Issue link: https://let.epubxp.com/i/407623
www.officer.com November 2014 Law Enforcement Technology 19 to their jobs must give up some level of control and privacy. But let's think about the unthink- able: What if a breach takes place? If the agency is prepared for that, then data loss could be minimized, even if an advanced persistent threat found a way in, or an insider decided to compromise a public safety computer system. So the agency policy FIRST has to focus on information security and not on the device that is used to access it. Most law enforcement agencies treat all information in their custody the same way, and apply security practices to the network using an "everything is criti- cal information" model. I'd argue that if everything is a priority, then really nothing is a priority. Therefore, the goal should be to better identify what to pro- tect and separate the most important information from any public network. This is already done in the federal sys- tem with classified information systems. In law enforcement, Communities of Interest (COIs) could be established to segment data in ways that will protect it from unauthorized exposure. SECOND, establish a security model and policy that addresses insider threats and not just the persistent attacks that hackers pose to the agency. To prevent data loss or breach, con- sider establishing COIs within a law enforcement or public safety agency. That solution means that information is only available to those employees with a need to access or review it as part of their official duties. Consider adopting a corporate risk management approach that includes continuous diagnostics, monitoring and segmentation of law enforcement data that will prevent a "Snowden moment" involving a police agency. THIRD, consider the use of cloud technology to shift the risk of protect- ing some public safety data to service providers that are well-equipped to protect it in accordance with federal information security policies and ser- vice levels written into the contract. Some vendors extend the same type of protection that exists within a private network to data in a public cloud. The goal in information security in a BYOD environment is not focused on the devices that are used to access the network, but on the data security prac- tices that the agency uses to classify and secure its data. ■ Robert Sprecher PMP, Practice Director for Unisys North American Public Safety and Justice Offerings, has 30 years of national and international law enforcement experience. He has worked as a detective, commander and department director for large, urban public safety agencies before joining Unisys. A highly publicized court case in 2005 vividly illustrated this issue when a police offcer in Santa Fe, New Mexico, was required to provide the court with access to records of his personal cell phone activity during a DUI arrest.