
Draft
Applying Security Practices to
Justice Information Sharing

 

Prepared by:
Global Justice Information Sharing Initiative
Security Working Group

March 17, 2003

Foreword

Modern justice agencies rely heavily upon their information technology resources to perform critical tasks and to provide emergency services to the public. Increasingly, justice agencies share information across wide area networks and the global Internet. The sensitivity of this information and its related systems infrastructure make it a particularly vulnerable target. The core components of these information technology resources are so critical that disabling any single resource could potentially incapacitate the mutually dependent and interconnected systems. Disruption or intentional corruption of justice information systems can have a dramatic impact upon our organizations and the society we serve. It must be recognized that justice information technology systems are a vital part of the nation's critical infrastructure, and as such, the information technology infrastructure requires a comprehensive security architecture. Protecting this critical resource is not just a matter of operational good sense; it is increasingly a matter of national security and public safety.

Security should be a core foundation of any information system and is best implemented during the design of any given system. Security can and should be successfully added to existing systems as well. Security cannot be ignored.

This document is intended to introduce justice executives and managers to good, basic security practices that they can deploy within their enterprise and between multiple enterprises. Executives and managers should use this document as a resource to secure critical justice information systems, and as a resource of ideas and best practices to consider in building their agency's information infrastructure. Security should also be considered before sharing information with other agencies. Agencies such as Criminal Justice Information Services (CJIS) and the National Law Enforcement Telecommunication System (NLETS) have minimum standards required before they allow access to their information systems. This document is not designed to replace or reduce those minimum standards but rather to enhance them where applicable.

This document is not intended to suggest a standard security approach, nor is it intended to provide an in-depth security solution for any particular system. It is also not intended to provide detailed technical reference for system administrators.

Many of these suggested practices are low cost in that they require users to be educated about security practices and suggest awareness and evaluation of the security threat. Other practices require capital investment and continued maintenance to ensure their effectiveness. However, doing nothing can have unacceptable associated costs.

Introduction

There is a Strong Need for Information Security in Justice Applications

Recent world events have expanded the borders in which justice systems must operate, beyond the municipality, county, or state, to the national and global levels. Operating effectively in this environment increases the need to securely share information among diverse organizations. Further, securely sharing justice information along the vertical (i.e., city, county, tribal, state, and national) and horizontal (i.e., first responder, investigator, court, and corrections) cross sections of the justice community is now a national priority. This priority has been expressed at the highest levels of government and was well articulated by U.S. Attorney General John Ashcroft in an April 11, 2002, press release:

"Information is the best friend of prevention. The September 11 attacks demonstrate that the war on terrorism must be fought and won at all levels of government. To meet this continuing threat, law enforcement officials at all levels (federal, state, and local) must work together, coordinating information, and leveraging resources in the joint effort to prevent and disrupt terrorist activity."

As a further complication, there is an ever-increasing threat to the security of valuable law enforcement and justice information resources from cyber attack. The incidence of detected intrusions has increased over the last decade, and cyber terrorism has become a real threat. Figure 1, shown on the following page, which is based on statistics collected by the Carnegie Mellon University Computer Emergency Response Team Coordination Center (CERT®/CC), provides an illustration of this threat. The number of intrusions reported to the Center has increased exponentially over the last five years.

[Figure 1: Intrusions reported to CERT®/CC over the last five years (chart not reproduced)]

These changes in our environment increase the importance of information security in law enforcement and justice applications. System owners, managers, and users must be more aware of the technology and practices critical to safeguarding information. Security experts uniformly agree that there is no such thing as a 100 percent secure information system. While there are many tools and practices that can dramatically reduce security risks, the technology is not at a point where anyone can guarantee that information resources will be safe from all possible threats. For this reason, system owners and managers must balance the level of risk, the value of the information, and the amount of investment in security safeguards. Striking this balance requires background in the capabilities of security technology and an understanding of best practices.

The purpose of this document is to educate the reader and to provide guidelines for applying security technology and practices. The long-term goal is to enable an environment of electronic trust among law enforcement and justice organizations. Electronic trust will be engendered if each organization can be assured that all parties with access to shared information follow certain minimum practices to safeguard that information. An environment of electronic trust is a minimum requirement for us to begin to fulfill the national priority of sharing information and improving the safety of the country.

The charter of the Global Justice Information Sharing Initiative (Global) is to promote the sharing of information to improve the effectiveness of law enforcement and justice organizations throughout the nation.

Global was formed in support of a fundamental belief: the ability to share justice data will result in safer communities because a crucial, driving currency, information, will be quickly and accurately available to all those protecting our nation's citizens. Named to connote a consortium of key stakeholders and constituencies rather than a physical computer network, Global advises the federal government, specifically through the U.S. Attorney General, on justice information sharing and integration. Through counsel on related activities and initiatives, the goal of Global is to facilitate standards-based electronic information exchange throughout the justice community. This last part is fundamental, because public safety is best secured when all players (from patrol officers to prosecutors, from court officials to corrections personnel) have access to timely and accurate information. Global is further organized into working groups composed of committee members and subject-matter experts. The Global Security Working Group focuses on establishing the guidelines and best practices needed to share information in a secure manner.

There are other related initiatives that help support the objective of secure information sharing and more generally, improving the assurance level of information systems in this country. They are:

• National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) (<http://csrc.nist.gov/>): The CSRC is the Web site of NIST's Computer Security Division, whose mission is to improve information systems security by raising awareness of Information Technology (IT) risks, vulnerabilities, and protection requirements; researching, studying, and advising agencies of IT vulnerabilities; developing standards, metrics, tests, and validation programs; and developing guidance to increase secure IT planning, implementation, management, and operation. The site provides a wealth of background and guidance documents, including information on NIST's Automated Security Self Assessment Tool (ASSET).

• CERT®/CC (<http://www.cert.org>): The CERT® Coordination Center is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development organization operated by Carnegie Mellon University. The CERT®/CC focus is protecting information systems against potential problems, reacting to current problems, and predicting future problems. Their work products include handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training.

• Integrated Justice Information Systems (IJIS) Industry Working Group (IWG) (<http://www.ijis.org>): The IJIS IWG is an organization of service and product vendors that serve the local, state, and federal agencies in the area of law enforcement and criminal justice. The charter for the IJIS IWG, sanctioned by the U.S. Department of Justice, Office of Justice Programs, is to contribute to the implementation of integrated justice information systems throughout the country by applying the knowledge and experience of the IT industry. The IJIS IWG Web site contains briefing materials and documents that provide background information on security technologies and practices.

• Center for Internet Security (CIS) (<http://www.cisecurity.org/>): CIS's mission is to help organizations effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of Internet-connected systems and appliances.

Information System Owners and Managers Should Mandate an Information Security Architecture

The goal of information security is to protect information from a wide range of accidental or malicious threats. The objective is to:

• Enable the sharing of trusted information;

• Provide continuity in justice agencies;

• Minimize organizational damage by protecting data and systems against destruction, modification, and disclosure; and

• Maximize opportunities for information sharing.

In order to achieve the goals of secure information sharing, we must think comprehensively about security; otherwise, we end up merely moving around the weak link in the security chain and do not effectively protect information resources. In other words, if security is addressed by focusing on only one or two aspects of the enterprise, very strong protection is achieved only in those areas and weaknesses are found in others. Those that seek to compromise the security of the enterprise will concentrate their efforts on the weaker areas.

One way to address the complete universe of information security is to think in terms of three fundamental service areas: Confidentiality, Integrity, and Availability, as represented by the mnemonic: "CIA."

• Confidentiality: Confidentiality concerns the mechanisms that support information access policies and are designed to ensure that information is not exposed to unauthorized parties.

• Integrity: Integrity reflects the accuracy of information products and requires processes and technology that prevent unauthorized parties from inappropriately modifying information.

• Availability: Availability is required to provide confidence that information systems will be accessible when needed, which is especially important in justice systems where the safety of civil servants or citizens may be at stake.

Information system owners and managers should develop a security architecture that addresses "CIA" and includes automated, procedural, and physical security safeguards.

In addition, managers should consider a layered security architecture to provide security protection across the multiple security domains and to establish security services that satisfy justice information technology requirements. The three overarching objectives are support, prevention, and detection and recovery.

This document covers the following security domains for each objective.

Supporting Services - These services are generic and underlie most information technology capabilities. Please reference the following security domains for further reference material.

• Governance

• Physical Security

• Personnel Security Screening

• Separation of Duties

• Identification and Authentication

Prevention

• Identification and Authentication

• Authorization and Access Control

• Data Integrity

• Data Classification

• Change Management

• Privacy and Confidentiality

• Firewalls, VPNs, and Other Network Safeguards

Detection and Recovery

• Data Integrity

• Intrusion Detection Systems

• Critical Incident Response

• Security Auditing

• Disaster Recovery and Business Continuity

Figure 2 is extracted from Underlying Technical Models for Information Security. This figure characterizes the services required to implement a comprehensive security architecture. It is expressed in a format similar to that used for general information system enterprise architectures. The security services identified in this figure are addressed in this document. The terminology used in Figure 2 is defined below; it is extracted from the NIST document. A listing of the NIST architecture and the topics addressed in this document are on the following pages.

[Figure 2: NIST security services architecture from Underlying Technical Models for Information Security (figure not reproduced)]

Definitions for the NIST Architecture Terms

Prevention

Protected Communications

In a distributed system, the ability to accomplish security objectives is highly dependent on trustworthy communications. Protected communications ensures the integrity, availability, and confidentiality of information while in transit. Reference Chapters 7, 10, and 11.

Authentication

Ensuring that a claimed identity is valid is extremely important. The authentication service provides the means to verify the identity of a subject. Reference Chapter 5.

Authorization

The authorization service enables specification and subsequent management of the allowed actions for a given system. Reference Chapter 6.

Access Control Enforcement

When the subject requesting access has been validated for access to particular processes, enforcing the defined security policy is still necessary. The access control enforcement service provides this enforcement, and frequently the enforcement mechanisms are distributed throughout the system. It is not only the correctness of the access control decision, but also the strength of the access control enforcement that determines the level of security obtained. Checking identity and requested access against access control lists is a common access control enforcement mechanism. File encryption is another example of an access control enforcement mechanism. Reference Chapter 6.

Non-repudiation

System accountability depends upon the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Non-repudiation is a service that spans prevention and detection. This service has been placed into the prevention category because the mechanisms implemented prevent the ability to successfully repudiate an action. As a result, this service is typically performed at the point of transmission or reception. Reference Chapter 7.

Transaction Privacy

Both government and private systems are increasingly required to maintain the privacy of individuals using these systems. The transaction privacy service protects against loss of privacy with respect to transactions being performed by an individual. Reference Chapter 10.

Detection and Recovery

Audit

The auditing of security relevant events is a key element for after-the-fact detection of and recovery from security breaches. Reference Chapter 14.

Intrusion Detection and Containment

Detecting insecure situations is essential in order to respond in a timely manner. Also, detecting a security breach is of little use if no effective response can be initiated. The intrusion detection and containment service provides these two capabilities. Reference Chapter 12.

Proof of Wholeness

In order to determine that integrity has been compromised, the ability must exist to detect when information or system state is potentially corrupted. The proof of wholeness service provides this ability. Reference Chapter 7.

Restore "Secure" State

When a security breach occurs, the system must be able to return to a state that is known to be secure. That is the purpose for this service. Reference Chapter 7.

Supporting Services

Identification (and Naming)

In order to implement many of the other services, it is essential that both subjects and objects be identifiable. This service provides the capability to uniquely identify users, processes, and information resources. Reference Chapter 5.

Cryptographic Key Management

Cryptographic keys must be securely managed when cryptographic functions are implemented in various other services.

Security Administration

The security features of the system need to be administered in order to meet the needs of a specific installation and to account for changes in the operational environment.

System Protections

Underlying the various security functional capabilities is a base of confidence in the technical implementation. This represents the quality of the implementation from both the perspective of the design processes used and the manner in which the implementation was accomplished. Some examples of system protections are: residual information protection (also known as object reuse), least privilege, process separation, modularity, layering, and minimization of what needs to be trusted. Reference Chapters 2, 3, and 4.

How to Use this Document

This document contains background information, overviews of best practices, and guidelines for secure information sharing. We have identified 15 disciplines that span the important elements of an information security architecture: governance; physical security; personnel security screening; separation of duties; identification and authentication; authorization and access control; data integrity; data classification; change management; privacy and confidentiality; firewalls, VPNs, and other network safeguards; intrusion detection systems; critical incident response; security auditing; and disaster recovery and business continuity. The previous pages provided a quick overview of each of the disciplines. Chapters 1 through 15 of the document address each discipline. In the next volume, we will identify common models for justice information sharing and describe how to apply the security practices of each discipline to the models.

In the chapters of this document that describe the disciplines, we adopted some of the terminology developed for the National Association of State Chief Information Officers (NASCIO) architecture Tool-kit as a convenient, standardized way to overview the security services and technologies. In general, each chapter includes the following subheadings:

• Description and Purpose: provides a summary of the discipline and the role it plays in securing information.

• Principles: identifies the qualities that should be in place in an organization that responsibly and securely manages justice information.

• Policies: contains guidance and, when applicable, references to sample policies in order to assist organizations in establishing good internal policies for securing information.

• Best Practices: includes tutorials and overviews of the best ways to apply the tools, technologies, and processes within each discipline.

• References: provides references to assist justice organizations in designing their security practices to meet well-established industry standards.

The overall objective of this document is to provide the reader with an easily understood overview of best practices and the technology available for securely sharing information among law enforcement and justice organizations.

 

Table 1. The Information Security Disciplines Covered in this Document

Information Security Discipline - Definition and Relevance

Governance - Identifies the practices applied to establish, manage, and enforce information security policy.

Physical Security - Protects against compromises in security that may arise from facility and environmental vulnerabilities.

Personnel Security Screening - Includes the processes applied to determine if personnel warrant the level of trust required to access sensitive justice information and systems.

Separation of Duties - Requires the segregation of administrative, development, security, and user functions to provide security checks and balances.

Identification and Authentication - Ensures those wishing to gain access to information resources are who they represent themselves to be. Typical methods include passwords, smart cards, and biometrics.

Authorization and Access Control - Determines what permissions and access authorization an information system user holds.

Data Integrity - Safeguards information content and protects against inadvertent or intentional information modification or loss.

Data Classification - Provides guidelines to label information by its level of sensitivity and appropriate treatment.

Change Management - Recommends procedures so that system configurations are controlled and understood, reducing the risk of security compromise.

Privacy and Confidentiality - Outlines tools and procedures to protect the privacy of individuals and information in light of the increased accessibility offered by networked information systems.

Firewalls, VPNs, and Other Network Safeguards - Identifies the tools employed to establish a cyber wall between private and public information in a justice organization.

Intrusion Detection Systems - Monitors computing and communications facilities for evidence of inappropriate access or use.

Critical Incident Response - Determines whether or not an incident has occurred, and develops controls to handle and minimize disruption of service.

Security Auditing - Examines and verifies that organizational practices meet security policies and applicable regulations.

Disaster Recovery and Business Continuity - Establishes and documents the procedures to follow in the event of a disaster so that operations that depend on the accuracy and availability of information can continue and be restored.

Governance

Description

In many of the other security disciplines, there is a clear and common understanding of the functions involved. Governance is a high-level activity, and may be difficult to describe in a succinct way. For an individual organization, it deals with the activities required to assess risk, set direction, and monitor the application of security tools with the objective of creating a secure operating environment. Additionally, it deals with specialized needs brought about by justice information sharing and considers the composition, placement, and operating procedures of governing groups established to promote sharing of information.

Purpose

Security management encompasses a number of functions, as outlined in this document. Governance recognizes that these functions need oversight and control at a high level to assure that each is addressed appropriately. Only in this way can the benefits of a comprehensive security program be gained. Further, information sharing and joint operations are becoming increasingly important for criminal justice organizations. That implies the need for governance structures that cross individual agencies. Consequently, governance issues deserve prominent consideration.

Principles

• Governance involves both technologists and operational management.

• At the governance level, risk assessment deals with risk to the operation, its continued viability, and to the critical data it maintains.

• IT management staff has the responsibility to manage security to the best standard for a given level of risk; the governance group establishes that level of risk, and is accountable for setting that level appropriately.

• Governance structures for information sharing should be representative of the stakeholders.

• Governance strives for repeatable results with continual improvement.

Best Practices

Use the governance body to tie senior management into the security awareness process, and have a formal process or tool that relates operational risks to investments for each major security expenditure.

References

• Institute of Internal Auditors, Information Security Governance: What Directors Need to Know, http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap2&doc_id=2945

• International Federation of Accountants, Information Security Governance: Guidance for Boards of Directors and Executive Management, http://www.ifac.org/

• Information Systems Audit and Control Association, Information Security Governance, http://www.isaca.org/cismcont1.htm

• IT Infrastructure Library (ITIL): Provides IT governance models

• Control Objectives for Information and Related Technology (COBIT)

 

Physical Security

Description

Computer systems and networks are vulnerable to physical attack; therefore, procedures should be implemented to ensure that systems and networks are physically secure. Physical access to a system or network provides the opportunity for an intruder to damage, steal, or corrupt computer equipment, software, and information. When computer systems are networked with other departments or agencies for the purpose of sharing information, it is critical that each party to the network take appropriate measures to ensure that their system will not be physically breached, thereby compromising the entire network. Physical security procedures may be the least expensive to implement, but can also be the most costly if not implemented, because the most expensive and sophisticated computer protection software can be overcome if an intruder obtains physical access to the network.

Purpose

The physical security chapter identifies potential physical threats to facilities, hardware, software, and sensitive information. This chapter also recommends best practices to secure computer systems from physical intrusion.

Principles

• Identify potential physical threats to departmental computer systems and networks,

• Establish policies and procedures to thwart potential physical threats, and

• Conduct random audits to monitor employee compliance with department policies and procedures.

Policies

An organization should consider including the following physical security policies into their organization's overall security policy:

• Identify unauthorized hardware attached to the department computer system: make routine checks of system hardware for unauthorized hardware.

• Limit installation of hardware and software owned by employees on department desktop workstations.

• Identify, tag, and inventory all computer system hardware.

    ◦ Conduct regular inspections and inventories of system hardware.

    ◦ Conduct unscheduled inspections and inventories of system hardware.

• Implement policies that instruct employees how to react to intruders and how to respond to incidents where an intrusion has been detected.

Best Practices

Threats

Theft

Theft of hardware, software, or data can be expensive due to the necessity to restore lost data and the cost of replacing equipment and software. Theft also erodes confidence in the department, since the loss may have compromised the network.

Vandalism

Vandalism in most cases is not directed at compromising a system or network, so much as it is the senseless destruction of property. Both external perpetrators and internal perpetrators may pose a vandalism threat. Low morale in an organization may be the underlying reason for vandalism caused by internal perpetrators. The actual threat to a network posed by vandalism is difficult to assess, because vandalism is generally not motivated by a conscious effort to compromise a network. Like theft, vandalism can be expensive due to the necessity to replace damaged equipment and software.

Manipulation/Destruction of IT Equipment or Accessories

External and internal intruders may attempt to manipulate or destroy IT equipment, accessories, documents, and software. The potential of damage caused by an intruder's manipulation increases the longer they remain undetected, thereby increasing their knowledge of the system and their ability to wreak havoc on a network. The threats may include unauthorized access to sensitive data and outright destruction of data media or IT systems.

Threat Posed by Internal Staff

Internal staff may attempt to modify privileges or access unauthorized information, either for their own purposes or for others. This may result in system crashes or breaches in other areas of the network opened up through configuration errors. Disabling of alarm systems can pose a serious threat as well.

 

Threat Posed by External Staff During Maintenance Work

Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same background checks as a department's full-time employees, but they may be granted the same high level of access to the system and network. Contractors and consultants will sometimes know the applications and operating systems running on the network better than department employees. Temporary employees should be closely scrutinized until a level of trust can be established. Question consulting firms and contract agencies about their hiring policies and standards. Threats may also arise from cleaning staff, for example by tampering with a system, stealing system components, accidentally detaching a plug-in connection, letting water seep into equipment, or mislaying documents or discarding them as trash.

Masquerade

Masquerading or impersonation can occur when an intruder obtains a false identity by obtaining a user ID and password. Someone may be misled about the identity of the party being communicated with for the purpose of obtaining sensitive information. An intruder can also use masquerading to connect to an existing connection without having to authenticate himself, as this step has already been taken by the original participants in the communication.

Social Engineering

Social engineering is used by intruders to access sensitive information. Intruders act like department staff and use keywords during conversations to obtain information. "Sounding" can be performed by telephone where intruders pose as staff as in the following examples:

• A staff member who must urgently complete an assignment but has forgotten their password,

• An administrator who is attempting to correct a system error and needs a user password, or

• A telephone technician requesting information such as a subscriber number or modem configurations and settings.

Physical Security Measures

Identify Unauthorized Hardware Attached to Your System

Establish policies to limit employees from attaching unauthorized hardware to the office system. Unauthorized hardware includes computers, modems, terminals, printers, and disk or tape drives. The policies should also restrict software that employees may load onto the office system. Finally, implement policies regarding opening unidentified e-mail attachments and downloads off the Internet.

Perform monthly audits of all systems and peripherals attached to the network infrastructure. Make random inspections of equipment to search for unauthorized hardware attached to the network. Identify missing or misplaced hardware, and identify any unauthorized hardware attached to the network.

Inspect computers and networks for signs of unauthorized access. Search for intrusion or tampering with CD-ROMs, tapes, disks, paper, and system components that are subject to physical compromise by damage, theft, or corruption.

Protection Against Break-in

Intruders choose targets by weighing the risk and effort against the expected reward. Therefore, all measures implemented to prevent break-ins should be designed to increase the risk to potential intruders. The possible measures for protection against break-ins should be adapted to each specific situation. Protect doors or windows by adding security shutters. Add additional locks or security bars. Add additional lighting inside and outside the building. Seek advice from police and security professionals. When planning physical security measures, care must be taken to ensure that provisions relating to fire and personal protection (e.g., regarding the serviceability of escape routes) are not violated. Staff must be informed about the anti-burglary measures that are to be observed.

Entry Regulations and Controls

A fundamental but frequently overlooked aspect of sound internal security is the physical restriction placed on access to systems and networks. Good physical security is a necessary complement to whatever office building security your organization may already have in place. Know who is entering department offices at all times, and make sure that your secure computing areas are locked and that access to them is restricted. Network security measures can be rendered useless if an intruder can bluff their way past the entrance security, walk into your computer room, and take diskettes, tapes, or servers.

Strangers, visitors, craftsmen, maintenance, and cleaning staff should be supervised. Should the need arise to leave a stranger alone in an office, the occupant of that office should ask another staff member to supervise or request the visitor to wait outside the office. If it is not possible to accompany outsiders, the minimum requirement should be to secure the personal work area: desk, cabinet, and PC. The requirement for this measure must be explained to the staff and should be made part of department policy.

Control entry into buildings and rooms housing sensitive equipment. Security measures may range from issuance of keys to high-tech identification systems. When implementing policies for entry regulation, consider the following:

- The area subject to security regulations should be clearly defined.

- The number of persons with access should be reduced to a minimum.

- These persons should be mutually aware of others with access authority in order to be able to recognize unauthorized persons.

- Any other persons (visitors) should only be allowed to enter after their need to do so has been verified.

- The permissions granted must be documented.

- Limit access by locked rooms/entrances, physical zones, and identification badges.

- Keep a record of accesses.

- Add challenge protocols.

- Be aware of tailgating.

Entrance Security Staff

Establishment of an entrance control service has far-reaching positive effects against a number of threats. However, this presupposes that some fundamental principles are observed in the performance of entrance control. Entrance security must observe and/or monitor all movements of persons at the entrance. Unknown persons must prove their identity to the entrance security staff. Before allowing a visitor to enter, check with the person to be visited. A visitor must be escorted to the person to be visited or met by the latter at the entrance. Security staff must know the office employees. In case of termination of employment, security staff must be informed of the date from which this member of staff is to be denied access. A visitor log should be kept to document access. Consider issuance of visitor's passes. The job duties of security staff should be designed to specifically identify their tasks in support of other protective measures, such as building security after business hours, activation of the alarm system, and checking of outside doors and windows.

Alarm System

An alarm system consists of a number of local alarm devices that communicate with a control center, through which the alarm is triggered. If an alarm system covering break-ins, fire, water, and gas is installed and can be expanded at reasonable cost, it should be considered whether, as a minimum, the IT core areas (such as server rooms, data media archives, technical infrastructure rooms, etc.) could be included in the surveillance provided by this system. This will enable threats such as fire, burglary, or theft to be detected in good time so that countermeasures can be taken. To ensure that this is the case, it is imperative that the alarms are sent on to an office that is permanently staffed. It is important that this office has the expertise, equipment, and personnel required to respond to the alarm. The guidelines of the organization concerned for connection to the respective networks should be considered here.

An alarm system is a complex entity that has to be planned and installed taking into account the building and the risk. Planning, installation, and maintenance of an alarm system should therefore be carried out by experts. If such experts are not available within the organization, external support should be obtained. The alarms can be networked in different ways. Depending on the nature and size of the areas requiring protection and the guidelines in force, suitable systems must be chosen and installed. When planning or expanding an alarm system, care must be taken to ensure that cable routes are sufficiently sized to permit networking, and as few changes as possible should be made to the routing. To maintain the protective effect of the alarm system, it should be serviced and tested on a regular basis. If there is no alarm system or the existing system cannot be used, local detection devices should be considered as a minimum. These work on a completely independent basis without being connected to any central facility. The alarm is given on site or else it is passed to a different location by means of a simple two-wire line.

Installation of an alarm system should be mandatory for a computer center. If there is no central alarm system, local alarm devices should be installed in these rooms. Where local alarm devices are used for early detection, steps should be taken to ensure that an alarm can also be heard outside the rooms concerned. Signaling can be effected by various routes and should be passed to an office that is staffed around the clock.

Develop procedures for detection of dangers, dissemination of information, and sounding the alarm, which should be modified when changes in usage occur. Alarm systems should be serviced and tested regularly. Notify staff of the procedure to be implemented when alarms are triggered.

Secure Windows and Doors

Windows and outward-leading doors (e.g., to balconies and patios) should be closed and locked whenever a room is unoccupied. During regular working hours, a brief and definite absence of staff need not trigger this requirement for ordinary offices. Issue instructions to close windows and outside doors. Make regular checks to see that windows and doors are closed by occupants after leaving the rooms.

The doors of unoccupied rooms should be locked. This will prevent unauthorized persons from obtaining access to documents and IT equipment. It is particularly important to lock individual offices where these are located in areas accessible by the public or where access cannot be controlled by any other means.

In an open office, where cubicles dominate and it is not possible to lock individual offices, employees should lock away their documents in their desks and a secure desktop workstation policy should be implemented (additional information on formulating this policy can be found later in this chapter).

Instruct staff to lock their offices when they leave. Make random checks to determine whether offices are locked when their occupants leave.

Unauthorized Admission to Rooms Requiring Protection

If unauthorized persons enter protected rooms, damage may be caused by intentional and unintentional acts. After an unauthorized intrusion, office routines may be disrupted in order to search for damage, theft, and unauthorized and missing hardware/software. Intentional or unintentional damage to systems may be caused by temporary help, who are employed to substitute for cleaning staff. Temporary help may accidentally clean workstations and sensitive equipment with solutions or methods damaging to hardware.

Do Not Identify Secure Rooms

Secure rooms such as the server room, computer center, data media archives, and air conditioning unit should not be identified on office locator boards or by name plates affixed to the room door. If sensitive areas are identified, a potential intruder can prepare more specifically and thus with a greater chance of success.

Locate Secure Rooms in Unexposed Areas of Buildings

Avoid locating secure rooms in areas exposed to view or potential danger. Avoid locating secure rooms on the first floor of buildings that are open to view by passersby or that are exposed to attack and vandalism. First floor rooms are more likely to be easily observed or exposed to breaking and entering. Rooms or areas requiring protection should be located in the center of a building rather than in its outer parts.

Inspection Rounds

The effectiveness of any measure will always be commensurate with the enforcement of that measure. Inspection rounds offer the simplest means of monitoring the implementation of measures and the observance of requirements and instructions.

Inspection rounds should not be aimed at the detection of offenders for the purpose of punishing them. Rather, controls should be aimed primarily at remedying perceived negligence at the earliest possible moment, such as closing windows, taking documents into custody, etc. As a secondary objective, security breaches can be identified and possibly avoided in future. Inspection rounds should also be made during office hours, in part to inform staff members about how and why pertinent regulations are being applied. Thus, they will be perceived by all persons concerned as a help rather than a hindrance.

Proper Disposal of Sensitive Resources

Sensitive information not properly disposed of may be the source of valuable information for persons seeking to do harm. An intruder, competitor, or temporary staff can gain valuable information in a low-tech manner by simply going through trash for discarded paperwork that might contain sensitive information. At a minimum, shred all papers and documentation containing sensitive company information, network diagrams, and systems data to prevent a security breach by those who might seek information by rummaging through your trash. Advise employees against writing down user IDs or passwords at all, much less discarding them intact in their trash can.

In the case of functioning media, the data should be overwritten with random patterns. Non-functioning data media, such as CD-ROMs, should be destroyed mechanically.

The recommended disposal of material requiring protection should be detailed in a specific directive, and adequate disposal facilities are to be provided. This includes storage devices and media (i.e., floppy and hard disks, magnetic tapes, and CD-ROMs/DVDs). If sensitive resources are collected prior to their disposal, the collected material must be kept under lock and be protected against unauthorized access.

Secure Desktop Workstations

The first line of defense in physical security is to secure desktop workstations. Effective policies and procedures to secure desktop workstations should be a significant part of your network and information security strategy because of the sensitive information often stored on workstations and their connections. Many security problems can be avoided if the workstations and network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of your security needs, you must configure new workstations to reflect your security requirements and reconfigure them as your requirements change.

Remote Workstations

There is usually a higher risk of theft at home because homes are usually not protected to the same extent as the work place. Workstations at home are accessible to family members and visitors, who may intentionally or unintentionally manipulate business-related data on the workstation if data is not properly protected. Inadvertent or intentional manipulation affects the confidentiality and integrity of the business-related information, as well as the availability of data and IT services on the workstation. Appropriate procedures should be implemented to achieve a degree of security comparable with that prevailing on office premises. A home environment does not normally provide the security infrastructure present on the premises of a company or institute.

Suitable Configuration of a Remote Workplace

It is advisable to set aside a complete room that can be secured for use as a workplace at home. Such a workplace should at least be separated from the rest of the premises by means of a door.

IT equipment intended for professional purposes should be provided by the employer, and the use of this equipment for private purposes should be prevented by official instructions. Question employees who have a workplace at home, regularly or periodically, as to whether their workplace complies with security and operational requirements.

Theft of a Mobile IT System

Laptop or mobile IT systems create a greater risk of theft or damage. Due to the inherent nature of a mobile system, it will be removed from the confines of a secure office. Therefore, implement policies to safeguard mobile IT systems.

Suitable Storage of Business-related Documents and Data Media

Business-related documents and data media at home workstations must only be accessible to the authorized employee, and when they are not in use they must be kept in a locked location. A lockable desk, safe, or cabinet must be available for this purpose. At a minimum, the lock must be capable of withstanding attacks using tools that are easy to create or to purchase. The degree of protection provided by the locked storage should be appropriate to the security requirements of the documents and data media contained therein.

References

- Allen, Julia & Stoner, Ed. Detecting Signs of Intrusion. (CMU/SEI-SIM-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000. Available at <http://www.cert.org/security-improvement/modules/m09.html>

- Ford, Gary, et al. Securing Network Servers. (CMU/SEI-SIM-007). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999. Available at <http://www.cert.org/security-improvement/modules/m10.html>

- Kossakowski, Klaus-Peter, et al. Responding to Intrusions. (CMU/SEI-SIM-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999. Available at <http://www.cert.org/security-improvement/modules/m06.html>

- Federal Agency Security Practices. National Institute of Standards and Technology (NIST) Web site. Available at <http://csrc.nist.gov/fasp/>


Personnel Security Screening

Description

Ensuring that the personnel within your organization who have authorized access to sensitive systems are suitable and trustworthy is the cornerstone of good system security. Statistics show that the majority of system misuse is conducted by those with authorized access to the information. As a trusted partner in criminal justice information sharing, it is imperative that your employees undergo a significant screening process to determine their suitability for access to your systems and those to which you connect. This applies to all positions and to all phases of the contracting process where access to critical systems is authorized.

Purpose

The personnel security screening discipline describes the methods that agencies must use to screen an applicant's background for past inappropriate behavior that may put unclassified but sensitive data at risk. The rigor of the screening may vary based on the applicant's access requirements to computer systems and databases. It is imperative that all applicants be screened in a standardized manner. Personnel security screening will promote trust among agency criminal justice partners.

Principles

- The level of assurance of the screening mechanism employed should be balanced against the cost of the mechanism and the risk associated with incorrectly "passing" an individual trying to gain access to the information system.

- Users should be properly screened. Proper screening requires that the employer use a consistent and reliable means to perform an adequate background check before the user receives access to the system(s).

- Personnel with direct and appropriate access to critical systems and partner systems shall undergo a more rigorous background check than those with secondary access.

- There should be mechanisms in place to relieve personnel from duties requiring direct access to critical systems should their initial or subsequent background checks reveal information that would preclude their access.

Policies

Once an organization decides on an approach for personnel screening, the policies related to that approach should be documented so that there is a written guideline specifying the consistent and comprehensive application of the screening process. The personnel department will play an important role in this policy development, and new tools may need to be developed for the selection process. The Global Security Working Group maintains a library of sample security screening policies.

Best Practices

It is a best practice to require background checks on all employees every five years. The initial personnel screening process comprises the following steps.

Step One: Determine the Appropriate Screening Requirements

Screening must be carried out according to the highest level of information that will be accessed in the performance of assigned duties or during the contracting process. If the employee will access only information contained within their jurisdiction, with no gateway access to justice partners, the screening process may differ from that for an incumbent who has access to the information of multiple justice partners.

Step Two: Identify Required Checks

Basic Reliability Check for No Direct Access to Justice Partner Systems

The basic reliability check for positions with no direct access comprises: verification of personal data, education, professional qualifications, employment, and references; a declaration signed by the incumbent concerning any conviction for a criminal offense (may be a part of the application process); and a criminal history records check based on a full name and date of birth search of state and federal records (for criminal justice employment).

Enhanced Reliability Check for Direct Access to Critical Systems and Justice Partners

When an enhanced reliability check for direct access to critical systems and justice partners is needed, the following is involved:

1) Verification of personal data, education, professional qualifications, employment, and references;

2) a declaration signed by the incumbent concerning any conviction for a criminal offense (may be a part of the application process);

3) a criminal history records check based on a full name and date of birth search of state and federal records for criminal justice employment (which should be completed within thirty days of employment and after the name and date of birth check is completed with either positive or negative results);

4) a credit check, when duties or tasks performed would require it, or in the event of a discovered criminal record; and

5) a criminal history records check with the submission of a completed applicant fingerprint card to the Federal Bureau of Investigation, Criminal Justice Information Services (CJIS) Division through the state identification bureau, when the state is a single-source participant.

Step Three: Obtain Consent

The screening process involves the review of personal information and while it must be a mandatory requirement for a successful applicant, consent is required prior to beginning the process. Written consent may only be given by those persons who have reached legal age; otherwise, the signature of a parent or guardian is required. Make certain that the screening process does not begin prior to receiving this written consent. Inform those who do not consent to the screening process that they cannot be considered further for employment or contract work.

Declaration

For all security screenings, a declaration regarding the existence of a criminal record must be obtained. The applicant will be required to state whether he or she has been convicted of a criminal offense. This may be a part of the application process form(s).

Step Four: Process the Required Checks

Criminal Records Name and Date of Birth Check

To initiate this type of check, access to the state and federal criminal history record systems is required. In most cases, employment within criminal justice agencies allows, if not demands, that this check be minimally completed prior to allowing direct or secondary access to systems that may contain sensitive information. If state and federal criminal history records access is not available within your agency, it will be necessary to determine internal procedures within your city, county, state, or federal jurisdiction to conduct these name and date of birth criminal history background checks. Proper legal identification must be presented by the applicant, as the inquiry must be made by using legal full name and accurate date of birth information. It is important to note that these checks may cause multiple hits on common names, and the only accurate method of determining whether the person inquired upon matches any possible response is through fingerprint comparison.

Fingerprint Check

When required, fingerprints are to be taken after the consent form is completed, and will normally be taken at your jurisdiction's enforcement unit such as the state police, county sheriff (bailiff for courts), local police, or booking unit. Every effort should be made to ensure the comfort of the applicant during this process. The completed fingerprint cards (normally done in duplicate) should be forwarded to the appropriate entity within your jurisdiction for processing.

Credit Check

Where required, the credit check is conducted by the agency, at its expense, through the associated credit bureaus. While not necessarily an accurate indicator of an employee's suitability for a position, it may be used in addition to other information obtained to make an informed decision.

Contracts

For contracting firms, the contracting authority is responsible for ensuring that the firm verifies its employees' personal, educational, and employment data and conducts reference checks. The contracting authority initiates criminal records checks and conducts other appropriate checks.

Step Five: Evaluate the Results of Required Checks

Once the checks are completed, a decision must be made based on the information gathered. Factors to be considered are subjective and varied and cannot be adequately discussed here. In most cases, a gross misdemeanor or felony conviction within the past ten years is just cause for denial of employment with direct access to these systems. Consult your personnel department and legal department for additional information.

Step Six: Grant or Deny Access

Based on your evaluation, grant or deny access to the system.

Step Seven: Brief the Screened Person

If negative information is obtained from your screening process, this step must be completed. The applicant may be in possession of additional information that may make your evaluation process more complete. If a name and date of birth check has revealed a match, a fingerprint comparison may be necessary to adequately protect the applicant from any false positives that such a check may produce.

References

For a listing of applicable security screening standards see:

- <http://www.leo.gov/lesig/cjis/cjis_pub/information/poly2002_feb/POLY2002_Feb.htm>

- <http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/CHAPT2-4_e>

- Web site for NASCIO security policy: <http://www.nascio.org>

Separation of Duties

Description

Separation of duties is a critical element of a robust security policy. Separation of duties requires the segregation of programming, database administration, security, user functions, and source code access into separate job functions performed by different individuals. Separation of duties is closely linked, in many respects, to change management (reference Chapter 9).

Purpose

Separation of duties segregates critical, operational IT functions into distinct jobs to prevent a single person from harming a development or operational system or the services they provide, whether by an accidental act, omission, or intentional act.

Principles

A system administrator should establish and enforce a policy of separation of duties.

Policies

A separation of duties policy should be established and documented that assigns programming, database administration, security, user functions, and source code access to separate job functions performed by different individuals. A training program should be established for personnel affected by the separation of duties, and an audit plan should be established and executed periodically to ensure compliance with the policy.

Best Practices

An individual should not have access to more than one critical task as identified by management. Personnel should only perform those duties specified in their job descriptions; therefore, programming and operations functions should be performed by different individuals.

Programmers should not be able to execute any jobs in a production mode, perform database administration functions, perform application security functions, or have access to production databases.

Operators should not have the ability to make changes to production applications or system software libraries, and database changes should be administered by database administration personnel only.

Security responsibilities should be clearly separated from processing operations functions. Security functions (i.e., authority, access to data, restricting functions) should be performed by security personnel.

Reference

- International Standard, ISO/IEC 17799, Information Technology - Code of Practice for Information Security Management

Identification and Authentication

Description

Identification and Authentication (I&A) are the first line of defense in many information systems. I&A mechanisms provide a basic security function: they ensure that those wishing to gain access to information resources are indeed who they represent themselves to be. There is increasing focus on authentication protocols and technology. Today, the most common form of authentication is password control. In general, technologies for authenticating a potential user of an information system are organized into three identification factors: something you know, something you have, and something about yourself. An example of something you know is a password or a personal identification number (PIN). Something you have might be a smart card. Something about yourself can be a biometric such as a fingerprint, iris pattern, facial pattern, handwriting, or voice pattern. Highly secure systems can use multiple factors. For example, a biometric authentication system may also require the entry of a password to mitigate the risk of false-positive matches.

Purpose

I&A describe the methods and technology that users engage to identify themselves to an information system. There is a wide range of alternatives available in both method and technology. These alternatives vary in rigor (i.e., the security assurance level, or the degree of protection that they provide) and cost. In general, rigor and cost are directly proportional: the more rigorous a method/technology, the more it costs. The justice information system owner/designer should look to methods that provide as high a level of assurance as possible within cost constraints.

Principles

- The level of assurance of the I&A mechanism employed should be balanced against the cost of the mechanism and the risk associated with incorrectly identifying an individual trying to gain access to the information system.

- Users should be properly registered. Proper registration requires that a user provide a consistent and reliable means to identify themselves to a registration authority before receiving the credentials used in I&A. For example, the user may be required to produce a driver's license and a work identification to receive a smart card used to gain access to an information system.

- There should be a unique set of identification credentials for each individual user. For example, two users should not share a username and password when accessing an information system.

- There should be procedures in place to efficiently grant and revoke I&A credentials.

- There should be mechanisms in place to allow audits and reviews of the identities of users that have valid or revoked I&A credentials.

Policies

Once an organization decides on an approach for authentication, the policies related to that approach should be documented so that there is a written guideline specifying the consistent and comprehensive application of authentication throughout the information enterprise. The policy should identify scope, methods, standards, and organizational and individual responsibilities. The Global Security Working Group maintains a library of sample authentication policies at the Web site <http://www.it.ojp.gov>.

Reference the following documents for examples of I&A policy statements:

- The Kansas Department of Administration Information Technology Security Policy, Section 7C User Accountability: UserIDs and Passwords, and 7D Access Controls.

- State of Arizona Statewide Standard P800-S820, Authentication and Directory Services.

- The Missouri Office of State Court Administrators (OSCA) Data Security Guidelines, Section 5.4.4. Access Controls.

Best Practices

Most authentication techniques follow the "challenge-response" model, where an individual is prompted (the challenge) to provide some private information (the response). The complexity of this interaction is governed, in part, by the number of I&A factors included in the response.

Both cost and level of protection increase as the number of factors increases. Generally, the factors are added in the following order: (1) something you know, (2) something you have, (3) something about yourself. For example, system designers may start with a something-you-know factor and add a something-you-have factor to get the next increment of protection. The following paragraphs provide background on the three factors and summarize best practices under each. This overview concludes with a discussion of authentication servers, systems that are added to an information network for the sole purpose of completing the authentication process.

Something You Know: Passwords

Passwords remain the most common form of I&A. Unfortunately, passwords can be easily misapplied and provide a weak level of security. One reason is that users tend to pick simple passwords that are easy to remember. For example, there are approximately 50,000 words in the English dictionary. If a dictionary word is used as a password, it is a fairly quick and easy task for a computer program to try each one of the 50,000 and guess the password. System administrators should use software that enforces the selection of strong passwords (8 characters or more with a mix of lowercase, uppercase, and special characters, and no simple words or names). Furthermore, system administrators should periodically run security software utilities that scan for weak passwords. Password security mechanisms can be strengthened further through the use of "one-time passwords." One-time passwords can be implemented through either software or hardware. Hardware implementations, typically dependent on the use of a token device, are described in the next chapter.
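The password rule stated above, as an added example of an enforcement check that is not part of the original document. It goes one step beyond the text: before the dictionary lookup it undoes the digit and symbol substitutions users commonly apply to a dictionary word, since "Password1!" satisfies the length and character-mix rules while still being a single dictionary word. The word and name lists are short constructed stand-ins for the full lists a real checker would load.

```python
import string

MIN_LENGTH = 8

# Constructed stand-ins for the ~50,000-word dictionary and a name list that a
# production checker would load from files; a few entries show the mechanics.
DICTIONARY_WORDS = {"password", "welcome", "justice", "summer", "letmein", "dragon"}
COMMON_NAMES = {"john", "mary", "smith", "jones"}

# Common substitutions a user applies to dress up a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Reduce a candidate to the word a dictionary guess would start from.

    Leading/trailing digits and punctuation are dropped first ("Password1!"),
    then substitutions inside the word are reversed ("P@ssw0rd"), and any
    remaining non-letters are removed ("pass-word") before the lookup.
    """
    core = password.strip(string.digits + string.punctuation).lower()
    core = core.translate(LEET_MAP)
    return "".join(ch for ch in core if ch.isalpha())


def check_password(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.islower() for ch in password):
        failures.append("no lowercase letter")
    if not any(ch.isupper() for ch in password):
        failures.append("no uppercase letter")
    if not any(ch in string.punctuation for ch in password):
        failures.append("no special character")
    core = base_word(password)
    if core in DICTIONARY_WORDS:
        failures.append(f"built on dictionary word '{core}'")
    elif core in COMMON_NAMES:
        failures.append(f"built on name '{core}'")
    return failures


if __name__ == "__main__":
    for candidate in ("summer", "Password1!", "P@ssw0rd!", "J0hn2003!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```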

New products are currently available that apply to the something you know factor in a slightly different way. These products use information that is available on individuals from large, public data sources to "test" the individual and confirm identity. For example, someone claiming to be John Ashcroft might be asked to enter John Ashcroft's social security number and the address of his last three residences. This type of authentication may be appropriate in situations where the authentication subject is from the general public. Because data sources for personal information are generally accessible databases, it may be inappropriate to rely solely on knowledge of this information to verify identity. For example, to improve the assurance level of the process, the individual may be asked to produce some form of formal identification in addition to correctly responding to questions on personal background. As in all I&A approaches, care must be taken to match the level of assurance of the method to the risk of a false-positive or negative authentication.

Something You Have: Token Devices and Smart Cards

Probably the simplest and least costly hardware token device is one that is used to implement a one-time password. The security limitations of passwords can be summarized briefly: easy passwords are easy to "crack"; complex passwords are hard to remember. Passwords that are hard to remember are often written down somewhere. In some cases, they are written down in dangerous places such as Post-it notes stuck to a workstation. A one-time password token provides a code that can be appended to the user's password. This code changes on each use so that the password is different each time it is entered. This addition makes simple passwords more complex. Even if the password is "sniffed" (inappropriately intercepted and stolen), there is little harm since the compromised password cannot be used again.

A one-time password token device often resembles a credit card-sized pager. Many token devices work by displaying a code that the user can append to his/her password. The code is calculated by encrypting the time of day with a secret encryption key stored on the device. The authentication server (i.e., the computer system with which the user interacts for the purposes of I&A) knows what encryption key is assigned to the holder of the token and applies the same calculation to the time of day. The user reads the number currently displayed on the token and enters it along with his/her password. This type of system is much easier and less costly to administer than smart cards that depend on public key cryptography. Furthermore, this approach does not require reader devices to be installed on the laptop or workstation being used to gain access to the justice information system or network.
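The token-and-server calculation described above, as an added example that is not part of the original document or any vendor's product. It assumes a 30-second time-of-day window and uses HMAC-SHA1 over the window index as the keyed function in place of the "encrypting the time of day" wording (an assumption about the keyed function, not a specific vendor's scheme). The server side also refuses to accept a window it has already consumed, which is what makes a "sniffed" code useless on a second attempt; all key material and times are constructed values.

```python
import hashlib
import hmac
import struct

# Shared secret placed on the token at enrolment and recorded for this holder on
# the authentication server. Constructed value for the example only.
SECRET = b"constructed-demo-token-key"
STEP_SECONDS = 30   # time-of-day granularity shared by token and server (assumption)


def time_step(now: float, step: int = STEP_SECONDS) -> int:
    """Quantise the clock into windows so token and server derive the same input."""
    return int(now) // step


def token_code(secret: bytes, step_index: int, digits: int = 6) -> str:
    """The number the token displays for one time window.

    HMAC-SHA1 over the window index, truncated to six digits. This stands in for
    the device's keyed calculation and is an assumption of the example.
    """
    counter = struct.pack(">Q", step_index)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def split_passcode(entered: str, digits: int = 6):
    """The user appends the displayed code to the password; separate the two parts."""
    return entered[:-digits], entered[-digits:]


class OtpVerifier:
    """Authentication-server state for one token holder."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window              # +/- windows tolerated for clock drift
        self.last_accepted_step = -1      # newest window already consumed

    def verify(self, submitted: str, now: float) -> bool:
        """Repeat the token's calculation; refuse any window already used (replay)."""
        current = time_step(now)
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                  # code from a consumed window: a replay
            if hmac.compare_digest(token_code(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = 1_700_000_000.0
    code = token_code(SECRET, time_step(now))
    server = OtpVerifier(SECRET)
    print("token shows", code)
    print("first use accepted:", server.verify(code, now))
    print("replay accepted:", server.verify(code, now + 1))
```

The drift window is the usual operational compromise: a token whose clock has slipped by less than one step still works, while the consumed-window record means the same code can never be accepted twice even inside that window.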

Smart cards are a more complex and more expensive way to implement something-you-have I&A. They can also provide more flexibility and functionality. A smart card is a credit card-sized device that contains a computer processor chip and solid-state storage. In many I&A applications, the smart card will store the user's digital certificate. The digital certificate is a data file that contains the user's private key. Please refer to the chapter on data integrity for a more detailed description of digital certificates and private keys. To authenticate to a justice information system or network, the user will insert his/her smart card into a hardware reader connected to a workstation or laptop computer. The processor on the smart card will encrypt a text string with the user's private key. The authentication server can confirm the authenticity of the smart card by decrypting the text string with the user's public key: if the text correctly decrypts with the user's public key, it could only have been encrypted with the user's private key. In this approach, the user's private key never has to be communicated outside of the smart card; it never "leaves" the smart card's circuitry. This helps preserve the integrity of the private key.

Whoever holds the smart card also holds all of the access privileges associated with the user. To minimize the risk associated with lost or stolen smart cards, another identification factor is often required with each smart card use. The user may have to enter a password or a PIN whenever the smart card is placed in a reader. The password or PIN is said to "unlock" the private key for use in I&A. An even more rigorous approach would be to require biometrics to unlock the private key stored on the smart card. Several smart card vendors are currently working on technology that will place a fingerprint reader directly on the smart card. The result will be a very secure and easy-to-use I&A mechanism.

There are several reasons why smart card-based I&A systems can be costly to implement and operate. The cost associated with the smart cards and the readers can be significant when considering a system that supports a large community of users. In addition, the administrative burdens of issuing and managing smart cards increase the cost of using a workstation or laptop computer.

Something About Yourself: Biometrics

Biometrics can offer a rigorous means of authentication by requiring physical identification in addition to something you know or something you have. Biometric methods take several different forms, and they result in varying levels of cost and complexity depending on the type of information being accessed.

When evaluating different biometric devices and alternatives, it is important to consider the FRR ("false rejection rate" or type I error) and the FAR ("false acceptance rate" or type II error). The FRR measures the percent of rejections that should have been accepted (a valid user who used the device but was not properly identified); the FAR measures the percent of accepted or validated logons that should have been rejected (an invalid user who was improperly identified as a valid one). These two ratings are closely related. On average, today's biometric devices typically have a four to five percent error rate. The correlation between the two rates can be expressed in the following manner: for a highly secure solution, the FAR would be zero percent and the FRR would be five percent. If the FAR were to increase to three percent, the FRR would need to drop to two percent. All manufacturers provide their average FRR and FAR ratings. Other factors to consider are cost, environmental conditions (weather, dust, humidity), and intrusiveness to users.
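The FAR/FRR trade-off above comes from where the match threshold is set. The following added example (not from the original document or any manufacturer's data) computes both rates from a constructed set of matcher similarity scores, sweeps the threshold, and reports the operating point where the two rates are equal and the FRR cost of demanding a given FAR ceiling. The score lists are invented for illustration.

```python
# Constructed similarity scores (0-100) from a hypothetical matcher.
# GENUINE: enrolled users presenting their own finger; one low score stands for a
# user whose finger was injured. IMPOSTOR: other people's fingers against the template.
GENUINE = [97, 96, 95, 94, 93, 92, 91, 90, 89, 88,
           87, 86, 85, 84, 83, 82, 81, 80, 77, 70]
IMPOSTOR = [8, 12, 16, 20, 24, 28, 32, 36, 40, 44,
            48, 52, 56, 60, 63, 66, 69, 72, 75, 78]


def far(impostor_scores, threshold):
    """False acceptance rate: impostors whose score clears the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: genuine users whose score falls short."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_point(genuine, impostor):
    """Threshold where FAR and FRR are closest: the usual single-number summary."""
    return min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold that meets a FAR ceiling, with the FRR that choice costs."""
    for t, a, r in error_curve(genuine, impostor):
        if a <= max_far:
            return t, a, r
    return None


if __name__ == "__main__":
    for ceiling in (0.0, 0.05):
        t, a, r = threshold_for_far(GENUINE, IMPOSTOR, ceiling)
        print(f"FAR <= {ceiling:.0%}: threshold {t}, FAR {a:.0%}, FRR {r:.0%}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
```

With these constructed scores, insisting on zero false acceptances forces the threshold above the strongest impostor score and rejects two of twenty genuine attempts, while tolerating a 5% FAR halves the FRR. That is the trade the text describes, and it is why the operating threshold, not only the vendor's quoted averages, must match the sensitivity of the information being protected.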

The different types of biometrics can be grouped into two categories: physical and behavioral. Examples of physical biometrics are a fingerprint or iris pattern; examples of behavioral biometrics are a voice or keystroke pattern. The following paragraphs summarize physical and behavioral biometrics.

Fingerprints

This is perhaps the most well-known and accepted form of physical biometrics in use today. The uniqueness of fingerprints has been recognized for a long time, and fingerprints are the de facto standard identifier in the justice community. It is not surprising that this is also the most common form of electronic biometric identification currently in use. The unique patterns of a given finger are analyzed and stored in a database and compared against a user attempting to gain entry into a system. If a matching pattern is found in the database, the user is granted access. The particular methods of validating a given pattern may differ (for example, minutiae or moiré fringe), but the end result is the same. Some newer scanners detect the temperature or electrical impulses of the digit being scanned, thereby confirming that the finger is currently attached to a living being. Fingerprints are very easy to obtain through scanning, and the technology is non-intrusive.

Hand Geometry

This physical biometric method involves measuring and analyzing the shape of the hand. Different individual characteristics, such as length or width of a certain digit, are combined to ensure a unique pattern. This method can be quite accurate. It is relatively easy to implement and fairly non-intrusive.

Retina Scanning

The retina of each eye is as unique as a fingerprint and relatively easy to scan. Scanning maps the layers of blood vessels on the retinal surface at the back of the eye. This physical biometric method requires that the person stand completely still for a period of time while focusing on a given object. While highly accurate, this method is not widely used due to its intrusive nature and the necessity to remove eyeglasses and, in some cases, contact lenses.

Iris Scanning

Iris scanning is relatively new and very accurate. It works by comparing the color patterns in the iris with a sample or template stored in the database. This physical biometric method is somewhat intrusive, but not nearly as much as a retina scan. Although it is not necessary to remove eyeglasses, the method may not work on a person wearing colored contact lenses. This method is very easy and inexpensive to implement; a simple electronic camera device can be used to perform the scan.

Facial Recognition

This area of physical biometrics has received much attention lately owing to the widespread appeal of its variety of methods. Facial recognition works by combining many different characteristics of the face such as size, shape, width, color, and even heat patterns. It is non-intrusive and fairly easy to implement, although its overall accuracy is not as good as fingerprints, retina, or iris scans.

Voice Recognition

Voice recognition is not simply a matter of recognizing a person's voice, but rather an overall analysis of several different factors such as inflection, gait, and volume. Voice recognition is inexpensive in most applications because it requires little additional hardware beyond the microphones that come standard on PC workstations. This behavioral biometric method is non-intrusive and easy to install, but is not necessarily the most accurate.

Signature Analysis

Signature analysis captures and monitors several different aspects of a live signature. Users sign their name as usual on a device such as a touch screen or digitizing tablet, and the system monitors the creation of the signature. Characteristics such as velocity, pressure, and pattern are compared to a known sample. This behavioral biometric method is widely accepted as non-intrusive because all users frequently sign their name as a form of identification. The method is neither expensive nor difficult to implement, but its overall accuracy has yet to be proven.

Perhaps more important than the type of biometric methods and devices is the overall strategy for deploying and implementing biometrics in an information system. Biometric methods are typically a very good way to identify an individual, but they should be used in conjunction with another method of verification. If a fingerprint scanner is the sole method of verification, a user with an injured or bandaged hand may not be able to log on. This type of problem exists with many biometrics: a user with a cold sounds different; certain drugs affect the eyes; and heat, cold, dust, and other environmental elements can affect the accuracy of many biometric devices. For these reasons, it is important to consider the operating location of the measuring device, whether it is a laptop installed in a police patrol cruiser or a desktop at the precinct. It may also be appropriate to provide different authentication methods for different levels of information sensitivity.

NIST is currently evaluating biometric technology and products for the U.S. Congress, as mandated by the Patriot Act of 2001. The Act calls for biometric identifiers on non-citizens' travel documents by October 2004. NIST has come to four preliminary conclusions:

• Iris scans rely on proprietary technology that makes evaluation of their accuracy difficult.

• Fingerprints work well, but accuracy needs to be better for wide-scale use.

• Facial recognition technologies are not mature yet.

• No biometric technology works well enough to be relied on by itself.

One of the NIST researchers commented that biometric identifiers "...always look stronger and easier in theory than they are in practice. Effective enrollment is difficult, and physical spoofing is a lot easier than we would like." While it must be noted that the NIST study is being conducted for a very specific application of biometrics, some of their preliminary conclusions are relevant to I&A for information system access. With the exception of fingerprint systems, there are very few examples of production biometrics authentication. In contrast, the law enforcement and justice community has relied on fingerprints for investigative and positive identification purposes for decades. As biometric technology matures, the full range of physical and behavioral features described in this chapter will become more important as means of positive I&A. In the meantime, the majority of production I&A systems will continue to focus on fingerprints when adding biometrics as an additional factor for increased levels of assurance.

Authentication Servers and Single Sign On

Frequently in justice applications, a user will first authenticate to a network and then require access to several systems and information repositories connected to that network. For example, a corrections officer may need to access the jail information system as well as the courts case management system to coordinate the transportation of an inmate to a trial. One way to reduce the number of authentications required and to manage user privileges is to incorporate an authentication server into the network. The authentication server can be used to implement a security service called "single sign on." The sole function of the authentication server is to validate the credentials of a user prior to granting access to network resources. To accomplish this, there must be electronic trust relationships between the authentication server and the other servers in the enterprise; in our example, between the authentication server, jail information system, and court case management servers.

The authentication server is a single point of access to many of the enterprise resources. For this reason, additional system management attention must be focused on the authentication server to maintain the integrity of the network. However, it is often easier to focus on one server and make sure that it is protected and well-managed to ensure that the authentication process is not compromised than to divide efforts over every server in the network. There are several advantages in using a central authentication server:

• All user IDs and passwords (or other I&A credentials) can be managed from one location. This simplifies the task of adding and deleting users.

• The user needs to go through the authentication process only once, even if he/she needs to access multiple servers to complete a job function (single sign on). In a password-based network, the user would not need to remember multiple passwords, and it is easier to maintain a strong password.

• A consistent, secure authentication process can be maintained throughout the enterprise.

While these are strong advantages, it must be reiterated that the authentication server places all of the authentication "eggs in one basket." If the security of the authentication server is compromised, all of the information systems that rely on it for access control can also be compromised. For this reason, it is imperative that considerable attention be paid to the management and monitoring of the authentication server.

If all of the servers in a network use the same operating system (e.g., UNIX, Windows 2000, Netware, or OS390), centralized authentication service may be a native feature of the enterprise network design. For example, in a homogeneous Windows 2000 network, the user can authenticate to the "primary domain controller" and use trust relationships between the servers to access information anywhere in the network where the proper authorization exists. However, many justice networks are heterogeneous and include several types of servers and operating systems. Heterogeneous server networks are almost a fact of life in larger justice networks where information systems are owned and operated by different organizations. The court case management system may operate on a central mainframe. The sheriff's jail system may operate on a UNIX server housed in its facilities. Police files may reside on Netware file servers. An authentication server can be used to help manage user I&A in this type of environment.
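A minimal model of the single sign on arrangement described in this section, added here as an example and not taken from the original document or any product. The "electronic trust relationship" is represented as a verification key shared between the authentication server and each relying server: the user authenticates once, receives a time-limited ticket, and the jail and court systems each accept it independently, while a system without the trust relationship cannot. Because every relying server's decision rests on that one key, the model also makes the "eggs in one basket" point concrete. User names, passwords, keys and times are constructed.

```python
import hashlib
import hmac
import json

# Constructed key that embodies the trust relationship between the authentication
# server and the servers that accept its tickets. Not a real deployment value.
TRUST_KEY = b"constructed-enterprise-trust-key"


def _credential_hash(password: str) -> str:
    # Constructed stand-in for a password store; production servers use salted, slow hashes.
    return hashlib.sha256(password.encode()).hexdigest()


class AuthenticationServer:
    """Validates credentials once and issues a keyed, time-limited ticket."""

    def __init__(self, users, signing_key, ttl_seconds=600):
        self.users = {u: _credential_hash(p) for u, p in users.items()}
        self.signing_key = signing_key
        self.ttl = ttl_seconds

    def login(self, user, password, now):
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, _credential_hash(password)):
            return None                                   # credentials rejected
        claims = {"sub": user, "iat": int(now), "exp": int(now) + self.ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag


class ResourceServer:
    """Jail or court system: honours tickets it can verify with the trusted key."""

    def __init__(self, name, trusted_key):
        self.name = name
        self.trusted_key = trusted_key

    def user_from_ticket(self, ticket, now):
        body_hex, _, tag = ticket.partition(".")
        try:
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(self.trusted_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                                   # not from a trusted issuer, or altered
        claims = json.loads(body)
        if now >= claims["exp"]:
            return None                                   # stale ticket
        return claims["sub"]


def single_sign_on_demo(now=1_700_000_000):
    """One login, several relying servers; returns who each server believes the user is."""
    auth = AuthenticationServer({"officer.jones": "correct horse"}, TRUST_KEY)
    jail = ResourceServer("jail information system", TRUST_KEY)
    court = ResourceServer("court case management", TRUST_KEY)
    outsider = ResourceServer("system without a trust relationship", b"some-other-key")
    ticket = auth.login("officer.jones", "correct horse", now)
    return {
        "jail": jail.user_from_ticket(ticket, now),
        "court": court.user_from_ticket(ticket, now),
        "outsider": outsider.user_from_ticket(ticket, now),
        "after_expiry": jail.user_from_ticket(ticket, now + 601),
        "bad_password": auth.login("officer.jones", "wrong", now),
    }


if __name__ == "__main__":
    for server, result in single_sign_on_demo().items():
        print(f"{server}: {result}")
```

The design choice worth noticing is that relying servers never see the password at all; they see only a ticket they can check. That is what lets the credential store, the password policy and the monitoring be concentrated on the one server, and it is equally why the signing key and that server's host deserve the extra management attention the text calls for.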

References

For a listing of applicable biometric standards see:

• <http://www.itl.nist.gov/div895/biometrics/standards.html>.

• <http://www.biometrics.org/html/standards.html>.

Authorization and Access Control

Description

After identification and authentication are properly performed, the system knows who a user is. The next, equally important step is to determine what permissions and access authorizations the user holds. Authorization and access controls are an essential part of maintaining need-to-know and privacy policies and protecting sensitive information. They also support data integrity by restricting the rights to modify information to those who are authorized to do so.

Purpose

This authorization/access control chapter provides an overview of the methods and technologies used to define, enforce, and manage the allocation of resource access permissions to users of justice information systems. A discussion of some of the unique access management issues encountered in sharing information among disparate organizations is also provided.

Principles

• Access privileges should be granted based on a written policy that identifies user roles and the information required by individuals performing in that role.

• Access to multiple information systems should be managed with as much central control as possible. Where diverse organizations are involved, the system software that supports access management must honor the access policies of each organization while automating as much of the administrative process as practical.

• Access management policies and procedures should be defined to permit user privileges to be easily modified, added, or deleted by authorized administrators.

• User privileges should be auditable.

Policies

Well-defined access policies are important to the security of an information system. The policy statement should provide clear guidelines on how to assign, remove, modify, authorize, and audit access privileges. The policy should consider the sensitivity of the information, need-to-know considerations, and privacy restrictions. The Global Security Working Group maintains a library of policy samples at the Web site <http://www.it.ojp.gov>. The reader may refer to The Missouri OSCA Data Security Guidelines, Section 5.4.4 Access Controls for examples of access control policy statements.

Best Practices

Managing and controlling access to information resources is a long-standing and well-studied problem. As a result, there is a rich and evolving set of technologies to address the problem. There are two fundamental types of access control: mandatory and discretionary, sometimes referred to as MAC and DAC, respectively. MAC and DAC can be defined as follows:

Mandatory Access Control (MAC)

In most MAC-based systems, both users and information resources are labeled. A familiar MAC implementation is the one used for national security information. In that implementation, the labels may include: "Unclassified," "Confidential," "Secret," and "Top Secret." In order to obtain access to secret information, the user needs at least a "Secret" clearance. In this regard, access controls are mandatory; they cannot be changed at the discretion of the system administrator.

Discretionary Access Control (DAC)

In DAC systems, there are no explicit, security level labels on users and information. The system administrator plays a much more significant role in assigning permissions to users. Access to a resource may be granted to a user based on the discretion of the system administrator. Although there is no formal concept of security level, DAC systems are usually based on some kind of policy that instructs the administrator on how to determine who gets access to what.

This chapter focuses primarily on DAC since it is the dominant type of access control in justice applications. While attempts have been made to define security levels and labels for information, there is no well-accepted standard on a par with the national security level MAC system. Lack of standards, however, does not eliminate the need to understand and categorize the access sensitivity of information. This topic is addressed further under the data classification discipline. (Reference Chapter 8.)

DAC is typically implemented through some form of access control list (ACL). A sample ACL appears in Table 1. The ACL is a table that allocates the right to access an "object" to "subjects." An access right traditionally includes permissions such as create, delete, read, write, and modify. A subject might be a specific user such as "Officer Jones" or a group of users such as "police officers." ACLs are typically implemented in vendors' system software products. An operating system (such as Windows 2000) will have an ACL, as will a database management system (such as Oracle).

Table 1. Sample Access Control List

Subject          Access                          Object
Officer Jones    Create, read, modify, delete    Criminal history database
Officer Jones    Read                            Arrest record database
Officer Smith    Create, read, modify, delete    Criminal history database

Role-based Access Control (RBAC) builds on the model for an ACL subject. In RBAC, permissions are associated with roles, and users are made members of appropriate roles. This model simplifies access administration, management, and audit. The role-permission relationship changes much less frequently than the role-user relationship. RBAC allows these two relationships to be managed separately and gives much clearer guidance to system administrators on how to properly add new users and their associated permissions. RBAC is particularly appropriate in justice information sharing systems where there are typically several organizationally diverse user groups that need access, in varying degrees, to enterprise-wide data. For example, when Officer Jones joins the police, he/she will be given the information access privileges that are due the "police officer role." Some of these privileges may be associated with information that is maintained by other organizations, such as the sheriff or the courts.
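To show the difference the text draws between an ACL and RBAC, the following added example (not from the original document or any vendor's product) encodes Table 1 directly as an ACL, then expresses the same privileges once on a "police officer" role. Adding a new officer becomes a single role assignment, removing a user revokes everything at once, and an audit lists each effective privilege with the role that grants it. Names other than those in Table 1 are constructed.

```python
from collections import defaultdict

RIGHTS = {"create", "read", "modify", "delete"}


class AccessControlList:
    """Table 1 as data: each entry is a subject, an object, and a set of access rights."""

    def __init__(self):
        self.entries = defaultdict(set)          # (subject, object) -> rights

    def grant(self, subject, obj, *rights):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown access rights: {sorted(unknown)}")
        self.entries[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        self.entries[(subject, obj)].difference_update(rights)

    def allows(self, subject, obj, right):
        return right in self.entries.get((subject, obj), set())


class RoleBasedAccess:
    """Permissions attach to roles; users are made members of roles."""

    def __init__(self):
        self.role_rights = defaultdict(set)      # role -> {(object, right)}
        self.user_roles = defaultdict(set)       # user -> {role}

    def grant_role(self, role, obj, *rights):
        self.role_rights[role].update((obj, r) for r in rights)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def remove_user(self, user):
        self.user_roles.pop(user, None)          # one change revokes every inherited right

    def allows(self, user, obj, right):
        return any((obj, right) in self.role_rights[role]
                   for role in self.user_roles.get(user, ()))

    def audit(self, user):
        """Effective privileges and the role granting each: what an auditor reviews."""
        return sorted((obj, right, role)
                      for role in self.user_roles.get(user, ())
                      for obj, right in self.role_rights[role])


def table_one_acl():
    """The three rows of Table 1, entry by entry."""
    acl = AccessControlList()
    acl.grant("Officer Jones", "Criminal history database", "create", "read", "modify", "delete")
    acl.grant("Officer Jones", "Arrest record database", "read")
    acl.grant("Officer Smith", "Criminal history database", "create", "read", "modify", "delete")
    return acl


def police_officer_rbac():
    """Officer Jones's privileges stated once as the 'police officer' role and inherited by members."""
    rbac = RoleBasedAccess()
    rbac.grant_role("police officer", "Criminal history database", "create", "read", "modify", "delete")
    rbac.grant_role("police officer", "Arrest record database", "read")
    for officer in ("Officer Jones", "Officer Smith"):
        rbac.assign(officer, "police officer")
    return rbac


if __name__ == "__main__":
    rbac = police_officer_rbac()
    rbac.assign("Officer Lee", "police officer")      # constructed new hire
    for row in rbac.audit("Officer Lee"):
        print(row)
```

In the ACL form, a new officer needs one entry per object and a departing officer needs each of those entries found and removed; in the role form the role-permission table is the stable policy and only the role-user table churns, which is the separation the text credits with simpler administration and audit.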

Environments in which users must gain access to multiple information systems create additional administration and management challenges. Each information system will maintain its own ACL. The administrators for each system will be required to maintain current and accurate ACLs that may include users from other organizations. There will need to be policies and procedures used to validate the credentials of users from external organizations. Ideally, the ACLs would be integrated so that within a single organization, access to multiple information systems can be managed in a centralized manner and, across multiple organizations, additions and changes to access privileges can be coordinated and supported. Products and technologies that address this problem are named Extranet Access Management (EAM).

The problem of managing access to multiple applications is not a new one, and several solutions exist. For example, the well-known mainframe utility, RACF (Resource Access Control Facility), allows the system administrator to manage user access permissions to multiple databases and software applications. There are mechanisms within the mainstream server operating systems (e.g., Netware, Windows 2000, and UNIX) to establish privileges for registered users on different systems. EAM tools extend the ability to centrally manage access to a wide variety of information systems including Web services. The problem becomes more complex as the information systems become more diverse and spread over multiple agencies. In some cases, for example, the administrators from "Agency A" may not want users from "Agency B" to be automatically added to their system by "Agency B" administrators without their explicit knowledge and approval. The ideal access management solution will honor the user permission policies of each agency it serves while making administration as easy and automated as possible. The following technologies support this type of solution.

Lightweight Directory Access Protocol (LDAP)

Lists of users and their privileges (ACLs) are typically stored in data structures called directories. The standard for accessing directories is LDAP. While LDAP is only an access method and does not define the content or format of the ACL information, it is a broadly implemented standard and provides an important tool for enterprise-wide access management.

Security Assertion Markup Language (SAML)

SAML is an emerging standard and does not yet have broad industry support. SAML is Extensible Markup Language (XML)-based and provides a standardized way to specify the content of the ACL. Industry watchers predict that it will improve the integration of access control and management among multiple, diverse information systems.

References

For applicable standards see:

• Lightweight Directory Access Protocol (LDAP): <http://www.ietf.org/rfc/rfc1777.txt>.

• Security Assertion Markup Language (SAML): <http://www.oasis-open.org/committees/security/>.


Data Integrity

Description

Data integrity is a condition we strive to maintain. It is not a security practice, function, or device. It is the condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. In order to maintain data integrity during operations such as transfer, storage, and retrieval, and to ensure preservation of data for its intended use, several threat types must be addressed by policy, practice, and/or security technologies.

Purpose

The task of trying to maintain data integrity is compounded by the fact that threats can originate from hardware defects, software errors, poor design concepts, internal component and telecommunications interference (noise), friendly humans, and hostile humans to name just a few. The purpose of this chapter is to discuss some of the more common threats to data, and some of the preventative security measures available.

Best Practices

System Failures

There are many possible causes of data corruption in a computer system:

• Electronic noise: Primarily caused by high-energy particles and power disturbances.

• Physical hardware defects: Cracks, contamination, and packaging problems that can alter voltage and current flow.

• Hardware design errors: Logic design errors, circuit design errors, inadequate thermal protection, incorrect device utilization, and timing errors.

• Software (Systems) design errors: Incorrect algorithms, overwritten errors, and error recovery software that does not perform properly.

System failures are primarily within the province of integrated circuit manufacturers and systems vendors. Most system vendors provide error detection and correction on main memory, and parity checking on secondary cache.

Aside from installing a properly sized uninterruptible power source (UPS), there is little that the end user can do to protect against data integrity problems resulting from systems failures.

For situations where businesses cannot afford to risk the integrity of their data, purchasing specialized equipment can provide additional protection. Systems are available, usually at increased cost, that deploy parallel processors that crosscheck each other's output and perform end-to-end checksums on all data being transported.

Communications/File Transfer Threats

    • Checksums: Some communications programs use poor quality checksums on data being sent over lines with high error rates.
    • Text vs. Binary Transfer: When transferring data between machines that use different end-of-line and end-of-file representations in text files, it is very easy to corrupt data when transferring a complete directory that holds both binary and text files.
    • Subdirectories and Hidden Files: When transferring a tree of files by directory, it is easy to miss one or more subdirectories. Hidden or invisible files can be easily overlooked during a transfer of all files in a directory.
    • Interrupt Handling: Some file programs do not recover properly when interrupted. They can leave partial data on the target that is not recognized as being incomplete when the transfer is restarted. Some transfer programs see the partial data on the target and modify the name of the file during the restart.
    • Overwriting Files With Similar Names: In situations where files are being transferred to a target system that supports only shorter file names, the incoming file names may be truncated. If, after truncation, the file names match file names already on the target, an overlay may occur.

Communications programs and file transfer utilities are available that can be set to detect most of the situations outlined above and generate warning messages. Some will suspend processing until they are told to ignore the possible error condition. To compensate, most of the better programs allow for larger checksums for poor quality line conditions.

Users would be well advised to purchase a communications program/file transfer utility that can be programmed to warn the users when any of the above conditions occur.

Program Threats

Some disk storage systems come with transparent software utilities to maximize disk capacity by compressing and decompressing data. Storage systems also include transparent encryption utilities to protect data while in storage. Many of these programs are quite reliable, while others can occasionally corrupt data without any warning.

Care should be taken to avoid purchasing any transparent utility that performs any data transformations unless the vendor can provide test data showing that the utility will not cause data corruption.

Unintentional Human Threats

Users who want to simply view a file, but are unfamiliar with read-only viewing tools may revert to using file editors. When editors are used to view data it is very easy to unintentionally delete or modify characters while reading a file.

When deleting files, extreme care must be taken not to delete other files by mistake. This is especially true when using a wildcard command. If, for example, the command "delete coff*.dat" is used in order to delete files coff001.dat through coff009.dat, a file that should be retained called coffee.dat will also be deleted. Selecting the wrong backup tape when doing a file restore is a common way to corrupt data as well.
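The coff*.dat mistake above is the kind of error a dry run catches before anything is removed. This added example (not from the original document) expands a wildcard against a constructed directory listing, reports which selected names fall outside the intended set, and refuses to proceed unless the pattern selects exactly the intended files. The listing and file names beyond those in the text are constructed; no real files are touched.

```python
import fnmatch

# Constructed directory listing for the example; nothing here is read from disk.
LISTING = [
    "coff001.dat", "coff002.dat", "coff003.dat", "coff004.dat", "coff005.dat",
    "coff006.dat", "coff007.dat", "coff008.dat", "coff009.dat",
    "coff010.dat", "coffee.dat", "coffin.dat", "notes.txt",
]
INTENDED = [f"coff00{n}.dat" for n in range(1, 10)]   # coff001.dat ... coff009.dat


def expand(pattern, names):
    """Names a shell-style wildcard would select (case-sensitive match)."""
    return sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))


def preview_delete(pattern, names, intended):
    """Dry run of a wildcard delete: what it would remove beyond, or short of, the intent."""
    selected = set(expand(pattern, names))
    wanted = set(intended)
    return {
        "would_delete": sorted(selected),
        "unintended": sorted(selected - wanted),   # kept files the pattern would destroy
        "missed": sorted(wanted - selected),       # intended files the pattern skips
    }


def safe_to_run(pattern, names, intended):
    """Only proceed when the pattern selects exactly the intended files."""
    report = preview_delete(pattern, names, intended)
    return not report["unintended"] and not report["missed"]


if __name__ == "__main__":
    for pattern in ("coff*.dat", "coff00[1-9].dat"):
        report = preview_delete(pattern, LISTING, INTENDED)
        print(pattern, "->", report, "safe:", safe_to_run(pattern, LISTING, INTENDED))
```

The narrower pattern coff00[1-9].dat is what the loose wildcard should have been; the preview makes that visible without relying on the operator to notice coffee.dat in a long listing.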

Unintentional human threats should be addressed by using improved software utilities and training, training, and more training.

Protection can be improved by using good file name standards, access control restrictions, and utilities that detect and compensate for possible human error. For example, most properly installed and configured tape management utilities will prevent restoring a file from other than the most current finalized backup copy. If an older version needs to be used, a manual override must be applied.

Utilities that come with most of today's modern operating systems can be configured to provide protection from many of the unintentional user threats. For example, many file deletion utilities can be configured to create a backup copy of every file that is deleted. Although there are software solutions available to restore deleted files and correct corrupted records, there is little that can be done to prevent the harm that can come from using data that has been corrupted.

Unintentional human threats will continue to evolve with improvements in technology. The more common threats will be eliminated by software improvements only to be replaced by threats that are introduced by new software capabilities. Systems administrators must remain aware of the situations and software vulnerabilities that contribute to unintentional human threats. Software remedies should be implemented when available, and policy updates combined with training should be used to address the threats that remain.

Intentional Human Threats

Intentional human threats are unfortunately not limited to external perpetrators. Disgruntled and/or dishonest employees with access privileges and knowledge of the target system(s) pose significant threats that are much more difficult to detect.


External Human Threats

Other chapters of this document describe some of the security services that are available to reduce the risk of intrusions and protect internal resources, including data, from being compromised. Two of the primary objectives provided by this suite of security services are origin authentication and content authentication.

Both origin and content authentication are required to protect systems resources, and it is common for both to be provided by the same security services.

Origin authentication allows the identity of a message originator to be verified. This service denies access to unauthorized originators and counters the threat of masquerades. Content integrity service complements origin integrity service by allowing the originator to provide proof that the content of a message has not been modified.

Content integrity methods vary somewhat depending upon the type of origin integrity being used. The basic methodology involves the sender including an integrity control value that is computed using a cryptographic algorithm or private key to "fingerprint" the message content. The integrity control value, or hash value, is constructed from the message content so that the probability is minute that another piece of plain text or encrypted text could hash to the same value. The longer the hash (usually 112-168 bits), the smaller that probability.

The receiving system uses the same hash algorithm and/or digital signature to recalculate the hash total for the message received. If the recalculated hash matches the hash sent with the message, the message was not altered while in transit. It is recommended that hash totals be at least 128 bits.
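The sender/receiver hash-total check just described, as an added Python example that is not part of this document. It shows both an unkeyed hash total, which catches accidental corruption, and a keyed HMAC, which corresponds to the "private key" variant mentioned above and also catches deliberate alteration by anyone who does not hold the key; SHARED_KEY and the message text are constructed for the demonstration.

```python
"""Integrity control value ("hash total") check, as an added example.

The sender computes a value over the message content; the receiver
recomputes it and compares. A plain SHA-256 hash total detects accidental
corruption but can be recomputed by whoever alters the message; the keyed
HMAC-SHA256 variant (the "private key" case mentioned above) also detects
deliberate alteration by anyone who does not hold the shared key. Both
give 256-bit values, above the 128-bit minimum recommended above.
"""
import hashlib
import hmac

# Constructed shared secret held by both sender and receiver (demo only).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def hash_total(content: bytes) -> str:
    """Unkeyed integrity control value: SHA-256 hex digest of the content."""
    return hashlib.sha256(content).hexdigest()


def keyed_hash_total(content: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed integrity control value: HMAC-SHA256 over the content."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def send(content: bytes, keyed: bool = True) -> dict:
    """Sender side: attach the integrity control value (icv) to the message."""
    icv = keyed_hash_total(content) if keyed else hash_total(content)
    return {"content": content, "icv": icv, "keyed": keyed}


def verify(message: dict) -> bool:
    """Receiver side: recompute the value and compare with the one received.

    compare_digest runs in constant time, so the comparison itself does not
    reveal how many leading characters of the value matched.
    """
    content = message["content"]
    expected = keyed_hash_total(content) if message["keyed"] else hash_total(content)
    return hmac.compare_digest(expected, message["icv"])


def altered_in_transit(message: dict, new_content: bytes) -> dict:
    """Simulate corruption of the content only; the icv arrives as sent."""
    return {**message, "content": new_content}


if __name__ == "__main__":
    msg = send(b"case 2003-0417: hearing 2003-05-01 09:00")  # constructed
    print("intact verifies:", verify(msg))                     # True
    bad = altered_in_transit(msg, b"case 2003-0417: hearing 2003-05-02 09:00")
    print("altered verifies:", verify(bad))                    # False
```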

In terms of data integrity, Public Key Infrastructure (PKI) is one of the technologies in use today, other than basic hash totals, that addresses both origin and content authentication. PKI uses advanced cryptography to make the data unintelligible to anyone lacking the secret key(s) needed to decrypt it. Both secret key and public key systems are commonly used.

A secret key application is very simple in that only one key is used, and it must be in the possession of both the sender and the recipient for encryption and decryption to function. Secret key systems are still widely used but suffer from the difficulty of distributing the secret keys in a secure manner. In public key encryption, a related pair of keys is used: a private key and a public key. The sender uses the public key of the recipient to encrypt the data being sent, and the recipient uses their private key to decrypt the data.

Public keys are commonly attached to other information that specifically identifies the key-holder. This information is in the form of a certificate that includes the certificate holder's name, serial number, and the identity (name and digital signature) of the Certificate Authority that assigned the certificate. Another important piece of information in the certificate is a block of data that has been encrypted with the sender's private key. This data block is the sender's digital signature. When a message is sent, a unique hash value is created by using a one-way hash function and stored in a message digest. Upon receipt, the sender's digital signature is decrypted, and the recipient uses the same hash function to create a second hash value for validation purposes. If the sender's and recipient's hash values match, the data has not been altered. The fact that the digital signature of the sender was created using his/her private key also provides non-repudiation.

Internal Human Threats

Data integrity cannot be maintained adequately without protection from disgruntled and dishonest employees. Other chapters of this document cover some of the core security services and policies that are necessary to reduce the risk of internal human threats.

To help reduce threats from inside an organization, there are several suggestions that could be followed. All employees should have background checks completed, and a separation of duties should be implemented. If an employee does not need access to system resources, deny access. Consider creating a security policy manual that includes a chapter on internal threats for employees to have on hand. Implement two-level authentication (what you know and what you have), strict password policies, and sign-out procedures for access to hard media, such as tape drives, CDs, and repair disks. And last but not least, use audit systems and intrusion detection software.

Prevention and Recovery

Prevention

The following simple precautions can significantly reduce the chances of experiencing data integrity problems:

- Always power down computer equipment in the proper sequence.

- Back up data and other software resources on a regular schedule, and store current copies at a secure off-site location.

- Avoid using freeware or any other software that does not originate from a trusted source.

- Data backups should occur at intervals determined by how long a recovery process you can tolerate.

- Always use up-to-date virus protection software.

- Have a properly maintained UPS and power-conditioning equipment operational at all times.

- Run system maintenance utilities such as defragmentation on a regular schedule, and enable auto-save features, when available.

- Implement and maintain auditing/detection tools that are capable of detecting and reporting changes to mission critical system files. Reference Chapter 12 for more detailed information.

Recovery

Prepare a thorough plan for responding to data integrity problems. This plan can be a subset of the Intrusion Detection Response and/or Disaster Recovery Plans. More information on recovery planning is available at <http://www.cert.org/security-improvement/modules/m06.html>.

References

- Federal Information Processing Standard Publication 180-1, April 17, 1995, Secure Hash Standard, <http://www.itl.nist.gov/fipspubs/fip180-1.htm>

- MD5 Command Line Message Digest Utility, Author - John Walker, <http://www.fourmilab.ch/md5/>; also documented at <http://www.bacula.org/html-manual/md5.html>


Data Classification

Description

One of the first steps to securing electronic information is to determine what data needs protection. Information varies in its degrees of sensitivity, need for integrity, and its criticality. Therefore, the required protection measures to secure the data vary also. An information classification scheme should be developed to designate classes of information and their associated protection measures.

Purpose

The data classification section describes methods to categorize information for different levels of security protection. Alternatives vary in rigor (i.e., the degree of protection that they provide) and cost. Cost can be in dollars or in manual effort. In general, rigor and cost are directly proportional: the more rigorous a method, the more it costs. The justice information system owner should select methods that provide as high a level of assurance as possible within cost constraints.

Principles

The level of assurance of the classification method employed should be balanced against the cost and the risk associated with unauthorized disclosure, uncontrolled modification, or authorized users being unable to access the data. Information is classified based on its need for:

- Confidentiality or sensitivity (i.e., its need to be protected from unauthorized disclosure),

- Integrity or accuracy (i.e., its need to be protected from unauthorized alteration or destruction), and/or

- Availability or criticality (i.e., its need to be available to the users).

An owner should be designated for each set of information. Generally, this should be the person in charge of the unit that produced the data. It is the responsibility of the information owner to determine to which class the information belongs and to whom the information may be disclosed. The security administrator ensures the proper classification measures, as determined by the information owner, are enforced according to the security policy. There should be mechanisms in place to allow audits and reviews of the classifications assigned and associated security measures implemented. All data should be classified, regardless of the media on which it resides.


Policies

Once an organization decides on an approach for classification, it should document the policies, providing a consistent and comprehensive application of classification throughout the enterprise. The policy should identify scope, methods, standards, and organizational and individual responsibilities. The reader may refer to the following documents for examples of classification policy statements:

- The Missouri OSCA Data Security Guidelines, Section 5.5.1 Information Sensitivity Levels.

- The University of Massachusetts, Data Classification section, <http://www.umassp.edu/policy/data/itcdatasec.html>.

- Institute for Intergovernmental Research (IIR), Sample Operating Policies and Procedures, <http://www.iir.com/28cfr/sample_operating_Policies_procedures.htm>.


Best Practices

Table 1: Confidentiality Classification

(Columns: Description; Impact of Unauthorized Disclosure; Possible Examples; Access)

Public
  Description: Not sensitive; available to anyone
  Impact of Unauthorized Disclosure: N/A
  Possible Examples: Criminal convictions; published phone numbers
  Access: None

Internal
  Description: Slightly sensitive; not intended for external entities
  Impact of Unauthorized Disclosure: Adversely affect the organization
  Possible Examples: Internal phone numbers; organization charts
  Access: Available to employees and approved non-employees

Confidential
  Description: Sensitive; required to be controlled
  Impact of Unauthorized Disclosure: Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; and undermine confidence in and the reputation of the organization
  Possible Examples: Criminal cases with not guilty verdicts, open paternity cases, and ongoing investigation documentation
  Access: Available to employees and authorized non-employees with a non-disclosure agreement

Restricted
  Description: Very sensitive
  Impact of Unauthorized Disclosure: Seriously impact the entire system, individual persons, and the public; incur serious financial and legal liabilities; and damage confidence in and impair reputation of the organization
  Possible Examples: Personnel information, court documents on juveniles, adoptions
  Access: Available to select employees and authorized non-employees with a non-disclosure agreement; granted on a need-to-know basis; and an access list must be maintained

Sealed
  Description: Extremely sensitive
  Impact of Unauthorized Disclosure: Severely impact the entire system, individual persons, and the public; may cause loss of life; organization may be disbanded; and irreparable destruction of confidence and reputation of the organization
  Possible Examples: Sealed or expunged court cases
  Access: Available to specific individuals and only in exceptional cases, granted on a need-to-know basis, and access control list must be maintained


Table 2: Integrity Classification

(Columns: VERY LOW; LOW; MEDIUM; HIGH. Rows: Definition; Impact of Unauthorized Modification; Possible Examples)

VERY LOW
  Definition: 80 - 90% error-free
  Impact of Unauthorized Modification: Adversely affect the local organization
  Possible Examples: Public Web page displaying information on elected officials

LOW
  Definition: 90 - 95% error-free
  Impact of Unauthorized Modification: Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; or undermine confidence in and reputation of the organization
  Possible Examples: Court schedules

MEDIUM
  Definition: 96 - 99% error-free
  Impact of Unauthorized Modification: Seriously impact the entire system, individual persons and the public; incur serious financial or legal liabilities; or damage confidence in and impair reputation of the organization
  Possible Examples: Public access to records of conviction or court judgments

HIGH
  Definition: 100% error-free
  Impact of Unauthorized Modification: Severely impact the entire system, individual persons and the public; may cause loss of life; organization may be disbanded; or irreparable destruction of confidence and reputation of the organization
  Possible Examples: Records of conviction for law enforcement use; fingerprint and other identification records for law enforcement use; emergency contact information for the public; warrants and orders of protection


Table 3: Availability Classification


VERY LOW

LOW

MEDIUM