Presentation to ISSD Task Force

INFORMATION SYSTEMS SECURITY DIVISION

Reorganization Study

Prepared: May 6, 1991 Revised: May 7, 1991

I. Proposed Reorganization (Security Automation Division)

II. Why Merger of Fraud Detection and ISS Divisions

III. ISSD Staff Reduction• Service & Project Assumptions • ISS-WA Organization & Service Reductions • 155-LA Organizations & Service Reductions • 155-AZ Temporary Organization

IV. Cost Reduction SummaryV. Action Summary VI. ISSD Functions Summary

• Reduction in Cost • Infusion of Expert System Knowledge into Security Function• Centralized Supervision & Administration of Security Technical

Functions WHY J XXXXXXX AS DIVISION MANAGER• Significantly More Technical and Managerial Depth

- 30 years of Technical and Managerial Data Processing Experience - Development and Systems Assurance Management Experience - Data Center Production and Operations Management Experience - Security (RACF) Project Experience - Expert Systems Project Experience - Commercial and M Application & Architecture Design Experience - Business Resumption and Data Processing Contingency Planning

Experience

• SAD with the Support of SPAC performs Security Product Reviews

• SPBA accepts decentralized Branch Security Administration. AZ Security Service will be provided without local presence (no reduction in service anticipated)

• SPAC-NW will use their current system as basis for SPC Online Request Processing and therefore have responsibility for SPC Security Architecture

ELIMINATE • Security Boiler Plate Contributions to Legal

Documents

REDIRECT • MVS Request Processing • Physical Security Reviews • Security Product Research

REDUCE • New Business Research • Procedure and Guideline Writing • Security Awareness Program • Department & Division Administrative

Documentation

ELIMINATE • Security Boiler Plate Contribution to Legal

Documents

REDIRECT • PC/Virus Software Distribution• Physical Security Reviews

REDUCE • Security Product Research • New Business Research • Procedure & Guideline Writing • Security Awareness Program • Department & Division Administrative

Documentation

REDIRECT • Procedure & Guideline Writing • TANDEM Request Processing, and

Violation Reporting & Review

CONSOLIDATE ELSEWHERE INTO SAD • MVS Environment Management (WA) • MVS Request Processing (LA) • Cryptographic Key Management (LA) • Audit Response (WA)

TRANSFER TO USERS • Thirty Plus Internal Security

Applications

• 2 ND QUARTER 1991- Layoff Division Manager - Layoff Mainframe Technical Consultant In LA - Layoff Midrange Technical Consultant In LA - Move Data Security Analyst from WA to LA

(add TANDEM skills to LA)

• 4 TH QUARTER 1991 - Complete Conversion of Arizona Processing to

Common Architecture

• 1 ST QUARTER 1992- Transfer(Layoff) AZ Manager - Layoff AZ Data Security Analyst

KEPT AT CURRENT LEVEL OF EFFORT • SPC Security Architecture Development • Mainframe & Tandam Security Request Processing (Consolidated) • Mainframe & Tandem Security Technical Support • Midrange, LAN, and PC Security Technical Support • Network Security Support • Online Security Request Processing System Development • Wire Transfer Security Support • Cryptographic Key Management • MAC Security Request Processing (CA) • Database and Tracking of Waiver, Virus, and Security Incident Events • Information Systems Security Committee (ISSC) Support • Information Systems Security Manual (ISSM) Policy Development • Application Project (such as BDS) Security Consulting

REDUCED LEVEL OF EFFORT • Security Procedure and Guideline Writing (Consolidated) • Security Awareness Program • Security Product Reviews (with SPAC) • New Business Research Assistance • Department and Division Administrative Documentation

OVERALL PURPOSE The purpose of this position is to provide support to the Corporate Security Department objectives in:

- Managing and coordinating of computer security plans, projects, and policies; - Developing external fraud detection and prevention applications; - Administering passwords and users identifications for productions and development operations. - Identify and monitor emerging technology in the fields of information security and expert systems products

REQ UIREM ENTS - Minimum of 20 years of data processing background with a thorough understanding of computer

operating systems and networks. The major emphasis is in database computer environments supported in different geographic locations.

- Ability to interact with senior management to gain concurrence on security related methods and production processing.

- Possess technical skills to interact, make decisions, and implement security methods consistent with business and technical requirements.

- Proven record of knowledge based application development and installation. RESPONSIBILITIES

- Provide technical direction and leadership to apply and create access controls to meet Federal, State, CCC, NBE, and internal audit requirements. Additionally, provide risk versus exposure analysis and recommendations.

- Provide security direction in the SPC dynamic technical and business environments. - Work with AC in the creation of security related technology, products, procedures, systems, and

concepts. The position requires the ability to innovate and to manage innovative projects. - Ensure that the security needs/requirements of the corporation are maintained and established

with consideration to the amount of risk or exposure to electronic assets. - Ensure and provide technical direction to mitigate security related failures and damage that

can have significant negative impact on the total organization. - Provide technical direction for the design of expert systems related to external fraud detection

and prevention. - Ability to analyze user expertise into knowledge base rules.