VIEWGRAPH 1: PROBLEM FROM AN AGENCY PERSPECTIVE

Document Number (FOIA) /ESDN (CREST): CIA-RDP90G00993R000300390009-3
Release Decision: RIFPUB
Original Classification: U
Document Page Count: 13
Document Creation Date: December 27, 2016
Document Release Date: August 23, 2012
Sequence Number: 9
Content Type: MISC
Declassified and Approved For Release 2012/08/23: CIA-RDP90G00993R000300390009-3

UNCLASSIFIED

VIEWGRAPH I: PROBLEM FROM AN AGENCY PERSPECTIVE

INFORMATION EXPLOSION
GROWING NEEDS OF POLICY COMMUNITY
TECHNICAL SOLUTIONS AVAILABLE
AUTOMATION HAS INCREASED SECURITY RISKS
BALANCING ACT NEEDED
INCREASING COMPETENCE OF USERS
DECISION-MAKING PROCESS OUTMODED
AGENCY-WIDE POLICY NEEDED

TALKING POINTS: The Problem From An Agency Perspective

-- We continue to create ever more impressive ways to collect information, extending and expanding the information "explosion."
-- We confront a policy-making community with a continually growing appetite for information and judgment on a rapidly changing and expanding array of issues; information technology is becoming increasingly central to our ability to satisfy this appetite.
-- The technology that is creating the "explosion" can also help us cope, but we must do a better job of managing to use technology effectively.
-- The security challenge posed by personal computers and networking is growing.
-- The rapidly expanding capability of personal computers at continually declining cost may accelerate a trend toward the acquisition of specific hardware for specific problems or functional areas (such as system tasking, counterterrorism support or overseas operations). Vendors can be expected to develop lots of ideas to tempt us. Balancing our compatibility and security concerns with obvious opportunities for improving the quality of our work will be much more difficult in the years to come.
-- Young people coming to work for us are more and more accustomed to working with computers, and current employees are rapidly becoming "computer literate." We must both challenge them, and give them a voice in determining what tools they will use, or we will lose the best among them.
-- Our decentralized decision-making process isn't serving us as well as it once did. We need to develop an agreed-upon Agency perspective and policy on issues to provide the policy structure and guidance we need.

VIEWGRAPH II: STRAWMAN AGENCY INFORMATION POLICY

A. STATEMENT OF COMMITMENT                      Thursday, 1500-1600
B. SECURITY IN A CHANGING ENVIRONMENT           Thursday, 1600-1800
C. RESPONSIBILITY                               Thursday, 2000-2200
D. HUMAN RESOURCES                              Friday, 0800-0930
E. COMPATIBILITY, STANDARDS AND PROCUREMENT     Friday, 0930-1130
F. NETWORK PLANNING AND MANAGEMENT              Friday, 1300-1430

A. STATEMENT OF COMMITMENT - Talking Points

Problem:
-- No Agency authority on information technology - OIT and OC have done much work in identifying our future and options, but no Agency-wide policy or statement of direction exists
-- Perception is lack of direction/floundering/being driven by technology
-- Employees do not know "rules," and will identify solutions incompatible with Agency-wide standards and directions unless we settle on these and put in place reasonable mechanisms to ensure that we can achieve our goals. (Some could say there aren't any rules.)

Goal: Provide guidance and direction to all employees on information technology

Strawman Policy Elements:
-- commitment to use information technology to improve productivity, efficiency and the quality of our substantive work
-- intention to create an information technology structure in which individual creativity thrives but corporate needs, not parochial concerns, form the basis for policy decisions
-- commitment to secure data processing with a workstation on every desk by 2000
-- intention to actively MANAGE information technology use and investments
-- intention to create a single, compatible network based on cooperatively determined technical standards
-- users and central services will jointly determine standards, but once agreed upon, compliance will be required
-- intention to introduce new technology by evolution and more quickly where problems require it
-- decision to abandon "homegrown" solutions in favor of mainstream information technology solutions wherever possible
-- intention to balance security/compatibility demands with advanced technology needs

I Propose: ISB should draft and publish an Agency information technology policy statement, incorporating the policy elements above

B. SECURITY - Talking Points

Problem:
-- the PC has changed the game; the threat to our automated data is growing in scope, complexity and cost
-- too many users do not comprehend the seriousness of the problem or understand the rules of system use
-- the efforts of many players spread over several offices remain unfocused and therefore less effective
-- we have no statement of the overall priority of security within the whole information technology area
-- little leadership

Goal: Established, well-publicized set of security standards governing our network and systems, rules for system users, a policy enforcing these, and a well-funded and focused computer security investment program, and a widespread employee sense of ownership/commitment to all these rules.

Strawman Policy Elements:
-- statement of Agency commitment to a security program and protected funding for it
-- rules and penalties governing system use
-- real-time auditing of system use
-- regular authentication of users
-- physical control and encryption of all locally-stored data
-- real-time network and gateway monitoring and interdiction to enforce compartmentation and suppress unauthorized data transfer
-- importance of employee commitment and support

Payoff:
-- better security
-- focus the various security players on a single, comprehensive program
-- educate all employees on the rules and reduce the incidence of non-criminal "hacking"
-- raise the priority of the computer security issue in budget deliberations
-- wider base commitment/support
-- provide a model for other Community and defense agencies to follow

I Propose: The Board should ask DDA to commission a task force to: (1) draft comprehensive security standards for systems and rules for users, (2) draft an enforcement policy and (3) outline a realistic program of investment and procurement to support the policy.

Suggestion: The task force should begin with all the security headaches attending the introduction of the PC's as the most serious of many current threats.

C. RESPONSIBILITY - Talking Points

Problem:
-- more competent customers are demanding better service and more functionality
-- from customers' perspective, support is fragmented and ad hoc, management is ineffectual
-- introduction of the PC brings new needs for customer support
-- pressure on components to buy vendor solutions rather than directorate or Agency solutions is likely to grow
-- OIT doing too many little jobs, located too far from customers
-- directorate involvement uneven
-- customer (end user) responsibilities not yet thoughtfully considered

Goal: Clearly defined information technology responsibilities of individuals, components, directorates, central services (OIT, OC, OS) and vendors

Strawman Policy Elements:
-- agreement on responsibility for decisions about data including storage, maintenance, backup, updating, introduction of new technology (such as optical disks) and access to databases for all data types including current, archival, substantive and operational data
-- agreement on responsibility for all customer support including training, applications programming, hardware installation and replacement, integration of stand-alone technology, local storage options, local networking options, printing, software maintenance, consulting services, etc.
-- agreement on responsibility for acquisition, operation, maintenance of systems that will provide coftti4bicd service
-- understanding on how to launch a cooperative effort to systematically identify and introduce useful advanced technology into our systems
-- intention to establish service standards (OIT's statement of commitment to the customer) as a goal toward which we are actively working
-- Directorate organizations need service standards too

Payoff:
-- improve customer support
-- enable better cooperation between information technology customers and providers
-- help solve many "between the cracks" issues
-- free OIT from jobs customers could better do for themselves to facilitate assumption of a more active system management role

I Propose:
(1) Board members, as representatives of their directorates, should develop a preliminary consensus on management responsibilities at this conference and finalize this by year's end, and publish it as an element of the overall ISB policy
(2) Continue to support and monitor the Customer Standards Group's effort to develop service standards

Suggestion:
(1) The Board should begin with customer support and data storage as the most pressing problems of responsibility
(2) We have a new secretarial system in which we are actively seeking ways to "enrich" jobs so they can qualify to be Level IV. Are there ways to combine secretarial "enrichment" and "customer support"?

D. HUMAN RESOURCES - Talking Points

Problem:
-- our personnel management policy does not always allow the most talented information technologists to achieve their maximum potential nor maximize their contribution to the organization
-- as the economy improves, SDI gets underway, and the plethora of "beltway bandits" continues to increase, we will be increasingly hard-pressed to hire and retain the best technical specialists
-- the press of daily work gives our technical experts little time to keep current on new technology or experiment with creative solutions to our problems
-- our current personnel system is dated and inflexible -- incapable of responding to the career needs of today's technologists

Goal: A career management system that will allow us to attract, hold and motivate the best information technology specialists.

Payoff:
-- make the profession more attractive inside our organization
-- allow us to hire and keep the best in the profession
-- bring creative young technologists to work here and motivate current employees to get the retraining needed to maximize their contribution
-- improve security (happy, busy employees don't "hack")

Suggestion: The Agency Compensation Task Force is rethinking the compensation system. The Board should support and monitor this effort with an eye to the impact on information technology specialists. We should begin by tabling some creative new ideas for the Task Force to consider.

E. COMPATIBILITY, STANDARDS, AND ACQUISITION - Talking Points

Problem:
-- decisions to procure new capabilities aren't being made against a common set of standards or rules
-- the problem will get worse as standalone system costs come down and vendor imagination increases
-- we continue to waste time and resources rekeying already digitized data because many of our systems cannot communicate with one another
-- we are increasingly likely to procure systems which will require expensive subsequent modification to provide connectivity
-- we decrease our organizational flexibility and restrict the mobility of our people by proliferating standalone systems

Goal: A single telecommunications and data processing system in which compatibility and connectivity are limited only by security requirements, and are supported by technical standards and responsible procurement decisions.

Strawman Policy Elements:
-- endorse a statement of direction toward distributed architecture and decentralized functionality
-- state that technical standards are necessary and they will be cooperatively determined and centrally enforced
-- state that we will procure no new systems which fail to meet the technical standards we adopt, and that older systems will be required to conform to the standards as part of any upgrade plans
-- agree that OIT and the directorates will cooperate to choose, with the framework of our technical standards, a handful of the most generally useful solutions for procurement
-- redefine the role of OIT and OC in actively and creatively managing network, including enforcement of standards and procurement decisions
-- statement that the only exceptions to compatibility and standards rules will be made for small, narrowly focused systems with stringent security needs

Payoff:
-- keep technical complexity, costs, and the number of different approaches to similar problems within reasonable bounds
-- limit technical constraints on user mobility and communications
-- improve security
-- simplify and structure investment decisions
-- make modernization and innovation easier and less costly

I Propose:
(1) The Board continue to support and monitor the work of the Customer Standards Group to develop technical standards that will ensure compatibility.
(2) The Board draft and publish a policy statement incorporating the above policy elements for enforcing standards

F. NETWORK PLANNING AND MANAGEMENT - Talking Points

Problem:
-- we are not actively managing the network we are building nor the systems already in place
-- the directorates do not understand their own requirements and priorities well and do not state them clearly
-- we need a better way to analyze the costs and implications of directorate investment decisions for the world-wide network
-- we need a better method for assessing the impact of external demands on our network and systems
-- we need a method for systematically reviewing and identifying advanced technology that would improve the way we do our business
-- in short, we don't plan as well as we should

Goal: To understand our information technology requirements, priorities, costs, long-range implications and use this knowledge to actively manage our network world-wide.

Elements:
-- a model of the network
-- an efficient method for determining requirements, defining priorities and making resource allocation and investment decisions based on these
-- new technique for assessing the impact on the whole network of new systems, customer-initiated programs and external customer demands for our services

Payoff:
-- ensure each of us understands our organization's information technology requirements and priorities
-- better grasp of budget choices and better investment decisions
-- priority problems do not wait forever for technical solutions already available elsewhere