Important issues to consider regarding IT network and computers?
Protecting a computer network can be a very daunting task. Here we identify some of the more important items that a police chief should consider. These issues will apply whether the chief maintains and operates her own network, or simply wants to be informed about the critical issues. For example, below we discuss the following:
• Separating the Data and Segmenting the Network
• Protecting the Network
• Educating Users and Protecting the Host
• Planning for a Cyber Incident
• Policies and Procedures
Separating the Data and Segmenting the Network
An agency must first determine the types of data that are stored on computers throughout the network before deciding the most appropriate way to protect them. Understanding which kinds of data exist on the network will also help the agency determine which employees should have access to the systems.
To separate data and segment a network, an agency should:
- Catalogue the types of information (employee records, crime information, email accounts, etc.);
- Differentiate the information according to sensitivity. One way to think about this is to ask, “What are the harmful consequences that would occur if this information were lost, corrupted, stolen, or destroyed?”
- Once identified, the data and all related applications should be segmented into different network environments, which are then protected with appropriate network and user access restrictions, including data encryption, if necessary. Segments should be separated by internal firewalls. Firewall rules and access controls will determine what information passes between segments and how staff move from one segment to another.
More information on network segmentation can be found in the Security Week article, Improving Security via Proper Network Segmentation Whenever possible, rely on security and network professionals to design and implement network segments.
Protecting the Network
The next step is hardening the network perimeter. These tasks should be performed by a licensed security management agency. This process involves:
- Minimizing the number of computers that are exposed to the public Internet.
- Building a firewall that isolates most agency computers from the Internet
- Routing staff computers access to public Internet through a proxy server
- Isolating computers that process highly sensitive information and restricting access
- Deploying a security monitoring system that monitors networks, servers and staff computers (e.g., endpoints) for suspicious events, and detects malware and cyber threats
- Scanning all computers for vulnerabilities, including malware and other more intrusive threats
- Identifying vulnerabilities, prioritizing them by severity (intrusiveness, loss of data, etc.) and patching them as quickly as possible.
For more information on vulnerability management, please see NIST Special Publication 800-40 Revision 3
Educating Users and Protecting the Host
Proper security does not stop at the network. Every computer connected to the network, should also minimize the number of applications installed. Seldom-used applications often serve as conduits into an organization’s network, so they need to be updated and patched routinely.
In addition to uninstalling or disabling unnecessary applications, employee workstations and laptops should also be equipped with anti-virus software. This will reduce the number of opportunities attackers have to use malicious software to steal information or corrupt data. This software is available from many reputable security agencies.
But of course, many data security incidents are caused by tricking employees into opening corrupted email attachments or providing confidential information through phishing messages. It is therefore critical to communicate the harms that can occur via email attacks. Anti-virus software can detect and prevent harmful outcomes in many cases, but they are not fool-proof.
Effective information security awareness training that discusses threats and safe computing practices is essential. Only an effective monitoring capability that can detect and respond to malware introduced through phishing provides the degree of protection most organizations require. Learn more about email attacks.
It is critical to backup any important information. The easiest way to accomplish this task is to copy all relevant data to an external hard drive, network file server, or dedicated backup server. These drives are easy to use and serve to restore information if it becomes lost, corrupted, or stolen. The protocols for backing up data should be part of a disaster recovery or business continuity plan and be appropriately secured against unauthorized access.
Precautions also must be taken when employees work remotely. Employees who access agency servers from a remote location may be doing so from an unsecure network. Additional security measures, such as two factor authentication and encryption, should be used to provide added security. Departments may also want to consider only granting remote access to specific users (for example, command staff) and/or to specific computers or networks.
Planning Ahead for a Cyber Incident
Always be prepared for a cyber attack by developing a Cyber Incident Response Plan (CIRP). The CIRP should establish procedures to help reduce the impact of a cyber attack and prepare to recover after an attack. It should be formalized in writing and include the following components:
- Detail the roles, responsibilities of each stakeholder, clearly identify those who are in charge
- Define lines of communication, both internally and externally (e.g., fusion centers, US-CERT, other state or federal agencies)
- Develop a staffing plan. You may need to bring in addition incident response expertise from outside vendors depending on the severity of the incident
- Determine reporting requirements to federal agencies. This may include reporting requirements if sensitive data is lost or released to the public
- Define and prioritize the severity of an attack
- Define the procedures for containing and investigating the event, as well as returning IT systems to their fully operational state
- If necessary, restore data from the backup file
- Test or practice the plan annually, including a post-incident activity.
More information on incident response plans can be found with the Incident Handling Guide (PDF) from the National Institute of Standards and Technology. Complete information on contingency planning for system recovery can be found in the NIST publication Contingency Planning Guide for Federal Information Systems (PDF).
Policies and Procedures
Developing and implementing strong policies and procedures is essential to mitigating many of the risks outlined above, and to ensuring information systems security. Policies and procedures should address:
Access and Use
- What constitutes authorized access/use of data (including digital evidence)?
- Who will be authorized to access/use different types of data?
- Who will be authorized to approve access/use of data?
- What records/logs will be kept to identify who accessed data, when it was accessed, and how it was used?
- Clearly specify that all data generated, received, collected, and/or stored is the sole property of your agency, regardless of where it is stored.
- Even data and evidence stored on off-site servers (such as cloud-based systems or other external servers) must be included.
- Ensure that your agency has the ability to audit the physical location where any hardware hosting your data is located.
- Specify what type of information can be shared with other agencies and under what circumstances.
- Who can authorize sharing information and how will that authorization be provided?
- How will information that is shared with other agencies be tracked/logged?
- What type of physical security (restricted access rooms) and digital security (encryption or password) will be placed on agency data, information, and evidence?
- How will your agency protect electronic devices (including mobile devices)?
- Work with your IT provider to ensure that the appropriate firewall, anti-virus program, and security settings are placed on all agency devices.
- Require training for all employees (sworn and civilian) about the importance of abiding by all department policies related to information systems security, device use, and Internet browsing.
- Establish procedures for enforcement if employees are suspected of being, or have been found to be, non-compliant.