how to prepare for a cjis audit
DESCRIPTION
How To Prepare For A CJIS Audit. How To Prepare For A CJIS Audit Overview. Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available Resources. PRAY. Who conducts CJIS audit? What is being audited? Why are we being audited? - PowerPoint PPT PresentationTRANSCRIPT
How To Prepare For A CJIS Audit
How To Prepare For A CJIS AuditOverview
• Who, What, Why and When
• Audit Process
• Self Audit Using Network diagram
• Required Written Policies/Process
• Available Resources
PRAY
How To Prepare For A CJIS AuditHelps To Know
Who conducts CJIS audit?
What is being audited?
Why are we being audited?
When does the audit take place?
How To Prepare For A CJIS Audit Who conducts CJIS Audit?
• Texas DPS CJIS Security Team− Ensures all criminal justice and noncriminal justice
agencies accessing TLETS meet requirements mandated by the CJIS Security Policy
− Office created 2006− CJIS Information Security Officer – Alan Ferretti− 12 Auditors− 1200 TLETS agencies− Audited 882 agencies
How To Prepare For A CJIS Audit What is being audited?
• CJIS Security Policy 5.0 Compliance— Establishes the minimum security requirements for
Criminal Justice Information.— Version 5.0 has grown to four times the pages and two and a
half times the requirements found in Version 4.5. Technology continues to progress and be made available. Security threats have continued to increase.
— Version 5.0 is no longer a classified document. It is now considered a public document.
How To Prepare For A CJIS Audit Why is my agency being audited?
• CJIS Security Policy Requirement• Every 3 years• Other audit triggers
Audit Triggers
Possible Audit TriggersRequires CJIS
Security Office’s Approval
Pre–Audit
Site Audit (within 30-60
days)
Tri-annual Audit. N/A Yes Yes
New Agency. Yes Yes Yes
Security Incident or Exceptional Event Yes Yes Yes
Adding new technology accessing, storing or processing CJIS data (ex. Handhelds, MDTs, Virtual Technology).
Yes Yes Yes
Any upgrade to the system exceeding 25% of the cost of the system being upgraded.
Yes Yes Yes
Adding a system to interface with TLETS (CAD/RMS). Yes Yes Yes
CJIS network addition or configuration change. Yes Yes Yes
Moving TLETS equipment to a new site. Yes Yes Yes
Request to host an agency or to be hosted by an agency. Yes Yes Yes
Increasing the number of terminals by 25% or greater. Yes Yes Yes
Increasing the number of terminals by less than 25% Yes No No
Swapping out network equipment (1 for 1). No No No
Adding a system not accessing CJIS data (ex. e-tickets). No No No
Any upgrade to the system which is NOT replacing or adding to like technology.
No No No
How To Prepare For A CJIS Audit Audit Process
• Schedule audit− 2 - 6 weeks notice− Follow up with email detailing instructions and
recommendations− Formal notification by letter
• Pre-Audit− Phone call− Clarify instructions− Answer Questions
How To Prepare For A CJIS AuditAudit Process – On site Audit
CJIS Security Policy Version 5 Audit Checklist
Section: PolicyWalk
Through Technical Wireless InterfaceQuestions 20 7 7 19 17
How To Prepare For A CJIS Audit. Audit Process - Compliant
• Compliant− Formal letter mail to agency− Next scheduled audit – 3 years unless event occurs that
triggers audit
How To Prepare For A CJIS Audit. Audit Process – Non-compliant
• Non-compliant− Non -compliant letter, listing items out of
compliance mailed to the agency− Agency given 30 days to correct noncompliant
issues or its plan to correct noncompliant items− Compliant letter mailed to agency upon
verification of correct items
FIREWALLMAKE AND MODEL
PES
Satellite Dish Bldg Roof
DPS Satellite
DPS Satellite Dish
Another Law Enforcement Agency
256 Bit AES Encryption
FOR OFFICIAL USE ONLYDATE
Any Law Enforcement Agency
40 MDTs
TXDPS VSAT Hub
TLETS MainframeCAD/RMS
SWITCHMAKE/MODEL
Internet
`7 TLETS Terminal
3DES 128 Bit Encryption
3DES 128 Bit Encryption
3DES 128 Bit Encryption
SWITCHMAKE/MODEL
`5 TLETS Terminal
5 MDTs
SWITCHMAKE/MODEL
ROUTERMAKE/MODEL
ROUTERMAKE/MODEL
`Sub Station
TLETS Terminal
3DES 128 Bit Encryption
Any Law Enforcement Agency
5 MDT
128 B
IT 3DES
ANY LAW ENFORCEMENT AGENCY Date
FOR OFFICIAL USE ONLY
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram
− Depicts router(s), switch(s), and firewall(s) and lists their make and model? (Technical) 5.7.1.2
Manufacturer supporting devices with updates? (Technical) Network devices secured with locked doors? (Walk Through)
5.9.1.3 & 5.9.1.4 Restricted/Controlled area signage posted? (Walk Through)
5.9.1.1
− CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
− Network properly segmented from non law enforcement networks ? (Technical) 5.10.1.2
− Firewall in place between networks and Internet? (Technical) 5.10.1.1
− Firewall fails “close”? (Technical) 5.10.1.1
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram – IT /Network Support• If IT/Network Support personnel are:
− Vendor Security Addendum on file and does it include Texas
Signatory Page? (Policy) 5.1.1.5 Signed FBI Certification page? (Policy) 5.1.1.5 Fingerprint based background check ? (Policy) 5.12.1.1 &
5.12.1.2 Security Awareness Training completed (every 2 years) and
documented ? (Policy) 5.2.2
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram• If IT/Network Support personnel are:
− Non LE employees (i.e. city or county) Signed Management Control Agreement on File (Policy)
5.1.1.4 Fingerprint based back ground check (Policy) 5.12.1.1 Security Awareness Training completed (every 2 years) and
documented (Policy) 5.2.2• If IT/Network Support personnel are:
− LE employees• Fingerprint based back ground check (Policy) 5.12.1.1• Security Awareness Training completed (every 2 years and
documented (Policy) 5.2.2
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram• Depicts number of TLETS terminals? (Technical) 5.7.1.2
− Operating system patched? (Walk Through) 5.10.4.1
− Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
− Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) 5.9.1.3
− Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1
− Session locked after 30 min of inactivity? (Interface) 5.5.5
− Media Control (Policy) 5.9.1.9 – How is equipment containing CJI Data exiting a secure location controlled?
− Destruction (Policy) 5.8.4 & 5.8.2 – Written procedures for destroying electronic and physical media?
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram –• If terminal operators personnel are:
− Vendor Security Addendum on file and does it include Texas
Signatory Page? (Policy) 5.1.1.5 Signed FBI Certification page? (Policy) 5.1.1.5 Fingerprint cards submitted to DPS ? (Policy) 5.12.1.1 &
5.12.1.2 Security Awareness Training completed (every 2 years) and
documented ? (Policy) 5.2.2
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram• If terminal operators personnel are:
− Non LE employees (i.e. city or county) Signed Management Control Agreement on File (Policy)
5.1.1.4 Fingerprint cards submitted to DPS (Policy) 5.12.1.1 Security Awareness Training completed (every 2 years) and
documented (Policy) 5.2.2• If terminal operators personnel are:
− LE employees• Fingerprint card submitted to DPS (Policy) 5.12.1.1• Security Awareness Training completed (every 2 years and
documented (Policy) 5.2.2
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram• Mobiles (Technical)
• Operating system patched. (Walk Through) 5.10.4.1 • Anti-virus installed and operating and AV signature files
updated? (Walk Through) 5.10.4.2 & 5.10.4.3• Firewall enabled (Walk Through) 5.10.4.4• Vehicles locked when not in use (Walk Through) 5.9.1.3 • Listing of all wireless devices and contact number to disable
them if the need arises. (Wireless) 5.5.7 & 5.5.71• If transmitted outside secure location (PD, Vehicle) advance
authentication required (Technical) 5.6.2.2• CJI data transmitted out side the secured network encrypted at a
minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram• Interface (CAD/RMS)? (Interface)
• Operating system patched. (Walk Through) 5.10.4.1 • Anti-virus installed and operating and AV signature files
updated? (Walk Through) 5.10.4.2 & 5.10.4.3• Meets password requirements (Interface) 5.6.2.1• Locks after 5 consecutive invalid log on attempts (Interface)
5.5.3• NCIC & III transactions retain for 1 year (Interface) 5.4.7• Log audit events (Interface) 5.4.1.1• Meets audit retention, monitoring , alert and review
requirements? (Interface) 5.4.2 & 5.4.3• CAD/RMS kept behind secure doors, protected from
unauthorized viewing & unauthorized visitors logged and escorted (Walk Through) 5.9.1.3 & 5.9.1.4
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Network Diagram
− Interface (CAD/RMS)? (Interface-Continued) Restricted/Controlled area signage posted (Walk Through)
5.9.1.1
− CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
How To Prepare For A CJIS Audit Self Audit - Network Diagram
• Hosting/Hosted Agency
− Inter-local Agency Agreement on file (Policy) 5.1.1.4
− If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
− If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
− CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
How To Prepare For A CJIS AuditWritten Policies & Procedures
• Security Awareness Training – 5.2.2• Incident Response Plan – 5.3.1• Procedures for revoking/removing CJI access –
5.51, 5.12.2 & 5.12.3• Policy governing use of personally owned– 5.5.61 • Sanitization, and physical destruction procedures of
electronic media before release or reuse – 5.8.3 & 5.8.4
• Disposal and or destruction of physical media – 5.9.1.2
• Security Alert and Advisories process – 5.5.1• Process for validating user accounts – 5.5.1• Policy forbidding transmitting CJI outside secure
location -
Jeannette Cardensa CJIS Auditor
(512) 424-7910
Dan ConteCJIS Auditor
(512) 424-7137
Ginger CoplenCJIS Auditor
(512) 424-7913Alan Ferretti
CJIS Information Security Officer(512) 424-7186
Oswald Enriquez CJIS Auditor
(512) 424-7914
Erwin Pruneda CJIS Auditor
(512) 424-7911
Linda Sims CJIS Auditor
(512) 424-2937
Miguel ScottInfo Sec Analyst512-424-7912
Deborah Wright CJIS Auditor
(512) 424-7876first [email protected]
How To Prepare For A CJIS AuditAvailable Resources – CJIS Audit Team
•http://www.txdps.state.tx.us/securityreview–CJIS Security Policy–CJIS Security Policy Audit Checklist–Security Awareness Training–Network Diagram–Management Control Agreement–FIPS 140-2 Certificates–CJIS Security Addendum–Policy Examples– Security Advisories–Agencies Scheduled To Be Audited Thru March 2013
How To Prepare For A CJIS AuditAvailable Resources – Security Review Website
Miguel ScottInformation Security AnalystTX Dept of Public SafetyOffice: 512-424-7912Email: [email protected]