Establishing Effective Security Policies BJA Regional Information Sharing Conference Justice IT Security Issues • • • • • • • • • • • • • • Disaster Recovery File & Disk Level Encryption Enterprise & Personal Firewalls Ongoing Vulnerability Testing Multi-tier Anti-Virus Solutions Intrusion Detection Systems Internal Modem Control Operating System File Integrity Web Site Security Patch Management Wireless Security E-mail Filtering and Monitoring Spam & Spyware Controls Employee Web Monitoring & Filtering • Instant Messenger Monitoring & Management • Intrusion Prevention (Behavioral) • Platform Security Compliance • Remote Access Authentication / Identity Management • Remote Security Administration • Enterprise-wide Single Sign-On • Self-service Password Reset • Secure Web-Based E-Mail • Password Recovery • Change Management Tracking • Document Control & Classification • Log Analysis & Consolidation • Network Traffic Monitoring & Reconstruction • Forensic Investigations & Media Analysis • Agency & Staff Certification SEARCH, The National Consortium for Justice Information and Statistics | www.search.org Copyright © Bill Spernow 2006 1 Basic Security Policy Process Identify what assets you need to protect. Identify the threats to those assets. Use frameworks and industry-specific guidance to select and implement controls to mitigate the threats. Policies and procedures. Technical controls. Human controls. Monitor compliance and effectiveness of controls (Metrics). Periodically review and update controls. SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 2 Security Policy Program Success Success is Dependent on Four Interdependent Components: 1) Strong Upper-Level Management Support 2) Practical Security Policies and Procedures 3) Properly Implemented Controls 4) Quantifiable Performance Metrics and Analysis SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 3 Common Justice Problems… Systems are already developed Personnel are already in place with various levels of training Some policy may exist Some Procedures may be in place Some Controls are in place Some metrics may be used to measure compliance SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 4 Just what is a Security Policy? • A Security Policy is a directive that defines a specific behavior for one or more individuals within your agency. • Each Security Policy is designed to reduce a specific set of security risks to a level acceptable to management. SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 5 IT Security Policies in reality… • They are administrative directives. • They set goals and assign responsibilities. • They are a pain to write and implement • and users usually think they are intrusive. www.iccfbi.gov SEARCH, The National Consortium for Justice Information and Statistics | www.search.org Why a particular Security Policy? • Based on the existing environment, a security policy is crafted so that it will lower the system risk to an acceptable level as set by management • A security policy, while it may look simple, may in fact require a great deal of work to craft it properly based on your agency’s individual risk. SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 7 Security Policy Considerations? • A Security Policy is created through an analysis of what information? Pertinent legislation and regulations Agreements with other parties Higher level policies Detailed knowledge of the target IT system Anticipated threats Implementation and operational costs Management’s risk tolerance SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 8 Security Policy Development Life Cycle SelfAssessment • Policy • Self-Assessment RiskAssessment • Risk-Assessment • Controls Policy • Metrics (measurements) Controls Metrics SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 9 Taking the Challenge to build Effective Security Policy • Organize your Security Policy Development Team • Conduct a Security Self-assessment • Assess Security Risks • Develop a Risk Mitigation Strategy • Measure Your Security Controls • Formalize and Write your Security Policy SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 10 Organize your Security Policy Development Team a. Obtain leadership and involvement of senior management b. Identify and recruit internal and external stakeholders and obtain their input and support c. Assign a Project Manager to guide and oversee initiative d. Create a governance structure with defined roles and responsibilities e. Review your business mission and IT strategic plan as guidance to your security initiative f. Allocate time and human/financial resources g. Adopt a methodology and action plan to developing/implementing your security policies SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 11 Conduct a Security Self-assessment a. Determine which system(s) or system part you want to develop security policies for b. Assemble appropriate stakeholders and hold a kick-off meeting to discuss process c. Gather relevant organizational data about the system(s) to be assessed d. Conduct a Security Self- and Risk-assessment e. Compile the results SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 12 Assess Security Risks a. For each assessment question your team answered during the self-assessment, identify the risk and write a description of it. b. Categorize and quantify each identified risk : 1. Likelihood: remote, possible or likely; 2. Severity: high, medium or low; 3. Area of impact: human, financial, liability, etc. c. Determine your tolerance level for each identified risk (avoid, assume, mitigate, or transfer) d. Determine a numeric priority for action for each identified risk (1 being highest priority, 3 being lowest) SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 13 Develop a Risk Mitigation Strategy a. Prioritize risks, using the results of the risk-assessment b. Build security controls to mitigate risks c. Document the controls d. Select which controls to implement and manage, and assign responsibility for these e. Develop an implementation plan that articulates how each control is implemented SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 14 Measure Your Security Controls a. Develop and select measurement methods for the controls you will implement b. Identify existing measures c. Identify all other possible measures d. Identify implications of measures e. Recommend measures for adoption by management SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 15 Formalize and Write your Security Policy a. Identify existing policy that addresses the identified risks b. Write proposed security policy that addresses these risks c. Recommend security policy for adoption by management SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 16 WRITING AN IT SECURITY POLICY STEP ACTION 1 Identified risk Start with an identified risk that your agency decided must be mitigated 2 Management control decision List the control your agency management decided upon to mitigate this risk 3 Measure implementation List the measure(s) your agency management decided to implement in order to assess the effectiveness of this control 4 Existing policy Document any existing policy the agency has that addresses the risk identified in Step 1 5 Proposed security policy List any proposed security policy 6 Policy recommendation Make a recommendation to management regarding security policy to adopt SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 17 Example Policy DevelopmentStep 1 – Identified Risk “Personnel who have not undergone thorough background checks have access to information systems.” SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 18 Example Policy DevelopmentStep 2 – Management Control Decision “Conduct background investigations internally using our own employees. Training will be provided by a neighboring agency that conducts their own investigations. Access to a public information database will be purchased and a policy will be written to ensure proper background investigations are conducted.” SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 19 Example Policy Development – Step 3 Measure Implementation “The Personnel Division Commander will conduct an annual audit of the background investigations section to ensure they are complying with the agency policy.” SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 20 Example Policy Development – Step 4 – Existing Policy “No current policy statement exists within the agency for this identified risk.” SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 21 Example Policy Development – Step 5 – Proposed Security Policy “This policy will affect all members of the agency. The agency will immediately begin completing thorough background checks of all employees, civilian or sworn, who have access to agency systems. The checks will be completed by the background unit, which will be an ancillary responsibility of the Detective Division Commander. Any personnel failing to complete the background process will be administratively suspended until such time as the background can be properly completed. Personnel who through the investigation do not obtain a satisfactory background shall be referred to the personnel section for reassignment within the agency.” SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 22 Example Policy Development – Step 6 – Policy Recommendation • This policy will affect all new employees who have been given a conditional offer of hire. • A thorough background check of the new hire will be completed prior to the person’s assignment to a position that will give them access to the agency’s system. • Under the direction of the Commander in Charge of Administration, the detectives assigned background investigations will conduct a thorough background according to the procedures developed at the direction of the Commander and approved by the Chief of the Agency. • Due to the sensitive nature of the background check process, only the Commander in Charge of Administration, the Assistant, Chief of the agency, the agency Chief and the agency counsel will be allowed to review the completed background information. • Any new hires failing to complete the background process will be promptly notified of their status and referred to the personnel section. SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 23 Security Policy Resources SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 24 Security Frameworks • NIST • US standards • Security guidelines for federal systems • ISO 17799 • Internationally recognized standard • Applicable to both public and private sector implementations SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 25 NIST The Federal Information Security Management Act (FISMA) of 2002 requires NIST to: “…developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards…” FIPS-Federal Information Processing Standards SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 26 ISO 17799 • • • • • • • • • • Security Policy Organizational Security Asset Classification and Control Personnel Security Physical and Environmental Security Communications and Operations Management Access Control Systems Development and Maintenance Business Continuity Management Compliance SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 27 Security Guidance for Justice Systems • CJIS Security Policies • Mandatory for systems that connect to NCIC • SEARCH - Law Enforcement Tech Guide for Information Technology Security, How to Assess Risk and Establish Effective Policies A Guide for Executives, Managers, and Technologists • Applying Security Practices to Justice Information Sharing (JIS) • Guidance for state and local justice information sharing • Includes both wired and wireless versions SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 28 Tech Guide Overview • Designed to give decision makers a better understanding of the importance of the self and risk assessment process. • Distill established guidance from the National Institute of Standards and Technology (NIST). • Give decision makers a IT security and risk assessment tool that can help them through a complicated process. SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 29 The SEARCH IT Security Self- and Riskassessment Tool SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 30 Self-Assessment SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 31 Risk-Assessment SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 32 Example Policies and Procedures • State of Minnesota Office of Enterprise Technology www.state.mn.us/portal/mn/jsp/home.do?agency=OE Tweb • SANS • GLOBAL Privacy and Information Quality SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 33 References • SANS Security Policy Project and Primer www.sans.org/resources/policies/ • NIST Computer Security Special Publications http://csrc.nist.gov/publications/nistpubs/ • ISO 17799 www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUM BER=33441 • CJIS Security Policy Contact your state CJIS Systems Officer • Law Enforcement Tech Guide for IT Security Policies www.cops.usdoj.gov/default.asp?Item=512 • Applying Security Practices to Justice Information Sharing http://it.ojp.gov/topic.jsp?topic_id=58 • Privacy Policy Development Guide and Implementation Templates http://it.ojp.gov/topic.jsp?topic_id=55 SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 34 Questions? Todd G. Shipley, CFE, CFCE Director, Systems Security and High Tech Crime Prevention Training SEARCH 7311 Greenhaven Drive, Suite 145 Sacramento, California 95831 916-392-2550 www.search.org SEARCH, The National Consortium for Justice Information and Statistics | www.search.org 35