We have to identify the threats and assign localized realistic weights to each to create a prioritized list. Thus we should develop a cost benefit solution “toolbox” and a security policy for the FIU.
Information security threats are global in nature, and indiscriminately target every organization and individual who owns or uses (primarily) electronic information. These threats are automated and loose on the internet. In addition, data is exposed to many other dangers, from acts of nature, through external attack to internal corruption and theft.
Risk assessment and risk treatment plans Every organization must have its own specific business model, objectives, unique selling features and culture, it also has its different appetites for risk. In other words, something that one organization sees as a threat against which it must guard, another might see as an opportunity that it should grasp. Similarly, one organization might be less prepared to invest in defences against an identified risk than another. For this, and other reasons, every organization that implements an ISMS must do so against the findings of a risk assessment whose methodology, findings and recommendations have been approved by the board of directors. ISO27001, in fact, requires there to be a risk assessment and, while it does not specify a methodology, is very clear that this risk assessment must be based on identifying threats and vulnerabilities at an individual asset level and, from there, analysing and assessing risks. Risk assessment tool. One can develop one’s own tool, or use one that is pre-designed to meet the specific requirements of both ISO27001 and BS7799-3, such as vsRisk, which is available on CD-Rom. It can be quickly and easily be deployed international standard ( ISO / IEC 15408) http://www.iso15408.net/15408presentation.htm
The MoJ Network is part of the e-government public internet based network accessible by the public. It is partly secured against Malware and Cyber Attacks. It enables set-up of Virtual Private Network (VPN) Encrypted). It enables batch filing of CTR and SAR via encrypted VPN. The access to on-line government databases (Registers) is enable via VPNs relayed through this system. The Collection Subsystem is detached from the Cyber world (external) and enables retrieval and input of external digital files via Virtual Private Network (e.g., reports SAR CTR), as well as report on removable media and files extracted from remote government databases. Scanning and data entry of printed documents and images. Collection Subsystem is linked to the Core Research Network via “Air Gap” (Hardware Software Box) that ensures one-way passage of passive files only. The “box” is commercially available. It maybe replaced by dedicated software solution (commercially available). The Research subsystem is the Core system of the FIU. It is classified as “Top Secret”. It is selectively accessible only to classified personnel according to the needs of their duty. It stores the entire knowledge base of the FIU (e.g., SARs CTRs External Registers files, Foreign FIU information sharing, ). It’s servers enable the researches to manage case files, use information mining, analytical and visualization tools) Information extraction from the Core system is closely controlled and monitored. There are no External Gateways to the Research subsystem.
Air-Gap or e-gap is a programmed hardware device which filters in-coming and out-going data and prevents any active software from crossing over to the Core System. The Israeli solution was developed by Whale Systems which was acquired by Microsoft in 2006 and integrated into its line of Microsoft IAG 2007.
The two key reasons for the growing interest in certification to ISO27001 are the proliferation of threats to information and the growing range of regulatory and statutory requirements that relate to information protection. The information security standards are the essential starting point for any organization that is commencing an information security project. Anyone contemplating such a project should purchase and study copies of both standards, which are available for online purchase in a money-saving kit, in either hard copy or electronic format, from here: http://www.itgovernance.co.uk/standards.aspx
Fingerprint and Facial Recognition http://www.l1id.com/pages/9-company L-1 develops customer-focused solutions that address the ID requirements of specific markets. U.S. Federal Border Management Criminal Justice Government ID
“ Senior Officers Privileges e.g., assigning cases, authorizing dissemination of intelligence reports, request for additional information, Open Sources search, termination of cases, Business Intelligence reports review. Top persons are privileged but may have to act together to complete a “Change” cycle or a major implementation of security policy.
The definition can be highly formal or informal. Security policies are enforced by Security Mechanisms
The Bell-La Padula model is a state machine model used for enforcing access control in government and military applications.  It was developed by David Elliott Bell and Leonard J. La Padula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy.    The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g.&quot;Top Secret&quot;), down to the least sensitive (e.g., &quot;Unclassified&quot; or &quot;Public&quot;). This is provided by e.g., Oracle Database Management toolbox. http://en.wikipedia.org/wiki/Bell-La_Padula_model The Biba Integrity Model describes rules for the protection of data integrity .
The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity. [ http://en.wikipedia.org/wiki/Log_management_and_intelligence
First step enables us to define scope of BCP. It provides an idea for limitations and boundaries of plan. It also includes audit and risk analysis reports for institution’s assets. Business impact analysis is the study and assessment of effects to the organization in the event of the loss or degradation of business/mission functions resulting from a destructive event. Such loss may be financial, or less tangible but nevertheless essential (e.g. human resources, shareholder liaison) Convincing senior management to approve BCP/DRP is key task. It is very important for security professionals to get approval for plan from upper management to bring it to effect. US National Standards Institute provides a tool set which can be used for doing BCP. National Institute of Standards and Technologies has published tools which can help in creating BCP.
The IT Security Plan and process is a first step to eliminating system and information compromises. 1. Take an inventory of your physical and information assets
Secure FIU Affordable Threats Restraining for FIU’s Computing Center
Objective of the Presentation Egmont Group ITWG
Defense Circles Egmont Group ITWG High level of protection to Local Area Network Data Protection per 15408 international standard ( ISO / IEC Maximum defense of IT system against external attacks Simple Operation High Level ID and users’ Authentication Implementing the INFOSEC model
FIU Systems Architecture ( IMPA Concept ) Egmont Group ITWG
Some Basic Good Practices highlights for Secure FIU
Importing data to the Core System
Protecting the Local Area Network
Defending the core Computing System
Transmission of Intelligence
Importing of Information Cleansing of External Files
To accommodate :
Secure reporting via Internet Virtual Private Network
Submission of reports on removable media
Insertion of External Government and commercial information from “Open Sources”
All input formats have to be subjected to a “Laundering” stand alone station that shall remove any Malware (e.g., Virus, Trojan )
1. Define what are you protecting? 2. Perform a risk assessment to determine what level of security is needed to protect your information assets. 3. Complete the checklist to make you aware of your security strengths and weaknesses . 4. Complete an evaluation. Evaluate your findings and discuss recommendations to correct deficiencies and/or improve security with departmental administration and IT staff. 5. Develop a security plan . Create a Security Plan with target dates for implementation.
Assign r esponsibilities and target dates for the plan.