CJIS SECURITY POLICY v5.5 1 Hour presentation goal

Presentation transcript:

CJIS SECURITY POLICY v5.5 1 Hour presentation goal Highlight changes only – do not go into depth. Attempt to leave time for some discussion regarding upcoming focus areas and question period. Stephen “Doc” Petty, CJIS ISO - Texas

CJIS Security Policy version 5.5 (TCJUIG)
Agenda:
- History of the CJIS Security Policy
- The Advisory Policy Board
- Policy Creation
- Highlight Policy changes
- Areas of Focus: MDM / Mobile Devices; AA Compensating Controls; Cloud Services
- Vendor Contact Changes
- Resources & Questions
Policy changes covered: Security Awareness, Incident Response, Audit Logs, Access Controls, Advanced Authentication, Encryption, Faxing.

Policy Areas
- Section 1. Introduction
- Section 2. CJIS Security Policy Approach
- Section 3. Roles and Responsibilities
- Section 4. Criminal Justice and PII
- Section 5. Policy and Implementation
- Appendix A-K: Various supporting information
Presenter note: Will focus on Section 5 of the Policy as it relates to security and implementation.

Shared Management Philosophy
The FBI employs a shared management philosophy across Federal, Local, State and Tribal Law Enforcement. A similar relationship exists with the Compact Council and State Identification Bureaus for noncriminal justice usage of criminal history records.
The Advisory Policy Board, subcommittees, and working groups collaborate with the FBI CJIS Division to ensure that the CJIS Security Policy meets evolving business, technology, and security needs.
Presenter notes: Wrap a story around this; use the visitor log change as an example (white paper and recommendation; use the APB topic paper as an example). 200 people have looked at this before changes. FBI did not pass Amarillo; however, the overall message did result in a change to how sign-in sheets were being looked at.

CJIS SECURITY POLICY: 5 Working Groups, 9 Subcommittees, 1 CJIS APB
- Working Groups: five regional groups (approximately 30 members each)
- Subcommittees: nine, topic specific, which include 18 Task Forces (subject matter experts)
- Advisory Policy Board (APB): approximately 37 members

Security & Access Subcommittee Representation
Chairman: TBA
Vice Chair: Joe Dominic, CA DOJ
Members: TJ Smith, CA LASD; Brenda Abaya, HI DPS; Jim Slater, MA Dept. Crim. Justice; Blaine Koops, MI County Sheriff; Patrick Woods, MO HP; Yosef Lehrman, NY NYPD; Brad Truitt, TN; Chris Kalina, WI DOJ; Bill Phillips, AZ Nlets; Charles Shaffer, FDLE
Map regions: North Central, Northeastern, Western and Southern Working Groups.
Presenter notes: Green states have representation within SA. Green states represent a large, diverse area of the United States, with representation from each working group on the committee. This group of individuals includes ISOs, CSOs, sworn law enforcement and technical experts. Retirement of Alan Ferretti.

The Advisory Policy Process
- Two cycles annually: Topic Papers (discussion items submitted) in Spring and Fall (APB meets)
- Working Groups, Subcommittees, Board
- FBI Director (approval and sign-off on Policy)
Presenter notes: The APB meets twice yearly, once in summer and again in Fall, to discuss and vote on changes to be incorporated into the new version of the FBI CJIS Policy.

Published Policy: Results in established National Policy, which is published annually in the July / August timeframe.

The Security Review Web Site (DPS): http://www.dps.texas.gov/securityreview/
Presenter note: Two sites we recommend for current and validated material.

CJIS Security Policy Resource Center (FBI): http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view

Highlight Policy Changes

Security Awareness Training
- Required within six months of employment; biennially afterward
- It is the agency's responsibility to maintain CJIS Security Awareness training documentation
- Acceptance of training from another agency
- Awareness topics depend on level of access
- Current options: Omnixx, Security Awareness PDF & Online Security Awareness Training
Presenter notes: Required within 6 months, every two years, and documented. Current options: Omnixx, PDF & CJIS Online. The PDF is taken by Levels 1, 2 and 3 only; IT Level 4 is completed in CJIS Online.

POLICY CHANGES: Security Awareness. What's New? Differing levels of training:
- Level 1: Personnel with unescorted access to secure areas
- Level 2: Personnel that have physical contact with CJI
- Level 3: Personnel that enter, query or modify CJI
- Level 4: Personnel with Information Technology roles
Presenter notes: Are the levels. As of 10-6-16 they added a 4th level. Spanish version: Level 1 only. Expiration Report.

LOGIN TO CJIS ONLINE: https://www.cjisonline.com
Presenter notes: CJIS Online website: the TAC logs in as Local Agency Administrator. One account only; it is tied to the agency's ORI. Vendors can have multiple admin accounts.

Incident Response Plan
- Management of Incidents
- Incident Handling
- Collection of Evidence
- Incident Response Training
- Incident Monitoring

POLICY CHANGES 5.3: Incident Response
Significant change in the CJIS Security Policy: any incident involving criminal justice information (CJI), physical or digital, should be reported.
Presenter notes: This is significant and is largely due to lost hand-held devices continuing to be one of our agencies' biggest threats. Potentially compromised data is key. Attempt to clarify both physical and digital, hardcopies included, which may become compromised (printed CCH taken out of a patrol vehicle while serving warrants, etc.). Includes physical. Also note changes in reporting needs for hand-held devices.

Incident Response This form is used for reporting incidents within the State of Texas. It is the same form referred to within the FBI CJIS Policy however the contact names located at the bottom are specific to our state officials. Please use this (available from our website) as the FBI representatives will be referring you back to these contacts for reporting purposes and support.

Access Control

POLICY CHANGES 5.5: Access Control
Provides the following planning and implementation of mechanisms to protect access to CJI and the modification of the systems which process CJI:
- Account Management
- Access Enforcement
- Unsuccessful Login Attempts
- System Use Notification
- Session Lock
- Remote Access
- Personally Owned Information Systems (BYOD)
- No CJI from Publicly Accessible Computers
Presenter notes: These are areas involving Access Control. Changes to this area are specific to Remote Access.

POLICY CHANGES 5.5: Access Control
A few significant changes in CJIS Security Policy v5.4:
- Document the rationale, technical and administrative process for enabling remote access for privileged functions
- Established parameters for permitting Virtual Escorting for Remote Access
Presenter notes: Highlight the need to address remote access to CJI. Virtual Escorting can be used for access to systems other than privileged functions as long as requirements are met.

Advanced Authentication Continuing in the access control, highlight changes and clarifications regarding AA

POLICY CHANGES Section 5.6.2.2, Policy Area 6: Identification and Authentication
Clarification of Out-of-Band Authentication for AA.
5.6.2.2 Advanced Authentication: Advanced Authentication (AA) provides additional security beyond the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g. public key infrastructure (PKI)), smart cards, software tokens, hardware tokens, paper (inert) tokens, and out-of-band authenticators (retrieved via a separate communication service channel, e.g., an authenticator sent on demand via text message, phone call, etc.).
When user-based certificates are used for authentication purposes, they shall:
- Be specific to an individual user and not to a particular device.
- Prohibit multiple users from utilizing the same certificate.
- Require the user to "activate" that certificate for each use in some manner (e.g., passphrase or user-specific PIN).

Encryption Continuing in the access control, highlight changes and clarifications regarding AA

5.10 What's Changed? A few changes in CJIS Security Policy v5.4:
- Encryption exemption for "campus-like scenarios"
- Changes to 5.10.3.2 Virtualization: permits virtual segregation (must be within line of sight; request must be obtained through the CSO)
Presenter notes: Acknowledge and permit use of virtualized segmentation for specific cases. Must be within line of sight. Agency must control the fiber. Request must be obtained through the CSO.

Faxing

POLICY CHANGES Section 5.10.2, Policy Area 10: System and Communications Protection and Information Integrity
5.10.2 Facsimile Transmission of CJI: CJI transmitted via facsimile (a single or multi-function device) over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application or service which implements email-like technology shall meet the encryption requirements for CJI in transit as defined in Section 5.10.1.

POLICY CHANGES: "Hardwired": Encryption Not Required. Email-like: Encryption Required.

Mobile Devices
Presenter note: Discuss MDM (Mobile Device Management) and the expanded use of smart phones and tablets within LE.

POLICY CHANGES Section 5.13, Policy Area 13: Mobile Devices. Highlighted changes include:
5.13.3 Wireless Device Risk Mitigations: Organizations shall, at a minimum, ensure that cellular wireless devices:
- Use advanced authentication or CSO approved compensating controls as per Section 5.13.7.2.1.
- Employ malicious code protection or run an MDM system that facilitates the ability to provide anti-malware services from the agency level.
Presenter notes: Outlines need for an MDM solution to meet compensating controls. Specific to AA compensation only.

Compensating Controls for AA
- Applies only to smartphones and tablets
- Possession of agency issued device is a required part of the control
- Additional requirements mostly met by MDM
- Compensating Controls are temporary
- CSO approval and support required
- Meet the intent of the CJIS Security Policy AA requirement
- Provide a similar level of protection or security as the original AA requirement
- Not rely upon existing requirements for AA as compensating controls
Presenter note: Highlight that this only applies to Cell Phones and Tablets.

Submit email to security.committee@dps.texas.gov. Include "Request for Compensating Controls" in the subject line.

BYOD: Personally Owned Information Systems
- Not authorized to access CJI unless terms and conditions are specified.
- When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices.
Presenter notes: Policy must be established along with control measures to meet CJIS Policy requirements. BYOD policies will be reviewed to ensure that requirements are met. BYOD agencies are not eligible for compensating controls and must meet the AA requirement.

What's Coming in CJIS Policy?
Presenter note: Also have a continuing mobile task force.
Stephen "Doc" Petty, CISSP, SSCP, CJIS ISO - Texas, Stephen.petty@dps.texas.gov

What's Coming in CJIS Policy? Policy Section 5.13
- The Mobile Security Task Force will continue to review areas for change and updates to the policy.
- New Task Force being established to focus on cloud services.
Presenter notes: Two task forces, one for cloud and one for mobile. Look for changes in Section 13 of the policy, dealing with mobile devices.

Mobile Device Management (MDM)

POLICY CHANGES Section 5.13, 5.13.2: Mobile Devices
5.13.2 Mobile Device Management (MDM): MDM with centralized administration configured and implemented to perform at least the following (minimum):
- Remote locking of device
- Remote wiping of device
- Setting and locking device configuration
- Detection of "rooted" and "jailbroken" devices
- Enforcement of folder or disk level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations

POLICY CHANGES Section 5.13, 5.13.7.2.1: Mobile Devices Continued
5.13.2 Mobile Device Management (MDM), continued: MDM with centralized administration configured and implemented to perform at least the following:
- Detection of unauthorized software or applications
- Ability to determine the location of agency controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts

What's Coming in CJIS Policy? Policy Section 5.10
The Security and Access (SA) Subcommittee has established a Cloud Task Force to review all cloud related topics, such as:
- Collection and Use of Metadata by Cloud Service Providers
- Security of CJIS Data Stored in Offshore Cloud Computing Facilities
- FedRAMP/Trustmark concept
Presenter notes: Look for changes within Section 10 of the policy dealing with cloud specific issues and services. A task force is being established for this area much like what was done to address mobile computing. Consider the used car concept here: one you rent, the other you own. With cloud services you (the agency) no longer have physical control over your data. It is important to be aware of where your data resides: talk to vendors, ask questions and ask for guidance when needed.

DPS and Vendor Contact

DPS and Vendor Contact
We have some very strict rules now regarding DPS employees and vendor contact. To set up a call with the DPS CJIS Technical Audit staff, all of the following must be true:
1. The vendor must have a contract with a Texas LE Agency.
2. The vendor must have a fully executed CJIS Security Addendum with the LE Agency.
3. The agency must set up the call with DPS and be on the line.

DPS and Vendor Contact
- The Agency can call the CJIS Technical Audit Team at any time.
- The Agency will need to ensure that due diligence is done regarding its vendor contract.
- The agency should specify that CJIS compliance is required in the contract.
- There will be no exceptions to this.
Presenter note: DPS Office of General Counsel: without a security addendum, there are bidding issues for contracts.

Questions?

Thank you