Law Enforcement Tech Guide On Information Technology Security: How to Assess Risk and Establish Effective Policies
A Guide for Executives, Managers, and Technologists
Tech Guide Background
• Information Security Technical Assistance requests:
• Most common initial request was for “penetration testing”.
• Commonality among TA requestors: limited documentation of policy, or no policy statements regarding information security of agency computer systems.
Tech Guide Development
• Initial Assistance: Hawaii Attorney General’s Office
• Official Review Committee:
• William Spernow, Security Mentors, LLC, Security Consultant
• Liane M. Moriyama, Hawaii Criminal Justice Data Center
• Dr. Ron Glensor, Reno (Nevada) Police Department
• Steve Correll, NLETS – The International Justice & Public Safety Information Sharing Network
• Susan Ballou, Office of Law Enforcement Standards, Steering Committee Representative for State/Local Law Enforcement, National Institute of Standards and Technology (NIST)
• Mark Wilson, CISSP, IT Specialist (Information Security), Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST)
Additional Review
• Global Justice Information Sharing Initiative Advisory Board and the Security Committee
• Security Committee, Integrated Justice Information Systems Institute
• Security and Access Ad Hoc Subcommittee, FBI Criminal Justice Information Services Advisory Policy Board
• Microsoft Corporation
• Office of Community Oriented Policing Services (COPS), U.S. Department of Justice
Tech Guide Overview
• Designed to give decision makers a better understanding of the importance of the self- and risk-assessment process.
• Distills established guidance from the National Institute of Standards and Technology (NIST).
• Gives decision makers an IT security and risk-assessment tool that can help them through a complicated process.
Why NIST Standards?
The Federal Information Security Management Act (FISMA) of 2002 requires NIST to: “…developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards…”
FIPS – Federal Information Processing Standards
Why is a Federal Standard important to State and Local LE?
• CJIS
• Sarbanes-Oxley
• Breach notification laws
• HIPAA
• Child protection agencies
Why is the Self/Risk-assessment Process Important?
Because no system can be 100 percent secure, unless it is unplugged.
Why a Self/Risk Assessment Approach?
1. Identifies potential problems.
2. Enables well-informed decisions about how to address risks to the system.
3. Provides managers with specific system information to justify IT budget expenditures in the area of security.
Why a Risk Assessment Approach?
• Allows you to identify, classify, and prioritize existing risks to your IT systems.
• Once completed, you can determine how you are going to handle each specifically identified risk.
• Allows managers the choice to live with certain risks or, through better-informed security policies and controls, reduce or mitigate those risks to an acceptable level.
The TechGuide Layout – About this Guide
• About the Guide
• Assumptions About You
• How this Guide is Organized
• NIST – A Logical Framework for IT Security Policy Development
• Definitions of Icons
• A Roadmap to the Guide
• IT Security Policy Development – A Cyclical Process
The TechGuide Layout
• Chapter 1 – Information Systems Security: Understanding Your Responsibility, Security Policies, and Risk
• Chapter 2 – Organize and Charge the Security Policy Development Team
• Chapter 3 – Phase I: Conduct a Security Self-assessment
• Chapter 4 – Phase II: Assess Security Risks
• Chapter 5 – Phase III: Develop a Risk Mitigation Strategy
• Chapter 6 – Phase IV: Measure Your Security Controls
• Chapter 7 – Formalize Your IT Security Policies
The TechGuide Layout – Appendices
• A: Assessment Worksheets and Questions from the SEARCH IT Security Self- and Risk-assessment Tool
• B: SEARCH IT Security Worksheets – Control Development, Measurement Development, Policy Development
• C: Glossary of Security Terms
• D: Security Resources
TechGuide Tool and Worksheets
• SEARCH IT Security Self- and Risk-assessment Tool
• Assessment Worksheets and Questions from the SEARCH IT Security Self- and Risk-assessment Tool
• SEARCH IT Security Control Development Worksheet
• SEARCH IT Security Measurement Development Worksheet
• SEARCH IT Security Policy Development Worksheet
SEARCH IT Security Self/Risk Assessment Tool
• The SEARCH Information Security Self-Assessment tool is based on the original NIST Information Security Guide 800-26.
• This self-assessment tool utilizes an extensive questionnaire against which the security of a system or group of interconnected systems can be measured.
• The questionnaire can be used primarily as an examination of relevant documentation or as a rigorous examination and test of a system’s controls.
• This tool does not establish new security requirements.
Assessment Tool Overview
• The goal of this tool is to provide a standardized approach to assessing an information system for state and local law enforcement agencies.
• This tool is not intended to be a complete and comprehensive review of a system.
• This tool can be used by all levels of management within the criminal justice community who are responsible for IT security at the system level or organization level.
Tool Design and Layout
• Built in Microsoft Windows Excel
• Utilizes advanced features of Excel
• Broken out into four primary categories:
• Management
• Operational
• Technical
• State and Local Law Enforcement-specific IT Security Controls
Questions?
Todd G. Shipley, CFE, CFCE
Director, Systems Security and High Tech Crime Prevention Training
SEARCH
7311 Greenhaven Drive, Suite 145
Sacramento, California 95831
916-392-2550
www.search.org