NC CJIN Governing Board. 13 October, 2011. George A. White



Similar documents
Today s Presenters: Doug Blenman Jr. Steven Doggart. How to Comply with FBI CJIS Security Policy

Advanced Authentication Methods Determining the Best Fit for Your Agency. Strong Authentication. Simplified.

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

CA Technologies Solutions for Criminal Justice Information Security Compliance

CJIS SECURITY POLICY: VERSION 5.2 CHANGES AND THE UPCOMING REQUIREMENTS.

Data risks and Technology Trends. Stephen Reyes Saltmarsh, Cleaveland & Gund

Alan Ferretti CJIS Information Security Officer

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Who s There? A Methodology for Selecting Authentication Credentials. VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu

Virtualization Demystified

GFIPM Supporting all Levels of Government Toward the Holy Grail of Single Sign-on

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

The Convergence of IT Security and Physical Access Control

Leveraging Authentication

Audio: This overview module contains an introduction, five lessons, and a conclusion.

About the white paper: The pressure to demonstrate compliance with standards and regulations such as Sarbanes Oxley, HIPAA, PCI DSS and Basel II,

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

YEAR TWO. Total Credits 3 Total Credits 6 Total Credits 3 Total Credits 6 Total Credits 6

Device-Centric Authentication and WebCrypto

The Benefits of an Industry Standard Platform for Enterprise Sign-On

Authentication Levels. White Paper April 23, 2014

API-Security Gateway Dirk Krafzig

Executive Summary P 1. ActivIdentity

Fall 2015 An Empower Federal Credit Union Publication. New online Banking. Important Information Inside: The new way to login pg3

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

ATTENTION: End users should take note that Main Line Health has not verified within a Citrix

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Software Token Security & Provisioning: Innovation Galore!

One Platform for all your Print, Scan and Device Management

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

CJIS Online Administrator Manual

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

CJIS Division Update

Research Information Security Guideline

Criminal Justice Information System (CJIS) Vendor Policy Guidelines

Biometrics: Advantages for Employee Attendance Verification. InfoTronics, Inc. Farmington Hills, MI

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

RSA SecurID Software Token Security Best Practices Guide

Williamson County Technology Services Technology Project Questionnaire for Vendor (To be filled out withprospective solution provider)

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

How to create an Expense Report through iexpense in the iphone Mobile App

French Justice Portal. Authentication methods and technologies. Page n 1

Physical Protection Policy Sample (Required Written Policy)

PAYROLL REDUCING YOUR COST OF LABOR ONE PAY PERIOD AT A TIME AUTOMATED TIMEKEEPING

Introducing etoken. What is etoken?

Minnesota State Colleges and Universities System Guideline Chapter 5 Administration

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

Arkansas Crime Information Center. ACIC Training Policy

ONE PLATFORM FOR ALL YOUR PRINT, SCAN, AND DEVICE MANAGEMENT

Workspot, Inc. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: September 16, Product Information Partner Name

How To Use Uniflow

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

CJIS in the Cloud. Oregon State Police CJIS Statewide Training September 23 & 24, 2015

Alternative authentication what does it really provide?

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Multi-Factor Authentication Core User Policy and Procedures

Trends in Mobile Authentication. cnlab security ag, obere bahnhofstr. 32b, CH-8640 rapperswil-jona

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Advanced Authentication

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Trust Elevation Using Risk-Based Multifactor Authentication. Cathy Tilton

Entrust IdentityGuard

Advanced Authentication

The Convergence of IT Security and Physical Access Control

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:

Get Smart Card Ready. How to Recover Your Old (Expired) Certificates

White Paper What is Noah Mobile?

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

SAML for EPCS (Electronic Prescription of Controlled Substances)

Strong Identity Authentication for First Responders

Biometrics, Tokens, & Public Key Certificates

Global Mobile Technologies Guide for Zenprise Enrollment for IOS devices (ipad, iphones)

Authentication Tokens

Security and Usability

mydeq Help Line (844)

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Multi-Factor Authentication Job Aide

22 nd NISS Conference

Smart Cards, Biometrics and Tokens for VLANs and Subnet Access

ADM:49 DPS POLICY MANUAL Page 1 of 5

Modern Multi-factor and Remote Access Technologies

Multi-factor authentication

ECCA 2014 Conference Santander

Slide 1. Slide 2. Agenda

Application Installation/Setup

Scalable Authentication

PHIN Systems Security and Two Factor Authentication. Raja Kailar, Ph.D. Senior Security Consultant, IRMO/CDC

Administration Guide Modular Authentication Services (NMAS) April 2013

Tired of running to the post office and the bank to get your customers payments

Project Title slide Project: PCI. Are You At Risk?

Criminal Justice Information Services (CJIS) Security Policy

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

CJIS Information Technology Security Audit (ITSA) 2015 Program Update

PrivateServer HSM Integration with Microsoft IIS

ADVANCE AUTHENTICATION TECHNIQUES

A Feasible and Cost Effective Two-Factor Authentication for Online Transactions

Transcription:

Advanced Authentication NC CJIN Governing Board 13 October, 2011 George A. White FBI CJIS ISO

Brief Policy History Two year development Fully vetted by all state representation Criminal and civil Requirements and transition documents published Transition dates applied Audit cycles incorporate transition

Authentication Changes Protect the Criminal Justice Information Identifying the user vs. the device Knowing where the user is located Technical controls as well as physical and personnel controls Advanced authentication

Authentication Authentication isthe process of verifying a claimedidentity identity, determining if the subject is really who he/she claims to be. It is based on at least one of the following three factors: something a person has (smart card, token, key, swipe card, badge) something a person knows (password, passphrase, PIN) something a person is (fingerprint, voice, retina/iris characteristics) *Strong, or two factor, authentication contains two out of these three methods. 4

Advanced Authentication A single form of authentication (standard authentication* = password) is not a very secure means of authentication. Therefore, many organizations have introduced into policy a second means, or form of, authenticating a person s identity. *Standard Authentication (Password) requirements can be found in the CSP in Section 5.6.2.1 For the purpose of the CJIS Security Policy (CSP), the process of requiring more than a single factor of authentication is most often referred to as Advanced Authentication, or AA. 5

Policy Definition Added security functionality, in addition to the typical user identification and authentication of login ID and password, such as: biometric systems, public key infrastructure (PKI), smart cards, software tokens, hardware tokens, or Riskbased Authentication that includes a software token element comprised of a number of factors. 6

When AA is Required Advanced Authentication and the CJIS Security Policy The requirement to use AA is dependent upon the physical, personnel and technical security controls associated with the user s location. Therefore: AA shall not be required for users requesting access to CJI from within a physically secure location (defined in Section 5.9) and when the technical security controls have been met (defined in Sections 5.5 and 5.10) AA is required when it can t be determined from where a user is originating, e.g. utilizing wireless or web The CSP offers a flow chart, or decision tree, to help agencies determine when AA is required. (Figure 8 and Figure 9 of Section 5.6.2.2.2) 7

Advanced Authentication Some means of AA are: Means and Methods of Advanced Authentication Biometric systems (fingerprint readers, retina scanners, etc.) User based public key infrastructure (PKI) Smart cards Software tokens (tokens stored on electronic device, i.e. pin numbers or one time passwords) Hardware tokens (RSA tokens, etc) Paper(inert) tokens (a homemade One Time Password styled, e.g. bingo cards ) A Risk based Authentication which includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high risk challenge/response questions 8

Challenges Mobile Environment Type of device doesn t matter Tablet, Android, iphone, ipad, etc. It s how the CJI is accessed or stored Technical Assertions From Device Between Applications Resources Cost Knowledge 9

Advanced Authentication Advanced Authentication Use within Your CJIS Community It is important to recognize that the FBI and CJIS does NOT certify/endorse any single vendor product regardless of what any vendor tells you. So, how will the CJIS ISO Program help you? The CJIS ISO Program will: Provide an analysis of a proposed solution/product brought to us by an ISO request as it would be implemented within your network to the requirements of the CSP Offer advice and suggestions based off a completed analysis of a proposed solution/product Answer any questions or concerns to add clarity to the AA requirements of the CSP 10

Questions Any Questions??

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information