TRANSCRIPT
CJIS Security Policy: Purpose
- Provide a minimum set of security requirements for access to FBI CJIS Division information.
- Protect and safeguard Criminal Justice Information (CJI).
- Ensure continuity of information protection: provide appropriate controls to protect CJI from creation through dissemination, whether at rest or in transit.
Criminal Justice Information (CJI)
The term used to refer to all of the FBI CJIS provided data necessary for law enforcement and civil agencies to perform their missions. CJI can be in the form of:
- Biometric Data
- Identity History Data
- Biographic Data
- Property Data
- Case/Incident History
CJIS Security Policy Administration
The CSP is:
- Created by the States through CJIS Working Groups
- Approved or disapproved for recommendation by the CJIS Advisory Policy Board (APB)
- Given final approval or denial by the Director of the FBI
The CSP is not:
- Law
- Created by the Federal Government
CSP Policy Areas
1. Information Exchange Agreements
2. Security Awareness Training
3. Incident Response
4. Auditing and Accountability
5. Access Control
6. Identification and Authentication
7. Configuration Management
8. Media Protection
9. Physical Protection
10. Systems and Communications Protection and Information Integrity
11. Formal Audits
12. Personnel Security
13. Mobile Devices
Policy Area 1: Information Exchange Agreements
The information shared through communication mediums shall be protected with appropriate security safeguards. The agreements established by entities sharing information across systems and communication mediums are vital to ensuring all parties fully understand and agree to a set of security standards.
Who needs them:
- Criminal Justice Agencies
- Non-Criminal Justice Agencies
- Private Contractors
Sample of agreement types:
- User Agreements
- Management Control Agreements
- Security Addendums
- Secondary Dissemination
Hint: Keep a repository of all agreements in a single location. These documents will not only be important should litigation arise, but will also be called for in an audit.
Policy Area 2: Security Awareness Training
Basic security awareness training shall be required within 6 months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.
Three tiers of training:
- All Personnel
- Personnel with Physical and Logical Access to CJI
- Personnel with IT roles
Training records: Records of individual basic security awareness training and specific information system security training shall be documented, kept current and maintained by the agency.
Policy Area 3: Incident Response
Agencies shall:
- Establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities;
- Track, document and report incidents to appropriate agency officials and/or authorities (in Illinois, the CJIS Information Security Officer (CISO)).
Examples of incidents:
- Hacking
- Virus Intrusion
- Spyware Intrusion
- Malware Intrusion
- Line Sniffing
- Misuse (personnel)
Keep a log of incidents and outcomes.
Policy Area 4: Auditing and Accountability
Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.
Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.
Examples:
- DB Log Files
- System Sign On/Off
- Application Sign On/Off
- Server Changes
- Hardware Changes
- Transaction Logging
- Log File Logging
Policy Area 5: Access Control
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.
Examples:
- Account Management: ensuring accounts are deleted/deactivated when a user leaves employment.
- Access Control Role/Rule/Identity policies
- Least Privilege
- System Use Notification
- Remote Access
- Session Locks
- Personal Devices
- Public Devices
Policy Area 6: Identification and Authentication
The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information system services.
Examples:
- User IDs
- Passwords
- Advanced Authentication
- AA Decision Matrix
- Personal Identification Numbers
- Use of Identity Providers
Authenticate against a server and not a device.
Policy Area 7: Configuration Management
Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades and modifications.
- Network Diagram: interconnectivity of CJIS systems.
- Application Flow Diagram: how the application data flows from user to database, user to user, application to application. Not in the CSP, but a good idea to have one.
Hint: Always maintain current Network and Application Diagrams. Not only will they help you track all your points of failure and security points, but they are required during an audit.
Policy Area 8: Media Protection
Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals.
Procedures shall be defined for securely handling, transporting and storing media.
- Media Transport
- Storage and Access
- Digital Media Transport
- Encryption
- Physical Media
- Media Disposal (e.g. wiping hard drives, shredding documents)
Hint: Agencies should create strong policies and procedures for media disposal and protection. Copies of these policies and procedures should be kept in a central location as they could be asked for during an audit.
Policy Area 9: Physical Protection
Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software and media are physically protected through access control measures.
- Physically Secure Location
- Visitor Control
- Physical Access Authorization
- Controlled Area
If you cannot have a physically secure building:
- Limit access
- Lock the area
- Encrypt data at rest
Policy Area 10: System and Communications Protection and Information Integrity
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection of and protection against unauthorized changes to software and information.
- Boundary Protection: access points into the network
- Encryption: data in transit and data at rest; must meet FIPS 140-2 standards
- Cloud Computing
- Patch Management
- Anti-Virus Software
Hint: In addition to implementing all the safeguards for protection and integrity, agencies should have written policies on safeguards. Keeping these policies together provides for easier access, especially during an audit.
Policy Area 11: Formal Audits
Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies.
Audits occur:
- At a minimum, every 3 years
- During security incidents
- Upon request by an agency
Audits are conducted by:
- The FBI CJIS Division, on selected agencies
- The CSA (CJIS Systems Agency), on every agency in a 3 year cycle
NCIC Audit:
- Usage
- Data Quality
- Data Integrity
- Policy/Agreements/Training
Technical Security Audit:
- Policy/Agreements/Training
- Compliance to CSP
- Identify Weaknesses in Technical Security
Technical Security Audit methodology: risk based. Not all audits cover every aspect of the CSP; some will focus on higher risk implementations.
Audit process:
1. Pre-audit questionnaire
2. Interview
3. Site Visit/Data Center Walkthrough
4. Draft Report
5. Response
6. Final Report
Items to bring to a Technical Security Audit:
- All agency policies that touch the CSP (e.g. password creation, training, visitor access, data center access, media destruction, etc.)
- Interagency Agreements
- Management Control Agreements
- Training Curriculum
- Network Diagram
- FIPS 140-2 Certificates for Network Hardware
- Information flow diagram for each software application which stores or transmits CJI
Policy Area 12: Personnel Security
Having proper security measures against the insider threat is a critical component of the CJIS Security Policy.
All employees and contractors who have access to CJI must undergo a Federal and State fingerprint-based background check. Any contractor with a felony conviction is disqualified from accessing CJI. Access shall be terminated for all employees who leave the employment of the agency.
Hint: Your agency should have policies and procedures in place to review employment status versus system access at least on a yearly basis.
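As an added example (not part of this presentation and not the FBI's or the State's own tooling), the following Python script performs the review that Policy Area 5 (deactivating accounts when a user leaves) and Policy Area 12 (yearly comparison of employment status against system access) call for, and adds the Policy Area 2 training-currency check (training within 6 months of assignment, then biennially). It compares an HR roster against a system account export and against awareness training records. All records below are constructed sample data, and the field names (`status`, `assigned`, `enabled`) are assumptions rather than a real agency's schema.

```python
"""Access-review reconciliation for CJI-connected systems.

Added example, not from the presentation or the FBI CJIS Division. It
cross-checks an HR roster against system accounts (Policy Areas 5 and 12)
and against security awareness training records (Policy Area 2). Every
record here is constructed sample data; the field names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster: who is currently employed or under contract.
HR_ROSTER = {
    "jdoe":   {"status": "active",    "assigned": date(2021, 3, 1)},
    "asmith": {"status": "active",    "assigned": date(2023, 11, 15)},
    "bjones": {"status": "separated", "assigned": date(2019, 6, 1)},
    "cwhite": {"status": "active",    "assigned": date(2024, 1, 8)},
}

# Constructed account export from the CJI-connected system.
SYSTEM_ACCOUNTS = [
    {"user": "jdoe",    "enabled": True},
    {"user": "asmith",  "enabled": True},
    {"user": "bjones",  "enabled": True},   # separated but still enabled
    {"user": "svc_rms", "enabled": True},   # no HR owner at all
    {"user": "dgreen",  "enabled": False},  # already disabled, not a finding
]

# Constructed training log: most recent basic security awareness training.
TRAINING = {
    "jdoe":   date(2022, 2, 10),
    "asmith": date(2023, 12, 1),
    "cwhite": None,   # never trained
}

AS_OF = date(2024, 9, 1)               # constructed review date
INITIAL_WINDOW = timedelta(days=182)   # "within 6 months of initial assignment"
RENEWAL_WINDOW = timedelta(days=730)   # "biennially thereafter"


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose user is not an active person in HR.

    Catches both separated staff whose access was never terminated and
    accounts (e.g. service accounts) with no HR record to vouch for them.
    """
    active = {u for u, r in roster.items() if r["status"] == "active"}
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] not in active)


def training_overdue(training, roster, as_of):
    """Active personnel whose awareness training is missing or stale.

    Missing training becomes a finding once 6 months have passed since
    assignment; completed training expires 2 years after the recorded date.
    Separated personnel are skipped: their finding is the account, not training.
    """
    overdue = []
    for user, rec in roster.items():
        if rec["status"] != "active":
            continue
        last = training.get(user)
        if last is None:
            if as_of - rec["assigned"] > INITIAL_WINDOW:
                overdue.append(user)
        elif as_of - last > RENEWAL_WINDOW:
            overdue.append(user)
    return sorted(overdue)


def review(accounts=SYSTEM_ACCOUNTS, roster=HR_ROSTER,
           training=TRAINING, as_of=AS_OF):
    """One review run; returns the two lists an auditor would ask to see."""
    return {
        "disable": orphaned_accounts(accounts, roster),
        "retrain": training_overdue(training, roster, as_of),
    }


if __name__ == "__main__":
    for finding, users in review().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

Run against the constructed data, the review flags `bjones` and `svc_rms` for deactivation and `jdoe` and `cwhite` for retraining. Keeping the output of each run alongside the agreements and policies gives the auditor the evidence that the yearly review actually happened.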
Policy Area 13: Mobile Devices
The agency shall:
- Establish usage restrictions and implementation guidance for mobile devices; and
- Authorize, monitor and control wireless access to the information system.
Topics:
- Wireless Protocols for all Access Points
- Cellular Services
- Bluetooth
- VoIP
- Mobile Device Management (MDM): remote locking, remote wiping, setting and locking device configuration, detecting rooted devices, disk level encryption, patching/updates
Wireless device risk mitigation:
- Apply critical patches as soon as they are available
- Configure for local device authentication
- Use Advanced Authentication
- Encrypt all CJI resident on the device
- Erase cached information, including authenticators
- Employ personal firewalls (can be done through MDM)
- Employ antivirus software (can be done through MDM)
Hint: Anything which cannot be done on a mobile device with a limited OS (e.g. Android or iOS) must be done through a Mobile Device Manager. Particular attention must be given when using mobile devices because of the increased risk associated with loss and/or theft of those devices.
CJIS Security Policy: Appendices
- Network Topology Diagram Examples
- Sample Information Exchange Agreements
- Best Practices (White Papers): Virtualization, VoIP, Cloud Computing, Mobile Computing
- Security Addendum
- Supplemental Guidance for Criminal Justice Agencies and Non-Criminal Justice Agencies
Illinois CISO: Bob Libman (815) 740-3064 [email protected]
CJIS Security Policy Resource Center: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view
Thank You!