I. Executive Overview

 

Based on existing security standards guidance, the OCA business and technical environment, and a risk analysis performed, three alternatives were developed for each section (see narrative below) regarding statewide judicial standards options for security and protection of electronic and physical information while in storage and electronic transport via telecommunications.   These alternative security standards include desktop computing, client-server technology, local area networks, and wide area networks within the mix.  The alternative standards also address the required mix of tools and techniques including firewalls, intrusion detection, virus protection, passwords, encryption, vulnerability analysis, backup, disaster recovery planning, and physical security of the infrastructure.  The documentation for these standards includes identification and analysis of risks and security control options associated with each alternative.   For each of these standards a documented Minimum, Optimum, and Maximum security and control option is provided.  The technical specifications provided are also suitable, where appropriate, for defining statements of work and potential statewide contracts for IT security services. 

 

The Optimum Security standard is the recommended option for the most adequate IT security and control to be provided at the most appropriate cost.  Determining the Optimum Security standard as the recommended option was an extremely difficult decision due to the wide range of differences in technology between the nearly 2600 courts throughout the State of Texas.

 

II.  Overall Risk Assessment                                                                        

 

Risk assessment is a process for courts to perform in order to determine the level of risk associated with a given system.  The output of this process is the residual risk and a determination of what controls and standards should be addressed. 

 

Risk is a function of the likelihood of a security event and the impact that event would have on the organization’s mission.  To determine likelihood, courts analyze threats to the system in conjunction with the vulnerabilities present.  Impact is determined by considering the criticality of the system in supporting the organizational mission.

 

III.  Computer Security Policy                                       

 

Information security policy refers to the set of rules and practices an entity uses to manage and protect its information resources.  In discussions of information security, the term policy has more than one meaning. Policy is senior management’s directives to create an information resources security program, establish its goals, and assign responsibilities. Policy is also used to refer to specific security rules for particular systems or specific managerial decisions such as establishing an organization’s e-mail privacy policy or fax security policy.

IV.  Security Awareness and Awareness Training                                                    

 

Security awareness, awareness training, and education[1] are all necessary to the successful implementation of any information security program. These three elements are related, but they involve distinctly different levels of learning.

 

Awareness is not awareness training but is a prerequisite to it. Its purpose is to focus attention on security. Security awareness programs should be well established within the courts.[2] Awareness provides a baseline of security knowledge for all users, regardless of job duties or position. IT security awareness programs should be tied directly to security policy development and, if appropriate, the court’s information security incident response capability.

 

Awareness Training is geared to understanding the security aspects of the particular IT systems and applications that each individual uses. Each system is a distinct entity that requires its own set of security measures. Security awareness training shall take into account the uniqueness of each system and application.  It is recommended that awareness training be provided for all new employees,[3] whenever there is a significant change in the court’s IT security environment or procedures, and when an employee enters a new position that deals with sensitive, critical and/or confidential information. Annual refresher courses in security awareness training must also be provided, with the time period based upon the sensitivity of the information an employee handles.

                                                     

Education differs from training in both breadth and depth of knowledge and skills acquired. Security education, including formal courses and certification programs, is most appropriate for a court’s designated IT and/or system security specialists.

 

V. Court Risk Analysis and Assessment

 

Risk analysis and assessment assists a court in determining what information systems, data, and associated assets (facilities, equipment, personnel) constitute the critical information infrastructure. To conduct a risk analysis and assessment, the following steps shall be performed:

• Inventory all assets – including information assets (hardware and software), associated assets (IT facilities, peripheral equipment, IT personnel), and system interdependencies.
• Risk Analysis - involves determining and documenting the vulnerabilities in critical information assets. This may be a time-consuming task that will require the assistance of experts in the court’s particular hardware and software (operating systems, telecommunications, and application systems).
• Risk Assessment - risk management assessment shall be applied to the entire list of vulnerabilities and risks associated with their critical assets and infrastructure dependencies. Security enhancement costs often exceed available resources. Therefore, improvements normally must be made according to a number of risk management assessment factors.

 

VI.  Access Control Systems

 

The purpose of access control systems and practices is to protect information from the threats of unauthorized disclosure, modification, or destruction.  Access controls fortify the confidentiality, integrity, and availability of information assets by identifying and authenticating data, and users. 

 

Access control is a broad topic that incorporates many basic security practices, with one of the most important relating to password usage.  Therefore, password standards are an important subset of access control standards. Although access to sensitive information on critical computer systems is best controlled with strong authentication practices, well designed passwords may be adequate for controlling access to less sensitive information, so long as robust password standards are in place and users knowledgeable about what is required of them regarding computer security.

 

VII.  Firewall

 

Firewalls are an important component of secure network architecture.  They provide a secure gateway to other trusted and untrusted networks, and help ensure the confidentiality, integrity and availability of your information assets. Firewalls provide several types of protection. They can:

·        block unwanted network traffic;

·        direct incoming traffic to more trustworthy internal systems;

·        hide vulnerable systems from the Internet;

·        log traffic to and from the private network; and

·        hide information like system names, network topology, network device types, and internal user ID’s from the Internet

 

Considerable research, planning, and a thorough understanding each court’s business, network, topology and security policies are needed to successfully implement firewall systems. 

 

Firewalls are not an absolute guarantee of network security. They only extend a perimeter defense around a network. Once an attacker (who may be an authorized user) gains access to the protected network, all systems are at risk. Firewalls also do not prevent attacks through network “backdoors” like dial-up modem connections, direct leased-line connections, or other network departure points. Only network traffic that actually passes through the firewall may be held to its rules; the firewall cannot enforce a policy against traffic using any other network entry points.

 

VIII.  Intrusion Detection System 

 

Intrusion detection is the process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions. Intrusion is defined as an attempt to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network.  Intrusion detection is accomplished either by manually reviewing system generated logs and taking appropriate action, or by using intrusion detection system software for automated review, analysis, and response to an intrusion. 

 

Intrusion detection system (IDS) software monitors computer systems and network traffic and analyzes that data for possible hostile attacks originating from outside the court, as well as for system misuse or attacks originating from inside the enterprise. The main advantage of an intrusion detection system is that it provides a clearer view of server and network activity and issues alerts notifying administrators of unauthorized or unusual activity.  Intrusion detection systems will not compensate for weak authentication and identification mechanisms, weaknesses in network protocols, or the lack of security policy.  IDS software also requires extensive resources to install, configure, and maintain.

 

IX.  Encryption Planning

 

The Texas Administrative Code states that, "encryption techniques for storage and transmission of information shall be used based on documented court security risk management decisions.” Cryptography is the science of transforming data so that it is interpretable only by authorized persons. Data that is unencrypted is called plaintext. The process of disguising plaintext data is called encryption, and encrypted data is called ciphertext. The process of transforming ciphertext back to plaintext is called decryption.

 

Cryptography relies upon two basic components: an algorithm and a key. Algorithms are complex mathematical formulae, and keys are strings of bits used in conjunction with algorithms to make the required transformations. There are two basic types of cryptography: symmetric and asymmetric. Each type has its’ advantages and disadvantages:

 

• Symmetric-key cryptography—two or more parties share the same key, which is used to both encrypt and decrypt data.
• Asymmetric-key cryptography—(also called “public-key cryptography”) uses a pair of keys (pairs of numbers) that allows data encrypted with one key to be decrypted by the other key.

 

Most current cryptographic applications combine both types to exploit each of their strengths. 

 

X.  Virus Protection   

 

Since the advent of Internet e-mail and widespread use of the World Wide Web, malicious programs have become a major security threat. Viruses and worms can be transmitted around the world in a short period of time by attaching infected executable files to e-mail messages. The attachments are usually “Trojan horses” masquerading as something the recipient has requested or would like to see, and may appear to be coming from a known source.

 

The best defense against these programs is a combination of management practices and the use of anti-virus software on servers, workstations, and laptops. Complete anti-virus software includes: a virus scanner that tests files and directories for the presence of viruses, including e-mail attachments; a “disinfectant” to remove viruses from infected files; real-time protection against viruses that may hide in a computer’s memory; and a subscription service for updates to the virus signature files to maintain protection as new viruses are discovered. [4]

 

XI. Web Server Security                                                            

 

Many courts have embraced the Web as a tool to disseminate information to their constituents. The growing expectation is that interactive government service delivery and the procurement of supplies and services will migrate to the online environment as well. As this expectation is realized, the visibility of Websites will continue to increase and courts will be more reliant on them for conducting day-to-day operations.

 

The constituents, vendors, and employees who interact with the court in this new online environment will expect accessible and reliable information, live interaction with service providers, stable connections, e-commerce capabilities and secure transmission and storage of information submitted online. Security exposures are introduced by each of these expectations. Web documents and images can be altered or deleted, Web servers can be used as a base for internal network attacks, and online privacy can be compromised.

 

Some courts are already using the Web to provide general information and many courts currently have static Web pages in which the information is coded in files that are tied together via hypertext links.  Courts are beginning to connect their Websites to databases in order to provide more information via active content.  It is anticipated that courts will soon be accepting monetary payments on-line. In an on-line world, where the risks are high, it is essential to adhere to sound practices that mitigate such risks.  The level of controls required must be consistent with the risks.  Therefore, Websites that use active content and process financial transactions will require more security and controls than static information-only Websites.

 

XII.  Physical Security                                                                  

 

Physical security refers to the protection of IT building sites and equipment (and information and software contained therein) from theft, vandalism, natural and manmade disasters, and accidental damage. Courts must be concerned with IT building construction, room assignments, emergency procedures, regulations governing equipment placement and use, energy and water supplies, product handling—and relationships with employees, outside contractors, and other courts and governmental agencies. Some solutions require the installation of locks, fire extinguishers, surge protectors, window bars, automatic fire equipment, and alarm systems at IT facilities.[5]

 

XIII. Backup and Disaster Recovery Planning

 

Adequate Backup and Disaster Recovery Planning (DRP) Standards help protect information assets of the courts, in the event of an accidental erasure or unforeseen catastrophe, and allow for the continued ability to provide services while reducing the operational and financial impact of the loss or destruction of critical systems and data.

 

Backup involves vital processes generally followed for the periodic protection of computer applications, operating systems, and data by creating properly protected copies of critical systems and data that are readily available after a computer loss or outage. 

 

Disaster Recovery Planning provides for a process to follow in restoring critical computer hardware and software (equipment, operating systems, network communications, data files, applications) after an event that results in the destruction of court computer systems.

 

Business Continuity involves overall reestablishment of an entire court infrastructure after a natural or man-made disaster occurs; however, the IT Standards discussed within this document do not address business continuity except as it relates to computer system disaster recovery.  

IT standards requirements for backup, off-site rotation of backup copies produced, and computer system hardware and software reestablishment (i.e. disaster recovery) after a catastrophe may vary widely due to the numerous court’s differing levels of automation.

 

XIV. Remote Access Control

 

Trends such as telecommuting, electronic commerce, and the use of intranets are driving the need for courts to provide their users with remote access to their computer systems.  Remote access security must be stronger than general network security in order to protect the integrity of the internal network, while at the same time allowing external access to it. The point where remote access is allowed into the internal network is where a court will be susceptible to hackers and other uninvited guests that can probe and attack their network systems. Since remote access poses special risks, courts must address specific controls related to such access capabilities.

 

The risks involved in allowing access to the internal network make it crucial to know exactly who are the remote users, what are their needs, and how to incorporate remote access controls into a security plan. Remote users are no longer just employees dialing in from home computers to check their e-mail. Today’s remote access users are part-time and full-time telecommuters, business partners, and clients that rely upon access to the internal network to accomplish mission-critical court business.

 

Although traditional modems are sufficient for applications such as unsecured e-mail, they are rapidly becoming too slow for users working with larger applications and advanced graphics. Dialing in through an analog modem over the public switched telephone network (PSTN) is being phased out by high-speed and high bandwidth network connection mechanisms, such as the Integrated Services Digital Network (ISDN), cable modems, Asymmetrical Digital Subscriber Lines (ADSL, xDSL), and certain wireless technologies.[6]

Standards

 

	Option 1 – Minimum Security	Option 2 – Optimum Security	Option 3 – Maximum Security
III. Computer Security Policy Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources (3) Insider gaining unauthorized access to information (4) Virus damages critical data and impacts availability of system (5) Natural threat results in loss of data and unavailability of system (6) Insider intercepts network data and gains unauthorized access to system (7) Insider gains physical access to critical network devices resulting in loss of data and equipment. (8) Outsider gains physical access to network devices (9) Insider inadvertently damages data (10) Hardware malfunctions and damages data and/or systems	Require only high-level program-level policy.	Require program level, system-specific, and issue-specific policy.	Require program level, system-specific, and issue-specific policy.  Require annual testing of users’ knowledge of the computer security policy and annual compliance assessments.
IV. Security Awareness and Awareness Training   Threats addressed: (1) – (10)	Require security awareness program tied to security policy development and the court’s information security incident response capability.	Require both security awareness program and on-going annual security awareness training.	Require both security awareness program and annual security awareness training. Annually test users on security training issues.
V. Court Risk Analysis and Assessment   Threats addressed: (1)     – (10)	Perform vulnerability assessment focusing on existing environment without regard to value of assets.	Require annual formal risk assessment including inventory of assets, risk analysis, and risk assessment.	Require formal risk assessment including inventory of assets, risk analysis, and risk assessment.  Update risk assessment quarterly.
VI. Access Control Systems    Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources (3) Insider gains unauthorized access to information (9) Insider inadvertently damages data	Multipurpose servers allowed; screen-saver timeout for keyboard inactivity; 6 character passwords; minimal password construction requirements; manual requirement to change passwords every 90 to 120 days; password sharing disallowed; protect password file in secure directory.	“Minimum Security” plus: consider single purpose servers; separate network bridges, firewalls, and routers; password protection of console; create/maintain user security profiles; desk top system protection; 7 character password with numeric digit; restrictive password construction; auto password prompt after 60-90 days; all default passwords changed; encrypt password file and transmissions; history of 10-12 passwords; cracker software used to test new passwords.	“Optimum Security” plus: required use of ‘strong authentication’ methods; required single purpose server; segment networks; consoles physically secure; remote system admin controls; secure centralized network connection points; transfer sensitive info from desktop to server in secure area; erase old hard drives data; delay logon prompt display; password protect laptops; eight character passwords with numeric digit required; auto system password change prompt every 30 days.
VII. Firewall   Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources (4) Virus damages critical data and impacts availability of system	No stand-alone firewall required.  Use packet-filtering router or modem to control access.	Requires hardware or software based firewall.	Requires software-based “enterprise” firewall.  Mixture of hardware/software vendors prevents person with one vendor expertise from easy access.
VIII. Intrusion Detection System   Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources 3) Insider gains unauthorized access to information	Turn logging on all servers and network devices and manually review logs on a regular basis.	“Minimum security” requirements plus require network-based IDS (for those courts that have a LAN connected to the network).	“Optimum security” requirements plus require use of integrated host-based IDS software. Hardware/software & IDS vendor mixture helps to prevent access.
IX. Encryption Planning   Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources (3) Insider gains unauthorized access to information (6) Insider intercepts network data and gains unauthorized access to system	Use approved encryption tools such as Secure Socket Layers (SSL) and IPSec to encrypt sensitive data traversing an un-trusted network.	Implement a high-level encryption policy to define how the court will use encryption technology.  The policy will address the encryption of data in storage and in transit.	Implement a high-level encryption policy to define how the court will use encryption technology.  The policy will address the encryption of data in storage and transit. Implement a PKI (Public Key Infrastructure).
X. Virus Protection   Threats addressed: (4) Virus damages critical data and impacts availability of system	Policies concentrate on educating users on their responsibilities for regularly scanning for viruses.	Policies should dictate more frequent scanning for viruses, and the use of server and email virus scanners.	All reasonable virus infection prevention methods. Extensive user awareness training. Apply all current OS patches.
XI. Web Server Security   Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources 3) Insider gains unauthorized access to information	Implement a Web server with the default security in place.	Implement a Web server in a DMZ and take steps to “harden” the Web server application and operating system.	Implement a Web server in a DMZ and take steps to “harden” the Web server application & operating system.  Implement an IDS monitor in the DMZ to monitor intrusion attempts. Mix of hardware/software vendors prevents access by person with expertise of only one vendor.
XII. Physical Security   Threats addressed: (5) Natural threat results in loss of data and unavailability of system (7) Insider gains physical access to critical network devices resulting in loss of data and equipment. (8) Outsider gains physical access to network devices (10) Hardware malfunctions and damages data and/or systems	Place computing equipment in a low visibility location.  Train employees to challenge unfamiliar individuals in the office area.  Provide surge protection against electric spikes and dips.	Computing equipment shall be placed in a controlled environment with access limited to personnel who are responsible for administering the equipment. The room shall be environmentally controlled.	Computing equipment shall be placed in a controlled environment with access limited to personnel who are responsible for administering the equipment. The room shall be environmentally controlled.  In addition, controls such as physical access logs and video cameras should be implemented.
XIII. Backup and Disaster Recovery Planning   Threats addressed: (4) Virus damages critical data and impacts availability of system (5) Natural threat results in loss of data and unavailability of system (7) Insider gains physical access to critical network devices resulting in loss of data and equipment. (8) Outsider gains physical access to network devices (9) Insider inadvertently damages data (10) Hardware malfunctions and damages data and/or system	Backup: Critical data and systems copied weekly and moved to a different area with adequate physical access, fire protection, and environmental controls provided.   Disaster Recovery: Stand-alone PC’s or LAN hardware is purchased at the time just after a disaster and then loaded with backup copies of critical systems/data created previously.	Backup: Full backups of all systems & data weekly.  Incremental backups done daily. Backups immediately moved to a physically secure, fire protected, and environmentally secure off-site facility.   Disaster Recovery: Stand-alone PC’s are purchased at the time just after the disaster and loaded with backup copies of critical systems/data created previously. LANs use contracted “cold site” obtained prior to a disaster that is equipped with LAN hardware bought only at the time just after a disaster occurs. Load LANs with copies of systems and data created previously and stored at the off-site facility.	Backup: Optimum Security Option plus: Backup tapes verified after creation. Proper tape storage in labeled dust-free containers. DRP, hardware & software inventories, insurance policies, documentation, and special documents all put in off-site facility.   Disaster Recovery: Stand-alone PC’s that are compatible are purchased prior to a disaster and stored or used at alternate site. Just after a disaster, data and systems backups are loaded to the PCs. LANs will require an alternate “hot-site” facility equipped with compatible hardware & software. Backup copy systems/data is loaded after a disaster.
XIV. Remote Access Control   Threats addressed: (1) Outsider gains access to externally accessible network device (2) Outsider gains unauthorized access to internal system resources (3) Insider gains unauthorized access to information	Remote access part of overall security plan; user-name and password or “blind password” is required; single RAS; central modem pool; reduce modem pool controller time-out period; modem reset and clean termination at end of each dial-in period; log-on banner contains an unfriendly warning.	Dial-in callback or caller-id required; segment RAS from internal network; security software or firewall on home computers’ dial-ins; required encryption; IT supervision of VPN/encryption.	Integrate multiple remote access security solutions; dynamic passwords required; find all workstation PC and laptop PC modems to see if legitimately needed.

 

Reference:

NIST Special Publication 800-30, Risk Management Guide, June 2001.