EPA    Vol. 3, No. 2    March/April 1980
ADP  CONFERENCE  EMPHASIZES  CHANGE
                              Ken Spears
 Talk  of change dominated  the fourth EPA
 ADP  Conference,   held this year  from
 February  11   through  February  15  at
 Southern  Pines,   N.C.    The  regional
 sessions,  the  general  sessions,  and the
 technical  sessions  all  stressed  the
 complexity of "changing    information
 resources."    As  R. C.  Stringer  (MIDSD)
 noted in  his  opening  remarks  for the
 conference, the continuing change  in  EPA's
 data  processing management programs and in
 data   processing   technology  "strongly
 reflects  the  extension   of  computer
 technology  from the  large-scale  computer
 room  to  the office,  library, laboratory,
 and  virtually   every  facet   of  the
 organization."

 To  control such  change,  the  conference
 participants  generally agreed  on three
 methods:    (1)   plan  carefully  for
 information  requirements,   (2)  manage
 existing   and    evolving    resources
 effectively, and (3) consolidate
 information systems if possible.  How well
 these methods  work depends,  of course, on
 thorough preparation.  Reliable audits and
 studies  are  usually  necessary  before
 detailed planning  begins.


 DATA CENTER ACTIVITIES

 According  to Don  Fulford (MIDSD/NCC), the
 National   Computer   Center  and   the
 Washington  Computer Center  also  underwent
 a  year of  change  and  are currently in  a
 transition  period.  Fulford  presented the
 major achievements  of both centers in
 FY1979 and previewed  plans for the future.

 During the past year both centers
 experienced continued growth, increased
 direct services to users, and upgraded
 their hardware, software, and security
 systems.  In addition, at WCC the
 dedicated organization matured and the
 center converted to the Multiple Virtual
 Storage (MVS) operating system.  The NCC
 achieved record stability, added three new
 systems, and transferred equipment into
 its new building.  "We have established a
 solid base," Fulford said, "from which we
 can move on to the future."

           R. C. Stringer (left), Director, MIDSD, presents Don
           Fulford, Chief, Data Center Branch, with the Service
           Award from the USE, Inc. (Univac Scientific
           Exchange) group.

          Both centers  plan  to  meet  the  increasing
          needs of  their users, especially in terms
          of  reliability,  maintainability,  and
          availability.   To  achieve this goal,
          Fulford sees  improved communications with
          users as  indispensable.   "As we move into
          the '80's," he said,  "our  involvement and
                    (Continued on page  3)

-------
WCC HIGHLIGHTS
                          Maureen Johnson
      All  WCC  processing  is  now  on  the
MVS/TSO/WYLBUR  operating system.   The  new
MVS  system  was made available to  users on
both  the  IBM 370/168  and  IBM 370/3032 on
January 14, 1980.  Significant improvements
in performance and stability have
resulted from the conversion.

     WYLBUR users experienced a high level
of frustration during  December and January
because of frequent  lapses   in WYLBUR
availability  and   associated   loss   of
workspaces.   Several major problems, most
of which are  now resolved, contributed to
the unstable WYLBUR  situation.
     The   XEROX   1200  located  at  the
Washington Distribution  Center  is  in  final
testing  and  will  soon  be  available for
user  production  work.    The  XEROX  1200,
which  produces   high-speed,  high-quality
hardcopy  from print  image  magnetic  tape,
is 2  to  3-1/2 times faster than the  WCC's
high-speed printers.
     The  Washington  Distribution  Center
will   be   expanded   this   summer   to
accommodate  a  PDP-11/70  minicomputer
system and  thus will  enhance  the overall
capabilities of the Distribution  Center.
     EPA Data Talk is published bimonthly by the
     EPA Management Information and Data Systems
     Division, National Computer Center, for EPA
     personnel and contractors interested in
     general ADP topics.

     Comments,  suggestions, and news  items
     should be addressed to:

         William G. Allen
         Editor, EPA Data Talk
         National Computer Center
         Research Triangle Park
         North Carolina  27711
     To ensure that our distribution list is up
     to date, please  indicate any required
     changes on the mailing label attached to
     this issue  and  mail  it  to  the  above
     address.
NCC HIGHLIGHTS

                              Tom Rogers

     The expansion to the computer
facility building has been  completed and
was  accepted  in  early January.   The new
IBM   3800  Laser  Printer  was  immediately
installed   there  along  with   selected
hardware from  the  current  Sperry Univac
equipment.      The   printer   provides
high-quality   and   high-speed   print
capabilities  to  the  NCC user community.
All   printers,   high-speed   disks,   and
communications/symbiont processors are now
operational  within  the new space.
     The IBM 3800 Laser Printer, installed
in  January,  is currently  available  to
users   on   a  limited  basis.     Further
utilization  details  will  be  distributed
through user memos.
     The revised NCC User Reference Manual
(URM) was distributed to the NCC user
community  on  January  30.    The  revision
process  began  about  a year  ago  and  has
resulted   in    an    easier-to-use   and
easier-to-update   reference   document.
Special thanks go to the RTP ADP
Coordinators who reviewed the  final draft.
     Progress  toward  completing  the  NCC
Disaster  Recovery Plan  was delayed  when
the Bureau of Census declined  to  sign the
formal contingency agreement with the NCC.
Although  an  informal  agreement had  been
reached, at  the  time of formal commitment
the  Computer Operations  Division  within
Census was directed  to procure guaranteed
time at  a commercial facility.   However,
the U.S.  Treasury Department's Office  of
Computer Science has expressed interest in
a mutual backup agreement.  This possibility
is being studied now.
    The  deadline  for contributions  to the
    May/June issue of EPA Data Talk is April
    25,  1980.   Contributions received after
    that  date  will  be  published  at the
    discretion of the editor.

-------
         (Continued from page 1)
planning with the  users  will have to
increase."    Already the  centers  have
expanded  their  efforts  toward this goal.
They  now  offer,   for  example,  more
training,  more   printed  and   on-line
materials,   and  more  opportunity  for
personal communication.
 PLANNING AND MANAGEMENT


Like  the  address  of Fulford,  that  of
Robert L.  Chartrand (Library of  Congress)
ranged from the past to  the  present to the
future.   His  keynote  address centered on
the fact  that  the present  is  a  time for
redefinition and recommitment in terms of
information   technology.     "So   often,"
he   said,   "our   management   at   the
departmental/agency level  is so  busy  it
does not  take  time to learn enough about
data   processing  and  good management
techniques."

Chartrand  reminded  the  participants  that
now that ADP,  traditional  Library Science,
and  information  services  seem  to  be
merging,    workers   must   learn   what
information resources  they need,  which
ones  exist,  where they  are,  what  they
cost,   and  how  they can be  accessed.   He
then  reviewed   government's  endeavors  to
help.    Within  the past  two  years,  for
example,  a series  of studies  have  been
made  and  75  laws  passed  in  Congress
regarding  information policies,  programs,
and technology.   In addition, an  Office of
Federal   Information  Policy   has  been
proposed   and   the  American Society  of
Information Sciences  has  provided  a  list
of  149   current  on-line   data  bases.
According to Chartrand,  these concentrated
efforts to enumerate information  resources
will continue.

In  a   session  on "Decentralization  of
Timeshare,  Plans,  and  Budget,"  Ken Byram
(MIDSD),   Dan   Cirelli   (MIDSD),    and
Dick   Boyd  (MIDSD)  discussed   data
processing planning,  data processing
budgeting,  and  the role  of  the  Steering
Committee.  To  supply  adequate information
on requirements  for timeshare services and
to  provide  MIDSD  the  review and control
authority  it  needs,  the  procedure  they
recommend would  tie timeshare budgeting to
the Agency's successful  Zero Base Budget
(ZBB)  process.
 Sam Brown,  Director, National Computer  Center,
 addresses the conference.
The planning process would consist of (1)
overall   guidance   from  the   Steering
Committee,  (2)  a  working  group  by office
or media, (3) a requirements  plan  reviewed
by the Steering Committee,  (4) the  details
added,   (5)  final  Steering   Committee
approval, and  (6)  a  5-year  plan  updated
yearly.   The  ZBB  process  would  furnish
MIDSD the details and  precise information
necessary to justify requesting the  funds
it  needs  to  run  the  data   centers
effectively.  The  Steering  Committee  would
involve upper management in ADP processing
and would  help resolve conflicts  between
users and the Agency.

Formal   planning   and   management   of
systems  development  were  discussed by
Gene Lowrimore (MIDSD), John  Hart  (MIDSD),
Mary Lou Melley (MIDSD), and Vic Cohen
(MIDSD).    To   reduce  dependency  on
contractor    support    for     systems
development,  the  team  recommends formal
management,   integrated  systems,   program-
wide coordination, and  ADP planning.  Such
an approach,  they  say, would  yield  more
intelligent use of  ADP  resources and more
effective use  of  ADP  systems.    Although
contractors  would   continue  to  implement
systems  requirements, management would
furnish  specific  statements  of  need.
Providing  explicit   information   elements
and design  and testing requirements,  for
example,  would  allow  MIDSD more  control.

          (Continued on Page  6)

-------
                         ADP   SECURITY
                           Marguerite  I.  Hall,  Computer Specialist
             This  is the second in a series of four articles on ADP Security.   The first article
             reviewed the peculiarities of ADP that make it inherently insecure.  This, the second
             part  of the second article, looks at goals,  the scope of ADP security, and its key
             concepts and terminology.  Because of its length only the first part of this article
             appeared in the  last issue  of EPA Data  Talk.   The  third  article  traces  the
             development of awareness  of ADP security in  the Federal sector.  The fourth article
             covers EPA's recently developed Agencywide security program and our plans for a
             staged implementation.
                              Core Concepts:   Part  II
In a  way,  CONTROLS  are what it's  all about.   Controls counter  threats.   Control is  the
antonym  of vulnerability.   If  you  have a control,  you don't have a vulnerability.  If  you
have  a vulnerability,  you  don't have control.   A control  can  be  designed  to  counter  a
single  threat.   A  moisture detector will  alert  you to  the presence  of water.   Other
threats  are  best thwarted by a series  of  controls.   For example,  power supply problems  may
be countered  with  uninterrupted  power supply  equipment backed  up by banks  of batteries
backed  up  by  motor generators.    There  are  some controls  that  work   against  multiple
threats.   More barrier  for  the buck,  so  to  speak.   A guard at the  computer room door  can
prevent  theft,  mischief,  accidents,  vandalism,  sabotage,  and  the like.   Authentication
(you  are who  you  say you are)  and authorization  (you are privileged) software  prevents
unauthorized use of services, destruction, alteration, and  disclosure of data.

One way  of  categorizing controls  is  by  what you're  trying  to do with them.   The word  is
"strategy."    There  are controls   that prevent  adverse  events.   There  are  controls that
detect adverse events.  There  are  controls to minimize  the  effects of adverse events,  and
there  are controls to  recover from  an   adverse  event.   Table  1  gives  an example  of  a
control  strategy for fire loss.


                        Table 1.  Control Strategy for Fire Loss

                                        STRATEGY
                    Prevent     Detect         Minimize         Recover

                    Clean       Smoke          Halon            Contingency
                    Room        Detector       Offsite          Arrangements
                                               Data Storage

A second way to categorize controls is by type.  There are physical, technical,
administrative, and managerial controls.  Physical controls are the ones thought of first.
Physical controls are concerned  with facility site  and  structure,  physical  layout,  access
barriers,  and environmental  monitoring  equipment.   They're masonry  walls, vaults,  locks,
TV  monitors,  air  conditioners,  and  filters.    They're   fire  extinguishers  and  moisture
detectors  and  alarm annunciators, brooms,  mops,  and  vacuum cleaners.

Technical  controls are  imbedded  in hardware, peripherals, software,  and  telecommunication
gear.   They are diagnostic circuitry,  component  redundancies,  and memory-protect features.
They  are trusted operating  systems and  machine  accounting  routines.   They are  encryption
algorithms and  security violation reports  and hash totals and audit trails.

-------
Administrative controls are every bit as important as technical and  physical  ones  but  take
a little more imagination to picture.  Administrative controls concern people and
procedures.  Whom you hire, when you fire, how you train, supervise, and discipline all
matter.  Who  is authorized  to do what to which, when, matters.  So  does log  keeping.   You
need  to  keep  track  of who  enters  a  sensitive area, who  receives a  delivery,  and  who
requests  a  sensitive  report.   The  procedures  you  develop and  follow  for  software
development and for software  and hardware modification matter too.  So  does  tracking usage
and chargeback.   You need procedures  to  rotate critical  data  through  offsite  storage  and
procedures for contingency operation in case of data center disaster.

Managerial controls tie everything
together.  Picture, as in Figure 1, a
three-tiered triangle with "management" at
the top,  "administration" in the  middle,
and "physical" and "technical" forming the
base.

Managerial  controls  concern  planning and
evaluation.   They involve  the allocation
of  people,  plant,   equipment,   time,  and
dollars.    They  include  formal  audit.
Audit means  an independent review  of the
effectiveness  and  efficiency  of  your
controls.   It's a check  to  make  sure that
your controls are actually in place, being
followed,  and  working.   When audit finds
things   amiss,   you're   back    in   an
interactive  loop -- that   is,  back  to
planning   and   evaluation,   resource
allocations, and another  audit.  For sure,
security isn't a one-time drill.

The final  concept  is RISK MANAGEMENT.   Recall  that  the  definition of  risk was  expected
cost,  over a certain amount of time, for the occurrence of a specific adverse event.   Risk
management adds another element:  selection  of  suitable  controls.   At  the most elementary
level, it's making sure  that the cost of the control is  less  than  the  risk.   It  would be
patently ridiculous  to install a $200,000 fire prevention  system at a  minicomputer  site
where the  risk is $10,000.

Control strategy  is  rarely,   if ever,  easy.   Choices range from  simple  to  sophisticated,
singular to serial,  inexpensive  to  exorbitant.   With each choice comes cost:  dollars for
installation and operation of controls, dollars for risk.  The trick is to pick the
control which will result in the lowest total "cost."  Look at Table 2 and select a control.

[Figure 1.  Controls.  Labels: PHYSICAL, TECHNICAL]

                       Table 2.  Example of Control Strategy

                                                       "Cost"
     Adverse Event    Control               Control      Risk       Total

     Theft            Guard Service
                        24-Hour             $90,000     $95,000    $185,000
                        3rd-Shift           $25,000     $35,000    $ 60,000

-------
If you  picked  the  guard  for  the  graveyard
shift,  you  picked  right.    The  price  of
control  is  less  than the  risk,  and  the
total  "cost"   is   the  lower  alternative.
Results  are  often surprising, things  you
wouldn't guess.  Hardware encryption makes
sense but software encryption doesn't.
Passwords must be changed more often.
Employee termination procedures need
reworking.  Figure 2 graphically presents
this  effect.

The  total  "cost"  principle works just  as
well  for a whole  data  center or a complex
application system as it  does for  a  single
adverse event.  It's just  infinitely more
complicated.     In  fact,   thousands   of
calculations and hundreds of iterations on
the   calculations  are  often  required.
Obviously,  risk   management  is  a good
candidate  for  automation.    And  as  you
might  guess,  there  are  companies in  the
business of supplying proprietary software
so you can do just that.
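
The total "cost" principle above, worked as an added example that is not part of the original article: the first function reproduces the Table 2 choice, and the rest goes beyond the single-event case to several adverse events and controls that counter more than one threat. The baseline risks, the reduction fractions, and the assumption that controls act independently are constructed for illustration.

```python
from itertools import combinations

# Table 2 from the article: two alternatives for one adverse event (theft).
# "risk" is the expected loss that remains with that control in place.
TABLE_2 = {
    "24-hour guard service": {"control": 90_000, "risk": 95_000},
    "3rd-shift guard service": {"control": 25_000, "risk": 35_000},
}

# Constructed figures for the generalization (not from the article), except
# the $200,000 fire prevention system set against a $10,000 fire risk.
BASELINE_RISK = {"theft": 120_000, "fire": 10_000, "vandalism": 40_000}
CONTROLS = {
    # "reduces" = fraction of an event's expected loss the control removes.
    "3rd-shift guard": {"cost": 25_000, "reduces": {"theft": 0.70, "vandalism": 0.80}},
    "door locks": {"cost": 3_000, "reduces": {"theft": 0.30, "vandalism": 0.25}},
    "smoke detector": {"cost": 1_500, "reduces": {"fire": 0.50}},
    "fire prevention system": {"cost": 200_000, "reduces": {"fire": 0.95}},
}


def lowest_total_cost(alternatives):
    """Pick the alternative whose control cost plus remaining risk is lowest."""
    totals = {name: a["control"] + a["risk"] for name, a in alternatives.items()}
    best = min(totals, key=totals.get)
    return best, totals[best]


def overpriced_controls(controls, baseline):
    """Elementary check: controls that cost more than the risk they address."""
    flagged = []
    for name, c in controls.items():
        addressed = sum(baseline[event] for event in c["reduces"])
        if c["cost"] >= addressed:
            flagged.append(name)
    return flagged


def total_cost(selected, controls, baseline):
    """Control dollars plus the risk left over once the selected controls act.

    Assumption: controls act independently, so remaining fractions multiply.
    """
    spend = sum(controls[name]["cost"] for name in selected)
    residual = 0.0
    for event, loss in baseline.items():
        for name in selected:
            loss *= 1.0 - controls[name]["reduces"].get(event, 0.0)
        residual += loss
    return round(spend + residual)


def best_control_set(controls, baseline):
    """Try every combination of controls (including none); keep the cheapest."""
    best = ((), total_cost((), controls, baseline))
    names = sorted(controls)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            cost = total_cost(combo, controls, baseline)
            if cost < best[1]:
                best = (combo, cost)
    return best


if __name__ == "__main__":
    print(lowest_total_cost(TABLE_2))
    print(overpriced_controls(CONTROLS, BASELINE_RISK))
    print(best_control_set(CONTROLS, BASELINE_RISK))
```

The exhaustive search doubles in work with every control added, which is the growth in calculations the paragraph above describes for a whole data center.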

In summary,  think back to our original  goal to

                 TAKE ALL REASONABLE MEASURES  TO PROTECT OUR ADP RESOURCES

"ADP  resources" you  now  know are  everything from hardware to  information.   "Protection"
you  know  too.   It's  the prevention,  detection,  minimization,  or recovery from  a  threat
exploiting a  vulnerability,  reaching a resource,  and causing  an  adverse event.   That's
control.  And  "reasonable"  is what risk management is about.  It elevates the selection of
protection from guesswork  to rational, predictable decisionmaking.   And  finally,  "take"
means "do it."

[Figure 2.  Control Strategy.  Axis label: REDUCED VULNERABILITY]

         (Continued from page 3)

Additional  training,  the  team  believes,
would  also  improve  systems  development.
To illustrate the value of  such  training,
three instructors from NADPI described  the
courses  they   teach:     Wayne  Savage
(DeBoever,  Savage,  and  Associates), "ADP
Project Administration";  John  Sherrod
(independent consultant),  "Overview of
Information  in EPA";  and  John  Censor
(Planning  & Control,   Inc.),  "Project
Management Principles and  Practices."

AUDITS AND STUDIES
Gerard   Hallaren   (IDC)   reminded  the
conference  participants  that  computer
technology advances  faster than most users
and  managers can  absorb  and  that both
hardware and  software  continue to  become
more  specialized.    And since EPA  has
embarked  on an  ambitious   procurement
program to sustain  its computing  resources
to  the year  2000,  he  emphasized  that  a
sound  knowledge of  computing  resources  is
essential.     J.   Michael   Steinacher
(MIDSD/NCC)  then  reviewed  the results  of
the many specialized studies undertaken  by
the Systems Acquisition and Implementation
Program  team to  prepare  for  this  large
computer service procurement.

Wilbur  D.   Campbell  (GAO)  described the
audit program at GAO,  the method  of making
audit  assignments,  and  the  strategy  of
integrating  the  results  of these  audits.
He  too pointed out  that  GAO  audits and
other  consulting reports show  the  need  to
change  ADP management  structure  and the
programs it serves.  Dan S. Soranno  (GAO)
reported that GAO has completed  its  audit
of EPA's ADP  program.  He  highlighted the
audit, the  approach  taken,  the  conclusions
reached, and the recommendations  submitted
by the team.

-------
 Edward J.  Hanley  (OMAS) presented  the
 recommendations of  the DAA Advisory Group
 on  Monitoring  and  reviewed  the basis for
 the  recommendations,   the ADP  management
 study  performed  by  Nolan  and  Norton.
 Hanley predicted  that   the  study  will
 become  part   of   a   major   management
 initiative  and  will  affect  hundreds  of
 Agency personnel.


 SYSTEMS CONSOLIDATION

 A.  Michael  Kaplan  (FMD)  reported  on the
 Office of  Resource  Management  (ORM)
 Integration Project.  The project  involves
 developing a management information system
 by   combining   data  from   Personnel,
 Contracts, Finance, ZBB,   and Grants.   The
 project  team   is  currently  working  to
 provide management  with   better  and  more
 efficient  information.    They  have,  for
 example,  furnished data to programming
 offices, developed  a project control  that
 allows users   to  access  data  in  the
 financial  management   data   base,   and
 directed  programming offices to input
 their  data  directly  into  the financial
 management  system.   In addition,  they
 hired  Arthur Young and  Associates  to study
 the requirements of management.

Donald Fitzpatrick (Arthur  Young   and
Associates)  discussed  the findings of the
ORM study, "Alternative Strategies for the
 Integration of  ORM Information."   The
report  offers  four alternatives designed
 to improve information  handling capability
 in  ORM,  to  improve management of  ORM's
current information  resources,  and  to
assist ORM in planning  for future support
requirements.

Morris  Yaguda  (MIDSD)  and six  panelists
representing various activities in EPA's
Consolidated Permit  Program discussed  this
new  consolidated  approach to  contractor
resources  and management.

Currently, information  is  collected by EPA
and  the  states,  but  management lacks
common  facility and chemical  ID numbers,
standard geographical  codes,  data  element
standards, integrated information systems,
a  comprehensive  process  to  maintain
high-quality information,  and a formal
structure  to   manage   information   at
headquarters, in the regions,  and  in  the
states.

By integrating separate information
systems and permit programs, the
Consolidated Permit Program seeks to (1) provide
complete residual controls, (2) remove
inconsistencies and overlaps, (3) streamline
permit processing to a single
regional  office,  (4) encourage public
participation,  and (5) reduce  costs.   And
by  showing  that  the  program  works,  EPA
hopes  to  foster  state participation  and
eventually  transfer  the  program  to  the
states.

How  to establish  a  Chemical  Substances
Information    Network    (CSIN)     was
demonstrated by Sidney Siegel  (OTS/OPIl).
CSIN,  a  network  of  coordinated  on-line
information  systems   concerning  chemical
substances,   can  provide   access   to
information in hundreds  of potentially
relevant  data bases.    Thus it could
satisfy  requirements  regarding  toxic
substances  legislation   and  a  broad
spectrum of related activities.

To  implement such  a  program,  Siegel  says
that you  need  two  things:   "the  physical
and  mental  attributes   of  an  alley
fighter."

According  to Siegel, CSIN could be used by
regulatory agencies, research
institutions, industry, public interest groups,
and  educational  institutions.     Its
benefits include increased productivity of
professional staff, high  product  quality,
rapid response, and effective  interagency
data sharing.   A CSIN prototype,  he said,
will be in place with some capability  near
the end of 1980.


SPECIAL INTEREST GROUPS

New  to   this  year's conference  were
meetings held  by  user groups:   Regional
ADP Coordinators, Financial  Management
Officers  and  Users,  and   Minicomputer
Managers.    Where appropriate,  joint
meetings were conducted.

Included  for   the  second   time were   the
"Birds-of-a-Feather"  sessions.    These
small,  informal meetings  were devoted  to
special-interest  topics   such  as  word
processing,   RACF  security  and   MVS
conversion at  WCC, and distributed  data
processing.
     (Continued on page 8, column 2)

-------
NCC REQUESTS GRAPHICS INFORMATION

                            Ernie  Watson
"A picture is worth a  thousand words" is a
quotation   especially   applicable   to
graphics  in   the  computer  industry.
Although  the  technology  for  graphically
representing  data  has  existed  for  some
time,  only  recently has it come  of age.
To better plan for this  "coming of age" in
EPA,  the National  Computer Center  needs
your input.

The  NCC  has mailed a graphics survey  to
all  ADP  Coordinators  in the Agency.   It
asks  for specific recommendations  and
poses questions about  current requirements
and support.  Thus it  is designed  to help
the  NCC  assess  not   only your  future
graphics requirements  but  also   your
present  level of satisfaction  relative to
graphics.

The  NCC  hopes  that your  ADP  Coordinator
will  seek  your  assistance.    If   not,
however,   won't  you share  your  viewpoint
with the  coordinator anyway?
         (Continued from page 7)
SUMMARY

The  conference  centered   on  change,
planning,   management,   and   systems
consolidation.   Its  overall  theme  of
"Information   Resources in  Transition"
recurred    frequently   as    the   310
participants  exchanged  ideas, outlined
plans,  and  highlighted  programs  and
studies.   The conference demonstrated  that
EPA's current activities should give the
Agency the blueprint it needs to build for
the future. R.  C. Stringer perhaps summed
up the general  feeling best in his closing
remarks.   "After meeting a lot of you,"  he
said, "I am far more optimistic about our
chances of success."
            UNITED STATES
      ENVIRONMENTAL PROTECTION AGENCY

      National  Computer Center
       Research Triangle Park
        North Carolina 27711


-------