HIGH LEVEL COMPLIANCE REVIEW: PHYSICAL SECURITY
Standards 14 to 19 of the Standards for Victoria Police Law Enforcement Data Security

June 2008

Acknowledgement

This report was prepared for the Commissioner by Alan Roberts, Senior Information Security Auditor, and Kim Lajoie, Technical Project Officer, of the Office of the Commissioner for Law Enforcement Data Security, in consultation with relevant areas and employees of Victoria Police. Appreciation is expressed for the assistance and cooperation of Victoria Police members during the conduct of this compliance review.

Published by the Commissioner for Law Enforcement Data Security, PO Box 281, World Trade Centre, Melbourne Victoria 8005, September 2008. Copyright State of Victoria.

Table of Contents

Executive Summary 4
1. Introduction
   Purpose and Scope
   Approach
   Definitions and Abbreviations
   Management Response to Findings and Recommendations
   Compliance Assessment Rating 9
2. Physical Security
   CLEDS Physical Security Standards
   Policy and Process
   Roles and Responsibilities
   Site Visits
3. Observations and Findings
   Standard 14
   Standard 15
   Standard 16
   Standard 17
   Standard 18
   Standard 19
   Conclusions
   Recommendations 29
Appendix A Statement of relevant Standards and Protocols 30
Appendix B Persons interviewed and documents reviewed 34
Appendix C Glossary 35
Appendix D Response to report by Chief Commissioner of Police 36

Executive Summary

Background

Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. An annual program of high level compliance reviews, as well as detailed risk based audits, has been established and commenced. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet the requirements and intent of CLEDS Standards and Protocols.

The Review

A high level compliance review of the Physical Security law enforcement data security standards (Standards 14 to 19) and associated protocols has been undertaken. In order to assess physical security within Victoria Police, the high level review examined policy and operational issues involving facilities (office complex and police station) maintenance and management, evidence and exhibits management, and information technology and hard copy records storage and management.

An assessment rating of Compliant (where existing security controls meet the requirements and intent of the standards and protocols), Partially Compliant (where existing security controls partially or inconsistently meet the requirements and intent of the standards and protocols) or Non Compliant (where existing security controls are consistently inadequate in meeting the requirements and intent of the standards and protocols) has been assigned as a result of the review.

Results of Review

Overall, Victoria Police have implemented an appropriate level of physical security controls, where such controls are either physical (through building design) or technical. Major facilities are suitably protected from unauthorised physical access and from external and environmental threats. In these cases the threats and countermeasures are tangible and benefit from Victoria Police's expertise in crime prevention.

Victoria Police's wired data infrastructure and metropolitan digital radio networks are well protected from interception and loss of service. Wired data infrastructure benefits from the existing physical protection offered by Victoria Police facilities. The metropolitan digital radio networks encrypt all communications and offer modern features such as remote deactivation of terminals.

Suitable implementation of technical controls also extends to the clear screen policy and the protection of portable devices. The default time-out for computers limits the risk of data being inappropriately accessed while a computer is unattended, and some suitable guidelines and tools are available for protecting data held on portable devices.

While these broad controls go a significant way towards ensuring appropriate physical security for Law Enforcement Data, there are some significant and specific weaknesses which should be addressed.

The Enterprise Information Security Policy does not provide adequate detail for the protection of portable devices, nor does it make reference to such detail. Users of portable devices are not provided with security instructions, and education and training in relation to these devices is inadequate and inconsistent.

The ability for unauthorised members to visit non-twenty-four hour stations out of hours raises concerns about the effective management of physical access keys and alarm access codes.

The state-wide Statenet Mobile Radio (SMR) is the radio network used for voice by Victoria Police in regional areas. It is not encrypted and is able to be accessed by anyone with commercial-grade equipment. It is known that unauthorised third parties regularly intercept Police communications over this network. Additionally, there are regular incidents of unauthorised third parties transmitting on police channels, disrupting police activities.

There are several significant security weaknesses at the Records Management Storage and Disposal facility. Poor physical segregation, with access by the public and other Government Departments to law enforcement data, understaffing, and a lack of control over security services increase the risk to Law Enforcement Data stored at the facility. These weaknesses warrant immediate attention, particularly given the sensitive nature of much of the information held at the facility.

Some facilities are more vulnerable to external or environmental threats than others.

Training and awareness of staff continues to be a concern, particularly as it relates to the clear desk policy and the protection of portable devices. This is a significant weakness, as the effective application of physical security policy is dependent on staff actively executing their responsibilities.

Agreements with Approved Third Parties do not adequately address the CLEDS physical security standards, as there seems to be no process for ensuring relevant agreements contain site-specific requirements for physical security controls. With the exception of 24 hour stations, no guidelines exist to assist Victoria Police to determine the appropriate level of physical security. Agreements do not deal adequately with portable devices; carriage, use and storage of law enforcement data; disruptions to service and supporting infrastructure; or protection of electronic information from interception and loss of service.

An assessment of Victoria Police compliance with CLEDS Physical Security standards and protocols is provided in the table below.

Standard: CLEDS Assessment
S14 - Facilities protected from unauthorised access: Partial Compliance
S15 - Protection of laptops and data during physical external transport: Partial Compliance
S16 - Reduce risk of disruption from external (including environmental) threats: Compliant
S17 - Communications infrastructure protected from interception or loss: Partial Compliance
S18 - Protect data during storage, handling and transport: Partial Compliance
S19 - Clear desk and screen policy: Partial Compliance

As a result of these observations, an overall compliance rating of Partially Compliant with the CLEDS physical security standards and protocols is considered appropriate at this time.

Recommendations

The Commissioner makes the following recommendations to assist Victoria Police in addressing matters raised by the high level review.

Recommendation One: That Victoria Police amend the Enterprise Information Security Policy and related documents to include a suitable level of detail for effective physical security, including the physical security of portable devices that store Law Enforcement Data.

Recommendation Two: That Victoria Police implement a plan to strengthen non-24 hour facilities against external risks to security and implement a suitable level of protection from unauthorised physical access.

Recommendation Three: That Victoria Police remedy the security deficits at the Records Management Storage and Disposal facility as a matter of urgency.

Recommendation Four: That Victoria Police upgrade the radio network used for voice in regional areas to implement encryption and ensure unauthorised interception or transmission does not occur.

Recommendation Five: That Victoria Police implement training and awareness programs to ensure staff appropriately protect Law Enforcement Data on desks and in portable devices.

Recommendation Six: That Victoria Police ensure agreements with Approved Third Parties adequately protect the physical security of Victoria Police Law Enforcement Data.

High Level Compliance Review of Physical Security

1. Introduction

The Standards for Law Enforcement Data Security were established in February and July 2007 by the Commissioner for Law Enforcement Data Security (CLEDS). The Standards and associated protocols are binding on Victoria Police.

Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. An annual program of high level compliance reviews, as well as detailed risk based audits, has been established. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet requirements contained within the CLEDS standards and protocols.

Physical Security is one of fifteen categories of standards and protocols issued by CLEDS.

1.1. Purpose and Scope

The scope of this compliance review is confined to examining the existence and operation of Victoria Police policy and process involving physical security measures designed to protect law enforcement data from unauthorised access, destruction, use, modification or release.

1.2. Approach

The high level compliance review involved discussions with key stakeholders, analysis of policy and procedures for compliance with the requirements and intent of the CLEDS Physical Security standards and protocols, and verification/testing of operational compliance and monitoring frameworks. Agreements with Approved Third Parties for authorised access to Victoria Police law enforcement data were also reviewed for compliance with the requirements and intent of the CLEDS physical security standards and protocols.

1.3. Definitions and Abbreviations

The common definitions and abbreviations used in this report are explained in Appendix C, Glossary.

1.4. Management Response to Findings and Recommendations

A draft version of the high level Physical Security compliance review report was provided to the Chief Commissioner of Police for information, factual review and consideration of the CLEDS recommendations. The response to the report from the Chief Commissioner of Police is at Appendix D.

1.5. Compliance Assessment Rating

Victoria Police's compliance with CLEDS physical security standards will be assessed in the following terms:

Compliant: Existing security controls meet the requirements and intent of the Standards and Protocols.
Partially Compliant: Existing security controls partially or inconsistently meet the requirements and intent of the Standards and Protocols.
Non Compliant: Existing security controls are consistently inadequate in meeting the requirements and intent of the Standards and Protocols.

Recommendations will be made where less than full compliance is identified.

2. Physical Security

Physical security measures represent only one aspect of protective security, but remain an important element of the total protective security process. Maintenance of security is both an organisational and a local management responsibility, with day to day implementation and monitoring of security being the responsibility of each work area. Physical security measures must also be underpinned by a high level of staff security awareness, particularly for the protection of security classified information and resources. Sensible management of security risk involves an appropriate combination of procedural and physical control measures.

2.1. CLEDS Physical Security Standards

The Commissioner's interest in physical security focuses on the physical security of Law Enforcement Data. Chapter five of the Standards for Victoria Police Law Enforcement Data Security addresses the issue of LED physical security. A total of six physical security standards and seven associated protocols have been established and issued by CLEDS.

Most standards apply equally to Approved Third Parties (ATP) that have been authorised to access Victoria Police (VP) information and data. Victoria Police is therefore required to reflect and enforce CLEDS physical security requirements (standards and protocols) in all agreements involving LED.

A summary of each standard (applicable to both Victoria Police and Agreements with ATP) is provided below, while further information is contained within Section 3 of the report.

Standard 14: All Victoria Police (and ATP) facilities that access, store or handle law enforcement data must be physically protected against unauthorised access. (Protocols )

Standard 15: Adequate physical security measures (at VP and ATP facilities) must be established for the carriage, use and storage of law enforcement data on portable computing devices or portable data storage devices. (Protocols )

Standard 16: Physical security controls (at VP and ATP facilities) must be implemented that reduce the risk of disruptions to service caused by external or environmental threats and safeguard the provision of supporting infrastructure services.

Standard 17: Electronic communications infrastructure (wired or wireless) used (at VP and ATP facilities) for law enforcement data must be protected from interception or loss of service.

Standard 18: Appropriate physical security measures must be implemented (at VP and ATP facilities) to protect all forms of law enforcement data during storage, handling and transport.

Standard 19: A clear desk and screen policy must be implemented (at VP and ATP facilities) for all environments that work with law enforcement data.

2.2. Policy and Process

The Victoria Police Manual (VPM) is the authoritative organisation-wide policy and procedures manual. As an online publication accessible through the Victoria Police Intranet, it is the central policy gateway for employees to identify and implement corporate policies and procedures. References to security matters and links to other policy resources and guidelines are contained within both the Operations and the Administration and Management components of the VPM (for example: Information security, Document security, Records disposal, Intelligence management, Workplace Inspections).

Physical security control measures for information system resources are contained within the Victoria Police Enterprise Information Security Policy 2004 (EISP), which represents the overarching policy on information security for Victoria Police. Within the EISP, reference is made to principles of effective protective security practice being directly related to the Australian Government Protective Security Manual (PSM) [1]. The PSM is an authoritative reference on security; it also forms the foundation for security initiatives within Victoria Police because workplaces exchanging information with the Australian Government are required to comply fully with the manual.

The Victoria Police Document Security Best Practice Guideline 2007 contains procedures primarily based on those in the PSM, with supplementary information from the Defence Signals Directorate's Australian Government Information and Communications Technology Security Manual (ACSI 33). The Document Security Best Practice Guideline is a non-mandatory statement of best practice and does not represent either an instruction or a policy statement.

In many cases Regions and Departments have also incorporated security practices into local induction programs and/or standard operating procedures.

2.3. Roles and Responsibilities

The Victoria Police Security Committee (VPSC) is entrusted with the oversight and governance of the provision of security and the development of strategies, guiding principles and standards for security at Victoria Police premises and facilities. A direction from the Chief Commissioner (2006) assigned ultimate responsibility for security to the Commander, Specialist Support Department, as chair of the VPSC. The committee is responsible for all security-related policy for all Victoria Police buildings, while the day to day implementation of security for Victoria Police premises is the responsibility of each work area.

The creation of a new Organisational Security Committee (OSC) as a sub-committee of the Police Operations Standing Committee is likely to replace the VPSC. The new committee will have responsibility for physical security and is chaired by Deputy Commissioner Kieran Walshe. The OSC will include the Agency Security Advisor and Business Information Technology Services representatives.

[1] The current version of the Australian Government Protective Security Manual was published

Protective Services Officers, part of the Specialist Support Department (SSD), are responsible for policing the security requirements of the Victoria Police Centre and St Kilda Road complexes. The security of Crime Department areas relocated from St Kilda Road to leased accommodation in Flinders Street (2 levels from late 2007) is, however, not covered by SSD.

The Business Management Department (BMD) has a key physical security role through its direct involvement with the construction and maintenance of police buildings, property lodgements and storage, equipment, police and public records, and the whole of life asset strategy. Station Managers, however, are responsible for the proper care and maintenance of buildings, fittings and fixtures, fences, grounds, and other property in their charge, as well as the security and management of law enforcement information.

Business Information Technology Services (BITS) has shared responsibility for the physical security of information by way of its direct involvement with the development, management and coordination of Victoria Police information and communications systems infrastructure and security. Information security training and awareness resources (brochures/posters) have also been developed and are available from the BITS intranet.

Corporate Management Review Division (CMRD), as part of its core risk management function, undertakes risk analysis and assessment of areas in order to minimise or eliminate risk in everyday policing. Physical security should be a consideration in the conduct of local workplace risk assessments, inspections and audits; however, the level of attention directly paid to the physical security of law enforcement data is largely left to the discretion of local management.

2.4. Site Visits

In assessing the existence and operation of physical security arrangements over Victoria Police law enforcement data, Office of CLEDS staff visited a number of key areas and sites. Areas and sites for high level review were selected on the basis of the anticipated nature of the LED involved and the possible vulnerability of physical security arrangements where Victoria Police operate in a shared facility environment. Site visits considered facilities (office complex and police station) maintenance and management, evidence and exhibits management, and information technology and hard copy records storage and management. A total of 7 site visits were conducted, in addition to general physical security observations in and around the VPC and the public access (retail) concourse level.

Information gained from site visit discussions and observations was also considered in conjunction with particulars contained in Regional and Departmental self assessment documentation (April 2008) regarding implementation of the CLEDS standards. This information provided a valuable insight into the nature and extent of actions planned (or undertaken) to review existing processes, procedures and the general management of law enforcement data security.

3. Observations and Findings

3.1. Standard 14

Victoria Police must ensure that all facilities that access, store or handle law enforcement data are physically protected against unauthorised access.

Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to ensure that all facilities that access, store or handle law enforcement data are physically protected against unauthorised access.

The intent of this standard is to prevent unauthorised access to law enforcement data by the creation of a secure physical environment. The standard is supported by five protocols highlighting requirements which must, at a minimum, be addressed to meet the standard. The protocols cover the issues of:
- Assessment of security risk;
- Security perimeters and secure areas;
- External access points;
- Training and education program; and
- Agreements with Approved Third Parties.

Observations

For this high level review, several aspects of Standard Fourteen were examined: management responsibility, implementation at sites, staff awareness and agreements with Approved Third Parties.

Management responsibility

Victoria Police are fully aware of the need for an effective security environment to exist. This is demonstrated by acknowledgement of the need for security and/or physical security measures throughout operational and administrative policy documentation such as the VPM, EISP, and Intelligence standards and guidelines.

The Victoria Police Security Committee Charter, approved by the Policing Operations Standing Committee in September 2006, clearly defines the function and responsibilities of the committee to oversee and develop best practice standards in relation to security issues. While the committee was responsible for several initiatives, such as more secure identification certificates, security assessments of police buildings and standards for parking of non-police vehicles at the VPC, its scope has mainly focused on the VPC. The establishment of the Organisational Security Committee has recently been finalised and may address these concerns.

Physical security within Victoria Police is largely directed towards the protection and property maintenance of key infrastructure involving buildings (VP complexes, police stations, storage facilities etc.), major information technology systems, and the overall protection of staff and operational resources from adverse unplanned events.

Evidence of security risk assessments being undertaken is not readily available, thus the frequency of these assessments is not clear. Apart from the police stations visited, management at the other sites indicated that assessment of security risk is either undertaken by BMD as part of property management or generally forms a consideration as part of overall operational and contingency planning.

Physical security arrangements within individual areas and locations of Victoria Police are the responsibility of local management and are generally not standard, due to the nature of accommodation (buildings and surrounds) and the overall operations involving law enforcement data. For example, the Victorian Police Forensic Services Centre utilises sophisticated perimeter sensors and CCTV surveillance to directly monitor and control access to the site, while security arrangements at the Records Management storage and disposal facility are outside the direct control of Victoria Police due to the site being administered under a shared tenancy arrangement.

The generic 24 hour Police Station Specification for Security Services incorporates information involving security system/access control/security alarm requirements in both general and technical terms. This document forms the basis for all service tendering. A standard access control policy has repeatedly been approved by Victoria Police, but copies are unobtainable and it has not been implemented.

Implementation at sites

Operating within a shared accommodation environment (the World Trade Centre complex, comprising a number of tower blocks) impacts the implementation of a fully managed physical environment due to other public access and building tenancy requirements. Use of electronic security control systems (access cards) to gain entry to secure work units, monitoring and supervision of contractors and visitors within work areas, the presence of strategically positioned perimeter and internal CCTV surveillance cameras throughout the Victoria Police Complex, and security monitoring by Protective Services Officers and the private security firm ISS provide a relatively secure physical environment. Security assessments of the VPC and St Kilda Road police complex have been conducted by Protective Services Officers and reports submitted to executive management for information and action.

Within police buildings, 24 hour police stations and specialist facilities there is evidence that physical security of premises has been considered by management and action taken to restrict or actively monitor attempts at unauthorised access. Separation of public areas from secure and authorised access areas, and security over external access points, was noted during site visits in both older style police stations and the more modern designed police stations and facilities.

During a site visit, however, the importance of being able to monitor and control after hours access to police premises, particularly when surveillance equipment is not installed, was discussed. Office of CLEDS staff were informed that instances of after hours access to an unattended 16 hour police station by members no longer working at the station had been discovered. It is understood the situation has been brought to the attention of regional management; however, the importance of effectively managing door (key lock) security and internal alarm code management has been highlighted. The practice of sworn members visiting police facilities, other than their own work location, to access corporate information is acknowledged. However, it is considered that such access should be restricted to hours when the station is open, to maintain the security of all law enforcement data within police facilities and prevent instances of unauthorised and unsupervised access.

A number of sites are currently undertaking renovations that incorporate upgrading and/or strengthening existing physical security arrangements. The Mounted Branch is undertaking building security improvements, the St Kilda Road complex is being refurbished and existing reception and rear car park security strengthened, and a new purpose built hangar is being built to address Air Wing security concerns. As new data information system facilities are being established/constructed, the BITS Technical Services & Architecture Group is requiring adherence to Australian Government (ASIO T4) Intruder Resistant Area specifications. The Agency Security Advisor is also actively involved in reviewing system security controls and levels of physical security at both Victoria Police and external service provider facilities.

Staff awareness

Varying levels of recognition of matters of physical security within regional and departmental local operating procedures and induction documentation (posted on the Victoria Police intranet) have been noted. The Operations Coordination Department Induction Package provides a range of information involving physical security, and the Department has also incorporated awareness of the CLEDS standards and protocols into its Business Plan for national information sharing. A range of BITS information awareness guides/brochures/posters, available from the BITS intranet web site, provides guidance on best practice information security.

There is, however, limited evidence to indicate that physical security training and education requirements have been adequately examined and incorporated into business rules, induction training and/or standard operating procedures throughout the organisation. Self assessment by Victoria Police departments and regions regarding implementation of action plans involving CLEDS standards (as at April 2008) seems to support the view that further awareness and education/induction training is required.

In the new CMRD electronic risk management bulletin Risky Business (June 2008), Law Enforcement Data Security has been highlighted to all risk management portfolio holders, risk champions and deputies. All Regions and Departments have been encouraged to discuss the issue at their next risk management meeting. Provision within Risky Business of the definition of Law Enforcement Data, accompanied by a link to the CLEDS web site (cleds.vic.gov.au) containing an electronic version of all standards and protocols, is considered an important step in alerting the entire organisation to the importance of, and mandatory requirement for, effective management of LED.

Agreements with Approved Third Parties

In relation to physical security, the Approved Third Parties of concern are service providers. In the case of outsourced data management and storage (IBM) and radio (Motorola and Telstra) services, physical security arrangements are those of the individual service provider, subject to negotiated improvements to address Victoria Police requirements or specific security concerns.

These agreements do not sufficiently meet the requirements or intent of Standard Fourteen. Where relevant agreements include physical security requirements, they either reference organisation-wide policy or state that physical security requirements are to be the result of negotiation and agreement.

The problem with referencing organisation-wide policy is that these policy documents do not provide site-specific (or even police-specific) instructions. In these cases there appears to be no work undertaken to adapt or interpret these requirements to produce a site-specific set of physical security requirements.

In some other agreements physical security requirements are specified as being the result of negotiation. In these cases Victoria Police do not have a guideline for determining an appropriate level of protective security. A lack of such a guideline substantially increases the risk of security controls being implemented inconsistently or inappropriately.

The notable exception to this is the construction of twenty-four hour police stations. Corporate Support Services Division maintains a document titled Generic 24 hour Police Station Specification for Security Services. This document provides specific details of security controls to be installed as new twenty-four hour police stations are constructed. As almost all twenty-four hour stations perform similar functions, the risk of inappropriate selection of security controls is low.

Findings

Key issues for compliance with Standard 14 are:
- effective management of physical access keys, alarm access codes and after hours visits by unauthorised members to smaller facilities, such as non-twenty-four hour stations, needs to be implemented; and
- agreements with Approved Third Party service providers lack site-specific requirements for security controls.

Although there is a demonstrated commitment to maintaining an appropriate physical security environment, an overall assessment of partial compliance with Standard 14 is considered appropriate at this point in time, as all elements of the standard and/or protocol requirements have not been sufficiently addressed or implemented throughout Victoria Police.

3.2. Standard 15

Appropriate physical security measures must be implemented to protect law enforcement data stored in portable computing and data storage devices or during physical transport outside of Victoria Police premises.

Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to apply appropriate security measures in respect of the carriage, use and storage of law enforcement data, portable computing devices or portable data storage devices that contain law enforcement data.

The intent of this standard is to ensure law enforcement data stored on portable devices or in physical transit outside of Victoria Police premises is not subjected to unauthorised access. The protocol requires appropriate business rules to support the security of data in these circumstances.

Observations

Portable Law Enforcement Data is any Law Enforcement Data stored on portable data storage devices (including laptops and USB flash drives) or any Law Enforcement Data being physically transported. The responsibility for protection of portable Law Enforcement Data rests with individual work groups. The Victoria Police Manual states:

Managers and supervisors are responsible for the physical security of all desktop computers, portable computer devices and printers located in their workplace. (VPM )

Each portable computing device must have an assigned owner who is responsible for ensuring that all security requirements relating to the device are met. (VPM )

Additionally, the Enterprise Information Security Policy (EISP) states:

The responsibility for the protection of each Victoria Police portable computing device (and therefore the information contained thereon) resides with the person to whom the equipment has been provided. (EISP 17.3)

While the Enterprise Information Security Policy (EISP) makes a general statement of the need to ensure the physical protection of portable devices, it provides no details on how to achieve an appropriate level of protection. While reference is made to a document titled Victoria Police Guidelines for the Protection of Portable Computing Devices, this document does not exist [2]. Business Information Technology Services provides portable devices such as laptops and USB flash drives to other areas of Victoria Police. It also makes available some guides and tools for protecting portable computing devices, but makes no effort to ensure individuals and work groups across Victoria Police are aware of their security responsibilities with regard to these devices. For the physical security of non-electronic Law Enforcement Data during transport outside Victoria Police premises, the Victoria Police Manual refers to the Document Security Best Practice Guideline. While the Guideline is a useful resource with specific instructions for the protection of non-electronic information, the instructions themselves are non-mandatory. Agreements with Approved Third Parties do not adequately address the CLEDS physical security standard in relation to carriage, use and storage of Law Enforcement Data, including portable devices.

[2] Confirmed by the Business Information Technology Services Technical Standards & Policy Manager

Findings

Victoria Police goes some way to meeting the requirements of Standard 15 by clearly stating that individuals and local management are wholly responsible for the physical security of Law Enforcement Data stored in devices or during transport. Such an approach, however, relies on adequate support by training and instructions. Key issues regarding compliance with Standard 15 are:
- users of devices such as laptops and USB flash drives are not provided with security instructions on receipt of the device;
- coverage of security responsibilities in induction and ongoing training is inadequate and inconsistent; and
- the Enterprise Information Technology Security Policy does not provide adequate detail for the protection of portable devices, nor does it make reference to such detail.

Without adequate support, individuals and local management cannot be reasonably expected to implement a consistent approach to physical security that is appropriate to the level of risk. An overall assessment of partial compliance with Standard 15 is considered appropriate at this point in time.

Standard 16

All Victoria Police facilities that access, store or handle law enforcement data must have physical security controls that reduce the risk of disruptions to service caused by external or environmental threats and safeguard the provision of supporting infrastructure services. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement to ensure that all facilities that access, store or handle law enforcement data have physical security controls that reduce the risk of disruptions to service caused by external or environmental threats and safeguard the provision of supporting infrastructure services.

The intent of this standard is to ensure physical protection to supporting services on which the secure infrastructure for law enforcement data relies in order to function effectively and ensure continued operation during a disaster or crisis.

Observations

Major police facilities are protected from external and environmental threats by way of physical separation and backup power generators. The Victoria Police Design Guidelines state:

24 hour police stations
- all essential lighting and power circuits shall be backed up by emergency generator;
- all essential communications and building security equipment computer shall be backed up by the emergency generator as well as UPS systems.

16 hour and 8 hour police stations
- provide external power inlet for the connection of a mobile generator to supply selected essential lighting and power circuits;
- radio communications equipment shall be backed up by rechargeable battery system;
- UPS systems usually not required.

Major facilities have substantial backup power generators. New twenty-four hour stations being built are required to have backup power generators, and currently eighty-four (out of one hundred) twenty-four hour stations have such generators. Most sensitive police work areas are kept some distance from public areas. For example, the operational areas of the Forensic Lab are far from the perimeter fence. Also, work involving sensitive Law Enforcement Data at the Victoria Police Centre and the St Kilda Rd Complex is conducted some distance above ground level and away from public areas. This reduces the likely impact of an adverse event in a public place or non-police facility disrupting sensitive or critical tasks. For data processing centres and servers, Victoria Police resources are duplicated to reduce the risk of outages caused by equipment being rendered unavailable or inoperable. The Victoria Police mainframe provides the following three applications:
- Law Enforcement Assistance Program (LEAP), the database of incidents and other operations records;
- Human Resources Millennium (HR:M), the database of personnel records; and
- SAS, a statistical analysis system.

The entire hardware, software and data of the mainframe are duplicated and physically housed at a facility in a different suburb. The data is synchronised between the main site and the duplicate site to ensure a reasonably quick change-over is possible in case the main site becomes unavailable. Non-mainframe applications have various levels of High Availability, but no full Disaster Recovery capability. This means these applications have some resilience against localised server outages (such as hardware failures) but little or no ability to continue functioning following large-scale physical damage. Shared network storage (commonly called "G Drives" and "H Drives") for each station is physically located at the station. Standard operating procedures exist to regularly back up the data in case of loss or damage, allowing stored data to be restored in case of hardware failure. Agreements with Approved Third Parties do not adequately address the CLEDS physical security standard in respect of external disruptions to service or safeguarding supporting infrastructure services.

Findings

Major police facilities appear to have suitable security controls to reduce the risk of external or environmental threats. Where weaknesses are identified, measures are taken to localise any vulnerability and reduce the risk. Nevertheless, some facilities, such as many non-twenty-four hour stations, are more vulnerable to external or environmental threats. The physically separate duplication of the Victoria Police mainframe allows mission-critical Law Enforcement Data stored in the Law Enforcement Assistance Program to remain available even after a catastrophic incident. Network storage and other applications are protected to a lesser degree, but are not as widely critical to police operations. A general assessment of compliant is certainly warranted at this point in time. Maintaining full compliance will require urgent attention to the issue of Approved Third Party agreements.

Standard 17

Electronic communications infrastructure (wired or wireless) used for law enforcement data must be protected from interception or loss of service. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement that electronic infrastructure (wired or wireless) be protected from interception or loss of service.

The intent of this standard is to ensure the continued availability, confidentiality and integrity of law enforcement data during electronic transmission.

Observations

The majority of police communications occur over the following networks:
- Wired data infrastructure, used for computer-based communications;
- Mobile Data Network (MDN), wireless data infrastructure for metropolitan areas;
- Mobile Metropolitan Radio (MMR), digital voice radio for metropolitan areas;
- State-wide Statenet Mobile Radio (SMR), analogue voice radio for country areas; and
- Public telephone network.

The wired data infrastructure is used for all computer-based communications. This includes:
- All ;
- Information viewed from a server or application;
- Data files transferred between computers or servers; and
- Information accessed by Approved Third Parties.


More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection

More information

EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH

EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH OIOS conducted an audit of information and communications technology (ICT) governance

More information

London River Services Security Risk Management (IA 13 013/F) Leon Daniels, Managing Director, Surface Transport. Audit Conclusion: Audit Closed

London River Services Security Risk Management (IA 13 013/F) Leon Daniels, Managing Director, Surface Transport. Audit Conclusion: Audit Closed FINAL INTERNAL AUDIT REPORT London River Services Security Risk Management (IA 13 013/F) Leon Daniels, Managing Director, Surface Transport Audit Conclusion: Audit Closed 25 June 2014 Issue categories

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during

More information

Queensland Taxi Security Camera Program Changes

Queensland Taxi Security Camera Program Changes Queensland Taxi Security Camera Program Changes Frequently Asked Questions GENERAL INFORMATION 1. What is the taxi security camera program? It is a program administered by the Department of Transport and

More information

Records Management plan

Records Management plan Records Management plan Prepared for 31 October 2013 Audit Scotland is a statutory body set up in April 2000 under the Finance and Accountability (Scotland) Act 2000. We help the Auditor General for Scotland

More information

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0 SERVER, DESKTOP AND PORTABLE SECURITY September 2014 Version 3.0 Western Health and Social Care Trust Page 1 of 6 Server, Desktop and Portable Policy Title SERVER, DESKTOP AND PORTABLE SECURITY POLICY

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Physical and Environment IT Security Standards

Physical and Environment IT Security Standards Physical and Environment IT Security Standards Author s Name: Jo Brown Author s Job Title: Head of Technical Services Division: Corporate Department: Technical Services Version Number: 1.0 Ratifying Committee:

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Business Continuity Management. Policy Statement and Strategy

Business Continuity Management. Policy Statement and Strategy Business Continuity Management Policy Statement and Strategy November 2011 Title Business Continuity Management Policy & Strategy Date of Publication: Cabinet Council Published by Borough Council of King

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

Physical Security Assessment Form

Physical Security Assessment Form Physical Security Assessment Form Security Self-Assessment T Wake 10 February 2012 Security Assessment Contents Facility / Site Security Assessment Form... 3 Identification Details... 3 Facility Details...

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information