
Law Enforcement Tech Guide for Information …

Department of Justice
Office of Community Oriented Policing Services

Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies
A Guide for Executives, Managers, and Technologists

Copyright 2006 SEARCH Group, Incorporated. The Department of Justice reserves a royalty-free, nonexclusive, and irrevocable license to reproduce, publish, or otherwise use, and to authorize others to use, this book for Federal Government purposes. This document may be freely distributed and used for noncommercial and educational purposes. No part of this book may be reproduced in any form, by any means (including electronic, photocopying, recording, or otherwise) for commercial purposes without the prior permission of the Department of Justice or the

By Kelly J. Harris and Todd G. Shipley, CFE, CFCE

This publication was supported by cooperative agreement #2003 CKWXK054 awarded by the Department of Justice Office of Community Oriented Policing Services to SEARCH Group, Incorporated, 7311 Greenhaven Drive, Suite 145, Sacramento, CA 95831.


The opinions or recommendations contained herein are those of the author(s) and do not necessarily represent the official position or policies of the Department of Justice. References to specific organizations, products, or services should not be considered an endorsement of the product by the author(s) or the Department of Justice. Rather, the references are illustrations to supplement discussion of the

Office of the Director
1100 Vermont Avenue, NW
Washington,

Department of Justice
Office of Community Oriented Policing Services

Dear Colleague,

Technology systems have contributed significantly to the operational effectiveness and efficiency of law enforcement agencies of all types. As the ability to collect, share, and use information continues to gain momentum in modern policing, technology tools that offer agencies the chance to develop this ability are ever more omnipresent.

Yet, as much as we rely on technology for some of our most sensitive and necessary activities, securing that technology is often an afterthought to system deployment rather than being an integrated part of the strategic implementation process. The Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies is intended to provide the law enforcement community with strategies, best practices, recommendations, and ideas for developing and implementing information technology security policies. It will help you identify and assess information technology security risks within your agency and provide ideas for mitigating them. Moreover, it will encourage readers to view security policies and practices as an ongoing process of assessment, modification, and measurement. This Guide is one of the many resources that the Office of Community Oriented Policing Services (COPS) offers to law enforcement.

It can be used as a stand-alone resource or used in conjunction with the original Law Enforcement Tech Guide (how to plan, purchase and manage technology (successfully!)) published by the COPS Office in 2002. That Guide and many of our other knowledge-based resources can be downloaded from , or they can be ordered free of charge by calling the COPS Office Response Center at or via e-mail at hope that you find this Guide to be both informative and helpful.

Carl R. Peed
Director

Contents

Acknowledgments
About the Authors
About the Guide
Assumptions About You
How this Guide Is Organized
NIST A Logical Framework for IT Security Policy of Icons
A Roadmap to the Guide
IT Security Policy Development: A Cyclical Process

Chapter 1. Information Systems Security: Understanding Your Responsibility, Security Policies, and Risk
  A Responsibility to Secure Your Systems
  What Is a Security Policy?
  What Are the Risk Factors to an IT System?
  Evaluating Risk Is Key to Developing Security Policies
  How Security Policies Control Risk

Chapter 2. Organize and Charge the Security Policy Development Team
  Step 1: Get Senior Leadership to the Table
  Step 2: Identify Stakeholders
  Step 3: Assign a Project Manager
  Step 4: Create a Governance Structure with Roles and Responsibilities
  Step 5: Review Your Agency Mission and Objectives
  Step 6: Allocate Resources
  Step 7: Adopt a Methodology and Plan of Action
  Sample Security Policy Development and Implementation Scenario

Chapter 3. Phase I: Conduct a Security Self-Assessment
  The Self-Assessment Process
  Step 1: Identify the Systems, Single System, or System Part for Which You Will Develop Security Policies
  Step 2: Assemble the Appropriate Participants for the Process and Hold a Kickoff Meeting
  Step 3: Gather Organizational Data
  Step 4: Conduct the Self-Assessment
  The SEARCH IT Security Self- and Risk-Assessment Tool: Easy to Use, Visible Results

Chapter 4. Phase II: Assess Security Risks
  Why Is the Risk-Assessment Process Important?
  Conduct a Risk Assessment
  Step 1: Identify the Risk and Write a Description of It
  Step 2: Categorize and Quantify the Identified Risks
  Step 3: Determine Your Tolerance for Levels of Risk
  Make Your Risk Assessment Easier by Using the SEARCH Assessment s Next?

Chapter 5. Phase III: Develop a Risk-Mitigation Strategy
  Prioritize Your Agency's Risks
  What Are Security Controls?
  Build Your Agency's Controls in Six Steps
  Document the Controls
  Select Which Controls to Implement and Assign Responsibility
  Develop an Implementation Plan

Chapter 6. Phase IV: Measure Your Security Controls
  What Are Security Measures?
  Develop and Select Measurement Methods
  Build Your Agency's Measures in Seven Steps

Chapter 7. Formalize Your IT Security Policies
  Write an Information Security Policy in Six Steps
  Conclusion

Appendixes
  A. Assessment Worksheets and Questions from the SEARCH IT Security Self- and Risk-Assessment Tool
  B. SEARCH IT Security Worksheets: Control Development, Measurement Development, Policy Development
  C. Glossary of Security Terms
  D. Security Resources

Acknowledgments

This publication was prepared by SEARCH, The National Consortium for Justice Information and Statistics, Mr. Francis X. Aumand III, chair, and Ronald P. Hawley, executive director. The project director was Kelly J. Harris, deputy executive director. Ms. Harris and Todd G. Shipley, CFE, CFCE, director of training services, wrote this publication. James E. Jolley, CISSP, computer training specialist, was a contributor. Twyla R. Putt, corporate communications manager, edited this publication.

Jane L. Bassett, publishing specialist, provided layout and design. Chris Roebuck, webmaster, provided web site coordination. The federal project manager was Debra Cohen, , of the Department of Justice Office of Community Oriented Policing Services (COPS). The authors would like to thank the Hawaii Attorney General's Office IT Group for its advice in the development of the early drafts of the self- and risk-assessment

Citation

Harris, Kelly J. and Todd G. Shipley, Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies, Washington, : Department of Justice Office of Community Oriented Policing Services,

Us

SEARCH, The National Consortium for Justice Information and Statistics, is dedicated to improving the quality of justice and public safety through the use, management, and exchange of information; application of new technologies; and responsible law and policy, while safeguarding security and assist local, tribal, county, regional, and state agencies and organizations including law enforcement and public safety; first responders; prosecution; defense; adjudication; detention; corrections and probation; and other disciplines, such as transportation, drivers licensing, vehicle registration, public health, and social services through a broad array of activities, resources, and products.

Our focus is on criminal history systems, integrated justice information systems, information technology (planning, purchasing, managing), communications interoperability, and cybercrime investigation. Our services include in-house and on-site technical assistance and training, resource development (web sites, publications, white papers, conferences, workshops), public policy assistance, and model development (model legislation, standards and procedures, best practices) in these focus areas. SEARCH online resources provide information on law enforcement information technology (IT), integrated justice, justice software solutions, and IT acquisition at

About the Authors

Author Kelly J. Harris is deputy executive director for SEARCH, where she oversees the development, implementation, and management of all SEARCH programs and related projects. SEARCH programs focus on IT and its successful application to justice and public safety decision-making.

In each program, Ms. Harris directs a broad array of activities, resources, and products provided to local, regional, tribal, and state justice and public safety agencies nationwide. These include technical assistance, training, resource development (publications, web sites, model development), national-scope policy research, and national workshops, symposia, and conferences. Ms. Harris oversees programs funded by grants, cooperative agreements, and contracts from the Departments of Justice (DOJ) and Homeland Security (DHS), and from state and local

key focus areas of SEARCH programs overseen by Ms. Harris are:
  Law and policy issues associated with information and identification technologies
  Planning for and implementing information-sharing technology
  Interoperable communications technologies
  High-technology crime

activities and resources address such issues as justice information-sharing system integration; how to plan for, develop, improve, acquire, and manage automated systems; homeland security; and combating cybercrime.

