Presentation is loading. Please wait.

Presentation is loading. Please wait.

How To Prepare For A CJIS Audit. Overview Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available.

Similar presentations


Presentation on theme: "How To Prepare For A CJIS Audit. Overview Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available."— Presentation transcript:

1 How To Prepare For A CJIS Audit

2 Overview Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available Resources

3 PRAY

4 Helps To Know How To Prepare For A CJIS Audit Helps To Know  Who conducts CJIS audit?  What is being audited?  Why are we being audited?  When does the audit take place?

5 Who conducts CJIS Audit? How To Prepare For A CJIS Audit Who conducts CJIS Audit? Texas DPS CJIS Security Team −Ensures all criminal justice and noncriminal justice agencies accessing TLETS meet requirements mandated by the CJIS Security Policy −Office created 2006 −CJIS Information Security Officer – Alan Ferretti −12 Auditors −1200 TLETS agencies −Audited 882 agencies

6 What is being audited? How To Prepare For A CJIS Audit What is being audited? CJIS Security Policy 5.0 Compliance —Establishes the minimum security requirements for Criminal Justice Information. —Version 5.0 has grown to four times the pages and two and a half times the requirements found in Version 4.5.  Technology continues to progress and be made available.  Security threats have continued to increase. —Version 5.0 is no longer a classified document. It is now considered a public document.

7 Why is my agency being audited? How To Prepare For A CJIS Audit Why is my agency being audited? CJIS Security Policy Requirement Every 3 years Other audit triggers

8 Audit Triggers Possible Audit Triggers Requires CJIS Security Office ’ s Approval Pre – Audit Site Audit (within days) Tri-annual Audit.N/AYesYes New Agency.YesYesYes Security Incident or Exceptional EventYesYesYes Adding new technology accessing, storing or processing CJIS data (ex. Handhelds, MDTs, Virtual Technology).YesYesYes Any upgrade to the system exceeding 25% of the cost of the system being upgraded.YesYesYes Adding a system to interface with TLETS (CAD/RMS).YesYesYes CJIS network addition or configuration change.YesYesYes Moving TLETS equipment to a new site.YesYesYes Request to host an agency or to be hosted by an agency.YesYesYes Increasing the number of terminals by 25% or greater.YesYesYes Increasing the number of terminals by less than 25%YesNoNo Swapping out network equipment (1 for 1).NoNoNo Adding a system not accessing CJIS data (ex. e-tickets).NoNoNo Any upgrade to the system which is NOT replacing or adding to like technology.NoNoNo

9 Audit Process How To Prepare For A CJIS Audit Audit Process Schedule audit − weeks notice −Follow up with detailing instructions and recommendations −Formal notification by letter Pre-Audit −Phone call −Clarify instructions −Answer Questions

10 How To Prepare For A CJIS Audit Audit Process – On site Audit CJIS Security Policy Version 5 Audit Checklist Section:Policy Walk ThroughTechnicalWirelessInterface Questions

11 Audit Process - Compliant How To Prepare For A CJIS Audit. Audit Process - Compliant Compliant − Formal letter mail to agency −Next scheduled audit – 3 years unless event occurs that triggers audit

12 Audit Process – Non-compliant How To Prepare For A CJIS Audit. Audit Process – Non-compliant Non-compliant −Non -compliant letter, listing items out of compliance mailed to the agency −Agency given 30 days to correct noncompliant issues or its plan to correct noncompliant items −Compliant letter mailed to agency upon verification of correct items

13

14

15 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram −Depicts router(s), switch(s), and firewall(s) and lists their make and model? (Technical)  Manufacturer supporting devices with updates? (Technical)  Network devices secured with locked doors? (Walk Through) &  Restricted/Controlled area signage posted? (Walk Through) −CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical) −Network properly segmented from non law enforcement networks ? (Technical) −Firewall in place between networks and Internet? (Technical) −Firewall fails “close”? (Technical)

16 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram – IT /Network Support If IT/Network Support personnel are: −Vendor  Security Addendum on file and does it include Texas Signatory Page? (Policy)  Signed FBI Certification page? (Policy)  Fingerprint based background check ? (Policy) &  Security Awareness Training completed (every 2 years) and documented ? (Policy) 5.2.2

17 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram If IT/Network Support personnel are: −Non LE employees (i.e. city or county)  Signed Management Control Agreement on File (Policy)  Fingerprint based back ground check (Policy)  Security Awareness Training completed (every 2 years) and documented (Policy) If IT/Network Support personnel are: −LE employees Fingerprint based back ground check (Policy) Security Awareness Training completed (every 2 years and documented (Policy) 5.2.2

18 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram Depicts number of TLETS terminals? (Technical) −Operating system patched? (Walk Through) −Anti-virus installed and operating and AV signature files updated? (Walk Through) & −Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) −Restricted/Controlled area signage posted? (Walk Through) −Session locked after 30 min of inactivity? (Interface) −Media Control (Policy) – How is equipment containing CJI Data exiting a secure location controlled? −Destruction (Policy) & – Written procedures for destroying electronic and physical media?

19 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram – If terminal operators personnel are: −Vendor  Security Addendum on file and does it include Texas Signatory Page? (Policy)  Signed FBI Certification page? (Policy)  Fingerprint cards submitted to DPS ? (Policy) &  Security Awareness Training completed (every 2 years) and documented ? (Policy) 5.2.2

20 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram If terminal operators personnel are: −Non LE employees (i.e. city or county)  Signed Management Control Agreement on File (Policy)  Fingerprint cards submitted to DPS (Policy)  Security Awareness Training completed (every 2 years) and documented (Policy) If terminal operators personnel are: −LE employees Fingerprint card submitted to DPS (Policy) Security Awareness Training completed (every 2 years and documented (Policy) 5.2.2

21 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram Mobiles (Technical) Operating system patched. (Walk Through) Anti-virus installed and operating and AV signature files updated? (Walk Through) & Firewall enabled (Walk Through) Vehicles locked when not in use (Walk Through) Listing of all wireless devices and contact number to disable them if the need arises. (Wireless) & If transmitted outside secure location (PD, Vehicle) advance authentication required (Technical) CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical)

22 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram Interface (CAD/RMS)? (Interface) Operating system patched. (Walk Through) Anti-virus installed and operating and AV signature files updated? (Walk Through) & Meets password requirements (Interface) Locks after 5 consecutive invalid log on attempts (Interface) NCIC & III transactions retain for 1 year (Interface) Log audit events (Interface) Meets audit retention, monitoring, alert and review requirements? (Interface) & CAD/RMS kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted (Walk Through) &

23 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Network Diagram −Interface (CAD/RMS)? (Interface-Continued)  Restricted/Controlled area signage posted (Walk Through) −CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical)

24 Self Audit - Network Diagram How To Prepare For A CJIS Audit Self Audit - Network Diagram Hosting/Hosted Agency −Inter-local Agency Agreement on file (Policy) −If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) −If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) −CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS Certificate on file? (Technical)

25 Written Policies & Procedures How To Prepare For A CJIS Audit Written Policies & Procedures Security Awareness Training – Incident Response Plan – Procedures for revoking/removing CJI access – 5.51, & Policy governing use of personally owned– Sanitization, and physical destruction procedures of electronic media before release or reuse – & Disposal and or destruction of physical media – Security Alert and Advisories process – Process for validating user accounts – Policy forbidding transmitting CJI outside secure location -

26 Jeannette Cardensa CJIS Auditor (512) Dan Conte CJIS Auditor (512) Ginger Coplen CJIS Auditor (512) Alan Ferretti CJIS Information Security Officer (512) Oswald Enriquez CJIS Auditor (512) Erwin Pruneda CJIS Auditor (512) Linda Sims CJIS Auditor (512) Miguel Scott Info Sec Analyst Deborah Wright CJIS Auditor (512) first How To Prepare For A CJIS Audit Available Resources – CJIS Audit Team

27 – CJIS Security Policy – CJIS Security Policy Audit Checklist – Security Awareness Training – Network Diagram – Management Control Agreement – FIPS Certificates – CJIS Security Addendum – Policy Examples – Security Advisories – Agencies Scheduled To Be Audited Thru March 2013 How To Prepare For A CJIS Audit Available Resources – Security Review Website

28 Miguel Scott Information Security Analyst TX Dept of Public Safety Office:


Download ppt "How To Prepare For A CJIS Audit. Overview Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available."

Similar presentations


Ads by Google