
Establishing Effective Security Policies

BJA Regional Information Sharing Conference

SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 2

Justice IT Security Issues

• Disaster Recovery
• File & Disk Level Encryption
• Enterprise & Personal Firewalls
• Ongoing Vulnerability Testing
• Multi-tier Anti-Virus Solutions
• Intrusion Detection Systems
• Internal Modem Control
• Operating System File Integrity
• Web Site Security
• Patch Management
• Wireless Security
• E-mail Filtering and Monitoring
• Spam & Spyware Controls
• Employee Web Monitoring & Filtering
• Instant Messenger Monitoring & Management
• Intrusion Prevention (Behavioral)
• Platform Security Compliance
• Remote Access Authentication / Identity Management
• Remote Security Administration
• Enterprise-wide Single Sign-On
• Self-service Password Reset
• Secure Web-Based E-Mail
• Password Recovery
• Change Management Tracking
• Document Control & Classification
• Log Analysis & Consolidation
• Network Traffic Monitoring & Reconstruction
• Forensic Investigations & Media Analysis
• Agency & Staff Certification

Copyright © Bill Spernow 2006


Basic Security Policy Process

• Identify what assets you need to protect.

• Identify the threats to those assets.

• Use frameworks and industry-specific guidance to select and implement controls to mitigate the threats: policies and procedures, technical controls, and human controls.

• Monitor compliance and effectiveness of controls (metrics).

• Periodically review and update controls.


Security Policy Program Success

Success is Dependent on Four Interdependent Components:

1) Strong Upper-Level Management Support

2) Practical Security Policies and Procedures

3) Properly Implemented Controls

4) Quantifiable Performance Metrics and Analysis


Common Justice Problems…

Systems are already developed

Personnel are already in place with various levels of training

Some policy may exist

Some Procedures may be in place

Some Controls are in place

Some metrics may be used to measure compliance


Just what is a Security Policy?

• A Security Policy is a directive that defines a specific behavior for one or more individuals within your agency.

• Each Security Policy is designed to reduce a specific set of security risks to a level acceptable to management.


IT Security Policies in reality…

• They are administrative directives.

• They set goals and assign responsibilities.

• They are a pain to write and implement, and users usually think they are intrusive.

www.iccfbi.gov


Why a particular Security Policy?

• Based on the existing environment, a security policy is crafted so that it will lower the system risk to an acceptable level as set by management.

• A security policy, while it may look simple, may in fact require a great deal of work to craft it properly based on your agency’s individual risk.


Security Policy Considerations?

• A Security Policy is created through an analysis of what information?

• Pertinent legislation and regulations
• Agreements with other parties
• Higher-level policies
• Detailed knowledge of the target IT system
• Anticipated threats
• Implementation and operational costs
• Management’s risk tolerance


Security Policy Development Life Cycle

• Policy

• Self-Assessment

• Risk-Assessment

• Controls

• Metrics (measurements)

[Diagram: life-cycle wheel linking the five stages Policy, Self-Assessment, Risk-Assessment, Controls and Metrics]


Taking the Challenge to build Effective Security Policy

• Organize your Security Policy Development Team

• Conduct a Security Self-assessment

• Assess Security Risks

• Develop a Risk Mitigation Strategy

• Measure Your Security Controls

• Formalize and Write your Security Policy


Organize your Security Policy Development Team

a. Obtain leadership and involvement of senior management

b. Identify and recruit internal and external stakeholders and obtain their input and support

c. Assign a Project Manager to guide and oversee initiative

d. Create a governance structure with defined roles and responsibilities

e. Review your business mission and IT strategic plan as guidance to your security initiative

f. Allocate time and human/financial resources

g. Adopt a methodology and action plan to developing/implementing your security policies


Conduct a Security Self-assessment

a. Determine which system(s) or system part you want to develop security policies for

b. Assemble appropriate stakeholders and hold a kick-off meeting to discuss process

c. Gather relevant organizational data about the system(s) to be assessed

d. Conduct a Security Self- and Risk-assessment

e. Compile the results


Assess Security Risks

a. For each assessment question your team answered during the self-assessment, identify the risk and write a description of it.

b. Categorize and quantify each identified risk:
• Likelihood: remote, possible or likely
• Severity: high, medium or low
• Area of impact: human, financial, liability, etc.

c. Determine your tolerance level for each identified risk (avoid, assume, mitigate, or transfer)

d. Determine a numeric priority for action for each identified risk (1 being highest priority, 3 being lowest)


Develop a Risk Mitigation Strategy

a. Prioritize risks, using the results of the risk-assessment

b. Build security controls to mitigate risks

c. Document the controls

d. Select which controls to implement and manage, and assign responsibility for these

e. Develop an implementation plan that articulates how each control is implemented


Measure Your Security Controls

a. Develop and select measurement methods for the controls you will implement

b. Identify existing measures

c. Identify all other possible measures

d. Identify implications of measures

e. Recommend measures for adoption by management


Formalize and Write your Security Policy

a. Identify existing policy that addresses the identified risks

b. Write proposed security policy that addresses these risks

c. Recommend security policy for adoption by management


WRITING AN IT SECURITY POLICY

Step 1 – Identified risk: Start with an identified risk that your agency decided must be mitigated.

Step 2 – Management control decision: List the control your agency management decided upon to mitigate this risk.

Step 3 – Measure implementation: List the measure(s) your agency management decided to implement in order to assess the effectiveness of this control.

Step 4 – Existing policy: Document any existing policy the agency has that addresses the risk identified in Step 1.

Step 5 – Proposed security policy: List any proposed security policy.

Step 6 – Policy recommendation: Make a recommendation to management regarding security policy to adopt.


Example Policy Development – Step 1 – Identified Risk

“Personnel who have not undergone thorough background checks have access to information systems.”


Example Policy Development – Step 2 – Management Control Decision

“Conduct background investigations internally using our own employees. Training will be provided by a neighboring agency that conducts their own investigations. Access to a public information database will be purchased and a policy will be written to ensure proper background investigations are conducted.”


Example Policy Development – Step 3 – Measure Implementation

“The Personnel Division Commander will conduct an annual audit of the background investigations section to ensure they are complying with the agency policy.”


Example Policy Development – Step 4 – Existing Policy

“No current policy statement exists within the agency for this identified risk.”


Example Policy Development – Step 5 – Proposed Security Policy

“This policy will affect all members of the agency. The agency will immediately begin completing thorough background checks of all employees, civilian or sworn, who have access to agency systems. The checks will be completed by the background unit, which will be an ancillary responsibility of the Detective Division Commander. Any personnel failing to complete the background process will be administratively suspended until such time as the background can be properly completed. Personnel who through the investigation do not obtain a satisfactory background shall be referred to the personnel section for reassignment within the agency.”


Example Policy Development – Step 6 – Policy Recommendation

• This policy will affect all new employees who have been given a conditional offer of hire.

• A thorough background check of the new hire will be completed prior to the person’s assignment to a position that will give them access to the agency’s system.

• Under the direction of the Commander in Charge of Administration, the detectives assigned background investigations will conduct a thorough background according to the procedures developed at the direction of the Commander and approved by the Chief of the Agency.

• Due to the sensitive nature of the background check process, only the Commander in Charge of Administration, the Assistant Chief of the agency, the agency Chief and the agency counsel will be allowed to review the completed background information.

• Any new hires failing to complete the background process will be promptly notified of their status and referred to the personnel section.


Security Policy Resources


Security Frameworks

• NIST
  • US standards
  • Security guidelines for federal systems

• ISO 17799
  • Internationally recognized standard
  • Applicable to both public and private sector implementations


NIST

The Federal Information Security Management Act (FISMA) of 2002 requires NIST to: “…developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards…”

FIPS (Federal Information Processing Standards)


ISO 17799

• Security Policy
• Organizational Security
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance


Security Guidance for Justice Systems

• CJIS Security Policies
  • Mandatory for systems that connect to NCIC

• SEARCH – Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies. A Guide for Executives, Managers, and Technologists

• Applying Security Practices to Justice Information Sharing (JIS)
  • Guidance for state and local justice information sharing
  • Includes both wired and wireless versions


Tech Guide Overview

• Designed to give decision makers a better understanding of the importance of the self- and risk-assessment process.

• Distills established guidance from the National Institute of Standards and Technology (NIST).

• Gives decision makers an IT security and risk-assessment tool that can help them through a complicated process.


The SEARCH IT Security Self- and Risk-assessment Tool


Self-Assessment


Risk-Assessment


Example Policies and Procedures

• State of Minnesota Office of Enterprise Technology www.state.mn.us/portal/mn/jsp/home.do?agency=OETweb

• SANS

• GLOBAL Privacy and Information Quality


References

• SANS Security Policy Project and Primer www.sans.org/resources/policies/

• NIST Computer Security Special Publications http://csrc.nist.gov/publications/nistpubs/

• ISO 17799 www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441

• CJIS Security Policy: contact your state CJIS Systems Officer

• Law Enforcement Tech Guide for IT Security Policies www.cops.usdoj.gov/default.asp?Item=512

• Applying Security Practices to Justice Information Sharing http://it.ojp.gov/topic.jsp?topic_id=58

• Privacy Policy Development Guide and Implementation Templates http://it.ojp.gov/topic.jsp?topic_id=55


Questions?

Todd G. Shipley, CFE, CFCE
Director, Systems Security and High Tech Crime Prevention Training
SEARCH
7311 Greenhaven Drive, Suite 145
Sacramento, California 95831
916-392-2550
www.search.org