Security Management Principles - ISSA Baltimore Information

Brad Flick, Associate Commissioner
Office of Information Security
All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official
positions or views of the Social Security Administration (SSA) or any other U.S. Government Agency. Nothing in
the contents should be construed as asserting or implying U.S. government authentication of information or
SSA's endorsement of the author’s views.
Confidentiality
Integrity
Availability
Threats
Vulnerabilities
Defense
Policy
Patch Management
Auditing

FY 2011
◦ $770 Billion in Benefits - Over 60 Million People
◦ 152 Million Transactions (avg. daily volume)
◦ $1.5 Billion in Annual IT Investment

Annual Workloads
◦ 17.2 Million Social Security Cards
◦ 1 Billion SS Number Verifications
◦ 147 Million Social Security Statements
◦ 270 Million Earnings Items Posted
◦ 3.9 Million Retirement, Survivor, and Medicare applications
◦ 2.5 Million Disability Applications

Network Overview
◦ Approx. 100,000 system users
◦ Over 1,300 offices worldwide
◦ Over 200,000 network devices
◦ Over 21 Petabytes of Data

10 Principles

Your Reputation Precedes You
◦ Security needs to be part of the culture
◦ Privacy of SSA records – the 1st regulation adopted, 1937

Regulation No. 1
It being found by the Social Security Board (hereinafter referred to as the Board) that the public interest and the efficient administration of the functions with which the Board is charged under the Social Security Act require that the confidential nature of all wage records and other records or information in possession of the Board, pertaining to any person, be preserved.

Policy and Standards
◦ Should be like a good rental agreement
◦ Must be enforced

Communication
◦ If you can’t communicate, you will struggle to be successful
◦ Everyone must understand the message

Training and Awareness
◦ Vital! Do not underestimate.
◦ Big Issues in 2011 - Phishing Attacks
  ▪ RSA
  ▪ Sr. Govt. Official’s Gmail compromise
  ▪ Federally Funded Research facilities

Security Has to be Usable
◦ If it is too difficult, it will be bypassed

Build It In, Don’t Retrofit
◦ Obvious - but no magic solution
◦ Security is often ‘last minute’
  ▪ Developers and Sponsors resistant to changes
◦ Can be Cultural
◦ Must build awareness of the value of ‘building in’

Build Alert Mechanisms
◦ Most folks focus on access control and audit trail.
◦ Dashboards – are they being watched?
◦ Audit trails – are they being reviewed?
◦ Build tolerances to alert on suspicious activities.
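The "tolerances" point is the one that turns a passive audit trail into an alert mechanism: a threshold on how many events of a given kind one user may generate inside a time window, so the trail is acted on rather than merely stored. The following Python is an added illustration, not code from the slides or from SSA; the audit-log format, the two tolerances (5 failed logins in 5 minutes, 3 record views in 10 minutes) and the sample lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail lines (not real data). Each line carries a
# timestamp, the acting user, the action and its result. The patterns were
# chosen to show one burst of failed logins (bob), one burst of record
# browsing (carol), and failures spread too thinly to trip a tolerance (dave).
SAMPLE_AUDIT = """\
2011-06-01T08:00:05 user=alice action=login result=success
2011-06-01T08:01:10 user=bob action=login result=failure
2011-06-01T08:01:15 user=bob action=login result=failure
2011-06-01T08:01:20 user=bob action=login result=failure
2011-06-01T08:01:25 user=bob action=login result=failure
2011-06-01T08:01:30 user=bob action=login result=failure
2011-06-01T08:01:35 user=bob action=login result=failure
2011-06-01T08:10:00 user=dave action=login result=failure
2011-06-01T08:17:00 user=dave action=login result=failure
2011-06-01T08:24:00 user=dave action=login result=failure
2011-06-01T08:30:00 user=carol action=record_view result=success
2011-06-01T08:31:00 user=carol action=record_view result=success
2011-06-01T08:31:00 user=dave action=login result=failure
2011-06-01T08:32:00 user=carol action=record_view result=success
2011-06-01T08:33:00 user=carol action=record_view result=success
2011-06-01T08:38:00 user=dave action=login result=failure
2011-06-01T08:45:00 user=dave action=login result=failure
"""

# Tolerances (assumed values for the example): (action, result) -> (max events
# allowed, sliding window). Exceeding the maximum inside the window raises an alert.
TOLERANCES = {
    ("login", "failure"): (5, timedelta(minutes=5)),
    ("record_view", "success"): (3, timedelta(minutes=10)),
}


def parse_line(line):
    """Turn one 'ts key=value ...' audit line into a dict with a datetime 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_alerts(log_text):
    """Scan audit lines in time order and return one alert per (user, action,
    result) whose event count exceeds its tolerance inside the sliding window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(list)  # (user, action, result) -> timestamps still in window
    alerts, already_alerted = [], set()
    for e in events:
        kind = (e["action"], e["result"])
        if kind not in TOLERANCES:
            continue  # not an event type we have a tolerance for
        limit, window = TOLERANCES[kind]
        key = (e["user"],) + kind
        bucket = windows[key]
        bucket.append(e["ts"])
        # Drop timestamps that have aged out of the sliding window.
        while bucket and e["ts"] - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) > limit and key not in already_alerted:
            already_alerted.add(key)  # one alert per user/kind, not one per extra event
            alerts.append({
                "user": e["user"], "action": e["action"], "result": e["result"],
                "count": len(bucket), "window": window, "at": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_AUDIT):
        print(f"ALERT {a['at']} user={a['user']} {a['action']}/{a['result']} "
              f"x{a['count']} within {a['window']}")
```

The design choice worth noting is the sliding window rather than a fixed per-hour bucket: dave's six failures over 35 minutes never exceed five inside any five-minute span, so they stay in the audit trail for review but do not page anyone, while bob's six failures in 25 seconds and carol's four record views in three minutes each produce exactly one alert. Whatever the real tolerances are, they belong with the audit-trail owner, who is the person the slide asks whether anyone is actually watching.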

Take Time to Plan
◦ Firefighting vs. fire prevention planning…

Regular Reality Checks are Necessary
◦ Is there governance and compliance?
◦ Are the rules relevant to the business process, understandable, reflective of reality, and current?
◦ Are they enforceable, or at least not ignored?

Don’t assume the business owner will do the right thing.
◦ They will roll the dice every time.