CJIS Security Policy

Upload: lucy-ball

Post on 21-Dec-2015

TRANSCRIPT

Page 1: CJIS Security Policy.  Provide a minimum set of security requirements for access to FBI CJIS Division information.  Protect and safeguard Criminal Justice

CJIS Security Policy

Page 2: CJIS Security Policy Purpose

- Provide a minimum set of security requirements for access to FBI CJIS Division information.
- Protect and safeguard Criminal Justice Information (CJI).
- Ensure continuity of information protection. Provide appropriate controls to protect CJI, from creation through dissemination, whether at rest or in transit.

Page 3: Criminal Justice Information (CJI)

The term used to refer to all of the FBI CJIS-provided data necessary for law enforcement and civil agencies to perform their missions. CJI can be in the form of:

- Biometric Data
- Identity History Data
- Biographic Data
- Property Data
- Case/Incident History

Page 4: CJIS Security Policy Administration

CSP is:
- Created by the States through CJIS Working Groups
- Approved or disapproved for recommendation by the CJIS Advisory Policy Board (APB)
- Given final approval or denial by the Director of the FBI

CSP is not:
- Law
- Created by the Federal Government

Page 5: CSP Policy Areas

1. Information Exchange Agreements
2. Security Awareness Training
3. Incident Response
4. Auditing and Accountability
5. Access Control
6. Identification and Authentication
7. Configuration Management
8. Media Protection
9. Physical Protection
10. Systems and Communications Protection and Information Integrity
11. Formal Audits
12. Personnel Security
13. Mobile Devices

Page 6: Policy Area 1: Information Exchange Agreements

The information shared through communication mediums shall be protected with appropriate security safeguards. The agreements established by entities sharing information across systems and communications mediums are vital to ensuring all parties fully understand and agree to a set of security standards.

Page 7: Policy Area 1: Information Exchange Agreements

Who needs them:
- Criminal Justice Agencies
- Non-Criminal Justice Agencies
- Private Contractors

Sample of agreement types:
- User Agreements
- Management Control Agreements
- Security Addendums
- Secondary Dissemination

Hint: Keep a repository of all agreements in a single location. These documents will not only be important should litigation arise, but will also be called for in an audit.

Page 8: Policy Area 2: Security Awareness Training

Basic security awareness training shall be required within 6 months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.

Page 9: Policy Area 2: Security Awareness Training

3 tiers of training:
- All Personnel
- Personnel with Physical and Logical Access to CJI
- Personnel with IT roles

Training records: Records of individual basic security awareness training and specific information system security training shall be documented, kept current and maintained by the agency.

Page 10: Policy Area 3: Incident Response

Agencies shall:
- Establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities;
- Track, document and report incidents to appropriate agency officials and/or authorities.

Report to: Illinois CJIS Information Security Officer (CISO)

Page 11: Policy Area 3: Incident Response

Examples of incidents:
- Hacking
- Virus Intrusion
- Spyware Intrusion
- Malware Intrusion
- Line Sniffing
- Misuse (personnel)

Keep a log of incidents and outcomes.

Page 12: Policy Area 4: Auditing and Accountability

Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.

Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.

Page 13: Policy Area 4: Auditing and Accountability

Examples:
- DB Log Files
- System Sign On/Off
- Application Sign On/Off
- Server Changes
- Hardware Changes
- Transaction Logging
- Log File Logging
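Sign-on/sign-off records are only worth keeping if somebody reviews them against the "prescribed pattern of behavior" the policy area talks about. The following is an added example, not code from the presentation or from the CJIS Security Policy, that reviews constructed sign-on/sign-off records in a hypothetical one-event-per-line format. It flags successful sign-ons outside an assumed authorized window, bursts of failed sign-ons, and sessions that never received a sign-off. The record layout, the 07:00-19:00 window, the failure threshold and the sample records are all assumptions made for the example.

```python
"""Review of sign-on/sign-off audit records (added example, constructed data).

Assumed record layout, one event per line:
    <ISO-8601 timestamp> <user> <event> <source-host>
where event is one of LOGON_OK, LOGON_FAIL, LOGOFF.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; not taken from any real system.
SAMPLE_LOG = """\
2015-12-01T08:02:11 jdoe LOGON_OK ws-101
2015-12-01T16:31:40 jdoe LOGOFF ws-101
2015-12-01T23:47:05 jdoe LOGON_OK ws-237
2015-12-02T02:10:19 jdoe LOGOFF ws-237
2015-12-01T09:15:00 asmith LOGON_FAIL ws-110
2015-12-01T09:15:21 asmith LOGON_FAIL ws-110
2015-12-01T09:15:44 asmith LOGON_FAIL ws-110
2015-12-01T09:16:02 asmith LOGON_FAIL ws-110
2015-12-01T09:16:30 asmith LOGON_OK ws-110
2015-12-01T10:00:00 rlee LOGON_OK ws-120
"""

AUTHORIZED_HOURS = (7, 19)          # assumption: sign-ons expected 07:00-19:00
FAIL_THRESHOLD = 3                  # assumption: 3+ failures in the window is a burst
FAIL_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse records into sorted (timestamp, user, event, host) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    events.sort()
    return events


def after_hours_logons(events, hours=AUTHORIZED_HOURS):
    """Successful sign-ons whose hour falls outside [start, end)."""
    start, end = hours
    return [(ts, user, host) for ts, user, ev, host in events
            if ev == "LOGON_OK" and not (start <= ts.hour < end)]


def failed_logon_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Map user -> largest count of LOGON_FAIL events inside any sliding window of `window`."""
    fails = defaultdict(list)
    for ts, user, ev, _host in events:
        if ev == "LOGON_FAIL":
            fails[user].append(ts)
    flagged = {}
    for user, times in fails.items():          # times are already in ascending order
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def sessions_without_logoff(events):
    """Sign-ons never matched by a later sign-off for the same (user, host)."""
    open_sessions = {}
    for ts, user, ev, host in events:
        key = (user, host)
        if ev == "LOGON_OK":
            open_sessions[key] = ts
        elif ev == "LOGOFF":
            open_sessions.pop(key, None)
    return open_sessions


def review(text=SAMPLE_LOG):
    """Run all three checks and return the findings as one dict."""
    events = parse_log(text)
    return {
        "after_hours": after_hours_logons(events),
        "failed_bursts": failed_logon_bursts(events),
        "open_sessions": sessions_without_logoff(events),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
```

On the constructed records the review flags jdoe's 23:47 sign-on on ws-237, four failed sign-ons by asmith inside five minutes, and two sessions (asmith on ws-110, rlee on ws-120) with no sign-off. The point for an audit is less the specific rules than that each flagged item has a record, a reviewer and an outcome that can be shown later.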

Page 14: Policy Area 5: Access Control

Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information, and the modification of information systems, application services and communication configurations that allow access to CJIS information.

Page 15: Policy Area 5: Access Control

Examples:
- Account Management: ensuring accounts are deleted/deactivated when a user leaves employment.
- Access Control: role/rule/identity policies
- Least Privilege
- System Use Notification
- Remote Access
- Session Locks
- Personal Devices
- Public Devices

Page 16: Policy Area 6: Identification and Authentication

The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information system services.

Page 17: Policy Area 6: Identification and Authentication

Examples:
- User IDs
- Passwords
- Advanced Authentication (AA)
- AA Decision Matrix
- Personal Identification Numbers
- Use of Identity Providers

Authenticate against a server and not a device.

Page 18: Policy Area 7: Configuration Management

Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.

Page 19: Policy Area 7: Configuration Management

Network Diagram: interconnectivity of CJIS systems.

Application Flow Diagram: how the application data flows from user to database, user to user, application to application. Not in CSP, but a good idea to have one.

Hint: Always maintain current Network and Application Diagrams. Not only will they help you track all your points of failure and security points, but they are required during an audit.

Page 20: Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals.

Procedures shall be defined for securely handling, transporting and storing media.

Page 21: Policy Area 8: Media Protection

- Media Transport
- Storage and Access
- Digital Media Transport
- Encryption
- Physical Media
- Media Disposal, e.g. wiping hard drives, shredding documents

Hint: Agencies should create strong policies and procedures for media disposal and protection. Copies of these policies and procedures should be kept in a central location as they could be asked for during an audit.

Page 22: Policy Area 9: Physical Protection

Physical protection policy and procedures shall be documented and implemented to ensure CJIS and information system hardware, software and media are physically protected through access control measures.

Page 23: Policy Area 9: Physical Protection

- Physically Secure Location
- Visitor Control
- Physical Access Authorization
- Controlled Area

If you can't have a physically secure building:
- Limit access
- Lock the area
- Encrypt data at rest

Page 24: Policy Area 10: System and Communications Protection and Information Integrity

Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection of and protection against unauthorized changes to software and information.

Page 25: Policy Area 10: System and Communications Protection and Information Integrity

- Boundary Protection: access points into the network
- Encryption: data in transit and data at rest; must meet FIPS 140-2 standards
- Cloud Computing
- Patch Management
- Anti-Virus Software

Hint: In addition to implementing all the safeguards for protection and integrity, agencies should have written policies on safeguards. Keeping these policies together provides for easier access, especially during an audit.

Page 26: Policy Area 11: Formal Audits

Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.

- Occur, at a minimum, every 3 years
- During security incidents
- Upon request by an agency
- Conducted by the FBI CJIS Division on selected agencies
- Conducted by the CSA on every agency in a 3-year cycle

Page 27: Policy Area 11: Formal Audits

NCIC Audit:
- Usage
- Data Quality
- Data Integrity
- Policy/Agreements/Training

Technical Security Audit:
- Policy/Agreements/Training
- Compliance to CSP
- Identify Weaknesses in Technical Security

Page 28: Policy Area 11: Formal Audits (Technical Security Audit)

Methodology: risk based. Not all audits cover every aspect of CSP; some will focus on higher-risk implementations.

Process:
- Pre-audit questionnaire
- Interview
- Site Visit/Data Center Walkthrough
- Draft Report
- Response
- Final Report

Page 29: Policy Area 11: Formal Audits (Technical Security Audit)

Items to bring:
- All agency policies that touch the CSP, e.g. password creation, training, visitor access, data center access, media destruction, etc.
- Interagency Agreements
- Management Control Agreements
- Training Curriculum
- Network Diagram
- FIPS 140-2 Certificates for Network Hardware
- Information flow diagram for each software application which stores or transmits CJI

Page 30: Policy Area 12: Personnel Security

Having proper security measures against the insider threat is a critical component of the CJIS Security Policy.

All employees and contractors who have access to CJI must undergo a Federal and State fingerprint-based background check. Any contractor with a felony conviction is disqualified from accessing CJI. Access shall be terminated for all employees who leave the employment of the agency.

Hint: Your agency should have policies and procedures in place to review employment status versus system access at least on a yearly basis.
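Both the Policy Area 5 account-management example (accounts deactivated when a user leaves employment) and the hint above (review employment status against system access at least yearly) come down to the same check: reconcile the directory against the HR roster. The following Python is an added example, not from the presentation or the CJIS Security Policy, that runs that reconciliation over constructed CSV data in a hypothetical layout. It flags enabled accounts belonging to separated personnel, enabled accounts with no HR record at all, and, one step beyond the slide, enabled accounts of current staff that have not signed on within an assumed 90-day window. The column names, the status values, the 90-day threshold and the sample rows are assumptions made for the example.

```python
"""Reconcile a directory account export against an HR roster (added example, constructed data).

Assumed (hypothetical) inputs:
  HR roster CSV:   user_id, status ("active" or "separated"), separation_date (ISO date or blank)
  Directory CSV:   user_id, enabled ("true"/"false"), last_logon (ISO date or blank)
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample data; not any real agency's roster or directory.
HR_ROSTER_CSV = """\
user_id,status,separation_date
jdoe,active,
asmith,separated,2015-10-15
rlee,active,
"""

DIRECTORY_CSV = """\
user_id,enabled,last_logon
jdoe,true,2015-12-18
asmith,true,2015-10-14
rlee,true,2015-06-01
svc-backup,true,2015-12-20
tnguyen,false,2015-09-30
"""

AS_OF = date(2015, 12, 21)   # assumption: the date the review is run
DORMANT_DAYS = 90            # assumption: no sign-on in 90 days counts as dormant


def _parse_date(s):
    return date.fromisoformat(s) if s else None


def load_hr(text):
    """HR roster -> {user_id: (status, separation_date or None)}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        roster[row["user_id"]] = (row["status"].strip().lower(),
                                  _parse_date(row["separation_date"].strip()))
    return roster


def load_directory(text):
    """Directory export -> {user_id: (enabled, last_logon or None)}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        accounts[row["user_id"]] = (row["enabled"].strip().lower() == "true",
                                    _parse_date(row["last_logon"].strip()))
    return accounts


def reconcile(roster, accounts, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return the three finding lists; disabled accounts need no action and are skipped."""
    separated_enabled, no_hr_record, dormant_enabled = [], [], []
    cutoff = as_of - timedelta(days=dormant_days)
    for user_id, (enabled, last_logon) in sorted(accounts.items()):
        if not enabled:
            continue
        if user_id not in roster:
            no_hr_record.append(user_id)          # orphan or unowned service account
            continue
        status, _separation = roster[user_id]
        if status != "active":
            separated_enabled.append(user_id)     # should already have been disabled
        elif last_logon is None or last_logon < cutoff:
            dormant_enabled.append(user_id)       # current staff, but unused access
    return {
        "separated_still_enabled": separated_enabled,
        "no_hr_record": no_hr_record,
        "dormant_enabled": dormant_enabled,
    }


def run_review(hr_text=HR_ROSTER_CSV, dir_text=DIRECTORY_CSV, as_of=AS_OF):
    return reconcile(load_hr(hr_text), load_directory(dir_text), as_of)


if __name__ == "__main__":
    for finding, users in run_review().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

On the sample data the review reports asmith (separated in October, still enabled), svc-backup (enabled, no roster entry, so nobody is accountable for it) and rlee (current employee, no sign-on since June). The first list is the one the slide's "access shall be terminated" requirement is about and should be actioned the same day; the other two are what a yearly status-versus-access review is meant to surface.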

Page 31: Policy Area 13: Mobile Devices

The agency shall:
- Establish usage restrictions and implementation guidance for mobile devices; and
- Authorize, monitor and control wireless access to the information system.

Page 32: Policy Area 13: Mobile Devices

- Wireless Protocols for all Access Points
- Cellular Services
- Bluetooth
- VoIP
- Mobile Device Management (MDM):
  - Remote Locking
  - Remote Wiping
  - Setting & Locking Device Configuration
  - Detecting Rooted Devices
  - Disk Level Encryption
  - Patching/Updates

Page 33: Policy Area 13: Mobile Devices

Wireless device risk mitigation:
- Apply critical patches as soon as they are available
- Configure for local device authentication
- Use Advanced Authentication
- Encrypt all CJI resident on the device
- Erase cached information, including authenticators
- Employ personal firewalls (can be done through MDM)
- Employ antivirus software (can be done through MDM)

Hint: Anything which cannot be done on a mobile device with a limited OS (e.g. Android or iOS) must be done through a Mobile Device Manager. Particular attention must be given when using mobile devices because of the increased risk associated with loss and/or theft of those devices.

Page 34: CJIS Security Policy Appendices

- Network Topology Diagram Examples
- Sample Information Exchange Agreements
- Best Practices (White Papers): Virtualization, VoIP, Cloud Computing, Mobile Computing
- Security Addendum
- Supplemental Guidance for Criminal Justice Agencies and Non-Criminal Justice Agencies

Page 35: Thank You!

Illinois CISO: Bob Libman, (815) 740-3064, [email protected]

CJIS Security Policy Resource Center: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view