SLED Overview Of The FBI Criminal Justice Information Services (CJIS .

Transcription

8/24/2012

SLED Overview of the FBI Criminal Justice Information Services (CJIS) Security Policy Version 5.1

For Official Use Only

This session will be an overview of the FBI Criminal Justice Information Services (CJIS) Security 5.1 policy and how it pertains and applies to municipal court clerks, magistrates, judges and other court staff who are receiving NCIC criminal justice information.

Security policy

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual (contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity) with access to, or who operate in support of, criminal justice services and information.

What is (NCIC) National Crime Information Center

NCIC 2000 is a nationwide, computerized information system established as a service to all local, state, federal, and international criminal justice agencies.

The goal of NCIC 2000 is to help the criminal justice community perform its duties by providing and maintaining a computerized filing system of accurate and timely documented criminal justice information.

The NCIC 2000 data bank can best be described as a computerized index of documented criminal justice information concerning crimes and criminals of nationwide interest. NCIC files also include missing and unidentified person files, files of persons who pose a threat to officer and public safety, as well as stolen property files.

All state and local agencies participating in the NCIC 2000 System are required to adhere to the security guidelines that can be found in the FBI/CJIS Security Policy 5.1.

The NCIC 2000 System stores vast amounts of criminal justice information which can be instantly retrieved by and/or furnished to any authorized agency and is a virtually uninterrupted operation 24 hours a day, 7 days a week.

Types of queries

NCIC stats

In January 1967 when NCIC became operational, it included five files, which contained 356,784 records. In its first year of operation, NCIC processed approximately 2.4 million transactions, or an average of 5,479 transactions daily. Last year NCIC processed 2.4 billion transactions. Recently, NCIC experienced a new one-day record of 8.6 million transactions. Presently, NCIC contains 19 files with over 15 million records, of which nearly 1.7 million are in the wanted persons file. NCIC services more than 90,000 user agencies and averages 7.5 million transactions per day. Currently, on average, South Carolina performs 350,000 transactions per day.

The local/regional computer availability goals shall be 100 percent with 96 percent as minimum. Equipment and/or technological incompatibility shall not be sufficient justification for any agency to operate outside of the normal CSA configuration.

The data stored in the NCIC 2000 System and the III File are documented criminal justice information and must be protected to ensure correct, legal, and efficient dissemination and use. It is incumbent upon an agency operating an NCIC 2000 infrastructure to implement the necessary procedures to make that component secure from any unauthorized use. Any departure from this responsibility warrants the removal of the offending component from further NCIC 2000 participation.

Throughout the last several years, there have been significant changes in the CJIS community's telecommunications and systems architecture. As a result of technological advances, the FBI Director authorized a security management structure to specifically address technical security controls, policy revision, oversight, training, and security incident resolution and notification.

In addition to these changes, a significant number of the larger and more important computer systems in this country have been successfully penetrated by individuals whose reasons ran the gamut from monetary profit to ideological principles. If the National Crime Information Center (NCIC) is going to function efficiently and effectively in today's society, system security must be an omnipresent element of its everyday operation.

Therefore the CJIS Advisory Policy Board (APB) adopted new policies in the areas of identification, authentication, encryption, wireless applications, dial-up access, Internet access, public networks, and firewalls to address security concerns.

A Federal Working Group and several regional Working Groups were established to recommend policy and procedures for the programs administered by the FBI CJIS Division. These Working Groups are also responsible for the review of operational and technical issues related to the operation of or policy for these programs.

The FBI uses hardware and software controls to help ensure System security. However, final responsibility for the maintenance of the security and confidentiality of criminal justice information is shared with the individual agencies participating in the NCIC 2000 System and the IT departments who support the agencies. Further information regarding System security can be obtained from the FBI/CJIS Security Policy 5.1.

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual (contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity) with access to, or who operate in support of, criminal justice services and information.

Policy Purpose

- To provide minimum security requirements associated with the creation, viewing, modification, transmission, dissemination, storage, or destruction of Criminal Justice Information or CJI.
- To provide a baseline security policy for Local, State, and Federal agencies to build their policies upon. (It is the minimum standard a local policy must follow.)
- The policy covers roles and responsibilities as well as the 12 areas of compliance.

Roles and Responsibilities – State ISO

SLED will appoint an Information Security Officer (ISO) who is responsible for establishing and maintaining information security policy, assessing threats and vulnerabilities, performing risk and control assessments, overseeing the governance of security operations, and establishing information security training and awareness programs.

Roles and Responsibilities – State CSO

Each state must have a CJIS Security Officer (CSO) assigned by the head of the CJIS Systems Agency (CSA) (SLED) who is responsible for enforcing security policy rules over ALL agencies, users, and devices accessing CJI information via the state CSA (SLED).

Roles and Responsibilities – Local Level

Each local agency accessing Criminal Justice Information or CJI is required to have a Terminal Access Coordinator (TAC) and a Local Access Security Officer (LASO) to oversee that the CJIS Security Policy is being abided by locally. They can be the same person.

Terminal Agency Coordinator (TAC)

The TAC serves as the point-of-contact at the local agency for matters relating to CJIS information access. A TAC administers CJIS systems programs within the local agency and oversees the agency's compliance with CJIS systems policies. The TAC is the Agency Coordinator (AC).

AC of the CGA

The AC is a staff member of the CGA who manages agreements and is responsible for the supervision and integrity of the system and the training and continuing education of employees as required. 3.2.7

Agency Coordinator (AC)

The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification testing and all required reports by NCIC.

The AC shall:

- Understand the communications, records capabilities, and needs of the individual which is accessing federal and state records through or because of its relationship with the CGA.
- Receive information from the CGA (e.g., system updates) and disseminate it to appropriate individuals.
- Maintain up-to-date records of all employees or contractors who access the system, including name, date of birth, social security number, date fingerprint card(s) submitted, date security clearance issued, and date initially trained, tested, certified or recertified (if applicable).
- Schedule new operators for the certification exam as well as schedule certified operators for biennial recertification testing within thirty (30) days prior to the expiration of certification.
- Schedule operators for other mandated classes.

The AC shall:

- The AC will not permit an untrained/untested or non-certified employee or contractor to access CJI or systems supporting CJI where access to CJI can be gained.
- Provide completed applicant fingerprint cards on each Contractor employee who accesses the system to the CJA (or, where appropriate, CSA) for criminal background investigation prior to such employee accessing the system.

Local Agency Security Officer (LASO)

The primary Information Security contact between a local law enforcement agency and the CSA.

The LASO actively represents their agency in all matters pertaining to Information Security, disseminates Information Security alerts and other material to their constituents, maintains Information Security documentation (including system configuration data), assists with Information Security audits of hardware and procedures, and keeps the CSA informed as to any Information Security needs and problems.

Roles and Responsibilities – Outsourcing of CJI Administration

- The responsibility for the management of the approved security requirements shall remain with the Criminal Justice Agency.
- Thus the outsourcing of the state CSO and ISO positions is not allowed.
- Thus the outsourcing of local TAC and LASO positions is not allowed.

Roles and Responsibilities – Local Points of Contact

- Local or municipal entities should refer all CJIS Security procedural or technical questions to their local criminal justice agency's TAC or LASO. They are the local point of contact.
- If the local TAC or LASO does not have an answer they can refer to the state CSO for assistance.

Illegal Dissemination of CJI and PII Can Lead to Penalties

Improper access and dissemination of any CJI data including CHRI may result in administrative sanctions, termination, and state and federal penalties.

Refer to S.C. Financial Fraud and Identity Theft Law for more information.

What does the policy cover?

1. Information Exchange Agreements
2. Awareness Training
3. Incident Response
4. Auditing and Accountability
5. Access Control
6. Identification and Authentication
7. Configuration Management
8. Media Protection
9. Physical Protection
10. Systems & Communications Protection and Information Integrity
11. Formal Audits
12. Personnel Security

Information Exchange Agreements
Policy Area 1

Criminal Justice Information requires protection throughout its life which is why agreements need to be in place between each agency sharing CJI data. These agreements must specify security controls meeting the CJIS Security Policy requirements and be in place before any CJI can be exchanged.

Agreements should state the policies, standards, sanctions, governance, auditing, services accessed and policy compliance required for the user agency.

CJI exchange includes e-mail, instant messaging, web services, facsimile, hard copy, and the information systems sending, receiving, and storing CJI.

Some Agreement Types

- User
- Service
- Management Control *
- Inter-Agency *
- CJIS Security Addendum *
- Civil Agency User Agreement
- Livescan/Latent Fingerprint Sharing

Agreements required for NCJA

Management Control agreement - grants the criminal justice agency management control over the operations of the non-criminal justice agency as they relate to access to the Law Enforcement Data System network and services.

Required between CJA and the NCJA which provides services to the CJA (dispatching, record keeping, computer services, etc.).

"Management Control" means the authority to set and enforce:
(a) Priorities;
(b) Standards for the selection, supervision and termination of personnel; and
(c) Policy governing the operation of computers, circuits, and telecommunications terminals used to process, store, or transmit information to or receive information from the Law Enforcement Data System.

Agreements required for NCJA (cont.)

Inter-Agency – agreement between two agencies that states standards, policy, and access required of the parties
- State CSA to non-criminal justice agency (DSIT)
- Local criminal justice agency to non-criminal justice agency (county or city)

Security Addendum
- Criminal Justice Agency & private contractor (each employee)
- Non-criminal Justice Agency & private contractor (each employee)

Example: CJA supported by NCJA

- SLED is CSA
- SLED's enterprise extends to Metropolitan PD
- Metropolitan City IT department performs IT administration of PD network with some private contractors

Agreements Needed

- CJA user agreement between SLED and Metropolitan PD
- Inter-agency agreement between Metropolitan City IT and Metropolitan PD
- Management control agreement between Metropolitan PD and Metropolitan City IT
- Security Addendum between Metropolitan City IT and Private contractors

5.2 Policy Area 2: Security Awareness Training

Security awareness training shall be required before an initial assignment for all personnel who have access to CJI. The CSO/CSA may accept the documentation of the completion of security awareness training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.

Security Awareness Training
Policy Area 2

- Security awareness training is mandatory for those with roles in the support, administration or general access to criminal justice information.
- All criminal justice employees, non-criminal justice employees, contractors, vendors, etc.
- The level of training is dependent on the role of the individual – IT support requires the highest level of training.

Security Awareness Training
Policy Area 2

- Training must be performed every two years.
- The management control criminal justice agency designated person (TAC, LASO, ISO, CSO, NCIC coordinator) is responsible for coordinating and verifying the completion of this requirement for their respective agency.

Incident Response
Policy Area 3

- The information security officer at SLED has been identified as the POC on security-related issues for the CSA and respective agencies in the state.
- The ISO is responsible for ensuring LASOs (local agency security officer) institute the CSA incident response reporting procedures at the local level.

Policy Directive - 5.3

Agencies shall:
(i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
(ii) track, document, and report incidents to appropriate agency officials and/or authorities

Responsibilities for incident response

Agencies, whether criminal justice or non-criminal justice, that are responsible for the administration of criminal justice, dispatching, record keeping, or computer services for CJI are all required to follow the CJIS policy incident reporting requirements.

Four critical tasks must be followed with incidents:
- Incident Handling
- Collection of evidence
- Incident Response training
- Incident Monitoring

These procedures may be audited by SLED and/or the FBI during the required technical and policy audits.

Auditing and Accountability
Policy Area 4

- Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.
- Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.

Logging Events

Policy 5.4 states specific logging requirements:
- Specific events must be logged
- Content to log on each event is specified
- Monitoring, analysis and log reporting actions
- Response to logged events
- Log retention is 365 days
- Other requirements exist for NCIC, III and CJIS access and information logging

Access Control
Policy Area 5

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.

Access control includes physical in addition to logical access.

User Access Control

- Always assign least privilege to accounts.
- Use job duties, physical, logical or network location, and date/time restrictions for access.
- All employee status changes must be reported and accounts adjusted as required.
- Policy guidelines state requirements for annual validation of accounts, logging of access and inactivity or failed log in attempts (policy 5.5).

Access Control Recommendations

- System administrator access must be tightly regulated.
- Only allow remote admin access in emergency situations.
- Don't allow remote access for group accounts.
- Always provide System Notifications or Warnings to users logging on.
- Use approved mechanisms to control this access. Policy 5.5.2.3 and 5.5.2.4
- Security must be FIPS 140-2.

CJI Access Restrictions

- CJI access is not allowed from personally owned or public computers.
- No CJI over Bluetooth at this time because it does not use a FIPS 140-2 approved encryption standard.
- CJI over Wireless and Cellular must be carefully regulated following policy 5.5.7.

Identification and Authentication
Policy Area 6

- All users must be properly identified prior to access to any agency information systems or services.
- Follow password policies for all access to the criminal justice infrastructure or network where CJI is transmitted as listed in 5.6.2.1.

Advanced Authentication

- Advanced Authentication (AA) is required when users are accessing CJI information via a network that is not deemed secure by the SLED ISO. Policy 5.6.2.2
- Advanced Authentication is the use of additional identifiers on top of login ID and password that may include PKI, biometric, smart cards tokens, software tokens etc.

Configuration Management
Policy Area 7

- The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.
- Thus agencies must restrict who has configuration management permissions.

Configuration Management Requirements

- All network changes must provide a detailed network topography diagram to the SLED ISO anytime there is a proposed network change or a network change has occurred.
- Agencies must protect all system configuration documentation from unauthorized access.

Media Protection
Policy Area 8

- Procedures must be defined for securely handling, transporting, and storing media both electronic and physical.
- Procedures must also be in place for the sanitization and disposal of electronic and physical media that meet policies.
- All entities accessing CJI media must be vetted authorized personnel.
- Specific policies are in policy 5.8.

Physical Protection
Policy Area 9

- All CJI and associated information systems must be in a physically secure location.
- This can be a facility, area, room or group of rooms with controls described in 5.9.1.1 – 5.9.1.9.
- Personnel security for access to the area must follow policy area 12.
- The location is subject to the management control of the CJA and must follow all criminal justice policies.

Physical protection

- A security perimeter should be established and posted as such.
- A list of authorized personnel with access must be maintained.
- All physical access points to the secure area must be controlled.
- All physical access to the IT systems and transmission lines shall be controlled.
- The display or view of information from outside this controlled area must prevent unauthorized viewing.

Visitor Control

- Visitors must be authenticated before authorizing escorted access.
- Access records shall be maintained following the policy requirements in 5.9.1.8.
- Items entering and exiting the area shall be controlled and authorized.

- Non-criminal justice agencies or contractors must follow these procedures to report incidents to the LASO at the criminal justice agency they support. (Who signed the management control agreement?)
- The criminal justice agency LASO will report these incidents to the SLED ISO who will in turn communicate the details to the FBI CJIS ISO.

Systems & Communications Protection and Information Integrity
Policy Area 10

- Examples range from boundary and transmission protection to securing virtual environments.
- Information flow enforcement between interconnected systems shall be controlled.

Information Flow

Information flow regulates where the information is allowed to travel within the IT system and between IT systems.

- CJI cannot be transmitted unencrypted across the public network.
- Outside traffic that claims to be from the agency must be blocked.
- Web requests from the public network not from an internal web proxy should not be passed.

Layers of protection

- CJI and system shall provide boundary protection as established in policy 5.10.1.1.
- Encryption standards must be met (policy 5.10.1.2); SLED has additional requirements for encryption: AES 256.
- Intrusion detection/prevention tools shall be in place following policy 5.10.1.3.
- VoIP and facsimile policies shall also be implemented per policy 5.10.1.4.

Information Technology security

- IT security is hardware and/or software used to assure the integrity and protection of information and the means of processing it.
- Many criminal justice data systems and networks are interconnected to one another and the Internet.
- As such, those systems and networks are vulnerable to exploitation by unauthorized individuals.

Partitioning

Specific controls must be in place to use this technology with criminal justice information and processing.

The application, service, or system shall:
- Separate user functionality (including UI services) from information system management.
- Separate UI services from information storage and management services either physically or logically. Guidelines for achieving this are specified in 5.10.3.1.

Virtualization

All security controls in the policy apply to virtualization.

Additional controls exist in policy 5.10.3.2:
- Isolate host from virtual machine
- Maintain audit logs for all virtual hosts and machines (store these outside of virtual environment)
- Physically separate Internet facing virtual machines from virtual machines that process CJI
- Critical device drivers shall be contained in a separate guest.

Virtualization

Additional technical security controls are suggested. These include:
- Encrypt network traffic between virtual machine and host
- Implement IDS and IPS within the virtual machine environment
- Virtually firewall each virtual machine from each other or physically firewall each with an application layer firewall controlling protocols
- Segregate the administrative duties for the host

System & Information Integrity

- The agency shall develop and implement a local policy for installing relevant security patches, service packs and hot fixes.
- The policy must include items and procedures (policy 5.10.4.1) for installing these 'fixes'.
- Malicious code, spam and firewall protection must be implemented following policy 5.10.4.2 - 5.10.4.3.

Formal Audits
Policy Area 11

- Formal audits are conducted on IT services, secure areas, personnel and policies by SLED and the FBI.
- Regular audits are triennial but can be conducted more frequently.
- The FBI has the authority to conduct unannounced security inspections and scheduled audits of the facilities.
- All agencies, CJA and NCJA, are subject to the audit requirements and inspections.
- Responses to audit findings must be addressed in an accepted manner by the CJA, SLED and FBI.
- Failure to correct deficiencies will result in sanctions.

Personnel Security
Policy Area 12

- All personnel who have access to unencrypted criminal justice information (CJI) including those with only physical or logical access must be screened.
- All requests for access must be cleared by the CJA who maintains management control. The TAC or LASO is the point of contact for these requests.

Background Checks

- Notification of subsequent arrest and/or convictions for those who have access must be sent to the CSO to determine if access should be continued.
- Support personnel, contractors, custodial workers, and others with access to physically secure or controlled locations shall be subject to these regulations unless escorted by an authorized person at all times.

Personnel screening for contractors and vendors

In addition to requirements in policy 5.12.1.1, the following items are in place:
- The contracting government agency (CGA) shall coordinate the background check prior to granting access with the criminal justice agency that has management control.
- If a record of any kind is found, the CGA will be notified and access is delayed pending a review by the CJA. The CGA must notify the contractor appointed security officer.
- All felony convictions are disqualifications for access.
- Arrest warrants are disqualifications for access.
- The CGA shall maintain a list of personnel who have been authorized for access and shall provide a current list to the CSO when requested.
- The CGA can request the CSO to review any denials.

Maintenance after granting physical or logical access

- Upon termination or separation, the individual's access shall immediately be terminated.
- Reassignments or transfers shall result in actions such as closing and establishing new accounts and changing system access authorizations.
- A formal sanctions process for failure to comply with established information security policies and procedures shall be documented, distributed and enforced. This should be available during an audit.

Background Checks

- A state of residency and national fingerprint background check is required for unescorted access AND all personnel who have direct access to CJI and all those who have IT responsibility.
- Any felony conviction will result in access denied.
- If a record of any kind exists, access cannot be granted until the CSO (SLED) reviews and determines if access is appropriate.

System & Information Integrity

Any mobile device by design (laptops, handhelds, PDA etc.) must employ personal firewall protection.

A minimum list of activities performed by the personal firewall is listed in policy 5.10.4.4:
- Manage program access to the Internet
- Block unsolicited requests to connect to the device
- Filter incoming traffic by IP, protocol or destination port
- Maintain an IP traffic log

Security alerts and advisories must be received by the agency and policies must be in place for handling the information. Policy 5.10.4.5

Information Technology security

A vulnerability is a condition or weakness in (or the absence of):
- Security Procedures
- Technical Controls
- Physical Controls
- Other controls that could be exploited by a threat.

Information Technology security

- All systems and networks have vulnerabilities.
- The goal of security is to minimize those vulnerabilities.
- Vulnerabilities include, but are not limited to, physical, natural, hardware and software.

Information Technology security

Vulnerabilities Examples

- Physical: The placement of a computer in a non-secure location.
- Natural: a server connected to a power source without a surge protector or backup power supply.
- Hardware: a connection to the Internet without a firewall.
- Software: not updating the computer operating system when updates are issued.

Information Technology security

Security Points of Contact

Identify who is using the hardware/software and ensure that no unauthorized

(CJIS) Security Policy Version 5.1 8/09/2012 CJISD-ITS-DOC-08140-5. SLEDISO@SLED.SC.GOV For Official Use Only 2 . initial training and testing, and certification testing and all required reports by NCIC. 8/24/2012 9 For Official Use Only 25 The AC shall: