Archive for August 26th, 2008
Church Data Security

Whether government, corporate or faith-based, file security is important.

No matter the denomination, church file security is especially important because it may deal not only with money and privacy but also with the sanctity of the church community. Member, guest and family information must be protected just as much as that of the preacher, reverend, deacons, bishops, nuns and/or administrators.

Coordination of church file security:
It is important to first identify what the church’s sensitive data are. You may have in your mind which files are or aren’t important to protect for the church, but you may not have the authority or prerogative to make such an important determination. Even if you do, it is important to get ideas from the staff and/or clergy about which files should be protected and what level of protection should be considered. An interview or meeting with the information owners is the first step.

Access to the church files:
Anyone with access to the church files should sign a user license agreement. This is a security standard no matter what organization you enter. It makes sure that those who are trusted with access understand what they can and cannot do when entering the system. Items in a basic user license agreement include: what can be copied and/or installed on the system, what can and cannot be done while accessing church files, and whether or not church files are monitored for heightened security. User license agreements are usually used when multiple people have access to a medium to large network with critical resources (i.e. privacy data, financial information, sensitive data). They are also used for software, website/forum and database access.

You can find examples of a user license agreement on the Internet.

What Church Files to Protect:
Files in a church community may include mission, member, drive, donation and service information that needs to be protected. Any files dealing with money should always be protected. Personal files of church members should be protected, as should databases with potentially sensitive information. Even if the church has NO sensitive information, the files that allow any access from the Internet (such as webpages or FTP files and folders) should be protected with various levels of security including: username and password (don’t EVER use anonymous for FTP), mandatory user registration, and file permission lockdown.

This is important even for churches with no sensitive information because some malicious hackers like to use other organizations’ resources to upload viruses, spam, scams and pornography.

Regulations to consider:
The Privacy Act of 1974 makes it mandatory to protect the personal information of all individuals:

No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains,

The Health Insurance Portability and Accountability Act (HIPAA) is another important law to consider when addressing church file security. Among other things, HIPAA deals with the protection of people’s medical and health history.

File Permission:
Files that are sensitive for a church should have permissions assigned to them so that only authorized users (system administrators, missionaries, clergy, secretaries) have access. This is one part of access control, and most operating systems have this capability. Don’t forget that it is not only computers that need to be protected: routers, switches and databases also need adequate security.
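As an added example (not part of the original post), the following shell script shows the two checks from the sections above in practice: auditing a tree of church files for anything readable or writable by everyone and locking it down to the owner and an authorized group, and checking an FTP server configuration for anonymous logins. The directory names, file contents and config are constructed for the demo; the `anonymous_enable` directive is vsftpd’s real setting, and other FTP servers use different keys.

```shell
#!/bin/sh
# Added example, not from the original post. Audit church files for
# world-accessible permissions, lock them down, and check an FTP config
# for anonymous access. All paths and contents below are constructed.

# Print every regular file under $1 that is readable or writable by "other".
# Prints nothing when the tree is already locked down.
find_world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print
}

# Count of world-accessible files under $1 (whitespace stripped for portability).
count_world_accessible() {
    find_world_accessible "$1" | wc -l | tr -d ' '
}

# Lock down a tree: directories 750, files 640, so only the owning user and
# the authorized group (e.g. clergy or office staff) can read them.
lock_down_tree() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Return 0 (true) if a vsftpd-style config enables anonymous logins.
# Only an active "anonymous_enable=YES" line counts; commented lines do not.
ftp_anonymous_enabled() {
    grep -Eq '^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*YES' "$1"
}

# Demo on a constructed temporary tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/files/donations"
    echo "2008 pledge totals (constructed)" > "$tmp/files/donations/pledges.txt"
    echo "member roster (constructed)" > "$tmp/files/members.txt"
    chmod 644 "$tmp/files/donations/pledges.txt"   # world-readable: needs fixing
    chmod 600 "$tmp/files/members.txt"             # owner only: fine
    printf 'listen=YES\nanonymous_enable=YES\n' > "$tmp/vsftpd.conf"

    before=$(count_world_accessible "$tmp/files")
    lock_down_tree "$tmp/files"
    after=$(count_world_accessible "$tmp/files")
    if ftp_anonymous_enabled "$tmp/vsftpd.conf"; then ftp=anonymous; else ftp=ok; fi
    echo "world-accessible before=$before after=$after ftp=$ftp"
    rm -rf "$tmp"
}
```

Run `demo` (or point `count_world_accessible` and `lock_down_tree` at the real church file share) to see which files were exposed and confirm none remain after the lockdown.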

Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government.

A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network-centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

Lasers Could Send World’s Most Secure Messages Through Space

New experiments using Heisenberg’s uncertainty principle extend the range of quantum cryptography, an advanced method of communicating in unbreakable code. Finding a way to keep snoops from tapping into other people’s information is a challenge that has gone to the subatomic level. First proposed in 1984, quantum cryptography (QC) promises to send
