Information Security Officer Training · 7/24/2015

Revised 4/2014


This training discusses some of the duties of the Terminal Agency Coordinator (TAC) and the Local Agency Security Officer (LASO), and provides basic security awareness training.

Security awareness training is intended to provide LEADS users with information on the threats and risks associated with criminal justice information and basic methods to mitigate these risks.

Security awareness training is required within six months of employment and every two years thereafter for all personnel who access LEADS data. This also includes IT personnel with access to systems that transmit, store, or process criminal justice information.


Security awareness training is not a substitute for the LEADS Security Policy.

LEADS users and IT staff working with equipment that transmits, processes, or stores LEADS data shall follow all requirements outlined in the Security Policy.

The Security Policy can be downloaded from the following link on terminals with access to the LEADS network: http://10.19.240.41/cjismanuals/index.pl


Computerized Criminal History (CCH) - An Ohio fingerprint central repository for arrest, conviction, and disposition data on adults and juveniles arrested for felony and gross misdemeanor offenses. It is frequently used during mandated background checks on individuals seeking employment or licensing for various employed and volunteer positions.

Criminal Justice Information (CJI) - The abstract term used to refer to all LEADS-provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to, biometric, identity history, biographic, property, and case/incident data.

Law Enforcement Automated Data System (LEADS) - Serves as the electronic communication network for Ohio’s criminal justice communities and the gateway to NCIC.


National Crime Information Center (NCIC) - A computerized index of open warrants, arrests, stolen property, missing persons, and dispositions regarding felonies and serious misdemeanors.

III (“Triple-eye” for short) - The Interstate Identification Index. III is a national index that holds the Federal Bureau of Investigation’s (FBI) Record of Arrest and Prosecution (RAP) sheet, which contains information reported by local, state and federal law enforcement agencies across the country. Requests associated with a record housed in a particular state are directed to the originating state as needed.


International Justice and Public Safety Network (NLETS) - Formerly known as the National Law Enforcement Telecommunications System, NLETS links together state, local, and federal law enforcement, criminal justice and public safety agencies for the purpose of exchanging information to support law enforcement. This includes information from each state’s criminal records, driver records, vehicle registration records, INTERPOL, Immigration and Customs Enforcement (ICE), License Plate Reader (LPR) records, and national Amber Alerts.

Phishing - The practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack.


The TAC does not have to be a technical person, but will need to be able to work with system administrators and vendors to obtain required information.

Appointed by each terminal agency administrator.

Directly responsible to the agency administrator for the operation and security of LEADS.

Serves as a point of contact for the State ISO and all LEADS staff.


Understand how computer systems at the agency are connected to LEADS and assist in maintaining network topology documentation.

Submit updated diagrams and documentation for approval prior to making any significant changes to the network topology (adding a new system, external network connection, etc.).

Maintain a record of any maintenance on systems by non-agency personnel. Log the name of the technician and the company doing the work, as well as the time they start and finish.


Ensure all personnel with access to LEADS systems and data are provided security awareness training. Training must be completed biennially and a record of training must be maintained. For the minimum topics to be covered, please refer to the LEADS Security Policy (section 5.2.1).

Ensure only authorized personnel have access to LEADS systems. Personnel who do not have a fingerprint-based background check on file are considered unauthorized and required to be escorted by authorized personnel at all times.

Ensure all LEADS equipment and terminals are located in a secure room with limited access.


Report all suspected security incidents to LEADS Control at 1-800-589-2077 to initiate contact with the State Information Security Officer (ISO). Types of incidents that should be reported include:

◦ Theft or intentional damage of LEADS equipment

◦ Hacking incidents

◦ Virus or malware infections

◦ Any other situation that could threaten LEADS

Violations of LEADS Administrative Rules and instances of misuse shall be reported to the LEADS Administrative staff at (614) 752-4382.


Ensure LEADS Security Policy compliance at the local agency in partnership with the State ISO.

Develop a Computer Use and Security Policy.

Develop a Media Protection Policy.

Develop a Remote Access and Internet Use Policy (if applicable to your agency’s operation).

Develop an agency Business Continuity/Disaster Recovery Plan.

TAC Officers will need agency administrator support with these tasks.


In addition to the TAC, each agency with LEADS access shall appoint a LASO.

The LASO and the TAC can be the same person.

Collaborate with the TAC to report all suspected security incidents to LEADS Control at 1-800-589-2077 to initiate contact with the State ISO.


Identify who is using the LEADS approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.

Identify and document how equipment is connected to LEADS.

Ensure that personnel security screening procedures are being followed as stated in the LEADS Security Policy.

Ensure the approved and appropriate security measures are in place and working as expected.


State ISO

TAC

LASO


A technical security inspection will be conducted a minimum of once every three years by a member of the LEADS Security staff.

Technical security inspections are done on-site and can take one to three hours, depending on the complexity and size of the agency’s network.

The TAC and LASO are required to be present during the inspection.


Agencies scheduled for technical security inspections will receive a Pre-Audit Questionnaire that shall be returned, along with a current network diagram, prior to the inspection date. Please make arrangements for a vendor/IT person to be available if you are unable to answer technical questions about your systems or policies.


A progressive sanction process has been established to enforce the LEADS Administrative Rules and Security Policy. Agencies found to be out of compliance with the rules and/or policy may be subject to the sanction process. For more information on the progressive sanction process, please refer to the Ohio Revised Code 4501:2-10-11.


Criminal Justice Information (CJI) includes any and all data that is transmitted or received through LEADS.

The system configuration often contains sensitive details (descriptions of applications, processes, procedures, data structures, authorization processes, data flow, etc.).

Agencies shall protect system documentation from unauthorized access consistent with provisions described in Section 5.5 - Access Control in the LEADS Security Policy.


Ensure the computer system is protected with a strong password.

Ensure the computer is up-to-date with patches (operating system, applications, anti-virus, and anti-malware).

Practice smart internet habits when browsing. Be selective of the sites you visit and check the security level of web pages that require you to enter personal information.


When entering personal information on a website, verify the website is encrypted (i.e. - uses HTTPS).

Systems processing, storing, or transmitting CJI are required to be located in a physically secure area.

Users shall be given the least amount of privileges required on systems accessing and/or containing CJI.

Employ segregation of duties - the concept of having more than one person required to complete a task. This ensures that no single person is in a position to introduce fraudulent or malicious code/data without detection.


LEADS printouts contain CJI. The following shall apply when dealing with printed LEADS data:

◦ Make printouts unreadable prior to disposal.

◦ Before exchanging LEADS data, agencies must have formal agreements in place that specify security controls.

◦ Do not email, transport or store LEADS information on electronic media unless it is encrypted.


The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media.

When hard drives, tape cartridges, USB drives, hard copies, print-outs, and other similar items are no longer needed - all media must be destroyed by shredding, burning, or any other method that renders the data unreadable.

The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals.

Inoperable electronic media shall be destroyed (cut up, shredded, crushed, etc.).

Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel.


Smartphones and tablets are examples of handheld devices. Some of the threats to these types of devices are:

◦ Loss, theft, or disposal

◦ Unauthorized access

◦ Malware

◦ Spam

◦ Electronic eavesdropping

◦ Electronic tracking (threat to security of data and safety of law enforcement officer)

◦ Cloning (not as prevalent with later generation cellular technologies)


To help mitigate the risks to handheld devices, agencies shall at a minimum:

◦ Apply available critical patches and upgrades to the operating system

◦ Configure for local device authentication

◦ Use advanced authentication

◦ Encrypt all CJI that resides on the device

◦ Erase cached information when sessions are terminated

◦ Employ personal firewall software

◦ Employ antivirus software


Strong passwords are required for all users accessing LEADS systems.

Strong passwords are created by using the following guidelines:

◦ Contain a minimum of 8 characters

◦ Include characters from the following categories: letters (upper and lower case), numbers, and special characters

◦ Make the password appear to be a random sequence of letters, numbers, and special characters. Dictionary words, proper names or the user ID shall not be used.


Ensure all password changes are in accordance with Section 5.6.2.1 of the LEADS Security Policy.

Passwords should be changed frequently. LEADS requires users to change passwords every 60 days.

Do not reuse old passwords. LEADS prohibits reuse of the previous 10 passwords.

Passwords shall never be shared or written down.
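The password rules on the two slides above (length, character categories, no dictionary words or user ID, 60-day change, no reuse of the previous 10) can be checked in code. The following is an added Python example, not part of the LEADS training or Security Policy; the word list, function names, PBKDF2-based history storage, and the reading of "every 60 days" as "expired on day 60" are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 8        # "minimum of 8 characters"
MAX_AGE_DAYS = 60     # "change passwords every 60 days"
HISTORY_DEPTH = 10    # "prohibits reuse of the previous 10 passwords"

# Constructed sample list (assumption); stands in for a real dictionary,
# a list of proper names, and agency-specific terms.
SAMPLE_WORDS = {"password", "welcome", "summer", "police", "leads", "columbus"}


def _digest(password, salt):
    # Salted, slow hash so the history never holds recoverable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def history_entry(password):
    """Return the (salt, digest) pair to store when a password is set."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def complexity_problems(password, user_id):
    """List every composition rule the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    categories = {
        "upper-case letter": string.ascii_uppercase,
        "lower-case letter": string.ascii_lowercase,
        "number": string.digits,
        "special character": string.punctuation,
    }
    for name, chars in categories.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    for word in sorted(SAMPLE_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_reused(password, history):
    """True if the password matches any of the last HISTORY_DEPTH entries."""
    recent = history[-HISTORY_DEPTH:]
    return any(hmac.compare_digest(_digest(password, salt), stored)
               for salt, stored in recent)


def is_expired(last_changed, today):
    """True once the password has been in use for MAX_AGE_DAYS or more."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample data: user "jdoe" with two earlier passwords.
    history = [history_entry(p) for p in ("Old#Pass1x", "Old#Pass2x")]
    for candidate in ("Summer2015!", "Old#Pass2x", "Tr7#kQ9!zv"):
        print(candidate, complexity_problems(candidate, "jdoe"),
              "reused" if is_reused(candidate, history) else "new")
    print("expired:", is_expired(date(2015, 1, 1), date(2015, 3, 2)))
```

Substring matching against a word list is deliberately strict; it flags `Summer2015!` even though that password satisfies every character-category rule.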


The LEADS network is protected by Cisco Clean Access (CCA). CCA helps ensure LEADS terminals are kept up-to-date and in compliance with the Security Policy.

Systems are scanned to ensure critical Windows security patches are installed and up-to-date anti-virus software is running upon each login.

CCA login sessions expire every seven days so systems can be scanned. Clients must re-authenticate when prompted to maintain connectivity to the secure criminal justice network.


Anti-virus software is used to identify and remove computer viruses, spyware, and malware.

Most modern anti-virus software can protect against a wide range of worms, rootkits and trojans.

All systems with LEADS connectivity are required to employ up-to-date virus protection software.


System is slow, freezes or crashes.

Unusual error messages are displayed.

Excessive uncommanded disk drive activity.

Applications don’t operate properly.

Multiple pop-up windows appear on the screen.


When CJI is transported or at rest (stored electronically) outside of the physically secure location it shall be protected via cryptographic mechanisms (encryption).

When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards.


Windows Update is a service provided by Microsoft that provides updates for the Microsoft Windows operating system.

Security updates are delivered on the second Tuesday of each month (a.k.a. Patch Tuesday).

Windows Update can be configured to install updates automatically, ensuring a computer is up-to-date and not vulnerable to known computer worms and malware.

All computers are required to be kept up-to-date with the latest security patches and service packs.


Social Engineering is the act of exploiting a human user to gain access to restricted systems and information (e.g. - Phishing). Use the following guidelines to prevent being a victim of social engineering:

◦ Verify identity of requestors.

◦ Be cautious when providing information via email or over the phone.

◦ Remember, an emailer/caller may not be entitled to the information but may try to fool you by using lingo and buzz words.

◦ Do not share information with persons outside the criminal justice community - such as friends, family, acquaintances, or strangers.


Spam is the name given to unsolicited bulk email that appears in your inbox.

Most spam is advertising for dubious products, get-rich-quick schemes, or other attempts to solicit money and/or compromise the computer.

Never open unsolicited email or attachments, or reply to emails from an unknown source.


Be aware CJI could be compromised in any of the following ways:

◦ Tampering with equipment (server, router, etc.) by employee, vendor or unauthorized person.

◦ Theft of laptops, handheld devices, or any other device which is used to access LEADS.

◦ Unauthorized remote access.

◦ Installing/downloading unauthorized software onto systems and network components.

◦ Virus/malware infection.

◦ Creation of unauthorized user accounts.

◦ Unencrypted transmission of LEADS data over non-criminal justice networks (wireless, county networks, telecom carriers).


All devices with access to the LEADS network must have adequate physical security to protect against unauthorized access.

LEADS routers, switches, firewalls and interface servers must be located in a locked, limited access room.

All visitors and vendors must be accompanied by authorized personnel at all times when accessing secure areas.

LEADS terminals must be physically positioned so unauthorized persons are unable to view the screen and must employ session lock mechanisms after a maximum of 30 minutes of inactivity (does not apply to dispatch terminals).


A personally owned information system shall not be authorized to access, process, store, or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage.


Any system that accesses CJI shall display an approved system use notification message that contains the following information:

◦ The user is accessing a restricted information system.

◦ System usage may be monitored, recorded, and is subject to audit.

◦ Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties.

◦ Use of the system indicates consent to monitoring and recording.


If you become aware of any policy violation or a situation where LEADS data has been compromised, immediately contact LEADS Control at 1-800-589-2077 and begin gathering information for the Computer Incident Report Form (LEADS Security Policy Appendix E).

Depending on the severity of the incident, LEADS Control will direct you to LEADS Security staff or the State ISO.


“You are the key to security, it begins with you.”

All users are responsible for adherence to the requirements documented in the LEADS Security Policy.

Please refer to the Security Policy or contact LEADS Control at 1-800-589-2077 with any questions regarding proper operation or security of computer systems.