Presentation to ISSD Task Force INFORMATION SYSTEMS SECURITY DIVISION Reorganization Study Prepared: May 6, 1991 Revised: May 7, 1991.


I. Proposed Reorganization (Security Automation Division)
II. Why Merger of Fraud Detection and ISS Divisions
III. ISSD Staff Reduction
   - Service & Project Assumptions
   - ISS-WA Organization & Service Reductions
   - ISS-LA Organizations & Service Reductions
   - ISS-AZ Temporary Organization
IV. Cost Reduction Summary
V. Action Summary
VI. ISSD Functions Summary

- Reduction in Cost
- Infusion of Expert System Knowledge into Security Function
- Centralized Supervision & Administration of Security Technical Functions

WHY J XXXXXXX AS DIVISION MANAGER
Significantly More Technical and Managerial Depth
- 30 years of Technical and Managerial Data Processing Experience
- Development and Systems Assurance Management Experience
- Data Center Production and Operations Management Experience
- Security (RACF) Project Experience
- Expert Systems Project Experience
- Commercial and M Application & Architecture Design Experience
- Business Resumption and Data Processing Contingency Planning Experience

- SAD, with the support of SPAC, performs Security Product Reviews.
- SPBA accepts decentralized Branch Security Administration.
- AZ Security Service will be provided without local presence (no reduction in service anticipated).
- SPAC-NW will use their current system as the basis for SPC Online Request Processing and therefore have responsibility for SPC Security Architecture.

ELIMINATE
- Security Boiler Plate Contributions to Legal Documents

REDIRECT
- MVS Request Processing
- Physical Security Reviews
- Security Product Research

REDUCE
- New Business Research
- Procedure and Guideline Writing
- Security Awareness Program
- Department & Division Administrative Documentation

ELIMINATE
- Security Boiler Plate Contribution to Legal Documents

REDIRECT
- PC/Virus Software Distribution
- Physical Security Reviews

REDUCE
- Security Product Research
- New Business Research
- Procedure & Guideline Writing
- Security Awareness Program
- Department & Division Administrative Documentation

REDIRECT
- Procedure & Guideline Writing
- TANDEM Request Processing, and Violation Reporting & Review

CONSOLIDATE ELSEWHERE INTO SAD
- MVS Environment Management (WA)
- MVS Request Processing (LA)
- Cryptographic Key Management (LA)
- Audit Response (WA)

TRANSFER TO USERS
- Thirty Plus Internal Security Applications

2ND QUARTER
- Layoff Division Manager
- Layoff Mainframe Technical Consultant in LA
- Layoff Midrange Technical Consultant in LA
- Move Data Security Analyst from WA to LA (add TANDEM skills to LA)

4TH QUARTER
- Complete Conversion of Arizona Processing to Common Architecture

1ST QUARTER
- Transfer (Layoff) AZ Manager
- Layoff AZ Data Security Analyst

KEPT AT CURRENT LEVEL OF EFFORT
- SPC Security Architecture Development
- Mainframe & Tandem Security Request Processing (Consolidated)
- Mainframe & Tandem Security Technical Support
- Midrange, LAN, and PC Security Technical Support
- Network Security Support
- Online Security Request Processing System Development
- Wire Transfer Security Support
- Cryptographic Key Management
- MAC Security Request Processing (CA)
- Database and Tracking of Waiver, Virus, and Security Incident Events
- Information Systems Security Committee (ISSC) Support
- Information Systems Security Manual (ISSM) Policy Development
- Application Project (such as BDS) Security Consulting

REDUCED LEVEL OF EFFORT
- Security Procedure and Guideline Writing (Consolidated)
- Security Awareness Program
- Security Product Reviews (with SPAC)
- New Business Research Assistance
- Department and Division Administrative Documentation

OVERALL PURPOSE
The purpose of this position is to provide support to the Corporate Security Department objectives in:
- Managing and coordinating computer security plans, projects, and policies;
- Developing external fraud detection and prevention applications;
- Administering passwords and user identifications for production and development operations;
- Identifying and monitoring emerging technology in the fields of information security and expert systems products.

REQUIREMENTS
- Minimum of 20 years of data processing background with a thorough understanding of computer operating systems and networks. The major emphasis is in database computer environments supported in different geographic locations.
- Ability to interact with senior management to gain concurrence on security-related methods and production processing.
- Possess technical skills to interact, make decisions, and implement security methods consistent with business and technical requirements.
- Proven record of knowledge-based application development and installation.

RESPONSIBILITIES
- Provide technical direction and leadership to apply and create access controls to meet Federal, State, CCC, NBE, and internal audit requirements. Additionally, provide risk versus exposure analysis and recommendations.
- Provide security direction in the SPC dynamic technical and business environments.
- Work with AC in the creation of security-related technology, products, procedures, systems, and concepts. The position requires the ability to innovate and to manage innovative projects.
- Ensure that the security needs/requirements of the corporation are maintained and established with consideration to the amount of risk or exposure to electronic assets.
- Ensure and provide technical direction to mitigate security-related failures and damage that can have significant negative impact on the total organization.
- Provide technical direction for the design of expert systems related to external fraud detection and prevention.
- Ability to analyze user expertise into knowledge base rules.