CJIS Security Policy.


1 CJIS Security Policy

2 CJIS Security Policy Purpose
Provide a minimum set of security requirements for access to FBI CJIS Division information.
Protect and safeguard Criminal Justice Information (CJI).
Ensure continuity of information protection.
Provide appropriate controls to protect CJI from creation through dissemination, whether at rest or in transit.

3 Criminal Justice Information (CJI)
The term used to refer to all of the FBI CJIS-provided data necessary for law enforcement and civil agencies to perform their missions. CJI can be in the form of:
  Biometric Data
  Identity History Data
  Biographic Data
  Property Data
  Case/Incident History

4 CJIS Security Policy Administration
CSP is:
  Created by the States through CJIS Working Groups
  Approved or disapproved for recommendation by the CJIS Advisory Policy Board (APB)
  Given final approval or denial by the Director of the FBI
CSP is not:
  Law
  Created by the Federal Government

5 CSP Policy Areas
  1. Information Exchange Agreements
  2. Security Awareness Training
  3. Incident Response
  4. Auditing and Accountability
  5. Access Control
  6. Identification and Authentication
  7. Configuration Management
  8. Media Protection
  9. Physical Protection
  10. Systems and Communications Protection and Information Integrity
  11. Formal Audits
  12. Personnel Security
  13. Mobile Devices

6 Policy Area 1: Information Exchange Agreements
The information shared through communication mediums shall be protected with appropriate security safeguards. The agreements established by entities sharing information across systems and communications mediums are vital to ensuring all parties fully understand and agree to a set of security standards.

7 Policy Area 1: Information Exchange Agreements
Who needs them:
  Criminal Justice Agencies
  Non-Criminal Justice Agencies
  Private Contractors
Sample of agreement types:
  User Agreements
  Management Control Agreements
  Security Addendums
  Secondary Dissemination
Hint: Keep a repository of all agreements in a single location. These documents will not only be important should litigation arise, but will also be called for in an audit.

8 Policy Area 2: Security Awareness Training
Basic security awareness training shall be required within 6 months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.

9 Policy Area 2: Security Awareness Training
3 Tiers of Training:
  All Personnel
  Personnel with Physical and Logical Access to CJI
  Personnel with IT Roles
Training Records: Records of individual basic security awareness training and specific information system security training shall be documented, kept current and maintained by the agency.

10 Policy Area 3: Incident Response
Agencies shall:
  Establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities;
  Track, document and report incidents to appropriate agency officials and/or authorities.
Report to: Illinois CJIS Information Security Officer (CISO)

11 Policy Area 3: Incident Response
Examples of incidents:
  Hacking
  Virus Intrusion
  Spyware Intrusion
  Malware Intrusion
  Line Sniffing
  Misuse (personnel)
Keep a log of incidents and outcomes.

12 Policy Area 4: Auditing and Accountability
Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.

13 Policy Area 4: Auditing and Accountability
Examples:
  DB Log Files
  System Sign On/Off
  Application Sign On/Off
  Server Changes
  Hardware Changes
  Transaction Logging
  Log File Logging (access to, and changes of, the audit logs themselves)
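As an added example that is not part of the slide deck, the following Python checks a batch of constructed audit records against the points above: every record must carry the date/time, component, event type, user identity and outcome that the CSP requires, and the records should let you reconstruct sign-on/sign-off sessions, spot failed-logon bursts (the CSP locks an account after five consecutive invalid attempts) and list account changes. The key=value record format, the component names (LEADS-web, LEADS-db) and the user names are assumptions.

```python
"""Audit-record checks for a CJI-handling system.

Added example, not part of the slide deck. The key=value log format,
component names ("LEADS-web", "LEADS-db") and user names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Fields the CSP requires in every audit record: date/time, component,
# type of event, identity of the user/subject, and the outcome.
REQUIRED_FIELDS = ("ts", "component", "event", "user", "outcome")

# Constructed sample log (not real data). The last line is deliberately
# missing its outcome so the completeness check has something to catch.
SAMPLE_LOG = """\
ts=2019-03-04T08:02:11 component=LEADS-web event=LOGON user=jdoe outcome=SUCCESS
ts=2019-03-04T08:05:40 component=LEADS-web event=LOGON user=asmith outcome=FAIL
ts=2019-03-04T08:05:52 component=LEADS-web event=LOGON user=asmith outcome=FAIL
ts=2019-03-04T08:06:03 component=LEADS-web event=LOGON user=asmith outcome=FAIL
ts=2019-03-04T08:06:15 component=LEADS-web event=LOGON user=asmith outcome=FAIL
ts=2019-03-04T08:06:30 component=LEADS-web event=LOGON user=asmith outcome=FAIL
ts=2019-03-04T08:06:41 component=LEADS-web event=LOGON user=asmith outcome=SUCCESS
ts=2019-03-04T09:10:00 component=LEADS-db event=ACCOUNT_MODIFY user=admin1 outcome=SUCCESS
ts=2019-03-04T12:00:00 component=LEADS-web event=LOGOFF user=jdoe outcome=SUCCESS
ts=2019-03-04T12:30:00 component=LEADS-web event=LOGON user=bwong
"""


def parse_log(text):
    """Split the log into well-formed records and defective lines.

    Returns (records, defects): records is a list of dicts with a parsed
    timestamp; defects is a list of (line, missing_fields) for lines that
    do not carry every required field and therefore fail the CSP content
    requirement for an audit record.
    """
    records, defects = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            defects.append((line, missing))
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, defects


def failed_logon_bursts(records, limit=5, window=timedelta(minutes=15)):
    """Users with `limit` or more failed LOGONs inside `window`.

    The CSP requires lockout after five consecutive invalid attempts, so a
    burst that reaches five (especially one followed by a success) is worth
    an analyst's attention and an incident-log entry.
    """
    fails = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "LOGON" and rec["outcome"] == "FAIL":
            fails[rec["user"]].append(rec["ts"])
    flagged = []
    for user, times in fails.items():
        # Slide a window of `limit` consecutive failures over the timeline.
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def sessions_without_logoff(records):
    """Users whose last successful LOGON has no later LOGOFF.

    Sign-on/sign-off pairing is what makes the log usable for
    accountability: an open session on a shared terminal is a gap.
    """
    open_sessions = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "LOGON" and rec["outcome"] == "SUCCESS":
            open_sessions[rec["user"]] = rec["ts"]
        elif rec["event"] == "LOGOFF":
            open_sessions.pop(rec["user"], None)
    return sorted(open_sessions)


def account_changes(records):
    """Every account-management action: who did it, where, and the outcome."""
    return [(r["user"], r["component"], r["outcome"])
            for r in records if r["event"].startswith("ACCOUNT_")]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("defective records:", bad)
    print("failed-logon bursts:", failed_logon_bursts(recs))
    print("sessions without logoff:", sessions_without_logoff(recs))
    print("account changes:", account_changes(recs))
```

Run against the sample, the completeness check rejects the bwong line (no outcome), asmith is flagged both for five failures in under a minute and for a session that never signed off, and the admin1 account modification is listed for review. The same four functions work on a real export once the field names are mapped to your system's log format.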

14 Policy Area 5: Access Control
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications services and communication configurations allowing access to CJIS information.

15 Policy Area 5: Access Control
Examples:
  Account Management: ensuring accounts are deleted/deactivated when a user leaves employment
  Access Control: role-, rule- or identity-based policies
  Least Privilege
  System Use Notification
  Remote Access
  Session Locks
  Personal Devices
  Public Devices

16 Policy Area 6: Identification and Authentication
The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems services.

17 Policy Area 6: Identification and Authentication
Examples:
  User IDs
  Passwords
  Advanced Authentication (AA)
  AA Decision Matrix
  Personal Identification Numbers
  Use of Identity Providers
  Authenticate against a server, not a device

18 Policy Area 7: Configuration Management
Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.

19 Policy Area 7: Configuration Management
Network Diagram: interconnectivity of CJIS systems.
Application Flow Diagram: how the application data flows from user to database, user to user, and application to application. Not required by the CSP, but a good idea to have one.
Hint: Always maintain current network and application diagrams. Not only will they help you track all your points of failure and security control points, but the network diagram is required during an audit.

20 Policy Area 8: Media Protection
Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

21 Policy Area 8: Media Protection
Media Transport, Storage and Access
  Digital Media Transport: encryption
  Physical Media
Media Disposal: wiping hard drives, shredding documents, etc.
Hint: Agencies should create strong policies and procedures for media disposal and protection. Copies of these policies and procedures should be kept in a central location as they could be asked for during an audit.

22 Policy Area 9: Physical Protection
Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software and media are physically protected through access control measures.

23 Policy Area 9: Physical Protection
Physically Secure Location:
  Visitor Control
  Physical Access Authorization
Controlled Area (if you can't have a physically secure location):
  Limit access
  Lock the area
  Encrypt data at rest

24 Policy Area 10: System and Communications Protection and Information Integrity
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency’s virtualized environment. In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information.

25 Policy Area 10: System and Communications Protection and Information Integrity
Boundary Protection: access points into the network
Encryption: data in transit and data at rest; must use FIPS 140-2 certified cryptographic modules
Cloud Computing
Patch Management
Anti-Virus Software
Hint: In addition to implementing all the safeguards for protection and integrity, agencies should have written policies on safeguards. Keeping these policies together provides for easier access, especially during an audit.

26 Policy Area 11: Formal Audits
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. They occur:
  At a minimum, every 3 years
  During security incidents
  Upon request by an agency
Conducted by the FBI CJIS Division on selected agencies
Conducted by the CSA (CJIS Systems Agency) on every agency in a 3-year cycle

27 Policy Area 11: Formal Audits
NCIC Audit:
  Usage
  Data Quality
  Data Integrity
  Policy/Agreements/Training
Technical Security Audit:
  Compliance with the CSP
  Identify weaknesses in technical security

28 Policy Area 11: Formal Audits Technical Security Audit
Methodology: risk based. Not all audits cover every aspect of the CSP; some will focus on higher-risk implementations.
Steps:
  Pre-audit questionnaire
  Interview
  Site visit/data center walkthrough
  Draft report
  Response
  Final report

29 Policy Area 11: Formal Audits Technical Security Audit
Items to bring:
  All agency policies that touch the CSP, e.g. password creation, training, visitor access, data center access, media destruction, etc.
  Interagency Agreements
  Management Control Agreements
  Training Curriculum
  Network Diagram
  FIPS certificates for network hardware
  Information flow diagram for each software application which stores or transmits CJI

30 Policy Area 12: Personnel Security
Having proper security measures against the insider threat is a critical component of the CJIS Security Policy. All employees and contractors who have access to CJI must undergo a federal and state fingerprint-based background check. Any contractor with a felony conviction is disqualified from accessing CJI. Access shall be terminated for all employees who leave the employment of the agency.
Hint: Your agency should have policies and procedures in place to review employment status versus system access at least on a yearly basis.
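The account-management item under Policy Area 5 (deactivate accounts when a user leaves) and the yearly employment-versus-access review in the hint above are the same control seen from two sides. As an added example that is not from the slide deck, this Python reconciles an exported account list against the HR roster and reports: enabled accounts belonging to separated staff, logons that happened after the separation date (a misuse indicator that belongs in the incident log, not just a cleanup list), enabled accounts with no HR owner, and dormant accounts. The roster and export shapes, names, employee ids and dates are all constructed.

```python
"""Reconcile system accounts against the HR roster.

Added example, not part of the slide deck. The roster and account-export
shapes, the names, employee ids and dates are all constructed.
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (name, status, separation date or None).
HR_ROSTER = {
    "E100": ("Jane Doe", "active", None),
    "E101": ("Al Smith", "separated", date(2019, 1, 15)),
    "E102": ("Bo Wong", "active", None),
}

# Constructed account export: username -> (employee id, enabled, last logon date).
ACCOUNTS = {
    "jdoe": ("E100", True, date(2019, 3, 1)),
    "asmith": ("E101", True, date(2019, 2, 20)),   # enabled and used after separation
    "bwong": ("E102", True, date(2018, 6, 1)),     # active employee, dormant account
    "svc_backup": (None, True, date(2019, 3, 3)),  # no HR owner on record
    "cjones": ("E999", False, None),               # disabled; unknown id, but harmless
}


def reconcile(roster, accounts, as_of, dormant_after=timedelta(days=90)):
    """Return the findings a yearly access review should produce.

    separated_still_enabled: the CSP requires access to end on separation.
    logon_after_separation: the account was used after the person left;
        treat it as a potential misuse incident, not just a cleanup item.
    no_hr_owner: every enabled account needs an accountable person.
    dormant: enabled but unused for `dormant_after`; candidates for disabling.
    """
    findings = {
        "separated_still_enabled": [],
        "logon_after_separation": [],
        "no_hr_owner": [],
        "dormant": [],
    }
    for user, (emp_id, enabled, last_logon) in accounts.items():
        if not enabled:
            continue  # a disabled account is not an access exposure
        if emp_id not in roster:
            findings["no_hr_owner"].append(user)
            continue
        _name, status, separated_on = roster[emp_id]
        if status != "active":
            findings["separated_still_enabled"].append(user)
            if last_logon and separated_on and last_logon > separated_on:
                findings["logon_after_separation"].append(user)
        elif last_logon is None or as_of - last_logon > dormant_after:
            findings["dormant"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in reconcile(HR_ROSTER, ACCOUNTS, date(2019, 3, 4)).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Feed it a directory export and an HR extract and the output is the evidence an auditor asks for under this policy area: which accounts should have been disabled, and whether any were used after the owner left. Service accounts with no HR owner need a named custodian recorded somewhere, or they will show up on every run.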

31 Policy Area 13: Mobile Devices
The agency shall:
  Establish usage restrictions and implementation guidance for mobile devices; and
  Authorize, monitor and control wireless access to the information system.

32 Policy Area 13: Mobile Devices
Wireless protocols for all access points
Cellular services
Bluetooth
VoIP
Mobile Device Management (MDM):
  Remote locking
  Remote wiping
  Setting and locking device configuration
  Detecting rooted devices
  Disk-level encryption
  Patching/updates

33 Policy Area 13: Mobile Devices
Hint: Anything which cannot be done on a mobile device with a limited OS (e.g. Android or iOS) must be done through a Mobile Device Manager.
Particular attention must be given when using mobile devices because of the increased risk associated with loss and/or theft of those devices.
Wireless Device Risk Mitigation:
  Apply critical patches as soon as they are available
  Configure for local device authentication
  Use advanced authentication
  Encrypt all CJI resident on the device
  Erase cached information, including authenticators
  Employ personal firewalls (can be done through MDM)
  Employ antivirus software (can be done through MDM)

34 CJIS Security Policy Appendices
Network Topology Diagram Examples
Sample Information Exchange Agreements
Best Practices (White Papers):
  Virtualization
  VoIP
  Cloud Computing
  Mobile Computing
Security Addendum
Supplemental Guidance for Criminal Justice Agencies and Non-Criminal Justice Agencies

35 Thank You!
Illinois CISO: Bob Libman (815)
CJIS Security Policy Resource Center
