ARCHITECTURE ● ENGINEERING ● COMMUNICATIONS TECHNOLOGY
AVIATION | CIVIL | CONSTRUCTION SERVICES | DATA SYSTEMS | ENVIRONMENTAL
FACILITIES ENGINEERING | GEOSPATIAL | NETWORKS | PUBLIC SAFETY | TRANSPORTATION
Cyber Security: NG-SEC 101
What you need to know and how to achieve compliance
Jeremy L. Smith, CISSP
Webinar Frequently Asked Questions
• Q&A at the end, please use your chat pod in the left corner
• Today’s webinar is being recorded and will be sent
• PowerPoint slides to also be redistributed
• If you didn’t register, email [email protected] to ensure you receive the slides
The NG9-1-1 Educational Series
• 9 key initiatives
• Overview white paper and webinar
• Individual webinars for each of these topics (some might be grouped)
• White papers for each initiative
• Last until National NENA
Today’s Presenter
Jeremy Smith, Senior Cyber Security Consultant, L.R. Kimball
Overview
• Part 1: NG-SEC Overview
– NENA & Cyber Security
– Why do we need Cyber Security in NG9-1-1?
– What is NG-SEC & why do we need a security standard?
– What does NG-SEC cover?
• Part 2: Achieving Compliance
– How does NG-SEC affect me?
• PSAP
– PSAP CPEs that are currently not interconnected
– PSAP CPEs that are interconnected (e.g. in a host/remote, WAN)
• Vendor
• State Agency
– Where/How do I start the compliance process?
Bio
• Co-chair of the NENA NG9-1-1 Security (NG-SEC) Working Group
• Sr. Cyber Security Consultant for L.R. Kimball
– Leads the L.R. Kimball Cyber Security Consulting team
• Certified Information Systems Security Professional (CISSP)
• Master of Science in Information Systems Management with emphasis in IT Security; M.B.A.
• Adjunct university faculty teaching cyber security to graduate/undergraduate students
• Past:
– 7 years with PlantCML
• Cyber Security Professional Services for 911 call centers
• Helped build Managed Services offering
• Lead Solutions Architect for NYPD/FDNY project
– Former Network Administrator, Microsoft Certified Trainer, & Marine
NG9-1-1: Your Target
Cyber Security
Part 1
NG-SEC Overview
Cyber Security - Defined
• Protection of information/property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and useful to its users.
• Collective processes and mechanisms by which valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively
• Translation:
– Keeping your mission critical infrastructure or systems and the information stored on them safe and available!
Why do we need Cyber Security in NG9-1-1?
• Legacy 9-1-1 was typically not connected to other networks
• Barriers to attack were high
– Logistics
– Easier targets elsewhere
• In NG9-1-1, we are all connected
• Barriers to attack dramatically decrease
• 9-1-1 is an attractive target
• The need for cyber security has never been greater
NENA & Cyber Security
• NENA is actively involved in ensuring that 9-1-1 stays secure during & after the transition to NG9-1-1
• Established a Joint Working Group: “Security for NG9-1-1”
– Responsible for all things security in NG9-1-1
– Co-chaired by Jeremy Smith & Gordon Vanauken
– Broad industry representation (e.g. State, PSAP, Vendor, telco, consultant, etc.)
– Officially released standards on 2/6/10
• NENA Document 75-001
– Standards are known as NG9-1-1 Security (NG-SEC)
What is NG-SEC?
• NG9-1-1 Security, or NG-SEC, is the first comprehensive Cyber Security standard for the Public Safety industry
• Applies to ALL NG9-1-1 entities:
– PSAPs
– Telcos
– Vendors
– Content Providers
– Everyone!
• Covers a broad range of security areas
– (more on this later…)
Why do we need a Cyber Security standard?
• With everyone connected, the need for a consistent baseline becomes critical:
– How does one agency and/or ESINet ensure that another cannot take it down?
– How will each agency know what to do?
– Each agency could have a different interpretation of what it means to be secure
– How would many in the industry go from “no security” to “enough security”?
– What is enough security?
– How will vendors be able to comply without a baseline?
– Chasing a moving target
Standards provide a consistent baseline to start improving security during and after the transition to NG9-1-1
But NG9-1-1 isn’t here yet… can I wait??
• True, but many entities are currently planning NG9-1-1 deployments, migrations, etc.
– And some of you are even deploying networks and other NG9-1-1 foundational elements
• The systems that are being bought today will likely be migrated to NG9-1-1 as opposed to forklifted
• Entities need to start the planning process now
– New costs, new operations, new processes, new technology
– Security must be built into NG9-1-1 from the outset, not bolted on later
What does NG-SEC Address?
4. Security Policies
5. Information Classification & Protection
6. General Security (network connectivity, multi-homed devices, wireless, and more)
7. Safeguarding Information Assets (user ID and authentication, passwords, system access, certificates, access control, rights and permissions, encryption, viruses, patching, auditing, and more)
8. Physical Security
9. Network and Remote Access (includes firewalls, VPNs, etc.)
10. Change Control and Documentation
11. Compliance Audits and Reviews
12. Exception Approval and Risk Acceptance Process
13. Incident Response Plan
*Section titles map to actual NG-SEC sections
Some important things to note about NG-SEC
• Designed to provide a baseline
– Consistent foundation for security standardization
• Will continue to evolve and change as threats change
– Isn’t perfect
– Workgroup is permanent
• Allows for flexibility to exceed the standards to the nth degree
Part 2: Complying with NG-SEC
Where do I begin if I am a:
• PSAP / Dispatch Center
• State Agency
• Vendor / Maintenance Provider
• Content Provider
Compliance – defined
• At a high level, achieving NG-SEC compliance means purposefully creating, procuring, installing and maintaining NG9-1-1 solutions in a fashion that meets or exceeds the detailed security requirements outlined in the NG-SEC specification, confirmed through independent and recurring verification.
• More plainly, it means increasing the level of security in your NG9-1-1 solution and having it independently verified against the NG-SEC spec.
The most important thing you can do now…
Begin the planning process!
I am a PSAP…
How does NG-SEC affect me?
Perspective
• Connectivity:
– PSAPs that are currently not interconnected
• E.g. standalone, or part of a COG/RPC or some other regional-type WAN, etc.
– PSAPs that are interconnected
• E.g. host/remote configuration, or just a WAN for sharing map data, etc.
• NG9-1-1 Planning
– Actively planning your NG9-1-1
– Have not started actively planning for NG9-1-1
The Basics (applies to all)
1. Get educated
2. Take responsibility for securing your system
3. Conduct a gap analysis / readiness assessment
– How far away are you from compliance?
– People, Processes, and Technology
4. Start planning / budgeting now
– Integrate into NG9-1-1 plans
5. Execute
– Buy systems that are capable of being compliant
– Make existing systems compliant
– Weave security into everything you do
Not connected today…
• If you are not yet interconnected…
– You have a little more time
– Take advantage of the time you have to prepare
– But you need to focus more on PSAP security and less on the network
– Plan ahead by increasing PSAP security to reduce risk when the network does come
Connected today (e.g. WAN, host/remote)
• If you are part of a WAN (e.g. sharing map data today, or as part of some host/remote config)
– You have already introduced risk, which will increase as NG9-1-1 evolves
– You need to focus on PSAP security
– But you also need to ensure your WAN is compliant
– It is not too late to start actively planning for NG-SEC compliance – but start immediately
NG9-1-1 Plans
• Every aspect of your NG9-1-1 transition should have a security element
– If you are building an ESINet, make NG-SEC compliance a requirement to connect to it
– Procurements should include it as an element – put it in the RFPs
• Seek out new funding
– Inform your government entities / leaders
– Grants
• Don’t wait until NG9-1-1 gets here or is deployed
– Take advantage of the time you have now to develop your security program
NG-SEC Compliance LifeCycle
Source: Byrnes, C., & Scholtz, T. (2005). Use Information Security Program Maturity Timeline as an Analysis Tool. Gartner.
Some helpful tips
• Focus on the journey
– Security is a journey, not a destination
• Compliance is a key element, but not the only one (e.g. monitoring, governance, etc.)
– Define the vision
• Know where you are (gap analysis / readiness assessment)
• Know where you want to go (security plan / roadmap)
• Some security is better than no security
– Do what you can handle/afford
– Better than doing nothing
– Break it into manageable chunks
I am a State Agency…
How does NG-SEC affect me?
State Agencies
• Some things to consider:
– Establish state-level governance and policies
– Ensure any state-run equipment is compliant
– Include it in pilot programs to see how agencies will handle it?
– NG-SEC compliance a requirement for inclusion on state contract?
– Statewide audit program?
– Only fund centers who are NG-SEC compliant?
– State-funded penetration/vulnerability assessments?
Vendor, Maintenance Provider or Content Provider
How does NG-SEC affect them?
How does NG-SEC affect Vendors and Maintenance Providers?
• Build systems that are NG-SEC compliant
• Prove NG-SEC compliance by undergoing independent auditing
• Help customers
• Includes Telcos / Maintenance Providers!
– Sell NG-SEC solutions
– Provide NG-SEC compliant maintenance
How does NG-SEC affect Content Providers?
• The applications and networks used to provide the content must be NG-SEC compliant
• Content delivered must be NG-SEC compliant (as applicable)
• Must be willing to prove their compliance status
Other groups this may affect
• Federal?
– FEMA
– DHS
– DoD
– Other?
• State-level DHSEM?
• Healthcare?
• International information sharing?
– Cross border?
• Any entity involved in NG9-1-1 in any capacity…
Summary
Takeaways
1. NG-SEC is here!
2. Start with a Readiness Assessment
– “Gap analysis”
3. Then build the roadmap…
– Start the planning process now
4. Hold vendors accountable while taking responsibility to ensure you are compliant
NG9-1-1: Your Target
Questions?
Contact me: [email protected]
NG-SEC Coverage Areas
Optional / Time Permitting
Security Personnel & Policies
• Entities are required to have security policies:
– Sr. Management Statement of Policy
• Identifies who is formally responsible for security within the agency (Sr. Manager – e.g. 911 Director, Police/Fire Chief, Executive, etc.)
• Identifies supporting security personnel such as Security Administrators, Contractors/Consultants, Managed Services Providers, etc.
– Applicable Functional Policies
• Acceptable Use / Computer Usage Policy
• Authentication / Password Policies
• Physical Security Policy
• Hiring Policy
• Remote Access Policies
• Technology Selection Policies
• System Hardening/Configuration Policies
• Data Classification Policy
Information Classification & Protection
• Information classification is the framework for evaluating and protecting information and assets that contain information
• Information is categorized based on its sensitivity, applicable policies and/or legal and statutory requirements.
• Classifying Data:
– Public [Examples: RFP, Phone Number]
– Sensitive (Internal Use Only) [Examples: Internal Policies, Internal Communications]
– Sensitive (Restricted) [Examples: Salary information, Internal audit info, incident reports, firewall rules]
– Sensitive (Most Sensitive) [Examples: SSN, DL#, Passwords, Biometric data]
General Security
• Network security forms a cornerstone of the overall security posture for any NG9-1-1 Entity.
• An improperly secured network can present many problems to an NG9-1-1 Entity, such as providing an avenue for intrusion, loss of service including an inability to accept 911 calls, or a conduit for propagation of malicious code.
• Entities need to implement or conduct:
– Network Inventory
– Control network ingress/egress points with a firewall
– Avoid use of dual-homed devices
– Secure wireless connections
– Security training for employees and security personnel
– Incorporate security into all activities (e.g. project plan charters, new projects, purchases, etc. Build it into the DNA of the organization!)
Safeguarding Information Assets
• Identification & Authentication
– All devices require ID/Auth
– New users should be created according to a policy (e.g. written request, traceability, minimum access granted, etc.)
– Lock users out after failed logon attempts
– No autologon
– Passwords:
• Password is required
• Must be complex
• 8 characters
• Min age: 3 / Max age: 60
• Password History: 10
• Rights/Permissions
– Least Privilege
– Rename default accounts
• Encryption – when applicable
• Antivirus software is mandatory
• Systems must be patched with security updates
• Systems must be hardened
• Redundancy whenever possible and for critical systems
• Audit logs
• DR/BC plans created
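A gap check for the password and lockout items on this slide, written as an added example (not NENA's, NG-SEC's or L.R. Kimball's code): it parses constructed /etc/login.defs and PAM lines and reports which controls miss the slide's baseline. The thresholds are the slide's numbers; treating the ages as days and counting any pam_faillock deny= value as "lockout configured" are assumptions.

```python
import re

# Baseline from the slide: 8 characters, min age 3 / max age 60 (assumed to
# be days, as login.defs expresses them), history 10. The slide gives no
# lockout threshold, so any configured pam_faillock deny= value passes.
BASELINE = {"PASS_MIN_LEN": ("min", 8), "PASS_MIN_DAYS": ("min", 3),
            "PASS_MAX_DAYS": ("max", 60), "remember": ("min", 10)}

# Constructed sample /etc/login.defs excerpt (not taken from any real host).
SAMPLE_LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
"""

# Constructed sample PAM stack lines in the real pam_pwquality, pam_pwhistory
# and pam_faillock option syntax.
SAMPLE_PAM = """
password  requisite  pam_pwquality.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password  required   pam_pwhistory.so remember=5 use_authtok
auth      required   pam_faillock.so preauth deny=5 unlock_time=900
"""


def parse_login_defs(text):
    """Return {KEY: int} for the numeric PASS_* settings in login.defs."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(PASS_\w+)\s+(\d+)$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def parse_pam_options(text, module):
    """Return {option: value} for the first PAM line loading `module`, else None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == module:
            opts = {}
            for tok in parts[3:]:
                key, _, val = tok.partition("=")
                opts[key] = int(val) if val.lstrip("-").isdigit() else val
            return opts
    return None


def assess(login_defs_text, pam_text):
    """Gap analysis: list of (control, 'OK' or 'GAP', detail) in slide order."""
    findings = []
    defs = parse_login_defs(login_defs_text)
    for key in ("PASS_MIN_LEN", "PASS_MIN_DAYS", "PASS_MAX_DAYS"):
        kind, target = BASELINE[key]
        actual = defs.get(key)
        if actual is None:
            findings.append((key, "GAP", "not set"))
            continue
        ok = actual >= target if kind == "min" else actual <= target
        findings.append((key, "OK" if ok else "GAP", f"{actual} vs {kind} {target}"))

    # "Must be complex": pam_pwquality requiring at least one of each class.
    pwq = parse_pam_options(pam_text, "pam_pwquality.so") or {}
    classes = ("dcredit", "ucredit", "lcredit", "ocredit")
    complex_ok = all(isinstance(pwq.get(c), int) and pwq[c] < 0 for c in classes)
    findings.append(("complexity", "OK" if complex_ok else "GAP", str(pwq)))

    # "Password History: 10": pam_pwhistory remember= must reach the baseline.
    remember = (parse_pam_options(pam_text, "pam_pwhistory.so") or {}).get("remember", 0)
    remember = remember if isinstance(remember, int) else 0
    need = BASELINE["remember"][1]
    findings.append(("remember", "OK" if remember >= need else "GAP", f"{remember} vs min {need}"))

    # "Lock users out after failed logon attempts": pam_faillock with deny=.
    lock = parse_pam_options(pam_text, "pam_faillock.so")
    findings.append(("lockout", "OK" if lock and "deny" in lock else "GAP", str(lock)))
    return findings


def gaps(findings):
    """Names of the controls that miss the baseline."""
    return [name for name, status, _ in findings if status == "GAP"]


if __name__ == "__main__":
    for name, status, detail in assess(SAMPLE_LOGIN_DEFS, SAMPLE_PAM):
        print(f"{status:4} {name:14} {detail}")
```

Run it against a host's own /etc/login.defs and PAM files to produce the "how far away are you from compliance?" answer for this slide's items; Windows hosts need the equivalent check against local or domain account policy instead.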
Physical Security
• All NG9-1-1 Entity information resources shall be kept physically secured and protected from theft, misappropriation, misuse, unauthorized access and damage
• Locked doors
• Challenge folks who don’t belong
• ID badges shall be used on entrance to the building
• Mobile devices shall be protected (e.g. laptop in a hotel)
• Fire plans, fire suppression systems, UPS, generator, HVAC
• Equipment locked in server rooms/wire closets
Network and Remote Access
• Firewalls established at boundary points
• Stateful firewalls are the minimum (application layer recommended)
• VPNs used for remote access
• Intrusion Detection / Prevention Systems (IDS/IPS) should be considered
• Network diversity should be strongly considered with NG9-1-1
Change Control and Documentation
• Changes to the architecture, design or engineering of the NG9-1-1 networks shall include a formalized pre-cutover and post-cutover security review
• Formal change control process shall be followed and appropriate documentation shall be produced and retained
Compliance Audits and Reviews
• Agencies that deploy NG9-1-1 networks and develop security policies for them are required to conduct periodic audits or reviews to ensure that both the NG9-1-1 networks and the systems connecting to them comply with NG-SEC
– Audits can be conducted internally or externally.
– Internal audits are used to "self-check" an organization's compliance with security standards and/or policies.
– Entities performing internal audits or “self-checks” may use external, 3rd party resources if necessary
– An external audit leverages a non-biased 3rd party to independently perform the audit
• Internal audits shall be conducted at a minimum of annually.
• External audits shall be conducted at a minimum of once every 3 years.
• Security audits shall utilize various methods to assess the security of networks and processes, applications, services and platforms, including automated tools, checklists, documentation review, penetration testing and interviews
Exception Approval and Risk Acceptance Process
• There may be occasions when it is not possible to comply due to technical constraints, cost restrictions, or other reasons
• When such occasions arise, the resultant security risk shall be identified, documented and managed
– Risk justification: Provides a business case for waiver or exception of the security requirement
– Risk identification: Aims to thoroughly and unambiguously define the risk, the scope of what is at risk, and how the risk was identified.
– Risk assessment: Uses three risk factors to assess: the potential severity of the risk, the impact of the risk, and the likelihood of the risk actually happening. These factors assist in deciding the mitigation of the risk, and in determining the frequency of review for the risk.
– Risk analysis: Evaluates the feasibility and costs of different mitigation strategies relative to the potential cost impact.
– Risk acceptance and approval: Only when the risk cannot be totally removed or reduced to an acceptable level does it have to be accepted as is, with approval from the NG9-1-1 Risk Acceptance Approver and an Exception Approval/Risk Acceptance Form (EA/RAF).
Incident Response Plan
• An Incident Response Plan shall be implemented
• An Incident Response Plan is:
– A formal, written plan detailing how an organization will respond to a computer security incident. Examples of security incidents include virus outbreaks, hacking attempts, critical service outages, denials of service, and more