CSL BULLETIN
                   August 1993 


SECURITY PROGRAM MANAGEMENT 
This bulletin discusses the establishment and operation of a
security program as a management function and describes some of
the features and issues common to most organizations.  OMB
Circular A-130, "Management of Federal Information Resources,"
June 25, 1993, requires that federal agencies establish computer
security programs.  Because organizations differ in size,
complexity, management styles, and culture, it is not possible to
describe one ideal security program.  

Structure of a Security Program 
Security programs are often distributed throughout the
organization with different elements performing different
functions.  Sometimes the distribution of the security function
may be haphazard, based on chance.  Ideally, the structure of a
security program should result from the implementation of a
planned and integrated management philosophy.

Figure 1. shows a management structure based on that of an actual
federal agency.  The agency consists of five major units, each
with several large computer facilities.  Each facility runs
multiple applications.  This type of organization needs to manage
security at the agency level, the unit level, the computer
facility level, and the application level.

Managing computer security at multiple levels brings many
benefits.  Each level contributes to the overall security program
with different types of expertise, authority, and resources.  In
general, the higher levels (such as the headquarters or unit
levels) better understand the organization as a whole, exercise
more authority, set policy, and enforce compliance with
applicable policies and procedures.  On the other hand, the
systems levels (such as the computer facility and applications
levels) know the technical and procedural requirements and
problems.  The levels of security program management are
complementary; each helps the other be more effective.

Most organizations have at least two levels of security
management.  The central security program addresses the overall
management of security within the organization or a major
component of the organization, including such activities as
policy development and oversight.  The system level security
program focuses on the management of security for a particular
information processing system.  This function includes activities
such as selecting and installing safeguards and may be performed
by users, functional managers, or computer systems personnel.  

Central Security Program 
A central security program which manages or coordinates the use
of security-related resources across the entire organization
provides these benefits:

Efficiency and Economy
A central program can disseminate security-related information
throughout the agency in an efficient and cost-effective manner.
Information to be shared includes policies, regulations,
standards, training opportunities, and security incident reports. 
Internal security-related information, such as procedures which
worked or did not work, virus infections, security problems and
solutions also should be shared within an organization.  Often
these issues are specific to the operating environment and
culture of the organization.  

Another use of an organization-wide conduit of information is the
increased ability to influence external and internal policy
decisions.  A central security program office which speaks for
the entire organization is more likely to be listened to by upper
management and external organizations.  

Also the central organization can share information with external
groups as illustrated in Figure 2.  Since external interaction
occurs at both the organization and system levels, a central
security organization should be aware of the interactions at the
system level to exploit all important sources.

Sources of Security Information
NIST:     Federal Information Processing Standards (FIPS), NIST
          Publication List 91, Computer Security Publications,
          and the NIST Computer Security BBS.
GSA:      Federal Information Resources Management Regulation     
          (FIRMR) Parts 201-20 and 201-39.
OMB:      OMB Circular A-130, Management of Federal Information
          Resources, June 25, 1993
FIRST:    Forum of Incident Response and Security Teams for
          security incident-related information.

The central security program assists the organization in spending
its scarce security dollars more efficiently.  Such organizations
can develop expertise and share it, reducing the need to contract
out repeatedly for similar services, such as contingency planning
or risk analysis.  The expertise can be resident in the central
security program or distributed throughout the system-level
programs.  Another advantage of a centralized program is its
ability to negotiate discounts based on volume purchasing of
security hardware and software.

Oversight
A central security program serves as an independent evaluation or
enforcement function to ensure that organizational subunits
secure resources cost-effectively and follow applicable policy. 
With a central oversight function, organizations can take
responsibility for their own security programs, identify and
correct problems before they become major concerns, and avoid
external investigations and audits.  

Elements of a Central Security Program

o  A program manager should be selected as the information
technology (IT) security program manager.  The program should be
staffed with able personnel and linked to the program management
function and IT security personnel in other parts of the
organization.  The security program requires a stable base in
terms of personnel, funding, and other support.  Additionally,
the benefits of an oversight function cannot be achieved if the
security program is not recognized within an organization as
having expertise and authority.

To be effective, a central security program must be an
established part of organization management.  If system managers
and applications owners do not consistently interact with the
security program, it becomes an empty token of upper management's
"commitment to security."  

o  A security policy provides the foundation for the IT security
program and is the means for documenting and promulgating
important decisions about IT security.  The central security
program should also publish standards, regulations, and
guidelines which implement and expand on policy.  

o  A published mission and function statement grounds the IT
security program into the unique operating environment of the
organization.  The statement should clearly establish the
function of the IT security program, define responsibilities for
the IT security program and other related programs and entities,
and provide the basis for evaluating the effectiveness of the IT
security program.

o  Long-term strategies should be developed to incorporate
security into the next generation of information technology. 
Since the IT field moves rapidly, planning for future operating
environments is essential.

o  A compliance program enables the organization to assess
conformance with national and organization-specific policies and
requirements.  National requirements include those prescribed
under the Computer Security Act of 1987, OMB Circular A-130,
Federal Information Resources Management Regulations (FIRMR), and
Federal Information Processing Standards (FIPS).

o  Liaisons should be established with internal groups including
the information resources management (IRM) office and traditional
security offices (such as personnel or physical security), other
offices such as Safety, Reliability, and Quality Assurance,
Internal Control, and the agency Inspector General.  These
relationships facilitate integrating security into the management
of an organization.  The relationships must be more than just
sharing information; the offices must influence each other to
assure that security is considered in agency plans for
information technology.

o  Liaisons should be established with external groups to take
advantage of external information sources and to improve the
dissemination of this information throughout the organization.

System Level Security Program 
While a central security program addresses the entire spectrum of
information resources security for an organization, the system
level security programs implement security for each information
system.  Functions include influencing decisions about controls
to implement, purchasing and installing technical controls,
administering day-to-day security, evaluating system
vulnerabilities, and responding to security problems.

The system security officer must raise security issues and help
to develop solutions.  For example, has the data owner made clear
the security requirements of the system?  Will bringing a new
function online impact security?  Is the system vulnerable to
hackers and viruses?  Has the contingency plan been tested? 
Raising these kinds of questions forces system managers and data
owners to identify their security requirements and ensure that
they are met.

Characteristics of a Viable System Level Security Program

o   Security management should be integrated into the management
of the system to assure that system managers and data owners
consider security in the planning and operation of the system. 
The system level security program manager should participate in
the selection and implementation of appropriate technical
controls and security procedures, understand system
vulnerabilities, and be able to respond quickly to system
security problems.

For large systems, such as a mainframe data center, the security
program often includes a manager and several staff positions in
such areas as access control, user administration, and
contingency and disaster recovery planning.  For small systems,
such as an office-wide local area network (LAN), the security
program may be an adjunct responsibility of the LAN
administrator.  

o  Security should be separated from operations.  When the
security program is embedded in IT operations, the security
program often lacks independence, exercises minimal authority,
receives little management attention, and lacks resources.  The
General Accounting Office (GAO) identified this organizational
mode as a principal basic weakness in federal agency IT security
programs (GAO Report LCD 78-123).  

One approach to the conflict between needs for management and
independence is a link between the security program and upper
management through the central security program.  Another
arrangement is the complete independence of the security program
from system management, with the security program reporting
directly to higher management.  Many hybrid alignments exist,
such as co-location of the staff but separate reporting and
supervisory structures.  

o  The development of system security plans by system level
security personnel is a natural choice, as this staff knows the
system thoroughly and can document weaknesses and solutions. 
Computer security and privacy plans for sensitive systems are
mandated by the Computer Security Act of 1987.

Summary
Organizations, large and small, need to establish a computer
security policy and program that integrates central office and
system level security efforts, is supported by top management,
and is publicized to all employees of the agency.  Central and
system level security programs must work together to achieve the
common goal of protecting an organization's vital information
resources.