Authority to Operate (ATO)
What is an ATO (Authority to Operate)?
Per University Policy AD95, any system processing or storing Restricted or High data must receive an Authority to Operate (ATO). Obtaining an ATO is how Penn State demonstrates that such systems meet the rules and regulations the University is obligated to follow. The first step of the enclave process is to submit an ATO request. This request is used to track and manage your enclave project for its entire life cycle.
Once you have completed the processes required for Authority to Operate, OIS will review the controls and processes you have put in place and issue the ATO. Once issued, OIS reviews the ATO on a yearly basis. You are not required to have the ATO reviewed when routine changes are made to the environment, but we welcome you to consult with us if you plan changes that would significantly alter the way your system works. The ATO is not a change management process.
Please submit an ATO request for every information system you have that contains High (Level 3) or High Plus/Restricted (Level 4) data. An "information system" is defined as a collection of systems that process, store, or handle the same type of data. For example, a health management application consisting of a database, a web server, and 20 clients that use the web interface would be a single information system and require a single ATO. If that same unit also managed a system that stored Social Security numbers for the purpose of royalty payments, that would be a separate information system requiring its own ATO.
Enclave Quick Checklist: Requirements by Phase
- Create an ATO ticket
- Establish next-generation endpoint protection (Cylance)
- Begin security log collection, analysis and retention (Splunk)
- Ensure vulnerability detection (Nessus)
- Implement best practice items from Standards – User access, authentication, and authorization
- Implement best practice items from Standards – Enable host-based firewalls
- Generate all required system documentation
- Encrypt data in transit
- Secure endpoint access
- Integrate with Penn State’s Enterprise Firewall
- Complete security awareness training
- Implement physical security
- Use Enterprise Active Directory
- Ensure full network segmentation
- Restrict data transfer
- Fully integrate CyberArk, including administrative account password management, one-time passwords, and password rotations
OIS provides University leadership with status updates on unit compliance with University Policy AD95. OIS collects monthly unit progress updates toward ATO compliance and generates reports to accompany these status updates. The reports include:
For each Level 3 or Level 4 information system:
- System owners for each system
- Data classification of each system
- Status update collection period for each system
- Last completed phase for each system
ATO status for each system per unit:
- Percentage of total systems with ATO
- Last phase completed
- Completion rate compared to total University Level 3-4 systems
- Special circumstances impacting progress
Please cooperate with data collection efforts.
Information security is a collaborative effort. With your help, OIS can provide accurate, timely reporting to University leadership, allowing them to make informed decisions.