Upload
edgar-franklin
View
218
Download
2
Tags:
Embed Size (px)
Citation preview
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 2
• Disaster Recovery• File & Disk Level Encryption• Enterprise & Personal Firewalls• Ongoing Vulnerability Testing• Multi-tier Anti-Virus Solutions • Intrusion Detection Systems• Internal Modem Control• Operating System File Integrity • Web Site Security • Patch Management• Wireless Security• E-mail Filtering and Monitoring• Spam & Spyware Controls• Employee Web Monitoring &
Filtering• Instant Messenger Monitoring &
Management• Intrusion Prevention (Behavioral)
• Platform Security Compliance• Remote Access Authentication /
Identity Management• Remote Security Administration• Enterprise-wide Single Sign-On• Self-service Password Reset • Secure Web-Based E-Mail• Password Recovery• Change Management Tracking• Document Control &
Classification• Log Analysis & Consolidation• Network Traffic Monitoring &
Reconstruction• Forensic Investigations & Media
Analysis• Agency & Staff Certification
Copyright © Bill Spernow 2006
Justice IT Security Issues
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 3
Basic Security Policy Process
Identify what assets you need to protect. Identify the threats to those assets. Use frameworks and industry-specific
guidance to select and implement controls to mitigate the threats.Policies and procedures.Technical controls.Human controls.
Monitor compliance and effectiveness of controls (Metrics).
Periodically review and update controls.
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 4
Security Policy Program Success
Success is Dependent on Four Interdependent Components:
1) Strong Upper-Level Management Support
2) Practical Security Policies and Procedures
3) Properly Implemented Controls
4) Quantifiable Performance Metrics and Analysis
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 5
Common Justice Problems…
Systems are already developed
Personnel are already in place with various levels of training
Some policy may exist
Some Procedures may be in place
Some Controls are in place
Some metrics may be used to measure compliance
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 6
Just what is a Security Policy?
• A Security Policy is a directive that defines a specific behavior for one or more individuals within your agency.
• Each Security Policy is designed to reduce a specific set of security risks to a level acceptable to management.
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org
IT Security Policies in reality…
• They are administrative directives.
• They set goals and assign responsibilities.
• They are a pain to write and implement
• and users usually think they are intrusive.
www.iccfbi.gov
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 8
Why a particular Security Policy?
• Based on the existing environment, a security policy is crafted so that it will lower the system risk to an acceptable level as set by management
• A security policy, while it may look simple, may in fact require a great deal of work to craft it properly based on your agency’s individual risk.
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 9
Security Policy Considerations?
• A Security Policy is created through an analysis of what information?
Pertinent legislation and regulations Agreements with other parties Higher level policies Detailed knowledge of the target IT system Anticipated threats Implementation and operational costs Management’s risk tolerance
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 10
Security Policy Development Life Cycle
• Policy
• Self-Assessment
• Risk-Assessment
• Controls
• Metrics (measurements)
Policy
Metrics
Controls
Self-
Assessment
Risk-
Assessment
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 11
Taking the Challenge to build Effective Security Policy
• Organize your Security Policy Development Team
• Conduct a Security Self-assessment
• Assess Security Risks
• Develop a Risk Mitigation Strategy
• Measure Your Security Controls
• Formalize and Write your Security Policy
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 12
Organize your Security Policy Development Team
a. Obtain leadership and involvement of senior management
b. Identify and recruit internal and external stakeholders and obtain their input and support
c. Assign a Project Manager to guide and oversee initiative
d. Create a governance structure with defined roles and responsibilities
e. Review your business mission and IT strategic plan as guidance to your security initiative
f. Allocate time and human/financial resources
g. Adopt a methodology and action plan to developing/implementing your security policies
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 13
Conduct a Security Self-assessment
a. Determine which system(s) or system part you want to develop security policies for
b. Assemble appropriate stakeholders and hold a kick-off meeting to discuss process
c. Gather relevant organizational data about the system(s) to be assessed
d. Conduct a Security Self- and Risk-assessment
e. Compile the results
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 14
Assess Security Risks
a. For each assessment question your team answered during the self-assessment, identify the risk and write a description of it.
b. Categorize and quantify each identified risk :• Likelihood: remote, possible or likely; • Severity: high, medium or low; • Area of impact: human, financial, liability, etc.
c. Determine your tolerance level for each identified risk (avoid, assume, mitigate, or transfer)
d. Determine a numeric priority for action for each identified risk (1 being highest priority, 3 being lowest)
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 15
Develop a Risk Mitigation Strategy
a. Prioritize risks, using the results of the risk-assessment
b. Build security controls to mitigate risks
c. Document the controls
d. Select which controls to implement and manage, and assign responsibility for these
e. Develop an implementation plan that articulates how each control is implemented
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 16
Measure Your Security Controls
a. Develop and select measurement methods for the controls you will implement
b. Identify existing measures
c. Identify all other possible measures
d. Identify implications of measures
e. Recommend measures for adoption by management
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 17
Formalize and Write your Security Policy
a. Identify existing policy that addresses the identified risks
b. Write proposed security policy that addresses these risks
c. Recommend security policy for adoption by management
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 18
WRITING AN IT SECURITY POLICY
STEP ACTION
1 Identified risk Start with an identified risk that your agency decided must be mitigated
2 Management control decision
List the control your agency management decided upon to mitigate this risk
3 Measure implementation
List the measure(s) your agency management decided to implement in order to assess the effectiveness of this control
4 Existing policy Document any existing policy the agency has that addresses the risk identified in Step 1
5 Proposed security policy
List any proposed security policy
6 Policy recommendation
Make a recommendation to management regarding security policy to adopt
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 19
Example Policy Development- Step 1 – Identified Risk
“Personnel who have not undergone thorough background checks have access to information systems.”
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 20
Example Policy Development-Step 2 – Management Control Decision
“Conduct background investigations internally using our own employees. Training will be provided by a neighboring agency that conducts their own investigations. Access to a public information database will be purchased and a policy will be written to ensure proper background investigations are conducted.”
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 21
Example Policy Development –Step 3 Measure Implementation
“The Personnel Division Commander will conduct an annual audit of the background investigations section to ensure they are complying with the agency policy.”
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 22
Example Policy Development –Step 4 – Existing Policy
“No current policy statement exists within the agency for this identified risk.”
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 23
Example Policy Development –Step 5 – Proposed Security Policy
“This policy will affect all members of the agency. The agency will immediately begin completing thorough background checks of all employees, civilian or sworn, who have access to agency systems. The checks will be completed by the background unit, which will be an ancillary responsibility of the Detective Division Commander. Any personnel failing to complete the background process will be administratively suspended until such time as the background can be properly completed. Personnel who through the investigation do not obtain a satisfactory background shall be referred to the personnel section for reassignment within the agency.”
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 24
Example Policy Development –Step 6 – Policy Recommendation
• This policy will affect all new employees who have been given a conditional offer of hire.
• A thorough background check of the new hire will be completed prior to the person’s assignment to a position that will give them access to the agency’s system.
• Under the direction of the Commander in Charge ofAdministration, the detectives assigned background investigations will conduct a thorough background according to the procedures developed at the direction of the Commander and approved by the Chief of the Agency.
• Due to the sensitive nature of the background check process, only the Commander in Charge of Administration, the Assistant, Chief of the agency, the agency Chief and the agency counsel will be allowed to review the completed background information.
• Any new hires failing to complete the background process will be promptly notified of their status and referred to the personnel section.
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 25
Security Policy Resources
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 26
Security Frameworks
• NIST• US standards• Security guidelines for federal systems
• ISO 17799• Internationally recognized standard• Applicable to both public and private sector
implementations
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 27
NIST
The Federal Information Security Management Act (FISMA) of 2002 requires NIST to: “…developing and overseeing the implementation of policies,principles, standards, and guidelines on information security,including through ensuring timely agency adoption of andcompliance with standards…”
FIPS-Federal
Information
Processing
Standards
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 28
ISO 17799
• Security Policy• Organizational Security• Asset Classification and Control• Personnel Security• Physical and Environmental Security• Communications and Operations Management• Access Control• Systems Development and Maintenance• Business Continuity Management• Compliance
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 29
Security Guidance for Justice Systems
• CJIS Security Policies• Mandatory for systems that connect to NCIC
• SEARCH - Law Enforcement Tech Guide for Information Technology Security, How to Assess Risk and Establish Effective Policies A Guide for Executives, Managers, and Technologists
• Applying Security Practices to Justice Information Sharing (JIS)• Guidance for state and local justice information
sharing• Includes both wired and wireless versions
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 30
Tech Guide Overview
•Designed to give decision makers a better
understanding of the importance of the self and risk assessment process.
•Distill established guidance from the National Institute of Standards and Technology (NIST).
•Give decision makers a IT security and risk
assessment tool that can help them through a complicated process.
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 31
The SEARCH IT Security Self- and Risk-assessment Tool
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 32
Self-Assessment
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 33
Risk-Assessment
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 34
Example Policies and Procedures
• State of Minnesota Office of Enterprise Technologywww.state.mn.us/portal/mn/jsp/home.do?agency=OETweb
• SANS
• GLOBAL Privacy and Information Quality
SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 35
References
• SANS Security Policy Project and Primer www.sans.org/resources/policies/
• NIST Computer Security Special Publications http://csrc.nist.gov/publications/nistpubs/
• ISO 17799 www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?
CSNUMBER=33441• CJIS Security Policy
Contact your state CJIS Systems Officer• Law Enforcement Tech Guide for IT Security Policies
www.cops.usdoj.gov/default.asp?Item=512• Applying Security Practices to Justice Information Sharing
http://it.ojp.gov/topic.jsp?topic_id=58• Privacy Policy Development Guide and Implementation
Templates http://it.ojp.gov/topic.jsp?topic_id=55