
Law Enforcement Tech Guide for Information …

Department of Justice
Office of Community Oriented Policing Services

Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies
A Guide for Executives, Managers, and Technologists

Copyright 2006 SEARCH Group, Incorporated. The Department of Justice reserves a royalty-free, nonexclusive, and irrevocable license to reproduce, publish, or otherwise use, and to authorize others to use, this book for Federal Government purposes. This document may be freely distributed and used for noncommercial and educational purposes.



Transcription of Law Enforcement Tech Guide for Information …


No part of this book may be reproduced in any form, by any means (including electronic, photocopying, recording, or otherwise) for commercial purposes without the prior permission of the Department of Justice or the

By Kelly J. Harris and Todd G. Shipley, CFE, CFCE

This publication was supported by cooperative agreement #2003 CKWXK054 awarded by the Department of Justice Office of Community Oriented Policing Services to SEARCH Group, Incorporated, 7311 Greenhaven Drive, Suite 145, Sacramento, CA 95831.

The opinions or recommendations contained herein are those of the author(s) and do not necessarily represent the official position or policies of the Department of Justice. References to specific organizations, products, or services should not be considered an endorsement of the product by the author(s) or the Department of Justice. Rather, the references are illustrations to supplement discussion of the

Office of the Director
1100 Vermont Avenue, NW
Washington,
Department of Justice
Office of Community Oriented Policing Services

Dear Colleague,

Technology systems have contributed significantly to the operational effectiveness and efficiency of law enforcement agencies of all types.

As the ability to collect, share, and use information continues to gain momentum in modern policing, technology tools that offer agencies the chance to develop this ability are ever more omnipresent. Yet, as much as we rely on technology for some of our most sensitive and necessary activities, securing that technology is often an afterthought to system deployment rather than being an integrated part of the strategic implementation process. The Law Enforcement Tech Guide for Information Technology Security: How to Assess Risk and Establish Effective Policies is intended to provide the law enforcement community with strategies, best practices, recommendations, and ideas for developing and implementing information technology security policies.

It will help you identify and assess information technology security risks within your agency and provide ideas for mitigating them. Moreover, it will encourage readers to view security policies and practices as an ongoing process of assessment, modification, and measurement. This Guide is one of the many resources that the Office of Community Oriented Policing Services (COPS) offers to law enforcement. It can be used as a stand-alone resource or used in conjunction with the original Law Enforcement Tech Guide (how to plan, purchase and manage technology (successfully!)) published by the COPS Office in 2002. That Guide and many of our other knowledge-based resources can be downloaded from , or they can be ordered free of charge by calling the COPS Office Response Center at or via e-mail at hope that you find this Guide to be both informative and helpful.

Carl R. Peed
Director

Contents

Acknowledgments
About the Authors
About the Guide
  Assumptions About You
  How this Guide Is Organized
  NIST A Logical Framework for IT Security Policy of Icons
  A Roadmap to the Guide
  IT Security Policy Development: A Cyclical Process

Chapter 1. Information Systems Security: Understanding Your Responsibility, Security Policies, and Risk
  A Responsibility to Secure Your Systems
  What Is a Security Policy?
  What Are the Risk Factors to an IT System?
  Evaluating Risk Is Key to Developing Security Policies
  How Security Policies Control Risk
Chapter 2. Organize and Charge the Security Policy Development Team
  Step 1: Get Senior Leadership to the Table
  Step 2: Identify Stakeholders
  Step 3: Assign a Project Manager
  Step 4: Create a Governance Structure with Roles and Responsibilities
  Step 5: Review Your Agency Mission and Objectives
  Step 6: Allocate Resources
  Step 7: Adopt a Methodology and Plan of Action
  Sample Security Policy Development and Implementation Scenario
Chapter 3. Phase I: Conduct a Security Self-Assessment
  The Self-Assessment Process
  Step 1: Identify the Systems, Single System, or System Part for Which You Will Develop Security Policies
  Step 2: Assemble the Appropriate Participants for the Process and Hold a Kickoff Meeting
  Step 3: Gather Organizational Data
  Step 4: Conduct the Self-Assessment
  The SEARCH IT Security Self- and Risk-Assessment Tool: Easy to Use, Visible Results
Chapter 4. Phase II: Assess Security Risks
  Why Is the Risk-Assessment Process Important?
  Conduct a Risk Assessment
  Step 1: Identify the Risk and Write a Description of It
  Step 2: Categorize and Quantify the Identified Risks
  Step 3: Determine Your Tolerance for Levels of Risk
  Make Your Risk Assessment Easier by Using the SEARCH Assessment s Next?
Chapter 5. Phase III: Develop a Risk-Mitigation Strategy
  Prioritize Your Agency's Risks
  What Are Security Controls?
  Build Your Agency's Controls in Six Steps
  Document the Controls
  Select Which Controls to Implement and Assign Responsibility
  Develop an Implementation Plan
Chapter 6. Phase IV: Measure Your Security Controls
  What Are Security Measures?
  Develop and Select Measurement Methods
  Build Your Agency's Measures in Seven Steps
Chapter 7. Formalize Your IT Security Policies
  Write an Information Security Policy in Six Steps
  Conclusion
A. Assessment Worksheets and Questions from the SEARCH IT Security Self- and Risk-Assessment Tool

