This action might not be possible to undo. Are you sure you want to continue?
Page 1 of 17
SOP 1051-01 Title: Security Administration
Effective Date: Reason for Update: Owner: Operations Signature/ Date Objective The objective of this Standard Operating Procedure (SOP) is to provide and overview of the security control activities in the SDLC Business environment. This procedure establishes the responsibilities of the Senior Security Administrator. This individual is charged with identifying, communicating, monitoring and addressing issues and concerns that pose threats to computer and intellectual assets. All SDLC Security Administration Staff Section 1: Procedure Diagram Section 2: Roles and Responsibilities Section 3: Metrics Section 4: Procedure Activities Section 5: Forms Section 6: Exemptions Section 7: Tools/Software/Technology Used Appendix A: Security Change Request Form Appendix B: Security Profiles August 1, 2006 New SOP Location Portland Previous Version: None
Applicable To Sections
Related Procedures SOP 1005: Release Planning
Security Administration addresses the disposal of paper and electronic media. The Sr. communicating. Security Administration procedure defines the rules under which documents are to be annotated to show that they are the property of SDLC. it addresses third party requests for information and the process to authorize the release of materials. the exception log is analysed and recommendations for improvement are presented to management. Approved access is logged whenever it is considered an exception. The Sr. Security Administrator is the individual charged with identifying. any of which may include confidential data. In addition. System access requests are compared to pre-approved profiles as part of the request approval process. The Sr. All materials are to be consistently treated as though they contain confidential or sensitive information.SOP 1051-01 Definitions Page 2 of 17 Security Administration provides an overview to the areas of security control activities within the SDLC business environment. . An unauthorized individual defines threats as any form of intentional or unintentional access to confidential or sensitive materials. On a quarterly basis. Security Administrator oversees and maintains system access profiles. The Sr. A periodic review of profiles is performed. monitoring and addressing issues and concerns that pose threats to computer and intellectual assets.
SOP 1051-01 SECTION 1: PROCEDURE DIAGRAM Security Administration G12 G11 G10 G-9 G-8 G-7 G-6 G-5 G-4 G-3 G-2 G-1 G-0 Page 3 of 17 Technical Support Product Development Define Across all Gates: .Destruction of Electronic Media Governance Program Management Prepares request to Operations to make Available/Disable CO/QA and Client/QA Access On-Going .Access Levels/Security Rights .Destruction of Paper/Reports .Protection and Control of Intellectual Assets .Access Control and Oversight Approve s requests Engineering Department Development Approves Profiles Quality Assurance Systems Engineering Operations Definition of standard security access profiles and the use of master / restricted accounts Requests access to system Receives access as approved Site Measurement Legend Requirements Project Project Scope Start Strategy Lock-Down Lock-Down D e fin itio n P h a s e P la n A p p ro v a l Compares request to profile Changes Access with follow-up controls Systems Lock-Down Requirements Level Definition Estimates Approved Complete Project Detailed Plan Lock-Down Complete B e g in V a lid a tio n Begin System Certification Begin First Office Application Begin Controlled Rollout G e n e ra l A v a ila b ility .
SOP 1051-01 Security Access by G-6 Environment / Gate G-5 Page 4 of 17 DEV G-4 G-3 QA CO/ QA G-2 Client/ QA G-1 Staging G-1 G-0 <<--Production-->> Notes Technical Support Product Development Governance Data Collection Form Fill in the Security Access Rights for each environment / Gate (white and gray block areas) Program Management Prepares request to Operations to make Available/Disable CO/QA and Client/QA Access Development Quality Assurance System Engineering Operations Mgmt OCC RE ClearCase SQA Manager: Site Measurement Staging Begin Validation B e g in S y s te m C e rtific a tio n Environment Gate P r o je c t L o ck -D o w n Detailed Plan Complete Begin First Office Application B egin C ontrolle d R ollout G e n era l A v aila bility .
SOP 1051-01 Protection and Control of Intellectual Assets G12 G11 G10 G-9 G-8 G-7 G-6 G-5 G-4 G-3 Page 5 of 17 G-2 G-1 G-0 Technical Support Product Development Governance Data Collection Form Fill in the Requirements for Protection and Control of Intellectual Assets Program Management (white and gray block areas) Engineering Department Development Quality Assurance Systems Engineering Operations Site Measurement Legend No Controlled Controlled Project Start Project Strategy Lock-Down Requirements Scope Lock-Down D e f i n i t i o n P l a n P h a s e A p p r o v a l Systems Requirements Definition Approved Lock-Down Level Estimates Complete P ro je c t L o c k -D o w n Detailed Plan Complete B V e g i n a l i d a t i o n B e g in S y stem C e r tif i c a ti o n Begin First Office Application Begin Controlled Rollout General Availability .
SOP 1051-01 Destruction of Paper/ Reports G12 G11 G10 G-9 G-8 G-7 G-6 G-5 G-4 G-3 Page 6 of 17 G-2 G-1 G-0 Technical Support Product Development Governance Data Collection Form Fill in the Security Requirements for paper/reports for each environment / Gate Program Management (white and gray block areas) Engineering Department Development Quality Assurance Systems Engineering Operations Site Measurement Legend No Controlled Controlled Project Start Project Strategy Lock-Down Requirements Scope Lock-Down D e fin itio n P h a s e P la n A p p ro v a l Systems Requirements Definition Approved Lock-Down Level Estimates Complete P ro je c t L o c k -D o w n Detailed Plan Complete Begin Validation B e g in S y ste m C e rtific a tio n Begin First Office Application Begin Controlled Rollout General Availability .
) Quality Assurance Systems Engineering Operations Monitors Database access via periodic review of log files for exceptions Prepares Request to Add/Modify/ Delete a User ID Reviews Request to confirm within Approved Profile definition Approve? Receives security access (add/ change/ delete) Yes Temporary Access? Yes Sets expiration in system or set follow-up in 24 hours No Executes Security change Site Measurement No . Maximum access level permitted. etc. Unlimited or Temporary Access.SOP 1051-01 Password Control and Oversight Technical Support Product Development Page 7 of 17 Receives security access (add/ change/ delete) Governance Program Management Periodic Review of Access Profiles and approval of appropriate changes Periodic Review of Access Profiles and approval of appropriate changes Engineering Department Development Documents Systems Access Profiles (for all Systems and Controlled Utilities) and the use of master / restricted accounts (Type of user. functional unit.
SOP 1051-01 Password Control and Oversight Technical Support Product Development Page 8 of 17 Governance Program Management Engineering Department Development No Reviews Recommendation Approved? Quality Assurance Systems Engineering Operations Master Password? Yes Logs Reason for access in exception log Files approved request and retains for 3 months No Monthly destroys requests over 3 months old Quarterly reviews log to determine reason for master/restricted (including database ID) account usage Prepares Quarterly report for Management Reviews and prepares recommendations to improve controls and reduce the exception access to master/restricted accounts Yes Updates Procedures with approved changes and distributes Site Measurement Temporary AccessNo .
monitoring and addressing issues and concerns that pose threats to computer and intellectual assets.2 3. communicating. SECTION 3: METRICS Metric Cycle Time 3.1 Description The amount of time required to complete all steps in the creation/maintenance of a user ID from the time a request reaches the Security Administrator through delivery of the executed maintenance to the individual. A list of security advisories published each month along with its source and the time consumed in preparation and distribution. the Sr. Security Administrator is charged with identifying.4 . The person’s name will be reported to Engineering Department management and will receive recognition for their effort to compress cycle times and/or improve quality. In addition. This person oversees and maintains systems access and performs periodic reviews of profiles. The number of occurrences and amount of time spent on security events/investigations each month. regardless of whether or not the recommendation is implemented. Individuals who analyse a process and recommend ways to improve it. Advisories Special Events Change Agents 3. Each event will have a management report on file. Security Administrator prepares quarterly reports and makes recommendations for improvement to management.SOP 1051-01 SECTION 2: ROLES AND RESPONSIBILITIES Role Senior Security Administrator Responsibility Page 9 of 17 The Sr.3 3.
The Sr. The Security Administrator has the responsibility to disable access to any individual when that individual's actions create a perceived threat to the systems environment.2 Temporary Access 4.SOP 1051-01 SECTION 4: PROCEDURE ACTIVITIES Responsibility Security Profiles 4. The Sr. The Sr. The default period is one business day.3 User Access 4. Situational access is subject to audit review. unusual access or other events occurred which warrant additional review. Knowledge and skills are to be evaluated after each major enhancement to ensure they are current. Security Administrator performs the necessary review and promotes findings to the Manager of Operations at the time of discovery or as part of the quarterly report depending on severity.1 Page 10 of 17 Review Database Logs 4. The manager who authorized access is responsible for ensuring that documentation and communication is completed and distributed in a timely fashion. Due diligence will be undertaken prior to taking this escalation avenue. Security Administrator is responsible for verifying individual skill sets with appropriate management. Security Administrator reviews database access logs monthly to determine when exception access.5 Description Access to SDLC system environments is a “Right” that permits an individual to perform the duties associated with a particular job. Users are given access rights based on their job responsibilities and the training or knowledge they possess. Determination of the event and a report will be generated by the Security Administrator and distributed to both the Manager of Operations and the Senior Manager of the Engineering Department. This responsibility will be executed without regard to the individual’s title. In the event that the reason for the individual's action can not be determined and Operations Management is unavailable for council. The Security Administrator is responsible for ensuring that temporary access permissions are disabled at the end of the authorized period. the Security Administrator will disable the users account. . Situational access requires that actions performed be documented and communicated to the appropriate areas within the Engineering Department.4 Situational Access 4.
1. etc. process improvement. .” This applies to all documents that contain naming conventions used in coding and network configuration. The terms and conditions of that agreement will be enforced.7 • • • Protection of Assets of SDLC Confidential Information Conflict of Interest Sanctions for Breach of Ethical Standards SDLC Staff: Document Notices 4. Materials created for clients are to have “Copyright.SOP 1051-01 Responsibility Quarterly Report 4. The Employee Handbook used by SDLC addresses the protection of intellectual assets in the "Corporate Code of Ethics and Conduct Policy” section.2) The Manager of Operations reviews the Security Administrator’s recommendations: • Approved recommendations initiate the following process: − Procedure updated following Document Governance Procedure (SOP 1001) − Recommendation directed to the appropriate Unit Management for consideration − Manager of Operations or Security Administrator champions the change in process Manager of Operations requests for additional analysis and/or additional detail are handled by the Security Administrator in an appropriate and timely manner. These findings are used to prepare a quarterly report. specifically subsections: • SDLC Staff: Protection of Intellectual Assets 4. SDLC MM/YYYY” (Month and Year) on each page. changes to standard profiles. Each employee creating documents for internal use with confidential information or containing intellectual asset descriptions or definitions shall include a footer throughout the entire document stating “Confidential .8 Each employee must sign a non-disclosure agreement at the time of hire.Property of SDLC.6 Page 11 of 17 Description 1.1) The Security Administrator analyses the exception log to determine trends and reasons for requests. The report includes recommendations for root cause remediation.
transfers and new hires.13 Page 13 of 17 Description Any materials stored off-site will be placed in a locked container. storage media will contain all necessary instruction to restore the environment. When backup materials represent a systems environment. prior to allowing the individual access to the SDLC systems. Department Managers (and Human Resources) are responsible for timely notification to the Security Administrator of termination. promotions. The process flow diagram provides a high level view of the Security Administration procedure for Password Control and Oversight. Temporary access may be granted based on circumstances and the approval of appropriate management. modifying and removing access as approved by the Manager of Operations. The Security Administrator will immediately disable the terminated individuals access. . Each request for a security change is routed sequentially through the following steps. Operations will maintain a log of all off site materials. including passwords and current disaster/business recovery instructions. Deviations from a unit profile require a compelling reason for permanent access. Access to systems is defined first by the role of the unit to which an individual is hired or contracted. The unit manager is responsible for performing a knowledge assessment and an education process regarding SDLC’s standards and technology environment. Password Control and Oversight User IDs and passwords will be unique and assigned to one individual. but also provides the means to audit activities. The Security Administrator has primary responsibility for establishing. Access rights should be limited to the consultant’s engagement scope.SOP 1051-01 Responsibility Operations: Off Site Storage of Backup Materials 4 . Due consideration must be given prior to the granting of access rights to a consultant. These profiles are defined above. This not only increases accountability. Each unit has a profile defining the privileges associated with the roles and responsibilities of the normal work requirements for that unit. Group logon IDs will be prohibited.
Should acceptable resolution not be achieved.2 4.SOP 1051-01 Role/Activity Initiate Change Request Page 14 of 17 Description Requesting Department Management completes and authorizes the Security Change Request Form (Appendix A).18.14 Evaluate Request Request Approved 4 .15 4 .17 Implement Request 4 .18 .3 4. (Requests will normally be processes within four (4) business day hours. The Requestor signs the Security Change Request form acknowledging receipt.18.18.18.) Deliver approval to Manager of Operations: Request is within approved profile definitions Request is outside approved profiles. the Senior Manager of the Engineering Department will arbitrate. Security Administrator meets with the Requestor that access privileges are now available.18. Security Administrator sets password expiration in the system or schedules follow-up in 24 hours (next business day) and proceeds to step 4. but has supporting documentation.3 • No – executes and files the request. • • 4 . 4.3) The Sr.2) Is a Master ID involved in the request (outside standard profile)? • Yes – Sr. Request is forwarded to the Security Administrator for comparison to approved profile (Appendix B). Return to Requestor or Requesting Department Management with explanation. Security Administrator logs the request and reason in an exception log and proceeds to step 4.1 Request is outside approved profiles and does not have supporting documentation Requesting Department Management may appeal the rejected request by reviewing the reason with the Manager of Operations.18. 7. as well as the duration of the requested access privilege. That decision will be final.1) Is the request for Temporary Access? • Yes – the Sr.16 Request Denied 4 .2 • No – executes step 4.18. documentation supporting the request must be provided. In cases where exceptions are being requested. proceeds to step 4.
1 7.2 Description .SOP 1051-01 SECTION 5: FORMS Form Security Change Request Form Security Profiles Description See Appendix A See Appendix B Page 15 of 17 SECTION 6: EXCEPTIONS • Sandbox environments are excluded from this procedure. SECTION 7: TOOLS/SOFTWARE/TECHNOLOGY USED Tool Operating System Security Functionality Application Security Functionality 7.
SOP 1051-01 Appendix A: Security Change Request Form Security Change Request Form Page 16 of 17 Name: _________________________________ Unit: _______________________________ Title: __________________________________ Required Date: _______/_______/________ Requested Access: (Circle Requested Level) Environment Application Development RO / RW / Full Quality Assurance RO / RW / Full System Certification RO / RW / Full FOA (Client Acceptance Test) RO / RW / Full Production RO / RW / Full Database RO / RW / RO / RW / RO / RW / RO / RW / RO / RW / Hardware RO / RW / RO / RW / RO / RW / RO / RW / RO / RW / Full Full Full Full Full Full Full Full Full Full Signature of Requestor: ______________________ Request Date: ____________________ Approving Manager has assessed the individual’s knowledge and skills and certifies that the named individual meets all requirements for the security access level requested. is substantiating documentation attached? Yes / No (Circle one) Sr. Security Administrator: ________________________ Date Received: ___________________ Authorizing Manager: _________________________ Date: ___________________________ Secuirty Access Information: User ID: ____________________________ Verified by: _________________________ Date Executed: _________________________ Date: __________________________________ Acceptance Signature (User ID delivered and accepted by): _________________________________________ Date: ____________________________ By signing and accepting access to SDLC systems environment I warrant I have completed and returned an executed non-disclosure agreement. . the approving manager has assessed the individual’s knowledge of SDLC’s technical environment and it meets all requirements for the security access level requested. For access beyond development. Approving Manager: __________________________ Request Date: ____________________ Request in compliance with approved security access profiles? Yes / No (Circle one) If No.
. Note: Sandbox environments are excluded from this procedure. Audited through review of database logs.) SU = Super User Utility to assist Web users with ID issues. databases or hardware. Individuals may act in the capacity of a backup for the primary individual without being a member of the specific area. Area Network DBAs OCC Release Engineering Ops Engineering Ops Management Legend: Servers X X X X X Access Areas Resonate Database X X X X Network / H/W X X = Normal access rights for individual trained and demonstrating skills . Monitoring of direct content writes to production is required. None = Standard Web access only.= Situational exceptions requiring security to be enabled. No access to applications.SOP 1051-01 Appendix B: Security Profiles Area / Unit Engineering Developm ent Sustaining Development RW Advanced Development RW Strategic Development RW Quality Assurance -Applications RW Databases RO Systems Engineering Applications RO Databases Exception Hardware Full MIS Database RO SDLC Internal Departments Content (Content Utilities) None Technical Support None External Entities Exodus None CTC Communications None Legend: Page 17 of 17 System Environment System FOA/ Certificati Beta on RO RO RO RO RO RO Exception Full RO None None None None RO RO RO RO RO RO Exception Full RO None SU Full Full QA RO RO RO RO RO RO Exception Full RO None None None None Staging RO RO RO RO RO RO Exception Exception RO W* SU Full None Productio n None None None None RO RO Exception Exception RO W SU Full Full RW = Read / Write RO = Read Only Full = Unrestricted Exception = Full access with use restricted to request fulfillment W = Write (Direct write of Content to Production Database) W* = Write (Direct write of Content to Staging Database with automatic content update to the production environment. Owners have control over their own environments.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.