Alan Ferretti CJIS Information Security Officer



Similar documents
CJIS SECURITY POLICY: VERSION 5.2 CHANGES AND THE UPCOMING REQUIREMENTS.

Alan Ferretti CJIS Information Security Officer

How To Protect The Time System From Being Hacked

Physical Protection Policy Sample (Required Written Policy)

Security awareness training is not a substitute for the LEADS Security Policy.

PCI DSS Requirements - Security Controls and Processes

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Approved By: Agency Name Management

Lawrence Police Department Administrative Policy. August A. Access to CJIS sensitive data is only available to authorized users.

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

CJIS in the Cloud. Oregon State Police CJIS Statewide Training September 23 & 24, 2015

Virtualization Demystified

GENERAL ORDER DISTRICT OF COLUMBIA I. BACKGROUND

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

How To Write A Health Care Security Rule For A University

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

PII Compliance Guidelines

ADM:49 DPS POLICY MANUAL Page 1 of 5

A Rackspace White Paper Spring 2010

Payment Card Industry Self-Assessment Questionnaire

Supplier Information Security Addendum for GE Restricted Data

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

CJIS Information Security Awareness Training for Texas

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Retention & Destruction

Becoming PCI Compliant

Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition

Miami University. Payment Card Data Security Policy

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Identity Theft Prevention Program Compliance Model

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

CJIS Online Overview. CJIS Security Awareness Training & Testing Software

The Second National HIPAA Summit

Williamson County Technology Services Technology Project Questionnaire for Vendor (To be filled out withprospective solution provider)

HIPAA Security Alert

Compliance and Industry Regulations

Information Technology Branch Access Control Technical Standard

CJIS Information Technology Security Audit (ITSA) 2015 Program Update

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

NONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE INFORMATION

BKDconnect Security Overview

DHHS Information Technology (IT) Access Control Standard

Central Agency for Information Technology

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Connecticut Justice Information System Security Compliance Assessment Form

Is Your Vendor CJIS-Certified?

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

LAW ENFORCEMENT INFORMATION NETWORK INFORMATION MANUAL

Cyber Self Assessment

HIPAA Privacy and Security Risk Assessment and Action Planning

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

CJIS Online Security Awareness Training. Vendor Guide

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

Music Recording Studio Security Program Security Assessment Version 1.1

Estate Agents Authority

CREDIT CARD PROCESSING POLICY AND PROCEDURES

SUPPLIER SECURITY STANDARD

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Research Information Security Guideline

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

SECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS

Implementation Guide

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Newcastle University Information Security Procedures Version 3

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

CJIS Online Security Awareness Training. TAC Guide

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

[BRING YOUR OWN DEVICE POLICY]

State of Texas. TEX-AN Next Generation. NNI Plan

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

HIPAA ephi Security Guidance for Researchers

PCI Requirements Coverage Summary Table

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Security Policy for External Customers

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Payment Card Industry Data Security Standard

CYBER SECURITY POLICY For Managers of Drinking Water Systems

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Standard CIP Cyber Security Systems Security Management

PCI DSS COMPLIANCE DATA

1B1 SECURITY RESPONSIBILITY

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

CHIS, Inc. Privacy General Guidelines

Transcription:

Alan Ferretti CJIS Information Security Officer

CJIS Technical Audit Overview Who, What, Why and When Audit Process Review Network Diagram Review Written Policies/Process Available Resources

Helps To Know. Who conducts a CJIS Technical audit? What is being audited? Why are you being audited? When does the audit take place?

WHO CONDUCTS THE TECHNICAL SECURITY AUDIT? Texas DPS CJIS Security Team Ensures all criminal justice accessing TLETS meet requirements mandated by the CJIS Security Policy Support other CRS/CJIS audits on technical issues Office created 2005 CJIS Information Security Officer Alan Ferretti 10 Auditors 1,200+ TLETS agencies

What is being audited? Audit of the 500+ shall statements in the CJIS Security Policy: Physical Security Network Diagrams Policies & Processes pertaining to CJI access, storage, and transmission.

WHY IS THE AGENCY BEING AUDITED? CJIS Security Policy requirement: Once every three years There are other audit triggers

Other audit triggers New Agency Security incident or exceptional event Any physical move Major system upgrade exceeding 25 % change from the original system

What is included in the audit? FBI & DPS Audit Programs UCR Sex Offenders Technical Access & Dissemination TCIC Network Diagram Policies Physical Security Mobiles Interface Software Walk Through

SECURITY AUDIT PROCESS DPS Technical Auditor Schedules the audit 2-4 weeks notice when possible Phone call to agency Set date and time, confirm contacts. Follow up with email to the Agency detailing instructions and send samples of following required policies: Agency Standard Operating Procedures (SOP) CJIS Security Audit - BLANK COPY CJIS Security Policy - CURRENT VERSION Disposal of Electronic & Physical Media Incident Response Plan Security Alert & Advisory Process Security Addendum Security Awareness Training - PDF REVIEW MATERIAL Respond to any agency questions

The auditor will arrive promptly on the date and time scheduled. Be ready, have local policies, network diagrams and related documentation on hand.

The auditor will introduce themselves. Ensure necessary staff are present. This may include IT Support, Administrative, and Managerial Personnel. The Audit will cover all areas of the CJIS Security Policy. Have a copy of the audit form available to follow along. Respond to each question clearly. Avoid vague responses, and explain local processes if necessary.

BASIC NETWORK DIAGRAM ELEMENTS Depicts routers, switches and firewalls with make and model. Annotates the different device types (PCs, laptops, phones) with quantity. Network properly segmented from non-law enforcement networks. Firewall in place between non-le networks and Internet. CJI data transmitted outside the secured network must be encrypted at a minimum of AES-128 bit and meet FIPS 140-2 standards. Agency name, date and For Official Use Only.

Be prepared to explain. Any technical elements VLANS, ACLs existing and how configured Encryption types between points Fiber connections Network segments not within the secured location Where CJI data is stored? How CJI data is protected?

Start gathering information IT /Network Support / Vendor Support Signed complete Security Addendum Management Control Agreements (MCA) Inter-local agreements, MOU Vendor/IT Security Awareness Training list FIPS certificates for any encryption Agency Personnel Security Awareness Training List Finger prints for everyone with Access.

Paperwork to have ready at audit Management Control Agreements / Security Addendums Security Awareness Training Documentation Incident Response w/contact Information Standard Operating Procedures (SOP) Must include processes for account management, remote access, personally owned information systems, media protection, personnel sanctions Mobile Policy (MDT if applicable) or BYOD Electronic & Physical Media Disposal Security Alert Process Network Diagram Memorandum of Understanding (MOU if applicable) FIPS Certificates (if applicable)

Computer and Network Security Computer Security Operating system patches applied are up to date. Anti-virus installed, functional and signature files updated. Session locked after 30 min of inactivity. Terminals kept behind secure doors, protected from unauthorized viewing. Visitors are escorted. Network Security Equipment has not met end of life (EOL). Equipment has patches applied and up to date. Equipment stored in secure area. Visitors are escorted.

Reviewing Vendor Software Software patches up to date CJI data transmitted outside the secured network is encrypted at a minimum 128 bit and is FIPS 140-2 certified Meets password requirements Locks after 5 consecutive invalid log on attempts NCIC & III transactions retained for 1 year Log audit events Meets audit retention, monitoring, alert and review requirements CJI data stored where? Remote access into network has Advanced Authentication and meets encryption requirements

SITE INSPECTION Be prepared to escort the auditor to areas within the agency. Dispatch, network closets, anywhere a terminal or access point may be located. The auditor will indicate what areas they need to visit. This may include patrol vehicles if MDTs are utilized. This may include other locations (DA, Jail, )

Physical Security Physical locks, doors and windows. Entry and exit secured. Challenge and identification of visitors. Authentication. Terminal Location. Positioned Securely. Session Lock, screen saver methods for securing terminals. Mobile Units, secured into enclosed vehicle, screen viewable Network / Equipment Room Locks Access Points, location and accessibility Offsite Areas (if applicable / media storage, communication equipment)

Reviewing Laptops Advanced Authentication (AA) being utilized outside the secure location. If required, encryption in use, FIPS certificates. List of devices (Aircards, etc). Incident Response Plan addressing device loss. Any policies addressing usage outside the secured location. Any Bring Your Own Device (BYOD) policies in place.

Reviewing Mobiles Advanced Authentication (AA) being utilized outside the secure location. If requested, Compensating Controls for AA email on file. Mobile Device Management (MDM) in place for tablets and phones. Incident Response Plan addressing mobile device loss. Any policies addressing usage outside the secured location. Any Bring Your Own Device (BYOD) policies in place.

Closeout The auditor will discuss any areas of weakness or non-compliance. Feel free to ask questions or request clarification of any items in question. Our goal is to ensure security and compliance; we can help you to identify weak areas.

AUDIT PROCESS - COMPLIANT Formal email to agency Next scheduled security review in 3 years

AUDIT PROCESS NON-COMPLIANT Non-compliant email listing items found Agency given 30 days to correct non-compliant issues or submit plan for correcting items Compliant email sent to agency upon verification of corrected items

Texas Audit Statistics In the 12 months ending August 31, 2014: There were 67 new agencies added for Audit. Current Total Agencies we audit is 1,227. Technical Security Auditors drove 99,310 miles. There were no accidents (Or speeding tickets) Completed 436 Technical Audits: 218 were Compliant 124 became Compliant 94 are still working issues

Top Reasons for non-compliance: Software, Patches, Updates Remote Support - Encryption/AA Security Awareness Training Local Agency Required Policies

Available Resources Security Review Website http://www.dps.texas.gov/securityreview CJIS Security Policy Security Awareness Training Resources Network Diagram Examples Management Control Agreement CJIS Security Addendum Security Newsletters Links for Cyber Training and LEEP info ListServ signup on bottom of home page

CJIS Audit Team Texas CJIS ISO, Alan Ferretti (512) 424-7186 Chip Burleson CJIS Auditor (512) 424-7401 Daniel Conte CJIS Auditor (512) 424-7137 Erwin Pruneda CJIS Auditor (512) 424-7911 Jeannette Cardenas CJIS Auditor (512) 424-7910 Oswald Enriquez CJIS Auditor (512) 424-7914 Linda Sims CJIS Auditor (512) 424-2937 firstname.lastname@dps.texas.gov (Open Position) Stephen Doc Petty CJIS Auditor (512) 424-7055 Deborah Wright Lead Tech. Auditor (512) 424-7876

CJIS Security Office Texas Department of Public Safety CJIS Technical Security Team 512-424-5686 security.committee@dps.texas.gov

Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information