How To Prepare For A CJIS Audit


Overview
- Who, What, Why and When
- Audit Process
- Self Audit Using Network diagram
- Required Written Policies/Process
- Available Resources

PRAY

Helps To Know
- Who conducts CJIS audit?
- What is being audited?
- Why are we being audited?
- When does the audit take place?

Who conducts CJIS Audit?
- Texas DPS CJIS Security Team
- Ensures all criminal justice and noncriminal justice agencies accessing TLETS meet requirements mandated by the CJIS Security Policy
- Office created 2006
- CJIS Information Security Officer – Alan Ferretti
- 12 Auditors
- 1200 TLETS agencies
- Audited 882 agencies

What is being audited?
- CJIS Security Policy 5.0 Compliance
  - Establishes the minimum security requirements for Criminal Justice Information.
  - Version 5.0 has grown to four times the pages and two and a half times the requirements found in Version 4.5.
    - Technology continues to progress and be made available.
    - Security threats have continued to increase.
  - Version 5.0 is no longer a classified document. It is now considered a public document.

Why is my agency being audited?
- CJIS Security Policy Requirement
- Every 3 years
- Other audit triggers

Possible Audit Triggers

| Audit Triggers | Requires CJIS Security Office's Approval | Pre-Audit | Site Audit (within 30-60 days) |
|---|---|---|---|
| Tri-annual Audit. | N/A | Yes | Yes |
| New Agency. | Yes | Yes | Yes |
| Security Incident or Exceptional Event | Yes | Yes | Yes |
| Adding new technology accessing, storing or processing CJIS data (ex. Handhelds, MDTs, Virtual Technology). | Yes | Yes | Yes |
| Any upgrade to the system exceeding 25% of the cost of the system being upgraded. | Yes | Yes | Yes |
| Adding a system to interface with TLETS (CAD/RMS). | Yes | Yes | Yes |
| CJIS network addition or configuration change. | Yes | Yes | Yes |
| Moving TLETS equipment to a new site. | Yes | Yes | Yes |
| Request to host an agency or to be hosted by an agency. | Yes | Yes | Yes |
| Increasing the number of terminals by 25% or greater. | Yes | Yes | Yes |
| Increasing the number of terminals by less than 25% | Yes | No | No |
| Swapping out network equipment (1 for 1). | No | No | No |
| Adding a system not accessing CJIS data (ex. e-tickets). | No | No | No |
| Any upgrade to the system which is NOT replacing or adding to like technology. | No | No | No |

Audit Process
- Schedule audit
- 2 - 6 weeks notice
- Follow up with email detailing instructions and recommendations
- Formal notification by letter
- Pre-Audit Phone call
- Clarify instructions
- Answer Questions

Audit Process – On site Audit
[Chart: CJIS Security Policy Version 5 Audit. Legible labels: "...nical" 7, Wireless 19, Interface 17]

Audit Process - Compliant
- Compliant
- Formal letter mailed to agency
- Next scheduled audit – 3 years unless event occurs that triggers audit

Audit Process – Non-compliant
- Non-compliant
- Non-compliant letter, listing items out of compliance, mailed to the agency
- Agency given 30 days to correct noncompliant issues or its plan to correct noncompliant items
- Compliant letter mailed to agency upon verification of corrected items

[Figure: sample network diagram for "Any Law Enforcement Agency", marked FOR OFFICIAL USE ONLY and dated. Labelled elements: DPS satellite link (256 Bit AES encryption), satellite dish on building roof, DPS VSAT hub, TLETS mainframe, Internet, router (make/model), firewall (make and model), switch (make/model), CAD/RMS, 40 MDTs (3DES 128 Bit encryption), sub station TLETS terminal, 5 TLETS terminals, 7 TLETS terminals, and another law enforcement agency with 5 MDTs (3DES 128 Bit encryption).]

Self Audit - Network Diagram
Network Diagram
- Depicts router(s), switch(es), and firewall(s) and lists their make and model? (Technical) 5.7.1.2
  - Manufacturer supporting devices with updates? (Technical)
  - Network devices secured with locked doors? (Walk Through) 5.9.1.3 & 5.9.1.4
  - Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1
- CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
- Network properly segmented from non law enforcement networks? (Technical) 5.10.1.2
- Firewall in place between networks and Internet? (Technical) 5.10.1.1
- Firewall fails "close"? (Technical) 5.10.1.1

Self Audit - Network Diagram
Network Diagram – IT/Network Support
If IT/Network Support personnel are: Vendor
- Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5
- Signed FBI Certification page? (Policy) 5.1.1.5
- Fingerprint based background check? (Policy) 5.12.1.1 & 5.12.1.2
- Security Awareness Training completed (every 2 years) and documented? (Policy) 5.2.2

Self Audit - Network Diagram
Network Diagram
If IT/Network Support personnel are: Non LE employees (i.e. city or county)
- Signed Management Control Agreement on File (Policy) 5.1.1.4
- Fingerprint based background check (Policy) 5.12.1.1
- Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2
If IT/Network Support personnel are: LE employees
- Fingerprint based background check (Policy) 5.12.1.1
- Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2

Self Audit - Network Diagram
Network Diagram
- Depicts number of TLETS terminals? (Technical) 5.7.1.2
- Operating system patched? (Walk Through) 5.10.4.1
- Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
- Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) 5.9.1.3
- Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1
- Session locked after 30 min of inactivity? (Interface) 5.5.5
- Media Control (Policy) 5.9.1.9 – How is equipment containing CJI Data exiting a secure location controlled?
- Destruction (Policy) 5.8.4 & 5.8.2 – Written procedures for destroying electronic and physical media?

Self Audit - Network Diagram
Network Diagram
If terminal operators personnel are: Vendor
- Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5
- Signed FBI Certification page? (Policy) 5.1.1.5
- Fingerprint cards submitted to DPS? (Policy) 5.12.1.1 & 5.12.1.2
- Security Awareness Training completed (every 2 years) and documented? (Policy) 5.2.2

Self Audit - Network Diagram
Network Diagram
If terminal operators personnel are: Non LE employees (i.e. city or county)
- Signed Management Control Agreement on File (Policy) 5.1.1.4
- Fingerprint cards submitted to DPS (Policy) 5.12.1.1
- Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2
If terminal operators personnel are: LE employees
- Fingerprint card submitted to DPS (Policy) 5.12.1.1
- Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2

Self Audit - Network Diagram
Network Diagram
Mobiles (Technical)
- Operating system patched. (Walk Through) 5.10.4.1
- Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
- Firewall enabled (Walk Through) 5.10.4.4
- Vehicles locked when not in use (Walk Through) 5.9.1.3
- Listing of all wireless devices and contact number to disable them if the need arises. (Wireless) 5.5.7 & 5.5.71
- If transmitted outside secure location (PD, Vehicle) advanced authentication required (Technical) 5.6.2.2
- CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

Self Audit - Network Diagram
Network Diagram
Interface (CAD/RMS)? (Interface)
- Operating system patched. (Walk Through) 5.10.4.1
- Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
- Meets password requirements (Interface) 5.6.2.1
- Locks after 5 consecutive invalid log on attempts (Interface) 5.5.3
- NCIC & III transactions retained for 1 year (Interface) 5.4.7
- Log audit events (Interface) 5.4.1.1
- Meets audit retention, monitoring, alert and review requirements? (Interface) 5.4.2 & 5.4.3
- CAD/RMS kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted (Walk Through) 5.9.1.3 & 5.9.1.4
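Added example (not part of the original slides): one way to self-check the "locks after 5 consecutive invalid log on attempts" item (5.5.3) against CAD/RMS authentication logs before the audit. The log format, the event names (LOGIN_FAIL, LOGIN_OK, ACCOUNT_LOCKED, ACCOUNT_UNLOCKED) and the user names are constructed assumptions; map them to whatever your interface actually records.

```python
from collections import defaultdict

MAX_INVALID = 5  # limit from the checklist item (5.5.3)

def _fails(user, n, minute):
    # Builds constructed LOGIN_FAIL records for the sample log.
    return [f"2012-10-01T08:{minute + i:02d}:00 {user} LOGIN_FAIL" for i in range(n)]

# Constructed sample log, one "<timestamp> <user> <event>" record per line.
SAMPLE_LOG = "\n".join(
    _fails("jdoe", 5, 0) + ["2012-10-01T08:05:00 jdoe ACCOUNT_LOCKED"]       # compliant
    + _fails("asmith", 2, 10) + ["2012-10-01T08:12:00 asmith LOGIN_OK"]     # compliant
    + _fails("bwayne", 6, 20) + ["2012-10-01T08:26:00 bwayne LOGIN_OK"]     # never locked
    + _fails("ckent", 7, 30) + ["2012-10-01T08:37:00 ckent ACCOUNT_LOCKED"]  # locked late
)

def audit_lockout(log_text, limit=MAX_INVALID):
    """Return {user: finding} for accounts whose history breaks the lockout rule."""
    streak = defaultdict(int)  # consecutive invalid attempts per user
    locked = set()
    findings = {}

    def check_unlocked(user):
        # A streak at or past the limit on an unlocked account is a finding.
        if streak[user] >= limit and user not in locked:
            findings[user] = f"{streak[user]} consecutive failures, no lock"

    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed records
        _ts, user, event = parts
        if event == "LOGIN_FAIL":
            streak[user] += 1
        elif event == "ACCOUNT_LOCKED":
            if streak[user] > limit and user not in locked:
                findings[user] = f"locked late, after {streak[user]} failures"
            locked.add(user)
        elif event == "ACCOUNT_UNLOCKED":
            locked.discard(user)
            streak[user] = 0
        elif event == "LOGIN_OK":
            if user in locked:
                findings[user] = "login succeeded while locked"
            check_unlocked(user)
            streak[user] = 0
    for user in list(streak):
        check_unlocked(user)  # log ended with an unlocked account past the limit
    return findings
```

An empty result over a representative log window is evidence the lockout control behaves as the checklist expects; any finding is worth correcting before the on-site audit.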

Self Audit - Network Diagram
Network Diagram
Interface (CAD/RMS)? (Interface-Continued)
- Restricted/Controlled area signage posted (Walk Through) 5.9.1.1
- CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

Self Audit - Network Diagram
Hosting/Hosted Agency
- Inter-local Agency Agreement on file (Policy) 5.1.1.4
- If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
- If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
- CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

Written Policies & Procedures
- Security Awareness Training – 5.2.2
- Incident Response Plan – 5.3.1
- Procedures for revoking/removing CJI access – 5.51, 5.12.2 & 5.12.3
- Policy governing use of personally owned – 5.5.61
- Sanitization, and physical destruction procedures of electronic media before release or reuse – 5.8.3 & 5.8.4
- Disposal and or destruction of physical media – 5.9.1.2
- Security Alert and Advisories process – 5.5.1
- Process for validating user accounts – 5.5.1
- Policy forbidding transmitting CJI outside secure location -

Available Resources – CJIS Audit Team
- Jeannette Cardensa, CJIS Auditor, (512) 424-7910
- Dan Conte, CJIS Auditor, (512) 424-7137
- Ginger Coplen, CJIS Auditor, (512) 424-7913
- Alan Ferretti, CJIS Information Security Officer, (512) 424-7186
- Oswald Enriquez, CJIS Auditor, (512) 424-7914
- Erwin Pruneda, CJIS Auditor, (512) 424-7911
- Linda Sims, CJIS Auditor, (512) 424-2937
- Miguel Scott, Info Sec Analyst, 512-424-7912
- Deborah Wright, CJIS Auditor, (512) 424-7876
Email: firstname.lastname@dps.texas.gov

Available Resources – Security Review Website
http://www.txdps.state.tx.us/securityreview
- CJIS Security Policy
- CJIS Security Policy Audit Checklist
- Security Awareness Training
- Network Diagram
- Management Control Agreement
- FIPS 140-2 Certificates
- CJIS Security Addendum
- Policy Examples
- Security Advisories
- Agencies Scheduled To Be Audited Thru March 2013

Miguel Scott
Information Security Analyst
TX Dept of Public Safety
Office: 512-424-7912
Email: miguel.scott@dps.texas.gov
