Network Security Network Security Network Security Network Security Network Security Network Security Network Security Network Security Network Security Computer Security Computer Security Computer Security Computer Security

Comprehensive Planning, Security and Threat Assessment

Many organizations have resisted investing in solutions because of the persistent
and exaggerated belief hackers and intruders will immediately attack them.
However, new business models, new IT applications and the decreasing cost of
technology are driving justice agencies to adopt e-business applications. How then,
can the justice agency plan for adequate information security?

Dealing with challenges don't panic. This is good advice for IT security planning, too.
Despite increased exposure to intruders, the experience and tools to build effective
defenses are already available and constantly improving. With effective, advance
planning, it is possible to respond rapidly and appropriately to security threats.

Overall, IT planning must be comprehensive, flowing directly from an organization's
operational plans. In addition, an effective plan must describe the business
requirements that map to operational goals. There are many ways to meet IT
requirements, and substantial cost differences, but there should always be a clear
justification for every dollar spent, and security must be built in to the IT infrastructure
from the beginning.

Federal Strategies For Planning IT Security

Data in an IT system is at risk from various sources – user errors and malicious or
nonmalicious hacking. Establishing an effective set of security policies and
procedures to reduce risk requires the use of comprehensive, best-practice strategies.

Keep your security – and your applications – simple
As with any information system, when a security solution is too complicated, users will
avoid or circumvent it, thus defeating its purpose. If users are unwilling to abide by an
overly complicated security system, its usefulness is drastically reduced. Additionally,
when application systems are made needlessly complex, regardless of how tightly
integrated they are, they offer multiple points of access and require extensive security
administration and support – ultimately translating into higher costs.

Develop policies, procedures and penalties in advance
By planning ahead and developing effective policies, procedures and penalties –
you can help keep your applications and information secure. To
avoid unnecessary obstacles, these should be enforced consistently.

Provide training on the use of the system.
Reinforce training by reviewing and publishing relevant news items, like attacks or
system abuses. Keeping personnel properly informed and providing regular reminders
can increase their retention rates and improve their understanding of critical security

Use available security products rather than those developed in-house
Available products based on open standards have been tested and proven, and have
customer references from which knowledge can be gained. Even if products are new,
the methodologies used in testing can be evaluated and the results reviewed. Most
importantly, industry-standard products are typically well documented for users and for
IT technical staff.

Compartmentalize information, assets and users
Information assets require protection proportional to their value. Confidential
informant files, intelligence reports and witness information must be carefully
safeguarded, while public or easily replaced information does not require elaborate
security. Accurately assessing data can help determine the most appropriate type of
security system.

Inventory management. IT assets (e.g., personal computers, servers, hubs) and
supplies (e.g., software, diskettes) must be appropriately inventoried and secured.
Organizations often take delivery of large amounts of hardware and software without
verifying the orders, ensuring that items are configured correctly and work properly, or
entering items into an asset control database. When items are lost or fail to perform
properly, there are no records to substantiate the loss to prove that the system is not
performing as required.

Configuration control. Before any equipment is distributed to users, the configuration
of every piece of hardware should be predetermined and all software properly
registered. This information must be added to the inventory management system so
that the inventory contains detailed descriptions of every system's components,
hardware, software and location.

Problem reporting. This information is invaluable in tracking and protecting assets,
identifying security breaches and conducting effective investigations when problems
are detected. Industry-standard software can check configurations and automatically
report problems to security administrators. This software can also maintain a log of
system changes, upgrades or maintenance. Finally, locking mechanisms for
workstations can reduce theft or tampering.

Supply and asset management. Supplies and assets should be treated according to
their cost or importance, yet often this area is neglected. For example, organizations
lock up inexpensive supplies while mission-critical assets are left unprotected.

User control. People should only have access to applications and information required
to perform their job function. Even if approved for access to a restricted file, a user can
be limited to viewing it from a certain workstation at a specific time. Organizations
should also control who can create accounts or add users to the system, and audit the
system frequently for dummy IDs or accounts.

System documentation. One of the most frequently overlooked security threats relates
to system documentation, which can often be found in open, unsecured offices. While
it may seem convenient and less expensive to prepare and publish standard
documentation, it can be dangerous to system security. Widely distributed end-user
manuals often contain large amounts of technical information that is highly valuable
to a hacker. Someone equipped with detailed systems information can assail with
surgical accuracy instead of resorting to more easily detectable methods. Publishing
documentation on a network instead of in print can greatly reduce the security threat,
while reducing costs and simplifying updates.

Realistic security administration objectives
No organization can set up or administer a completely impenetrable IT security
program. Therefore, an organization must balance between desired and realistic
goals. In-house staff can be utilized based on an assessment of what they can
accomplish, while additional resources may be outsourced. There are many resources
available to meet security needs that can be obtained from private companies at
competitive costs. There is also value in resourcing – the symbiotic relationship
between criminal justice agencies and members of the community. Sharing
resources, pooling assets for joint acquisitions, donated services from universities or
from the community are all potential ways to close gaps in a security plan.

Test, audit, inspect and investigate sites continuously and randomly
Regular updates to background investigations, use of voice stress analyzers,
interviews and tip programs can help keep system security under control. In addition,
organizations should implement methods for reviewing and testing code to protect
against back doors into systems. Other approaches include:

Using automated auditing and monitoring programs

Publicizing threats and responses to them

Taking swift, consistent and appropriate action when violations are detected

Using programs that check for file changes

Advising employees that disciplinary actions will be taken in IT security cases.

The dramatic increase in the use of IT has exposed organizations to attacks on their
information systems, assets and databases. Contrary to popular belief, the real threat
rarely comes from outside sources, such as hackers. Unfortunately, protecting against
this misperceived threat is expensive and ignores the real danger of intentional or
accidental security breaches from internal, trusted sources.

However, with proper attention given to planning and implementing IT security, law
enforcement and criminal justice organizations can prevent the vast majority of
system penetrations. Planning based on a realistic assessment of security needs and
threats, followed by implementation of a well-developed security, can provide effective
and comprehensive protection against the majority of network security threats.


Network SecurityNetwork SecurityNetwork SecurityNetwork SecurityNetwork SecurityNetwork Security

Computer network security professionals, network security solutions.

2009 All rights reserved
Payson Technology Group, LLC Study Report Computer Network Security