Comprehensive Planning, Security and Threat Assessment

Many organizations have resisted investing in e-business solutions because of the persistent and exaggerated belief that hackers and intruders will immediately besiege them. However, new business models, new IT applications and the decreasing cost of technology are driving justice agencies to adopt e-business applications. How, then, can the justice agency plan for adequate information security?

The science fiction book The Hitchhiker's Guide to the Galaxy has a rule for dealing with challenges: Don't panic. This is good advice for IT security planning, too. Despite increased exposure to potential intruders, the experience and tools to build effective defenses are already available and constantly improving. With effective, advance planning, it is possible to respond rapidly and appropriately to security threats.

Overall, IT planning must be comprehensive, flowing directly from an organization's operational plans. In addition, an effective plan must describe the business requirements that map to operational goals. There are many ways to meet IT requirements, and substantial cost differences, but there should always be a clear justification for every dollar spent, and security must be built in to the IT infrastructure from the beginning.

Strategies For Planning IT Security

Data in an IT system is at risk from various sources – user errors and malicious or nonmalicious hacking. Establishing an effective set of security policies and procedures to reduce risk requires the use of comprehensive, best-practice strategies.

Keep your security – and your applications – simple

As with any information system, when a security solution is too complicated, users will avoid or circumvent it, thus defeating its purpose. If users are unwilling to abide by an overly complicated security system, its usefulness is drastically reduced.
Additionally, when application systems are made needlessly complex, regardless of how tightly integrated they are, they offer multiple points of access and require extensive security administration and support – ultimately translating into higher costs.

Develop policies, procedures and penalties (P3) in advance

By planning ahead and developing effective policies, procedures and penalties – known as the P3 – you can help keep your applications and information secure. To avoid unnecessary obstacles, these should be enforced consistently.

Provide training on the use of the system, emphasizing the P3

Reinforce training by reviewing and publishing relevant news items, like attacks or system abuses. Keeping personnel properly informed and providing regular reminders can increase their retention rates and improve their understanding of critical security issues.

Use available security products rather than those developed in-house

Available products based on open standards have been tested and proven, and have customer references from which knowledge can be gained. Even if products are new, the methodologies used in testing can be evaluated and the results reviewed. Most importantly, industry-standard products are typically well documented for users and for IT technical staff.

Compartmentalize information, assets and users

Information assets require protection proportional to their value. Confidential informant files, intelligence reports and witness information must be carefully safeguarded, while public or easily replaced information does not require elaborate security. Accurately assessing data can help determine the most appropriate type of security system.

Inventory management. IT assets (e.g., personal computers, servers, hubs) and supplies (e.g., software, diskettes) must be appropriately inventoried and secured.
Organizations often take delivery of large amounts of hardware and software without verifying the orders, ensuring that items are configured correctly and work properly, or entering items into an asset control database. When items are lost or fail to perform properly, there are no records to substantiate the loss or to prove that the system is not performing as required.

Configuration control. Before any equipment is distributed to users, the configuration of every piece of hardware should be predetermined and all software properly registered. This information must be added to the inventory management system so that the inventory contains detailed descriptions of every system's components, hardware, software and location.

Problem reporting. This information is invaluable in tracking and protecting assets, identifying security breaches and conducting effective investigations when problems are detected. Industry-standard software can check configurations and automatically report problems to security administrators. This software can also maintain a log of system changes, upgrades or maintenance. Finally, locking mechanisms for workstations can reduce theft or tampering.

Supply and asset management. Supplies and assets should be treated according to their cost or importance, yet often this area is neglected. For example, organizations lock up inexpensive supplies while mission-critical assets are left unprotected.

User control. People should only have access to applications and information required to perform their job function. Even if approved for access to a restricted file, a user can be limited to viewing it from a certain workstation at a specific time. Organizations should also control who can create accounts or add users to the system, and audit the system frequently for dummy IDs or accounts.

System documentation. One of the most frequently overlooked security threats relates to system documentation, which can often be found in open, unsecured offices.
While it may seem convenient and less expensive to prepare and publish standard documentation, it can be dangerous to system security. Widely distributed end-user manuals often contain large amounts of technical information that is highly valuable to a hacker. Someone equipped with detailed systems information can assail with surgical accuracy instead of resorting to more easily detectable methods. Publishing documentation on a network instead of in print can greatly reduce the security threat, while reducing costs and simplifying updates.

Realistic security administration objectives

No organization can set up or administer a completely impenetrable IT security program. Therefore, an organization must balance between desired and realistic goals. In-house staff can be utilized based on an assessment of what they can accomplish, while additional resources may be outsourced. There are many resources available to meet security needs that can be obtained from private companies at competitive costs. There is also value in resourcing – the symbiotic relationship between criminal justice agencies and members of the community. Sharing resources, pooling assets for joint acquisitions, donated services from universities or from the community are all potential ways to close gaps in a security plan.

Test, audit, inspect and investigate sites continuously and randomly

Regular updates to background investigations, use of voice stress analyzers, interviews and tip programs can help keep system security under control. In addition, organizations should implement methods for reviewing and testing code to protect against back doors into systems.
Other approaches include:

- Using automated auditing and monitoring programs
- Publicizing threats and responses to them
- Taking swift, consistent and appropriate action when violations are detected or reported
- Using programs that check for file changes
- Advising employees that disciplinary actions will be taken in IT security cases

Conclusion

The dramatic increase in the use of IT has exposed organizations to attacks on their information systems, assets and databases. Contrary to popular belief, the real threat rarely comes from outside sources, such as hackers. Unfortunately, protecting against this misperceived threat is expensive and ignores the real danger of intentional or accidental security breaches from internal, trusted sources.

However, with proper attention given to planning and implementing IT security, law enforcement and criminal justice organizations can prevent the vast majority of system penetrations. Planning based on a realistic assessment of security needs and threats, followed by the implementation of a well-developed security plan, can provide effective and comprehensive protection against the majority of network security threats.
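
The "User control" item above describes two checks: auditing for dummy accounts and limiting a restricted file to a certain workstation and time. The sketch below is an added example, not part of the original article; the roster, account list, workstation names and log entries are constructed sample data, and all identifiers are hypothetical.

```python
from datetime import datetime, time

# Constructed sample data; every name below is hypothetical.
ROSTER = {"jdoe", "asmith", "secadmin"}      # current staff records
ACCOUNT_ADMINS = {"secadmin"}                # only these may create accounts
ACCOUNTS = [("jdoe", "secadmin"), ("asmith", "secadmin"),
            ("secadmin", "secadmin"), ("test01", "jdoe")]  # (id, created_by)
# Restricted resource -> approved user -> (workstation, window start, window end)
RESTRICTIONS = {"informant_files": {"asmith": ("WS-INTEL-02", time(8), time(17))}}
ACCESS_LOG = [  # (ISO timestamp, user, workstation, resource)
    ("2024-03-04T09:15:00", "asmith", "WS-INTEL-02", "informant_files"),
    ("2024-03-04T22:40:00", "asmith", "WS-INTEL-02", "informant_files"),
    ("2024-03-05T10:05:00", "asmith", "WS-FRONT-01", "informant_files"),
    ("2024-03-05T11:00:00", "jdoe", "WS-INTEL-02", "informant_files"),
    ("2024-03-05T11:30:00", "jdoe", "WS-FRONT-01", "public_notices"),
]

def audit_accounts(accounts, roster, admins):
    """Flag accounts with no staff record or created by a non-administrator."""
    findings = []
    for account, creator in accounts:
        if account not in roster:
            findings.append((account, "no matching staff record"))
        if creator not in admins:
            findings.append((account, f"created by non-administrator {creator}"))
    return findings

def access_allowed(user, workstation, when, resource, restrictions):
    """Restricted resources are default-deny: user, workstation and time must all match."""
    if resource not in restrictions:
        return True  # not a restricted resource; this check does not apply
    rule = restrictions[resource].get(user)
    if rule is None:
        return False  # user was never approved for this resource
    allowed_ws, start, end = rule
    return workstation == allowed_ws and start <= when.time() < end

def review_access_log(log, restrictions):
    """Return the log entries that violate a user, workstation or time restriction."""
    return [entry for entry in log
            if not access_allowed(entry[1], entry[2],
                                  datetime.fromisoformat(entry[0]),
                                  entry[3], restrictions)]

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, ROSTER, ACCOUNT_ADMINS):
        print("ACCOUNT", finding)
    for entry in review_access_log(ACCESS_LOG, RESTRICTIONS):
        print("ACCESS ", entry)
```
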
Payson Technology Group, LLC