The company has found that through the use of role-based security authentication and the defining of rights by role, the certification and accreditation audits are far more efficient in being completed, and provide far greater value. The previous approach of stratifying authorization to use systems within the company and the definition of access privileges by application, development tool, development region, or workbench development areas accessible globally over the network have been redesigned to define role-based approvals instead. This approach to roles-based workflows and the integration of only those system resources required for use has made auditability and compliance, hence certification more efficient. If there is variation from a role-based process alerts are immediately triggered and sent to system administrators and the system security managers. The rules of behavior are now applied on a per-role basis, no longer defined by a per system, application, workbench area or region of the development network. As a result the compliance to certification and accreditation as defined by agency audit criteria has dramatically improved as Coyote Systems has taken a more role-based approach to granting or denying access to systems, application and development tools. Variations from roles and behaviors are much more easily audited and investigated and potential security breaches thwarted. The final area of the management controls area is the systems security plan. In this area, Coyote's expertise in software development as their core business is evident. The CIO is the owner of the system security plan and collaborates...

Together this cross-functional team regularly meets to review how best and most securely to manage system integration strategies across the global development network. Their recommendations are turned into strategies reflected in the system security plan and then implemented by their internal development teams and rolled out by system administrators. Prior to the modifications being launched by the system administrators the VP of Software Quality has his department complete a series of regression tests relative to legacy operating systems, applications and development tools, and also completes a series of software quality assurance tests to verify its security. Once all of these tasks are completed the CIO and VPs of Software Engineering, Systems Infrastructure, Software Quality and Enterprise Security review the test results and authorize the integration, also updating the system security plan. The system security plan is kept current for major integration projects, yet does not reflect the process-related security updates that are occurring from the role-based definition. This is a major shortcoming of the plan and needs to have a role-based authentication section added to it. In addition the summary plan is also included in the broader IRM plan and is part of the broader it strategic planning process. In conclusion the system security plan is updated for significant system integration projects and plans, and also reviewed as part of the it strategic planning process. It also is part of the quarterly management