The Challenge – Security Vs. Mobility

The overwhelming increase in the mobility of the corporate workforce and the availability of wireless internet connections in airports, hotels, and coffee houses create an unbearable challenge for IT managers. Whenever employees travelling with their laptops connect to a hotel hotspot, they are in fact connecting their corporate computers to an unsecured network shared by hundreds of guests. This innocent connection jeopardizes sensitive data and can bring security threats back into the corporate network when the laptop returns to the office. For this reason, IT managers have adopted rigid security policies, creating a conflict between the need for security and the productivity of the mobile workforce. For example, some organizations treat returning laptops as “infected” and completely format and clean them. Some allow dial-up connections only (no Wi-Fi), while others go further and completely prohibit connecting laptops to the Internet outside the corporate network.
This unbearable conflict between security and mobility can only be solved if the mobile workforce is equipped with the same level of security it has inside the corporate network. To understand what this means, we should examine the level of security that is maintained inside corporate networks.

Corporate Network – Two Lines of Defense

Corporate users enjoy higher security levels inside the corporate network because they operate behind two lines of defense. The first line of defense is a set of robust security appliances, installed at the IT center and exclusively controlled by the IT department. It is largely based on a comprehensive set of IT security appliances running a secured and hardened OS, with Firewall, IDS, IPS, Anti Virus, Anti Spyware, Anti Spam and Content filtering. The second line is based on the Personal FW and Anti Virus software installed on end users’ computers.

The first line of defense completely isolates the user at the physical and logical layers.
Unlike PCs, these appliances are equipped with hardened operating systems that do not have security holes, “back-doors”, or unsecured layers. They are designed for a single purpose: to provide security.

The first line of defense provides the following advantages:

  • Mobile code is not run – Content arriving from the internet is not executed on these appliances; it either passes through into the network or it does not. This makes the appliances more difficult to attack, as the mobile code delivered by hackers does not run on them.
  • Cannot be uninstalled – Security attacks often start by targeting the security software, trying to uninstall it or stop its activity. Software-based security solutions, like any software program, include an uninstall option that can be targeted. In contrast, hardware-based security appliances cannot be uninstalled, as they are hard coded into the hardware.
  • Non-writable Memory – Hardware-based solutions manage memory in a restricted and controlled manner. The security appliances can prohibit access to their memory, providing greater protection against attacks on the security mechanism.
  • Controlled by IT personnel – The security appliances are controlled by IT, who constantly maintain the highest security policies and updates.
  • Performance – The security appliances are optimized for maximum security and operate independently from computers in the network, not degrading the performance of the desktops or consuming their resources.

Consequently, the corporate PCs reside in a secured environment. If the security is breached, at least the damage stops at the gateway. The first line of defense prevents threats from entering the corporate network, while the second line serves as a precaution and helps defend against threats that may have already entered the network (e.g. emails).

But the real problem starts when the corporate PCs go in and out of this secured environment. Outside the corporate network they are at the frontline with no first line of defense. The problem intensifies as they return, bypassing the first line of defense as they enter the network. These laptops can be considered the greatest threat because they unknowingly carry security threats into the supposedly safe network.

Posted in Home Security | Leave a comment

The Business Of Home And Commercial Alarm And Security Systems

Alarm systems are intended to defend lives and possessions if they are installed, used, and maintained properly. Data show that homes without a burglar alarm system (for example) are five times more likely to be targeted. Alarm systems are also great for fires and other crises.

Alarm systems are meant to protect lives and belongings if they are positioned, used, and maintained properly. Data show that homes without a burglar alarm system (for example) are four times more likely to be targeted. Alarm systems are also great for fires and other crises. Alarm systems are installed strategically in consultation with home and building owners. Another benefit of alarm systems is that insurance companies will offer reduced rates for building and/or homeowners insurance if the proper burglar and/or fire alarm systems are installed. And don't forget, fire alarm systems are operational and on duty 24 hours a day, 7 days a week, 365 days a year.

There are many different applications for alarms. The most frequent are of course the fire and intrusion types, but other applications are being rolled out at a rapid pace. Think of applications such as medical alarm systems (also called personal alarms, and medical alert devices). These systems are designed to activate the EMS service in the event that a person becomes injured, sick or ill.

Alarm systems can be stand-alone (i.e. an acoustic device is set off in the case of an intrusion or fire event), or they may be monitored by an outside monitoring company. Remote alarm systems are used to connect the control unit to a preset monitor of some sort, and they come in many different configurations. Telecom lines are traditionally used to transmit a signal when an alarm event (fire, break-in, etc.) occurs. These systems are interfaced with an auto-dialer that will automatically notify the fire or police departments in the event of burglary or fire. Most monitored burglar alarm systems are equipped with hi-tech battery and/or mobile backup systems that kick in straight away should your power or phone connection fail. This prevents a would-be thief from cutting the phone line to stop the alarm system from notifying the monitoring service.

Some alarm systems are tied to video surveillance systems so that current video of an intrusion area can be instantly displayed on a remote monitor, not to mention recorded.  With new technology, alarm systems are not only available as hardwired devices, but also as wireless.  The introduction of wireless alarm technology means that new sensors can be added quickly and easily without the need to run wires back to a control panel.

One of the major downsides of alarm systems is false alarms. When an alarm system is not properly installed, used or maintained, the number of calls for police and fire dispatches may increase. In many municipalities the alarm owner may be fined or cited if the alarm system becomes a nuisance. That said, in 1994 the International Association of Chiefs of Police passed a Board Resolution stating that professionally installed and monitored alarm systems are useful instruments to deter crime and provide peace of mind for residential and business owners.


Common Criteria: A Prime Factor In Information Security For The DoD

Is your vital information secure? How do you know? There are several ways to increase confidence in the security of your vital information. The data could be moved to a non-accessible location. A security firm could be hired to install, update, and monitor the system.

But perhaps the easiest method, and one that is now mandatory for the Department of Defense, is the use of information technology products that have been independently evaluated and certified. While this sounds like a great idea, how does one find such IT products?

The answer is that certified products are listed on the National Information Assurance Partnership (NIAP) Web site. The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) established the NIAP to evaluate information technology product conformance to international standards, namely the Common Criteria (CC). The program, officially known as the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) for IT Security, is a partnership between the public and private sectors.

The program was implemented to help consumers select commercial off-the-shelf (COTS) IT products that meet their security requirements and to help manufacturers of those products gain acceptance in the global marketplace. One of the program’s main objectives is to improve the availability of evaluated IT products.

The other key element of Instruction 8500.2 is the inclusion of definitions for generic “robustness” levels and the assignment of “baseline levels” of IA services to those robustness levels, depending on the value of the and the environment in which the is used. Robustness level descriptions help the ISSE and DAA determine at which level of CC assurance a must be evaluated. This is passed on to the vendor for use in developing an evaluation services contract with a CCTL.

The ISSE and DAA should also consider the following when selecting the evaluation assurance level: the value of the assets being protected; the risk of those assets being compromised; the resources of those who might try to compromise the assets; and the ” requirements, mission, and customer needs.”

Instruction 8500.2 also augments key points from Directive 8500.1. Products available “under multiple-award schedule contracts or non-Defense Department Government-Wide Acquisition Contracts awarded before July 1, 2002, must be evaluated when and if a version release of the is made available under the contract.” Simply stated, this means that products that just now being received by the United States Department of Defense contracts awarded before July 1, 2002, be evaluated and validated the CC.

The instruction also states that “although products that have not satisfactorily completed may be used, contracts shall require. be satisfactorily completed within a specified period of time.” This statement gives contract officers the task of ensuring the purchase contract includes provisions requiring vendors to complete the CC . Vendors cannot simply submit their products for and then not complete the process.

Vendors can work with their CCTL and the Defense to determine a reasonable period of time for the , which could be any number of months depending primarily on complexity, vendor evidence preparedness, assurance level chosen, and the lab’s familiarity with the technology. Finally, the instruction states that the original contract specify that ” validation will be kept current” where use is anticipated for subsequent versions of that.

CC certificate maintenance is another task that requires effort and planning on the part of the vendor because CC certificates apply to a specific version and configuration of a . The requirements for maintaining that certificate across future versions of the are described in a document entitled “Assurance Continuity: CCRA Requirements,” issued in February 2004 by the international body responsible for maintaining the Common Criteria.

You can obtain a copy of this document from any CCTL or the NIAP CCEVS. Contract officers should ensure their vendors are aware of the completion and certificate maintenance clauses in their contracts so that products do not fail to meet and maintain the CC certification requirements for continued use. As with Directive 8500.1, the heads of components are entrusted with the responsibilities to ensure systems employ solutions in accordance with the 8500.2 sections describing evaluations.

Further emphasizing the importance the federal government and placing on evaluations, public law includes provisions for evaluations and the often-sought-after waivers to such policy requirements. Subtitle F: Information Technology, Section 352 of Public Law 107-314, passed in December 2002, directs the secretary of defense to establish a policy to limit the acquisition of assurance products to those products that have been evaluated and validated in accordance with appropriate criteria, schemes, or programs. Such criteria or schemes include the NIAP CCEVS and the internationally developed CC.

While experienced vendors will state that acquisition policy requirements can sometimes be waived, the waiver clause in Public Law 107-314 authorizes the secretary of defense to provide such waivers only for U.S. Therefore, this law makes it difficult to obtain waivers to the acquisition policies requiring CC evaluations. Clearly, independent evaluations are important to both the federal government and the , as NSTISSP #11, 8500.1, 8500.2, and Public Law 107-314 confirm.

Such evaluations allow the to have confidence that the products it purchases meet the security claims made by the vendors. While the bulk of the work for obtaining these evaluations falls to the , the is responsible for ensuring that products are evaluated and validated in accordance with the contract requirements stated in the ‘s own policies.

The is also for assisting the with the selection of the assurance level for the since that assurance level is chosen based on the protection needs and the application of purpose.

The understand that such evaluations and their subsequent maintenance are not trivial tasks: They take weeks or months to complete depending on the stage , the preparedness of the to supply the required evidence, and the complexity of the . Common Criteria evaluations play an important role in protecting . For this reason, procurement officers, contract officers, and vendors should familiarize themselves with the criteria and the process.
