CJIS Security Policy - Oregon

Transcription

Information Technology Security and the CJIS Security Policy
Nicholas Harris, CJIS Information Security Officer, Oregon State Police
UNCLASSIFIED//FOUO

OBJECTIVE
– Why does OSP audit?
– What is the CJIS Security Policy?
– Where does the CJIS Security Policy come from?
– What is criminal justice information (CJI)?
– What to expect from an OSP IT audit?

OBJECTIVE
– What are the top noncompliance issues?
– Discussion of policy for top noncompliance issues

SHARED MANAGEMENT
– Where does CJI come from?
  – Local, state, tribal, and federal agencies
– Because the information is shared
  – The FBI CJIS Division employs a shared management philosophy

SHARED MANAGEMENT
– What does ‘shared management’ mean?
  – The FBI CJIS Division and its user community share responsibility for operation and management of shared information systems

SHARED MANAGEMENT
– How does ‘shared management’ work?
  – CJIS Systems Agency (CSA)
  – CJIS Systems Officer (CSO)
  – CJIS Information Security Officer (CISO)
  – CJIS Advisory Process
– The CJIS Advisory Process is used to
  – Establish a minimum standard of requirements to ensure continuity of information protection (write minimum policy standards)

ADVISORY POLICY BOARD
– What does the Advisory Policy Board (APB) govern?
  – CJI obtained by criminal justice agencies for criminal justice purposes

COMPACT COUNCIL
– What does the National Crime Prevention and Privacy Compact Council (Council) govern?
  – CJI obtained by all agencies for noncriminal justice purposes

CJIS SECURITY POLICY
– Written by the user community (through the CJIS Advisory Process)
– Published yearly
– Current version 5.6
– Provides minimum standard for IT security of CJI across the nation
– Over 600 ‘shall’ statements

CJIS SECURITY POLICY
– Where do the requirements come from?
  – Although the CJIS Security Policy is written by the user community in conjunction with the FBI through the Advisory Process, the requirements and language are often borrowed from the National Institute of Standards and Technology (NIST) [a part of the United States Department of Commerce]

CRIMINAL JUSTICE INFORMATION
– Definition:
  – ‘Criminal Justice Information’ is the term used to refer to all of the FBI CJIS Division provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to biometric, identity history, biographic, property, and case/incident history data (i.e. any information obtained from the FBI)

CRIMINAL JUSTICE INFORMATION
– What does this mean?
  – CJI taken from FBI systems and copied, transposed, or scanned into local agency information systems (e.g. a records management system [RMS]) is still considered CJI and still falls under the scope of the CJIS Security Policy

CJIS AUDIT UNIT
– Why does OSP audit?
  – Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies
  – Information housed in CJIS systems is obtained from the user community; the audit ensures that all agencies with access protect the data of the community at large

CJIS AUDIT UNIT
– Who does the OSP audit?
  – Each CJA and/or NCJA every three (3) years
  – Vendors that have contractual CJIS relationships with Oregon agencies
– Who participates?
  – The CJIS ISO visits the CJA/NCJA and a small statistical sample of local agencies (number varies based on resources)
  – Looks for trends in the state

CJIS AUDIT UNIT
– What is the general audit process for the agency?
  – 4 to 6 weeks prior:
    – Initial contact to local agency
    – Pre-audit material forwarded electronically

CJIS AUDIT UNIT
– What does the pre-audit material include?
  – Provides a general idea of topic areas that will be discussed
  – List of documentation the agency is required to provide
  – Provides an idea of who to have present during the audit

CJIS AUDIT UNIT
– What happens the day of the audit?
  – Administrative interview
  – Physical security inspection: tour of the facility/data center
  – Policy assessment packet: summarizes issues/concerns found

CJIS AUDIT UNIT
– What happens after the audit?
  – 60 days after (workload permitting): agency gets official draft report
  – 120 days after (workload permitting): response from agency due

CJIS AUDIT UNIT
– What happens after the audit?
  – APB Compliance Evaluation Subcommittee (CES): criminal justice
  – Compact Council Sanctions Committee: noncriminal justice; III misuse by criminal justice

NATIONAL AUDIT RESULTS
– Criminal Justice Agencies
  – Event Logging
  – Encryption
  – System Use Notification
  – Advanced Authentication
  – Security Awareness Training
  – Management Control Agreements
  – Security Addendums
  – Media Disposal

NATIONAL AUDIT RESULTS
– Noncriminal Justice Agencies
  – Contracted Noncriminal Justice Functions
  – Encryption
  – Event Logging
  – Personally Owned Computers
  – Mobile Devices
  – System Use Notification
  – Identification / User ID
  – Authentication (Passwords)

NATIONAL AUDIT RESULTS
CJA Top Findings               | NCJA Top Findings
Personally Owned Computers     | Contracted Noncriminal Justice Functions
Security Addendums             | Personally Owned Computers
Encryption                     | Security Incident Response
Advanced Authentication        | Security Awareness Training
Event Logging                  | Encryption
Security Incident Response     | Physical Security
Management Control Agreements  | Media Disposal
Media Protection               | Mobile Devices
Security Awareness Training    | Authentication (Passwords)

NATIONAL AUDIT RESULTS
– Top findings at both CJA and NCJA
  – Contractors (MCA/Security Addendum/Outsourcing)
  – Personally Owned Computers
  – Security Incident Response
  – Encryption
  – Security Awareness Training

FORMAL AGREEMENTS
– Before exchanging information
  – Ensure a formal agreement is in place that specifies the terms of the relationship:
    – Usage and dissemination restrictions
    – Access restrictions and training requirements
    – Physical and technical security controls for storage of information
    – Division of the roles and responsibilities
    – Security incident reporting procedures

FORMAL AGREEMENTS
Authorized Recipient | Performing Services | Type of Service  | Agreement Needed
CJA                  | NCJA                | Criminal Justice | Management Control Agreement
CJA                  | Private Contractor  | Criminal Justice | Security Addendum
CJA                  | CJA                 | Criminal Justice | Information Exchange Agreement

FORMAL AGREEMENTS
– Management Control Agreement
  – Signed between the CJA agency head and the agency head of the noncriminal justice agency
– Applies only if ALL of the following are met:
  – Using any outside noncriminal justice governmental agency
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

FORMAL AGREEMENTS
– CJIS Security Addendum
  – Signed by each unescorted private contractor
  – Cannot be altered/substituted
– Applies only if ALL of the following are met:
  – Using any outside personnel (not governmental)
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
The Sheriff’s Office (a CJA) is receiving IT services from the County Department of Information Technology (a NCJA). IT services include desktop support and network administration. The information systems, containing CJI, are housed at the county IT data center with all other county government departments. All County IT personnel have unescorted access to the data center. The racks housing the Sheriff’s Office equipment are not locked and the CJI is not encrypted at rest.

SCENARIO
– Does the CJA need a management control agreement?
  – Using any outside noncriminal justice governmental agency
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
YES

SCENARIO
The Police Department (a CJA) is receiving custodial services from the City Facilities Department (a NCJA). Personnel are paid from the Facilities budget and answer to the Director of City Facilities. All custodial personnel are allowed unescorted access to the Police Department, including secure terminal areas.

SCENARIO
– Does the CJA need a management control agreement?
  – Using any outside noncriminal justice governmental agency
  X To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
NO

SCENARIO
The 911 Dispatch Center (a NCJA) provides MDTs for the Police Department (a CJA). The MDT application servers and networking are controlled and maintained by the 911 Center. The MDT laptops are issued and owned by the Police Department and are connected to the 911 Center via VPN connection.

SCENARIO
– Does the CJA need a management control agreement?
  – Using any outside noncriminal justice governmental agency
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
YES

SCENARIO
The Sheriff’s Office (a CJA) is using a local cloud storage company to store RMS backups containing CJI. The backups are encrypted at rest by the Sheriff’s Office IT prior to leaving the facility and the Sheriff’s Office manages the key infrastructure. The cloud vendor cannot decrypt the data.

SCENARIO
– Does the CJA need a signed CJIS Security Addendum?
  – Using any outside personnel (not governmental)
  – To perform a criminal justice function
  X With unescorted access to unencrypted CJI

SCENARIO
NO

SCENARIO
The Police Department (a CJA) rents copiers from a private company. The copiers are being used by agency personnel to copy and/or scan CJI data. Every 2 years the copiers are replaced. The private company sends the CJA a certificate of destruction of all the hard drives.

SCENARIO
– Does the CJA need a signed CJIS Security Addendum?
  – Using any outside personnel (not governmental)
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
YES

SCENARIO
City IT (a NCJA, governmental) provides IT services and media destruction to a local Police Department (a CJA). City IT personnel have access to all of the Police Department’s information systems containing CJI. City IT has a subcontract with a local company for physical and electronic media destruction of all the city’s media, including the Police Department’s. Shredding is not witnessed by City IT.

SCENARIO
– Does the CJA need a management control agreement?
  – Using any outside noncriminal justice governmental agency
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
YES

SCENARIO
– Does the CJA need a signed CJIS Security Addendum?
  – Using any outside personnel (not governmental)
  – To perform a criminal justice function
  – With unescorted access to unencrypted CJI

SCENARIO
YES

PERSONNEL SECURITY
– Who needs a fingerprint-based record check for access to CJI?
  – All personnel with unescorted access to unencrypted CJI (whether access is physical or logical)

SCENARIO
The Sheriff’s Office (a CJA) is receiving IT services from the County Department of Information Technology (a NCJA). IT services include desktop support and network administration. The information systems, containing CJI, are housed at the county IT data center with all other county government departments. All County IT personnel have unescorted access to the data center. The racks housing the Sheriff’s Office equipment are not locked and the CJI is not encrypted at rest.

SCENARIO
– Does the CJA need to submit fingerprints?
  – Unescorted access to unencrypted CJI

SCENARIO
YES

SCENARIO
The Police Department (a CJA) is archiving all backup tapes with the City Archive Department (a NCJA). The tapes, containing CJI, are not encrypted at rest. A CJA employee takes the backup tapes to the Archive warehouse every Tuesday and locks the tapes within a CJA designated cage within the warehouse. State Archive personnel have key access to the cage for emergency purposes only but are supposed to request permission from the CJA prior to entry.

SCENARIO
– Does the CJA need to submit fingerprints?
  – Unescorted access to unencrypted CJI

SCENARIO
YES

SCENARIO
The Sheriff’s Office (CJA) is using a well-known vendor for their mobile data terminal (MDT) direct access information system. The information system is administered by the vendor through remote maintenance (which is not initiated or monitored by the CJA). The private contractor has advised that they service many CJAs throughout the country and have been vetted in several other states.

SCENARIO
– Does the CJA need to submit fingerprints?
  – Unescorted access to unencrypted CJI

SCENARIO
YES

SECURITY AWARENESS TRAINING
– Who needs to complete security awareness training?
  – All personnel with unescorted access to unencrypted CJI (whether access is physical or logical)

SECURITY AWARENESS TRAINING
– When is security awareness training required?
  – Within 6 months of unescorted access
  – At least once every 2 years

SECURITY AWARENESS TRAINING
– What needs to be in the training?
  – Level 1 – those with physical access only (not performing a criminal justice function – incidental access or “walking around access”) [i.e. janitorial, maintenance, coke vendors, etc.]
  – Level 2 – those with physical access only performing a criminal justice function (access on purpose) [i.e. paper shredding, records clerks, scanning services, couriers, etc.]

SECURITY AWARENESS TRAINING
– What needs to be in the training?
  – Level 3 – those with physical and logical access (access to electronically see criminal justice info) [i.e. the majority of your staff, terminal operators, record entry, officers w/ MDTs, etc.]
  – Level 4 – those with IT

WRITTEN POLICY STANDARDS
– All important policy and procedures should be written for consistency and continuity of information
  – Standards of discipline for misuse
  – Physical protection
  – Secure media storage, transport, and sanitization/disposal
  – Account management
  – Proper use/access from remote locations, using personal devices, mobile devices, etc.
  – Incident reporting

MEDIA PROTECTION
– Controlled access – at rest and in transit
– ID verification and escort of visitors
– Secure sanitization/destruction
  – Authorized personnel
  – Witnessed
  – At least 3 passes for wipes

SYSTEM USE NOTIFICATION
– The system use notification shall provide the following:
  – The user is accessing a restricted information system
  – System usage may be monitored, recorded, and subject to audit
  – Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties
  – Use of the system indicates consent to monitoring and recording

SYSTEM USE NOTIFICATION
– The system use notification must remain on the screen until the user acknowledges the notification and takes explicit action to log in

IDENTIFICATION
– Each user shall be uniquely identified
  – No shared user accounts, no generic log in (especially includes remote maintenance by administrative IT personnel or private contractors)
– Least privilege
– Need-to-know

IDENTIFICATION
– The agency should have written policy and procedures for issuing user accounts as well as disabling and/or deleting user accounts and performing validation of user accounts (annual audit of access)

AUTHENTICATION
– Passwords
  – Minimum of 8 characters
  – Numbers, letters, and special characters
  – Cannot be the same as the UserID
  – Expire in a maximum of 90 days
  – Cannot reuse the previous 10
  – Not transmitted in the clear outside a secure location
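An added example (not part of the presentation, and not any agency's production code) of a password-change check that enforces the rules on this slide: minimum length, number/letter/special-character composition, no match with the user ID, 90-day expiry, and a 10-deep reuse history. Keeping the history as salted PBKDF2 hashes is my choice, not something the policy prescribes; the "not transmitted in the clear" rule is a transport matter and is not covered here.

```python
import hashlib
import os
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 8       # minimum of 8 characters
MAX_AGE_DAYS = 90    # expire in a maximum of 90 days
HISTORY_DEPTH = 10   # cannot reuse the previous 10 passwords
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def _hash(password: str, salt: bytes) -> bytes:
    # Prior passwords are kept as salted PBKDF2 hashes (assumption: the
    # policy does not prescribe a storage format), never as plaintext.
    # The iteration count is kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def composition_problems(password: str, user_id: str) -> list[str]:
    """Return every composition rule the candidate violates ([] if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() == user_id.lower():
        problems.append("same as user ID")
    return problems


class PasswordRecord:
    """Per-account state: salted hashes of prior passwords and the last change date."""

    def __init__(self) -> None:
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.set_on: Optional[date] = None

    def is_expired(self, today: date) -> bool:
        # A password older than 90 days (or never set) must be changed.
        return self.set_on is None or today - self.set_on > timedelta(days=MAX_AGE_DAYS)

    def reused(self, password: str) -> bool:
        # Compare the candidate against the last HISTORY_DEPTH stored hashes.
        return any(_hash(password, salt) == digest
                   for salt, digest in self.history[-HISTORY_DEPTH:])

    def change(self, user_id: str, password: str, today: date) -> list[str]:
        """Apply the policy; on success store the new hash and return []."""
        problems = composition_problems(password, user_id)
        if self.reused(password):
            problems.append("matches one of the previous 10 passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.set_on = today
        return []
```

The user IDs, passwords and dates used to exercise it are constructed; `is_expired` treats exactly 90 days as still valid and day 91 as expired.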

ADVANCED AUTHENTICATION
– What is two-factor authentication?
  1. Something you know (username and password)
  2. AND one of the following:
    – Something you are (biometrics)
    – Something you have (token, one-time password, etc.)

ADVANCED AUTHENTICATION
– When is advanced authentication (AA) required?
  – Direct access information systems accessed outside the physically secure location
  – This will affect the following:
    – User population
    – Remote maintenance to direct access systems

ADVANCED AUTHENTICATION
– When is AA NOT required?
  – Access from within the physically secure location
  – Indirect access from outside the physically secure location

ADVANCED AUTHENTICATION
– It’s important to note
  – Mobile devices that cannot support a full-featured operating system may use compensating controls (e.g. mobile device management [MDM]) in lieu of AA as a temporary solution

ADVANCED AUTHENTICATION
– AA in the criminal justice conveyance
  – A criminal justice conveyance is considered a physically secure location and therefore, when officers are directly accessing CJI from within a criminal justice conveyance, AA is not required as long as the enclosed vehicle is meeting 5.9.1.3

ADVANCED AUTHENTICATION
– AA in the criminal justice conveyance
  – Mobile devices that cannot be removed or operate outside the criminal justice conveyance do not require AA
  – Conversely, mobile devices that can receive direct transactional responses from outside the criminal justice conveyance must implement AA
  – The APB did NOT approve written policy as a control to prevent use of an MDT outside the criminal justice conveyance as sufficient to meet the exemption

SCENARIO
A Police Department (a CJA) has mobile data terminals (MDTs) with direct access mounted within the police vehicle. The officers, by policy, remove the MDT from the vehicle each night and store it within their home. The modem is in the trunk and the MDT cannot connect to the Police Department network to access CJI from outside the vehicle.

SCENARIO
– Does the CJA need advanced authentication?
  – Direct access information system
  – Accessed from a physically secure location (criminal justice conveyance)
  – Will not work if removed from the secure location

SCENARIO
NO

SCENARIO
– Here is why
  – Although the officers have direct access to CJI, they cannot initiate a direct access transaction from outside the criminal justice conveyance, which is considered a physically secure location.

SCENARIO
A Police Department (a CJA) is using RMS software administered by a private contractor. Private contractor personnel remote login at their leisure (session is not initiated by the CJA) to the RMS server. The RMS is a direct access information system (i.e. can initiate transactions directly to the state/FBI). The CJA does not virtually escort contractors.

SCENARIO
– Does the CJA need advanced authentication?
  – Direct access information system
  – Accessed from outside the physically secure location
  – Contractors can grant themselves direct access (as administrators)

SCENARIO
YES

SCENARIO
– Here is why
  – Because the private contractor personnel have remote access (access outside the physically secure location) to a direct access information system, they must utilize AA prior to accessing the direct access RMS.
  – Note: IT administrators, whether internal or external to the CJA, with elevated privileges pose a higher risk to CJI and the state/national network because of the nature of their knowledge and privileges within the network/system.

CJIS SECURITY POLICY
Nicholas Harris, CJIS Information Security Officer, Oregon State Police
Nicholas.harris@state.or.us
(503) 302-7269