Justice IT Security Issues


0 Establishing Effective Security Policies and Procedures
Innovations in Justice: Information-Sharing Strategies and Best Practices
BJA Regional Information-Sharing Conference
Establishing Effective Security Policies and Procedures
Mr. James E. Cabral Jr., CISSP, CISA, GSEC
MTG Management Consultants, LLC
March 29, 2007

1 Justice IT Security Issues
Disaster Recovery
File and Disk Level Encryption
Enterprise and Personal Firewalls
Ongoing Vulnerability Testing
Multi-tier Anti-Virus Solutions
Intrusion Detection Systems
Internal Modem Control
Operating System File Integrity
Web Site Security
Patch Management
Wireless Security Filtering and Monitoring
Spam and Spyware Controls
Employee Web Monitoring and Filtering
Instant Messenger Monitoring and Management
Intrusion Prevention (Behavioral)
Platform Security Compliance
Remote Access Authentication/Identity Management
Remote Security Administration
Enterprise-wide Single Sign-On
Self-Service Password Reset
Secure Web-Based Password Recovery
Change Management Tracking
Document Control and Classification
Log Analysis and Consolidation
Network Traffic Monitoring and Reconstruction
Forensic Investigations and Media Analysis
Agency and Staff Certification

Is anyone working on any of these problems right now? Some of them? Maybe all of them? Ask the audience what issues are most important to them. Ask the audience which of these items they have a written policy on.

Copyright © Bill Spernow 2006 782/40/108053(ppt)

2 Basic Security Policy Process
Identify what assets you need to protect.
Identify the threats to those assets.
Use frameworks and industry-specific guidelines to select and implement controls to mitigate the threats:
  Policies and procedures.
  Technical controls.
  Human controls.
Monitor compliance and effectiveness of controls (metrics).
Periodically review and update controls.

3 Security Policy Program Success
Success is dependent on four interdependent components:
1. Strong upper-level management support.
2. Practical security policies and procedures.
3. Properly implemented controls.
4. Quantifiable performance metrics and analysis.

4 Common Justice Problems …
Systems are already developed.
Personnel are already in place with various levels of training.
Some policy may exist.
Some procedures may be in place.
Some controls are in place.
Some metrics may be used to measure compliance.

5 Just What Is a Security Policy?
A security policy is a directive that defines a specific behavior for one or more individuals within your agency. Each security policy is designed to reduce a specific set of security risks to a level acceptable to management.

6 IT Security Policies in Reality …
They are administrative directives.
They set goals and assign responsibilities.
They are difficult to write and implement.
Users usually think they are intrusive.

7 Why a Particular Security Policy?
Based on the existing environment, a security policy is crafted so that it lowers the system risk to an acceptable level as set by management. A security policy, while it may look simple, may in fact require a great deal of work to craft properly based on your agency's individual risk.

8 Security Policy Considerations?
A security policy is created through an analysis of what information?
Pertinent legislation and regulations.
Agreements with other parties.
Higher-level policies.
Detailed knowledge of the target IT system.
Anticipated threats.
Implementation and operational costs.
Management's risk tolerance.

Pertinent legislation and regulations include:
1) CJIS Policies
2) Clinger-Cohen Act
3) Sarbanes-Oxley Act
4) Government Performance and Results Act (GPRA)
5) Government Paperwork Elimination Act (GPEA)
6) Federal Information Security Management Act (FISMA)
7) State IT Statutes & Policies

9 Security Policy Development Life Cycle
Self-assessment.
Risk-assessment.
Controls.
Metrics (measurements).

Life cycle diagram: Self-Assessment, Risk-Assessment, Policy, Controls, Metrics.

10 Taking the Challenge to Build Effective Security Policy
Organize your security policy development team.
Conduct a security self-assessment.
Assess security risks.
Develop a risk mitigation strategy.
Measure your security controls.
Formalize and write your security policy.

11 Organize Your Security Policy Development Team
Obtain leadership and involvement of senior management.
Identify and recruit internal and external stakeholders and obtain their input and support.
Assign a project manager to guide and oversee the initiative.
Create a governance structure with defined roles and responsibilities.
Review your business mission and IT strategic plan as guidance for your security initiative.
Allocate time and human/financial resources.
Adopt a methodology and action plan for developing and implementing your security policies.

12 Conduct a Security Self-Assessment
Determine which systems or system parts you want to develop security policies for.
Assemble appropriate stakeholders and hold a kick-off meeting to discuss the process.
Gather relevant organizational data about the systems to be assessed.
Conduct a security self- and risk-assessment.
Compile the results.

13 Assess Security Risks
For each assessment question your team answered during the self-assessment, identify the risk and write a description of it.
Categorize and quantify each identified risk:
  Likelihood – Remote, possible, or likely.
  Severity – High, medium, or low.
  Area of Impact – Human, financial, liability, etc.
Determine your tolerance level for each identified risk (avoid, assume, mitigate, or transfer).
Determine a numeric priority for action for each identified risk.

14 Develop a Risk Mitigation Strategy
Prioritize risks using the results of the risk-assessment.
Build security controls to mitigate risks.
Document the controls.
Select which controls to implement and manage, and assign responsibility for these.
Develop an implementation plan that articulates how each control is implemented.
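The scoring and prioritization steps of slides 13 and 14, as an added example that is not part of the presentation: a small risk register that uses the slides' likelihood scale (remote/possible/likely), severity scale (high/medium/low) and the four tolerance decisions (avoid, assume, mitigate, transfer). The numeric weights, the likelihood-times-severity priority formula and the sample entries other than the slides' own background-check risk are assumptions.

```python
# Added example (not from the presentation): a risk register that applies the
# slides' scales. Likelihood, severity and tolerance vocabularies are the
# presentation's; the numeric weights and the priority formula
# (likelihood x severity) are assumed for illustration.
from dataclasses import dataclass

LIKELIHOOD = {"remote": 1, "possible": 2, "likely": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
TOLERANCE = {"avoid", "assume", "mitigate", "transfer"}


@dataclass
class Risk:
    description: str
    likelihood: str
    severity: str
    impact_areas: list  # e.g. human, financial, liability
    tolerance: str

    def __post_init__(self):
        # Reject values outside the agreed scales at entry time, so a typo in
        # the register cannot silently turn a serious risk into a low one.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood}")
        if self.severity not in SEVERITY:
            raise ValueError(f"unknown severity: {self.severity}")
        if self.tolerance not in TOLERANCE:
            raise ValueError(f"unknown tolerance decision: {self.tolerance}")

    def priority(self) -> int:
        # Assumed formula: likelihood x severity, from 1 (lowest) to 9 (highest).
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]


def prioritize(risks):
    """Order risks for action: highest priority first, then by breadth of impact."""
    return sorted(risks, key=lambda r: (-r.priority(), -len(r.impact_areas), r.description))


def needs_control(risk) -> bool:
    """Mitigate and transfer decisions require a documented control; avoid and assume do not."""
    return risk.tolerance in {"mitigate", "transfer"}


# Constructed sample register; the first entry is the slides' own example risk.
SAMPLE = [
    Risk("Personnel who have not undergone thorough background checks have access to information systems.",
         "likely", "high", ["human", "liability"], "mitigate"),
    Risk("Backup media kept on-site only (constructed).", "possible", "high", ["financial"], "transfer"),
    Risk("Visitor log kept on paper (constructed).", "remote", "low", ["liability"], "assume"),
]
```

Running `prioritize(SAMPLE)` puts the background-check risk first with priority 9; the entries with tolerance mitigate or transfer are the ones that go on to step 14 for a documented control.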

15 Measure Your Security Controls
Develop and select measurement methods for the controls you will implement.
Identify existing measures.
Identify all other possible measures.
Identify implications of measures.
Recommend measures for adoption by management.

16 Formalize and Write Your Security Policy
Identify existing policy that addresses the identified risks.
Write proposed security policy that addresses these risks.
Recommend security policy for adoption by management.

17 Writing An IT Security Policy
Step 1 – Identified Risk: Start with an identified risk that your agency management decided must be mitigated.
Step 2 – Management Control Decision: List the control your agency management decided upon to mitigate this risk.
Step 3 – Measure Implementation: List the measures your agency management decided to implement in order to assess the effectiveness of this control.
Step 4 – Existing Policy: Document any existing policy the agency management has that addresses the risk identified in Step 1.
Step 5 – Proposed Security Policy: List any proposed security policy.
Step 6 – Policy Recommendation: Make a recommendation to agency management regarding security policy to adopt.

18 Example Policy Development Step 1 – Identified Risk
“Personnel who have not undergone thorough background checks have access to information systems.”

19 Example Policy Development Step 2 – Management Control Decision
“Conduct background investigations internally using our own employees. Training will be provided by a neighboring agency that conducts their own investigations. Access to a public information database will be purchased and a policy will be written to ensure proper background investigations are conducted.”

20 Example Policy Development Step 3 – Measure Implementation
“The Personnel Division Commander will conduct an annual audit of the background investigations section to ensure compliance with the agency policy.”

21 Example Policy Development Step 4 – Existing Policy
“No current policy statement exists within the agency for this identified risk.”

22 Example Policy Development Step 5 – Proposed Security Policy
“This policy will affect all members of the agency. The agency will immediately begin completing thorough background checks of all employees, civilian or sworn, who have access to agency systems. The checks will be completed by the background unit, which will be an ancillary responsibility of the Detective Division Commander. Any personnel failing to complete the background process will be administratively suspended until such time as the background can be properly completed. Personnel who, through the investigation, do not obtain a satisfactory background shall be referred to the personnel section for reassignment within the agency.”

23 Example Policy Development Step 6 – Policy Recommendation
This policy will affect all new employees who have been given a conditional offer of hire. A thorough background check of the new hire will be completed prior to the person's assignment to a position that will give them access to the agency's system. Under the direction of the Commander in Charge of Administration, the detectives assigned background investigations will conduct a thorough background check according to the procedures developed at the direction of the Commander and approved by the Chief of the agency. Due to the sensitive nature of the background check process, only the Commander in Charge of Administration, the Assistant Chief of the agency, the agency Chief and the agency counsel will be allowed to review the completed background information. Any new hires failing to complete the background process will be promptly notified of their status and referred to the personnel section.

24 Security Frameworks
NIST: U.S. standards. Security guidelines for federal systems.
ISO 17799: Internationally recognized standard. Applicable to both public and private sector implementations.

25 FIPS – Federal Information Processing Standards
NIST: The Federal Information Security Management Act (FISMA) of 2002 requires NIST to: “…developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards…”
FIPS: Federal Information Processing Standards.

26 ISO 17799
Security policy.
Organizational security.
Asset classification and control.
Personnel security.
Physical and environmental security.
Communications and operations management.
Access control.
Systems development and maintenance.
Business continuity management.
Compliance.

27 Security Guidance for Justice Systems
CJIS security policies: mandatory for systems that connect to NCIC.
SEARCH – Law Enforcement Tech Guide on Information Technology Security: How to Assess Risk and Establish Effective Policies, A Guide for Executives, Managers, and Technologists: guidance for state and local law enforcement.
Applying Security Practices to Justice Information Sharing (JIS): guidance for state and local JIS; includes both wired and wireless versions.

28 CJIS Security Policy
Roles and responsibilities.
Security enforcement.
Computer security incident response capability.
ORI authorizations and user agreements.
Technical security.
Use and dissemination of criminal history record information and NCIC hot file information.
Audits of CJIS information systems.
Appendices:
  A – Forms.
  B – Web Sites.
  C – Guideline Documents.
  D – Other Resources.

29 Tech Guide Overview
Designed to give decision makers a better understanding of the importance of the self- and risk-assessment processes.
Distills established guidance from the National Institute of Standards and Technology (NIST).
Gives decision makers an IT security and risk assessment tool that can help them through a complicated process.

30 The SEARCH IT Security Self- and Risk-Assessment Tool

31 Self-Assessment

32 Risk-Assessment

33 Applying Security Practices to JIS
Support:
  Governance.
  Physical security.
  Personnel security screening.
  Separation of duties.
Prevention:
  Identification and authentication.
  Authorization and access control.
  Data integrity.
  Data classification.
  Change management.
  Public access, privacy, and confidentiality.
  Firewalls, VPNs, and other network safeguards.
Detection and Recovery:
  Intrusion detection systems.
  Critical incident response.
  Attack detection and prevention.
  Security auditing.
  Risk management.
  Disaster recovery and business continuity.

34 Example Policies and Procedures
State of Minnesota, The Office of Enterprise Technology.
SANS.
GLOBAL Privacy and Information Quality.

35 References
SANS Security Policy Project and Primer.
NIST Computer Security Special Publications.
ISO.
CJIS Security Policy (contact your state CJIS Systems Officer).
Law Enforcement Tech Guide for IT Security Policies.
Applying Security Practices to Justice Information Sharing.
Privacy Policy Development Guide and Implementation Templates.

36 Questions & Answers

