Security awareness training is not a substitute for the LEADS Security Policy.

Transcription

1 Revised 4/2014

2 This training will discuss some of the duties of the Terminal Agency Coordinator (TAC), Local Agency Security Officer (LASO) and provide basic security awareness training. Security awareness training is intended to provide LEADS users information on the threats and risks associated with criminal justice information and basic methods to mitigate these risks. Security awareness training is required within six months of employment and every two years thereafter for all personnel who access LEADS data. This also includes IT personnel with access to systems that transmit, store, or process criminal justice information.

3 Security awareness training is not a substitute for the LEADS Security Policy. LEADS users and IT staff working with equipment that transmits, processes, or stores LEADS data shall follow all requirements outlined in the Security Policy. The Security Policy can be downloaded from the following link on terminals with access to the LEADS network:

4 Computerized Criminal History (CCH) - Is a Ohio fingerprint central repository for arrest, conviction, and disposition data on adults and juveniles arrested for felony and gross misdemeanor offenses. It is frequently used during mandated background checks on individuals seeking employment or licensing for various employed and volunteer positions. Criminal Justice Information (CJI) - The abstract term used to refer to all LEADS provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to, biometric, identity history, biographic, property, and case/incident data. Law Enforcement Automated Data System (LEADS) - Serves as the electronic communication network for Ohio s criminal justice communities and the gateway to NCIC.

5 National Crime Information Center (NCIC) - A computerized index of open warrants, arrests, stolen property, missing persons, and dispositions regarding felonies and serious misdemeanors. III ( Triple-eye for short) is the Interstate Identification Index. III is national index that holds the (Federal Bureau of Investigation) FBI s (Record of Arrest and Prosecution) RAP sheet that contains information reported by local, state and federal law enforcement agencies across the county. Requests associated to a record housed in a particular state are directed to the originating State as needed.

6 International Justice and Public Safety Network (NLETS) (formerly known as the National Law Enforcement Telecommunications System) links together state, local, and federal law enforcement, criminal justice and public safety agencies for the purpose of exchanging information to support law enforcement. Information from each state s criminal records, driver records, vehicle registration records, INTERPOL, Immigrations and Customs Enforcement (ICE), License Plate Reader (LPR) records, and national Amber Alerts. Phishing The practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack.

7 The TAC does not have to be a technical person, but will need to be able to work with system administrators and vendors to obtain required information. Appointed by each terminal agency administrator. Directly responsible to the agency administrator for the operation and security of LEADS. Serves as a point of contact for the State ISO and all LEADS staff.

8 Understand how computer systems at the agency are connected to LEADS and assist in maintaining network topology documentation. Submit updated diagrams and documentation for approval prior to making any significant changes to the network topology (adding a new system, external network connection, etc.). Maintain a record of any maintenance on systems by non-agency personnel. Log the name of the technician and the company doing the work, as well as the time they start and finish.

9 Ensure all personnel with access to LEADS systems and data are provided security awareness training. Training must be completed biennially and a record of training must be maintained. For the minimum topics to be covered, please refer to the LEADS Security Policy (section 5.2.1). Ensure only authorized personnel have access to LEADS systems. Personnel who do not have a fingerprint-based background check on file are considered unauthorized and required to be escorted by authorized personnel at all times. Ensure all LEADS equipment and terminals are located in a secure room with limited access.

10 Report all suspected security incidents to LEADS Control at to initiate contact with the State Information Security Officer (ISO). Types of incidents that should be reported include: Theft or intentional damage of LEADS equipment Hacking incidents Virus or malware infections Any other situation that could threaten LEADS Violations of LEADS Administrative Rules and instances of misuse shall be reported to the LEADS Administrative staff at (614)

11 Ensure LEADS Security Policy compliance at the local agency in partnership with the State ISO. Develop a Computer Use and Security Policy. Develop a Media Protection Policy. Develop a Remote Access and Internet Use Policy (if applicable to your agency s operation). Develop an agency Business Continuity/Disaster Recovery Plan. TAC Officers will need agency administrator support with these tasks.

12 In addition to the TAC, each agency with LEADS access shall appoint a LASO. The LASO and the TAC can be the same person. Collaborate with the TAC to report all suspected security incidents to LEADS Control at to initiate contact with the State ISO.

13 Identify who is using the LEADS approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same. Identify and document how equipment is connected to LEADS. Ensure that personnel security screening procedures are being followed as stated in the LEADS Security Policy. Ensure the approved and appropriate security measures are in place and working as expected.

14 State ISO TAC LASO

15 A technical security inspection will be conducted a minimum of once every three years by a member of the LEADS Security staff. Technical security inspections are done on-site and can take one to three hours, depending on the complexity and size of the agency s network. The TAC and LASO are required to be present during the inspection.

16 Agencies scheduled for technical security inspections will receive a Pre-Audit Questionnaire that shall be returned, along with a current network diagram, prior to the inspection date. Please make arrangements for a vendor/it person to be available if you are unable to answer technical questions about your systems or policies.

17 A progressive sanction process has been established to enforce the LEADS Administrative Rules and Security Policy. Agencies found to be out of compliance with the rules and/or policy may be subject to the sanction process. For more information on the progressive sanction process, please refer to the Ohio Revised Code 4501:

18 Criminal Justice Information (CJI) includes any and all data that is transmitted or received through the LEADS. The system configuration often contains sensitive details (descriptions of applications, processes, procedures, data structures, authorization processes, data flow, etc.) Agencies shall protect system documentation from unauthorized access consistent with provisions described in Section Access Control in the LEADS Security Policy.

19 Ensure the computer system is protected with a strong password. Ensure the computer is up-to-date with patches (operating system, applications, anti-virus, and antimalware). Practice smart internet habits when browsing. Be selective of the sites you visit and check the security level of web pages that require you to enter personal information.

20 When entering personal information on a website, verify the website is encrypted (i.e. - uses HTTPS). Systems processing, storing, transmitting CJI are required to be located in a physically secure area. Users shall be given the least amount of privileges required on systems accessing and/or containing CJI. Employ segregation of duties - the concept of having more than one person required to complete a task. This ensures that no single person is in a position to introduce fraudulent or malicious code/data without detection.

21 LEADS printouts contain CJI. The following shall apply when dealing with printed LEADS data: Make printouts unreadable prior to disposal. Before exchanging LEADS data, agencies must have formal agreements in place that specify security controls. Do not , transport or store LEADS information on electronic media unless it is encrypted.

22 The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media. When hard drives, tape cartridges, USB drives, hard copies, print-outs, and other similar items are no longer needed - all media must be destroyed by shredding, burning, or any other method that renders the data unreadable. The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be destroyed (cut up, shredded, crushed, etc.). Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel.

23 Smartphones and tablets are examples of handheld devices. Some of the threats to these types of devices are: Loss, theft, or disposal Unauthorized access Malware Spam Electronic eavesdropping Electronic tracking (threat to security of data and safety of law enforcement officer) Cloning (not as prevalent with later generation cellular technologies)

24 To help mitigate the risks to handheld devices, agencies shall at a minimum: Apply available critical patches and upgrades to the operating system Configure for local device authentication Use advanced authentication Encrypt all CJI that resides on the device Erase cached information when sessions are terminated Employ personal firewall software Employ antivirus software

25 Strong passwords are required for all users accessing LEADS systems. Strong passwords are created by using the following guidelines: Contain a minimum of 8 characters Include characters from the following categories: Letters (upper and lower case) Numbers Special Characters Make the password appear to be a random sequence of letters, numbers, and special characters. Dictionary words, proper names or the user ID shall not be used.

26 Ensure all passwords changes are in accordance with Section of the LEADS Security Policy. Passwords should be changed frequently. LEADS requires users to change passwords every 60 days. Do not reuse old passwords. LEADS prohibits reuse of the previous 10 passwords. Passwords shall never be shared or written down.

27 The LEADS network is protected by Cisco Clean Access (CCA). CCA helps ensure LEADS terminals are kept upto-date and in compliance with the Security Policy. Systems are scanned to ensure critical Windows security patches are installed and up-to-date anti-virus software is running upon each login. CCA login sessions expire every seven days so systems can be scanned. Clients must re-authenticate when prompted to maintain connectivity to the secure criminal justice network.

28 Anti-virus software is used to identify and remove computer viruses, spyware, and malware. Most modern anti-virus software can protect against a wide range of worms, rootkits and trojans. All systems with LEADS connectivity are required to employ up-to-date virus protection software.

29 System is slow, freezes or crashes. Unusual error messages are displayed. Excessive uncommanded disk drive activity. Applications don t operate properly. Multiple pop-ups windows appear on the screen.

30 When CJI is transported or at rest (stored electronically) outside of the physically secure location it shall be protected via cryptographic mechanisms (encryption). When encryption is employed, the cryptographic module used shall be certified to meet FIPS standards.

31 Windows Update is a service provided by Microsoft that provides updates for the Microsoft Windows operating system. Security updates are delivered on the second Tuesday of each month (a.k.a. Patch Tuesday). Windows Update can be configured to install updates automatically, ensuring a computer is up-to-date and not vulnerable to known computer worms and malware. All computers are required to be kept up-to-date with the latest security patches and service packs.

32 Social Engineering is the act of exploiting a human user to gain access to restricted systems and information (e.g. - Phishing). Use the following guidelines to prevent being a victim of social engineering: Verify identity of requestors. Be cautious when providing information via or over the phone. Remember, an er/caller may not be entitled to the information but may try to fool you by using lingo and buzz words. Do not share information with persons outside the criminal justice community - such as friends, family, acquaintances, or strangers.

33 Spam is the name given to unsolicited bulk that appears in your inbox. Most spam is advertising from dubious products, getrich-quick schemes, or other attempts to solicit money and/or compromise the computer. Never open unsolicited , attachments, or reply to s from an unknown source.

34 Be aware CJI could be compromised in any of the following ways: Tampering with equipment (server, router, etc.) by employee, vendor or unauthorized person. Theft of laptops, handheld devices, or any other device which is used to access LEADS. Unauthorized remote access. Installing/downloading unauthorized software onto systems and network components. Virus/malware infection. Creation of unauthorized user accounts. Unencrypted transmission of LEADS data over non-criminal justice networks (wireless, county networks, telecom carriers).

35 All devices with access to the LEADS network must have adequate physical security to protect against unauthorized access. LEADS routers, switches, firewalls and interface servers must be located in a locked, limited access room. All visitors and vendors must be accompanied by authorized personnel at all times when accessing secure areas. LEADS terminals must be physically positioned so unauthorized persons are unable to view the screen and must employ session lock mechanisms after a maximum of 30 minutes of inactivity (does not apply to dispatch terminals).

36 A personally owned information system shall not be authorized to access, process, store, or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage.

37 Any system that accesses CJI shall display an approved system use notification message that contains the following information: The user is accessing a restricted information system. System usage may be monitored, recorded, and is subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties. Use of the system indicates consent to monitoring and recording.

38 If you become aware of any policy violation or a situation where LEADS data has been compromised, immediately contact LEADS Control at and begin gathering information for the Computer Incident Report Form (LEADS Security Policy Appendix E). Depending on the severity of the incident, LEADS Control will direct you to LEADS Security staff or the State ISO.

39 You are the key to security, it begins with you. All users are responsible for adherence to the requirements documented in the LEADS Security Policy. Please refer to the Security Policy or contact LEADS Control at with any questions regarding proper operation or security of computer systems.