Record Checks & Security Awareness Training (37 pages)

Upload: ataret

Post on 21-Feb-2016



TRANSCRIPT

Page 1: Record Checks & Security Awareness Training

Record Checks & Security Awareness Training

Page 2

Definitions: Access to Criminal Justice Information — The physical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information. (FBI CJIS Security Policy 5.2 Appendix A)

We Shred ‘em!

Page 3

(Repeats the definition of “Access to Criminal Justice Information” from Page 2.)

Page 4

(Repeats the definition from Page 2, with a cartoon caption:)

I’m Marsha.

How can I help you?

Page 5

Definitions: pro·cess noun \ˈprä-ˌses, ˈprō-, -səs\ b: a series of actions or operations conducing to an end; especially: a continuous operation

The CJI process as diagrammed on the slide:

• Enter CJI: “EW”, “EPO”, “EV”
• Query CJI: employment record checks; KCS, QWI, pre-sentence query
• Store or print CJI: electronic (RMS); hard copy (file cabinet)
• Destroy CJI: shred, overwrite, degauss, incinerate

Page 6

(Repeats the definition of “process” from Page 5.)

Page 7

Definitions: “During CJI processing” implies CJI is accessible for viewing, modifying or “making use of”

• CJI left on printers, copiers or fax machines
• CJI stored insecurely: unlocked file cabinets; disorganized and in the open

Page 8

Definitions: “During CJI processing” implies that CJI is accessible for viewing, modifying or “making use of”

• Computers unlocked with CJI application open
• Wiring closets unlocked
• Network infrastructure left exposed where packet sniffers or other spy devices could be introduced
• If a person is alone with unencrypted (plain text) CJI where security is out of CJA control

We Shred ‘Em!

Page 9

When developing policies to ensure the security of Criminal Justice Information, the FBI and KCJIS must take into account several things. Not the least amongst these are Federal Regulations. Federal regulations are often based on research of industry standards and published recommendations of organizations such as the National Institute of Standards and Technology, or NIST.

Page 10

WHY Record Checks ?????

• Having proper security measures against the insider threat is a critical component for the CJIS Security Policy.

A study conducted by the U.S. Secret Service and the Carnegie Mellon University Software Engineering Institute CERT Program analyzed 150 insider cyber crimes across U.S. critical infrastructure sectors…

Page 11

WHY Record Checks ?????

• Having proper security measures against the insider threat is a critical component for the CJIS Security Policy.

According to one report from the study*, “…the cases of insider IT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harm to people and organizations”.

* Moore, Andrew, Cappelli, Dawn, & Trzeciak, Randall. (2008). The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (CMU/SEI-2008-TR-009). Retrieved March 28, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8703

Page 12

The study made 7 observations.

OBSERVATION 1: MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE

Personal predisposition: a characteristic historically linked to a propensity to exhibit malicious insider behavior.

Personal predispositions explain why some insiders carry out malicious acts, while coworkers who are exposed to the same conditions do not act maliciously. Personal predispositions can be recognized by certain types of observable characteristics [Band et al. 2006]:

• Serious mental health disorders—Sample observables from cases include alcohol and drug addiction, panic attacks, physical spouse abuse, and seizure disorders.

• Social skills and decision-making bias—Sample observables from cases include bullying and intimidation of coworkers, serious personality conflicts, unprofessional behavior, personal hygiene problems, and inability to conform to rules.

• A history of rule violations—Sample observables from cases include arrests, hacking, security violations, harassment complaints, and misuse of travel, time, and expenses.

All of the insiders in the MERIT cases who committed IT sabotage exhibited the influence of personal predispositions.

Page 13

Policies Regarding Record Checks

5.12 Policy Area 12: Personnel Security Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section’s security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

For our purposes, “unencrypted” is synonymous with “plain text”, “readable”, or “actionable”. Actionable means ability to enter, modify or otherwise affect data.

Page 14

Policies Regarding Record Checks

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.

Page 15

Policies Regarding Record Checks

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.

9. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.

Page 16

(No text on this slide.)

Page 17

(No text on this slide.)

Page 18

Policies Regarding Record Checks

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. … However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances.

Page 19

Record Checks

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements

Within 30 days of CJI access (prior to access for private contractors): submit fingerprints to KBI.

Submission initiates searches of Kansas, NCIC (QWA), and III (QH) for records associated with matching images.

NLETS (IQ) to state of person’s residency (name based).

Further queries when indicated: QR (III), FQ (NLETS).

Page 20

Record Checks

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements

Within 30 days of CJI access (prior to access for private contractors):

Individual name-based records rechecks as specified above shall be conducted annually or whenever there is reasonable suspicion that an individual’s criminal history status has changed.

KCJIS requires ANNUAL NAME-BASED rechecks:

• NCIC person files (QWA) + III (QH) [QWI gets both]
• NLETS IQ to state of residence, or Kansas KQMW + KIQ

Page 21

Policies Regarding Record Checks

5.12.1.1 Minimum Screening Requirements

1 INTRODUCTION; 1.1 Purpose; 1.3 Relationship to Local Security Policy and Other Policies: …local policy may augment, or increase the standards,

OPTIONAL:

• Background Investigations (interview acquaintances, etc.)
• Employment History/References
• DL

WHY would you? MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE

Edward Snowden, Bradley Manning

Page 22

Policies Regarding Record Checks

What’s notably NOT in policy:

• Citizenship Requirement
  • FBI CJIS: no restriction on non-US citizens
  • KCJIS: Non-US citizens must be legally able to perform the work in or for the United States. Recommendations in Policy Part III
• Employment Policy
  • Security Policy only addresses ACCESS to CJI

Page 23

Policies Regarding Record Checks

A teleconference with staff from the FBI CJIS ISO office and I.T. Security Audit team clarified that INTRA-state sharing of record check information between agencies is being allowed when the CSA is aware and approves of the procedures.

That means agencies can again share record check results when:

1. It is done within the purview of the CSA (in Kansas that is the KHP CJIS Unit).
2. All agencies involved are in agreement.
3. Paperwork is available to provide auditors evidence that:
   a. The CSA knows which local agencies are involved
   b. A tracking mechanism for completed records checks is in place and known by all stakeholders
   c. All local agencies know which agency conducted the record checks on which personnel.

We are announcing the release of a revised KCJIS 114-RC form.

Page 24

Policies Regarding Record Checks

Page 25

Security Awareness Training: WHY?

As cited in audit reports, periodicals, and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The “people factor” - not technology - is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this “asset.”

From Introduction: Wilson, Mark, Hash, Joan (2003). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50, October 2003. National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Page 26

Security Awareness Training: WHY?

A robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.

From Introduction: Wilson, Mark, Hash, Joan (2003). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50, October 2003. National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Page 27

Policies Regarding Security Awareness Training (in order of appearance)

5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum

The CJIS Security Addendum is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum shall be enacted only by the FBI.

Page 28

Policies Regarding Security Awareness Training (in order of appearance)

5.2 Policy Area 2: Security Awareness Training

Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.

Page 29

Policies Regarding Security Awareness Training (in order of appearance)

5.2 Policy Area 2: Security Awareness Training

5.2.1.1 All Personnel

At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:

Page 30

Policies Regarding Security Awareness Training (in order of appearance)

5.2 Policy Area 2: Security Awareness Training

5.2.1.2 Personnel with Physical and Logical Access

In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

Page 31

Policies Regarding Security Awareness Training (in order of appearance)

5.2 Policy Area 2: Security Awareness Training

5.2.1.3 Personnel with Information Technology Roles

In addition to 5.2.1.1 and 5.2.1.2 above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel (system administrators, security administrators, network administrators, etc.):

Page 32

Security Awareness Training REQUIRED If…

• The person uses Criminal Justice Information in any form:
  • Radio or cell phone
  • Hard copy
  • Emailed
  • Faxed
  • Computer terminal access: OpenFox, CAD, Record Management Systems, Case Management

Page 33

Security Awareness Training REQUIRED If…

• The person is unescorted and will be unavoidably exposed to Criminal Justice Information during the course of their work.

• The person is given unescorted/unmonitored access to the computer network and infrastructure used by others to access Criminal Justice Information.

Page 34

Security Awareness Training REQUIRED If…

• The person is unescorted in places where CJI is regularly left unsecured, easy for anyone to view.

Page 35

WHO NEEDS WHAT

Columns: Role of personnel | Access to unencrypted CJI and/or network infrastructure? | Escorted or monitored during CJI processing? | Requirements: record checks | Security awareness training topics required

Agency personnel with computers for other than CJI | Not authorized, but they operate computers on the same network and have free access to the facility, so may be exposed | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.2
LEOs, court personnel, etc. without KCJIS access | YES: physical access, hard copy | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1
CJI terminal operators (includes LEOs with MDTs) | Authorized: physical and electronic | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.2
TACs & LASOs | Authorized: physical and electronic + administration | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.3
Agency I.T. | YES | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.3

Page 36

WHO NEEDS WHAT

Columns: Role of personnel | Access to unencrypted CJI and/or network infrastructure? | Escorted or monitored during CJI processing? | Requirements: record checks | Security awareness training topics required

City/County I.T. | YES | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.3
Contract support - CAD/RMS, other criminal justice applications | YES - authorized only after incorporating FBI Security Addendum into contract | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.3
Contract support - CAD/RMS, other criminal justice applications (escorted) | (as above) | YES | Authenticate (5.9.1.7); name based recommended | NONE
Contract support - basic computer hardware, network and/or office suite | Not intended but may be exposed during on-site work | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1 – 5.2.1.3
Contract support - basic computer hardware, network and/or office suite (escorted) | (as above) | YES | Authenticate (5.9.1.7); name based recommended | NONE
Contract shredding | Shred offsite | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1
Contract shredding | Agency-witnessed shred on site | YES | Authenticate (5.9.1.7); name based recommended | NONE
Custodial personnel | Not authorized | NO | 1. FINGERPRINT 2. ANNUAL NAME BASED | 5.2.1.1
Custodial personnel (escorted) | Not authorized | YES | Authenticate (5.9.1.7); name based recommended | NONE

Page 37

For More Information: https://cjisaudit.khp.ks.gov/launchpad/

KCJIS INFORMATION SECURITY OFFICER
Don Cathey
Kansas Highway Patrol
122 SW 7th St, Topeka KS 66603-3847
Office: (785) 368-6518 | Fax: (785) 296-0958 | Cell: (785) 213-7135
E-mail: [email protected]

SECURITY TRAINER / AUDITOR
Rod Strole
Kansas Highway Patrol
122 SW 7th St, Topeka KS 66603-3847
Office: (785) 368-6519 | Fax: (785) 296-0958 | Cell: (785) 249-9961
E-mail: [email protected]

SECURITY TRAINER / AUDITOR
Tammie Hendrix
Kansas Highway Patrol
122 SW 7th St, Topeka KS 66603-3847
Office: (785) 368-6514 | Fax: (785) 296-0958 | Cell: (785) 338-0052
E-mail: [email protected]

SECURITY TRAINER / AUDITOR
Kip Ballinger
Kansas Highway Patrol
2019 E Iron Ave, Salina KS 67401-3406
Office: (785) 822-1796 | Fax: (785) 822-1793 | Cell: (785) 452-0180
E-mail: [email protected]