
Security Considerations

Introduction

"Information is the best friend of prevention. The September 11 attacks demonstrate that the war on terrorism must be fought and won at all levels of government. To meet this continuing threat, law enforcement officials at all levels—federal, state, and local—must work together, coordinating information and leveraging resources in the joint effort to prevent and disrupt terrorist activity."
- U.S. Attorney General John Ashcroft

Recent world events have expanded the borders in which justice systems must operate—beyond municipality, county, or state—to the national and global levels. Operating effectively in this environment increases the need to securely share information among diverse organizations. This priority has been expressed at the highest levels of government and was well articulated by U.S. Attorney General John Ashcroft in an April 11, 2002, press release.

As a further consideration, there is an ever-increasing threat to the security of valuable law enforcement and justice information resources from cyberattacks. The incidence of detected intrusions has increased over the last decade, and cyberterrorism has become a real risk. Figure 1-1: Security Intrusion Incidents is representative of statistics collected by the Carnegie Mellon University Computer Emergency Response Team Coordination Center (CERT®/CC) and illustrates this threat (http://www.cert.org/stats/#incidents). The number of intrusions reported to the Center has increased exponentially over the last five years.

Figure 1-1: Security Intrusion Incidents

These changes in our environment increase the importance of information security in law enforcement and justice applications. System owners, managers, and users must be more aware of the technology and practices critical to safeguarding information. Security experts uniformly agree that there is no such thing as a 100 percent-secure information system. While there are many tools and practices that can dramatically reduce security risks, the technology is not at a point where anyone can guarantee that information resources will be safe from all possible threats. For this reason, system owners and managers must balance the level of risk, the value of the information, and the amount of investment in security safeguards. Striking this balance requires a firm background in the capabilities of security technology and an understanding of best practices.

Security Architecture

To achieve the goals of secure information sharing, organizations must think comprehensively about security; otherwise, they merely move the weak link around the security chain and protect their information resources ineffectively. In other words, if security is addressed by focusing on only one or two aspects of the enterprise, very strong protection is achieved only in those areas, and weaknesses remain in others. Those who seek to compromise the security of the enterprise will concentrate their efforts on these weaker areas.

Security Foundation

One way to address the complete universe of information security is to think in terms of three fundamental service areas: Confidentiality, Integrity, and Availability, as represented by the mnemonic "CIA."

  • Confidentiality—Confidentiality concerns the mechanisms that support information access policies and is designed to ensure that information is not exposed to unauthorized parties.
  • Integrity—Integrity reflects the accuracy or reliability of information products and requires processes and technology that prevent unauthorized modifications.
  • Availability—Availability is required to provide confidence that information systems will be accessible when needed—especially important in justice systems where the safety of civil servants or citizens may be at stake.

Information system owners and managers should develop a security architecture that addresses "CIA" and includes automated, procedural, and physical security safeguards.

Information system owners and managers should mandate an information security architecture. The goal of information security is to protect information from a wide range of accidental or malicious threats. The objectives are to:

  • Enable the sharing of trusted information.
  • Provide continuity in justice agencies.
  • Minimize organizational damage by protecting data and systems against destruction, modification, and disclosure.
  • Maximize opportunities for information sharing.

Figure 1-2: A Model for Security Architecture is extracted from Underlying Technical Models for Information Security (Stoneburner, 2001). This figure characterizes the services required to implement a comprehensive security architecture. It is expressed in a format similar to that used for general information system enterprise architectures. The security services identified in this figure are addressed in this document.

Related Resources

Other related resources that help support the objective of secure information sharing and, more generally, the improvement of the assurance level of information systems in this country are as follows:

  • National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) (http://csrc.nist.gov/)—The CSRC is the Web site of NIST's Computer Security Division, whose mission is to improve information systems' security by raising awareness of information technology (IT) risks, vulnerabilities, and protection requirements; researching, studying, and advising agencies of IT vulnerabilities; developing standards, metrics, tests, and validation programs; and developing guidance to increase secure IT planning, implementation, management, and operation. The site provides a wealth of background and guidance documents, including information on NIST's Automated Security Self-Evaluation Tool (ASSET).
  • CERT®/CC (http://www.cert.org)—The CERT® Coordination Center is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development organization operated by Carnegie Mellon University. The CERT®/CC focus is protecting information systems against potential problems, reacting to current problems, and predicting future problems. Their work products include handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training.
  • Integrated Justice Information Systems (IJIS) Industry Working Group (IWG) (http://www.ijis.org)—The IJIS IWG is an organization of service and product vendors that serve the local, state, and federal agencies in the area of law enforcement and criminal justice. The charter for the IJIS IWG, sanctioned by the OJP, DOJ, is to contribute to the implementation of integrated justice information systems throughout the country by applying the knowledge and experience of the IT industry. The IJIS IWG Web site contains briefing materials and documents that provide background information on security technologies and practices.
  • Center for Internet Security (CIS) (http://www.cisecurity.org/)—CIS's mission is to help organizations effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of Internet-connected systems and appliances.