Criminal Justice Information Services (CJIS) Security Policy - NC


U. S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division

Criminal Justice Information Services (CJIS) Security Policy
Version 5.1
7/13/2012
CJISD-ITS-DOC-08140-5.1

Prepared by: CJIS Information Security Officer
Approved by: CJIS Advisory Policy Board

EXECUTIVE SUMMARY

Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). The Federal Information Security Management Act of 2002 provides further legal basis for the APB approved management, operational, and technical security requirements mandated to protect CJI and by extension the hardware, software and infrastructure required to enable the services provided by the criminal justice community.

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.

The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the criminal justice community’s APB decisions along with nationally recognized guidance from the National Institute of Standards and Technology. The Policy is presented at both strategic and tactical levels and is periodically updated to reflect the security requirements of evolving business models. The Policy features modular sections enabling more frequent updates to address emerging threats and new security measures. The provided security criteria assists agencies with designing and implementing systems to meet a uniform level of risk and security protection while enabling agencies the latitude to institute more stringent security requirements and controls based on their business model and local needs.

The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems Agencies (CSA), including, in those states with separate authorities, the State Identification Bureaus. Further, as use of criminal history record information for noncriminal justice purposes continues to expand, the CJIS Security Policy becomes increasingly important in guiding the National Crime Prevention and Privacy Compact Council and State Compact Officers in the secure exchange of criminal justice records.

The policy describes the vision and captures the security concepts that set the policies, protections, roles, and responsibilities with minimal impact from changes in technology. The policy empowers CSAs with the insight and ability to tune their security programs according to their needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy. The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

CHANGE MANAGEMENT

Revision | Change Description | Created/Changed by | Date | Approved By
5.0 | Policy Rewrite | Security Policy Working Group | 02/09/2011 | See Signature Page
 | Incorporate Calendar Year 2011 APB approved changes and administrative changes | CJIS ISO Program Office | 07/13/2012 | APB & i

SUMMARY OF CHANGES

Version 5.1

1. In section 3.2.2(2)e, add “(LASO)”
2. In section 3.2.6, change the words “is to” to the word “shall”
3. Change title of Section 4 to “CRIMINAL JUSTICE INFORMATION AND PERSONALLY IDENTIFIABLE INFORMATION”
4. Rewrite Section 4.2, clarify handling of CHRI and rename “hot files” to “Non-Restricted Files Information”
5. Renumber the following sections:
   a. Section 4.2.3 to section 4.2.4
   b. Section 4.2.4 to section 4.2.5
   c. Section 4.2.4.1 to section 4.2.5.1
   d. Section 4.2.4.2 to section 4.2.5.2
6. In Section 4.2.5.2, change the word “hot” to the words “NCIC Non-restricted”
7. Change “is prohibited” to “shall not be used” in Section 5.5.6.2
8. Remove list item number 2 from Section 5.9.1.8
9. Replace Section 5.10.1.4, Voice over Internet Protocol
10. In section 5.10.4.4, change the word “computer” to the words “user device”
11. In section 5.10.4.4 bullet #2, change the acronym “PC” to the words “user device”
12. Add language to Section 5.12.1.1(1), add requirement for state and national check
13. Add language to Section 5.12.1.2(1), add requirement for state and national check
14. Add definition of “Digital Signature” to Appendix A Terms and Definitions
15. Add definition of “Escort” to Appendix A Terms and Definitions
16. Add definition of “Internet Protocol (IP)” to Appendix A Terms and Definitions
17. Add definition of “Logical Access” to Appendix A Terms and Definitions
18. Add definition of “Physical Access” to Appendix A Terms and Definitions
19. In Appendix A, Social Engineering definition, change the word “manipulation” to the word “manipulating”
20. Add definition of “State of Residency” to Appendix A Terms and Definitions
21. Add definition of “Voice over Internet Protocol (VoIP)” to Appendix A Terms and Definitions
22. Add these acronyms to Appendix B: PSTN, PBX, QoS
23. Remove Appendix C-1.E and reference(s) to that diagram
24. Change Assistant Director signature block, Appendix D-1, CJIS User Agreement
25. Change Assistant Director signature block, Appendix D-3, Noncriminal Justice Agency Agreement & Memorandum of Understanding
26. Change Assistant Director signature block, Appendix D-4, Interagency Connection Agreement
27. Change Appendix F, IT Security Incident Response Form, “Copies To:” block
28. Change the title of Appendix G from “Virtualization” to “Best Practices”
29. Rename Appendix G to Appendix G.1 “Virtualization”
30. Add Appendix G.2 “Voice over Internet Protocol White Paper”
31. Add language to Appendix H, Security Addendum Section 2.01
32. Add reference to Appendix I

TABLE OF CONTENTS

Executive Summary
Change Management
Summary of Changes
Table of Contents
List of Figures
1 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Relationship to Local Security Policy and Other Policies
  1.4 Terminology Used in This Document
  1.5 Distribution of the CJIS Security Policy
2 CJIS Security Policy Approach
  2.1 CJIS Security Policy Vision Statement
  2.2 Architecture Independent
  2.3 Risk Versus Realism
3 Roles and Responsibilities
  3.1 Shared Management Philosophy
  3.2 Roles and Responsibilities for Agencies and Parties
    3.2.1 CJIS Systems Agencies (CSA)
    3.2.2 CJIS Systems Officer (CSO)
    3.2.3 Terminal Agency Coordinator (TAC)
    3.2.4 Criminal Justice Agency (CJA)
    3.2.5 Noncriminal Justice Agency (NCJA)
    3.2.6 Contracting Government Agency (CGA)
    3.2.7 Agency Coordinator (AC)
    3.2.8 CJIS System Agency Information Security Officer (CSA ISO)
    3.2.9 Local Agency Security Officer (LASO)
    3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
    3.2.11 Repository Manager
    3.2.12 Compact Officer
4 Criminal Justice Information and Personally Identifiable Information
  4.1 Criminal Justice Information (CJI)
    4.1.1 Criminal History Record Information (CHRI)
  4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information
    4.2.1 Proper Access, Use, and Dissemination of CHRI
    4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information
    4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
      4.2.3.1 For Official Purposes
      4.2.3.2 For Other Authorized Purposes
      4.2.3.3 CSO Authority in Other Circumstances
    4.2.4 Storage
    4.2.5 Justification and Penalties
      4.2.5.1 Justification
      4.2.5.2 Penalties
  4.3 Personally Identifiable Information (PII)
5 Policy and Implementation
  5.1 Policy Area 1: Information Exchange Agreements
    5.1.1 Information Exchange
      5.1.1.1 Information Handling
      5.1.1.2 State and Federal Agency User Agreements
      5.1.1.3 Criminal Justice Agency User Agreements
      5.1.1.4 Interagency and Management Control Agreements
      5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
      5.1.1.6 Agency User Agreements
      5.1.1.7 Security and Management Control Outsourcing Standard
    5.1.2 Monitoring, Review, and Delivery of Services
      5.1.2.1 Managing Changes to Service Providers
    5.1.3 Secondary Dissemination
    5.1.4 References/Citations/Directives
  5.2 Policy Area 2: Security Awareness Training
    5.2.1 Awareness Topics
      5.2.1.1 All Personnel
      5.2.1.2 Personnel with Physical and Logical Access
      5.2.1.3 Personnel with Information Technology Roles
    5.2.2 Security Training Records
    5.2.3 References/Citations/Directives
  5.3 Policy Area 3: Incident Response
    5.3.1 Reporting Information Security Events
      5.3.1.1 Reporting Structure and Responsibilities
        5.3.1.1.1 FBI CJIS Division Responsibilities
        5.3.1.1.2 CSA ISO Responsibilities
    5.3.2 Management of Information Security Incidents
      5.3.2.1 Incident Handling
      5.3.2.2 Collection of Evidence
    5.3.3 Incident Response Training
    5.3.4 Incident Monitoring
    5.3.5 References/Citations/Directives
  5.4 Policy Area 4: Auditing and Accountability
    5.4.1 Auditable Events and Content (Information Systems)
      5.4.1.1 Events
        5.4.1.1.1 Content
    5.4.2 Response to Audit Processing Failures
    5.4.3 Audit Monitoring, Analysis, and Reporting
    5.4.4 Time Stamps
    5.4.5 Protection of Audit Information
    5.4.6 Audit Record Retention
    5.4.7 Logging NCIC and III Transactions
    5.4.8 References/Citations/Directives
  5.5 Policy Area 5: Access Control
    5.5.1 Account Management
    5.5.2 Access Enforcement
      5.5.2.1 Least Privilege
      5.5.2.2 System Access Control
      5.5.2.3 Access Control Criteria
      5.5.2.4 Access Control Mechanisms
    5.5.3 Unsuccessful Login Attempts
    5.5.4 System Use Notification
    5.5.5 Session Lock
    5.5.6 Remote Access
      5.5.6.1 Personally Owned Information Systems
      5.5.6.2 Publicly Accessible Computers
    5.5.7 Wireless Access Restrictions
      5.5.7.1 All 802.11x Wireless Protocols
      5.5.7.2 Legacy 802.11 Protocols
      5.5.7.3 Cellular
        5.5.7.3.1 Cellular Risk Mitigations
        5.5.7.3.2 Voice Transmissions Over Cellular Devices
      5.5.7.4 Bluetooth
    5.5.8 References/Citations/Directives
  5.6 Policy Area 6: Identification and Authentication
    5.6.1 Identification Policy and Procedures
      5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges
    5.6.2 Authentication Policy and Procedures
      5.6.2.1 Standard Authentication (Password)
      5.6.2.2 Advanced Authentication
        5.6.2.2.1 Advanced Authentication Policy and Rationale
        5.6.2.2.2 Advanced Authentication Decision Tree
    5.6.3 Identifier and Authenticator Management
      5.6.3.1 Identifier Management
      5.6.3.2 Authenticator Management
    5.6.4 Assertions
    5.6.5 References/Citations/Directives
  5.7 Policy Area 7: Configuration Management
    5.7.1 Access Restrictions for Changes
      5.7.1.1 Least Functionality
      5.7.1.2 Network Diagram
    5.7.2 Security of Configuration Documentation
    5.7.3 References/Citations/Directives
  5.8 Policy Area 8: Media Protection
    5.8.1 Media Storage and Access
    5.8.2 Media Transport
      5.8.2.1 Electronic Media in Transit
      5.8.2.2 Physical Media in Transit
    5.8.3 Electronic Media Sanitization and Disposal
    5.8.4 Disposal of Physical Media
    5.8.5 References/Citations/Directives
  5.9 Policy Area 9: Physical Protection
    5.9.1 Physically Secure Location
      5.9.1.1 Security Perimeter
      5.9.1.2 Physical Access Authorizations
      5.9.1.3 Physical Access Control
      5.9.1.4 Access Control for Transmission Medium
      5.9.1.5 Access Control for Display Medium
      5.9.1.6 Monitoring Physical Access
      5.9.1.7 Visitor Control
      5.9.1.8 Access Records
      5.9.1.9 Delivery and Removal
    5.9.2 Controlled Area
    5.9.3 References/Citations/Directives
  5.10 Policy Area 10: System and Communications Protection and Information Integrity
    5.10.1 Information Flow Enforcement
      5.10.1.1 Boundary Protection
      5.10.1.2 Encryption
      5.10.1.3 Intrusion Detection Tools and Techniques
      5.10.1.4 Voice over Internet Protocol
    5.10.2 Facsimile Transmission of CJI
    5.10.3 Partitioning and Virtualization
      5.10.3.1 Partitioning
      5.10.3.2 Virtualization
    5.10.4 System and Information Integrity Policy and Procedures
      5.10.4.1 Patch Management
      5.10.4.2 Malicious Code Protection
      5.10.4.3 Spam and Spyware Protection
      5.10.4.4 Personal Firewall
      5.10.4.5 Security Alerts and Advisories
      5.10.4.6 Information Input Restrictions
    5.10.5 References/Citations/Directives
  5.11 Policy Area 11: Formal Audits
    5.11.1 Audits by the FBI CJIS Division
      5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
      5.11.1.2 Triennial Security Audits by the FBI CJIS Division
    5.11.2 Audits by the CSA
    5.11.3 Special Security Inquiries and Audits
    5.11.4 References/Citations/Directives
  5.12 Policy Area 12: Personnel Security
    5.12.1 Personnel Security Policy and Procedures
      5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:
      5.12.1.2 Personnel Screening for Contractors and Vendors
    5.12.2 Personnel Termination
    5.12.3 Personnel Transfer
    5.12.4 Personnel Sanctions
    5.12.5 References/Citations/Directives
APPENDICES
  Appendix A Terms and Definitions
  Appendix B Acronyms
  Appendix C Network Topology Diagrams
  Appendix D Sample Information Exchange Agreements
  Appendix E Security Forums and Organizational Entities
  Appendix F IT Security Incident Response Form
  Appendix G Best practices
  Appendix H Security Addendum
  Appendix I References
  Appendix J Noncriminal Justice Agency Supplemental Guidance
  Appendix K Criminal Justice Agency Supplemental Guidance

LIST OF FIGURES

Figure 1 – Ov
