International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 8, August 2016

Web Based Integrated Evaluation Framework for Information Security Preparedness in Law Enforcement Agencies

Samuel W. Ndichu (1), Prof. Patrick J. Ogao (2)

(1) Department of Computer Science, Maseno University, Maseno, Kenya
(2) School of Computing & I.T, Technical University of Kenya, Nairobi, Kenya

Abstract— Information security preparedness requires consideration of both technical and non-technical solutions to information security. Law Enforcement Agencies (LEAs), being the primary security organs in a country, are highly exposed to information and network attacks because of the sensitive nature of the data and information they hold and transmit in their day-to-day operations. This paper identifies and reviews the security measures and security best practices used by LEAs and other organizations through an extensive review of the literature, develops an evaluation framework for information security preparedness in LEAs, and implements, tests and validates the framework using a case study. The framework addresses information security evaluation from three areas: organizational, technical and user/personnel information security preparedness. The paper contributes to the information security evaluation literature by developing an evaluation framework that can be used to comprehensively determine the level of information security preparedness of a particular LEA, with a weighting factor applied to the results of the evaluation, an issue which has not yet been widely addressed in the contemporary literature.

Keywords- Law enforcement agencies, information security, evaluation framework, preparedness, security measures

1. INTRODUCTION

Information security involves the implementation of safeguards that protect against intrusion, mishaps and mistakes. Organizations' dependence on Information and Communication Technology (ICT) is steadily growing and is present in many different areas, such as public utilities, communications (mobile telephony), financial institutions (ATMs) and medicine (diagnostic equipment). The security measures that protect these systems have many components, including but not limited to physical security, operational security, information security, disaster recovery, access control, cryptography, auditing, and laws and ethics. It is the responsibility of organizational management, technical experts and users, through information security policies and other documents and support, to emphasize the importance of information security in their organizations. There is a need to determine what data is valuable and needs to be protected, who is responsible for protecting it and to what extent, to what extent users may access and use the data, and what the consequences are for noncompliance. Information security therefore involves the implementation of security measures that cover and protect the ICT resources of an organization, hence the need for a framework to evaluate the comprehensiveness of the implemented measures. Technical and organizational systems are equally important when it comes to information security, and the lack of fit between social and technical systems is the primary cause of information systems problems [1]. Technical solutions are necessary to address threats such as viruses and denial of service attacks, but the involvement of humans in information security is of equal importance: many security issues, such as phishing and social engineering, exist only because humans are involved, hence the need to consider the human factor when developing a framework for evaluating information security [2].

It is also important to consider social problems when evaluating security technology, since it is much harder to build a secure system with people in it than it is to build a secure system with just mathematics in it [3]. There is also a need for economic evaluation of security technology investments, which more and more customers ask vendors to provide; the typical calculation is a Return-On-Investment (ROI) index based on the Annual Loss Expectancy (ALE), as usually provided by vendors of Information Technology (IT) security [4]. LEAs rely on network connections to provide the widest possible functionality, so all the information security risks related to networks and to network access also apply to their information systems; in addition, LEAs are high-profile targets of information systems attacks because of the high criticality of the data and information they hold and transmit in their day-to-day operations. This shows the importance of adequate information security preparedness in LEAs, since their information systems are exposed to information security risks such as unauthorized access and unauthorized changes.


https://sites.google.com/site/ijcsis/ ISSN 1947-5500


2. LITERATURE REVIEW

2.1 Review of the current evaluation approaches

The purpose of this section is to review the current approaches to evaluating information security preparedness in LEAs. To develop the framework, a review of the information security preparedness evaluation approaches and models related to this research is necessary. This includes approaches used to evaluate, measure or assess information security preparedness or adequacy, or to assess the information security measures implemented to safeguard information security. The framework is based on three information security evaluation approaches that are closely related to this area of research:

a) The OCTAVE approach [5][6].
b) Critical Success Factors (CSF) [7].
c) The socio-technical approach [8].

2.1.1 The OCTAVE approach

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is a standard approach for risk-driven and practice-based information security evaluation; its three key aspects are the evaluation of operationally critical threats, assets and vulnerabilities. The OCTAVE method was developed with large organizations in mind (300 employees or more). Large organizations generally have a multilayered hierarchy and are likely to maintain their own computing infrastructure, along with the internal ability to run vulnerability evaluation tools and interpret the results in relation to critical assets. The OCTAVE method uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs.

2.1.2 Critical Success Factors (CSF)

Critical Success Factors are derived from several definitions of information security; combining these definitions leads to the conclusion that information security is about technology, processes and people. "Information security is a well-informed sense of assurance that information risks and technical, formal and informal controls are in dynamic balance" [7]. This approach is based on technical, formal and informal security controls (corresponding to technology, processes and people), since the absence of any of the three can compromise information security. The CSFs are grouped using the technical, formal and informal classification.

2.1.3 The socio-technical approach

This approach is built on the assumption that information system development involves the design of a work organization in which the information system has to be compatible with the surrounding social system, that is, the user and organizational environments [9]. A socio-technical model should therefore combine the features of the information system, the user and the organizational environments. Technical and organizational systems are equally important, and the lack of fit between social and technical systems is the primary cause of information systems problems [2].

2.2 Critique of the literature

These three information security evaluation approaches are the most relevant to this work because each evaluates the adequacy of the implemented information security measures from more than one area or aspect, rather than concentrating on a single area of information security. Even so, none of the three is comprehensive: no single approach covers all the areas necessary to ensure adequate information security preparedness. OCTAVE is risk-driven and practice-based, with its three key aspects of operationally critical threat, asset and vulnerability evaluation; it was developed for large organizations (300 employees or more) with a multi-layered hierarchy, their own computing infrastructure and the internal ability to run vulnerability evaluation tools and interpret the results in relation to critical assets, and it uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs [5]. The critical success factors approach is derived from several definitions of information security and concludes that information security is about technology, processes and people: "Information security is a well-informed sense of assurance that information risks and technical, formal and informal controls are in dynamic balance" [7]. It is based on technical, formal and informal security controls (technology, processes and people), since the absence of any of the three can compromise information security. The socio-technical approach is built on the assumption that information system development involves the design of a work organization in which the information system has to be compatible with the surrounding social system, that is, the user and organizational environments [9], so a socio-technical model should combine the features of the information system, the user and the organizational environments [8].


Studies have shown that non-technical issues are as important as technical issues in safeguarding an organization's sensitive information. The importance of non-technical issues related to information security, however, is not taken into account in many studies, and there is a resulting lack of attention in the open literature to factors such as national and organizational culture, environment and level of awareness, and how these factors relate to general attitudes towards information security. Therefore, taking into consideration the technical and non-technical factors, the different levels of technology, and the localized variables and limitations, this paper develops a web based integrated framework for the evaluation of information security preparedness in law enforcement agencies.

3. RESEARCH DESIGN

3.1 Introduction

This research seeks to identify and review the various security measures used by LEAs, develop an evaluation framework for information security preparedness in law enforcement agencies, and implement, test and validate the framework using a case study. The research design used to achieve these objectives consists of three fundamental phases:

a) Phase One – Research and data gathering
b) Phase Two – Develop the framework
c) Phase Three – Implement, test and validate the framework

Figure 1: Proposed approach. Phase One, research and data gathering (using document reviews); Phase Two, develop the framework (based on the OCTAVE, CSF and socio-technical approaches); Phase Three, implement, test and validate the framework (using a case study).

Figure 1 above shows the three phases of the research design. Phase one, research and data gathering, involves an extensive literature review of the information security measures and best practices used by LEAs. Phase two is the development of the information security preparedness evaluation framework, based on three approaches: the OCTAVE approach, the critical success factors (CSF) approach and the socio-technical approach, which are the approaches most closely related to the evaluation of information security preparedness. The last phase, phase three, implements, tests and validates the framework through a case study in which the framework is tested locally on the National Police Service, in order to determine the level of information security preparedness of the institution.

3.2 Field Study

The following data collection methods are used: document reviews concerning the organization's information security measures and practices, and interviews with ICT personnel.

3.3 Sample Selection

The National Police Service headquarters (Vigilance House) is selected to provide information about the currently implemented information security measures and practices. The headquarters is the administrative department of the National Police Service and co-ordinates the activities of the various LEAs, so it is expected to have the best information security measures and practices employed locally by the service: it is obligated to implement such measures, and other branches and departments rely on decisions made there.

3.4 Data Analysis Process

The data gathered from the document reviews and the responses from the interviews are analyzed to determine the level of information security preparedness of the National Police Service headquarters. Using the results of the organizational security evaluation, the technical security evaluation and the user/people security evaluation, the level of information security preparedness of the institution can be determined. The responses are grouped into three categories: organizational, technical and user security. The statistical tools used to present the data are tabular presentation and pie charts.

4. CONCEPTUAL FRAMEWORK

4.1 Conceptual Framework

Having identified the weaknesses of the previous approaches (the OCTAVE approach is concerned mainly with the organizational aspect of information security, while the CSF and socio-technical approaches are concerned mainly with the technical and the user or people aspects), the proposed framework is based on the integration of the three: the OCTAVE approach, which focuses on operationally critical threat, asset and vulnerability evaluation; the critical success factors (CSF) approach, which focuses on technology, processes and people; and the socio-technical approach, which seeks a fit between social and technical systems. The integration builds on the strengths of each approach while minimizing the weaknesses observed in each individually. On this basis the proposed framework seeks to comprehensively evaluate all areas relevant to information security preparedness in LEAs, and therefore evaluates information security preparedness in three categories: organizational security, technical security and user or people security.

Figure 2: Conceptual framework. Labels recovered from the figure: Preventive, Detective and Responsive; Law Enforcement Agency (L.E.A); Evaluate Organizational information security preparedness; Evaluate Technical information security preparedness; Evaluate User information security preparedness.

Figure 2 above shows the three categories on which the evaluation of information security preparedness is based: organizational security, technical security and user/personnel security. The remainder of this paper presents the literature review of the information security best practices and measures used by LEAs and other organizations for their information systems, categorizes those measures according to the three evaluation areas of the conceptual framework, implements, tests and validates the developed framework using a case study, and finally presents the results of the test and validation.

5. RESEARCH AND DATA GATHERING

5.1 Information security measures and best practices used by LEAs and organizations

IT security covers many issues, such as security policy development and implementation, user education, encryption, system administration, network firewalls, intrusion detection and programming practice [10]. Training for system administrators, risk assessment, physical security, security policies and proper system administration are identified as important steps in securing an LEA's network [11]. Better equipment, training and awareness are part of the basis for LEA information security assessment [12]. In the preparedness phase, governments, organizations and individuals, and in this case LEAs, develop measures to protect their information systems and assets and minimize damage (for example, implementing firewalls and Intrusion Detection Systems (IDS), running training and awareness exercises, or installing antivirus programs) [13]. Presently used identity authentication procedures make use of passwords, data encryption systems, digital signatures and firewalls, alone or in combination, to ensure trust and confidentiality in the agreement formation process [14]. Recognizing the increasing use of computers by federal agencies and the vulnerability of computer-stored information, including personal information, to unauthorized access, the US Congress enacted the Computer Security Act of 1987. The statute requires each federal agency to develop security plans for its computer systems containing sensitive information; such plans are subject to review by the National Institute of Standards and Technology (NIST). The statute also mandates a computer systems security and privacy advisory board to identify emerging managerial, technical, administrative and physical safeguard issues relative to computer systems security and privacy. Each federal agency is directed to provide all employees involved with the management, use or operation of its computer systems with mandatory periodic training in computer security awareness and accepted computer security practice [15].

To assist organizations in selecting appropriate security controls for their information systems, the concept of baseline controls is introduced. Baseline controls are the initial security controls recommended for an information system based on the system's security categorization [16]. These security controls include access control, awareness and training, audit and accountability, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, personnel security, risk assessment, system and communications protection, and system and information integrity. The US Department of Homeland Security's (DHS) National Cyber Security Division (NCSD) has established tools to help state and local security officials conduct assessments. NCSD's Cyber Security Vulnerability Assessment (CSVA) draws on an automated set of questions to assess an entity's cyber security posture and recommend a suite of remedial actions to address any observed security gaps. The following areas of the CSVA methodology offer a framework for identifying vulnerabilities in systems: security policy, electronic access control, personnel security, physical and environmental security, security awareness and training, monitoring and incident response, disaster recovery and business continuity, system development and acquisition, configuration management, and risk and vulnerability management [17].

5.2 Security technologies [18]

The CSI/FBI 2005 computer crime and security survey report shows that use of firewalls was reported by 97 percent of respondents and anti-virus software by 96 percent of the organizations.
Intrusion detection systems were being used by 72 percent of the organizations, and 70 percent used server-based access control lists. With the exceptions of smart cards and intrusion prevention systems, differences in reported use from 2004 were no greater than 5 percent. The use of smart cards and other one-time password tokens increased from 35 percent to 42 percent, while the intrusion prevention system bandwagon reversed, with use declining to 35 percent from 45 percent. Intrusion prevention systems attempt to identify and block malicious network activity in real time. Although these systems look like firewalls, they work differently: a firewall blocks all traffic except that which it has a reason to pass (a default-deny policy), while an intrusion prevention system passes all traffic unless it has a reason to block it (a default-allow policy) [18]. In practice the two are complementary rather than interchangeable: a firewall stops traffic to services that were never meant to be exposed, even when the attack is new, whereas an IPS can only block what it recognizes, but it can inspect the content of connections the firewall has already allowed. Figure 3 below summarizes the categories of security technology used by organizations and their level of usage in percent, as reported by the CSI/FBI 2005 computer crime and security survey. Firewalls and anti-virus software scored highest among the security technologies reported by the survey, with 97 percent and 96 percent respectively.

Figure 3: CSI/FBI 2005 computer crime and security survey, source: [18]

Figure 4 below shows the key categories of the CSI computer crime and security survey and the level of usage of the different technologies in percent.


Figure 4: CSI computer crime and security survey, source: [18]
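The default-policy distinction drawn in Section 5.2 above can be shown directly in code. The following is an added example, not code from the paper or from the survey it cites: the same first-match rule engine is run once with a default-deny verdict (the firewall model) and once with a default-allow verdict (the IPS model). The address plan, the rules, the flows and the single IPS signature are all constructed for illustration and are not taken from any real deployment.

```python
"""Default-deny (firewall) versus default-allow (IPS) policy evaluation.

Added example for Section 5.2; it is not code from the paper or from the
CSI/FBI survey it cites. The rule format, the address plan, the flows and the
single IPS "signature" below are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    dport: int            # destination port
    proto: str = "tcp"
    payload: bytes = b""  # application data, inspected by the IPS only


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"             # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None        # None matches any port
    proto: Optional[str] = None        # None matches any protocol
    signature: Optional[bytes] = None  # byte pattern that must occur in payload

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.signature is not None and self.signature not in f.payload:
            return False
        return True


def first_match(rules: List[Rule], f: Flow) -> Optional[str]:
    """First-match semantics: the earliest matching rule decides."""
    for r in rules:
        if r.matches(f):
            return r.action
    return None


def firewall_verdict(rules: List[Rule], f: Flow) -> str:
    """Allowlist model: traffic with no matching rule is dropped (fail closed)."""
    return first_match(rules, f) or "deny"


def ips_verdict(rules: List[Rule], f: Flow) -> str:
    """Blocklist model: traffic with no matching rule is passed (fail open)."""
    return first_match(rules, f) or "allow"


# Constructed perimeter policy for a hypothetical agency LAN (10.1.0.0/16) with a
# public web server (10.1.5.10) and an internal database server (10.1.5.20).
FIREWALL_RULES: List[Rule] = [
    Rule("allow", dst="10.1.5.10/32", dport=443, proto="tcp"),
    Rule("allow", src="10.1.0.0/16", dst="10.1.5.20/32", dport=5432, proto="tcp"),
]

# Constructed IPS rule set: one signature for a known attack string, nothing else.
IPS_RULES: List[Rule] = [
    Rule("deny", signature=b"<known-bad-pattern>"),
]

# Constructed flows, named by what they represent.
FLOWS: Dict[str, Flow] = {
    "web_from_internet": Flow("203.0.113.7", "10.1.5.10", 443, payload=b"GET / HTTP/1.1"),
    "db_from_lan": Flow("10.1.3.4", "10.1.5.20", 5432),
    "db_from_internet": Flow("203.0.113.7", "10.1.5.20", 5432),
    "telnet_probe": Flow("203.0.113.7", "10.1.5.10", 23),  # service never exposed
    "known_attack_on_https": Flow("203.0.113.7", "10.1.5.10", 443,
                                  payload=b"GET /?q=<known-bad-pattern> HTTP/1.1"),
}


def compare(flows: Dict[str, Flow] = FLOWS) -> Dict[str, Tuple[str, str]]:
    """Return (firewall verdict, IPS verdict) for each named flow."""
    return {name: (firewall_verdict(FIREWALL_RULES, f), ips_verdict(IPS_RULES, f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (fw, ips) in compare().items():
        print(f"{name:24s} firewall={fw:5s} ips={ips}")
```

Run stand-alone, the script prints one verdict pair per flow. The telnet probe and the database connection from the Internet are dropped by the firewall, which has no rule for them, but passed by the IPS, which has no signature for them; the attack carried inside an allowed HTTPS connection passes the firewall and is stopped only by the IPS. Neither model alone covers both cases.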

5.3 Security measures [19]

Security measures that have been used include encryption, operations security, cash accounts security, employee training and firewalls [19]. Encrypting files and data makes it more difficult for anyone to access them, so encryption should be considered an important tool for protecting confidential information. Operations security includes such measures as monitoring users, creating audit trails of system users, and conducting physical surveillance of users and systems. A number of measures are required to secure cash accounts, including changing passwords regularly, using numerical access control systems, upgrading authentication software, monitoring employees, maintaining audit trails, and regularly reviewing cash accounts for small losses. Across the board, increased employee training has consistently helped minimize computer-related theft. "Firewalls", in the sense used by [19], are software controls that permit system access only to users specifically registered with a computer; the data showed no significant relationship between this countermeasure and information protection. LEAs must develop specialized criminal investigative units and prevention programs for computer crime, and police departments should take immediate steps to protect their own information systems [19].

5.4 The system-level, technical perspective [20]

Critical Information Infrastructure Protection (CIIP) is approached as an IT-security or information assurance issue, with a strong focus on internet security. In this view, threats to the information infrastructure are to be confronted by technical means such as firewalls, anti-virus software or intrusion detection software [20]. The establishment of Computer Emergency Response Teams (CERTs) and similar early warning approaches in various countries are examples of this perspective. Governments should therefore pay special attention to the following issues:

1) Understanding the nature of risks and threats and the resulting vulnerabilities. Governments should provide reliable and well-documented threat and risk assessments in this field, taking into account technical, organizational, legal and national security factors. A good example of a government agency covering the legal, technical and security policy aspects of CIIP is the Swiss Reporting and Analysis Center for Information Assurance (MELANI).

2) Enhancing vulnerability detection and response. This approach is exemplified by the Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs). Governments must handle sensitive information with care; this is certainly one of the reasons why the UK National Infrastructure Security Co-ordination Centre (NISCC) is such a successful model for handling CIIP.

3) Promoting more secure products and services, and supporting research and development. Governments should encourage the development of more secure IT-related products and services, particularly security standards and certification procedures. Since it is difficult for each private company to ascertain whether its security levels are adequate when obtaining software, cryptography or IT services on the open market, the Japanese Ministry of Economy, Trade and Industry (METI), for instance, has since April 2003 operated several information security evaluation systems that are conducted through a third party. These include an information security auditing system, an information security management system, certification for the evaluation of security products, and encryption technology evaluation systems. These standards are not only used for the government's procurement of its own software and IT services, but can also be used by the private sector in the future.


4) Raising awareness and information-sharing. Governments need to inform individuals and organizations about risks related to cybercrime and the dangers of insufficient security for themselves and for others, as well as the available solutions. A common vocabulary has to be defined and sensitive information classified. Some governments have set up special education programs: in South Korea, for instance, information security education has become part of the computer literacy education that begins at primary-school level. The UK government has undertaken initiatives such as "IT Safe - IT Security Awareness for Everyone" and "GetSafeOnline" that address home users and small businesses in particular, with advice in plain English and practical tips on protecting computers. In Germany the campaign "Security in the Internet" and the internet service "BSI for the citizen" provide easy-to-understand information on relevant IT security issues. Awareness-raising is also a main activity of the European Network and Information Security Agency (ENISA).

5) Developing an adequate legal framework. Although many developed countries have discussed the protection and security of information infrastructures and related legislation for some years, most of them have only begun to review and adapt their legislation since 11 September 2001. The Republic of Korea enacted a special "Information Infrastructure Protection Act" in January 2001 that outlines the government framework for information infrastructure protection. Because national laws are developed autonomously, there is a need to harmonize national legal provisions and to enhance judicial and police cooperation internationally. Many countries have also set up special cyber-crime units, which are usually part of the national police force, the intelligence services, or another LEA.

6) Emergency preparedness and crisis management. Successful emergency management requires clear guidelines and recommendations. In Canada, for example, an all-hazards approach was initiated with the establishment of Public Safety and Emergency Preparedness Canada (PSEPC) and its National Critical Infrastructure Assurance Program (NCIAP) in 2003. CIIP is pursued in partnership between government organizations, private-sector owners and operators, and others with a stake in Canada's national critical infrastructure. The partners exchange timely information about risks, vulnerabilities and threats, and thus create a better understanding of interdependencies.

5.5 Other measures

1) Upgrading the operating system. The current version of an operating system is generally the safest, since developers improve its security features from version to version; a Windows 10 installation, for example, is preferable to a Windows XP installation, which no longer receives security updates.

2) Firewall. This can be either hardware or software and protects a computer against hackers, viruses and spyware; it also stops a computer from being hijacked and used for DDoS attacks, for infecting other machines or for sending spam email.

3) Anti-virus software. Used for scanning computers for viruses and for checking incoming email and web sites; it needs regular updating to remain effective, since new threats emerge continually. Where it is not included in the operating system it must be bought and installed.

4) Anti-spyware software. This kind of program is different from anti-virus software and is important because anti-virus software alone may not protect a computer from spyware. Anti-spyware programs, like anti-virus programs, also need regular updating to remain effective.

5) Wireless network encryption. WPA encryption should be enabled on wireless networks to provide authentication and confidentiality, preventing crimes such as eavesdropping. WEP should not be relied on: its encryption is broken and its keys can be recovered from captured traffic, so WPA2 or later with a strong passphrase is the minimum practical choice. Renaming the network (the SSID), switching off SSID broadcast so that people cannot find the network easily, and MAC filtering to restrict access to trusted computers are also used, but they only raise the effort for a casual intruder: a hidden SSID is still revealed in the frames of legitimate clients, and a MAC address can be spoofed, so neither is a substitute for encryption.

6) Spam filter program. Important for filtering out spam messages, which might contain harmful programs and code.

7) Backups. Important data should be backed up regularly, so that the backup stays current, and stored in a different location.

8) Physical security. Use of labels, locks, alarms, etc.

5.6 A summary of the findings of the information security measures and best practices used by LEAs and organizations

Table 1 below summarizes the information security measures and best practices used by LEAs and organizations, as found in the review of the relevant literature. It lists each source and the information security measures and best practices it reports.

Table 1: Information security measures and best practices by source

Source | Information security measures and best practices
Pfleeger 2003 | Security policy development and implementation, user education, encryption, system administration, network firewall, intrusion detection, and programming practice, etc.
Brown 2002 | Training for system administrators, risk assessment, physical security, security policies, and proper system administration
Reese et al. 2008 | Better equipment, training, and awareness
Laura 2010 | Firewalls, Intrusion Detection Systems (IDS), training and awareness exercises, installing antivirus programs, etc.
Saunders and Zucker 1999 | Passwords, data encryption systems, digital signatures, and firewalls
Gordon et al. 2005 | Firewalls, anti-virus software, IDS, IPS, ACL, encryption, passwords and biometrics
Richardson 2008 | Anti-virus software, anti-spyware software, firewalls, biometrics, monitoring, encryption, forensic tools, IPS, IDS, logs, ACL, WEP, WPA, SSID, passwords, VPN and patch management
Carter and Katz 1996 | Encryption, operations security, cash accounts security, employee training, firewalls, monitoring, audit trails, physical surveillance, passwords and password policy, access control systems, upgrading software, specialized criminal investigative units and prevention programs for computer crime
Abele 2006 | Firewalls, anti-virus software, intrusion detection software, Computer Emergency Response Teams (CERTs), vulnerability detection and response, security standards and certification procedures, auditing, information security management, encryption, awareness, education, legal framework, special cyber-crime units
NIST (National Institute of Standards and Technology) 2006 | Access control, awareness and training, audit and accountability, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, personnel security, risk assessment, system and communications protection, and system and information integrity
Relyea 2002 | Computer Security Act, security plans, security plans review, identifying emerging managerial, technical, administrative and physical safeguard issues relative to computer systems security and privacy, employee training and awareness
National Strategy for Homeland Security policy, electronic access control, personnel security, physical and environmental security, security Security 2007 awareness and training, monitoring and incident response, disaster recovery and business continuity, system development and acquisition, configuration management, risk and vulnerability management Others Upgrading operating system, firewall, anti-virus software, Anti-spyware software, WPA, WEP, SSID, MAC filtering, Spam filter program, Backups, labels, locks, alarms etc. Table 1: Summary of information security measures and best practices used by LEA’s and organizations

6. DEVELOPMENT OF THE FRAMEWORK

6.1 Introduction

To develop the integrated evaluation framework for information security preparedness in LEA’s, the three major aspects or categories of information security, that is, the organizational, technical and user/personnel information security aspects, are derived from the three approaches reviewed earlier: the OCTAVE approach [5], Critical Success Factors (CSF) [7] and the social-technical approach [8]. Each of these three approaches evaluates information security from only one or two aspects of information security; none of them evaluates information security comprehensively. In order to close this gap and eliminate the weaknesses identified in the three approaches, an integrated framework is developed on the basis of all three, which seeks to comprehensively evaluate information security preparedness in LEA’s. Hence integrating the various information security aspects in one information security evaluation framework is necessary in order to close the identified gap. Each of the three information security aspects or categories has various information security components classified under it. To determine the information security components under each aspect or category, a literature review was done to identify the various information security measures and information security best practices used by LEA’s and organizations. The literature review done earlier provides the information security aspects and components to be classified under each aspect or category, hence necessitating the development of an integrated information security evaluation framework. Figure 5 below shows the relationship between the approaches, the information security measures and best practices, and the development of the integrated evaluation framework for information security preparedness in LEA’s.


Figure 5: The Relationship between the information security evaluation approaches, the information security measures and best practices and the development of the integrated evaluation framework for information security preparedness in law enforcement agencies.

6.2 The framework

6.2.1 Organizational information security preparedness aspect

This aspect is further sub-divided into two information security aspects, policies and procedures, and each of these has its own information security components.

6.2.2 Technical information security preparedness aspect

This aspect is further sub-divided into three information security aspects: preventive, detective and responsive. This is important because it helps one to determine the level of preventive, detective or responsive information security preparedness separately; if one is interested in the level of any one of these three aspects, the framework makes this easier. The framework presents 18 preventive information security components (8 optional and 10 mandatory), 8 detective information security components (2 optional and 6 mandatory) and 7 responsive information security components (1 optional and 6 mandatory).

6.2.3 User/personnel information security preparedness aspect

This aspect has awareness, training and education information security aspects, and the user/personnel information security preparedness components are developed based on these three components. To put this framework into practice, a checklist is needed in order to identify with ease which particular information security component is present in a LEA and which is lacking. The checklist can be found in the appendices section.

6.2.4 Weighting

Each of these three evaluation aspects has its components. The organizational information security preparedness aspect has 21 information security components, the technical information security preparedness aspect has 24 information security components and the user/personnel information security preparedness aspect has 5 information security components. Each of these components is assigned equal weighting for the purpose of determining the level of preparedness in percentage terms. The total number of information security components from the three aspects is 50. To determine the weighting for the organizational, technical and user/personnel information security preparedness aspects, the number of information security components in the particular aspect is divided by the total number of information security components in the framework and the result is multiplied by a hundred to get the weighting in percentage. Therefore:

i. Weighting for the organizational information security preparedness aspect: organizational information security components / total number of information security components * 100 = 21/50*100 = 42%
ii. Weighting for the technical information security preparedness aspect: technical information security components / total number of information security components * 100 = 24/50*100 = 48%
iii. Weighting for the user/personnel information security preparedness aspect: user/personnel information security components / total number of information security components * 100 = 5/50*100 = 10%

Hence, the organizational information security preparedness aspect accounts for 42% of information security preparedness, the technical information security preparedness aspect accounts for 48% and the user/personnel information security preparedness aspect accounts for 10% in the framework. Using these weighting values, one can determine the level of preparedness of each of the three aspects in a LEA and specifically point out where the weakness is, or where the organization or agency is failing in terms of information security preparedness.

6.2.5 Threshold

This is the baseline, or the minimum level or number of information security components a particular LEA is expected to have implemented. To determine the baseline using this framework, the information security components are grouped into optional and mandatory information security components. The optional information security components are marked with a letter (O) in the framework. The optional information security components are: antivirus updating procedure (anti-virus software can be set to automatic mode so that it updates itself); anti-spyware software (the same functionality is incorporated in most anti-virus software); IPS (a combination of IDS and firewall can do the same work); biometrics (can be replaced by other cheaper, lower-technology measures such as passwords, locks, etc.); VPN, WPA, WEP, SSID and MAC filtering (only necessary if there is a wireless network); and user security information (employee training programs and security awareness sensitization can serve the same purpose). There are 10 optional information security components; subtracting these from the total number of information security components in the framework (50) gives 40 mandatory information security components. Dividing the number of mandatory information security components (40) by the total number of information security components (50) in the framework and multiplying the result by 100 gives the threshold in percentage. Therefore the threshold for this framework is: the number of mandatory information security components / the total number of information security components in the framework * 100 = Threshold, i.e. 40/50*100 = 80%.

6.3 Integrated evaluation framework for information security preparedness in LEA’s

Figure 6: The integrated evaluation framework for information security preparedness in LEA’s

Figure 6 above is the evaluation framework for information security preparedness in LEA’s. The framework seeks to evaluate the information security preparedness of a LEA from three aspects or perspectives: organizational, technical and user/personnel information security preparedness.

The framework key:
D – Detective
P – Preventive
O – Optional
R – Responsive
ACL – Access Control List
BCP – Business Continuity Plan
CCTV – Closed Circuit Television
CERT – Computer Emergency Response Team
DRP – Disaster Recovery Plan
IDS – Intrusion Detection System
IPS – Intrusion Prevention System
OS – Operating System
SSID – Service Set Identifier
UPS – Uninterruptible Power Supply
VPN – Virtual Private Network
WEP – Wired Equivalent Privacy
WPA – Wireless-Fidelity Protected Access


7. IMPLEMENTATION, TESTING AND VALIDATION OF THE FRAMEWORK

7.1 Implementation of the framework

The developed framework is implemented in a web based system titled “web based integrated evaluation framework for information security preparedness in LEA’s”, comprising three aspects or perspectives (matching the three information security categories in the developed framework), namely organizational, technical and user/personnel information security preparedness. The web based system has four pages used to implement the various aspects of the evaluation framework. The pages are:
i. The home page
ii. The evaluation page
iii. The results page
iv. The abbreviations page
The details of the various pages are as explained below.

7.1.1 Homepage

The web based system has a homepage which contains the title of the web based system and the evaluation framework for information security preparedness in LEA’s. Below is a screen shot showing the details of the home page.

Figure 7: A screen shot of the homepage of the web based system

7.1.2 The evaluation page

The evaluation page has the implementation of the organizational, technical and user/personnel information security preparedness evaluation. Each of the security aspects has a set of questions with a button in the last column of each question, which one selects or ticks if a particular security measure or practice exists in the organization or LEA being evaluated. The aspects are as shown in the screen shots below.

The Organizational Information Security Aspect;


Figure 8: A screen shot of the organizational information security preparedness evaluation page of the web based system

The Technical Information Security Aspect;

Figure 9: A screen shot of the technical information security preparedness evaluation page of the web based system

The User/Personnel Information Security Aspect;


Figure 10: A screen shot of the user/personnel information security preparedness evaluation page of the web based system

7.1.3 Results page

The system also has a results page which displays the level of the organization’s information security preparedness in percentage after one clicks the “submit or evaluate” button. Below is a screen shot of the results page.

Figure 11: A screen shot of the results page of the web based system

7.1.4 Abbreviations page

The system also has an abbreviations page which gives a brief description of the system and the meaning of the various abbreviations used in the evaluation framework. Below is a screen shot of the abbreviations page.


Figure 12: A screen shot of the abbreviations page of the web based system

7.2 Testing and validation of the framework

Testing and validation was done at the National Police Service headquarters (Vigilance House) using the framework checklist to determine which information security components are present in the agency and which ones are not, by interviewing a group of four (4) ICT/technical personnel, and hence determining the agency’s level of information security preparedness. The results of the test are as follows.

Organizational information security preparedness (42%)

ICT Policies | Remarks
1) Exists | ✓
2) Regular review | X
3) Employee read sign | X
4) Simple and practical (Easy to use) | ✓
5) Easily accessible | X
6) Data classification defined | ✓
7) Equipment classification | ✓
8) Owner (Designated authority) | ✓
9) Responsibilities defined | ✓
10) Password policy | ✓
11) Guidelines | ✓
12) DRP | ✓
13) BRP | ✓
ICT Procedures | Remarks
14) User registration | ✓
15) User de-registration | X
16) Anti-virus updating (O) | ✓
17) OS and software upgrade | X
18) Back-up | ✓
19) Employee background check | ✓
20) Security violation penalty | ✓
21) Reporting (incidents, weakness, malfunction) | ✓
Table 2: A summary of the organizational information security preparedness evaluation


Out of the 21 organizational information security components in the framework, the National Police Service headquarters (Vigilance House) has 16 information security components implemented. Therefore, the organizational information security preparedness of the National Police Service headquarters (Vigilance House) is 16/21*42 = 32%.

Technical information security preparedness (48%)

Technical information security measures and best practices | P | D | R | Remarks
1) Anti-virus s/w | ✓ | ✓ | ✓ | ✓
2) Anti-spyware s/w (O) | ✓ | ✓ | ✓ | ✓
3) CCTV | - | ✓ | ✓ | X
4) Security log | - | ✓ | ✓ | ✓
5) Back-up | ✓ | - | ✓ | ✓
6) Labels | ✓ | - | ✓ | ✓
7) IDS | - | ✓ | - | X
8) IPS (O) | ✓ | ✓ | - | X
9) Auditing & monitoring | - | ✓ | - | ✓
10) Alarms | - | ✓ | - | X
11) Configuration management | ✓ | - | - | ✓
12) Firewall | ✓ | - | - | ✓
13) UPS & Generator | ✓ | - | - | ✓
14) ACL | ✓ | - | - | ✓
15) Encryption | ✓ | - | - | ✓
16) Password | ✓ | - | - | ✓
17) Biometrics (O) | ✓ | - | - | X
18) VPN (O) | ✓ | - | - | X
19) WPA (O) | ✓ | - | - | X
20) WEP (O) | ✓ | - | - | X
21) SSID (O) | ✓ | - | - | X
22) MAC filters (O) | ✓ | - | - | X
23) Locks | ✓ | - | - | ✓
24) CERT | - | - | ✓ | X
Table 3: A summary of the technical information security preparedness evaluation

Out of the 24 technical information security components in the framework, the National Police Service headquarters (Vigilance House) has 13 information security components implemented. Therefore, the technical information security preparedness of the National Police Service headquarters (Vigilance House) is 13/24*48 = 26%.

A technical component may fall under more than one of the preventive, detective and responsive categories, so the three categories together contain 18 + 8 + 7 = 33 entries; the weight of each category is its share of these 33 multiplied by the technical weight of 48%, giving 26.2%, 11.6% and 10.2% respectively.

The technical preventive information security preparedness:
• Expected technical preventive information security components = 18 (8 optional & 10 mandatory)
• Implemented technical preventive information security components = 11 (1 optional & 10 mandatory)
11/18*26.2 = 16.0%

The technical detective information security preparedness:
• Expected technical detective information security components = 8 (2 optional & 6 mandatory)
• Implemented technical detective information security components = 4 (1 optional & 3 mandatory)
4/8*11.6 = 5.8%

The technical responsive information security preparedness:
• Expected technical responsive information security components = 7 (1 optional & 6 mandatory)
• Implemented technical responsive information security components = 5 (1 optional & 4 mandatory)
5/7*10.2 = 7.3%

User/Personnel information security preparedness (10%)

Awareness, training & education | Remarks
1) User security information (O) | X
2) Defined user responsibility | ✓
3) Employee training programs | ✓
4) Security awareness sensitization programs | ✓
5) System(s) administrator training programs | ✓
Table 4: A summary of the user/personnel information security preparedness evaluation


Out of the 5 user/personnel information security components in the framework, the National Police Service headquarters (Vigilance House) has 4 information security components implemented. Therefore, the user/personnel information security preparedness of the National Police Service headquarters (Vigilance House) is 4/5*10 = 8%.

To get the level of information security preparedness of the National Police Service in Kenya, generalizing the results: Organizational + Technical + User/Personnel (information security preparedness) = 32% + 26% + 8% = 66%. The difference between the threshold (expected minimum information security components) and the implemented information security components is 80% (threshold) – 66% (implemented information security components) = 14%.

8. DISCUSSION OF FINDINGS AND CONCLUSION

8.1 Discussion of findings

Technical information security preparedness is the weakest aspect, with a difference of 22% between the expected 48% technical information security preparedness and the implemented 26%. It is followed by organizational information security preparedness, with a difference of 10% between the expected 42% and the implemented 32%. The strongest aspect is user/personnel information security preparedness, with a difference of 2% between the expected 10% and the implemented 8%. After identifying the weakest category of information security and the expected minimum information security components not implemented, a recommendation on the required or necessary measures which need to be implemented is made, and it is the duty of the particular LEA to implement the information security measures and practices based on the results obtained.
Table 5 below summarizes the organizational, technical and user/personnel information security preparedness.

Information security aspect | Expected information security components | Implemented information security components | Percentage of information security preparedness it accounts for | National Police Service – Kenya level of information security preparedness
Organizational information security | 21 | 16 | 42% | 32% (16/21*42)
Technical information security | 24 | 13 | 48% | 26% (13/24*48)
User/Personnel information security | 5 | 4 | 10% | 8% (4/5*10)
Preparedness level | 50 | 33 | 100% | 66% (33/50*100)
Table 5: A summary of the National Police Service (Kenya) information security preparedness

Table 6 below summarizes the technical preventive, technical detective and technical responsive information security preparedness.

Technical information security aspect | Expected information security components | Implemented information security components | Percentage of information security preparedness it accounts for | National Police Service – Kenya level of information security preparedness
Preventive | 18 | 11 | 26.2% (18/33*48) | 16.0% (11/18*26.2)
Detective | 8 | 4 | 11.6% (8/33*48) | 5.8% (4/8*11.6)
Responsive | 7 | 5 | 10.2% (7/33*48) | 7.3% (5/7*10.2)
Table 6: A summary of the National Police Service (Kenya) preventive, detective and responsive information security preparedness
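The weighting (6.2.4), threshold (6.2.5) and case-study scoring (7.2) summarized in Tables 5 and 6 above, as an added example that is not the paper’s web based system: the component names follow the checklist in the appendix, the P/D/R tags on the technical components are an assumption read off Table 3 so that the category totals (18, 8 and 7) match the paper, and the case study is entered as the components ticked as absent in Tables 2 to 4.

```python
# Scoring model for the framework's weighting, threshold and case-study evaluation.
# Added example, not the paper's web based system. Component names follow the paper's
# checklist; the P/D/R tags on technical components are an assumption reconstructed
# from Table 3 so that the category totals (18, 8, 7) match the paper.
import re
from collections import Counter

# One string per aspect: components separated by ';', '(O)' marks an optional
# component, '[...]' lists the technical categories (P/D/R) a component serves.
FRAMEWORK = {
    "organizational": (
        "Exists; Regular review; Employee read sign; Simple and practical; "
        "Easily accessible; Data classification defined; Equipment classification; "
        "Owner; Responsibilities defined; Password policy; Guidelines; DRP; BRP; "
        "User registration; User de-registration; Anti-virus updating (O); "
        "OS and software upgrade; Back-up; Employee background check; "
        "Security violation penalty; Reporting"),
    "technical": (
        "Anti-virus s/w [PDR]; Anti-spyware s/w (O) [PDR]; CCTV [DR]; "
        "Security log [DR]; Back-up [PR]; Labels [PR]; IDS [D]; IPS (O) [PD]; "
        "Auditing & monitoring [D]; Alarms [D]; Configuration management [P]; "
        "Firewall [P]; UPS & Generator [P]; ACL [P]; Encryption [P]; Password [P]; "
        "Biometrics (O) [P]; VPN (O) [P]; WPA (O) [P]; WEP (O) [P]; SSID (O) [P]; "
        "MAC filters (O) [P]; Locks [P]; CERT [R]"),
    "user/personnel": (
        "User security information (O); Defined user responsibility; "
        "Employee training programs; Security awareness sensitization programs; "
        "System(s) administrator training programs"),
}
_ITEM = re.compile(r"^(?P<name>.*?)\s*(?P<opt>\(O\))?\s*(?:\[(?P<tags>[PDR]+)\])?$")


def components(framework=FRAMEWORK):
    """Parse each aspect string into a list of (name, optional, tags) tuples."""
    parsed = {}
    for aspect, spec in framework.items():
        matches = [_ITEM.match(raw.strip()) for raw in spec.split(";")]
        parsed[aspect] = [(m["name"], m["opt"] is not None, m["tags"] or "") for m in matches]
    return parsed


def aspect_weights(framework=FRAMEWORK):
    """Weight of an aspect = its component count / total components * 100 (42/48/10)."""
    comps = components(framework)
    total = sum(len(c) for c in comps.values())
    return {aspect: len(c) / total * 100 for aspect, c in comps.items()}


def threshold(framework=FRAMEWORK):
    """Baseline = mandatory components / total components * 100 (40/50 = 80%)."""
    comps = components(framework)
    total = sum(len(c) for c in comps.values())
    mandatory = sum(1 for c in comps.values() for _, opt, _ in c if not opt)
    return mandatory / total * 100


def evaluate(not_implemented, framework=FRAMEWORK):
    """Score a filled-in checklist: `not_implemented` maps aspect -> set of component
    names ticked as absent; every other component counts as present."""
    comps, weights, result = components(framework), aspect_weights(framework), {}
    for aspect, items in comps.items():
        absent = not_implemented.get(aspect, set())
        unknown = absent - {name for name, _, _ in items}
        if unknown:  # a misspelt name would otherwise silently count as present
            raise ValueError(f"{aspect}: unknown components {sorted(unknown)}")
        present = sum(1 for name, _, _ in items if name not in absent)
        result[aspect] = present / len(items) * weights[aspect]
    result["total"] = sum(result[aspect] for aspect in comps)
    result["gap"] = threshold(framework) - result["total"]
    # Technical sub-aspects: a component may serve several categories, so the category
    # totals (18 + 8 + 7 = 33) exceed the 24 technical components; each category's
    # weight is its share of the 33 multiplied by the technical weight (48%).
    tech, absent = comps["technical"], not_implemented.get("technical", set())
    expected = Counter(tag for _, _, tags in tech for tag in tags)
    present = Counter(tag for name, _, tags in tech if name not in absent for tag in tags)
    for tag, label in (("P", "preventive"), ("D", "detective"), ("R", "responsive")):
        sub_weight = expected[tag] / sum(expected.values()) * weights["technical"]
        result[label] = present[tag] / expected[tag] * sub_weight
    return result


def missing_mandatory(not_implemented, framework=FRAMEWORK):
    """Mandatory components ticked as absent: the gaps a LEA is expected to close first."""
    return sorted((aspect, name) for aspect, items in components(framework).items()
                  for name, opt, _ in items
                  if not opt and name in not_implemented.get(aspect, set()))


# Checklist results of the case study (Tables 2-4): components ticked as absent.
CASE_STUDY = {
    "organizational": {"Regular review", "Employee read sign", "Easily accessible",
                       "User de-registration", "OS and software upgrade"},
    "technical": {"CCTV", "IDS", "IPS", "Alarms", "Biometrics", "VPN", "WPA", "WEP",
                  "SSID", "MAC filters", "CERT"},
    "user/personnel": {"User security information"},
}

if __name__ == "__main__":
    scores = evaluate(CASE_STUDY)
    for key, value in scores.items():
        print(f"{key:>16}: {value:5.1f}%")
    print("below threshold" if scores["gap"] > 0 else "threshold met")
    for aspect, name in missing_mandatory(CASE_STUDY):
        print(f"  missing mandatory [{aspect}]: {name}")
```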

8.2 Pie chart

The pie chart below summarizes the results of the National Police Service (Kenya) information security preparedness evaluation. The organizational information security preparedness was found to be at 32% against the expected level of 42%; the technical information security preparedness was found to be at 26% against the expected level of 48%; the user/personnel information security preparedness was found to be at 8% against the expected level of 10%. 34% of the security components in the framework are not implemented in the National Police Service (Kenya).


Figure 13 (pie chart) labels: National Police Service (Kenya). Information security components NOT implemented: 34%. Organizational information security preparedness: expected 42%, implemented 32%. Technical information security preparedness: expected 48%, implemented 26%. User/Personnel information security preparedness: expected 10%, implemented 8%.

Figure 13: A summary of the results of the national police service (Kenya) information security preparedness evaluation

8.3 Conclusions

1) There is need to develop a means of determining the level of information security preparedness in a LEA, particularly in developing countries, and hence the development of this framework is of importance in providing this means.
2) There is also a need to evaluate the technical and non-technical information security aspects of a LEA, since information security involves more than just technical measures and technologies; it also involves factors such as the user/human aspect and the organizational aspect of information security.
3) To effectively determine the level of preparedness of a LEA, the use of quantifiable measures is necessary, hence the need to develop a weighting procedure that covers all the information security aspects of a LEA. The weighting procedure for this framework covers all three information security aspects. Most of the frameworks and approaches that I came across during the literature review lacked this weighting feature.
4) This framework is more suited for use by IT/IS/ICT experts/professionals, since they have knowledge of the various terms used in the framework which may be unfamiliar to non-IT/IS/ICT personnel.
5) Using this framework, it is possible to determine the level of information security preparedness in a LEA in percentage terms, hence being able to quantifiably report the weak or lacking aspects of information security.

8.4 Critical review and reflection

Some of the reasons or challenges (expressed by the four ICT/technical personnel that I interviewed) for the failure to implement the various information security components were:
1) Financial limitation: they informed me that the ICT department operates on a limited budget, i.e. inadequate integration of information security into the budgetary process.
2) Rigid information systems/computer users who demand certain requirements; for example, some computers are still using Windows XP despite their users having been advised of the advantages of upgrading, because some users claim they are familiar with it, and since some of these users are superior in rank to the head of ICT, the ICT department has no option but to comply.
3) Bureaucracy, where ranks have to be followed, hence implementation and decision making take longer than necessary.
4) Inadequate senior management support for information security.
5) Limited capability to detect, report and share information security threats due to the increased number, sources and ways of attack.
6) Limited information security training for general users, IT professionals and security professionals.
7) Under-emphasis of internal threats.
8) Lack of defined penalties for various offences of information security breaches.

8.5 Further work or recommendation

1) Some future development from this research would be to develop this framework to be able to cater for information security preparedness evaluation in different types of industries and organizations, such as private and public organizations, governmental and non-governmental organizations, etc.


2) There is need to refine the threshold factor: the minimum level or number of information security components a particular LEA is expected to have.
3) Further work is also needed in developing and refining the weighting procedure, to be able to determine which information security components are more important than others, which ones are mandatory and which ones are optional, etc., so as to assign weight according to the importance or criticality of a particular information security component/technology.
4) There is need for regular use of the framework, probably once a year at a minimum, to be able to continuously improve information security preparedness in a LEA and in order to minimize or eliminate the impact of attacks on the information systems.

APPENDICES

The checklist for the evaluation framework for information security preparedness in LEA’s

A checklist for the Evaluation Framework for Information Security Preparedness in LEA (Threshold = 80%). Tick if the security measure exists.

Evaluation of Organizational Information Security Preparedness (42%), 21/50*100 = 42%

Policies
1. Exists
2. Regular review
3. Employee read sign
4. Simple and practical (Easy to use)
5. Easily accessible
6. Data classification defined
7. Equipment classification
8. Owner (Designated authority)
9. Responsibilities defined
10. Password policy
11. Guidelines
12. DRP
13. BRP

Procedures
14. User registration
15. User de-registration
16. Anti-virus updating (O)
17. OS and software upgrade
18. Back-up
19. Employee background check
20. Security violation penalty
21. Reporting (incidents, weakness, malfunction)

Evaluation of Technical Information Security Preparedness (48%), 24/50*100 = 48%

Technical Security measures and Best Practices | P | D | R
1. Anti-virus s/w | ✓ | ✓ | ✓
2. Anti-spyware s/w (O) | ✓ | ✓ | ✓
3. CCTV | - | ✓ | ✓
4. Security log | - | ✓ | ✓
5. Back-up | ✓ | - | ✓
6. Labels | ✓ | - | ✓
7. IDS | - | ✓ | -
8. IPS (O) | ✓ | ✓ | -
9. Auditing & monitoring | - | ✓ | -
10. Alarms | - | ✓ | -
11. Configuration management | ✓ | - | -
12. Firewall | ✓ | - | -
13. UPS & Generator | ✓ | - | -
14. ACL | ✓ | - | -
15. Encryption | ✓ | - | -
16. Password | ✓ | - | -
17. Biometrics (O) | ✓ | - | -
18. VPN (O) | ✓ | - | -
19. WPA (O) | ✓ | - | -
20. WEP (O) | ✓ | - | -
21. SSID (O) | ✓ | - | -
22. MAC filters (O) | ✓ | - | -
23. Locks | ✓ | - | -
24. CERT | - | - | ✓

Evaluation of User/Personnel Information Security Preparedness (10%), 5/50*100 = 10%

Awareness, training & education
1. User security information (O)
2. Defined user responsibility
3. Employee training programs
4. Security awareness sensitization programs
5. System(s) administrator training programs

REFERENCES

[1] Livari, J. and Hirschheim, R. 1996, Analyzing Information Systems Development: A Comparison and Analysis of Eight IS Development. Information Systems Journal, 21 (7), 551-575
[2] Kruger, H. A., Drevin, L. and Steyn, T. 2006, A framework for evaluating ICT security awareness, ISSA Proceedings
[3] Schneier, B. 1999, Security in the Real World: How to Evaluate Security Technology, CSI’s NetSec Conference in St. Louis, MO. Computer Security Journal, Volume XV, Number 4
[4] Cremonini, M. and Martini, P. 2005, Evaluating Information Security Investments from Attackers Perspective: the Return-On-Attack (ROA), 4th Workshop on the Economics on Information Security
[5] Carnegie Mellon 2008, Information Security Risks Evaluation, The OCTAVE Approach
[6] Alberts, C. and Dorofee, A. 2003, Managing Information Security Risks, “The OCTAVE Approach”, Addison-Wesley Publishing, ISBN: 0321118863
[7] Torres, J. M., Sarriegi, J. M., Santos, J. and Serrano, N. 2006, Managing Information Systems Security: Critical Success Factors and Indicators to Measure Effectiveness, Springer-Verlag Berlin Heidelberg, Managing Information Systems Security
[8] Alfawaz, S., May, L. and Mohanak, K. 2008, E-government Security in Developing Countries: A Managerial Conceptual Framework. In: International Research Society for Public Management Conference, 26-28, Queensland University of Technology, Brisbane
[9] Lyytinen, K. 1987, Different Perspectives on Information Systems: Problems and Solutions. ACM Computing Surveys, 19 (1)
[10] Pfleeger, C. P. and Pfleeger, S. L. 2003, Security in Computing. Third ed.: Prentice Hall
[11] Brown, D. A. 2002, GSEC Practical Assignment Version 1.3, Steps to Secure a Law Enforcement Network, SANS Institute
[12] Reese, L., Fitzgerald, J. and Thomas, B. 2008, SERRI Project: Law Enforcement Regional Technology Assessment and Gap Analysis, U.S. Department of Homeland Security, U.S. Department of Energy Interagency Agreement 43WT10301
[13] Wilson, L. L. 2010, Before the Emergency: A Framework for Evaluating Emergency Preparedness Alternatives at Higher Education Institutions, Lexicon, Department of Homeland Security (DHS), p. 19–20, National Government Association (NGA) 1979, CEM Governors’ Guide, p. 13
[14] Saunders, K. M. and Zucker, B. 1999, Counteracting Identity Fraud in the Information Age, The Identity Theft and Assumption Deterrence Act, International Review of Law, Computers & Technology, 13:2, 183-192
[15] Relyea, H. C. 2002, E-gov: Introduction and overview, Library of Congress, Congressional Research Service, Government Information Quarterly 9–35, Washington, DC 20540-7470, USA
[16] NIST 2006 (Gutierrez, C. M., Cresanti, R. and Jeffrey, W.), National Institute of Standards and Technology, Recommended Security Controls for Federal Information Systems, High-impact Baseline, NIST Special Publication 800-53, Revision 1 Excerpt, ANNEX 3
[17] National Strategy for Homeland Security October 2007, National Cyber Security Division (NCSD), Cyber Security Vulnerability Assessment (CSVA) tool
[18] Gordon, L. A., Loeb, M. P., Lucyshyn, W. and Richardson, R. 2005, CSI/FBI Computer Crime and Security Survey
[19] Carter, D. L. and Katz, A. J. 1996, Computer Crime: An Emerging Challenge for Law Enforcement, FBI Law Enforcement Bulletin Journal Volume: 65 Issue: 12, Pages: 1-8
[20] Abele-Wigert, I. 2006, Challenges Governments Face in the Field of Critical Information Infrastructure Protection (CIIP); Stakeholders and Perspectives, CIIP Handbook

