CJIS Security Policy version 5.1 - Policy Area 1: Information Exchange Agreements

 

As we begin our journey into the policy areas of Criminal Justice Information Services (CJIS) Security Policy version 5.1, we find increased security requirements for several areas in our current topic of interest, Information Exchange Agreements. This area provides requirements for the information shared through communication mediums: electronic mail, instant messages, web services, facsimile, hard copy; and information systems sending, receiving, and storing Criminal Justice Information (CJI). The following information focuses on the recent changes to increase security measures.  As a reminder - Security requirements as set forth by the security policy are considered a starting point. Agencies are encouraged to develop local policies and procedures to further protect CJI.

 

Information Exchange

First, we find additional measures are in place to clarify the process of exchanging information. This assists agencies to provide the appropriate security measures in compliance with version 5.1. Information exchange agreements must be in place and agencies must document security measures as follows:

• Before exchanging CJI
• When sharing CJI data that is sent to and/or received from the FBI CJIS
• Commits both parties to the terms of information exchange

 

Information Handling

Information handling includes handling, processing, storing, and communication of CJI. Procedures are required to protect information from unauthorized disclosure, alteration or misuse.

 

Agency User Agreements

Updates to agency user agreements increases specifications for public and private Noncriminal Justice Agencies with additional requirements for:

• Authorization pursuant to federal law or state statute approved by the U.S. Attorney General
• Signed written agreement with the appropriate signatory authority of the CJIS Systems Agency and/or State Identification Bureaus providing the access
• Allow the FBI to periodically test the ability to penetrate the FBI’s network

 

Security and Management Control Outsourcing Standard

Increased measures in place requiring all Channelers are:

• Subject to the terms and conditions described in the Compact Council Security and Management Control Outsourcing Standard
• To meet the same training and certification criteria required by governmental agencies performing a similar function
• Subject to the same extent of audit review as local user agencies

 

Monitoring, Review, and Delivery of Services

Measures are added pertaining to private contractors and service providers requiring:

• Reports and records are regularly monitored and reviewed
• Control and visibility  for all security aspects including  identification of vulnerabilities and information security incident reporting and response
• Conformance to the incident reporting and response specifications

 

Managing Changes to Service Providers

Changes include:  provision of services, changes to existing services, and new services. Updated requirements incorporate:

• Any changes to services provided by a service provider are managed by the Criminal Justice Agency
• Evaluation of the risks to the agency is undertaken based on the criticality of the data, system, and the impact of the change

 

Secondary Dissemination

The final requirement update for Information Exchange is - log the dissemination of Criminal History Record Information when the receiving agency was not included in the primary information exchange agreement.

 

Summary

Security measures increased significantly for Information Exchange Agreements with the introduction of CJIS Security Policy version 5.0 and continue in version 5.1. Readers, who are familiar with the previous versions of the security policy, should closely review the measures of the current version. Areas of particular increase are seen for monitoring, managing, and documenting the exchange of information. 

 

Next Blog

Policy Area 2. Security Awareness and Training.  The majority of the requirements found in version 5.1 of the security policy first appeared in version 5.0.  Prior to these recent versions, security awareness and training was not a well documented process and contained few requirements. Join us next month, as we examine the updated requirements beginning with basic security awareness training and following through to assigning records maintenance responsibilities.

Kimball Actively Preparing Staff for Full Client Support on the State & Local Implementation Grant Program (SLIGP)

Kimball has been actively preparing our staff to support clients in preparing the grant applications, and as we announced last year, we established the Kimball Broadband Evolution Support Team (BEST) in anticipation of planning activities states are expected to perform under the SLIGP program.

 

 State and Local Implementation Grant Program (SLIGP); Supplemental Application Narrative

1. Existing Governance Body

 

a. Describe the organizational structure and membership of the existing Statewide Interoperability Governing Body (SIGB), or its equivalent, that is responsible for public safety communications in the State.

 

b. Describe the SIGB’s authority to make decisions regarding public safety communications and how these decisions are implemented.

 

c. Describe how the State will leverage its existing SIGB, or its equivalent, to coordinate the implementation of the Public Safety Broadband Network (PSBN) in the State.

 

d. How does the State plan to expand its existing SIGB to include representatives with an understanding of wireless broadband and Long Term Evolution (LTE) technology in order to facilitate its consultations with FirstNet?

 

e. Does the State currently dedicate sufficient financial resources to adequately support the SIGB? Does the State intend to invest funds received from SLIGP to financially support the SIGB? If so, provide the amount the State expects to request and describe the SIGB functions that these funds will support.

 

2. Statewide Communications Interoperability Plan (SCIP)

 

a. Are there existing strategic goals and initiatives in your SCIP focused on public safety wireless broadband? If so, what are they?

 

b. Describe how the State has engaged local governments and tribal nations, if applicable, in public safety broadband planning activities that have been completed to date.

 

c. Does the State intend to use SLIGP funding to support efforts to update the SCIP by adding public safety wireless broadband strategic goals and initiatives? If so, provide the amount the State expects to request and describe the activities that these funds will support.

 

3. State-level Involvement

 

a. What is the status of the Statewide Interoperability Coordinator (SWIC) for your State? Does this person work full-time in the SWIC capacity? How will this person be involved with SLIGP?

2

 

 

b. How will the State’s Chief Information Officer/Chief Technology Officer be involved with SLIGP and with activities related to the implementation of the nationwide public safety broadband network?

 

c. What other State-level organizations or agencies will be involved with SLIGP?

 

d. What are the specific staffing resources the State requires to effectively implement the consultation process with the First Responder Network Authority (FirstNet) and perform the requirements of SLIGP? If the application requests funding for additional staffing, provide the amount the State expects to request and describe the positions these funds will support.

 

e. How is the State engaging private industry and secondary users (e.g., utilities)?

 

4. Coordination with Local Government Jurisdictions

 

a. Describe the local government jurisdictional structure (e.g., municipalities, cities, counties, townships, parishes) located within the boundaries of the State, Commonwealth, Territory, or District applying for a grant. How many of these local jurisdictions exist within the State’s boundaries?

 

b. Describe how your State will involve these local jurisdictions to ensure there is adequate representation of their interests in the FirstNet consultation and in the planning and governance for SLIGP.

 

c. Describe past methods the State has used to successfully coordinate state-wide projects or activities with local government jurisdictions.

 

d. What have been some of the State’s primary challenges when engaging with local jurisdictions? What are some of the strategies that the State will employ to overcome these challenges during implementation of SLIGP?

 

5. Regional Coordination

 

a. Does your State have intrastate regional committees that are involved with public safety communications? If so, please describe their organizational structure and membership and how they provide input to the SIGB.

 

b. Describe any interstate regional bodies in which your State participates that are involved with public safety communications in the State.

 

c. How does the State plan to engage and leverage these existing regional coordination efforts in the nationwide public safety broadband network planning?

If you’d like help developing your responses to the many questions required for the grant application, Kimball’s BEST team is ready to get engaged immediately – contact us at communications.technology@lrkimball.com

Incident Response and Planning

by Lori Kleckner

We are at the final section of the NENA Next Generation Security Standard (NG-SEC). Our topic is Incident Response and Planning. Although most emergency call centers do well to respond to physical incidents, responding to cyber incidents is still an area in need of attention.

In regards to cyber security, an Incident Response Plan should include details how an organization will respond to a computer security incident. Examples of incidents include:

• Malicious code – a virus, worm, Trojan horse or other harmful code-based activity 
• Hacking – unauthorized access to systems
• Critical service outages – failure of power, network, phones or other vital services
• Denial of service – attack that prevents or impairs authorized use of systems by exhausting resources

Although incidents such as critical service outages may not be a result of a cyber attack, such reasoning should be considered when investigating the source of the outage. Your facility may not have been the intended target, but collecting information from your environment may assist a wider investigation into the incident. To be prepared for any attack, a sound method must be in place.

The Process

 Plan – an orderly process with defined expectations. This plan should detail what to look for, what to do and assign responsibility for each task. Keep in mind; it is more cost effective to prevent an incident than bear the consequences. Once a solid plan is in place, activities should focus on:

Detect – through monitoring and established thresholds for automated alarms and notification. Partner with organizations that provide warning of impending and recently occurring security incidents which may impact your environment.

Respond – efficient and effective response to early signs of malicious activity and during an actual incident. Responding to security incidents is an important part of an effective IT security program. Rapidly detect incidents to minimize loss and destruction as well as restore service.

Report – techniques are followed to assure all information has been captured and disseminated to the appropriate authorities. The NG-SEC standard provides a template for information to collect and report.

What to Look For

Terms such as events and incidents are utilized to identify activities. Events are any observable occurrence in a system or network. Some events may appear to be unusual, but are determined to be normal activity. However, adverse events are incidents that cause a negative consequence, such as system failure, unauthorized use of system privileges or loss of data. An incident is a violation or imminent threat of violation of security policies or standard security practices.

Examples are: 

• An email attachment that infects the network computers
• An employee providing illegal copies of software through peer-to-peer file sharing originating on a workstation 
• A botnet sending high volumes of connection requests to a web server, causing it to crash

Any unauthorized attempt to leverage access to a system, e.g. network, server, workstation, software or data, is considered a security incident. It is understood that a security violation may and often will fall under the purview of authorities such as the police, FBI or other law enforcement agencies.

What to Do

In accordance with NG-SEC, the process for identification and reporting security incidents shall: 

Contain the incident and minimize the loss or compromise of information assets

• Isolate the system as much as possible, e.g. disconnect from the network 
• Initiate Business Continuity or Disaster Recovery plan if needed

Enable the initiation of the appropriate legal process

• Approach each suspect event as though it may be a security violation
• Gather and preserve evidence
• Provide evidence and evidence analysis to appropriate authorities

Process requests for security related information

• Establish a person to lead communication requests both to and from your organization
• Utilize appropriate channels to communicate information regarding the incident
• Practice notification procedures to assure names, phone numbers and email addresses are valid

Correlate activity with other incidents to allow for coordinated action and to prevent duplicated efforts

Establish procedures to update or repair functionality utilized to propagate the incident

Gather statistics for identifying trends and development of security measures to counteract vulnerabilities

Establish methods and notification procedures, e.g. alarms to warn of possible malicious activity

Improve procedures and guidelines

• Review effectiveness of incident handling
• Recommend changes to prevent and protect against future incidents

Recommend priorities and how to react to circumstances

• Quicker and more efficient
• Reduce cost, duration and business impact
• Establish Service Level Agreements for out-sourced processes

Summary

Responding to an incident begins with planning. A well thought out process to detect, respond and report is essential. Monitoring can provide warning of malicious activity as it begins and will ideally be mitigated before it has the opportunity to escalate into an incident. Knowing what to look for and what to do when faced with a cyber security incident will reduce system outages and the costs associated with a security breach. NG-SEC Appendix 1: Incident Response Planning provides sample plans, forms and other information to assist with these processes.

Our next blog will recap the key points throughout our journey of the ten sections of NG-SEC.

L.R. Kimball Announces Formation of Public Safety Broadband Evolution Support Team (BEST)

L.R. Kimball today announced the formation of a specialized team, focused on supporting clients in all aspects of Public Safety Broadband planning, network design, applications and grants and funding pursuits.  The firm’s Broadband Evolution Support Team (BEST) will be made up of L.R Kimball’s in-house staff of experts and select industry partners, covering nearly every aspect of end-to-end public safety communications systems.

L.R. Kimball’s team members have expertise in public safety and government communications, radio engineering and information technology, FCC licensing and spectrum planning and public safety operations.  In addition, a number of the firm’s professionals have direct operations and management experience in government and the public safety industry, developing governance, operating structures and funding approaches.  This insight and experience provides a unique understanding of the requirements, operating environment, applications and capabilities needed by public safety broadband system users.  Equally important, the Kimball BEST staff  can provide clients with an understanding of not only the technical aspects of an decision, but a first-hand understanding of operational and, sometimes, political aspects of potential changes that might result from a recommended course of action. 

L.R. Kimball’s BEST staff includes experts who supported previous relevant client projects such as:

Successful NTIA BTOP Grant Program Applications for Pennsylvania, West Virginia, Vermont Telecommunications Authority and New Jersey (one of 7 Public Safety LTE project awards in the country)

LinkAMERICA Alliance Broadband Mapping - as part of the LinkAMERICA Alliance, L.R. Kimball is working through CostQuest Associates to implement the NTIA awarded State Broadband Data and Development projects for four states:  Alabama, Idaho, Wisconsin and Wyoming. 

Oklahoma Statewide Public Safety LTE Assessment –L.R. Kimball was engaged by Oklahoma to identify and asses existing radio communications infrastructure and resources in the state and provide recommendations to leverage these investments to upgrade government and public safety communications in the state.  L.R Kimball’s team completed a parallel analysis of need, conceptual design and budgetary cost estimates for an LTE infrastructure sharing the same backbone and sites as the land mobile radio network.

L.R. Kimball’s BEST staff is already actively engaged in monitoring and analyzing information being released as a result of the passage of HR 3630, by NTIA, the FCC and the Public Safety community.  Kimball’s BEST team is fully prepared to support clients in understanding the provisions of HR 3630 and the National Public Safety Broadband Network approach.  In particular, Kimball’s complete suite of capabilities and the BEST staff will bring clients all of tools needed to address the anticipated requirements of the State level Broadband Plans, including:

• Document and Inventory existing resources such as Tower sites, Microwave and Fiber Connectivity, etc.
• Interactive Mapping and Display of Resources and Networks
• Conceptual System Design and Cost Estimates
• Opt-in/Out Analysis
• Sustainability and Business Case Analysis
• Governance and Operating Model Approaches
• Application and Use Case Assessments and Recommendations
• Procurement Support
• Project Management and Implementation Support Services

 

For more information on the services supported by the L.R. Kimball Public Safety Broadband Evolution Support Team, contact:

 Kevin McGeary

(814) 867-4566 x3275

 

Background:

L.R. Kimball is one of the nation’s largest engineering/architecture/consulting firms and is the infrastructure business unit of CDI Engineering Solutions listed as #12 on Engineering News Record’s list of “Top 50 Telecommunications Firms.  Headquartered in Pennsylvania since our founding in 1953 as a civil engineering firm, L.R. Kimball has evolved into a contemporary, multifaceted full-service solution provider.  The firm is nationally recognized and serves clients from its ten regional offices across the United States.

 

The BEST is organized under L.R. Kimball Communications Technology Division, already supporting hundreds of Public Safety clients in NG9-1-1, Dispatch Operations and Staffing, Automated Systems, Radio and Wireless, GIS/Mapping, and Government and Regulatory Services.

Exception Approval and Risk Acceptance Process

by Lori Kleckner

This installment of our Next Generation Security blog discusses areas in the emergency call center environment which are not compliant with security policies, laws or regulations governing the environment, specifically the network. Risks exists, they are unavoidable. The actions taken to minimize negative impact, demonstrates due care to protect resources including devices, data and the ability to provide emergency services to the public. The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standard (NG-SEC) offers a structure for policies supporting the exception approval and risk acceptance process.

Risk Exception and Acceptance

Risk exception begins with identifying an exposure. This is recognizing an area where you are not compliant with policies, laws or regulations in place. Your resources are at risk for exposure to malicious activity or for penalties due to non-compliance.

Risk acceptance is acknowledging and agreeing to the consequences of exposure. You know your resources are exposed and accept the damage that could occur due to that exposure.

Risk mitigation is the action in place to minimize the impact of the consequences. 

The Process

Risk assessment: Conduct an assessment (we of course recommend the NENA NG-SEC Standard) to compare your environment to a standard developed for emergency call centers. From this assessment weigh the following factors to determine your level of risk: 

• Potential severity – how bad could it be
• Impact of the risk – what will happen, how much damage will it cause
• Likelihood – will it happen, how often

Risk analysis: Evaluate the feasibility and cost of mitigation strategies relative to the potential cost impact. Consider:

• How can we correct this        
• Will this cost more before or after it occurs
• Can we correct this now or ever

Risk response: There are four counter measures to the existence of a risk:

• Eliminate – correct the situation
• Reduce – mitigate the likelihood of occurrence or minimize the impact
• Transfer – move the responsibility or liability to another source, e.g. third-party outsourcing
• Accept – with no other options available, accept the consequences

Risk acceptance and approval: When risk cannot be eliminated, reduced to an acceptable level or transferred to another source, it must be accepted and approval from leadership must be obtained. Gaining approval from leadership provides awareness at the top level of the organization and engages allies to further support risk mitigation.

It is understood that removing a risk or reducing a risk to an acceptable level is not always possible. Reasons are often:

• Funding – not a budget priority at this time
• Technical – risk mitigation or removal is not supported by current devices
• Resources – there are simply not enough personnel available to support mitigation or removal

Findings from assessments performed by L.R. Kimball reveal that an exception approval and risk acceptance process is not common among emergency call centers. Having a formal process in place not only indentifies areas of concern but provides a plan to decrease, eliminate or at least prepare for the consequences of risks. The process also provides insight for future purchases that may aide in further reducing risk.

Summary

We have touched on the high-level points for exception approval and risk acceptance. Determining your level of risk requires an assessment and knowledge of security policies, laws and regulations governing your environment. The NG-SEC standard provides an in-depth process for risk analysis, mitigation and acceptance. Risks exist, they are unavoidable. By planning, you will create awareness throughout your organization of the risks present and increase your ability to minimize the consequences.

 The next installment of our NG-SEC series will discuss Incident Response and Planning. This will complete our review of the 10 sections of the NG-SEC standard. We will follow the final section with an overview and summary of NG-SEC series.

NG-SEC Compliance Audits and Reviews

by Lori Kleckner

The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standard (NG-SEC) is designed to provide specifications to properly employ security for Emergency Services IP Networks (ESInet). Over the past several months we have highlighted sections of NG-SEC to provide a summary of policy requirements, common discrepancy and offer insight to the benefits of security compliance.

This installment of our NG-SEC blog focuses on Compliance Audits and Reviews which provides a basis for auditing and assessing levels of security and risk to ESInet resources and the environment in which they exist. Compliance is based upon the standards as set forth by the NG-SEC standard. Although compliance is not currently mandatory across all ESInets, it provides a method to measure security posture and insight for achieving a secure environment.

Audit Process

The process for conducting an audit should include:

Establish parameters – all devices which are connected to or support the operation of the ESInet as well as policies and procedures impacting the ESInet, facility and personnel

Perform the audit – interviews, visual inspection of resources, facilities, documents, automated tools

Document audit findings – a summary of deficiency noted during the audit

Remediation of findings – a plan and timeline to correct deficiencies reported as well as follow-up tasks to ensure deficiencies are corrected or a risk mitigation plan is in place

Retention – documentation from the audit should be retained

NG-SEC offers an audit checklist (highlighted in a previous blog). It is highly recommended that persons performing the audit utilize this checklist as it is specifically designed to work in conjunction with NG-SEC.

Auditor

Auditors may be internal or external to the organization. The ability to be impartial is an important factor when performing audits. The audit team should be free from preconceived notions regarding the outcome of audit areas. PSAPs should consider partnering with other PSAPs to perform annual audits.  Due to the relationship between PSAPs, this would not be considered an external, third-party audit.  

External audits should be conducted every three years. Over the course of three years, each organization should receive two internal and one external audit. External audits should be contacted by a third-party, specifically for auditing purposes. Regardless of the auditor, the audit should utilize NG-SEC and the associated checklist. 

Other Audits

It is common to find PSAPs who are familiar with Criminal Justice Information Services (CJIS) audits performed on National Crime Information Center (NCIC) systems located in the same facility as the emergency call center. CJIS audits are well-respected; they focus on data, services, and protection controls that are in place for the NCIC system. These audits are intended for resources associated with NCIC and do not encompass all resources associated with ESInets. CJIS or NG-SEC audits may not be interchangeably substituted for each other. 

Summary

Performing NG-SEC audits should be included in the organization’s policies. Documentation review and interviews should be an integral part of any audit. Automated tools and penetration testing provide a more comprehensive assessment of the functionality, successfulness, and appropriateness of the security controls in place. Regardless of the audit method, corrective actions must be applied. If you are not ready for an audit, utilizing the audit process as an assessment provides a great starting point for securing your ESInet. Better yet, prepare for an ESInet with the appropriate security controls in place prior to implementation. If you do not know what is controlling your network, you do not have control of your network and are open to an array of security malfunctions.

 Next month we will look at the Exception Approval and Risk Acceptance Process followed by Incident Response and Planning. We will then complete the NG-SEC blogs with a summary of the series.

Network & Remote Access

By Lori Kleckner

This installment of our security series focuses on section 9 of NENA Security for Next-Generation 9-1-1 Standard (NG-SEC), designed to be used by public safety agencies as a guideline for securing their systems. As today’s emergency services networks are implemented, it is important to identify, document and protect them. Solutions should also be in place to address equipment and circuit fail-over. Network and remote access security addresses several security issues and strategies for mitigation.   

As part of this series, L.R. Kimball has been sharing some common findings of non-compliance with NG-SEC as observed during our PSAP assessments. In the area of network and remote access it is prevalent to find both the absence of firewalls and firewalls that are not properly configured. Accurate network diagrams are generally not made available to the PSAPs. Network redundancy is minimal. This is obviously problematic.

It is difficult to protect the network and associated assets without first defining the network. Once the boundaries of the network are understood (and documented), actions should be taken to secure those boundaries. Firewalls should be in place at each boundary of the network. Firewalls should be configured based on business need of traffic, minimizing the number of ports open and protocols permitted to ingress and egress the network. Following a defined process for maintaining the firewall to assure only appropriate network traffic is entering or leaving the network, is a defense against issues arising from both known and emerging threats.

Remote access to the network is an area requiring close scrutiny to determine the business need. Any access to the network has the potential to introduce malicious activity both intentional and unintentional. Remote access, whether for third-party maintenance access or remote employees, must adhere to polices and the intent of the firewall must not be circumvented.

Network redundancy and diversity often requires consideration of the options available to the PSAP. Redundancy includes duplication of equipment and circuits. Advantages of redundancy are realized during maintenance of equipment and in the event of an unforeseen failure. Redundancy will provide the resources to remain operational while repairs are enacted. In the same manner, the ability to provide an alternate route for network circuits to achieve diversity in the event of an outage, supports maintaining high availability needed to provide emergency call services.

The importance of network and remote access, as well as addressing availability through redundancy and diversity are issues facing today’s IP-connected PSAPs. With strong policies in place and the commitment to follow through, the availability of emergency call services is greatly increased.

Visit our blog next month to gain an overview of change control and documentation.

The NG-SEC Series Continues... Physical Security

By Lori Kleckner

This installment in the NG-SEC series discusses physical security guidelines. Although one may not think of physical security as a topic in a cyber security arena, without physical security, network devices are left unprotected from the surrounding environment. All NG9-1-1 information resources must be kept physically secured and protected from theft, misappropriation, misuse, unauthorized access and damage. NG-SEC section 8, Physical Security Guidelines includes:

• Building and Physical Access Control
• Authorized Physical Entry
• Storage Media and Output
• Mobile Devices
• Environmental Controls
• Server Room
• Data Communications Network

During PSAP assessments L.R. Kimball observes PSAPs are generally cognizant of physical security. Among positive findings are closed circuit cameras, keypad entry, attended reception area, and logging visitors. However, once access is gained to the facility, it is common to find the doors to the call center and equipment rooms left open and unattended.

A particular concern for physical security is third-party vendors with open access to the facility. While it is understood that there is a need for certain vendor employees to gain access to the facility on a 24 hour basis, it is not to say that their presence should be completely unattended. It is recommended that such personnel be logged in and their actions while in the facility monitored. It is important that the PSAP is aware of tasks that are performed by all personnel who have access to sensitive areas to prevent mishaps and to remain informed of actions taken.

Another point of concern during assessments is minimal concern afforded to areas with environmental controls. Physically securing the environmental controls is an important and often overlooked aspect of security. With server rooms and workstations that are reliant upon proper temperature and humidity control to operate, environmental controls are necessary. If equipment is not properly cooled, it will overheat resulting in system shutdown, data loss and possible equipment and software damage.

Similar areas of physical concern are:

• Commercial power rooms
• Emergency power rooms
• Communications rooms
• Cable vaults
• Switch rooms
• HVAC equipment rooms
• Operations control rooms

As PSAPs become connected via IP enabled networks, physical security is a growing responsibility that requires further attention. Unattended areas provide the opportunity for data theft and network interruptions. PSAPs should address physical security throughout the facility to assure restricted areas are available only to personnel with a business need.

Our next post will discuss network and remote access security.

Cyber Security Update: General Security for PSAPs

By Monique Lewis & Lori Kleckner

 

Our last posting, Information Classification and Protection, highlighted features from NG-SEC, Section 7, Safeguarding Information Assets. This month’s blog focuses on key elements from NG-SEC, Section 6, General Security. This section refers to network connectivity, multi-homed devices, wireless, etc. and is a catchall within the NG-SEC standard. We will focus on our findings during our assessments.

One of the keys to the success of General Security is for the PSAP Administrators to be knowledgeable and involved in all security operations of the PSAP. The administrators should perform annual self-reviews on the PSAP’s systems to assure compliance with all requirements. The reviews should be documented by the administrators and coordinated with the security manager and senior PSAP official. Additionally these reports should remain on file as a reference, until superseded by the following review. L.R. Kimball observed self-reviews were not being accomplished at the majority of 9-1-1 facilities visited.

The trend among the PSAPs included a lack of physical security policies, including a security training program. Although the PSAP staff had informal reporting procedures for suspicious activity, formalized procedures would assure the identification of suspicious activity to both the network and the facility in a timely manner. Generating a security training program would correct several of these issues, by instructing the staff on what to look for; when and how to report a threat; as well as to whom a threat should be reported thereby reducing the vulnerability to the network and facility.

The majority of PSAPS did well in the area of Inventory, network connectivity, and network documentation. The inventory of the PSAP’s equipment was present and updated routinely by the administrators and the PSAP managed services provider. With a few exceptions, access to the network was controlled by the effective use of a firewall. Most administrators locked all inbound and outbound unused and unnecessary ports. The network documentation for a great deal of the PSAPs was maintained with the PSAP’s managed services provider, which performed the majority of the documentation functions.

Administrators at most PSAPs effectively controlled server room access. However, administrators remained logged in to the system continuously, which leaves the system vulnerable. Should an intruder gain access to the network they have complete access to all data. Additionally, several administrators shared the administrator password with the staff, limiting the effectiveness of access control.

General security is an important factor in the successful operation of any organization. Considering the 9-1-1 facility’s critical mission, it is imperative staff remain aware of and follow the established security practices. Although it is not possible to eliminate all threats, implementing the steps above according to NG-SEC standards can significantly aid in the reduction of those threats.

Please join us for our next blog posting, as we will cover NG-SEC, Section 7, Safeguarding Information Assets.

Kimball experts featured by Urgent Communications

L.R. Kimball senior consultants, Jeremy Smith and Kevin McGeary are passionate about cyber security and making sure that public safety officials understand that the risk goes beyond attacks from hackers. Jeremy and Kevin recently presented on the topic of cyber security and the types of viruses and vulnerabilities.  The presentation and information they provided will be further discussed in L.R. Kimball resources, such as white papers and blog posts. 

In the meantime, we invite you to view the presentation or check out this Urgent Communications article which discusses how to best protect an agency's network.