Charlotte E. McConn, Jungwoo Ryoo, Tulay Girard, Penn State University, Altoona College

ASSESSING INFORMATION SYSTEMS SECURITY WITHIN LOCAL GOVERNMENTS: A PILOT STUDY FOR CENTRAL PENNSYLVANIA


Page 1

ASSESSING INFORMATION SYSTEMS SECURITY WITHIN LOCAL GOVERNMENTS: A PILOT STUDY FOR CENTRAL PENNSYLVANIA

Charlotte E. McConn, Jungwoo Ryoo, Tulay Girard, Penn State University, Altoona College

Page 2

Overview

• Rationale
• Methodology
• Theoretical framework
• Small local government interviews
• Study results

Page 3

Threats & Vulnerabilities

Could be internal (employees) or external to the organization

Malicious Threats
• Interruption of service: Denial of service attack, SPAM
• Interception of data: Packet sniffing
• Modification of data: Fraud, Embezzlement
• Social Engineering: Phishing, Extortion

Natural Threats
• Fire
• Flood
• Hurricane
• Tornado

Normal technical problems
• Hardware: Power failures or surges, Disk crashes
• Downtime

Page 4

Importance of Security

• Data loss / Identity theft
• Financial loss - $$$$$$$?
• Loss of privacy / peace of mind
• Employment risks / liability
• Criminal prosecution
• Personal productivity / time wasted

Page 5

Rationale

Preliminary literature search indicated:
• Information systems security is a major concern of many organizations.
• Security policies have been developed and security funding is available for large federal and state governing bodies.
• Not much research has been published on security issues faced by small local governments, policies in place and enforced, and funding available for security.

Page 6

Research Objectives

Build an assessment framework and measurement model that can quantify the overall information systems security readiness of a specific type of organization.

In particular, measure the vulnerabilities and security readiness of small municipalities.

Page 7

Methodology

This is a preliminary study that was carried out in the following four steps:

Step 1: research the structures of local governments in central Pennsylvania,
Step 2: form an advisory board with expertise in Pennsylvania local governments,
Step 3: interview key individuals who have first-hand knowledge of the information systems used in local governments, and
Step 4: analyze the interviews to discover and document what types of information technologies local governments use, security challenges they face, how they provide security for their systems, and the level of security readiness.

Page 8

Theoretical Framework

Measurement models for information systems security readiness have a core set based on these dimensions:

(A) Infrastructures,
(B) Policies, Education, and Training,
(C) Enforcement.

Page 9

A. Infrastructures

Security Software
• Secure operating systems
• Firewalls, virus scanners, anti-spyware
• Intrusion detection software
• Encryption software

Physical Security
• Locks, perimeter alarms, access restrictions

Human resources
• Employees designated to handle security-related tasks including planning, risk assessment, technical support, monitoring, auditing, etc.

Page 10

B) Policies, Education, and Training
• Are policies well developed and readily available to employees?
• Is periodic security training mandated and funded?

C) Enforcement
• What are the access and authorization controls?
• Are employee activities monitored?
• What are the accountability practices for deviations from published policies?
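As an added illustration, not the authors' instrument or any code from the study, the following Python sketch shows one way the three dimensions above, with their checklist questions, could be turned into the kind of quantitative readiness score the research objective calls for. The indicator names, the dimension weights and the three answer profiles are assumptions constructed for this example, not the study's interview data.

```python
"""Readiness-scoring sketch for the three-dimension framework.

Added example, not the authors' instrument: the indicator names, the
weights and the case profiles below are assumptions constructed for
illustration and are not data from the study's interviews.
"""

# Yes/no indicators for each dimension, drawn from the framework slides:
# security software, physical security and human resources under (A);
# policy availability and training under (B); access control, monitoring
# and accountability under (C). The exact list is an assumption.
INDICATORS = {
    "A. Infrastructures": [
        "firewall_and_antivirus_installed",
        "intrusion_detection_in_place",
        "encryption_for_backups_and_laptops",
        "physical_alarm_and_access_restrictions",
        "designated_security_staff",
    ],
    "B. Policies, Education, and Training": [
        "written_security_policy_exists",
        "policy_available_to_employees",
        "strong_password_policy_enforced",
        "periodic_training_mandated",
        "training_funded",
    ],
    "C. Enforcement": [
        "access_and_authorization_controls_defined",
        "employee_activity_monitored",
        "accountability_for_policy_deviations",
    ],
}

# Assumed dimension weights (sum to 1.0). Policies and training carry the
# most weight because the study singles that category out as needing the
# greatest improvement; any other weighting is equally easy to plug in.
WEIGHTS = {
    "A. Infrastructures": 0.35,
    "B. Policies, Education, and Training": 0.40,
    "C. Enforcement": 0.25,
}

ALL_INDICATORS = [i for inds in INDICATORS.values() for i in inds]


def profile(**flags):
    """Build a complete answer sheet; unlisted indicators default to False.

    Rejects names that are not in INDICATORS so a typo cannot silently
    inflate a score.
    """
    unknown = sorted(set(flags) - set(ALL_INDICATORS))
    if unknown:
        raise ValueError(f"unknown indicators: {unknown}")
    return {name: bool(flags.get(name, False)) for name in ALL_INDICATORS}


def dimension_scores(answers):
    """Fraction of indicators satisfied per dimension, each in [0.0, 1.0].

    An indicator missing from `answers` counts as not satisfied, so an
    incomplete interview lowers the score rather than raising it.
    """
    return {
        dim: sum(1 for i in inds if answers.get(i, False)) / len(inds)
        for dim, inds in INDICATORS.items()
    }


def readiness_score(answers):
    """Weighted overall readiness on a 0-100 scale, rounded to one decimal."""
    scores = dimension_scores(answers)
    return round(100 * sum(WEIGHTS[d] * s for d, s in scores.items()), 1)


def weakest_dimension(answers):
    """Dimension with the lowest score; ties go to the first listed."""
    scores = dimension_scores(answers)
    return min(scores, key=scores.get)


def gap_report(answers):
    """Unsatisfied indicators grouped by dimension, i.e. the remediation list."""
    return {
        dim: [i for i in inds if not answers.get(i, False)]
        for dim, inds in INDICATORS.items()
    }


# Constructed profiles (assumptions, not the study's data): a borough with a
# firewall, a written policy and defined access controls but no monitoring;
# a township with nothing beyond a firewall; and an all-indicators-met target.
CASE_1 = profile(
    firewall_and_antivirus_installed=True,
    written_security_policy_exists=True,
    policy_available_to_employees=True,
    access_and_authorization_controls_defined=True,
)
CASE_2 = profile(firewall_and_antivirus_installed=True)
TARGET = profile(**{name: True for name in ALL_INDICATORS})

if __name__ == "__main__":
    for label, answers in [("Case 1", CASE_1), ("Case 2", CASE_2), ("Target", TARGET)]:
        print(label, readiness_score(answers), "weakest:", weakest_dimension(answers))
        for dim, gaps in gap_report(answers).items():
            if gaps:
                print("  ", dim, "->", ", ".join(gaps))
```

The scoring deliberately treats an unanswered indicator as unmet, so an incomplete interview cannot inflate a municipality's readiness, and the gap report turns the same answer sheet into a concrete remediation list for the weakest dimension.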

Page 11

Local governments in PA

• 57 Cities
  Major metropolitan areas: Philadelphia (East) & Pittsburgh (West)
• More than 900 Boroughs
  Populations vary from less than 100 to over 38,000
  About 1/3 are urban; the rest are rural
• Townships
  Larger in area and typically surround a borough or city
  91 urban & 1400 rural townships

Page 12

Communities Studied: Central Pennsylvania, USA

Page 13

Interviews Conducted

Case 1: an urban borough
• Population: over 5000
• 47 employees
• 7 networked workstations

Case 2: a rural township
• Population: over 4000
• 18 employees
• 2 stand-alone microcomputers

Case 3: a rural borough
• Population: just over 900
• 10 employees
• 2 stand-alone PCs, one with internet connection

Local computer consultant
• Provides support to #1 and #3 as well as many other small local municipalities

Page 14

Initial Interviews

• How is each local government organized?
• What types of computer applications are used?
• Which individuals within each organization have access to the computer systems and sensitive data?
• Who is responsible for information systems and security?
• What types of information systems security training do employees receive?
• What types of computer security systems are installed?
• Who is responsible for technical support for the information systems? Is the support provided within the organization or outsourced to an external firm?

Page 15

Study Outcomes

A. Infrastructure

i. Software security: the local government officials in this study were aware of the importance of firewalls and anti-virus software. However, they were less aware of the possibility that their information systems might have been compromised.

ii. Physical security: needs to be improved. In two of these communities, doors were locked at the end of the day, but no alarm systems were installed.

iii. Human resources: there is a need for a designated person to handle risk assessment, security planning, employee monitoring, and intrusion detection/prevention, which was minimal or non-existent in the communities in this initial study.

iv. Outsourcing: the case studies show that many local governments outsource their information technology projects. More oversight is necessary to prevent outsourcing from becoming another source of security vulnerabilities.

Page 16

Study Outcomes

B. Policies, Education, and Training

This category shows the greatest need for improvement. There seems to be a widespread lack of well-defined and well-documented information systems security policies. Training appears to be sparse. All the key informants in the case studies expressed an interest in more security training, but they agreed that funding is the biggest obstacle.

A minimum set of security policies needs to be established to address:
• the enforcement of strong passwords and periodic changes in them,
• the encryption of data, especially on back-up devices and laptops,
• the specification of more secure locations for back-up data storage devices,
• the regular information systems security training of any employees who have access to sensitive data.

Page 17

Study Outcomes

C. Enforcement

Although this study found that one local government does have limited security policies in place, it suggests that policy enforcement is weak because supervisors are not monitoring employees' activities relevant to information systems security.

Local government employees must not only be better trained, but their usage of the information systems must also be monitored. Employees violating published information systems security policies should be held accountable.

Page 18

Future Directions

This study will serve as a basis for a more exhaustive study of communities throughout the state.

Page 19

Questions & Contact Info

Charlotte Eudy McConn, M.S., CDP
• [email protected]
• www.personal.psu.edu/cxe6

Jungwoo Ryoo, Ph.D.
• [email protected]
• www.personal.psu.edu/jxr65

Tulay Girard, Ph.D.
• [email protected]