Study Report: Comprehensive Network Security and Threat Assessment Planning

 
 
Seven Federal Strategies For Planning IT Security
 
Many individuals and organizations have resisted investing in e-business solutions because of the persistent and exaggerated belief that hackers and intruders will immediately besiege them. However, new business models, new IT applications and the decreasing cost of technology are driving justice agencies to adopt e-business applications. How, then, can a justice agency plan for adequate information security?

Despite increased exposure to potential intruders, the experience and tools to build effective defenses are already available and constantly improving. With effective, advance planning, it is possible to respond rapidly and appropriately to security threats.

Overall, IT planning must be comprehensive, flowing directly from an organization's operational plans. In addition, an effective plan must describe the business requirements that map to operational goals. There are many ways to meet IT requirements, with substantial cost differences among them, but there should always be a clear justification for every dollar spent, and security must be built into the IT infrastructure from the beginning.
 
Data in an IT system is at risk from various sources – user errors and malicious or nonmalicious hacking. Establishing an effective set of security policies and procedures to reduce risk requires the use of comprehensive, best-practice strategies.
 
Keep Your Security – and Your Applications – Simple
As with any information system, when a security solution is too complicated, users will avoid or circumvent it, thus defeating its purpose. If users are unwilling to abide by an overly complicated security system, its usefulness is drastically reduced. Additionally, when application systems are made needlessly complex, regardless of how tightly integrated they are, they offer multiple points of access and require extensive security administration and support – ultimately translating into higher costs.
 
Develop Policies, Procedures and Penalties In Advance
By planning ahead and developing effective policies, procedures and penalties, you can help keep your applications and information secure. To avoid unnecessary obstacles, these should be enforced consistently.

Provide Training On The Use Of The System
Reinforce training by reviewing and publishing relevant news items, like attacks or system abuses. Keeping personnel properly informed and providing regular reminders can increase their retention rates and improve their understanding of critical security issues.
 
Use Available Security Products Rather Than Those Developed In-House
Available products based on open standards have been tested and proven, and have customer references from which knowledge can be gained. Even if products are new, the methodologies used in testing can be evaluated and the results reviewed. Most importantly, industry-standard products are typically well documented for users and for IT technical staff.
 
Compartmentalize Information, Assets and Users
Information assets require protection proportional to their value. Confidential informant files, intelligence reports and witness information must be carefully safeguarded, while public or easily replaced information does not require elaborate security. Accurately assessing data can help determine the most appropriate type of security system.
 
Inventory Management
IT assets (e.g., personal computers, servers, hubs) and supplies (e.g., software, diskettes) must be appropriately inventoried and secured. Organizations often take delivery of large amounts of hardware and software without verifying the orders, ensuring that items are configured correctly and work properly, or entering items into an asset control database. When items are lost or fail to perform properly, there are no records to substantiate the loss or to prove that the system is not performing as required.
 
Configuration Control
Before any equipment is distributed to users, the configuration of every piece of hardware should be predetermined and all software properly registered. This information must be added to the inventory management system so that the inventory contains detailed descriptions of every system's components, hardware, software and location.
 

Problem Reporting
This information is invaluable in tracking and protecting assets, identifying security breaches and conducting effective investigations when problems are detected. Industry-standard software can check configurations and automatically report problems to security administrators. This software can also maintain a log of system changes, upgrades or maintenance. Finally, locking mechanisms for workstations can reduce theft or tampering.
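
The inventory, configuration control and problem reporting steps above can be tied together by comparing what a configuration checker observes with what the inventory says should be there. The following is an added example, not part of the original report; the asset tags, locations, record layout and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetRecord:
    """One inventory entry, recorded before the equipment is handed out."""
    location: str
    hardware: dict   # component -> predetermined value
    software: dict   # package -> registered version

# Constructed sample data: asset tags, locations and versions are invented.
INVENTORY = {
    "WS-0101": AssetRecord("Records Room 2", {"ram_gb": 8, "disk": "SN-A1"},
                           {"office-suite": "4.2", "av-agent": "7.1"}),
    "WS-0102": AssetRecord("Dispatch Desk", {"ram_gb": 8, "disk": "SN-B7"},
                           {"office-suite": "4.2", "av-agent": "7.1"}),
}
SCANS = {  # what a configuration checker observed on the network
    "WS-0101": {"location": "Records Room 2",
                "hardware": {"ram_gb": 4, "disk": "SN-A1"},
                "software": {"office-suite": "4.2", "remote-admin": "1.0"}},
    "WS-0999": {"location": "Lobby", "hardware": {}, "software": {}},
}

def diff_asset(baseline, observed):
    """Compare one observed system with its inventory record."""
    findings = []
    if observed["location"] != baseline.location:
        findings.append(("moved", "location", baseline.location, observed["location"]))
    for kind in ("hardware", "software"):
        expected, seen = getattr(baseline, kind), observed.get(kind, {})
        for name, value in expected.items():
            if name not in seen:
                findings.append(("missing", f"{kind}:{name}", value, None))
            elif seen[name] != value:
                findings.append(("changed", f"{kind}:{name}", value, seen[name]))
        for name in sorted(seen.keys() - expected.keys()):
            findings.append(("unregistered", f"{kind}:{name}", None, seen[name]))
    return findings

def audit(inventory, scans):
    """Return {asset_tag: findings} for the security administrator's problem report."""
    report = {}
    for tag, observed in scans.items():
        if tag not in inventory:   # hardware never entered into asset control
            report[tag] = [("uninventoried", "asset", None, observed["location"])]
        elif (found := diff_asset(inventory[tag], observed)):
            report[tag] = found
    for tag in sorted(inventory.keys() - scans.keys()):   # recorded but not found
        report[tag] = [("not_seen", "asset", inventory[tag].location, None)]
    return report
```

Each finding carries the expected and the observed value, so the same output serves as the change log entry and as the record that substantiates a loss.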
 

Supply and Asset Management
Supplies and assets should be treated according to their cost or importance, yet often this area is neglected. For example, organizations lock up inexpensive supplies while mission-critical assets are left unprotected.

User Control
People should only have access to applications and information required to perform their job function. Even if approved for access to a restricted file, a user can be limited to viewing it from a certain workstation at a specific time. Organizations should also control who can create accounts or add users to the system, and audit the system frequently for dummy IDs or accounts.
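
The access rule described above (job function, then workstation, then time of day) and the audit for dummy accounts can be expressed as a default-deny check plus a roster comparison. This is an added example, not part of the original report; the user names, resource names, workstation IDs and policy layout are assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed sample data: every name and ID below is invented.
ROSTER = {"jdoe": "investigator", "asmith": "clerk"}   # real people and their job function
ACCOUNT_ADMINS = {"secadmin"}                          # who may create accounts
POLICY = {
    "informant_files": {"roles": {"investigator"},
                        "workstations": {"WS-SECURE-01"},
                        "hours": (time(8, 0), time(18, 0))},
    "public_notices": {"roles": {"clerk", "investigator"},
                       "workstations": None,   # None means no restriction
                       "hours": None},
}
ACCOUNTS = [
    {"name": "jdoe", "created_by": "secadmin"},
    {"name": "asmith", "created_by": "secadmin"},
    {"name": "test1", "created_by": "jdoe"},
]

def may_access(user, resource, workstation, when):
    """Default deny: allow only if role, workstation and time all match the policy."""
    rule, role = POLICY.get(resource), ROSTER.get(user)
    if rule is None or role is None or role not in rule["roles"]:
        return False
    if rule["workstations"] is not None and workstation not in rule["workstations"]:
        return False
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not (start <= when.time() < end):
            return False
    return True

def audit_accounts(accounts):
    """Flag accounts with no person behind them or created outside the approved path."""
    findings = []
    for acct in accounts:
        if acct["name"] not in ROSTER:
            findings.append((acct["name"], "no matching person on roster"))
        if acct["created_by"] not in ACCOUNT_ADMINS:
            findings.append((acct["name"], "created by unauthorized account"))
    return findings
```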

System Documentation
One of the most frequently overlooked security threats relates to system documentation, which can often be found in open, unsecured offices. While it may seem convenient and less expensive to prepare and publish standard documentation, it can be dangerous to system security. Widely distributed end-user manuals often contain large amounts of technical information that is highly valuable to a hacker. Someone equipped with detailed systems information can attack with surgical accuracy instead of resorting to more easily detectable methods. Publishing documentation on a network instead of in print can greatly reduce the security threat, while reducing costs and simplifying updates.

Realistic Security Administration Objectives
No organization can set up or administer a completely impenetrable IT security program. Therefore, an organization must strike a balance between desired and realistic goals. In-house staff can be utilized based on an assessment of what they can accomplish, while additional resources may be outsourced. There are many resources available to meet security needs that can be obtained from private companies at competitive costs. There is also value in resourcing – the symbiotic relationship between criminal justice agencies and members of the community. Sharing resources, pooling assets for joint acquisitions, and accepting donated services from universities or from the community are all potential ways to close gaps in a security plan.
 
Test, Audit, Inspect and Investigate Sites Continuously and Randomly
Regular updates to background investigations, use of voice stress analyzers, interviews and tip programs can help keep system security under control. In addition, organizations should implement methods for reviewing and testing code to protect against back doors into systems.
 
Other Approaches

Using automated auditing and monitoring programs

Publicizing threats and responses to them

Taking swift and consistent action when violations are detected or reported

Using programs that check for file changes

Advising employees that disciplinary actions will be taken in IT security cases

Conclusion
The dramatic increase in the use of IT has exposed organizations to attacks on their information systems, assets and databases. Contrary to popular belief, the real threat rarely comes from outside sources, such as hackers. Unfortunately, protecting against this misperceived threat is expensive and ignores the real danger of intentional or accidental security breaches from internal, trusted sources.
 

However, with proper attention given to planning and implementing IT security, law enforcement and criminal justice organizations can prevent the vast majority of system penetrations. Planning based on a realistic assessment of security needs and threats, followed by the implementation of a well-developed security plan, can provide effective and comprehensive protection against the majority of network security threats.
 


2005 Payson Technology Group, LLC All rights reserved. Payson Technology Group, LLC  

2005 GovSecurity.org All rights reserved. Study Report