Policy on information security management for Estonian Police and Border Guard
Written By Udokwu Chibuzor Joseph, Olusola Thomas Ajayi and Ievgen Bilyk
Introduction
Information security management refers to a number of controlling measures that an organization undertakes to protect its information system from emerging risks (Isaca.org, 2015). This approach is becoming more and more widespread, as both private and public entities now rely on information systems in their operations. Also, the number of threats to these systems is growing rapidly. In this regard, Estonia seems to be particularly vulnerable, because the functioning of the state is dependent on its information system. Many transactions and documents are already provided only through this system, and their number is rising. To address these challenges, the Estonian Police and Border Guard needs to develop a policy on information security management. This essay discusses the main components that should be considered when developing such a policy: information systems security management strategies, key performance indicators of this management, and critical factors that impact the systemic security. These components are analyzed in the context of the Estonian information system, for instance with public key infrastructure taken into account. As a result, recommendations on a policy on information security management for the Estonian police are provided.
1.1 What is information security strategy?
A strategy defines a set of objectives of a certain organization and clearly stated procedures and policies that will help the organization achieve those objectives. In the case of information security, the strategy must clearly identify the goals of the information systems in the organization and the various actions that will be taken to keep these information systems secure.
Information System architecture is a formal definition of the business processes and rules, systems structure, technical framework, and product technologies for a business or organizational information system (Cavalcanti, 2015). In designing the information system of the Estonian Police, it is important to identify the systemic structure of these information systems and product technologies that will be used to achieve them.
1.2 Information assurance
Information assurance is a set of measures taken in order to ensure the confidentiality, integrity, and availability of information stored in the information systems (e.g. a database).
1.3 High availability information system architecture
This architecture aims to guarantee 100% availability of information systems. This is achieved by keeping a mirrored copy of an information system in a secured location. In the event of failure, the mirror copy of the system is switched on automatically without any downtime. This system is redundant and quite costly to implement. So, the Estonian police should consider using this architecture only for critical information and critical services.
1.4 Product technology and suppliers
The software products and technologies used for designing these information systems are very important because of the possible vulnerabilities that they may present. Also, the vendors and suppliers of this software have to be evaluated before a supply agreement is made. Legacy software and vulnerabilities, such as zero-day exploits, give an attacker from the outside various ways to gain access to the network. A legacy system means an outdated or obsolete technology that is still in use by an individual or organization (Webopedia.com, 2015). Such software presents a security risk to the information systems of the Estonian Police board.
Therefore, it is important that the Estonian Police always gets its software supplies from vendors with a proper security certificate. Such vendors should also provide regular updates in order to patch any vulnerability that is found within their software.
1.5 Intrusion detection systems and intrusion prevention systems
An intrusion detection system (IDS) is a device or software designed to monitor and detect malicious activities over a network. A log of malicious activities is usually kept by the IDS as .log files. Modern IDS systems are capable of detecting intrusions and sending details of malicious activities to the management station of the information system. Some intrusion detection systems are also capable of preventing intrusions by stopping such malicious activities and sending a report to the security administrator. The latter are referred to as intrusion detection and prevention systems (IDPS).
Various models of intrusion detection and prevention systems exist. The main defining factor of the various models of IDPS is where they are positioned in a network. If an IDPS is placed outside the gateway to the network of an organization, then such systems are called host-based IDS systems. The main goal of this model of IDS is to detect malicious activities coming from outside the organization’s network. When a suspicious activity is detected on a user side, that user’s IP address is logged and usually blacklisted. The main flaw of this system is that it doesn’t monitor activities coming from within the organization’s network (subnetworks).
Network-based IDS systems are usually placed within the network, and they tend to monitor activities from various network devices in the organization’s network. They can be put at important positions in the network, such as gateways to subnetworks, servers etc. Though this system monitors activities within the network, it usually doesn’t detect malicious activities coming from outside the organization’s network. A combination of these two systems guarantees better monitoring within and outside the organization.
A good IDS system should be able to integrate access control and logging policy with the system. A lot of privileges are associated with network administrators, so a good IDS system must be able to monitor the activities of various ‘privileged’ users in the network and report whenever there is an abuse of privilege by a user. The Estonian Police and Border Guard should secure their information systems from attacks from outside their organization, but also from malicious users and administrators within the network. Therefore, a good IDS system for the Estonian police should be mounted outside the network, within the network (at sensitive positions), and integrate access control and logging systems.
1.6 Password policy
A strong password policy must be set across users and staff that have access to information systems in the police. Common passwords can easily be guessed by an attacker, and weak passwords can be broken by dictionary or brute-force attacks. Modern attackers are armed with botnets whose combined capacity is usually comparable to that of supercomputers. With such tools, an attacker can easily find a way into the information systems of the Estonian police.
The password policies used by the Police board must ensure that passwords combine letters, special characters, and numbers, and are more than eight characters in length. With such a password policy in place, it will be extremely difficult or probably impossible for an attacker to use brute-force techniques to access the information systems of the police.
1.7 Audit policy
To ensure that all strategies and policies are properly implemented across all information systems held by the Police and Border Guard, a well designed information systems audit should be carried out at regular intervals. A good audit must cover the management controls, technology and software used in implementing the information systems.
It is also recommended that only certified individuals that have no ties with the Estonian police should be contracted for this task. This will ensure that only unbiased and scientifically proven results are obtained from the audit report. A well planned audit must have a follow-up plan. A follow-up plan makes it possible for the observations and recommendations of the audit report to be implemented at the end of the audit.
2. Key performance indicators
2.1 Purpose of KPIs
Despite numerous initiatives in the continuous assurance field within the information security community all around the world, some of which have resulted in useful standards, standardization regarding indicators and security measurement is missing (ETSI, 2015). Considering the importance of the roles played by this body, the Estonian police need a standard in terms of key performance indicators of information security management. This will enable them to assess and benchmark themselves against other agencies within Estonia and also police authorities in the world.
2.2 Useful KPIs
Availability. This indicator is concerned with the uptime and downtime level of the police information system. It can be measured by the number of downtime/uptime cases. In the case of the Estonian police, it can be measured by the number of times a registered police officer is able or unable to access information to execute his or her job (Saint Germain, 2005).
Vulnerability. Looking at the sensitivity of the role that police play in society (Estonia in particular), it is important to measure the information system’s vulnerability to both internal and external attacks. This can be measured using the following: percentage of successful system compromises; percentage of intrusion attempts detected (Faial, 2002). Information security vulnerability can also be measured using the number of successful external attacks on the information system per time and the number of successful internal attacks on the information system per time (ETSI, 2015). Vulnerability measurements can also be looked at from the technology perspective as software vulnerability. This indicator measures the strength of the police information system’s software against malware. A rating from 1 to 5 can be used, with five being the highest positive strength of the software in question.
Compliance and training level of users. This indicator emphasises the need for the police to be regularly trained on the sensitivity of the citizens’ data under their custody and also their level of competence to effectively use and manage the information security infrastructure, such as eID, information servers, and public and private key infrastructure. It can be measured by using the percentage of information security risks exposed by the police. If the indicator is high, then the security training needs to be reviewed, reformulated or remade from scratch. Also, training should be a must for all police officers to prevent information leakage and other risks associated with it (Faial, 2002). This indicator can be measured using the number of errors or misuse of information at the disposal of the police officers and authority. Another good measurement index would be the number of internal defiant behaviours recorded in a timeframe within the agency.
Resilience. This is another important performance indicator, as the police authority needs to provide all its stakeholders (citizens, Minister of Interior, Parliament and President, etc.) with greater confidence in its capacity to recover from any interruption to service at any time. This can be measured by how fast the Estonian Police and Border Guard’s information system is able to bounce back to work after an attack or downtime (Saint Germain, 2005).
Interoperability. It is important to state that the Estonian police authority and its information security cannot operate in silos without proper communication with other systems or agencies within the state and even externally. Hence, interoperability of the information system without exposing the citizens and the state to danger is a key indicator to determine if the security policy or strategy allows a handshake with other systems. Interoperability in the context of the Estonian police information security system can be measured by how many information systems it is able to get information from to complete a transaction or handle a complaint lodged by citizens in a given period.
Limited accessibility. Officials of the police agency should be able to access the information security document to effectively carry out their duties based on the level of information a role requires. For this to be achieved, a defined level of identification and authentication is required of officials and citizens alike. This would enable control of authorized users in the system. This indicator can be measured by the number of unauthorized users that access the information system of the Estonian police agency in a given period. It is noteworthy to emphasize here that undue access to information could be either internal or external.
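One way to compute four of the indicators above (availability, vulnerability, resilience, limited accessibility) from operational records, as an added example that is not part of the original essay. The record layouts, field names and sample values are assumptions constructed for illustration, and availability is expressed here as a percentage of access attempts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AccessAttempt:
    """An officer's attempt to reach information needed for a task."""
    officer: str
    succeeded: bool


@dataclass(frozen=True)
class IntrusionAttempt:
    """One intrusion attempt as classified after incident review."""
    origin: str        # "internal" or "external"
    detected: bool     # flagged by the IDS/IDPS at the time
    successful: bool   # ended in a system compromise


@dataclass(frozen=True)
class Outage:
    """One interruption of service, from failure to restoration."""
    began: datetime
    restored: datetime


def percentage(part: int, whole: int) -> Optional[float]:
    """Return part/whole as a percentage, or None when nothing was recorded.

    None keeps "no data" distinct from a genuine 0% or 100% result.
    """
    return None if whole == 0 else round(100.0 * part / whole, 1)


def availability(attempts):
    """Availability: share of access attempts in which the officer got through."""
    return percentage(sum(a.succeeded for a in attempts), len(attempts))


def vulnerability(intrusions):
    """Vulnerability: detection and compromise rates, plus successes by origin."""
    successes = [i for i in intrusions if i.successful]
    return {
        "pct_detected": percentage(sum(i.detected for i in intrusions), len(intrusions)),
        "pct_successful": percentage(len(successes), len(intrusions)),
        "successful_internal": sum(i.origin == "internal" for i in successes),
        "successful_external": sum(i.origin == "external" for i in successes),
    }


def resilience(outages):
    """Resilience: mean time to restore service, or None without outages."""
    if not outages:
        return None
    return sum((o.restored - o.began for o in outages), timedelta()) / len(outages)


def unauthorized_users(sessions):
    """Limited accessibility: number of distinct unauthorized users seen."""
    return len({user for user, authorized in sessions if not authorized})


# Constructed sample records for one reporting period (not real data).
ATTEMPTS = [AccessAttempt("officer-01", True), AccessAttempt("officer-02", True),
            AccessAttempt("officer-03", False), AccessAttempt("officer-01", True)]
INTRUSIONS = [
    IntrusionAttempt("external", detected=True, successful=False),
    IntrusionAttempt("external", detected=True, successful=False),
    IntrusionAttempt("external", detected=False, successful=True),
    IntrusionAttempt("internal", detected=True, successful=True),
    IntrusionAttempt("internal", detected=False, successful=False),
]
OUTAGES = [Outage(datetime(2015, 3, 2, 9, 0), datetime(2015, 3, 2, 9, 40)),
           Outage(datetime(2015, 4, 11, 22, 15), datetime(2015, 4, 11, 23, 35))]
SESSIONS = [("officer-01", True), ("officer-02", True),
            ("unknown-7", False), ("unknown-7", False)]


def kpi_report():
    """Collect the indicators for the constructed period into one dictionary."""
    return {"availability_pct": availability(ATTEMPTS),
            **vulnerability(INTRUSIONS),
            "mean_recovery": resilience(OUTAGES),
            "unauthorized_users": unauthorized_users(SESSIONS)}


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

Reporting the same fields for every period is what makes the figures comparable across periods and agencies, which is the benchmarking purpose described in section 2.1.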
3. Systemic critical factors
Information security management of any system should be conducted in accordance with the critical factors that impact this system. Whereas the relative importance of these factors may vary from one system to another, their basic list is clearly defined in different sources: confidentiality, integrity, and availability (CIA) (Breithaupt and Merkow, 2014). These factors are explained below and supported by examples from the practice of the Estonian Police and Border Guard. Also, some context-specific critical factors exist in the case of Estonia. Particularly, access to the state information system is based on the combination of identification, authentication, and authorization (Kabay, 2013). These concepts will be looked at in relation to public key and ID-card infrastructure. Finally, aligning new state projects with the general information security framework will be suggested as a critical factor. The case of e-residency will be discussed in this regard.
3.1 Confidentiality, integrity, and availability
To begin with, any information system faces the need to include three basic critical factors. The first one is confidentiality. This factor means defining which users are able to see certain types of information and which ones are not (University of Miami, 2008). Usually, this factor is implemented with the help of certain authentication tools, for instance a login and password. In the context of Estonian police practice, they define different types of users that access the state information system: private, corporate, and state officials (Eesti.ee - Gateway to Estonia, 2015). The authentication is completed with the help of ID-cards, digital electronic signatures, and passwords. These user documents are issued by the Police and Border Guard on a case by case basis.
The second factor to consider is integrity. This concept signifies that information is complete, up to date, and not distorted by some unauthorized user (Information Security Handbook, 2009). In the case of the Estonian information system, this factor is satisfied, because it is necessary to log in to the system to edit certain information and each action of the user is recorded in a .log file (Eesti.ee - Gateway to Estonia, 2015). Most important is that these rules apply to every user without exception; for instance, a private person can find information about a visit of the police officer who accessed their data.
Coming to availability, it means that users can access the systemic information when needed (Chia, 2012). A service level agreement is a usual instrument to ensure the required level of systemic availability. In the case of Estonia, the system is available 100% during the year, because the functioning of the country is dependent on it. The only case when the system was not available since its launch took place in 2007, when it became subject to a massive distributed denial of service attack (Traynor, 2007). The downtime of two to three hours proved to be critically dangerous. This event galvanized the cyber defence activities of the Estonian police, which has its own Cyber Crimes Unit nowadays (e-Estonia, 2015).
As can be seen, the CIA factors are critically important for the Estonian Police and Border Guard’s management of information security. This body is responsible for issuing confidentiality documents, participates in the integrity scheme, and combats availability threats to the state information system. Therefore, all new activities in the system should be compliant with the mentioned factors, and the Estonian police is expected to participate in ensuring this compliance.
3.2 Identification, authentication, and authorization
These factors are specific to the Estonian information system, because the latter is based on different groups of users with different access rights. To start with the definition of identification, the term means recognition of a user in a certain data processing system (Kabay, 2013). Thus, an ID card with an electronic chip serves this purpose. The chip contains certain personal data like the digital electronic signature and birth date (SK, p. 6). Another opportunity is mobile ID, where a SIM card is personalized and serves to identify the user (e-Estonia, 2015). Due to these two ways, it is possible to identify a user when they enter the system.
Coming to the next point, authentication refers to positive identification or proving a user’s identity in the system (Kabay, 2013). In the Estonian case, this function is performed with the help of a password for the ID card. Thus, it is necessary to enter a personal four-digit password to enter the system (e-Estonia, 2015). The Police and Border Guard provides a password together with issuing the ID card. Also, a user can change their password upon receiving the identity document.
Authorization is related to user rights in a certain information system (Kabay, 2013). In other words, the system should provide a specific choice of actions for every user. This concept refers to the mentioned division into citizen, business, and state official roles (Eesti.ee - Gateway to Estonia, 2015). So, all these user types are authorized to perform different actions. For instance, it is not possible to apply for a company tax refund on behalf of a physical person.
Overall, it seems that identification, authentication, and authorization are already implemented in the Estonian information system. However, the police has to work continuously on these aspects in two main directions: updating and upgrading. First of all, it is necessary to update the personal information of the users. For instance, certificates in a digital electronic signature need to be changed to new ones after a certain time period, which is done through the Police and Border Guard. Secondly, new technologies should be integrated into security processes in order to keep the system resilient to new threats. For example, stronger cryptography standards should be added to the e-signature in new ID cards.
3.3 Alignment of new projects with critical factors
Having discussed six critical factors that impact the Estonian state’s information system, it is important to outline possible challenges that emerge with new projects. For this purpose, the division of work among state bodies should be considered. Particularly, the Ministry of Economic Affairs and Communications is responsible for making the country’s economy more competitive (Ministry of Economic Affairs and Communications, 2015). This responsibility entails creating state-level projects. Among recent ones, e-residency and e-embassies of data are the two most prominent. In contrast to this activity, the Ministry of Interior takes care of the country’s internal affairs (Ministry of Interior, 2015). Under the Ministry, the Police and Border Guard is the first agency that is responsible for internal security. The issue of what should come first, economic facilitation or the country’s security, arises. In most cases, the first one is considered to be more important in Estonia.
Under such conditions, the Police and Border Guard should provide extensive and well-grounded reports on the risks to the state information system’s security that new projects bring about. Specific focus ought to be placed on aligning new projects with the discussed factors. Otherwise, the whole system will become more vulnerable. Coming to the case of e-residency, this project seeks to facilitate the business environment in the country by providing access to Estonian ID-card infrastructure to citizens of other countries around the world (e-Estonia, 2015). This way, e-residents can use business services that are available in Estonia. The opportunity promises to be very useful not only for creating and maintaining a company in the country, but also for building the image of Estonia as an innovative state. However, many risks for the state information system come together with this project. For instance, having an Estonian ID-card means a possibility to encrypt files using public key infrastructure that is provided by the state. The need to break this encryption might appear when the latter is used for illegal purposes. In this case, the encryption will cease to protect the files of all Estonian citizens. Unauthorized parties might access these files, so the authorization factor is under threat here. It is evident from this example that the Estonian police should analyze and report such risks in new projects.
All in all, it is the responsibility of the Estonian police to protect the state information system. New state-level projects should be scrutinized in terms of the risks that they bring to the six critical factors. Though this analysis might fail to prevent the launch of a project, as in the case of e-residency, the police should prepare a range of responses to the situation when the risks that are related to critical factors materialize.
Conclusion and recommendations
Considering the dependence of the Estonian Police and Border Guard on information systems, sustainable information security management policies and strategies need to be at the centre of their operation. Therefore, the following concluding remarks are offered to secure the information system, which centres around availability, integrity, and confidentiality.
High availability architecture with the aim of guaranteeing 100% availability of the information system in this case is important. This is achieved by keeping a mirrored copy of an information system in a secured location in order to secure critical information and services even during downtime.
Procurement of product technologies and equipment, such as hardware and software, needs to be well monitored, as obsolete or substandard technologies, if used in this case, present a higher security risk not only to the police department, but also to the entire state due to high systemic susceptibility to attacks (internally and externally). This can be achieved by using updated intrusion detection and prevention systems (IDPS).
In essence, a good IDS system for the Estonian police should be mounted outside the network and within the network (at sensitive positions), and it should integrate access control and logging systems. The latter should be supported with a strong password policy.
Coming to the next point, the importance of an audit policy for regular checks of the police information systems, mainly for compliance with best practices and global standards, cannot be overemphasized. In this case, certified auditors with no ties with the police should be used to avoid biased reports.
Key performance indicators should be set from scratch and also regularly reviewed because they will serve as the benchmarking criteria to measure the performance of the information security system. Among other indicators, the key indicators for the Estonian Police and Border Guard should be standardised and focused on availability, vulnerability, resilience, interoperability, accessibility, and compliance and training level of users. The standard measurement of these indicators would enable proper management of the information system.
Estonia as a state has already implemented an information security system that revolves around eID and public key infrastructure, which allows sequential processes of identification, authentication and authorization. The Police and Border Guard need to strengthen this process, as the key infrastructure to access information systems (eID) is under their custody.
This means the police has to work continuously on these aspects in two main directions: updating and upgrading. Also, new technologies should be integrated into security processes in order to keep the system resilient to new threats.
Finally, all state-level projects should be scrutinized in terms of the risks that they bring to the six critical factors of confidentiality, integrity, availability, identification, authentication and authorization. Though this analysis might lead to delays in launching a specific project, the police should prepare a range of responses to the situation when risks to critical factors materialize.
Bibliography
Breithaupt, J. and Merkow, M. (2015). Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability | Information Security Principles of Success | Pearson IT Certification. [online] Pearsonitcertification.com. Available at: http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=3 [Accessed 4 May 2015].
Cavalcanti, J. C. (2015). Effects of IT on Enterprise Architecture, Governance, and Growth. [online] Available at: https://books.google.com/books?id=Nh-XBQAAQBAJ&pg=PA108&lpg=PA108&dq=An+information+system+architecture+is+a+formal+definition+of+the+business+processes+and+rules,+systems+structure,+technical+framework,+and+product+technologies+for+a+business+or+organizational+information+system.&source=bl&ots=N3EtTw1D_5&sig=k0Ro8Jjm_U4_hKdPGvMaAz-_hQA [Accessed 4 May 2015].
Chia, T. (2012). Confidentiality, Integrity, Availability: The three components of the CIA Triad. IT Security Community Blog. [online] Available at: http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/ [Accessed 4 May 2015].
Eesti.ee - Gateway to Estonia, (2015). Services - eesti.ee. [online] Available at: https://www.eesti.ee/eng/services [Accessed 4 May 2015].
e-Estonia, (2015). Cyber Security. [online] Available at: https://e-estonia.com/the-story/digital-society/cyber-security/ [Accessed 4 May 2015].
ETSI, (2015). ETSI - European Telecommunications Standards Institute. [online] Available at: http://www.etsi.org/ [Accessed 4 May 2015].
Faial, J. (2002). Global Information Assurance Certification Paper. [online] Giac.org. Available at: http://www.giac.org/paper/gsec/2272/introduction-information-security-performance-measurement/103901 [Accessed 4 May 2015].
Information Security Handbook, (2015). Confidentiality, Integrity & Availability. [online] Available at: http://ishandbook.bsewall.com/risk/Methodology/CIA.html [Accessed 4 May 2015].
Isaca.org, (2015). Information Security Management Overview. [online] Available at: http://www.isaca.org/Groups/Professional-English/information-secuirty-management/Pages/Overview.aspx [Accessed 4 May 2015].
Kabay, M. E. (2013). Identification, Authentication and Authorization on the World Wide Web. [online] Available at: http://www.windowsecurity.com/whitepapers/websecurity/WWW_Security/Identification_Authentication_and_Authorization_on_the_World_Wide_Web.html [Accessed 4 May 2015].
Mkm.ee, (2015). Home | Ministry of Economic Affairs and Communications. [online] Available at: https://www.mkm.ee/en [Accessed 4 May 2015].
Saint Germain, R. (2005). Information Security Management Best Practice Based on ISO/IEC 17799. [online] http://www.arma.org. Available at: http://www.arma.org/bookstore/files/Saint_Germain.pdf [Accessed 4 May 2015].
Siseministeerium.ee, (2015). Home | Ministry of Internal Affairs. [online] Available at: https://www.siseministeerium.ee/en [Accessed 4 May 2015].
SK, (2015). The Estonian ID Card and Digital Signature Concept. [online] Available at: http://www.id.ee/public/The_Estonian_ID_Card_and_Digital_Signature_Concept.pdf [Accessed 4 May 2015].
Traynor, I. (2007). Russia accused of unleashing cyberwar to disable Estonia. The Guardian. [online] Available at: http://www.theguardian.com/world/2007/may/17/topstories3.russia [Accessed 4 May 2015].
University of Miami, (2008). Confidentiality, Integrity and Availability (CIA) - Information Technology - Miller School of Medicine at the University of Miami. [online] Available at: http://it.med.miami.edu/x904.xml [Accessed 4 May 2015].
Webopedia.com, (2015). What is Legacy (Legacy System, Legacy Software)? Webopedia. [online] Available at: http://www.webopedia.com/TERM/L/legacy.html [Accessed 4 May 2015].