Cyber Security Update: General Security for PSAPs

By Monique Lewis & Lori Kleckner

 

Our last posting, Information Classification and Protection, highlighted features from NG-SEC, Section 7, Safeguarding Information Assets. This month’s blog focuses on key elements from NG-SEC, Section 6, General Security. This section refers to network connectivity, multi-homed devices, wireless, etc. and is a catchall within the NG-SEC standard. We will focus on our findings during our assessments.

One of the keys to the success of General Security is for the PSAP Administrators to be knowledgeable and involved in all security operations of the PSAP. The administrators should perform annual self-reviews on the PSAP’s systems to assure compliance with all requirements. The reviews should be documented by the administrators and coordinated with the security manager and senior PSAP official. Additionally these reports should remain on file as a reference, until superseded by the following review. L.R. Kimball observed self-reviews were not being accomplished at the majority of 9-1-1 facilities visited.

The trend among the PSAPs included a lack of physical security policies, including a security training program. Although the PSAP staff had informal reporting procedures for suspicious activity, formalized procedures would assure the identification of suspicious activity to both the network and the facility in a timely manner. Generating a security training program would correct several of these issues, by instructing the staff on what to look for; when and how to report a threat; as well as to whom a threat should be reported thereby reducing the vulnerability to the network and facility.

The majority of PSAPS did well in the area of Inventory, network connectivity, and network documentation. The inventory of the PSAP’s equipment was present and updated routinely by the administrators and the PSAP managed services provider. With a few exceptions, access to the network was controlled by the effective use of a firewall. Most administrators locked all inbound and outbound unused and unnecessary ports. The network documentation for a great deal of the PSAPs was maintained with the PSAP’s managed services provider, which performed the majority of the documentation functions.

Administrators at most PSAPs effectively controlled server room access. However, administrators remained logged in to the system continuously, which leaves the system vulnerable. Should an intruder gain access to the network they have complete access to all data. Additionally, several administrators shared the administrator password with the staff, limiting the effectiveness of access control.

General security is an important factor in the successful operation of any organization. Considering the 9-1-1 facility’s critical mission, it is imperative staff remain aware of and follow the established security practices. Although it is not possible to eliminate all threats, implementing the steps above according to NG-SEC standards can significantly aid in the reduction of those threats.

Please join us for our next blog posting, as we will cover NG-SEC, Section 7, Safeguarding Information Assets.

Information Classification & Protection

by Lori Kleckner & Monique Lewis

In this installment of L.R. Kimball’s series on Next Generation 9-1-1 (NG9-1-1) Security, or NG-SEC, we will discuss information classification and protection. Classification measures are in place to protect sensitive information. Types of sensitive information include personnel records and network configurations. Personal health information recorded from emergency calls may be protected as well. Unauthorized release of sensitive information may result in law suits, exposed networks, and the possibility of violating federal laws.

Information should be classified according to its level of sensitivity. The level of sensitivity determines the level of protection. What you should consider when classifying information:

• Policies
• Regulations
• Laws
• Mandates

L.R. Kimball observed that security policies do not exist among most 9-1-1 facilities visited. However, an informal policy was implemented at each facility. It appears to be commonplace among the 9-1-1 community at large to treat uncategorized information as sensitive when the classification is unknown. L.R. Kimball found that each facility bears its own variation of informal information classification and identification of sensitive information.

Additionally, several facilities have similarities when it came to treatment of security policies. For example, many facilities required signature and pickup on a specific type of information. Although most 9-1-1 facilities tends not to create the security policy for information classification, L.R. Kimball found it to be commonplace among most emergency responders to have some form of informal policy pertaining to information classification implemented. 

Responsibility for classifying and protecting information should be clearly defined. The data owner and data custodian should be known and identified. The data owner is responsible for determining the value or sensitivity of the information and assigning classification, e.g. public, internal use only, restricted. The data owner should communicate appropriate access and safeguard requirements to the data custodian and users. The data custodian is responsible for applying the restrictions established by the data owner to ensure confidentiality, integrity, and availability is maintained.

Role	Responsibility
Data Owner	Establish classification and protection levels
Data Custodian	Apply and manage appropriate safeguards
Data User	Adhere to controls in place

Uncategorized information could lead to the release of sensitive information. Formalizing information and classification policies will reduce the possibility of accidental release of sensitive information.

Our next blog will highlight NG-SEC section 6, General Security.

When It Comes to Public Safety Security Programs, Security Policies are the Key to Success

Blog post by Monique Lewis and Lori Kleckner on June 17, 2011

In this multi-series blog posting on security at public safety answering points and public safety organizations, our first blog provided background on how and where we obtained our information and discussed how we will provide information to you in future postings as they relate to the NG9-1-1 Security (NG-SEC) standard.

In this blog posting, we will discuss the first section of the NG-SEC standard, security policy and its effects on PSAPs. At a minimum, the NG-SEC required the following areas to be covered in policy:

• Senior Management Statement of Policy (Organizational Policy)
• Functional Policies
• Procedures

It is important that the senior management statement of policy identify an individual responsible for security. Additionally the senior management statement should describe the organization’s objectives and security goals in writing. We observed that many these senior management statements of policies do not exist among most of the 9-1-1 facilities we visited.

PSAPs have implemented functional policies in both formal and informal way among many PSAPs. Most PSAPs have solid hiring practices in place; authenticate passwords; and physical security policies implemented. Many PSAPs do not have wireless, remote, or incident response policies implemented at their facility. Although formal procedures seem to be a common practice among many PSAPs, we have discovered that informal procedures are just as widespread among the 9-1-1 community.

The 9-1-1 community should be aware that security policies are instrumental to an effective security program. Formalizing security policies into 9-1-1 facilities is the first step to getting the organization on the path toward mission success. Functional policies and procedures will aid in the prevention of the accidental release of sensitive information. Cyber security should be a part of everyone’s focus.

Our next blog posting will feature Information Classification and Protection.

The 3 P's of Cyber Security for 9-1-1: Planning, Procedures and Policies

Blog post by Monique Lewis and Lori Kleckner on May 26, 2011

Our work in cyber security often finds us assessing a Public Safety Answering Point’s (PSAP) readiness to comply with the National Emergency Number Association’s (NENA’s) Security for Next Generation 9-1-1 Standard (NG-SEC). 

Over the past year, we’ve looked at a variety of PSAPs across the country and without divulging specific private information related to a client, we’ve taken note of several small steps many PSAPs could take to improve their readiness for a cyber security breach. One of these areas is related to security plans and policies.

NENA’s NG-SEC standard and the NG-SEC Audit Checklist is a great starting point for developing security plans and policies. The general areas covered by NG-SEC include

• security policies
• information classification and protection
• general security
• safeguarding information assets
• physical security guidelines
• network and remote access security guidelines
• change control and documentation
• compliance audits and reviews
• exception approval and risk acceptance process
• incident response and planning.

Although many PSAPs have processes in place, the amount of formal documentation they have is very limited. Quite often, written plans, policies, and procedures are lacking, creating inconsistencies that allow for dangerous gaps in security.