ASSESSING INFORMATION SYSTEMS SECURITY WITHIN LOCAL GOVERNMENTS: A PILOT STUDY FOR CENTRAL PENNSYLVANIA
Charlotte E. McConn, Jungwoo Ryoo, Tulay Girard
Penn State University, Altoona College

Overview
• Rationale
• Methodology
• Theoretical framework
• Small local government interviews
• Study results

Threats & Vulnerabilities
Could be internal (employees) or external to the organization.
Malicious threats
• Interruption of service
  • Denial of service attack
  • SPAM
• Interception of data
  • Packet sniffing
• Modification of data
  • Fraud
  • Embezzlement
• Social engineering
  • Phishing
  • Extortion
Natural threats
• Fire
• Flood
• Hurricane
• Tornado
Normal technical problems
• Hardware
  • Power failures or surges
  • Disk crashes
  • Downtime

Importance of Security
• Data loss / identity theft
• Financial loss - $$$$$$$?
• Loss of privacy / peace of mind
• Employment risks / liability
• Criminal prosecution
• Personal productivity / time wasted

Rationale
Preliminary literature search indicated:
• Information systems security is a major concern of many organizations.
• Security policies have been developed and security funding is available for large federal and state governing bodies.
• Not much research has been published on security issues faced by small local governments, policies in place and enforced, and funding available for security.

Research Objectives
• Build an assessment framework and measurement model that can quantify the overall information systems security readiness of a specific type of organization.
• In particular, measure the vulnerabilities and security readiness of small municipalities.

Methodology
This is a preliminary study that was carried out in the following four steps:
Step 1: research the structures of local governments in central Pennsylvania,
Step 2: form an advisory board with expertise in Pennsylvania local governments,
Step 3: interview key individuals who have first-hand knowledge of the information systems used in local governments, and
Step 4: analyze the interviews to discover and document what types of information technologies local governments use, security challenges they face, how they provide security for their systems, and the level of security readiness.

Theoretical Framework
Measurement models for information systems security readiness have a core set based on these dimensions:
(A) Infrastructures,
(B) Policies, Education, and Training,
(C) Enforcement.

A. Infrastructures
Security software
• Secure operating systems
• Firewalls, virus scanners, anti-spyware
• Intrusion detection software
• Encryption software
Physical security
• Locks, perimeter alarms, access restrictions
Human resources
• Employees designated to handle security-related tasks including planning, risk assessment, technical support, monitoring, auditing, etc.

B. Policies, Education, and Training
• Are policies well developed and readily available to employees?
• Is periodic security training mandated and funded?

C. Enforcement
• What are access and authorization controls?
• Are employee activities monitored?
• What are accountability practices for deviations from published policies?

Local governments in PA
• 57 Cities
  Major metropolitan areas: Philadelphia (East) & Pittsburgh (West)
• More than 900 Boroughs
  Populations vary from less than 100 to over 38,000
  About 1/3 are urban; the rest are rural
• Townships
  Larger in area and typically surround a borough or city
  91 urban & 1400 rural townships

Communities Studied: Central Pennsylvania, USA

Interviews Conducted
Case 1: an urban borough
• Population: over 5000
• 47 employees
• 7 networked workstations
Case 2: a rural township
• Population: over 4000
• 18 employees
• 2 stand-alone microcomputers
Case 3: a rural borough
• Population: just over 900
• 10 employees
• 2 stand-alone PCs, one with internet connection
Local computer consultant
• Provides support to #1 and #3 as well as many other small local municipalities

Initial Interviews
• How is each local government organized?
• What types of computer applications are used?
• Which individuals within each organization have access to the computer systems and sensitive data?
• Who is responsible for information systems and security?
• What types of information systems security training do employees receive?
• What types of computer security systems are installed?
• Who is responsible for technical support for the information systems? Is the support provided within the organization or outsourced to an external firm?

Study Outcomes: A. Infrastructure
i. Software security: the local government officials in this study were aware of the importance of firewalls and anti-virus software. However, they were less aware of the possibility that their information systems might have been compromised.
ii. Physical security: needs to be improved. In two of these communities, doors were locked at the end of the day, but no alarm systems were installed.
iii. Human resources: there is a need for a designated person to handle risk assessment, security planning, employee monitoring, and intrusion detection/prevention, which was minimal or non-existent in the communities in this initial study.
iv. Outsourcing: the case studies show that many local governments outsource their information technology projects. More oversight is necessary to prevent outsourcing from becoming another source of security vulnerabilities.

Study Outcomes: B. Policies, Education, and Training
This category shows the greatest need for improvement. There seems to be a widespread lack of well-defined and well-documented information systems security policies. Training appears to be sparse. All the key informants in the case studies expressed an interest in more security training, but they agreed that funding is the biggest obstacle.
A minimum set of security policies needs to be established to address:
• the enforcement of strong passwords and periodic changes in them,
• the encryption of data, especially on back-up devices and laptops,
• the specification of more secure locations for back-up data storage devices,
• the regular information systems security training of any employees who have access to sensitive data.

Study Outcomes: C. Enforcement
Although one local government was found to have limited security policies in place, this study suggests that policy enforcement is weak because supervisors are not monitoring employees' activities relevant to information systems security.
Local government employees must not only be better trained, but their usage of the information systems must also be monitored. Employees violating published information systems security policies should be held accountable.

Future Directions
This study will serve as a basis for a more exhaustive study of communities throughout the state.

Questions & Contact Info
Charlotte Eudy McConn, M.S., CDP
• [email protected]
• www.personal.psu.edu/cxe6
Jungwoo Ryoo, Ph.D.
• [email protected]
• www.personal.psu.edu/jxr65
Tulay Girard, Ph.D.
• [email protected]