Presentation is loading. Please wait.

Presentation is loading. Please wait.

How To Prepare For A CJIS Audit

Published byGiovanna Weatherhead Modified over 9 years ago

Similar presentations

Presentation on theme: "How To Prepare For A CJIS Audit"— Presentation transcript:

1 How To Prepare For A CJIS Audit

2 How To Prepare For A CJIS Audit
Overview Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available Resources

3 PRAY

4 How To Prepare For A CJIS Audit Helps To Know
Who conducts CJIS audit? What is being audited? Why are we being audited? When does the audit take place?

5 How To Prepare For A CJIS Audit Who conducts CJIS Audit?
Texas DPS CJIS Security Team Ensures all criminal justice and noncriminal justice agencies accessing TLETS meet requirements mandated by the CJIS Security Policy Office created 2006 CJIS Information Security Officer – Alan Ferretti 12 Auditors 1200 TLETS agencies Audited 882 agencies

6 How To Prepare For A CJIS Audit What is being audited?
CJIS Security Policy 5.0 Compliance Establishes the minimum security requirements for Criminal Justice Information. Version 5.0 has grown to four times the pages and two and a half times the requirements found in Version 4.5. Technology continues to progress and be made available. Security threats have continued to increase. Version 5.0 is no longer a classified document. It is now considered a public document.

7 How To Prepare For A CJIS Audit Why is my agency being audited?
CJIS Security Policy Requirement Every 3 years Other audit triggers

8 Possible Audit Triggers Requires CJIS Security Office’s Approval
Pre–Audit Site Audit (within days) Tri-annual Audit. N/A Yes New Agency. Security Incident or Exceptional Event Adding new technology accessing, storing or processing CJIS data (ex. Handhelds, MDTs, Virtual Technology). Any upgrade to the system exceeding 25% of the cost of the system being upgraded. Adding a system to interface with TLETS (CAD/RMS). CJIS network addition or configuration change. Moving TLETS equipment to a new site. Request to host an agency or to be hosted by an agency. Increasing the number of terminals by 25% or greater. Increasing the number of terminals by less than 25% No Swapping out network equipment (1 for 1). Adding a system not accessing CJIS data (ex. e-tickets). Any upgrade to the system which is NOT replacing or adding to like technology.

9 How To Prepare For A CJIS Audit Audit Process
Schedule audit 2 - 6 weeks notice Follow up with detailing instructions and recommendations Formal notification by letter Pre-Audit Phone call Clarify instructions Answer Questions

10 How To Prepare For A CJIS Audit
Audit Process – On site Audit CJIS Security Policy Version 5 Audit Checklist Section: Policy Walk Through Technical Wireless Interface Questions 20 7 19 17

11 How To Prepare For A CJIS Audit. Audit Process - Compliant
Formal letter mail to agency Next scheduled audit – 3 years unless event occurs that triggers audit

12 How To Prepare For A CJIS Audit. Audit Process – Non-compliant
Non -compliant letter, listing items out of compliance mailed to the agency Agency given 30 days to correct noncompliant issues or its plan to correct noncompliant items Compliant letter mailed to agency upon verification of correct items

13

14

15 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Depicts router(s), switch(s), and firewall(s) and lists their make and model? (Technical) Manufacturer supporting devices with updates? (Technical) Network devices secured with locked doors? (Walk Through) & Restricted/Controlled area signage posted? (Walk Through) CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical) Network properly segmented from non law enforcement networks ? (Technical) Firewall in place between networks and Internet? (Technical) Firewall fails “close”? (Technical)

16 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Network Diagram – IT /Network Support If IT/Network Support personnel are: Vendor Security Addendum on file and does it include Texas Signatory Page? (Policy) Signed FBI Certification page? (Policy) Fingerprint based background check ? (Policy) & Security Awareness Training completed (every 2 years) and documented ? (Policy) 5.2.2

17 How To Prepare For A CJIS Audit Self Audit - Network Diagram
If IT/Network Support personnel are: Non LE employees (i.e. city or county) Signed Management Control Agreement on File (Policy) Fingerprint based back ground check (Policy) Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2 LE employees Fingerprint based back ground check (Policy) Security Awareness Training completed (every 2 years and documented (Policy) 5.2.2

18 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Depicts number of TLETS terminals? (Technical) Operating system patched? (Walk Through) Anti-virus installed and operating and AV signature files updated? (Walk Through) & Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) Restricted/Controlled area signage posted? (Walk Through) Session locked after 30 min of inactivity? (Interface) 5.5.5 Media Control (Policy) – How is equipment containing CJI Data exiting a secure location controlled? Destruction (Policy) & – Written procedures for destroying electronic and physical media?

19 How To Prepare For A CJIS Audit Self Audit - Network Diagram
If terminal operators personnel are: Vendor Security Addendum on file and does it include Texas Signatory Page? (Policy) Signed FBI Certification page? (Policy) Fingerprint cards submitted to DPS ? (Policy) & Security Awareness Training completed (every 2 years) and documented ? (Policy) 5.2.2

20 How To Prepare For A CJIS Audit Self Audit - Network Diagram
If terminal operators personnel are: Non LE employees (i.e. city or county) Signed Management Control Agreement on File (Policy) Fingerprint cards submitted to DPS (Policy) Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2 If terminal operators personnel are: LE employees Fingerprint card submitted to DPS (Policy) Security Awareness Training completed (every 2 years and documented (Policy) 5.2.2

21 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Mobiles (Technical) Operating system patched. (Walk Through) Anti-virus installed and operating and AV signature files updated? (Walk Through) & Firewall enabled (Walk Through) Vehicles locked when not in use (Walk Through) Listing of all wireless devices and contact number to disable them if the need arises. (Wireless) & If transmitted outside secure location (PD, Vehicle) advance authentication required (Technical) CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical)

22 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Interface (CAD/RMS)? (Interface) Operating system patched. (Walk Through) Anti-virus installed and operating and AV signature files updated? (Walk Through) & Meets password requirements (Interface) Locks after 5 consecutive invalid log on attempts (Interface) 5.5.3 NCIC & III transactions retain for 1 year (Interface) 5.4.7 Log audit events (Interface) Meets audit retention, monitoring , alert and review requirements? (Interface) & 5.4.3 CAD/RMS kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted (Walk Through) &

23 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Interface (CAD/RMS)? (Interface-Continued) Restricted/Controlled area signage posted (Walk Through) CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical)

24 How To Prepare For A CJIS Audit Self Audit - Network Diagram
Hosting/Hosted Agency Inter-local Agency Agreement on file (Policy) If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical)

25 How To Prepare For A CJIS Audit Written Policies & Procedures
Security Awareness Training – 5.2.2 Incident Response Plan – 5.3.1 Procedures for revoking/removing CJI access – 5.51, & Policy governing use of personally owned– Sanitization, and physical destruction procedures of electronic media before release or reuse – & 5.8.4 Disposal and or destruction of physical media – Security Alert and Advisories process – 5.5.1 Process for validating user accounts – 5.5.1 Policy forbidding transmitting CJI outside secure location -

26 How To Prepare For A CJIS Audit Available Resources – CJIS Audit Team
Jeannette Cardensa CJIS Auditor (512) Dan Conte (512) Ginger Coplen (512) Alan Ferretti CJIS Information Security Officer (512) Oswald Enriquez (512) Erwin Pruneda (512) Linda Sims (512) Miguel Scott Info Sec Analyst Deborah Wright (512) first

27 How To Prepare For A CJIS Audit
Available Resources – Security Review Website CJIS Security Policy CJIS Security Policy Audit Checklist Security Awareness Training Network Diagram Management Control Agreement FIPS Certificates CJIS Security Addendum Policy Examples Security Advisories Agencies Scheduled To Be Audited Thru March 2013

28 Miguel Scott Information Security Analyst TX Dept of Public Safety Office:

Download ppt "How To Prepare For A CJIS Audit"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
(Individuals with Disabilities Education Improvement Act) and

(Individuals with Disabilities Education Improvement Act) and
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.

K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,

Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,
Jennifer Hlad, LEDS & OUCR Trainer LASO 101 – 2013 OREGON STATE POLICE LAW ENFORCEMENT DATA SYSTEMS CRIMINAL JUSTICE INFORMATION SERVICES DIVISION.

Jennifer Hlad, LEDS & OUCR Trainer LASO 101 – 2013 OREGON STATE POLICE LAW ENFORCEMENT DATA SYSTEMS CRIMINAL JUSTICE INFORMATION SERVICES DIVISION.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Washington State Patrol Non-Criminal Justice Agency

Washington State Patrol Non-Criminal Justice Agency
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
NONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE INFORMATION

NONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE INFORMATION
Information Security Policies and Standards

Information Security Policies and Standards
Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.

Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
CJIS Security Policy.

CJIS Security Policy.
10 Essential Security Measures PA Turnpike Commission.

10 Essential Security Measures PA Turnpike Commission.
Network security policy: best practices

Network security policy: best practices
AARP Tax-Aide 2010 - 20111 2010-2011 FOR ALL AARP TAX-AIDE VOLUNTEERS AARP TAX-AIDE PROGRAM POLICIES AND PROCEDURES.

AARP Tax-Aide FOR ALL AARP TAX-AIDE VOLUNTEERS AARP TAX-AIDE PROGRAM POLICIES AND PROCEDURES.
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

Similar presentations

Ads by Google