|
Seven Federal
Strategies For Planning IT Security
Many individuals, and organizations have resisted investing in e-business
solutions because of the persistent and exaggerated belief that hackers and intruders will immediately besiege them. However,
new business models, new IT applications and the decreasing cost of technology are driving justice agencies to adopt e-business
applications. How then, can the justice agency plan for adequate information security?
Despite increased exposure to potential intruders, the experience
and tools to build effective defenses are already available and constantly improving. With effective, advance planning, it
is possible to respond rapidly and appropriately to security threats.
Overall, IT planning must be comprehensive, flowing directly from
an organization's operational plans. In addition, an effective plan must describe the business requirements that map to operational
goals. There are many ways to meet IT requirements, and substantial cost differences, but there should always be a clear justification
for every dollar spent, and security must be built in to the IT infrastructure from the beginning.
Data in an IT system is at risk from various sources – user errors
and malicious or nonmalicious hacking. Establishing an effective set of security policies and
procedures to reduce risk
requires the use of comprehensive, best-practice strategies.
Keep Your Security – and Your Applications – Simple
As
with any information system, when a security solution is too complicated, users will avoid or circumvent it, thus defeating
its purpose. If users are unwilling to abide by an overly complicated security system, its usefulness is drastically reduced.
Additionally, when application systems are made needlessly complex, regardless of how tightly integrated they are, they offer
multiple points of access and require extensive security administration and support – ultimately translating into higher
costs.
Develop
Policies, Procedures and Penalties In Advance
By planning ahead and developing effective policies, procedures
and penalties – you can help keep your applications and information secure. To avoid unnecessary obstacles, these should
be enforced consistently.
Provide Training On The Use Of The System
Reinforce
training by reviewing and publishing relevant news items, like attacks or system abuses. Keeping personnel properly informed
and providing regular reminders can increase their retention rates and improve their understanding of critical security issues.
Use Available Security Products Rather Than Those Developed
In-House
Available products based on open standards have been tested and proven, and have customer references
from which knowledge can be gained. Even if products are new, the methodologies used in testing can be evaluated and the results
reviewed. Most importantly, industry-standard products are typically well documented for users and for IT technical staff.
Compartmentalize Information, Assets and Users
Information assets require protection proportional to their value. Confidential
informant files, intelligence reports and witness information must
be carefully safeguarded, while public or easily replaced information does not require elaborate security. Accurately assessing
data can help determine the most appropriate type of security system.
Inventory
Management
IT assets (e.g., personal computers, servers, hubs) and supplies (e.g.,
software, diskettes) must be appropriately inventoried and secured. Organizations often take delivery of large amounts of
hardware and software without verifying the orders, ensuring that items are configured correctly and work properly, or entering
items into an asset control database. When items are lost or fail to perform properly, there are no records to substantiate
the loss to prove that the system is not performing as required.
Configuration
Control
Before any equipment is distributed to users, the configuration of every
piece of hardware should be predetermined and all software properly registered. This information must be added to the inventory
management system so that the inventory contains detailed descriptions of every system's components, hardware, software and
location.
Problem Reporting
This information is invaluable in tracking and protecting assets, identifying security breaches and conducting effective
investigations when problems are detected. Industry-standard software can check configurations and automatically report problems
to security administrators. This software can also maintain a log of system changes, upgrades or maintenance. Finally, locking
mechanisms for workstations can reduce theft or tampering.
Supply and Asset Management
Supplies and assets should be treated according to their cost or importance, yet often this area is neglected. For example,
organizations lock up inexpensive supplies while mission-critical assets are left unprotected.
User Control
People should only have access to applications and information required to perform their job function. Even if approved
for access to a restricted file, a user can be limited to viewing it from a certain workstation at a specific time. Organizations
should also control who can create accounts or add users to the system, and audit the system frequently for dummy IDs or accounts.
System Documentation
One of the most frequently overlooked security threats relates to system documentation, which can often be found in open,
unsecured offices. While it may seem convenient and less expensive to prepare and publish standard documentation, it can be
dangerous to system security. Widely distributed end-user manuals often contain large amounts of technical information that
is highly valuable to a hacker. Someone equipped with detailed systems information can assail with surgical accuracy instead
of resorting to more easily detectable methods. Publishing documentation on a network instead of in print can greatly reduce
the security threat, while reducing costs and simplifying updates.
Realistic Security Administration Objectives
No
organization can set up or administer a completely impenetrable IT security program. Therefore, an organization must balance
between desired and realistic goals. In-house staff can be utilized based on an assessment of what they can accomplish, while
additional resources may be outsourced. There are many resources available to meet security needs that can be obtained from
private companies at competitive costs. There is also value in resourcing – the symbiotic relationship between criminal
justice agencies and members of the community. Sharing resources, pooling assets for joint acquisitions, donated services
from universities or from the community are all potential ways to close gaps in a security plan.
Test Audit Inspect and Investigate Sites Continuously and Randomly
Regular updates to background investigations, use of voice stress analyzers, interviews and tip programs can help keep
system security under control. In addition, organizations should implement methods for reviewing and testing code to protect
against back doors into systems.
Other Approaches
Using automated auditing and monitoring programs
Publicizing threats and responses to them
Taking swift and consistent action when violations are detected
or reported.
Using programs that check for file changes
Advising employees that disciplinary actions will be taken in IT security
cases.
Conclusion
The dramatic increase in the use of IT has exposed organizations to attacks on their information systems, assets and
databases. Contrary to popular belief, the real threat rarely comes from outside sources, such as hackers. Unfortunately,
protecting against this misperceived threat is expensive and ignores the real danger of intentional or accidental security
breaches from internal, trusted sources.
However, with proper attention given to planning and implementing
IT security, law enforcement and criminal justice organizations can prevent the vast majority of system penetrations. Planning
based on a realistic assessment of security needs and threats, followed by the implementation of a well-developed security
plan, can provide effective and comprehensive protection against the majority of network security threats.
|
