Case Study › Central Security Administrator - Responsibilities

Central Security Administrator - Responsibilities

This section describes the functional responsibilities of the central security administrator (CSA) at First Tennessee Bank. The mission of the CSA is to administer a corporate‑wide data security program designed to protect against unauthorized access, the intentional or unintentional disclosure, manipulation, and/or destruction of computer‑based corporate information assets.

The objective of the First Tennessee data security program is to minimize potential exposure of the corporation. The approach to meeting this objective is based upon the following actions:

• Document existing security controls for all computer‑based applications.
• Evaluate existing security controls, in terms of strengths and weaknesses, to estimate current risk/exposure levels.
• Install standardized base controls, to be applied to all computer terminals in the corporation. For example:
  • Assign each computer terminal a unique identification code to be automatically verified upon each computer access attempt.
  • Assign each authorized person a unique identification code to be automatically verified upon each computer access attempt.
  • Assign each authorized person a unique, secret password to be automatically verified upon each computer access attempt.
  • Restrict access, disclosure, manipulation, and erasure capabilities to only authorized individuals for each computer‑based application.
  • Restrict the ability to initiate computer programs, copy computer data files, and perform other computing functions to only authorized individuals for each computer‑based application.
  • Install automated mechanism to log and report all data security violations.
• Develop recommended additional security controls to further enhance the security level within a particular functional area:
  • Automatically enforce mandatory changing of secret individual passwords at specified intervals.
  • Automatically enforce restriction of individual users to only specified computer terminals.
  • Automatically disconnect unattended, inactive terminals after specified time limit expiration.
  • Automatically enforce restriction of individual access to specified days of the week only (for example, Monday‑Friday).
  • Automatically enforce restriction of individual access to specified time of day only (for example, 8‑5).
  • Automatically control each individual's ability to display, manipulate, and/or erase only authorized data files, programs, and so on.
  • Automatically control each individual's ability to initiate computer programs, copy computer data files, and perform other computing functions based upon granted authority.
• Specific CSA administrative functions:
  • Develop and install a comprehensive data security violation monitoring capability.
  • Perform regular reviews of all security violation reports and initiate appropriate corrective actions.
  • Regularly distribute security violation reports to business unit and, as required, department management for follow‑up action.
  • Develop a corporate security awareness program to inform and educate all FTB employees of their security responsibilities.
  • Assist department security coordinators in the communication and resolution of highly technical security issues to other departments (T & IS).
  • Install automatic enforcement mechanisms to enforce and maintain base controls.
  • Develop and recommend additional data security controls to department security coordinators.
  • Maintain comprehensive documentation of the corporate security environment.

The CSA function will reside in the Transaction and Systems Information business unit, but will be accountable to all appropriate corporate management charged with data security responsibility. Further, the activities of the CSA will be closely monitored at all times by the EDP Audit group.