8/24/2012
For Official Use Only 1
SLED Overview of the FBI Criminal Justice Information Services (CJIS) Security Policy
Version 5.1
8/09/2012
This session is an overview of the FBI Criminal Justice Information Services (CJIS) Security Policy 5.1 and how it pertains and applies to municipal court clerks, magistrates, judges and other court staff who receive NCIC criminal justice information.
Security Policy
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operates in support of, criminal justice services and information.
What is the National Crime Information Center (NCIC)?
NCIC 2000 is a nationwide, computerized information system established as a service to all local, state, federal, and international criminal justice agencies.
The goal of NCIC 2000 is to help the criminal justice community perform its duties by providing and maintaining a computerized filing system of accurate and timely documented criminal justice information.
The NCIC 2000 data bank can best be described as a computerized index of documented criminal justice information concerning crimes and criminals of nationwide interest. NCIC files also include missing and unidentified person files, files on persons who pose a threat to officer and public safety, as well as stolen property files.
All state and local agencies participating in the NCIC 2000 System are required to adhere to the security guidelines found in the FBI/CJIS Security Policy 5.1.
The NCIC 2000 System stores vast amounts of criminal justice information which can be instantly retrieved by and/or furnished to any authorized agency, and it is a virtually uninterrupted operation 24 hours a day, 7 days a week.
Types of queries
NCIC Stats
In January 1967, when NCIC became operational, it included five files, which contained 356,784 records. In its first year of operation, NCIC processed approximately 2.4 million transactions, or an average of 5,479 transactions daily. Last year NCIC processed 2.4 billion transactions. Recently, NCIC experienced a new one-day record of 8.6 million transactions. Presently, NCIC contains 19 files with over 15 million records, of which nearly 1.7 million are in the wanted persons file. NCIC services more than 90,000 user agencies and averages 7.5 million transactions per day. Currently, on average, South Carolina performs 350,000+ transactions per day.
The local/regional computer availability goal shall be 100 percent, with 96 percent as the minimum.
Equipment and/or technological incompatibility shall not be sufficient justification for any agency to operate outside of the normal CSA configuration.
The data stored in the NCIC 2000 System and the III File are documented criminal justice information and must be protected to ensure correct, legal, and efficient dissemination and use. It is incumbent upon an agency operating an NCIC 2000 infrastructure to implement the necessary procedures to make that component secure from any unauthorized use. Any departure from this responsibility warrants the removal of the offending component from further NCIC 2000 participation.
Throughout the last several years, there have been significant changes in the CJIS community's telecommunications and systems architecture. As a result of technological advances, the FBI Director authorized a security management structure to specifically address technical security controls, policy revision, oversight, training, and security incident resolution and notification.
In addition to these changes, a significant number of the larger and more important computer systems in this country have been successfully penetrated by individuals whose reasons ran the gamut from monetary profit to ideological principles. If the National Crime Information Center (NCIC) is going to function efficiently and effectively in today's society, system security must be an omnipresent element of its everyday operation.
Therefore the CJIS Advisory Policy Board (APB) adopted new policies in the areas of identification, authentication, encryption, wireless applications, dial-up access, Internet access, public networks, and firewalls to address security concerns.
A Federal Working Group and several regional Working Groups were established to recommend policy and procedures for the programs administered by the FBI CJIS Division.
These Working Groups are also responsible for the review of operational and technical issues related to the operation of, or policy for, these programs.
The FBI uses hardware and software controls to help ensure System security. However, final responsibility for the maintenance of the security and confidentiality of criminal justice information is shared with the individual agencies participating in the NCIC 2000 System and the IT departments who support those agencies. Further information regarding System security can be obtained from the FBI/CJIS Security Policy 5.1.
Policy Purpose
To provide minimum security requirements associated with the creation, viewing, modification, transmission, dissemination, storage, or destruction of Criminal Justice Information (CJI).
To provide a baseline security policy for local, state, and federal agencies to build their policies upon. (It is the minimum standard a local policy must follow.)
The policy covers roles and responsibilities as well as the 12 areas of compliance.
Roles and Responsibilities – State ISO
SLED will appoint an Information Security Officer (ISO) who has the responsibility to establish and maintain information security policy, assess threats and vulnerabilities, perform risk and control assessments, oversee the governance of security operations, and establish information security training and awareness programs.
Roles and Responsibilities – State CSO
Each state must have a CJIS Security Officer (CSO), assigned by the head of the CJIS Systems Agency (CSA) (SLED), who is responsible for enforcing security policy rules over ALL agencies, users, and devices accessing CJI information via the state CSA (SLED).
Roles and Responsibilities – Local Level
Each local agency accessing Criminal Justice Information (CJI) is required to have a Terminal Agency Coordinator (TAC) and a Local Agency Security Officer (LASO) to oversee that the CJIS Security Policy is being abided by locally. They can be the same person.
Terminal Agency Coordinator (TAC)
The TAC serves as the point of contact at the local agency for matters relating to CJIS information access. A TAC administers CJIS systems programs within the local agency and oversees the agency's compliance with CJIS systems policies.
The TAC is the Agency Coordinator (AC).
AC of the CGA
The AC is a staff member of the CGA who manages agreements and is responsible for the supervision and integrity of the system, and for the training and continuing education of employees as required. (Policy 3.2.7)
Agency Coordinator (AC)
The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, certification testing, and all reports required by NCIC.
The AC shall:
Understand the communications, records capabilities, and needs of the individual who is accessing federal and state records through or because of its relationship with the CGA.
Receive information from the CGA (e.g., system updates) and disseminate it to appropriate individuals.
The AC shall:
Maintain up-to-date records of all employees or contractors who access the system, including name, date of birth, social security number, date fingerprint card(s) submitted, date security clearance issued, and date initially trained, tested, certified or recertified (if applicable).
The AC shall:
Schedule new operators for the certification exam, and schedule certified operators for biennial re-certification testing within thirty (30) days prior to the expiration of certification. Schedule operators for other mandated classes.
The AC shall:
Not permit an untrained/untested or non-certified employee or contractor to access CJI, or systems supporting CJI where access to CJI can be gained.
The AC shall:
Provide completed applicant fingerprint cards on each contractor employee who accesses the system to the CJA (or, where appropriate, the CSA) for criminal background investigation prior to such employee accessing the system.
Local Agency Security Officer (LASO)
The primary Information Security contact between a local law enforcement agency and the CSA.
The LASO actively represents their agency in all matters pertaining to Information Security, disseminates Information Security alerts and other material to their constituents, maintains Information Security documentation (including system configuration data), assists with Information Security audits of hardware and procedures, and keeps the CSA informed as to any Information Security needs and problems.
Roles and Responsibilities – Outsourcing of CJI Administration
The responsibility for the management of the approved security requirements shall remain with the Criminal Justice Agency.
Thus the outsourcing of the state CSO and ISO positions is not allowed.
Thus the outsourcing of the local TAC and LASO positions is not allowed.
Roles and Responsibilities – Local Points of Contact
Local or municipal entities should refer all CJIS Security procedural or technical questions to their local criminal justice agency's TAC or LASO. They are the local point of contact.
If the local TAC or LASO does not have an answer, they can refer to the state CSO for assistance.
Illegal Dissemination of CJI and PII Can Lead to Penalties
Improper access and dissemination of any CJI data, including CHRI, may result in administrative sanctions, termination, and state and federal penalties.
Refer to the S.C. Financial Fraud and Identity Theft Law for more information.
What does the policy cover?
1. Information Exchange Agreements
2. Awareness Training
3. Incident Response
4. Auditing and Accountability
5. Access Control
6. Identification and Authentication
7. Configuration Management
8. Media Protection
9. Physical Protection
10. Systems & Communications Protection and Information Integrity
11. Formal Audits
12. Personnel Security
Information Exchange Agreements – Policy Area 1
Criminal Justice Information requires protection throughout its life, which is why agreements need to be in place between each agency sharing CJI data. These agreements must specify security controls meeting the CJIS Security Policy requirements and must be in place before any CJI can be exchanged.
Agreements should state the policies, standards, sanctions, governance, auditing, services accessed and policy compliance required of the user agency.
CJI exchange includes e-mail, instant messaging, web services, facsimile, hard copy, and the information systems sending, receiving, and storing CJI.
Some Agreement Types
User
Service
Management Control *
Inter-Agency *
CJIS Security Addendum *
Civil Agency User Agreement
Livescan/Latent Fingerprint Sharing
Agreements Required for NCJA
Management Control agreement – grants the criminal justice agency management control over the operations of the non-criminal justice agency as they relate to access to the Law Enforcement Data System network and services.
Required between the CJA and the NCJA which provides services to the CJA (dispatching, record keeping, computer services, etc.).
"Management Control" means the authority to set and enforce: (a) priorities; (b) standards for the selection, supervision and termination of personnel; and (c) policy governing the operation of computers, circuits, and telecommunications terminals used to process, store, or transmit information to, or receive information from, the Law Enforcement Data System.
Agreements Required for NCJA (cont.)
Inter-Agency – agreement between two agencies that states the standards, policy, and access required of the parties:
State CSA to non-criminal justice agency (DSIT)
Local criminal justice agency to non-criminal justice agency (county or city)
Security Addendum:
Criminal Justice Agency & private contractor (each employee)
Non-criminal Justice Agency & private contractor (each employee)
Example: CJA supported by NCJA
SLED is the CSA.
SLED's enterprise extends to Metropolitan PD.
The Metropolitan City IT department performs IT administration of the PD network with some private contractors.
Agreements Needed
CJA user agreement between SLED and Metropolitan PD
Inter-agency agreement between Metropolitan City IT and Metropolitan PD
Management control agreement between Metropolitan PD and Metropolitan City IT
Security Addendum between Metropolitan City IT and private contractors
5.2 Policy Area 2: Security Awareness Training
Security awareness training shall be required before an initial assignment for all personnel who have access to CJI. The CSO/CSA may accept documentation of the completion of security awareness training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.
Security Awareness Training – Policy Area 2
Security awareness training is mandatory for those with roles in the support, administration or general access to criminal justice information.
This includes all criminal justice employees, non-criminal justice employees, contractors, vendors, etc.
The level of training is dependent on the role of the individual – IT support requires the highest level of training.
Security Awareness Training – Policy Area 2
Training must be performed every two years.
The management control criminal justice agency's designated person (TAC, LASO, ISO, CSO, NCIC coordinator) is responsible for coordinating and verifying the completion of this requirement for their respective agency.
Incident Response – Policy Area 3
The information security officer at SLED has been identified as the POC on security-related issues for the CSA and the respective agencies in the state.
The ISO is responsible for ensuring LASOs (local agency security officers) institute the CSA incident response reporting procedures at the local level.
Policy Directive – 5.3
Agencies shall:
(i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
(ii) track, document, and report incidents to appropriate agency officials and/or authorities.
Responsibilities for Incident Response
Agencies, whether criminal justice or non-criminal justice, that are responsible for the administration of criminal justice, dispatching, record keeping, or computer services for CJI are all required to follow the CJIS policy incident reporting requirements.
Four critical tasks must be followed with incidents:
Incident Handling
Collection of evidence
Incident Response training
Incident Monitoring
These procedures may be audited by SLED and/or the FBI during the required technical and policy audits.
Auditing and Accountability – Policy Area 4
Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.
Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.
Logging Events
Policy 5.4 states specific logging requirements:
Specific events must be logged.
The content to log for each event is specified.
Monitoring, analysis and log reporting actions are required.
Logged events must be responded to.
Log retention is 365 days.
Other requirements exist for NCIC, III and CJIS access and information logging.
Access Control – Policy Area 5
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information, and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.
Access control includes physical access in addition to logical access.
User Access Control
Always assign least privilege to accounts.
Use job duties, physical, logical or network location, and date/time restrictions for access.
All employee status changes must be reported and accounts adjusted as required.
Policy guidelines state requirements for annual validation of accounts, logging of access, and handling of inactivity or failed log-in attempts (policy 5.5).
Access Control Recommendations
System administrator access must be tightly regulated.
Only allow remote admin access in emergency situations.
Don't allow remote access for group accounts.
Always provide system notifications or warnings to users logging on.
Use approved mechanisms to control this access (policy 5.5.2.3 and 5.5.2.4).
Security mechanisms must meet FIPS 140-2.
CJI Access Restrictions
CJI access is not allowed from personally owned or public computers.
No CJI over Bluetooth at this time, because Bluetooth is not a FIPS 140-2 approved encryption standard.
CJI over wireless and cellular must be carefully regulated following policy 5.5.7.
Identification and Authentication – Policy Area 6
All users must be properly identified prior to access to any agency information systems or services.
Follow the password policies for all access to the criminal justice infrastructure or network where CJI is transmitted, as listed in 5.6.2.1.
Advanced Authentication
Advanced Authentication (AA) is required when users are accessing CJI information via a network that is not deemed secure by the SLED ISO (policy 5.6.2.2).
Advanced Authentication is the use of additional identifiers on top of login ID and password, which may include PKI, biometrics, smart cards, tokens, software tokens, etc.
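The slides on User Access Control, CJI Access Restrictions and Advanced Authentication list the controls a session must pass; the following Python check is an added illustration of those controls, not SLED or FBI code. The role table, the list of networks the ISO has deemed secure, the time window and the inactivity and failed-login thresholds are assumptions, and every decision produces the kind of per-event audit record policy 5.4 calls for.

```python
"""Access-decision check for a CJI session (added illustration, not SLED or FBI code).
Controls applied: least-privilege roles, device and network restrictions, date/time
window, status changes, annual validation, inactivity, failed log-ins, Advanced
Authentication on non-secure networks, and an audit record for every decision."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed role table: each role gets only the CJI functions its job duties need.
ROLE_PRIVILEGES = {
    "clerk": {"query"},
    "tac": {"query", "enter", "modify"},
}
# Assumed: networks the SLED ISO has deemed secure (no AA required, policy 5.6.2.2).
SECURE_NETWORKS = {"court-lan"}


@dataclass
class Account:
    user_id: str
    role: str
    active: bool                    # set False on termination/separation
    last_validated: datetime        # date of the last annual account validation
    last_login: Optional[datetime]
    failed_logins: int = 0


@dataclass
class AccessRequest:
    account: Account
    action: str
    network: str
    device: str                     # "agency", or "personal"/"public"
    when: datetime
    password_ok: bool
    second_factor_ok: bool          # PKI, token, biometric etc. verified


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    audit_record: Dict = field(default_factory=dict)


def evaluate(req: AccessRequest, hours=(7, 19), max_failed=5,
             inactivity_days=90) -> Decision:
    """Collect every violated control, then build the audit record for the event."""
    acct, reasons = req.account, []
    if not acct.active:
        reasons.append("account disabled after status change")
    if req.device != "agency":
        reasons.append("no CJI access from personally owned or public computers")
    if req.when - acct.last_validated > timedelta(days=365):
        reasons.append("account past annual validation")
    if acct.last_login and req.when - acct.last_login > timedelta(days=inactivity_days):
        reasons.append("account inactive")
    if acct.failed_logins >= max_failed:
        reasons.append("too many failed log-in attempts")
    if not hours[0] <= req.when.hour < hours[1]:
        reasons.append("outside permitted date/time window")
    if req.action not in ROLE_PRIVILEGES.get(acct.role, set()):
        reasons.append(f"role {acct.role!r} lacks {req.action!r} privilege (least privilege)")
    if not req.password_ok:
        reasons.append("password check failed")
    elif req.network not in SECURE_NETWORKS and not req.second_factor_ok:
        reasons.append("Advanced Authentication required on a non-secure network")
    allowed = not reasons
    record = {  # content logged for each access event, allowed or denied
        "timestamp": req.when.isoformat(), "user_id": acct.user_id,
        "action": req.action, "network": req.network, "device": req.device,
        "outcome": "ALLOW" if allowed else "DENY", "reasons": list(reasons),
    }
    return Decision(allowed, reasons, record)


def sample_decisions() -> Dict[str, Decision]:
    """Constructed sample accounts and requests (not real users) exercising each control."""
    t = datetime(2012, 8, 24, 10, 30)
    clerk = Account("clerk01", "clerk", True, t - timedelta(days=30), t - timedelta(days=1))
    former = Account("clerk02", "clerk", False, t - timedelta(days=30), t - timedelta(days=1))

    def make(acct, action, net, dev, when=t, aa=False):
        return AccessRequest(acct, action, net, dev, when, True, aa)

    return {
        "lan_query": evaluate(make(clerk, "query", "court-lan", "agency")),
        "remote_no_aa": evaluate(make(clerk, "query", "home-isp", "agency")),
        "remote_with_aa": evaluate(make(clerk, "query", "home-isp", "agency", aa=True)),
        "clerk_modify": evaluate(make(clerk, "modify", "court-lan", "agency")),
        "terminated": evaluate(make(former, "query", "court-lan", "agency")),
        "public_pc": evaluate(make(clerk, "query", "court-lan", "public")),
        "after_hours": evaluate(make(clerk, "query", "court-lan", "agency", t.replace(hour=22))),
    }
```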
Configuration Management – Policy Area 7
The goal is to allow only qualified and authorized individuals access to information system components for the purpose of initiating changes, including upgrades and modifications.
Thus agencies must restrict who has configuration management permissions.
Configuration Management Requirements
Agencies must provide a detailed network topology diagram to the SLED ISO any time a network change is proposed or a network change has occurred.
Agencies must protect all system configuration documentation from unauthorized access.
Media Protection – Policy Area 8
Procedures must be defined for securely handling, transporting, and storing media, both electronic and physical.
Procedures must also be in place for the sanitization and disposal of electronic and physical media that meet policy.
All entities accessing CJI media must be vetted, authorized personnel.
Specific policies are in policy 5.8.
Physical Protection – Policy Area 9
All CJI and associated information systems must be in a physically secure location.
This can be a facility, area, room or group of rooms with the controls described in 5.9.1.1 – 5.9.1.9.
Personnel security for access to the area must follow policy area 12.
The location is subject to the management control of the CJA and must follow all criminal justice policies.
Physical Protection
A security perimeter should be established and posted as such.
A list of authorized personnel with access must be maintained.
All physical access points to the secure area must be controlled.
All physical access to the IT systems and transmission lines shall be controlled.
Displayed information must not be viewable from outside this controlled area, to prevent unauthorized viewing.
Visitor Control
Visitors must be authenticated before escorted access is authorized.
Access records shall be maintained following the policy requirements in 5.9.1.8.
Items entering and exiting the area shall be controlled and authorized.
Non-criminal justice agencies or contractors must follow these procedures to report incidents to the LASO at the criminal justice agency they support. (Who signed the management control agreement?)
The criminal justice agency LASO will report these incidents to the SLED ISO, who will in turn communicate the details to the FBI CJIS ISO.
Systems & Communications Protection and Information Integrity – Policy Area 10
Examples range from boundary and transmission protection to securing virtual environments.
Information flow enforcement between interconnected systems shall be controlled.
Information Flow
Information flow enforcement regulates where information is allowed to travel within the IT system and between IT systems.
CJI cannot be transmitted unencrypted across the public network.
Outside traffic that claims to be from the agency must be blocked.
Web requests to the public network that do not come from an internal web proxy should not be passed.
Layers of Protection
CJI systems shall provide boundary protection as established in policy 5.10.1.1.
Encryption standards must be met (policy 5.10.1.2); SLED has an additional requirement for encryption: AES 256.
Intrusion detection/prevention tools shall be in place following policy 5.10.1.3.
VoIP and facsimile policies shall also be implemented per policy 5.10.1.4.
Information Technology Security
IT security is hardware and/or software used to assure the integrity and protection of information and the means of processing it.
Many criminal justice data systems and networks are interconnected to one another and to the Internet.
As such, those systems and networks are vulnerable to exploitation by unauthorized individuals.
Partitioning
Specific controls must be in place to use this technology with criminal justice information and processing.
The application, service, or system shall:
Separate user functionality (including UI services) from information system management.
Separate UI services from information storage and management services, either physically or logically. Guidelines for achieving this are specified in 5.10.3.1.
Virtualization
All security controls in the policy apply to virtualization.
Additional controls exist in policy 5.10.3.2:
Isolate the host from the virtual machines.
Maintain audit logs for all virtual hosts and machines (store these outside of the virtual environment).
Physically separate Internet-facing virtual machines from virtual machines that process CJI.
Critical device drivers shall be contained in a separate guest.
Virtualization
Additional technical security controls are suggested. These include:
Encrypt network traffic between virtual machine and host.
Implement IDS and IPS within the virtual machine environment.
Virtually firewall each virtual machine from each other, or physically firewall each with an application-layer firewall controlling protocols.
Segregate the administrative duties for the host.
System & Information Integrity
The agency shall develop and implement a local policy for installing relevant security patches, service packs and hot fixes.
The policy must include items and procedures (policy 5.10.4.1) for installing these 'fixes'.
Malicious code, spam and firewall protection must be implemented following policy 5.10.4.2 – 5.10.4.3.
Formal Audits – Policy Area 11
Formal audits are conducted on IT services, secure areas, personnel and policies by SLED and the FBI.
Regular audits are triennial but can be conducted more frequently.
The FBI has the authority to conduct unannounced security inspections and scheduled audits of the facilities.
All agencies, CJA and NCJA, are subject to the audit requirements and inspections.
Responses to audit findings must be addressed in a manner accepted by the CJA, SLED and the FBI.
Failure to correct deficiencies will result in sanctions.
Personnel Security – Policy Area 12
All personnel who have access to unencrypted criminal justice information (CJI), including those with only physical or logical access, must be screened.
All requests for access must be cleared by the CJA that maintains management control. The TAC or LASO is the point of contact for these requests.
Background Checks
Notification of subsequent arrests and/or convictions for those who have access must be sent to the CSO to determine if access should be continued.
Support personnel, contractors, custodial workers, and others with access to physically secure or controlled locations shall be subject to these regulations unless escorted by an authorized person at all times.
Personnel Screening for Contractors and Vendors
In addition to the requirements in policy 5.12.1.1, the following items are in place:
The contracting government agency (CGA) shall coordinate the background check, prior to granting access, with the criminal justice agency that has management control.
If a record of any kind is found, the CGA will be notified and access is delayed pending a review by the CJA. The CGA must notify the contractor-appointed security officer.
All felony convictions are disqualifications for access.
Arrest warrants are disqualifications for access.
The CGA shall maintain a list of personnel who have been authorized for access and shall provide a current list to the CSO when requested.
The CGA can request that the CSO review any denials.
Maintenance After Granting Physical or Logical Access
Upon termination or separation, the individual's access shall immediately be terminated.
Reassignments or transfers shall result in actions such as closing and establishing new accounts and changing system access authorizations.
A formal sanctions process for failure to comply with established information security policies and procedures shall be documented, distributed and enforced. This should be available during an audit.
Background Checks
A state-of-residency and national fingerprint background check is required for unescorted access AND for all personnel who have direct access to CJI and all those who have IT responsibility.
Any felony conviction will result in access being denied.
If a record of any kind exists, access cannot be granted until the CSO (SLED) reviews and determines whether access is appropriate.
System & Information Integrity
Any mobile device by design (laptops, handhelds, PDAs, etc.) must employ personal firewall protection.
A minimum list of activities performed by the personal firewall is given in policy 5.10.4.4:
Manage program access to the Internet
Block unsolicited requests to connect to the device
Filter incoming traffic by IP, protocol or destination port
Maintain an IP traffic log
Security alerts and advisories must be received by the agency, and policies must be in place for handling the information (policy 5.10.4.5).
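The personal firewall minimum list above and the Information Flow rules from Policy Area 10 (block outside traffic claiming an agency address, pass web requests to the public network only from the internal proxy, no unencrypted CJI across the public network) describe the same kind of filtering; the following Python rule check is an added illustration of both, not SLED or FBI code. The agency address range, proxy address, the cleartext CJI port and the program allow-list are assumptions, and the packets it processes are constructed using documentation addresses.

```python
"""Boundary and personal-firewall rule check (added illustration, not SLED or FBI code).
Rules: drop inbound packets with a spoofed agency source; accept inbound only as
replies to allowed outbound flows (no unsolicited connections); manage which programs
may reach the Internet; block cleartext CJI to the public network; allow web requests
to the public network only from the internal proxy; keep an IP traffic log."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

AGENCY_NET = ip_network("10.50.0.0/16")      # assumed agency address space
WEB_PROXY = ip_address("10.50.1.10")         # assumed internal web proxy
WEB_PORTS = {80, 443}
CLEARTEXT_CJI_PORTS = {5000}                 # assumed cleartext CJI application port
INTERNET_PROGRAMS = {"web-proxy", "cjis-vpn-client"}   # assumed program allow-list


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the public network, "out" = leaving
    src: IPv4Address
    dst: IPv4Address
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    program: Optional[str] = None   # known only to a host's own personal firewall


Flow = Tuple[str, IPv4Address, IPv4Address, int, int]   # proto, src, dst, sport, dport


class Firewall:
    def __init__(self) -> None:
        self.flows: Set[Flow] = set()     # outbound connections already allowed
        self.log: List[Dict] = []         # the IP traffic log

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); rules are checked in the order listed."""
        if p.direction == "in":
            if p.src in AGENCY_NET:
                return "DROP", "outside traffic claiming an agency address"
            if (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows:
                return "ACCEPT", "reply to an established outbound flow"
            return "DROP", "unsolicited inbound connection"
        if p.dst in AGENCY_NET:
            return "ACCEPT", "internal traffic"
        if p.program is not None and p.program not in INTERNET_PROGRAMS:
            return "DROP", "program not permitted Internet access"
        if p.dport in CLEARTEXT_CJI_PORTS:
            return "DROP", "CJI may not cross the public network unencrypted"
        if p.dport in WEB_PORTS and p.src != WEB_PROXY:
            return "DROP", "web requests must come from the internal web proxy"
        return "ACCEPT", "permitted outbound traffic"

    def process(self, p: Packet) -> str:
        verdict, reason = self.decide(p)
        if verdict == "ACCEPT" and p.direction == "out":
            self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
        self.log.append({"direction": p.direction, "src": str(p.src), "dst": str(p.dst),
                         "proto": p.proto, "dport": p.dport, "verdict": verdict,
                         "reason": reason})
        return verdict


def sample_traffic() -> List[Dict]:
    """Run constructed packets (documentation addresses, not real hosts) through the rules."""
    fw = Firewall()
    ws = ip_address("10.50.3.7")           # an agency workstation
    pub = ip_address("203.0.113.5")        # a public web server
    vpn = ip_address("198.51.100.20")      # the agency's VPN concentrator
    packets = [
        Packet("out", WEB_PROXY, pub, "tcp", 40001, 443, "web-proxy"),   # ACCEPT
        Packet("in", pub, WEB_PROXY, "tcp", 443, 40001),                  # ACCEPT (reply)
        Packet("out", ws, pub, "tcp", 40002, 443, "browser"),             # DROP: program
        Packet("out", ws, pub, "tcp", 40003, 443),                        # DROP: not via proxy
        Packet("out", ws, pub, "tcp", 40004, 5000),                       # DROP: cleartext CJI
        Packet("in", ip_address("10.50.9.9"), ws, "tcp", 5555, 445),      # DROP: spoofed source
        Packet("in", pub, ws, "tcp", 5555, 3389),                         # DROP: unsolicited
        Packet("out", ws, vpn, "udp", 4500, 4500, "cjis-vpn-client"),     # ACCEPT
    ]
    for p in packets:
        fw.process(p)
    return fw.log
```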
Information Technology Security
A vulnerability is a condition or weakness in (or the absence of):
Security procedures
Technical controls
Physical controls
Other controls that could be exploited by a threat.
Information Technology Security
All systems and networks have vulnerabilities.
The goal of security is to minimize those vulnerabilities.
Vulnerabilities include, but are not limited to, physical, natural, hardware and software.
Information Technology Security
Vulnerability Examples
Physical: the placement of a computer in a non-secure location.
Natural: a server connected to a power source without a surge protector or backup power supply.
Hardware: a connection to the Internet without a firewall.
Software: not updating the computer operating system when updates are issued.
Information Technology Security
Security Points of Contact
Identify who is using the hardware/software and ensure that no unauthorized users have access to the same.
Identify and document how the equipment is connected to the state system.
Ensure that personnel security screening procedures are being followed as stated in the CJIS Security Policy.
Information Technology Security
Ensure that appropriate hardware security measures are in place.
Support policy compliance and keep the state ISO informed of security incidents.
Remember
The local agency may complement the CJIS Security Policy with a local policy, or the agency may develop its own stand-alone security policy; however, the CJIS Security Policy shall always be the minimum standard. Local policy may augment or increase the standards, but shall not detract from the CJIS Security Policy standards.
Remember
This Policy governs the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, and availability of service needed by the criminal justice community.
Remember
Responsibility for the management control of network security shall remain with the CJA. Management control of network security includes the authority to enforce the standards for the selection, supervision, and separation of personnel who have access to CJI; to set and enforce policy governing the operation of circuits and network equipment used to transmit CJIS data; and to guarantee the priority service as determined by the criminal justice community.
Remember
Private contractors who perform criminal justice functions shall meet all policies for training and certification criteria required of governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.
Additional screening requirements exist in the security policy 5.1.
Remember
All private contractors who perform criminal justice functions shall acknowledge, via signing of the Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.
Agreements
User Agreements – state the policy, standards, sanctions, governance, auditing, services accessed and policy compliance required of the user agency.
Agreements Needed
CJA user agreement between SLED and the court agency
Inter-agency agreement between Metropolitan City IT and the Metropolitan court agency
Management control agreement between the Metropolitan court agency and Metropolitan City IT
Security Addendum between Metropolitan City IT and private contractors (TAC needs copies)
Contacts and Steps to Gain Access
Contact the CSO office in writing requesting access to NCIC data.
Once received, the CSO office will forward this request to the FBI for an NCIC ORI assignment. Any court that hears civil cases only (with the exception of domestic violence and stalking cases) does not qualify for an NCIC 2000 ORI assignment.
The contact person for the CSO office is Millie Galloway at [email protected] or 803-896-7142.
Contacts and Steps to Gain Access
When the ORI has been established, the CSO office will send an Information Exchange Agreement to the court.
Complete security addendums between the agency and the IT vendor.
The court will perform the TAC/LASO assignment.
Security Awareness Training is performed for all individuals.
Contacts and Steps to Gain Access
Complete fingerprint checks on all individuals.
Complete the state-of-residency check on all individuals.
Once those checks have been performed, the court will send the completed Site Survey and Topology for approval.