by Lori Kleckner
The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standard (NG-SEC) is designed to provide specifications for properly employing security in Emergency Services IP Networks (ESInets). Over the past several months we have highlighted sections of NG-SEC to summarize policy requirements, point out common discrepancies, and offer insight into the benefits of security compliance.
This installment of our NG-SEC blog focuses on Compliance Audits and Reviews, which provide a basis for auditing and assessing the level of security and risk of ESInet resources and the environment in which they exist. Compliance is measured against the requirements set forth in NG-SEC. Although compliance is not currently mandatory across all ESInets, it provides a way to measure security posture and offers insight into achieving a secure environment.
The process for conducting an audit should include:
Perform the audit – interviews, visual inspection of resources, facilities, documents, automated tools
Document audit findings – a summary of the deficiencies noted during the audit
Remediation of findings – a plan and timeline to correct the deficiencies reported, as well as follow-up tasks to ensure deficiencies are corrected or a risk mitigation plan is in place
Retention – documentation from the audit should be retained
NG-SEC offers an audit checklist (highlighted in a previous blog). It is highly recommended that persons performing the audit use this checklist, as it is specifically designed to work in conjunction with NG-SEC.
Auditors may be internal or external to the organization. The ability to be impartial is an important factor when performing audits. The audit team should be free from preconceived notions regarding the outcome of audit areas. PSAPs should consider partnering with other PSAPs to perform annual audits. Due to the relationship between PSAPs, this would not be considered an external, third-party audit.
External audits should be conducted every three years. Over the course of three years, each organization should receive two internal audits and one external audit. External audits should be conducted by a third party engaged specifically for auditing purposes. Regardless of the auditor, the audit should use NG-SEC and the associated checklist.
It is common to find PSAPs that are familiar with Criminal Justice Information Services (CJIS) audits performed on National Crime Information Center (NCIC) systems located in the same facility as the emergency call center. CJIS audits are well respected; they focus on the data, services, and protection controls in place for the NCIC system. These audits are intended for resources associated with NCIC and do not encompass all resources associated with ESInets. CJIS and NG-SEC audits cannot be substituted for each other.
Performing NG-SEC audits should be included in the organization’s policies. Documentation review and interviews should be an integral part of any audit. Automated tools and penetration testing provide a more comprehensive assessment of the functionality, effectiveness, and appropriateness of the security controls in place. Regardless of the audit method, corrective actions must be applied. If you are not ready for an audit, using the audit process as a self-assessment provides a great starting point for securing your ESInet. Better yet, prepare for an ESInet with the appropriate security controls in place prior to implementation. If you do not know what is controlling your network, you do not have control of your network and are exposed to an array of security failures.
Next month we will look at the Exception Approval and Risk Acceptance Process followed by Incident Response and Planning. We will then complete the NG-SEC blogs with a summary of the series.