CA Technologies Solutions for Criminal Justice Information Security Compliance

Transcription

1 WHITE PAPER OCTOBER 2014 CA Technologies Solutions for Criminal Justice Information Security Compliance William Harrod Advisor, Public Sector Cyber-Security Strategy

2 2 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Table of Contents Executive Summary 3 Section 1: 4 Criminal Justice Information Security Compliance Section 2: 5 CJIS Security Policy Requirements Section 3: 6 CJIS Policy Detailed Requirements Section 4: 12 Conclusions

3 3 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Executive Summary Challenge The Criminal Justice Information Services (CJIS) Security Policy includes a number of technical safeguards designed to protect and secure criminal justice information. Compliance with this policy is mandatory for any agencies requiring access to Federal Bureau of Investigation (FBI) CJIS Division systems and information. Opportunity CA Technologies provides a number of solutions that can address key requirements within the CJIS Security Policy and help your agency achieve and maintain compliance going forward. Benefits Agencies with access to FBI CJIS systems and information are subject to formal audits by the FBI and may also be subject to special security inquiries and informal audits when alleged security violations are suspected. CA Technologies provides a comprehensive suite of solutions that can secure access to criminal justice information, enable compliance with FBI security requirements and streamline the audit process going forward.

4 4 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Section 1 Criminal Justice Information Security Compliance The Criminal Justice Information Services (CJIS) Security Policy represents a shared responsibility between the Federal Bureau of Investigation s Criminal Justice Information Services Division, the CJIS Systems Agency (CSA) and State Identification Bureaus (SIB). The purpose of the policy is to establish minimum security requirements to protect and secure various types of criminal justice information, including: Biometric Data data derived from one or more intrinsic physical or behavioral traits of humans typically for the purpose of uniquely identifying individuals from within a population. Used to identify individuals, to include: fingerprints, palm prints, iris scans, and facial recognition data. Identity History Data textual data that corresponds with an individual s biometric data, providing a history of criminal and/or civil events for the identified individual. Biographic Data information about individuals associated with a unique case, and not necessarily connected to identity data. Biographic data does not provide a history of an individual, only information related to a unique case. Property Data information about vehicles and property associated with a crime. Case/Incident History information about the history of criminal incidents.

5 5 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Section 2 CJIS Security Policy Requirements The CJIS Security Policy outlines a number of administrative, procedural and technical controls agencies must have in place to protect criminal justice information. Our experience is that agencies will generally have many of the administrative and procedural controls already in place, but will need to implement additional technical safeguards in order to be in complete compliance with the mandate. CA Technologies provides a number of security solutions to address the more technical requirements described in this policy, as highlighted in the figure below: Policy Area 1 Policy Area 2 Policy Area 3 Policy Requirement Information Exchange Agreements Security Awareness Training Incident Response CA Technologies Facilitates Compliance Policy Area 4 Auditing and Accountability 4 Policy Area 5 Access Control 4 Policy Area 6 Identification and Authentication 4 Policy Area 7 Configuration Management 4 Policy Area 8 Policy Area 9 Policy Area 10 Policy Area 11 Media Protection Physical Protection Systems and Communications Protection and Information Integrity 4 Formal Audits Policy Area 12 Personnel Security 4

6 6 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Section 3 CJIS Policy Detailed Requirements Policy Area 4: Auditing and Accountability Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior Auditable Events and Content (Information Systems) The agency s information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The following events shall be logged: Successful and unsuccessful system log-on attempts Successful and unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resource Successful and unsuccessful attempts to change account passwords Successful and unsuccessful actions by privileged accounts Successful and unsuccessful attempts for users to access, modify, or destroy the audit log file All CA Technologies security solutions from our web-based single sign-on and strong authentication solutions to our host-based and virtualization access control solutions generate secure, detailed audit records. The specific events defined within CJIS security policy will need to be collected potentially across a variety of platforms, as well as at different layers where users may potentially access data (application, database, operating system, etc.). Can aggregate and correlate these events in a single location for compliance monitoring and reporting Audit Monitoring, Analysis, and Reporting The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/ analysis shall be conducted at a minimum once a week. While the review of audit logs is primarily a procedural control, CA Privileged Identity Suite can be used to schedule the weekly reports for review and sign-off by designated individuals Protection of Audit Information The agency s information system shall protect audit information and audit tools from modification, deletion and unauthorized access. Audit logs both collected and generated by CA Privileged Identity Suite are a protected resource. They cannot be modified, moved or removed by users on the system, even those with privileged (root, administrator) access.

7 7 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Policy Area 5: Access Control Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information Account Management The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The agency shall validate information system accounts at least annually and shall document the validation process. The validation and documentation of accounts can be delegated to local agencies. The CA Technologies suite of security products is uniquely focused on identity and access management and data governance. We have a number of solutions, including our CA Identity Manager product that is designed to address common account management issues, including automated provisioning, deprovisioning, selfservice and delegation. CA Identity Governance works in conjunction with CA Identity Manager or on a stand-alone basis to help ensure that roles are properly established within your organization. CA Identity Governance also provides a robust entitlement review capability that is commonly used to automate the account validation process and provide documentation and support for compliance objectives such as CJIS Access Enforcement Access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Access control policies (e.g., identity-based policies, role-based policies, rulebased policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. Agencies shall control access to CJI based on one or more of the following: Job assignment or function (i.e., the role) of the user seeking access Physical location Logical location Network addresses (e.g., users from sites within a given agency may be permitted greater access than those from outside) Time-of-day and day-of-week/month restrictions CA Privileged Identity Suite is a host-based access control solution that is commonly used in high-security environments to control privileged user access. With broad platform support and deep kernel integration, CA Privileged Identity Suite serves as a central policy enforcement point to manage and scope what privileged users can do and access on your critical systems. With CA Privileged Identity Suite, complex granular rules can be created to protect critical resources and govern who and how those resources are accessed. These rules can incorporate many of the criteria outlined in the CJIS Security Policy. With additional integrations from our web and strong authentication solutions (CA Single Sign-On [CA SSO] and CA Strong Authentication) we can support and enforce any combination of CJIS rules to create a comprehensive access enforcement capability.

8 8 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Unsuccessful Login Attempts Where technically feasible, the system shall enforce a limit of no more than five consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock the account/ node for a 10 minute time period unless released by an administrator. Depending on whether the user is accessing a web-based application or attempting to sign onto a server or workstation, CA Technologies can address this requirement: Web-based resources CA SSO provides a central mechanism to enforce account policies, including lockout policy and duration for your web-based applications. Host-based resources CA Privileged Identity Suite provides a central mechanism to enforce account policies, including lockout policy and duration for your servers System Use Notification The information system shall display an approved system use notification message, before granting access, informing potential users of various usages and monitoring rules. System use notifications can be configured within CA SSO Session Lock The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures. Session Locks can be established with CA SSO for web-based resources and CA Privileged Identity Suite for direct server access Remote Access The agency shall authorize, monitor, and control all methods of remote access to the information system. Remote access is any temporary access to an agency s information system by a user (or an information system) communicating temporarily through an external, nonagency-controlled network (e.g., the Internet). Depending on whether the user is accessing a web-based application or attempting to sign onto a server or workstation, CA Technologies can address this requirement: Web-based resources: CA SSO, CA Strong Authentication and CA Risk Authentication work together to help manage and protect remote access to critical web based resources. We have the ability to detect not only who is attempting to access resources remotely, but also from where and how (home computer, iphone, tablet device, etc.). Our unique profiling capability is able to identify suspicious remote activity based on a variety of variables and dynamically adjust access control requirements based on the perceived risk of that transaction. Host-based resources: CA Privileged Identity Suite can create and enforce central policies to prevent users from logging into servers remotely (non-agency-controlled network).

9 9 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Policy Area 6: Identification and Authentication The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services Identification Policy and Procedures Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of a full name, badge number, serial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be kept current by adding new users and disabling and/or deleting former users. CA Identity Governance can help your organization evaluate existing accounts for signs of security issues (use of shared id s, orphan accounts, etc.) and create a rolebased access model that will support CJIS compliance objectives going forward. CA Identity Manager can automate the provisioning of accounts based on your organization s particular authorization process (e.g. background checks, etc.). In addition, CA Identity Manager also provides segregation of duties enforcement, account self-service and delegation capabilities, as well as automated synchronization with authoritative user stores (HR databases, etc.) Authentication Policy and Procedures Each individual s identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency s audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of all message-based sessions between the FBI CJIS Division and its customer agencies but will not further authenticate the user nor capture the unique identifier for the originating operator because this function is performed at the local agency, CSA, SIB or Channeler level. Agencies shall follow the secure password attributes, below, to authenticate an individual s unique ID. Passwords shall: Be a minimum length of eight (8) characters on all systems Not be a dictionary word or proper name Not be the same as the Userid Expire within a maximum of 90 calendar days Not be identical to the previous ten (10) passwords Not be transmitted in the clear outside the secure location Not be displayed when entered CA SSO, CA Strong Authentication and CA Risk Authentication work together to provide a comprehensive authentication infrastructure that supports standards-based identity federation between and amongst various member agencies. We fully support the password complexity requirements defined in the CJIS Security Policy and also provide the most advanced, risk-based authentication capabilities on the market, including device-forensics, pattern analysis, support for knowledge based authentication (KBA) and more. The CJIS Security Policy mandates that Advanced Authentication be used to verify user access in certain conditions. Methods cited in the policy include biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or Risk-based Authentication that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

10 10 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Policy Area 7: Configuration Management Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications Least Functionality The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/ or restrict the use of specified functions, ports, protocols, and/or services. CA Privileged Identity Suite restricts access to critical systems resources, including ports, protocols and services. Configuration changes can be managed through CA Privileged Identity Suite s password vaulting capabilities, which provide a controlled method for privileged users to access systems and make authorized changes to the environment. In virtualized environments, CA Privileged Identity Suite can also monitor host configurations for unauthorized changes and automates the remediation of configuration drift. Policy Area 10: System and Communication Protection and Information Integrity Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency s virtualized environment. In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information Information Flow The network infrastructure shall control the flow of information between interconnected systems. The CJIS Security Policy requires that a number of controls be placed at the boundary to protect criminal justice information. CA Data Protection provides a network boundary appliance that can detect leakage of criminal justice information or prevent that information from being transmitted unencrypted across the internal network.

11 11 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com # Requirement Partitioning and Virtualization Virtualized environments are authorized for criminal justice and non-criminal justice activities. In addition to the security controls described in this policy, the following additional controls shall be implemented in a virtual environment: Isolate the host from the virtual machine. In other words, virtual machine users cannot access host files, firmware, etc. Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts virtual environment. Virtual Machines that are Internet facing (web servers, portal servers, etc.) shall be physically separate from Virtual Machines that process CJI internally. Device drivers that are critical shall be contained within a separate guest. The following are additional technical security control best practices and should be implemented wherever feasible: Encrypt network traffic between the virtual machine and host. Implement IDS and IPS monitoring within the virtual machine environment. Virtually firewall each virtual machine from each other (or physically firewall each virtual machine from each other with an application layer firewall) and ensure that only allowed protocols will transact. Segregate the administrative duties for the host. CA Technologies Solution CA Privileged Identity Suite for Virtual Environments provides fine grained access controls and host hardening capabilities for your virtual infrastructure. While CA Privileged Identity Suite does not provide encryption or intrusion detection capabilities, it does handle all of the other CJIS virtualization requirements, including host-vm isolation, enhanced auditing and logging capabilities, virtual firewalling and segregation of duties/privileged access control. Policy Area 12: Personnel Termination Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section s security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI Personnel Termination The agency, upon termination of individual employment, shall immediately terminate access to CJI. While the CJIS Security Policy suggests this requirement may be satisfied by procedural controls, CA Identity Manager can automate this process so that user access to CJI systems and data is automatically deprovisioned when users are terminated.

12 12 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE ca.com Section 4: Conclusions Agencies with access to FBI CJIS systems and information are subject to formal audits by the FBI and may also be subject to special security inquiries and informal audits when alleged security violations are suspected. CA Technologies provides a comprehensive suite of solutions that can secure access to criminal justice information, enable compliance with FBI security requirements and streamline the audit process going forward. Policy Requirement CA Single Sign-On CA Identity Manager CA Identity Governance CA Data Protection CA Strong Authentication and CA Risk Authentication CA Privileged Identity Suite Policy Area Auditing and Accountability. 4 Policy Area 5 Access Control Policy Area 6 Identification and Authentication Policy Area 7 Configuration Management 4 4 Policy Area 10 Systems and Communications Protection and Information Integrity 4 4 Policy Area 12 Personnel Security 4

13 13 WHITE PAPER: SOLUTIONS FOR CRIMINAL JUSTICE INFORMATION SECURITY COMPLIANCE Connect with CA Technologies at ca.com CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com. Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, Laws ), referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. CS200_94653_1014