The Police Support Service System

(pl.: System Wspomagania Obsługi Policji – SWOP)

Modules put into service, functionality and
purpose and legal basis for processing
the personal data in the system
Ireneusz CHOŁONIEWSKI
National Police Headquarters Chisinau, Republic of Moldova
Funded by 25 – 29 May 2015
the European Union
 Dictionary

ABW – Internal Security Agency

– (pl.: Agencja Bezpieczeństwa Wewnętrznego)
BIOS – Basic Input/Output System
DBTI – ICT Security Department
– (pl.: Departament Bezpieczeństwa Teleinformatycznego)
ICC – Integrated circuit card 
PSTD – Police Data Transmission Network
– (pl.: Policyjna Sieć Transmisji Danych)
RBD – Redundant access gateway
– (pl.: Redundantna Brama Dostępowa)
RMSWiA – Regulation of the Minister of Internal Affairs and Administration
– (pl.: Rozporządzenie Ministra Spraw Wewnętrznych i Administracji)
 SWOP subsystem: Wages

One of the modules implemented in the Police Support Service System

(SWOP) is a subsystem called Wages, its primary function is to collect data on
employees of the Police in the field of personal data and payroll, in order to
provide comprehensive service on employment and finance of human
resources.
 Purpose of personal data processing in Wages subsystem

The purpose of personal data processing in the Wages subsystem is the

implementation of the statutory obligations imposed on the police by the
following acts:
̶ The Police Act of 6th April 1990 (Dz. U. 1990 No. 30, item 179, as
amended),
̶ The Law on Civil Service of 21st November 2008. (Dz. U. 2008 No. 227,
item 1505, as amended),
̶ Social Insurance Law of 13th August 1998 (Dz. U. No. 137, item 887, as
amended),
̶ The Law on Electronic Signature of 18th September 2001 (Dz. U. No.
130, item 1450) and implementing regulations, which regulate technical
and organizational requirements for certification system and the usage
of certificates by users.
 Access control to the operating system

In the Wages subsystem, we use security options offered by the Windows

operating system and we make each user responsible for his own account.
Each user has an individual account and password. Each attempt to login to
the system requires a username and a unique password or PIN (if the user
logs on to the operating system by using ICC). This security level system
prevents entry for people who do not know the password.
 The subsystem consists of modules implementing functions which are
thematically linked. Consequently, relevant subsystem sections are made
available only to groups of users using those sections. In order to grant
individual permissions to fulfil particular tasks in the subsystem, additionally a
database containing users permissions is created.
Detailed rules for the configuration of the workstation for Wages
subsystem

Configuring workstation for Wages subsystem is based on the following rules:

̶ workstation can have a few of user accounts with administrative
privileges,
̶ all access privileges to the operating system resources (files,
peripherals, network resource) as well as accounts and passwords are
set by the local or remote administrator,
̶ access to the BIOS and the operating system is password protected,
following the policy terms;
̶ all system services have to be installed by default by Microsoft.
 Principles of user authentication and authorization

Access to personal data processed in the Wages subsystem may take

place only after authenticating an authorized user on the system. Access to
the Wages subsystem is secured by:
̶ user authentication and authentication on the operating system and
Wages subsystem,
̶ measures of physical protection (access control system, intruder
alarm).
 Authentication and Authorization

Authentication and authorization of the end-user in operating system takes

place after the entry of the correct ICC PIN code (for users logging in to the
system using ICC) or after the entry of the correct username and password
(for users logging into the system without using the ICC).
 The administrator passwords are stored in a sealed envelope in a metal
cabinet. They must meet the following requirements:
̶ passwords can not contain a significant part of the user account name
or the full name of the user,
̶ passwords must have a minimum length of 12 alphanumeric characters
including upper or lowercase characters, digits or special characters
(such as%, $, #, @, etc.).
End users are required to store passwords and PINs to ICC secured, to
prevent third parties to get to know them.
 SWOP subsystem: Personnel

Another of the modules implemented in the Police Support Service System

(SWOP) is a software dedicated to human resources management -
Personnel subsystem. Its primary function is to collect data, including personal
information about employees in order to provide comprehensive management
of the police personnel's work and to improve human resources management
by their superiors.
 Personnel subsystem works in the PSTD network, therefore at least one
device for personal data processing on this network, is connected to the public
network. Consequently, it is needed to take into account the threat and in
accordance with Art. 6 Paragraph 4 of RMSWiA, it is obligatory to apply high
level of security of personal data processing.
 Redundant access gateway (RBD) consists of three levels, which include
devices like firewall and IPS probes, each from a different manufacturer. To
protect the PSTD against threats from external networks, the gateway is also
equipped with anti-virus and anti-spam scanners.
To conclude, the Personnel subsystem works on the PSTD network
ensuring the safety of transmitted data, RBD ‘point of contact’ with the Internet
and other telecommunication networks is controlled and protected in a way
accepted by DBTI ABW. Therefore it should be assumed that the above
solution provide a high level of security.
System protection against malicious software or penetrating

In order to eliminate the negative effects of the mentioned software, in

terms of confidentiality, availability, integrity and accountability, antivirus
software is installed on all the computers where personal data is processed.
Updating the virus signature database is performed with a frequency
depending on the manufacturer of antivirus software.
Antivirus software is configured so that each data carrier connected to the
access points has to be checked for the presence of malware.
 Terms of use of passwords / PIN by users cadre subsystem

End-user or administrators credentials (passwords/PIN codes) are not

classified. They must however, be protected by their owners in a way that
prevents third parties from getting to know them.
All end-users have to go by flowing rules to protect their credentials:
̶ user is responsible for unauthorized disclosure of his credentials,
̶ the end-user is obliged to use passwords, which are coherent with the
policy defined for each system, which means that the passwords should
be complicated and difficult to guess;
̶ the end-user is required to regularly change passwords, not less
frequently than every 30 days,
̶ when suspected disclosure of credentials, user is obliged to
immediately change them, and in the case of impossibility of their
change, he should ask the proper administrator for help,
̶ user has to keep his credentials secured, to prevent third parties to get to
know them,
̶ access to the BIOS settings of the access station is secured with at least 8
character password (if version of BIOS prevents the use of an 8 character
password, the password should be set to the maximum number of
characters allowed by the BIOS, but not less than 6 characters). The
password must contain uppercase and lowercase letters, numbers and
special characters (&, $,%, #, etc.). BIOS password should be kept by the
appropriate administrator, in a way which prevents its disclosure.
 Architecture of SWOP Personnel subsystem

Database server Application Server

Software: Software:
Windows Server 2003 or higher - Windows Server 2008 or higher
SQL Server 2005 Standard or higher - SWOP - Personnel subsystem

PSTD Network

Workstations – access to SWOP Workstations – access to SWOP Workstations – access to SWOP

applications through Terminal applications through Terminal applications through Terminal
(Remote Desktop) or application (Remote Desktop) or application (Remote Desktop) or application
“Client Group" “Client Group" “Client Group"
Thank you for your attention !
Any questions ?