Security Policy
Tyler Public Safety (TPS)
A Project Involving a Detailed Study of Tyler Public Safety's Security Policies

Project performed and presented by Billy Henson
ISQS 6342 Strategic Uses of Telecom Technology
Summer 2006
June 28, 2006
Under the direction of Dr. John R. Durrett

The purpose of this project was to gain a deeper understanding of security policies by participating in discussions with Tyler Public Safety's security manager, studying Tyler Public Safety's written security policy, improving that policy, and comparing the findings with notes taken from class, specifically those related to the CIA Triangle.

Bhenson 1 of 12 3/6/2016

Table of Contents
Executive Summary ... 3
Work History ... 3
General Nature of the Project ... 5
CIA Triangle ... 6
Details ... 7
PC Usage and Guidelines ... 8
Acceptable Use Policy ... 9
Facility Security Policy ... 9
Security Training Policy ... 10
Password Policy ... 10
Network Connection Policy ... 11
Benefits, Future Plans, Take-Aways ... 11
Summary ... 12

Security Policy Paper: this is the out-of-class segment of the course. Write a paper giving me a real-world example of a security policy, security standards, and security guidelines for a real business. I prefer one where you have worked; if that is not possible, pick one you are familiar with, for instance a University Business School.

Executive Summary

Security policies are becoming increasingly important as terabytes of sensitive and valuable information pile up at unbelievable rates.
Companies, employees, and customers are involved in and touched by security policies in some form or fashion on a daily basis. When reviewing security policies, guidelines, and procedures, the CIA triangle is a good place to start, as it covers many very sensitive areas. In this context, the CIA triangle involves maintaining the confidentiality, integrity, and availability of information resources. Everyone wants the satisfaction of knowing their data is secure, correct, and available at all times. Throughout this paper I will discuss the sections and elements of a real-life security policy maintained by a local company and the reasons for needing each of those sections and elements as they relate to the CIA triangle, accompanied by proposed changes and addenda to the security policy as a whole.

Work History

I began my professional work experience interning with an agricultural insurance company, AgriPeril Software, during my last semester as an undergraduate at Texas Tech University. While interning as a FoxPro programmer, I was introduced to many new challenges and concepts that seemed overwhelming at first. As time passed I soon learned the company's culture, what was expected, and what was acceptable. It was during this time that I learned the importance of guidelines and procedures as they related to the management of security during software development.

As a small company that employed five programmers and one support person, AgriPeril was challenged as it competed with much larger companies for business. Formal guidelines and procedures were overlooked, as every team member became responsible for a specific knowledge area, including programming and supporting their own work. This informal working environment allowed for greater flexibility among team members and quicker responses to customers' needs, but with that came many stressful situations that demanded longer work hours.
Ironically, this resulted in a very tightly coupled, cohesive team that produced software that eventually became the premier crop insurance application in the field.

A much larger insurance company, Fireman's Fund, had been in the insurance business for many decades but had never entered the crop insurance arena. Its focus had primarily been in the areas of life, property, and casualty insurance. Fireman's Fund eventually acquired AgriPeril just prior to the turn of the century. Soon after the acquisition, Fireman's Fund was faced with ensuring all of its software was Y2K compliant. Realizing the vast number of changes necessary to achieve success in this effort, they decided to invest further in becoming the first crop insurance provider to offer a web-enabled application.

This was my first formal introduction to security policies. Prior to building our web-enabled application, everyone who used our system maintained their own database in-house. As we moved to the internet, we made the decision to use DB2 to store everyone's data in one location. This would allow field and table changes to be made in a much more efficient manner. To help with the security issues that arise when everyone's data is located within one database, our CIO brought in a security specialist, first as a contractor, and later hired him on full time. The project turned out to be successful, but with success came curious competitors with deep pockets. Fireman's Fund soon sold off its newly acquired agriculture division, which left many without a job. This led to my employment with INCODE.

General Nature of the Project

INCODE, a subsidiary of Tyler Technologies, specializes in providing technology and technology services to local governments. I am currently working in the area that is primarily responsible for developing and maintaining all applications associated with our Tyler Public Safety division, also known as TPS.
Coming up with a project for this course has been a great learning experience in and of itself. I started off by discussing security policies with my immediate boss. This soon led to a very interesting hour-long discussion. During this hour-long meeting (I call it a meeting because others were brought in), I learned three key things:

- We had a security officer, but did not have a formal security policy within our TPS division.
- Many had no idea what types of security-related policies, other than what we already have in place, might be beneficial to the company.
- We do have security agreements with our clients, and staff with different levels of security access, but very few employees knew of these agreements and access levels.

In an effort to discover what security policies would be beneficial to our company, I shared the information I had gained in my research for this project with my boss and others. After leading into discussions around the CIA Triangle, everything began to come together. We were all in agreement that this was an area that needed to be better defined and discussed in greater detail. I will first briefly explain the CIA Triangle and how it relates to my company, followed by details of my findings and work on this project, and finally end with a brief overview of benefits, future plans, and take-aways.

CIA Triangle

As stated in my quiz, the CIA Triangle is a very good place to start when reviewing a company's security policy. For the purpose of understanding this area, and for those who might not have read my response to the quiz, I have included below a breakdown of each of the areas that comprise the CIA Triangle.

Confidentiality

As confidentiality relates to IT, it means that data and information intended to be private, as outlined in any predefined expectations or otherwise, should remain private. This includes not only the data itself but also the knowledge that such data exists.
As a company that deals in matters related to police and court records, as well as many other areas of the criminal justice realm, we are responsible for keeping all of our data confidential at all times. Many of our employees must pass specific security clearance levels before they are able to gain access to sensitive data. Reviewing this area with my coworkers allowed us to take a much closer look at just how sensitive and confidential this information is, and should remain.

Integrity

Integrity relates to the correctness and accuracy of data. Because we deal with police departments, court systems, and other criminal data, we must be careful that the integrity of that data remains at a very high level as it passes through our systems. A small mistake during a conversion could change someone's life forever. Conversions are very common within our industry, and customers expect their data to represent exactly what it represented prior to any conversion. This forces our company to run many detailed checks during a conversion process, including record counts from every table.

Availability

Availability means that when someone requests information, and is authorized to do so, the data related to that information is made available to them in a timely manner. As this relates to my company, the availability of data is of the utmost importance. Officers in the field rely on the data not only to be accurate but also to be available to them in seconds. By looking up information within our system, an officer can find out if a person is wanted, might be carrying, or is otherwise dangerous. Faulty or unavailable information could result in less than desirable results for an officer.

Details

Discussions at work over the last month have revolved around security policies. Everyone seems to be curious and eager to learn more about them.
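The conversion checks described under Integrity above can be automated. The following is an added example and is not code from the paper or from TPS. It uses two in-memory SQLite databases holding constructed sample records in a hypothetical "cases" table, and it goes one step beyond the per-table record counts the text mentions: it also hashes every row, so a record whose contents were altered during conversion is caught even when the counts still match.

```python
"""Added example (not from the original paper): verifying a data conversion
by comparing the source and converted copies table by table.

The paper says TPS runs record counts on every table after a conversion.
This also compares a fingerprint of every row, so a record that was silently
altered (same count, different content) is caught too. Uses in-memory SQLite
databases with constructed sample data; the table and column names are
hypothetical.
"""
import hashlib
import sqlite3

# Constructed sample records: (case_id, defendant, charge, disposition).
SOURCE_ROWS = [
    (1001, "DOE, JOHN", "THEFT", "DISMISSED"),
    (1002, "ROE, JANE", "DUI", "GUILTY"),
    (1003, "POE, EDGAR", "TRESPASS", "NOT GUILTY"),
]


def load(rows):
    """Create an in-memory database holding one hypothetical 'cases' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cases (case_id INTEGER PRIMARY KEY, defendant TEXT, "
        "charge TEXT, disposition TEXT)"
    )
    conn.executemany("INSERT INTO cases VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def table_names(conn):
    """All user tables in the database, in a stable order."""
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    )
    return [r[0] for r in cur.fetchall()]


def table_fingerprint(conn, table):
    """Return (row_count, sha256 over all rows) for one table.

    Rows are sorted by their text form before hashing, so the result does
    not depend on physical row order, which a conversion may change.
    """
    rows = conn.execute(f'SELECT * FROM "{table}"').fetchall()
    h = hashlib.sha256()
    for row in sorted(repr(r) for r in rows):
        h.update(row.encode("utf-8"))
        h.update(b"\n")
    return len(rows), h.hexdigest()


def verify_conversion(source, target):
    """Compare every table in source against target.

    Returns a list of human-readable findings; an empty list means the
    conversion preserved both the record counts and the record contents.
    """
    findings = []
    src_tables = set(table_names(source))
    tgt_tables = set(table_names(target))
    for missing in sorted(src_tables - tgt_tables):
        findings.append(f"table {missing} missing from converted data")
    for table in sorted(src_tables & tgt_tables):
        src_count, src_hash = table_fingerprint(source, table)
        tgt_count, tgt_hash = table_fingerprint(target, table)
        if src_count != tgt_count:
            findings.append(f"{table}: record count {src_count} -> {tgt_count}")
        elif src_hash != tgt_hash:
            findings.append(f"{table}: {src_count} records but contents differ")
    return findings


if __name__ == "__main__":
    source = load(SOURCE_ROWS)
    print(verify_conversion(source, load(SOURCE_ROWS)))
    # A conversion that flips one disposition keeps the count but not the content.
    altered = list(SOURCE_ROWS)
    altered[2] = (1003, "POE, EDGAR", "TRESPASS", "GUILTY")
    print(verify_conversion(source, load(altered)))
```

The count-only check passes the altered copy; the row hash is what flags it. In a real conversion the same fingerprint can be computed on the customer's side and compared as a signed-off value, which is the check a client would want before accepting the converted data.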
During our discussions we all learned that we do indeed have a person in charge of security, known as our CSO, and a rather slim security policy in place, but not necessarily in force. For legal and other purposes we currently fall under the umbrella of our parent company, but we felt we needed more restrictions and guidelines in place, specifically related to our highly sensitive criminal justice data and information. I asked our CSO to brainstorm with me for a couple of hours each week and help me come up with what a more detailed security policy might look like, if we had one. From these meetings we produced the following, which are not a part of TPS policy. (Much more upper-level management and legal involvement would need to take place to enforce any of the items that we discussed.) We came up with these six areas, which are very closely tied to the areas found in the text for this class, "The CISSP Prep Guide" (ISBN: 0-7645-5915-X):

- PC Usage and Guidelines
- Acceptable Use Policy
- Facility Security Policy
- Security Training Policy
- Password Policy
- Network Connection Policy

PC Usage and Guidelines

PC Usage and Guidelines covers the general guidelines found within many companies. In addition to these, we felt it important to break down the levels of security clearance within our public safety group, mainly because we have employees cleared through the FBI, while others may be cleared through one of the many Departments of Public Safety across the nation. We also want to include the shredding of any printed documents that may contain sensitive and highly secure information. This would help ensure the confidentiality agreements we have with our clients are maintained. Many times we are required to store criminal information on our computers for validation, testing, and conversion into other formats.
Because of this, we included a statement within this section that says we will never reproduce or store information on our systems without permission from our clients as well as our Chief Security Officer (CSO). To demonstrate what this section might look like, we wrote our ideas down using "policy" terms, as shown below:

TPS staff are prohibited from storing CJIS information in any format. If for some reason a TPS staff member obtains CJIS information in a digital format, the information should remain local and password protected on their computer; it should never be placed on the network, nor should the staff member share it with anyone other than TPS staff. If for some reason a TPS staff member obtains CJIS information in the form of printed materials, the materials should be shredded immediately. The CSO should be notified of the receipt of any CJIS information. For no reason should CJIS information be retained past the end of a working day. The staff member should not only delete but securely wipe (leave no trace of) any CJIS information stored on their local computer.

Acceptable Use Policy

The intention of this policy is not to impose restrictions on the established culture of openness, trust, and integrity that we try to maintain at TPS, but rather to protect our employees as well as our customers. Like many other companies, our users should be aware that the data they create on corporate systems remains the property of TPS. They should encrypt any information that they consider sensitive. As stated throughout this paper, confidentiality is very important when dealing with this type of information. At TPS, employees are allowed to use the internet with very few restrictions. We feel something should be included in the policy stating that employees are responsible for exercising good judgment regarding the reasonableness of personal use.
This will hopefully send a message letting employees know that this is a privilege, and that wrongful use of the internet can potentially damage the security of our data.

Facility Security Policy

We currently operate out of two buildings side by side. One requires a magnetic card for entry, while the other requires a 4-digit key code. Access to either facility is an important aspect of protecting network security. Allowing access to individuals other than TPS staff could compromise network security. Because of this, we felt that key codes should be assigned by the CSO to each TPS staff member. Assigning a code per person, rather than one shared code per building, is also what makes a later audit meaningful, since an entry can then be tied to an individual. We also wanted to mention that TPS staff members should secure their key code by memorizing it and not store the information in any other location. (This is easier said than done most times.) Over the course of a month we average about 10 customers, or potential customers, visiting our facility. We thought it would help convey a sense of security if we ensured that each visitor was always escorted by a TPS staff member. Finally, to help ensure our facilities are as secure as possible, in our ideal world the CSO will audit access to our facilities on a monthly basis and investigate any access to the facility outside of regular working hours.

Security Training Policy

We felt that training was an area most often overlooked by ourselves and many other IT shops. Because security is so important and we have failed in the area of training in the past, we felt it important to include this section. Having the CSO responsible for reviewing the Security and Computer Use Guidelines and Policies at least annually with all TPS staff members is our first note. This will ensure everyone is "in the know", while keeping security at the forefront.
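The monthly access audit described in the Facility Security Policy section above, written out as an added example that is not part of the original paper or of any TPS system. The badge-reader log format, the badge roster, and the 07:00 to 19:00 weekday working hours are assumptions, and the log lines are constructed; the paper only says the CSO should audit access monthly and investigate entries outside regular working hours.

```python
"""Added example (not from the original paper): a facility access audit run
over constructed badge-reader log lines.

Assumed log format: "<ISO timestamp> <door> <badge-id> <GRANTED|DENIED>".
The roster, the working hours and the door names are assumptions too.
"""
from datetime import datetime, time

# Constructed sample log. 2006-06-12 is a Monday, 2006-06-17 a Saturday.
SAMPLE_LOG = """\
2006-06-12T08:55:10 bldg-a-front 4417 GRANTED
2006-06-12T12:03:42 bldg-a-front 4417 GRANTED
2006-06-12T22:47:05 bldg-a-front 4417 GRANTED
2006-06-13T09:12:33 bldg-b-side 9102 GRANTED
2006-06-13T03:18:59 bldg-b-side 7731 DENIED
2006-06-17T10:30:00 bldg-a-front 4417 GRANTED
"""

# Assumed roster: badge IDs the CSO has issued to TPS staff.
STAFF_BADGES = {4417: "bhenson", 9102: "cso"}

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed regular hours
WEEKDAYS = range(0, 5)  # Monday=0 .. Friday=4


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, door, badge, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "door": door,
            "badge": int(badge), "result": result}


def is_after_hours(ts):
    """True when ts falls outside the assumed Mon-Fri working window."""
    return ts.weekday() not in WEEKDAYS or not (WORK_START <= ts.time() < WORK_END)


def audit(log_text):
    """Return one finding per event the CSO should investigate.

    Flags any attempt outside working hours, any badge not on the roster,
    and any DENIED attempt (a possible lost, revoked or cloned badge).
    Each finding is (timestamp, door, badge, holder, reasons).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if is_after_hours(ev["ts"]):
            reasons.append("after-hours")
        if ev["badge"] not in STAFF_BADGES:
            reasons.append("unknown badge")
        if ev["result"] == "DENIED":
            reasons.append("denied")
        if reasons:
            who = STAFF_BADGES.get(ev["badge"], "?")
            findings.append(
                (ev["ts"].isoformat(), ev["door"], ev["badge"], who, reasons)
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags a staff badge used at 22:47 on a weekday, a denied attempt at 03:18 by a badge that was never issued, and a Saturday entry. The "unknown badge" check only works because each badge or code is tied to one person, which is why the per-person key codes proposed above matter for the audit and not just for entry.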
We also thought it would be a good idea to have the CSO review the Security and Computer Use Guidelines with new TPS staff members on their first day of employment, in an effort to communicate and support our commitment to security.

Password Policy

Our password policy is pretty typical of what everyone else is enforcing, with documented examples of poor passwords and suggestions for strong passwords. Included with this is a mnemonic for memorizing passwords without having to write them down. For example, try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember", and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation. (Any example printed in a written policy should be treated as an illustration only; once published it is as well known as any dictionary word and should never be used as an actual password.)

Network Connection Policy

We have many developers and support staff who bring laptops and other devices to work for various reasons. We decided that all computers installed on the TPS network fall under the authority and responsibility of the CSO and must meet the minimum security requirements of TPS regulations and policies. The intent of this policy is to ensure that all systems installed on the TPS network are maintained at appropriate levels of security while at the same time not impeding the ability of TPS staff to perform their work.

Benefits, Future Plans, Take-Aways

One of the major benefits of this project is that I now know the rules within our company and what is expected of me. I learned of the CIA Triangle, and brought in others who were as curious about this new information and what we might turn up. In the future we plan to formalize a security policy, get upper management buy-in, and ensure our security policy is shared with and signed by all employees. Plans to review such a policy on a regular basis will be a major key to its success.
Throughout this project I realized just how much I did not know about security policies, but I feel I have improved and hope to continue in that direction.

Summary

In summary, security management is becoming increasingly important to companies that wish to maintain a competitive advantage in the marketplace. Because of this, candidates for employment who possess certifications and demonstrated experience in the areas of security will have a distinct advantage over candidates who lack such credentials. As companies evolve and attempt to remain competitive in the marketplace, guidelines, procedures, and rules will certainly change as well. Because of this, it is advantageous for companies and employees to build firm foundations in the areas of security management and training, but to do so in a way that will allow them the flexibility to adapt to change in a relatively short amount of time.