Record Checks. Security Awareness Training




Record Checks & Security Awareness Training

Definitions: Access to Criminal Justice Information

The physical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information. (FBI CJIS Security Policy 5.2 Appendix A)


Definitions: process (noun) \ˈprä-ˌses, ˈprō-, -səs\ b: a series of actions or operations conducing to an end; especially: a continuous operation

CJI processing steps shown on the slide:
- Enter CJI
- Query CJI
- Store or print CJI: electronic (RMS) or hardcopy (file cabinet)
- Destroy CJI: shred, overwrite, degauss, incinerate

Definitions: "During CJI processing" implies that CJI is accessible for viewing, modifying or making use of:
- CJI left on printers, copiers or fax machines
- CJI stored insecurely: unlocked file cabinets, disorganized and in the open
- Computers unlocked with a CJI application open
- Wiring closets unlocked
- Network infrastructure left exposed where packet sniffers or other spy devices could be introduced
- A person alone with unencrypted (plain text) CJI where security is out of CJA control

When developing policies to ensure the security of Criminal Justice Information, the FBI and KCJIS must take into account several things. Not the least amongst these are Federal Regulations. Federal regulations are often based on research of industry standards and published recommendations of organizations such as the National Institute of Standards and Technology, or NIST.

WHY Record Checks?

Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. A study conducted by the U.S. Secret Service and the Carnegie Mellon University Software Engineering Institute CERT Program analyzed 150 insider cyber crimes across U.S. critical infrastructure sectors.

WHY Record Checks?

Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. According to one report from the study*, the cases of insider IT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harm to people and organizations.

*Moore, Andrew, Cappelli, Dawn, & Trzeciak, Randall. (2008). The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (CMU/SEI-2008-TR-009). Retrieved March 28, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/assetview.cfm?assetid=8703

The study made 7 observations.

OBSERVATION 1: MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE

Personal predisposition: a characteristic historically linked to a propensity to exhibit malicious insider behavior. Personal predispositions explain why some insiders carry out malicious acts, while coworkers who are exposed to the same conditions do not act maliciously. Personal predispositions can be recognized by certain types of observable characteristics [Band et al. 2006]:
- Serious mental health disorders. Sample observables from cases include alcohol and drug addiction, panic attacks, physical spouse abuse, and seizure disorders.
- Social skills and decision-making bias. Sample observables from cases include bullying and intimidation of coworkers, serious personality conflicts, unprofessional behavior, personal hygiene problems, and inability to conform to rules.
- A history of rule violations. Sample observables from cases include arrests, hacking, security violations, harassment complaints, and misuse of travel, time, and expenses.

All of the insiders in the MERIT cases who committed IT sabotage exhibited the influence of personal predispositions.

5.12 Policy Area 12: Personnel Security

Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section's security terms and requirements apply to all personnel who have access to unencrypted CJI, including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI. For our purposes, unencrypted is synonymous with plain text, readable, or actionable. Actionable means the ability to enter, modify or otherwise affect data.

5.12.1 Personnel Security Policy and Procedures
5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI (continued):

9. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI (continued):

1. (continued) However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances.

5.12.1.1 Minimum Screening Requirements: Within 30 days of CJI access (prior to access for private contractors)

- Submit fingerprints to KBI. Submission initiates searches of Kansas, NCIC (QWA), and III (QH) for records associated with matching images.
- NLETS (IQ) to the state of the person's residency (name based).
- Further queries when indicated: QR (III), FQ (NLETS).

Individual name-based record rechecks as specified above shall be conducted annually or whenever there is reasonable suspicion that an individual's criminal history status has changed.

KCJIS requires ANNUAL NAME-BASED rechecks:
- NCIC person files (QWA) + III (QH) [QWI gets both]
- NLETS IQ to the state of residence, or for Kansas: KQMW + KIQ

5.12.1.1 Minimum Screening Requirements: local policy may augment or increase the standards (CJIS Security Policy 1 INTRODUCTION, 1.1 Purpose, 1.3 Relationship to Local Security Policy and Other Policies).

OPTIONAL:
- Background investigations (interview acquaintances, etc.)
- Employment history/references
- DL

WHY would you? MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE. (Slide photos: Edward Snowden, Bradley Manning)

What's notably NOT in policy: a citizenship requirement.
- FBI CJIS: no restriction on non-US citizens.
- KCJIS: Non-US citizens must be legally able to perform the work in or for the United States.

Recommendations in Policy Part III, Employment Policy. The Security Policy only addresses ACCESS to CJI.

A teleconference with staff from the FBI CJIS ISO office and I.T. Security Audit team clarified that INTRA-state sharing of record check information between agencies is being allowed when the CSA is aware of and approves the procedures. That means agencies can again share record check results when:

1. It is done within the purview of the CSA (in Kansas that is the KHP CJIS Unit).
2. All agencies involved are in agreement.
3. Paperwork is available to provide auditors evidence that:
   a. The CSA knows which local agencies are involved.
   b. A tracking mechanism for completed record checks is in place and known by all stakeholders.
   c. All local agencies know which agency conducted the record checks on which personnel.

We are announcing the release of a revised KCJIS 114-RC form.

Security Awareness Training: WHY?

"As cited in audit reports, periodicals, and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The people factor, not technology, is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this asset."

"A robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them."

Both quotations are from the introduction to: Wilson, Mark, & Hash, Joan (2003). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50, October 2003. National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. http://csrc.nist.gov/publications/nistpubs/800-50/nist-sp800-50.pdf

Security Awareness Training (in order of appearance)

5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum

The CJIS Security Addendum is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum shall be enacted only by the FBI.

5.2 Policy Area 2: Security Awareness Training

Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.

5.2.1.1 All Personnel

At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:

5.2.1.2 Personnel with Physical and Logical Access

In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

5.2.1.3 Personnel with Information Technology Roles

In addition to 5.2.1.1 and 5.2.1.2 above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel (system administrators, security administrators, network administrators, etc.):

Security Awareness Training is REQUIRED if the person uses Criminal Justice Information in any form:
- Radio or cell phone
- Hard copy
- Emailed
- Faxed
- Computer terminal access: OpenFox, CAD, Record Management Systems, Case Management

Security Awareness Training is REQUIRED if:
- The person is unescorted and will be unavoidably exposed to Criminal Justice Information during the course of their work.
- The person is given unescorted/unmonitored access to the computer network and infrastructure used by others to access Criminal Justice Information.
- The person is unescorted in places where CJI is regularly left unsecured, easy for anyone to view.

ROLE OF PERSONNEL: RECORD CHECK AND TRAINING REQUIREMENTS

Columns for each role: (A) Access to unencrypted CJI and/or network infrastructure? (B) Escorted or monitored during CJI processing? (C) Record checks requirements. (D) Security awareness training topics required.

Agency personnel with computers for other than CJI
  (A) Not authorized, but they operate computers on the same network and have free access to the facility, so may be exposed
  (B) NO  (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.2

LEOs, court personnel, etc. without KCJIS access
  (A) YES: physical access, hard copy
  (B) NO  (C) 2. Annual name-based  (D) 5.2.1.1

CJI terminal operators (includes LEOs with MDTs)
  (A) Authorized: physical and electronic
  (B) NO  (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.2

TACs & LASOs
  (A) Authorized: physical and electronic + administration
  (B) NO  (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.3

Agency I.T.
  (A) YES
  (B) NO  (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.3

City/County I.T.
  (A) YES
  (B) NO  (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.3

Contract support: CAD/RMS and other criminal justice applications
  (A) YES: authorized only after incorporating the FBI Security Addendum into the contract
  (B) NO   (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.3
  (B) YES  (C) Authenticate (5.9.1.7); name-based recommended  (D) NONE

Contract support: basic computer hardware, network and/or office suite
  (A) Not intended, but may be exposed during on-site work
  (B) NO   (C) 2. Annual name-based  (D) 5.2.1.1, 5.2.1.3
  (B) YES  (C) Authenticate (5.9.1.7); name-based recommended  (D) NONE

Contract shredding
  Shred off-site:                  (B) NO   (C) 2. Annual name-based  (D) 5.2.1.1
  Agency-witnessed shred on site:  (B) YES  (C) Authenticate (5.9.1.7); name-based recommended  (D) NONE

Custodial personnel
  (A) Not authorized
  (B) NO   (C) 2. Annual name-based  (D) 5.2.1.1
  (B) YES  (C) Authenticate (5.9.1.7); name-based recommended  (D) NONE

For More Information: https://cjisaudit.khp.ks.gov/launchpad/

KCJIS Information Security Officer: Don Cathey, Kansas Highway Patrol, 122 SW 7th St, Topeka KS 66603-3847. Office: (785) 368-6518, Fax: (785) 296-0958, Cell: (785) 213-7135, E-mail: dcathey@khp.ks.gov

Security Trainer/Auditor: Rod Strole, Kansas Highway Patrol, 122 SW 7th St, Topeka KS 66603-3847. Office: (785) 368-6519, Fax: (785) 296-0958, Cell: (785) 249-9961, E-mail: rstrole@khp.ks.gov

Security Trainer/Auditor: Kip Ballinger, Kansas Highway Patrol, 2019 E Iron Ave, Salina KS 67401-3406. Office: (785) 822-1796, Fax: (785) 822-1793, Cell: (785) 452-0180, E-mail: kballing@khp.ks.gov

Security Trainer/Auditor: Tammie Hendrix, Kansas Highway Patrol, 122 SW 7th St, Topeka KS 66603-3847. Office: (785) 368-6514, Fax: (785) 296-0958, Cell: (785) 338-0052, E-mail: thendrix@khp.ks.gov