The VASWCD IT Committee works to provide advice and resources for Districts to improve their IT capabilities while maintaining a clearinghouse of IT best practices across Districts. The following covers some basic tips on IT security management from the VASWCD IT Committee. For more information on the IT Committee and its charter, click here.
The IT Committee regards ISO/IEC 27002 as the international standard for IT security best practices. It was adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide a code of practice for information security management. ISO/IEC 27002:2013 is the latest version. You may obtain a copy of the standard at www.iso27001security.com.
A simplified outline of the standard is given below.
Basic IT Security Management:
To protect an organization’s IT infrastructure and information, security management procedures should be adopted. At a minimum an organization should adopt the recommendations below.
Business Continuity – Implement a disaster recovery plan to ensure that your organization can recover from a business continuity event such as a fire or flood. As part of this, ensure that regular backups are made of organization-critical information. Backups are the last line of defense against hardware failure, the damage caused by a security breach, and accidental deletion of data.
Firewall – Use a firewall. A firewall acts as a barrier between the public internet and the organization’s network. It helps to protect the servers and PCs on the network from hackers and viruses.
Anti-Virus Software – Install up-to-date anti-virus software on all servers and PCs on the network and on all mobile devices such as laptops, tablets and smart phones. Anti-virus software is one of the main defenses against online threats. It continually scans for viruses, including Trojans and worms.
Security Patches – Install the latest security patches for the applications and operating systems utilized by the organization. As new threats emerge, regularly download the available security updates to ensure maximum protection.
Spyware – Implement measures and install software to stop spyware. Spyware is a threat to privacy, and the information it can harvest from a computer can lead to financial fraud.
Wireless Networks – Wireless networks should be implemented in a secure fashion. Without suitable protection, such as a firewall and encryption, Wi-Fi (wireless) networks are vulnerable to eavesdropping, hackers and freeloaders.
Spam Email – Implement measures to stop spam email. It is extremely inefficient for an organization’s staff to have to spend time dealing with unwanted spam email. Spam email clogs up email inboxes and may contain viruses and spyware.
Internet – Browsing the internet can be dangerous. Malicious websites contain viruses and spyware, and criminals create fake sites to steal personal information. Many websites also contain content that would be inappropriate for an organization’s staff to view. Organizations should implement systems to protect themselves from these dangers.
Outline Reference: http://www.ruskwig.com/security_management.htm
Example IT Security Policies are provided:
- Cybersecurity Tips (Homeland Security)
- Email Policy
- Mobile Device Security Policy
- Internet Policy
- Passwords Policy
- Security Policy
- User policy
A basic concept in Cybersecurity/IT Security is the idea of Personal Responsibility. Recent spectacular examples of IT breaches show the importance of individual actions. 1) The Sony hack was accomplished by the use of a disgruntled employee’s password. 2) The recently disclosed $1 billion robbery of major banks was accomplished by an email attachment that was opened by a bank employee. The attachment contained a program that allowed the thieves access to bank accounts.
Another very important concept for District employees to understand is that because our salaries are paid from public funds, our equipment is purchased with public funds, and we are conducting public business, our activities in pursuit of our duties are subject to public law at the local, state and federal levels. An example of an acceptable use policy for individuals using publicly funded computer equipment as covered by Virginia State Code is:
Public Records Management:
Federal Law – As public employees, we work with public records and information about members of the public we serve. Some of the information is “personally identifiable information” (PII) defined by the FTC as “Data that can be linked to specific individuals, and includes but is not limited to such information as name, postal address, phone number, e-mail address, social security number and driver’s license number.”
Public Law 93-579, enacted in 1974 as the Privacy Act, states that the right to privacy is a personal and fundamental right protected by the Constitution of the United States. It is therefore very important for District employees to safeguard the information entrusted to them and to understand that many of District employees’ activities are regulated by federal privacy laws.
Guidelines for safeguarding PII formulated by the National Institute of Standards and Technology (NIST) are given below:
Virginia State Law – The Library of Virginia provides an extensive guide for managing public records and reducing liability risks, using Virginia law as the legal authority for the guidelines.
Continuity of Operations:
Both the Library of Virginia’s Public Records Manual and the National Institute of Standards and Technology’s Guidelines address the concepts of Risk Management, Continuity of Operations Plans, Records Emergency Action Plans, Compliance Audits and ongoing Awareness Training for District staff.
Very briefly, Risk Management involves assessing which assets are most valuable and which functions are most critical in a District’s office, what the threats to them are, and how to protect against those threats.
Continuity of Operations Plans (COOPs) are formulated to enable a District to prepare for and keep operating during an emergency, such as a fire, flood, electrical outage or security breach. A COOP is a series of steps that enable a District to protect and retrieve essential data and equipment in order to efficiently continue or reconstruct basic operations.
Records Emergency Action Plans (REAPs) are plans that identify specific records essential to a District’s operations, and give steps for backing them up and retrieving them in an emergency. Essential records (as defined by the Library of Virginia) are an office’s active files, and can include personnel records, payrolls, and active contracts.
Compliance Audits are done periodically to assess how well a District and its staff are carrying out the plans they have adopted for continuity of operations and protection of valuable data and equipment, and how well they are complying with public law in the conduct of their daily business.
Awareness Training is given regularly to inform District staff about updates in public laws and new security threats, and to review District and State policies on records management and IT security.
The Library of Virginia Public Records Manual has live links to on-line training courses for records management and compliance. It provides, among other links, access to the Intergovernmental Preparedness for Essential Records Project. It also has guidelines for creating Continuity of Operations Plans and Records Emergency Action Plans.