Security Policy Development - SEARCH | The National Consortium

Establishing Effective Security Policies
BJA Regional Information Sharing Conference
Justice IT Security Issues
• Disaster Recovery
• File & Disk Level Encryption
• Enterprise & Personal Firewalls
• Ongoing Vulnerability Testing
• Multi-tier Anti-Virus Solutions
• Intrusion Detection Systems
• Internal Modem Control
• Operating System File Integrity
• Web Site Security
• Patch Management
• Wireless Security
• E-mail Filtering and Monitoring
• Spam & Spyware Controls
• Employee Web Monitoring & Filtering
• Instant Messenger Monitoring & Management
• Intrusion Prevention (Behavioral)
• Platform Security Compliance
• Remote Access Authentication / Identity Management
• Remote Security Administration
• Enterprise-wide Single Sign-On
• Self-service Password Reset
• Secure Web-Based E-Mail
• Password Recovery
• Change Management Tracking
• Document Control & Classification
• Log Analysis & Consolidation
• Network Traffic Monitoring & Reconstruction
• Forensic Investigations & Media Analysis
• Agency & Staff Certification
SEARCH, The National Consortium for Justice Information and Statistics |
www.search.org
Copyright © Bill Spernow 2006
Basic Security Policy Process
• Identify what assets you need to protect.
• Identify the threats to those assets.
• Use frameworks and industry-specific guidance to select and implement controls to mitigate the threats:
  • Policies and procedures.
  • Technical controls.
  • Human controls.
• Monitor compliance and effectiveness of controls (Metrics).
• Periodically review and update controls.
Security Policy Program Success
Success is Dependent on Four Interdependent
Components:
1) Strong Upper-Level Management Support
2) Practical Security Policies and Procedures
3) Properly Implemented Controls
4) Quantifiable Performance Metrics and Analysis
Common Justice Problems…
• Systems are already developed
• Personnel are already in place with various levels of training
• Some policy may exist
• Some procedures may be in place
• Some controls are in place
• Some metrics may be used to measure compliance
Just what is a Security Policy?
• A Security Policy is a directive that defines a specific behavior for one or more individuals within your agency.
• Each Security Policy is designed to reduce a specific set of security risks to a level acceptable to management.
IT Security Policies in reality…
• They are administrative directives.
• They set goals and assign responsibilities.
• They are a pain to write and implement, and users usually think they are intrusive.
Why a particular Security Policy?
• Based on the existing environment, a security policy is crafted so that it lowers the system risk to an acceptable level, as set by management.
• A security policy, while it may look simple, may in fact require a great deal of work to craft properly, based on your agency’s individual risk.
Security Policy Considerations
• A Security Policy is created through an analysis of what information?
  • Pertinent legislation and regulations
  • Agreements with other parties
  • Higher level policies
  • Detailed knowledge of the target IT system
  • Anticipated threats
  • Implementation and operational costs
  • Management’s risk tolerance
Security Policy Development Life Cycle (shown in the deck as a cycle, each stage feeding the next)
• Policy
• Self-Assessment
• Risk-Assessment
• Controls
• Metrics (measurements)
Taking the Challenge to build Effective Security Policy
• Organize your Security Policy Development Team
• Conduct a Security Self-assessment
• Assess Security Risks
• Develop a Risk Mitigation Strategy
• Measure Your Security Controls
• Formalize and Write your Security Policy
Organize your Security Policy Development Team
a. Obtain leadership and involvement of senior management
b. Identify and recruit internal and external stakeholders and obtain their input and support
c. Assign a Project Manager to guide and oversee the initiative
d. Create a governance structure with defined roles and responsibilities
e. Review your business mission and IT strategic plan as guidance for your security initiative
f. Allocate time and human/financial resources
g. Adopt a methodology and action plan for developing and implementing your security policies
Conduct a Security Self-assessment
a. Determine which system(s) or system part you want to develop security policies for
b. Assemble appropriate stakeholders and hold a kick-off meeting to discuss the process
c. Gather relevant organizational data about the system(s) to be assessed
d. Conduct a Security Self- and Risk-assessment
e. Compile the results
Assess Security Risks
a. For each assessment question your team answered during the self-assessment, identify the risk and write a description of it.
b. Categorize and quantify each identified risk:
   1. Likelihood: remote, possible or likely;
   2. Severity: high, medium or low;
   3. Area of impact: human, financial, liability, etc.
c. Determine your tolerance level for each identified risk (avoid, assume, mitigate, or transfer)
d. Determine a numeric priority for action for each identified risk (1 being highest priority, 3 being lowest)
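The steps above describe a risk register without showing one. The following is an added example, not code from the SEARCH deck or the Tech Guide: a small Python risk register that captures each finding with the deck's own categories (likelihood, severity, area of impact, treatment) and orders the findings for the mitigation strategy step. The deck does not say how a priority of 1 to 3 is derived from likelihood and severity; the 3x3 matrix in `priority()` is an assumed scheme an agency would tune to its own risk tolerance, and the sample findings are constructed for illustration.

```python
"""Risk register for the 'Assess Security Risks' step.

Added example, not code from the SEARCH deck. The deck supplies the vocabulary
(likelihood: remote/possible/likely; severity: high/medium/low; treatment:
avoid/assume/mitigate/transfer; priority 1 = highest, 3 = lowest) but does not
say how priority is derived. The 3x3 matrix in priority() is an ASSUMED scheme
that an agency would tune to management's risk tolerance; the sample findings
below are constructed for illustration, not taken from any real assessment.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Likelihood(Enum):
    REMOTE = 1
    POSSIBLE = 2
    LIKELY = 3


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Treatment(Enum):
    AVOID = "avoid"
    ASSUME = "assume"      # accept the risk as-is
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


def priority(likelihood: Likelihood, severity: Severity) -> int:
    """Assumed priority matrix: score = likelihood x severity (1..9),
    bucketed into priority 1 (highest) .. 3 (lowest)."""
    score = likelihood.value * severity.value
    if score >= 6:
        return 1
    if score >= 3:
        return 2
    return 3


@dataclass
class Risk:
    question: str            # self-assessment question that surfaced it (step a)
    description: str
    likelihood: Likelihood   # step b.1
    severity: Severity       # step b.2
    impact_areas: list[str]  # step b.3: human, financial, liability, ...
    treatment: Treatment     # step c

    @property
    def priority(self) -> int:  # step d
        return priority(self.likelihood, self.severity)


def validate(risk: Risk) -> list[str]:
    """Consistency checks a reviewer wants before the register goes to management."""
    problems: list[str] = []
    if not risk.impact_areas:
        problems.append("no area of impact recorded")
    # Accepting ('assume') a top-priority risk is a management decision that
    # must be documented, not a default the assessment team may take.
    if risk.treatment is Treatment.ASSUME and risk.priority == 1:
        problems.append("priority-1 risk marked 'assume': needs documented management acceptance")
    return problems


def build_register(risks: list[Risk]) -> list[Risk]:
    """Order risks for the mitigation strategy step: priority, then severity, then likelihood."""
    return sorted(risks, key=lambda r: (r.priority, -r.severity.value, -r.likelihood.value))


# Constructed sample findings, one per self-assessment question (not real data).
SAMPLE_RISKS = [
    Risk("Are background checks completed before system access is granted?",
         "Personnel without thorough background checks have access to information systems",
         Likelihood.LIKELY, Severity.HIGH, ["liability", "human"], Treatment.MITIGATE),
    Risk("Are vendor patches applied within a defined window?",
         "Servers miss vendor patches for months",
         Likelihood.POSSIBLE, Severity.MEDIUM, ["financial"], Treatment.MITIGATE),
    Risk("Is the training-room printer on a segregated network?",
         "Training-room printer reachable from the staff VLAN",
         Likelihood.REMOTE, Severity.LOW, ["financial"], Treatment.ASSUME),
    Risk("Is there a tested disaster recovery plan?",
         "No tested disaster recovery plan for the records system",
         Likelihood.POSSIBLE, Severity.HIGH, ["human", "financial", "liability"], Treatment.ASSUME),
]


if __name__ == "__main__":
    for risk in build_register(SAMPLE_RISKS):
        flags = "; ".join(validate(risk)) or "ok"
        print(f"P{risk.priority} {risk.treatment.value:<8} {risk.description} [{flags}]")
```

Running the script prints the register highest priority first; the disaster recovery finding is flagged because a priority-1 risk was marked "assume" without a recorded management decision, which is exactly the kind of gap the tolerance step (c) is meant to surface before the mitigation strategy is written.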
Develop a Risk Mitigation Strategy
a. Prioritize risks, using the results of the risk-assessment
b. Build security controls to mitigate risks
c. Document the controls
d. Select which controls to implement and manage, and assign responsibility for these
e. Develop an implementation plan that articulates how each control is implemented
Measure Your Security Controls
a. Develop and select measurement methods for the controls you will implement
b. Identify existing measures
c. Identify all other possible measures
d. Identify implications of measures
e. Recommend measures for adoption by management
Formalize and Write your Security Policy
a. Identify existing policy that addresses the identified risks
b. Write proposed security policy that addresses these risks
c. Recommend security policy for adoption by management
WRITING AN IT SECURITY POLICY (step / action)
Step 1 – Identified risk: Start with an identified risk that your agency decided must be mitigated.
Step 2 – Management control decision: List the control your agency management decided upon to mitigate this risk.
Step 3 – Measure implementation: List the measure(s) your agency management decided to implement in order to assess the effectiveness of this control.
Step 4 – Existing policy: Document any existing policy the agency has that addresses the risk identified in Step 1.
Step 5 – Proposed security policy: List any proposed security policy.
Step 6 – Policy recommendation: Make a recommendation to management regarding the security policy to adopt.
Example Policy Development – Step 1 – Identified Risk
“Personnel who have not undergone thorough
background checks have access to information
systems.”
Example Policy Development – Step 2 – Management Control Decision
“Conduct background investigations internally using
our own employees. Training will be provided by a
neighboring agency that conducts their own
investigations. Access to a public information
database will be purchased and a policy will be
written to ensure proper background investigations
are conducted.”
Example Policy Development – Step 3 – Measure Implementation
“The Personnel Division Commander will conduct an
annual audit of the background investigations
section to ensure they are complying with the agency
policy.”
Example Policy Development – Step 4 – Existing Policy
“No current policy statement exists within the
agency for this identified risk.”
Example Policy Development – Step 5 – Proposed Security Policy
“This policy will affect all members of the agency.
The agency will immediately begin completing
thorough background checks of all employees,
civilian or sworn, who have access to agency
systems. The checks will be completed by the
background unit, which will be an ancillary
responsibility of the Detective Division Commander.
Any personnel failing to complete the background
process will be administratively suspended until such
time as the background can be properly completed.
Personnel who through the investigation do not
obtain a satisfactory background shall be referred to
the personnel section for reassignment within the
agency.”
Example Policy Development – Step 6 – Policy Recommendation
• This policy will affect all new employees who have been given
a conditional offer of hire.
• A thorough background check of the new hire will be
completed prior to the person’s assignment to a position that
will give them access to the agency’s system.
• Under the direction of the Commander in Charge of
Administration, the detectives assigned background
investigations will conduct a thorough background according
to the procedures developed at the direction of the
Commander and approved by the Chief of the Agency.
• Due to the sensitive nature of the background check process, only the Commander in Charge of Administration, the Assistant Chief of the agency, the agency Chief and the agency counsel will be allowed to review the completed background information.
• Any new hires failing to complete the background process will
be promptly notified of their status and referred to the
personnel section.
Security Policy Resources
Security Frameworks
• NIST
  • US standards
  • Security guidelines for federal systems
• ISO 17799
  • Internationally recognized standard
  • Applicable to both public and private sector implementations
NIST
The Federal Information Security Management Act (FISMA) of 2002 assigns responsibility for:
“…developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards…”
NIST publishes the standards and guidelines that federal systems are held to, including the FIPS (Federal Information Processing Standards).
ISO 17799
• Security Policy
• Organizational Security
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance
Security Guidance for Justice Systems
• CJIS Security Policies
  • Mandatory for systems that connect to NCIC
• SEARCH – Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies. A Guide for Executives, Managers, and Technologists
• Applying Security Practices to Justice Information Sharing (JIS)
  • Guidance for state and local justice information sharing
  • Includes both wired and wireless versions
Tech Guide Overview
• Designed to give decision makers a better understanding of the importance of the self- and risk-assessment process.
• Distills established guidance from the National Institute of Standards and Technology (NIST).
• Gives decision makers an IT security and risk-assessment tool that can help them through a complicated process.
The SEARCH IT Security Self- and Risk-assessment Tool
Self-Assessment
Risk-Assessment
Example Policies and Procedures
• State of Minnesota Office of Enterprise Technology: www.state.mn.us/portal/mn/jsp/home.do?agency=OETweb
• SANS
• GLOBAL Privacy and Information Quality
References
• SANS Security Policy Project and Primer: www.sans.org/resources/policies/
• NIST Computer Security Special Publications: http://csrc.nist.gov/publications/nistpubs/
• ISO 17799: www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441
• CJIS Security Policy: contact your state CJIS Systems Officer
• Law Enforcement Tech Guide for IT Security Policies: www.cops.usdoj.gov/default.asp?Item=512
• Applying Security Practices to Justice Information Sharing: http://it.ojp.gov/topic.jsp?topic_id=58
• Privacy Policy Development Guide and Implementation Templates: http://it.ojp.gov/topic.jsp?topic_id=55
Questions?
Todd G. Shipley, CFE, CFCE
Director, Systems Security and High Tech Crime Prevention Training
SEARCH
7311 Greenhaven Drive, Suite 145
Sacramento, California 95831
916-392-2550
www.search.org