Record Checks. Security Awareness Training
|
|
- Allen Pope
- 8 years ago
- Views:
Transcription
1 & Security Awareness Training 1 Definitions: Access to Criminal Justice Information Thephysical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information. (FBI CJIS Security Policy 5.2 Appendix A) 2 1
2 Definitions: Access to Criminal Justice Information Thephysical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information. (FBI CJIS Security Policy 5.2 Appendix A) 3 Definitions: Access to Criminal Justice Information Thephysical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information. (FBI CJIS Security Policy 5.2 Appendix A) I m Marsha. How can I help you? 4 2
3 Definitions: pro cess noun\ˈprä-ˌses, ˈprō-, -səs\ b:a series of actions or operations conducing to an end; especially: a continuous operation Enter CJI STORE Or Print CJI ELECTRONIC (RMS) HARDCOPY (File cabinet) DESTROY CJI Shred Overwrite Degauss Incinerate QUERY CJI 5 Definitions: pro cess noun \ˈprä-ˌses, ˈprō-, -səs\ b:a series of actions or operations conducing to an end; especially: a continuous operation 6 3
4 Definitions: During CJI processing implies CJI is accessible for viewing, modifying or making use of CJI left on printers, copiers or fax machines CJI stored insecurely unlocked file cabinets Disorganized and in the open 7 Definitions: During CJI processing implies that CJI is accessible for viewing, modifying or making use of Computers unlocked with CJI application open Wiring closets unlocked Network infrastructure left exposed where packet sniffers or other spy devices could be introduced If a person is alone with unencrypted (plain text) CJI where security is out of CJA control 8 4
5 When developing policies to ensure the security of Criminal Justice Information, the FBI and KCJIS must take into account several things. Not the least amongst these are Federal Regulations. Federal regulations are often based on research of industry standards and published recommendations of organizations such as the National Institute of Standards and Technology, or NIST. 9 WHY Record Checks????? Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. A study conducted by the U.S. Secret Service and the Carnegie Mellon University Software Engineering Institute CERT Program analyzed 150 insider cyber crimes across U.S. critical infrastructure sectors 10 5
6 WHY Record Checks????? Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. According to one report from the study*, the cases of insider IT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harm to people and organizations. *Moore, Andrew., Cappelli, Dawn., & Trzeciak, Randall. (2008). The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (CMU/SEI-2008-TR-009). Retrieved March 28, 2014, from the Software Engineering Institute, Carnegie Mellon University website: 11 The study made 7 observations. OBSERVATION 1: MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE Personal predisposition: a characteristic historically linked to a propensity to exhibit malicious insider behavior. Personal predispositions explain why some insiders carry out malicious acts, while coworkers who are exposed to the same conditions do not act maliciously. Personal predispositions can be recognized by certain types of observable characteristics [Band et al. 2006]: Serious mental health disorders Sample observables from cases include alcohol and drug addiction, panic attacks, physical spouse abuse, and seizure disorders. Social skills and decision-making bias Sample observables from cases include bullying and intimidation of coworkers, serious personality conflicts, unprofessional behavior, personal hygiene problems, and inability to conform to rules. A history of rule violations Sample observables from cases include arrests, hacking, security violations, harassment complaints, and misuse of travel, time, and expenses. All of the insiders in the MERIT cases who committed IT sabotage exhibited the influence of personal predispositions. 12 6
7 5.12 Policy Area 12: Personnel Security Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section s security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI. For our purposes, unencrypted is synonymous with plain text, readable, or actionable. Actionable means ability to enter, modify or otherwise affect data Policy Area 12: Personnel Security Personnel Security Policy and Procedures Minimum Screening Requirements for Individuals Requiring Access to CJI: 1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. 14 7
8 5.12 Policy Area 12: Personnel Security Personnel Security Policy and Procedures Minimum Screening Requirements for Individuals Requiring Access to CJI: 1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. 9. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing)shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times
9 Policy Area 12: Personnel Security Personnel Security Policy and Procedures Minimum Screening Requirements for Individuals Requiring Access to CJI: 1. However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances. 18 9
10 5.12 Policy Area 12: Personnel Security Personnel Security Policy and Procedures Minimum Screening Requirements Within 30 days of CJI Access (prior to access for Private Contractors) Submit fingerprints to KBI. Submission initiates searches of Kansas, NCIC (QWA), and III (QH) for records associated with matching images. NLETS (IQ) to state of person s residency (Name based) Further queries when indicated QR (III), FQ(NLets) Policy Area 12: Personnel Security Personnel Security Policy and Procedures Minimum Screening Requirements Within 30 days of CJI Access (prior to access for Private Contractors) Individual name based records rechecks as specified above shall be conducted annually or whenever there is reasonable suspicion that an individual s criminal history status has changed. KCJIS requires ANNUAL NAME-BASED Rechecks: NCIC person files (QWA) + III (QH) [QWI gets both] NLets IQ state of residence or Kansas KQMW + KIQ 20 10
11 Minimum Screening Requirements 1 INTRODUCTION 1.1 Purpose 1.3 Relationship to Local Security Policy and Other Policies local policy may augment, or increase the standards, OPTIONAL : Background Investigations (Interview acquaintances, etc.) Employment History/References DL Edward Snowden WHY would you? MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE 21 Bradley Manning What s notably NOT in policy: Citizenship Requirement FBI CJIS: no restriction on non-us citizen KCJIS: Non-US citizens must be legally able to perform the work in or for the United States. Recommendations in Policy Part III Employment Policy Security Policy only addresses ACCESS to CJI 22 11
12 A teleconference with staff from the FBI CJIS ISO office and I.T. Security Audit team clarified that INTRA-state sharing of record check information between agencies is being allowed when the CSA is aware and approves of the procedures. That means agencies can again share record check results when: 1.It is done within the purview of the CSA (in Kansas that is the KHP CJIS Unit). 2. All agencies involved are in agreement. 3. Paperwork is available to provide auditors evidence that: a. The CSA knows which local agencies are involved b.a Tracking mechanism for completed records checks is in place and known by all stakeholders c. All local agencies know which agency conducted the record checks on which personnel. We are announcing the release of a revised KCJIS 114-RC form
13 Security Awareness Training WHY? As cited in audit reports, periodicals, and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The people factor -not technology -is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this asset. From Introduction: Wilson, Mark, Hash, Joan (2003) Building and Information Technology Security Awareness and Training Program NIST Special Publication October 2003 National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce 25 Security Awareness Training WHY? A robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them. From Introduction: Wilson, Mark, Hash, Joan (2003) Building and Information Technology Security Awareness and Training Program NIST Special Publication October 2003 National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce
14 Security Awareness Training (in order of appearance) Private Contractor User Agreements and CJIS Security Addendum The CJIS Security Addendum is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require. Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum shall be enacted only by the FBI. 27 Security Awareness Training (in order of appearance) 5.2 Policy Area 2: Security Awareness Training Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI
15 Security Awareness Training (in order of appearance) 5.2 Policy Area 2: Security Awareness Training All Personnel At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:. 29 Security Awareness Training (in order of appearance) 5.2 Policy Area 2: Security Awareness Training Personnel with Physical and Logical Access In addition to above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI: 30 15
16 Security Awareness Training (in order of appearance) 5.2 Policy Area 2: Security Awareness Training Personnel with Information Technology Roles In addition to and above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel(system administrators, security administrators, network administrators, etc.): 31 Security Awareness Training REQUIRED If The person usescriminal Justice Information in any form Radio or cell phone Hard copy ed Faxed Computer Terminal Access OpenFox CAD Record Management Systems Case Management 32 16
17 Security Awareness Training REQUIRED If The person is unescorted and will be unavoidably exposed to Criminal Justice Information during the course of their work. The person is given unescorted/unmonitored access to the computer network and infrastructure used by others to access Criminal Justice Information. 33 Security Awareness Training REQUIRED If The person is unescortedin places where CJI is regularly left unsecured easy for anyone to view
18 ROLE OF PERSONNEL Access to Unencrypted CJI and/or network infrastructure? Escorted or Monitored During CJI Processing RECORD CHECKS REQUIREMENTS: Security Awareness Training Topics Required Agency Personnel with Computers for other than CJI Not Authorized. But operate computers on same network andhave free access to facility, so may be exposed NO 2. ANNUAL NAME BASE LEOs, Court Personnel, etc. without KCJIS access YES physical access hard copy NO 2. ANNUAL NAME BASE CJI terminal operators (Includes LEOs with MDTs) Authorized Physical and electronic NO 2. ANNUAL NAME BASE TACs & LASOs Authorized Physical and electronic + Administration NO 2. ANNUAL NAME BASE Agency I.T. YES NO ANNUAL NAME BASE ROLE OF PERSONNEL Access to Unencrypted CJI and/or network infrastructure? Escorted or Monitored During CJI Processing City/County I.T. YES NO Contract support - CAD/RMS other Criminal justice applications Contract support -Basic Computer Hardware, Network and or office suite YES - Authorizedonly after incorporating FBI Security Addendum into Contract. Not Intended but may be exposed during on site work NO YES NO YES RECORD CHECKS REQUIREMENTS: Security Awareness Training Topics Required 2. ANNUAL NAME BASE ANNUAL NAME BASE Authenticate ( ) Name Based recommended NONE 2. ANNUAL NAME BASE Authenticate ( ) Name Based recommended NONE CONTRACT SHREDDING SHRED OFFSITE AGENCY WITNESSED SHRED ON SITE NO YES 2. ANNUAL NAME BASE Authenticate ( ) Name Based recommended NONE Custodial Personnel Not Authorized NO YES 2. ANNUAL NAME BASE Authenticate ( ) Name Based recommended NONE 36 18
19 For More Information KCJIS INFORMATION SECURITY OFFICER DON CATHEY KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS Office: (785) Fax: (785) Cell: (785) SECURITY TRAINER/ AUDITOR ROD STROLE KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS Office: (785) Fax: (785) Cell: (785) SECURITY TRAINER/ AUDITOR KIP BALLINGER KANSAS HIGHWAY PATROL 2019 E IRON AVE SALINA KS Office: (785) Fax: (785) Cell: (785) kballing@khp.ks.gov 37 SECURITY TRAINER/ AUDITOR TAMMIE HENDRIX KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS Office: (785) Fax: (785) Cell: (785) thendrix@khp.ks.gov 19
Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:
Policy Title: Effective Date: Revision Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Every 2 years or as needed Purpose: The purpose of
More informationPhysical Protection Policy Sample (Required Written Policy)
Physical Protection Policy Sample (Required Written Policy) 1.0 Purpose: The purpose of this policy is to provide guidance for agency personnel, support personnel, and private contractors/vendors for the
More informationApproved By: Agency Name Management
Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Media Protection Policy Every 2 years or as needed Purpose: The intent of the Media Protection Policy is to ensure the
More informationCJIS VENDOR AGREEMENT CJIS COMPUTER SYSTEMS COLORADO BUREAU OF INVESTIGATION
1. Purpose: CJIS VENDOR AGREEMENT CJIS COMPUTER SYSTEMS COLORADO BUREAU OF INVESTIGATION The intent of this agreement and the policies and procedures herein is to facilitate compliance in Colorado with
More informationFingerprint-Based Background Check Responsibilities for Non-Criminal Justice Agencies and Users
Fingerprint-Based Background Check Responsibilities for Non-Criminal Justice Agencies and Users Version 1.2 Hawaii Criminal Justice Data Center March 20, 2014 Table of Contents Table of Contents... 2 I.
More informationInformation Technology. Security Awareness Training for Administrative Personnel
Information Technology Security Awareness Training for Administrative Personnel This training information is intended for criminal justice Administrative Personnel without direct access to IDACS/CJIS systems.
More informationAPPENDIX H SECURITY ADDENDUM
APPENDIX H SECURITY ADDENDUM The following pages contain the legal authority, purpose, and genesis of the Criminal Justice Information Services Security Addendum (H2-H4); the Security Addendum itself (H5-H6);
More informationGENERAL ORDER DISTRICT OF COLUMBIA I. BACKGROUND
GENERAL ORDER DISTRICT OF COLUMBIA Subject CJIS Security Topic Series Number SPT 302 12 Effective Date March 28, 2014 Related to: GO-SPT-302.08 (Metropolitan Police Department (MPD) Wide Area Network)
More informationLawrence Police Department Administrative Policy. August 2013. A. Access to CJIS sensitive data is only available to authorized users.
Lawrence Police Department Administrative Policy SUBJECT Criminal Justice Information System (CJIS) APPLIES TO All Personnel EFFECTIVE DATE REVISED DATE August 2013 APPROVED BY Chief of Police TOTAL PAGES
More informationSecurity awareness training is not a substitute for the LEADS Security Policy.
Revised 4/2014 This training will discuss some of the duties of the Terminal Agency Coordinator (TAC), Local Agency Security Officer (LASO) and provide basic security awareness training. Security awareness
More informationSTATE OF KANSAS OFFICE OF THE ATTORNEY GENERAL Through the KANSAS BUREAU OF INVESTIGATION INSTRUCTIONS
STATE OF KANSAS OFFICE OF THE ATTORNEY GENERAL Through the KANSAS BUREAU OF INVESTIGATION INSTRUCTIONS RENEWAL OF PRIVATE DETECTIVE LICENSE *Complete this renewal form if you are an employee, owner, partner,
More informationCriminal Justice Information Services (CJIS) Security Policy
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Criminal Justice Information Services (CJIS) Security Policy Version 5.0 Prepared by: CJIS Information
More informationHow To Protect The Time System From Being Hacked
WISCONSIN TIME SYSTEM Training Materials TIME SYSTEM SECURITY AWARENESS HANDOUT Revised 11/21/13 2014 Security Awareness Handout All System Security The TIME/NCIC Systems are criminal justice computer
More informationRisk Mitigation Strategies: Lessons Learned from Actual Insider Attacks
Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks Dawn M. Cappelli Andrew P. Moore CERT Program Software Engineering Institute Carnegie Mellon University 04/09/08 Session Code:DEF-203
More informationCJIS Division Update
CJIS Division Update Oregon State Police Criminal Justice Information Services Division Kendele Miyasaki, Training Coordinator Russ Hoskins, Training Specialist CJIS/LEDS Contact Information Criminal Justice
More informationLAW ENFORCEMENT INFORMATION NETWORK INFORMATION MANUAL
LAW ENFORCEMENT INFORMATION NETWORK INFORMATION MANUAL The Michigan Law Enforcement Information Network (LEIN) is a statewide computerized information system established in 1967 as a service to Michigan
More information803 CMR: DEPARTMENT OF CRIMINAL JUSTICE INFORMATION SERVICES 803 CMR 7.00: CRIMINAL JUSTICE INFORMATION SYSTEM (CJIS)
803 CMR 7.00: CRIMINAL JUSTICE INFORMATION SYSTEM (CJIS) Section 7.01: Purpose and Scope 7.02: Definitions 7.03: Criminal Justice Agency (CJA) Access to Criminal Justice Information System (CJIS) 7.04:
More informationArkansas Crime Information Center. ACIC Training Policy
Arkansas Crime Information Center ACIC Training Policy pg. 1 Approved by the ACIC Supervisory Board December 4, 2015 ACIC Training Policy Training is necessary for the proper and effective use of the state
More informationInformation Technology Security Awareness Training
Information Technology Security Awareness Training Rev. Dec. 27, 2011 Information System To understand the importance of information system security or information technology security, you first need to
More information140-2-.04 Criminal Justice Information Exchange and Dissemination.
140-2-.04 Criminal Justice Information Exchange and Dissemination. (1) Exchange and dissemination of criminal justice information by criminal justice agencies: (a) Criminal justice agencies shall exchange
More informationSouth Carolina Law Enforcement Division Criminal Justice Information System (CJIS)
South Carolina Law Enforcement Division Criminal Justice Information System (CJIS) USER AGREEMENT AND SYSTEM RESPONSIBILITIES Introduction The South Carolina Criminal Justice Information and Communications
More informationCJIS Information Technology Security Audit (ITSA) 2015 Program Update
CJIS Information Technology Security Audit (ITSA) 2015 Program Update Greg Verharst CJIS Information Security Officer Greg.Verharst@state.or.us (503) 934-2335 The 4 W s of CJIS Audits Who receives Information
More informationFBI CJIS SECURITY ADDENDUM
FBI CJIS SECURITY ADDENDUM The following is an expanded version of the FBI Criminal Justice Information Services (CJIS) Security Addendum. This document was created in order to assist Texas agencies and
More informationSECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS
SHP-570A 1/14 SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS The goal of this document is to provide adequate security and integrity for criminal history record information (CHRI)
More informationNoncriminal Justice Agency Guide
\ Arkansas Crime Information Center Noncriminal Justice Agency Guide 1 Contents Acronym Glossary... 4 Introduction... 5 Overview & History... 5 Arkansas... 5 Use of Criminal History Record Information
More informationInsider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center
Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage CERT Insider Threat Center April 2011 NOTICE: THIS TECHNICAL DATA IS PROVIDED PURSUANT TO GOVERNMENT CONTRACT
More information12 NCAC 04H.0102 DEFINITIONS As used in this Chapter: (1) "ACIIS" means Canada's Automated Criminal Intelligence and Information System.
12 NCAC 04H.0102 DEFINITIONS As used in this Chapter: (1) "ACIIS" means Canada's Automated Criminal Intelligence and Information System. (2) "Administration of criminal justice" means the: (a) detection
More informationInformation Technology Security Audit (ITSA) Report
U.S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Information Technology Security Audit (ITSA) Report California March 214 Table of Contents EXECUTIVE
More informationCampus and Workplace Violence Prevention
Campus and Workplace Violence 1 Prevention SECTION I Policy SUNYIT is committed to providing a safe learning and work environment for the college community. The College will respond promptly to threats,
More informationK C J I S N E W S N E W S F R O M B I O L O G Y C A S E W O R K J O H N G A U N T T, K B I, B I O L O G Y S E C T I O N
V O L U M E 1 6, I S S U E 4 K C J I S N E W S N O V E M B E R 2 0 1 4 I N S I D E T H I S I S S U E : N E W S F R O M B I O L O G Y E X P U N G E M E N T P R O C E S S R E M E M B E R T O B E V I G I
More informationSouth Carolina Law Enforcement Division Criminal Justice Information System (CJIS)
South Carolina Law Enforcement Division Criminal Justice Information System (CJIS) USER AGREEMENT AND SYSTEM RESPONSIBILITIES Introduction The South Carolina Criminal Justice Infonnation and Communications
More informationCriminal Justice Information Services (CJIS) Security Policy
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Criminal Justice Information Services (CJIS) Security Policy Version 5.5 06/01/2016 Prepared by:
More informationK C J I S N E W S N E W F A C E S A T T H E K H P B Y : C A P T A I N R A N D Y D. M O O N KHP
V O L U M E 1 6, I S S U E 2 K C J I S N E W S M A Y 2 0 1 4 N E W F A C E S A T T H E K H P B Y : C A P T A I N R A N D Y D. M O O N KHP I N S I D E T H I S I S S U E : W I N D O W S X P 2-3 E N D O F
More informationCJIS Online Administrator Manual
CJIS Online Administrator Manual CJIS Online is used for Security Awareness Training and Certification. All personnel, having access to Criminal Justice Information (CJI), are required to have Security
More informationFLORIDA DEPARTMENT OF JUVENILE JUSTICE PROCEDURE
PROCEDURE Title: Florida Crime Information Center (FCIC), National Crime Information Center (NCIC), Criminal Justice Network (CJNet), Judicial Inquiry System (JIS), and Driver And Vehicle Information Database
More informationAlan Ferretti CJIS Information Security Officer
Alan Ferretti CJIS Information Security Officer CJIS Technical Audit Overview Who, What, Why and When Audit Process Review Network Diagram Review Written Policies/Process Available Resources Helps To Know.
More informationCRIMINAL JUSTICE AGENCY ACCESS AGREEMENT
ASSIGNED ORI: Al.0050] 3C CRIMINAL JUSTICE AGENCY ACCESS AGREEMENT This document constitutes an agreement between the Commission (Commission), an agency of the State of Alabama with headquarters at 20
More informationCriminal Justice Information Services (CJIS) Security Policy
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Criminal Justice Information Services (CJIS) Security Policy Version 5.3 Prepared by: CJIS Information
More informationCriminal Justice Information Services (CJIS) Security Policy
U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division Criminal Justice Information Services (CJIS) Security Policy Version 5.4 Prepared by: CJIS Information
More informationINFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL
INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL 1 INTRODUCTION The County of Imperial Information & Technical Services (ITS) Security Policy is the foundation of the County's electronic information
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationAPPROPRIATE USE OF DIGITAL COMMUNICATIONS AND TECHNOLOGIES POLICY
REGISTER OF POLICIES, PROCEDURES AND BY-LAWS APPROPRIATE USE OF DIGITAL COMMUNICATIONS AND TECHNOLOGIES POLICY Code: Policy 2.11 Date of Coming into Force: June 27, 2011 Number of Pages: 6 Origin: Education/
More informationCJIS Information Security Awareness Training for Texas
CJIS Information Security Awareness Training for Texas Objectives This Information Security Awareness Training is designed to equip those who access the data that moves through TLETS with basic tools needed
More informationNCJA CRIMINAL HISTORY RECORD INFORMATION(CHRI) GUIDELINES
Idaho State Police NCJA CRIMINAL HISTORY RECORD INFORMATION(CHRI) GUIDELINES Non-Criminal Justice Agency User Training Manual and Self-Inspection Checklist gwalker 01/15/2013 Idaho State Police Service
More informationSecurity Awareness Training CJIS SECURITY POLICY V5.4 POLICY AREA 2
Security Awareness Training CJIS SECURITY POLICY V5.4 POLICY AREA 2 Level 1: Baseline security awareness training for all authorized personnel with access to CJI. Level 2: Personnel with both physical
More informationFISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
More informationSUBCHAPTER 4H ORGANIZATIONAL FUNCTIONS AND DEFINITIONS
Original DATE PRINTED 0 NCAC 0H.00 is adopted with changes as published in :0 NCR 00 as follows: SUBCHAPTER H ORGANIZATIONAL FUNCTIONS AND DEFINITIONS SECTION.000 GENERAL PROVISIONS NCAC 0H.00 SCOPE (a)
More informationSeptember 2011 Report No. 12-002
John Keel, CPA State Auditor An Audit Report on The Criminal Justice Information System at the Department of Public Safety and the Texas Department of Criminal Justice Report No. 12-002 An Audit Report
More informationFISMA Implementation Project
FISMA Implementation Project The Associated Security Standards and Guidelines Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive environment
More informationCITY OF BOULDER *** POLICIES AND PROCEDURES
CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of
More informationIndex .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY
Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140
More informationYEAR TWO. Total Credits 3 Total Credits 6 Total Credits 3 Total Credits 6 Total Credits 6
FALL 1 START (Online) WINTER 1 (FIRST 8 WEEKS) WINTER 2 (SECOND 8 WEEKS) PUB 5409 3 PUB 5419 3 PUB 5429 3 PUB 5439 3 PUB 5459 3 CJI 0510 3 CJI 0520 3 PUB 5469 3 Total Credits 3 Total Credits 6 Total Credits
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF THE ENTERPRISE DATA WAREHOUSE DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET August 2014 Doug A. Ringler, C.P.A., C.I.A. AUDITOR
More informationCONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT
CONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT I. PURPOSE STATEMENT The TENNESSEE FUSION CENTER (TFC) is an initiative of the Tennessee Bureau of Investigation (TBI) and the Department of
More informationCJIS in the Cloud. Oregon State Police CJIS Statewide Training September 23 & 24, 2015
CJIS in the Cloud Oregon State Police CJIS Statewide Training September 23 & 24, 2015 Stephen Exley, CISSP Senior Consultant/Technical Analyst FBI CJIS ISO Program Cloud Computing Famous Quotes on Cloud
More informationPennsylvania State Police COMMONWEALTH LAW ENFORCEMENT ASSISTANCE NETWORK ADMINISTRATIVE REGULATIONS. Version 4.7
Pennsylvania State Police COMMONWEALTH LAW ENFORCEMENT ASSISTANCE NETWORK ADMINISTRATIVE REGULATIONS Version 4.7 Bureau of Communications and Information Services 1800 Elmerton Avenue Harrisburg, PA 17110
More informationThe Key to Successful Monitoring for Detection of Insider Attacks
The Key to Successful Monitoring for Detection of Insider Attacks Dawn M. Cappelli Randall F. Trzeciak Robert Floodeen Software Engineering Institute CERT Program Session ID: GRC-302 Session Classification:
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationU.S. Department of the Interior's Federal Information Systems Security Awareness Online Course
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior
More informationInformation Security and Privacy. WHAT are the Guidelines? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT are the Guidelines? HOW is it to be done? WHY is it done? 1 WHAT are the guidelines O Be in compliance of Federal/State Laws O Federal: O HIPAA - 1996 O HITECH - 2009
More informationCA Technologies Solutions for Criminal Justice Information Security Compliance
WHITE PAPER OCTOBER 2014 CA Technologies Solutions for Criminal Justice Information Security Compliance William Harrod Advisor, Public Sector Cyber-Security Strategy 2 WHITE PAPER: SOLUTIONS FOR CRIMINAL
More informationTHE GEORGIA CRIME INFORMATION CENTER Georgia Guide for Non Criminal Justice Agency Access to Criminal History Record Information (Rev.
THE GEORGIA CRIME INFORMATION CENTER Georgia Guide for Non Criminal Justice Agency Access to Criminal History Record Information (Rev. February 2010) 1 Table of Contents Introduction... 3 Authority...
More informationInformation Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
More informationAWS Criminal Justice Information Services (CJIS) Workbook
AWS Criminal Justice Information Services (CJIS) Workbook November 2015 (CJIS Security Version 5.4) 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided
More informationGAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network
GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical
More informationThe CERT Top 10 List for Winning the Battle Against Insider Threats
The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationLIFESTREAM BEHAVIORAL CENTER, INC. JOINT NOTICE OF PRIVACY PRACTICES. Effective Date: April 14, 2003
LIFESTREAM BEHAVIORAL CENTER, INC. JOINT NOTICE OF PRIVACY PRACTICES Effective Date: April 14, 2003 THIS DOCUMENT DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationInfoSec Academy Forensics Track
Fundamental Courses Foundational Courses InfoSec Academy Specialized Courses Advanced Courses Certification Preparation Courses Certified Information Systems Security Professional (CISSP) Texas Security
More informationCNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:
1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus
More informationSpotlight On: Insider Threat from Trusted Business Partners
Spotlight On: Insider Threat from Trusted Business Partners February 2010 Robert M. Weiland Andrew P. Moore Dawn M. Cappelli Randall F. Trzeciak Derrick Spooner This work was funded by Copyright 2010 Carnegie
More informationRecession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change
Recession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI Final Draft for March 2009 CSI Alert I
More informationSecure Web Applications. The front line defense
Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security
More informationNONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE INFORMATION
NONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE INFORMATION PRESENTED BY: MICHIGAN STATE POLICE CRIMINAL JUSTICE INFORMATION CENTER SECURITY & ACCESS SECTION A PROUD tradition of SERVICE through EXCELLENCE,
More informationSECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS
COMPLIANCE AND INDUSTRY REGULATIONS INTRODUCTION Multiple federal regulations exist today requiring government organizations to implement effective controls that ensure the security of their information
More informationTHE GEORGIA CRIME INFORMATION CENTER 2011 Georgia Guide for Non Criminal Justice Agency Access to Criminal History Record Information
THE GEORGIA CRIME INFORMATION CENTER 2011 Georgia Guide for Non Criminal Justice Agency Access to Criminal History Record Information 1 Table of Contents Introduction... 3 Authority... 3 Umbrella Statute...
More informationResults Oriented Change Management
Results Oriented Change Management Validating Change Policy through Auditing Abstract Change management can be one of the largest and most difficult tasks for a business to implement, monitor and control
More informationWestern Australian Auditor General s Report. Information Systems Audit Report
Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises
More informationIs Your Vendor CJIS-Certified?
A Thought Leadership Profile Symantec SHUTTERSTOCK.COM Is Your Vendor CJIS-Certified? How to identify a vendor partner that can help your agency comply with new federal security standards for accessing
More informationChange Management: Automating the Audit Process
Change Management: Automating the Audit Process Auditing Change Management for Regulatory Compliance Abstract Change management can be one of the largest and most difficult tasks for a business to implement,
More informationU.S. Department of Justice. Becoming A. Special Agent. U.S. Department of Justice Office of the Inspector General INVESTIGATIONS DIVISION
U.S. Department of Justice Office of the Inspector General Becoming A Special Agent INVESTIGATIONS DIVISION OFFICE OF THE INSPECTOR GENERAL U.S. Department of Justice The OIG plays an integral role in
More informationBusiness Case. for an. Information Security Awareness Program
Business Case (BS.ISAP.01) 1 (9) Business Case for an Information Security Business Case (BS.ISAP.01) 2 Contents 1. Background 3 2. Purpose of This Paper 3 3. Business Impact 3 4. The Importance of Security
More informationExelon Nuclear Unescorted Access Requirements Frequently Asked Questions
What follows is an explanation of the processes required for a contractor to obtain unescorted access (photo security badge) at any of the Exelon Nuclear facilities. This document is presented in a (FAQ)
More informationPrivacy Impact Assessment for the Volunteer/Contractor Information System
Federal Bureau of Prisons Privacy Impact Assessment for the Volunteer/Contractor Information System Issued by: Sonya D. Thompson Deputy Assistant Director/CIO Reviewed by: Approved by: Vance E. Hitch,
More informationINTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement
INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE Guiding Principles on Cloud Computing in Law Enforcement Cloud computing technologies offer substantial potential benefits to law enforcement and government
More informationDeciphering the Safe Harbor on Breach Notification: The Data Encryption Story
Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their
More informationInformation Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514
More informationIntroduction DEFINITIONS
Pennsylvania Commission on Crime and Delinquency Guidelines and Technology Standards for the Collection and Transmission of Booking Center Captured Offenders' Identification Information Table of Contents
More informationUSD #102 Employee Technology Use Handbook
USD #102 Employee Technology Use Handbook New technology is always on the horizon. An attempt to identify all technologies and list possible misuses of them is impossible. Therefore, throughout this technology
More informationKamala D. Harris Attorney General California Department of Justice
Electronic Recording Delivery System Addendum to the following ERDS Handbooks: Baseline Requirements and Technology Standards System Certification Computer Security Auditor Kamala D. Harris Attorney General
More informationWellesley College Whistleblower Policy Adopted April 2009
Wellesley College Whistleblower Policy Adopted April 2009 1. General Wellesley College (the "College") requires all employees (including faculty) to observe high standards of business and personal ethics
More informationThe Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8
The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8 Introduction The IT systems must be used in a reasonable manner and in such a way that does not affect their efficient operation,
More informationUnderstanding Nebraska's Protection Orders
Understanding Nebraska's Protection Orders A guide for victims, law enforcement and service providers. What is a Protection Order? A protection order is a special type of order issued by a Judge which
More informationSenate Bill 9 Background Checks for Education A Reference Guide January 1, 2008
Senate Bill 9 Background Checks for Education A Reference Guide January 1, 2008 TABLE OF CONTENTS SB9 OVERVIEW... 3 DEFINITIONS... 4 THE FINGERPRINTING PROCESS:... 6 SUMMARY OF REQUIREMENTS FROM THE BILL...
More informationTYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME. Haya Fetais & Mohammed Shabana. Saint Leo University COM- 510
TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME Haya Fetais & Mohammed Shabana Saint Leo University COM- 510 November 23, 2014 Introduction Globalization and technological developments have infiltrated
More informationTenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014
Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More information