CJIS Security Policy Version 5.4, 10/06/2015

CJIS Security Policy Version 5.4, 10/06/2015
Stephen “Doc” Petty, CISSP, SSCP
CJIS Technical Auditor, Texas Dept of Public Safety

Policy Changes

What’s New in 5.4
• 2.3 Risk Based Compliance Approach
• 5.5.6 Remote Access (Virtual Escorting)
• 5.6.2.2 Advanced Authentication (Clarify Certificates)
• 5.10.1.2 Encryption Exception
• 5.10.3.2 Virtualization and Partitioning (Clarification)

What’s Ahead?
• Explore upcoming topics of APB discussion

Q&A
• Open discussion for questions and concerns

Risk Based Compliance

2.3 Risk Based Compliance
• Under the CJIS Security Policy approach, begin a more risk-based approach to compliance measures.
• Section 2.3, Risk versus Realism: Executive Summary integrating Risk-Based Compliance and Requirements Tiering into the Policy.

Virtual Escorting

5.5.6 Remote Access
• Section 5.5.6 Remote Access: Virtual Escorting – for compelling operational needs.
• Process must be documented within the security plan.
• Must meet the 5 requirements as outlined within the policy.

AA Certificates

5.6.2.2 Advanced Authentication
Clarifying the types of certificates:
• Must be specific to an individual user and not to a particular device.
• Prohibit multiple users from utilizing the same certificate.
• Require the user to “activate” that certificate for each use in some manner (e.g., passphrase or user-specific PIN).

Encryption Exception

5.10.1.2 Encryption Exception
Encryption shall not be required if the transmission medium meets all of the following requirements:
• The agency owns, operates, manages, or protects the medium.
• The medium terminates within physically secure locations at both ends with no interconnections between.
• Physical access to the medium is controlled by the agency using the requirements in Sections 5.9.1 and 5.12.
• Protection includes safeguards (e.g., acoustic, electric, electromagnetic, and physical) and, if feasible, countermeasures (e.g., alarms, notifications) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.
• With prior approval of the CSO (Alan Ferretti has been assigned).

Virtualization

5.10.3.2 Virtualization and Partitioning (Clarification)
Clarification of Virtualization and Partitioning in the CJIS Security Policy:
• Isolate the host from the virtual machine.
• Maintain audit logs.
• Physically separate from virtual machines (if internet facing).
• Critical drivers should be specific to the virtual machine.
• No sharing – secured as independently as possible.

For Future Consideration…

Faxing Requirements
• Update to include up-to-date facsimile technology.
• CJI being transmitted via email-like technology shall meet the encryption requirements in transit as defined in Section 5.10.

Section 5.13 Mobile Devices
• Add FIPS compliant secure protocols (e.g. SFTP, HTTPS, SNMP over TLS, etc.) for all management access and authentication.
• Disable non-FIPS compliant secure access to the management interface.
• Verify equipment compliance and function prior to and after any deployment outside of the U.S.

Mobile Device Management
Add the following configurations to the required abilities of the MDM solution:
• Detection of unauthorized software or applications.
• Ability to determine the location of agency controlled devices.
• Prevention of unpatched devices from accessing CJI or CJI systems.
• Automatic device wiping after a specified number of failed access attempts.

LEO Website (LEEP)
• The APB will be discussing TLS 1.2 implementation and how this may affect agencies (impacted browsers, etc.).
• Now using true two factor authentication (TLS and out of band, e.g., PIN).

Contacts
Alan Ferretti, (512) 424-7186, alan.ferretti@dps.texas.gov
Stephen “Doc” Petty, (512) 424-7055, stephen.petty@dps.texas.gov

Questions?