Statement of John Dyer,
Acting Principal Deputy Commissioner, Social Security Administration
before the House Committee on Banking and Financial Services
September 23, 1997
Mr. Chairman and Members of the Committee:
Thank you for inviting me here today to discuss computer security at the Social Security Administration (SSA).
At the outset, Mr. Chairman, it is our highest priority to maintain the confidentiality of the information in SSA's systems. Nothing is more important in the operation of our programs than ensuring that the public has confidence that the information placed in our trust is secure. This basic philosophy is a cornerstone of everything we do. In fact, the very first regulation issued by the new Social Security Administration in 1935 dealt with the nondisclosure of SSA record data.
SSA pays benefits each month to almost 50 million beneficiaries. In FY 1998 alone, SSA delivered $400 billion in benefits. In order to achieve our mission, many of Social Security's 66,000 employees must have access, on a need-to-know basis, to computer records. This creates an inherent tension between the need to deliver accurate benefits on time to the right person and the need to have the tightest security possible. When the agency learns that an employee has abused his or her systems privileges, steps are immediately taken to impose penalties, as severe as termination, on the individual.
When Social Security first became independent in 1995, and had its own Inspector General (IG) for the first time devoted only to SSA's activities, the Commissioner asked the IG to make employee integrity the number one issue and the IG has done so. SSA has consistently asked for additional resources for the IG and received support from Congress for those requests.
We have taken both preventive and enforcement actions to protect information in Social Security files from any wrongful use by our own employees and from any unauthorized access by outsiders. It is important to emphasize that SSA's mainframe computers have never been successfully penetrated by outside parties. This is not to say that we are resting on our laurels. We constantly reevaluate and, when necessary, upgrade the security features necessary to maintain the public's confidence that our systems are secure.
Maintaining SSA Systems Security
In order to meet the challenges of data security in today's highly technological environment, the Agency has adopted an enterprise-wide approach to systems security, financial information, data integrity, and prevention of fraud, waste, and abuse. We have full-time staff devoted to systems security stationed throughout the Agency, in all regions and in central office. They provide day to day oversight and control over our computer software. In addition, we have a Deputy Commissioner-level Office of Systems which supports the operating system, develops new software and the related controls and in general assures that SSA is taking advantage of the latest in effective systems technology.
SSA has a Chief Financial Officer, also at the Deputy Commissioner level, who assures that all new systems have the required financial controls to maintain sound stewardship over the monies entrusted to our care. In addition, as the Principal Deputy Commissioner, I also serve as the agency's Chief Information Officer; this dual role gives me oversight of the agency as a whole to assure that our initiatives are enterprise-wide in scope.
As I have mentioned, as an independent agency, we have our own IG who can focus his efforts on the agency's needs and concerns. The IG is also very active in working with other Federal, State and local law enforcement agencies to assure that all avenues for investigation and prosecution are being pursued, especially for systems security-related issues.
Modern computer security requires the implementation of sophisticated software and control of access to the system. SSA uses state of the art software that carefully restricts any user access to data except for its intended use. Using this software, only persons with a "need to know" in order to perform a particular job function are approved and granted access. Our systems controls not only register and record access, but also determine what functions a person can do once access is authorized. SSA security personnel assign a computer-generated personal identification number and an initial password to persons who are approved for access (the person must change the password every 30 days). This allows SSA to audit and monitor the actions individual employees take when using the system. These same systems provide a means to investigate allegations of misuse and have been crucial in prosecuting employees who misuse their authority.
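The access-control scheme described in the preceding paragraph (a security-assigned PIN and initial password, a password change required every 30 days, "need to know" authorization limited to the functions of a person's job, and a record of every access attempt that investigators can later review) is shown below as an added illustration in Python. It is not SSA's code. The job roles, the PIN format, the minimum password length, the record identifiers and the dates in the sample run are all constructed assumptions made for this example.

```python
"""Need-to-know access control with an audit trail (added illustration; not SSA's code).
All roles, PIN formats, dates and identifiers below are constructed assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Policy constants. The 30-day rotation comes from the statement; the minimum
# length is an assumed value standing in for "more characters" guidelines.
PASSWORD_MAX_AGE = timedelta(days=30)
MIN_PASSWORD_LENGTH = 8

# Job function -> operations that function may perform (constructed roles).
ROLE_FUNCTIONS = {
    "claims_rep": {"view_claim", "update_claim"},
    "benefit_auditor": {"view_claim", "view_payment_history"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored user table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    pin: str
    role: str
    salt: bytes
    pw_hash: bytes
    pw_changed: date
    must_change: bool = True  # the issued initial password is single-use


@dataclass
class AuditEntry:
    day: date
    pin: str
    function: str
    record_id: Optional[str]
    outcome: str


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, day, pin, function, record_id, outcome) -> bool:
        # Every attempt, allowed or denied, is written to the audit trail.
        self.audit_log.append(AuditEntry(day, pin, function, record_id, outcome))
        return outcome == "ok"

    def provision(self, role: str, initial_password: str, today: date) -> str:
        """Security staff issue a computer-generated PIN and an initial password."""
        pin = f"{secrets.randbelow(10**8):08d}"  # assumed 8-digit PIN format
        salt = secrets.token_bytes(16)
        self.users[pin] = User(pin, role, salt, hash_password(initial_password, salt), today)
        self._record(today, pin, "provision", None, "ok")
        return pin

    def _authenticate(self, pin: str, password: str) -> Optional[User]:
        user = self.users.get(pin)
        if user is None:
            return None
        if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return user
        return None

    def change_password(self, pin: str, old: str, new: str, today: date) -> bool:
        user = self._authenticate(pin, old)
        if user is None:
            return self._record(today, pin, "change_password", None, "denied: bad credentials")
        if len(new) < MIN_PASSWORD_LENGTH:
            return self._record(today, pin, "change_password", None, "denied: password too short")
        user.salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new, user.salt)
        user.pw_changed = today
        user.must_change = False
        return self._record(today, pin, "change_password", None, "ok")

    def request(self, pin: str, password: str, function: str, record_id: str, today: date) -> bool:
        """Authenticate, then check password age and job function before allowing access."""
        user = self._authenticate(pin, password)
        if user is None:
            outcome = "denied: bad credentials"
        elif user.must_change:
            outcome = "denied: initial password must be changed"
        elif today - user.pw_changed > PASSWORD_MAX_AGE:
            outcome = "denied: password expired"
        elif function not in ROLE_FUNCTIONS[user.role]:
            outcome = "denied: function not permitted for role"
        else:
            outcome = "ok"
        return self._record(today, pin, function, record_id, outcome)

    def outcomes_for(self, pin: str) -> list:
        """Investigation view: everything one PIN attempted, in order."""
        return [e.outcome for e in self.audit_log if e.pin == pin]


def demo() -> list:
    """Constructed sample run; returns the audit outcomes for one user."""
    ac = AccessControl()
    d0 = date(1998, 1, 5)  # constructed start date
    pin = ac.provision("claims_rep", "Init-Pass-1", d0)
    ac.request(pin, "Init-Pass-1", "view_claim", "C-001", d0)                # initial password not yet changed
    ac.change_password(pin, "Init-Pass-1", "short", d0)                       # rejected by length policy
    ac.change_password(pin, "Init-Pass-1", "Longer-Secret-42", d0)
    ac.request(pin, "Longer-Secret-42", "view_claim", "C-001", d0)
    ac.request(pin, "Longer-Secret-42", "view_payment_history", "C-001", d0)  # outside this job function
    ac.request(pin, "wrong-password", "view_claim", "C-001", d0)
    ac.request(pin, "Longer-Secret-42", "view_claim", "C-001", d0 + timedelta(days=30))
    ac.request(pin, "Longer-Secret-42", "view_claim", "C-001", d0 + timedelta(days=31))
    return ac.outcomes_for(pin)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audit log records denials as well as successes, which is what makes the trail useful for the investigations the statement mentions: a run of "denied: function not permitted for role" entries against one PIN is exactly the pattern a reviewer would want to see surfaced.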
In summary, we have in place the right authorities, the right personnel, and the right software controls to prevent penetration of our systems and to address systems security issues as they surface.
Audit of SSA's Systems Controls
SSA, as an agency, has been preparing audited financial statements since FY 1987. Fiscal year 1997 represented the fourth consecutive year that SSA's financial statements have received an unqualified, or clean, audit opinion from SSA's IG or its contractor. The auditors stated, "In our opinion management's assertion that SSA's systems of accounting and internal controls are in compliance with the internal control objectives in OMB Bulletin No. 93-06 is fairly stated, in all material respects". SSA received an unqualified opinion from the auditors that our systems of internal controls meet the standards set up by the Office of Management and Budget (OMB). Our financial statements are prepared consistent with the requirements of the Federal Accounting Standards Advisory Board, OMB, the Chief Financial Officers' Act, and other relevant Federal statutes.
PricewaterhouseCoopers (PwC) conducted the FY 1997 audit under contract with the General Accounting Office (GAO) and our IG. As part of the audit, PwC provided SSA with two management letters that gave recommendations as to how SSA could improve its systems safeguards and financial management controls. Over the past few months, SSA and PwC have been working closely to reach final agreement on how to achieve the objectives of the PwC recommendations. (We have provided this committee with SSA's FY 1997 financial statement, part of the latest Accountability Report, as well as the two Management Letters given to SSA by PwC.)
SSA's Response to the Audit
The Social Security Administration and our auditor, PwC, are in agreement on almost all recommendations. SSA takes these issues seriously and has embarked on an aggressive timetable of corrective action. Some of the auditor's recommendations take longer to achieve, but I believe that the auditor would say that we are proceeding expeditiously. SSA and PwC have come to closure on virtually all of the recommendations contained in the PwC reports. PwC is now reviewing our progress in making the called-for changes and will report on them as part of the audit of SSA's financial statements for fiscal year 1998, this fall.
SSA has developed a workplan to implement these agreed-upon improvements. There are a couple of areas where we are still exploring solutions and expect to close them out as part of the FY 1998 audit process.
I would like now to address some of the major changes we are making in the four primary areas that PwC identified as follows:
1) SSA needs improved controls to protect its information;
2) SSA needs to improve and fully test its plan for maintaining continuity of operations;
3) SSA needs to improve its software application development and change control policies and procedures; and
4) SSA needs to address insufficient separation of duties.
Finding 1, Protection of Information: The auditors made 43 recommendations on how the Agency could better protect its data in both a mainframe and a distributed environment. We agreed with 41 of these recommendations and have closed or completed 30 to date. Some of the actions taken include limiting the use of modems, implementing a process to identify unauthorized modems on a continuing basis, removing access immediately for unauthorized modems when discovered, and strengthening access controls over programmers and other systems personnel. New password guidelines were implemented which require the use of more characters, and we are making enhancements to our single sign-on architecture.
The auditors recently told us that they noted improvements in this area in this year's audit, particularly in the mainframe environments, but believed we needed to give more attention to the distributed environment. We will continue working with the auditors to further improve this area.
Finding 2, continuity of operations: There were five recommendations in this area, focused primarily on an updated contingency plan covering both data center activities and activities performed by end users, covering critical operations should interruptions occur, and testing combinations of multiple critical workloads simultaneously. We agreed with all five recommendations.
SSA is committed to testing all critical workloads within a 3-year cycle and has expanded our test capability from 64 hours to 120 hours in 1999. We are taking a fresh look at identifying our critical workloads and how we will maintain continuity of operations in the event of the loss of our computer center, in both a short-term and a long-term scenario.
Finding 3, software development: In this area the auditors felt that control and security measures for application systems changes could be improved. We have closed or completed 17 of the 35 recommendations to date and are actively working on the others. New and revised procedures were developed to ensure that requested changes to systems were properly approved, coded, tested, documented, and authorized for production. We now have appropriate policies and procedures in place to document system change control practices and are committed to ensuring 100 percent compliance with policy.
Finding 4, separation of duties: There were three areas where the auditors felt we had inadequate separation of duties: field offices, systems operations, and security administration. We generally agreed that we could improve in the areas of systems operations and security administration and have addressed 18 recommendations so far. We disagreed with five recommendations pertaining to field offices because of the high cost of implementing these recommendations and asked the auditors to reconsider and develop alternative approaches. The auditors have reconsidered these recommendations and are in the process of developing revised recommendations which will emphasize the use of performance measurement data to identify high-risk transactions for analysis and, when warranted, additional preventive controls. These new recommendations are much less labor intensive and appear to be achievable. We will continue to work with the auditors to improve this area.
I want to come back to the broader concerns. Addressing systems security is and always will be first of all a high priority for SSA. By design, the Agency has used a system architecture that relied almost exclusively on mainframe systems and centralized databases. With this architecture we are able to more tightly control computer security than those Agencies who are faced with large numbers of local and/or distributed systems.
As SSA, in the increasingly technological environment, moves away from the mainframe environment to more distributed systems, we need to carefully consider at every step of the process how to build in security features. We have already taken a number of steps to ensure that these new systems will be as secure as possible.
We have supported and will continue to support the independent audit of our financial statements. We have supported the auditors' detailed testing of SSA's systems. We will work with the various oversight bodies, the General Accounting Office and the IG, for example, to review what we are doing and identify any issues they believe we need to address. Only in this way can we be assured that SSA is getting all the advice that is available to us, and doing its utmost to maintain the security of our computer systems and the data they contain.
Zero Tolerance for Fraud
Finally, I also want to state that we have a zero tolerance at SSA for fraud, waste, and abuse. We believe that our zero tolerance policy has paid off, as evidenced by the fact that almost all of the recommendations made to the Agency by independent auditors in recent years have been of a theoretical nature, e.g., our systems have a weakness that needs to be addressed to assure there is no abuse. Nonetheless, when we have evidence of an abuse of system privileges, addressing the matter is a number one priority of the Agency.
On June 22, 1998, Commissioner Apfel issued a notice to all SSA employees about administrative sanctions to be taken against any SSA employee who abuses his or her systems privileges. The penalties are severe and will lead to termination of employment for any offense that involves selling data.
SSA's IG is committed to the investigation and prosecution of every employee abuse case that is identified. Many of the SSA employee cases turned over to the Inspector General for investigation were first discovered by the Social Security Administration itself. In addition, we have asked the IG to make investigation of employee fraud the number one priority.
As I noted at the outset, the Social Security Administration has a long-standing tradition of assuring the public that their personal records are secure. Systems security is not a one-time task to be accomplished, but rather an ongoing mission we can never lose sight of. We know we cannot rest on past practice, but must be vigilant in every way we can to assure that these personal records remain secure, and that public confidence in SSA is maintained.
I want to thank the Committee for holding this hearing and focusing on what we all view as a critical issue. We are glad to know that the Congress shares our concerns, and we will work with the Committee to assure the American people that we are doing all we can to maintain the security of our computer operations.
This concludes my prepared statement. I will be happy to answer any questions you may have.