Establishing Effective Security Policies and Procedures

Transcript Establishing Effective Security Policies and Procedures

Innovations in Justice:
Information-Sharing Strategies and Best Practices
BJA Regional Information-Sharing Conference
Establishing Effective Security
Policies and Procedures
Mr. James E. Cabral Jr., CISSP, CISA, GSEC
MTG Management Consultants, LLC
March 29, 2007
Justice IT Security Issues

Disaster Recovery

Platform Security Compliance

File and Disk Level Encryption


Enterprise and Personal Firewalls

Remote Access Authentication/Identity Management

Ongoing Vulnerability Testing

Remote Security Administration

Multi-tier Anti-Virus Solutions

Enterprise-wide Single Sign-On

Intrusion Detection Systems

Self-Service Password Reset

Internal Modem Control

Secure Web-Based E-Mail

Operating System File Integrity

Password Recovery

Web Site Security

Change Management Tracking

Patch Management

Document Control and Classification

Wireless Security

Log Analysis and Consolidation

E-Mail Filtering and Monitoring

Network Traffic Monitoring and Reconstruction

Spam and Spyware Controls

Forensic Investigations and Media Analysis

Employee Web Monitoring and Filtering

Agency and Staff Certification

Instant Messenger Monitoring and Management

Intrusion Prevention (Behavioral)

Copyright © Bill Spernow 2006
782/40/108053(ppt)
1
Basic Security Policy Process

Identify what assets you need to protect.

Identify the threats to those assets.

Use frameworks and industry-specific guidelines to select and
implement controls to mitigate the threats.
» Policies and procedures.
» Technical controls.
» Human controls.

Monitor compliance and effectiveness of controls (metrics).

Periodically review and update controls.
Security Policy Program Success
Success is dependent on four interdependent
components:
1. Strong upper-level management support.
2. Practical security policies and procedures.
3. Properly implemented controls.
4. Quantifiable performance metrics and analysis.
Common Justice Problems …

Systems are already developed.

Personnel are already in place with various levels of
training.

Some policy may exist.

Some procedures may be in place.

Some controls are in place.

Some metrics may be used to measure compliance.
Just What Is a Security Policy?

A security policy is a directive that defines a specific
behavior for one or more individuals within your
agency.

Each security policy is designed to reduce a specific
set of security risks to a level acceptable to
management.
IT Security Policies in Reality …

They are administrative directives.

They set goals and assign responsibilities.

They are difficult to write and implement.

Users usually think they are intrusive.
www.iccfbi.gov
Why a Particular Security Policy?

Based on the existing environment, a security policy
is crafted so that it will lower the system risk to an
acceptable level as set by management.

A security policy, while it may look simple, may in fact
require a great deal of work to craft it properly based
on your agency’s individual risk.
Security Policy Considerations?

A security policy is created through an analysis of
what information?
» Pertinent legislation and regulations.
» Agreements with other parties.
» Higher-level policies.
» Detailed knowledge of the target IT system.
» Anticipated threats.
» Implementation and operational costs.
» Management’s risk tolerance.
Security Policy Development Life Cycle

Policy.

Self-assessment.

Risk-assessment.

Controls.

Metrics (measurements).

[Diagram: life cycle with the stages Self-Assessment, Risk-Assessment, Policy, Controls, and Metrics.]
Taking the Challenge to Build Effective
Security Policy

Organize your security policy development team.

Conduct a security self-assessment.

Assess security risks.

Develop a risk mitigation strategy.

Measure your security controls.

Formalize and write your security policy.
Organize Your Security Policy
Development Team

Obtain leadership and involvement of senior management.

Identify and recruit internal and external stakeholders and
obtain their input and support.

Assign a project manager to guide and oversee the
initiative.

Create a governance structure with defined roles and
responsibilities.

Review your business mission and IT strategic plan as
guidance to your security initiative.

Allocate time and human/financial resources.

Adopt a methodology and action plan for developing and
implementing your security policies.
Conduct a Security Self-Assessment

Determine which systems or system components you want to
develop security policies for.

Assemble appropriate stakeholders and hold a kickoff meeting to discuss the process.

Gather relevant organizational data about the
systems to be assessed.

Conduct a security self- and risk-assessment.

Compile the results.
Assess Security Risks

For each assessment question your team answered
during the self-assessment, identify the risk and write a
description of it.

Categorize and quantify each identified risk:
» Likelihood – Remote, possible, or likely.
» Severity – High, medium, or low.
» Area of Impact – Human, financial, liability, etc.

Determine your tolerance level for each identified risk
(avoid, assume, mitigate, or transfer).

Determine a numeric priority for action for each
identified risk.
Develop a Risk Mitigation Strategy

Prioritize risks using the results of the risk-assessment.

Build security controls to mitigate risks.

Document the controls.

Select which controls to implement and manage, and
assign responsibility for these.

Develop an implementation plan that articulates how
each control is implemented.
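One way to keep the risk register the two slides above describe (likelihood, severity, area of impact, management's tolerance decision, numeric priority for action) and to catch decisions that contradict the rating before the mitigation strategy is built. This is an added example, not the presenter's material or the SEARCH tool; the 1..3 weights, the "assume" threshold and the sample register entries are assumptions.

```python
from dataclasses import dataclass

# Ordinal scales from the slide; the 1..3 weights and the "assume" threshold are assumptions.
LIKELIHOOD = {"remote": 1, "possible": 2, "likely": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
TOLERANCE = ("avoid", "assume", "mitigate", "transfer")

@dataclass
class Risk:
    description: str
    likelihood: str      # remote / possible / likely
    severity: str        # low / medium / high
    impact_areas: tuple  # e.g. ("human", "liability")
    tolerance: str       # management's decision: avoid / assume / mitigate / transfer
    control: str = ""    # control selected to mitigate or transfer the risk
    owner: str = ""      # person responsible for that control

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"unknown rating on risk {self.description!r}")
        if self.tolerance not in TOLERANCE:
            raise ValueError(f"unknown tolerance decision {self.tolerance!r}")

def priority(r: Risk) -> int:
    """Numeric priority for action: likelihood weight times severity weight (1..9)."""
    return LIKELIHOOD[r.likelihood] * SEVERITY[r.severity]

def validate(r: Risk, assume_threshold: int = 2) -> list:
    """Flag where management's tolerance decision is inconsistent with the rating."""
    problems = []
    if r.tolerance == "assume" and priority(r) > assume_threshold:
        problems.append("assumed, but priority exceeds management's acceptance threshold")
    if r.tolerance in ("mitigate", "transfer") and not (r.control and r.owner):
        problems.append("mitigate/transfer chosen, but no control or owner is assigned")
    return problems

def action_plan(register: list, assume_threshold: int = 2) -> list:
    """Rows of (priority, description, problems), highest priority first."""
    rows = [(priority(r), r.description, validate(r, assume_threshold)) for r in register]
    return sorted(rows, key=lambda row: row[0], reverse=True)

# Constructed sample register; the first entry is the risk from the slides' worked example.
REGISTER = [
    Risk("Personnel without thorough background checks have access to information systems",
         "likely", "high", ("human", "liability"), "mitigate",
         control="Background investigation before system access",
         owner="Personnel Division Commander"),
    Risk("Shared administrator password on the records server", "possible", "high", ("liability",), "assume"),
    Risk("Paper visitor log kept at the front desk", "remote", "low", ("liability",), "assume"),
]
```

`action_plan(REGISTER)` returns the prioritized list for slide 14, with the second entry flagged because a priority-6 risk was marked "assume" while the threshold is 2.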
Measure Your Security Controls

Develop and select measurement methods for the
controls you will implement.

Identify existing measures.

Identify all other possible measures.

Identify implications of measures.

Recommend measures for adoption by
management.
Formalize and Write Your Security Policy

Identify existing policy that addresses the identified
risks.

Write proposed security policy that addresses these
risks.

Recommend security policy for adoption by
management.
Writing An IT Security Policy

Step 1 – Identified Risk: Start with an identified risk that your agency management decided must be mitigated.

Step 2 – Management Control Decision: List the control your agency management decided upon to mitigate this risk.

Step 3 – Measure Implementation: List the measures your agency management decided to implement in order to assess the effectiveness of this control.

Step 4 – Existing Policy: Document any existing policy the agency management has that addresses the risk identified in Step 1.

Step 5 – Proposed Security Policy: List any proposed security policy.

Step 6 – Policy Recommendation: Make a recommendation to agency management regarding security policy to adopt.
Example Policy Development
Step 1 – Identified Risk
“Personnel who have not undergone thorough
background checks have access to information
systems.”
Example Policy Development
Step 2 – Management Control Decision
“Conduct background investigations internally using
our own employees. Training will be provided by a
neighboring agency that conducts their own
investigations. Access to a public information
database will be purchased and a policy will be
written to ensure proper background investigations
are conducted.”
Example Policy Development
Step 3 – Measure Implementation
“The Personnel Division Commander will conduct
an annual audit of the background investigations
section to ensure compliance with the agency
policy.”
Example Policy Development
Step 4 – Existing Policy
“No current policy statement exists within the
agency for this identified risk.”
Example Policy Development
Step 5 – Proposed Security Policy
“This policy will affect all members of the agency. The agency will
immediately begin completing thorough background checks of
all employees, civilian or sworn, who have access to agency
systems. The checks will be completed by the background unit,
which will be an ancillary responsibility of the Detective Division
Commander. Any personnel failing to complete the background
process will be administratively suspended until such time as the
background can be properly completed. Personnel who,
through the investigation, do not obtain a satisfactory
background shall be referred to the personnel section for
reassignment within the agency.”
Example Policy Development
Step 6 – Policy Recommendation

This policy will affect all new employees who have been given a
conditional offer of hire.

A thorough background check of the new hire will be completed prior to the
person’s assignment to a position that will give them access to the
agency’s system.

Under the direction of the Commander in Charge of Administration, the
detectives assigned background investigations will conduct a thorough
background check according to the procedures developed at the direction
of the Commander and approved by the Chief of the agency.

Due to the sensitive nature of the background check process, only the
Commander in Charge of Administration, the Assistant Chief of the
agency, the agency Chief and the agency counsel will be allowed to review
the completed background information.

Any new hires failing to complete the background process will be promptly
notified of their status and referred to the personnel section.
Security Frameworks

NIST.
» U.S. standards.
» Security guidelines for federal systems.

ISO 17799.
» Internationally recognized standard.
» Applicable to both public and private sector implementations.
NIST
The Federal Information Security Management Act (FISMA) of 2002
requires NIST to:
“…developing and overseeing the implementation of policies, principles,
standards, and guidelines on information security, including through
ensuring timely agency adoption of and compliance with standards…”
FIPS – Federal Information Processing Standards
ISO 17799

Security policy.

Organizational security.

Asset classification and control.

Personnel security.

Physical and environmental security.

Communications and operations management.

Access control.

Systems development and maintenance.

Business continuity management.

Compliance.
Security Guidance for Justice Systems

CJIS security policies.
» Mandatory for systems that connect to NCIC.

SEARCH – Law Enforcement Tech Guide on Information Technology Security:
How to Assess Risk and Establish Effective Policies. A Guide for
Executives, Managers, and Technologists.
» Guidance for state and local law enforcement.

Applying security practices to Justice Information Sharing (JIS)
» Guidance for state and local JIS.
» Includes both wired and wireless versions.
CJIS Security Policy

Roles and responsibilities.

Security enforcement.

Computer security incident response capability.

ORI authorizations and user agreements.

Technical security.

Use and dissemination of criminal history record information and NCIC hot
file information.

Audits of CJIS information systems.

Appendices:
» A – Forms.
» B – Web Sites.
» C – Guideline Documents.
» D – Other Resources.
Tech Guide Overview

Designed to give decision makers a better understanding of the
importance of the self- and risk-assessment processes.

Distill established guidance from the National Institute of Standards
and Technology (NIST).

Give decision makers an IT security and risk assessment tool that can
help them through a complicated process.
The SEARCH IT Security Self- and Risk-Assessment Tool
Self-Assessment
Risk-Assessment
Applying Security Practices to JIS

The slide groups the practices under three headings: Prevention, Detection and Recovery, and Support.

Governance.

Intrusion detection systems.

Physical security.

Critical incident response.

Personnel security screening.

Separation of duties.

Attack detection and prevention.

Security auditing.

Identification and authentication.

Risk management.

Authorization and access control.

Data integrity.

Disaster recovery and business continuity.

Data classification.

Change management.

Public access, privacy, and confidentiality.

Firewalls, VPNs, and other network safeguards.
Example Policies and Procedures

State of Minnesota, Office of Enterprise Technology.
» www.state.mn.us/portal/mn/jsp/home.do?agency=OETweb

SANS.

GLOBAL Privacy and Information Quality.
References

SANS Security Policy Project and Primer.
» www.sans.org/resources/policies/

NIST Computer Security Special Publications.
» www.csrc.nist.gov/publications/nistpubs/

ISO 17799.
» www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441

CJIS Security Policy.
» Contact your state CJIS Systems Officer.

Law Enforcement Tech Guide for IT Security Policies.
» www.cops.usdoj.gov/default.asp?Item=512

Applying Security Practices to Justice Information Sharing.
» www.it.ojp.gov/topic.jsp?topic_id=58

Privacy Policy Development Guide and Implementation Templates.
» www.it.ojp.gov/topic.jsp?topic_id=55