
How to Use This Document

"Understanding the threat and risk mitigation options is 90 percent of the solution in securing information systems. The Global security documents help provide that understanding."

Dr. Alan Harbitter
CTO PEC Solutions

Executives, Managers, and Policymakers

Executives and managers should use this document as a resource to secure critical justice information systems and as a resource of ideas and best practices to consider in building their agency's information infrastructure. Security should also be considered before sharing information with other agencies in order to develop compatible security policies. For example, agencies such as the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) and the National Law Enforcement Telecommunication System (NLETS) have minimal standards required before they allow access to their information systems. This document is not designed to replace or reduce those minimal standards but rather to enhance them where applicable.


"There is a strong need for information security in justice applications."

Fred Cotton
SEARCH, The National Consortium for
Justice Information and Statistics
Training Services Director

This document contains background information, overviews of best practices, and guidelines for secure information sharing. Fifteen disciplines have been identified—governance; physical security; personnel security screening; separation of duties; identification and authentication; authorization and access control; data integrity; data classification; change management; public access, privacy, and confidentiality; firewalls, virtual private networks (VPNs), and other network safeguards; intrusion detection systems; critical incident response; security auditing; and disaster recovery and business continuity—that span the important elements of an information security architecture.

This document is not intended to suggest a standard security approach, nor is it intended to provide an in-depth security solution for any particular system. It is also not intended to provide detailed technical reference for system administrators.

Many of these suggested practices are low-cost in that they require users to be educated about security practices and suggest awareness and evaluation of the security threat. Other practices require capital investment and continued maintenance to ensure their effectiveness. However, doing nothing can have unacceptable associated costs.

Justice, Courts, and Public Safety Practitioners; Information System Owners; and Security Information Officers

Justice, courts, and public safety practitioners; information system owners; and security information officers should develop a security architecture that addresses the three fundamental service areas—Confidentiality, Integrity, and Availability (see "Security Considerations" for more information)—and includes automated, procedural, and physical security safeguards. In addition to these service areas, there are three overarching security discipline objectives: Support, Prevention, and Detection and Recovery. Managers should also consider these in a layered security architecture to provide security protection across the multiple security disciplines and to establish security services that satisfy justice information technology requirements (see Security Architecture found in "Security Considerations" for more information). At a minimum, practitioners should review their overall security architecture to ensure that the fifteen security disciplines have the appropriate security practices applied.