Jennifer Hlad, LEDS & OUCR Trainer LASO 101 – 2013 OREGON STATE POLICE LAW ENFORCEMENT DATA SYSTEMS CRIMINAL JUSTICE INFORMATION SERVICES DIVISION.

DEFINITIONS & ACRONYMS:
CJIS: Criminal Justice Information Services
CSA: CJIS Systems Agency
TAC: Terminal Agency Coordinator – LEDS Representative
LASO: Local Agency Security Officer, the agency contact for CJIS training (see the CJIS Security Policy v5.2 section that defines this role)
CJI: Criminal Justice Information, any FBI CJIS-provided data
CJA: Criminal Justice Agency/Agencies
NCJA: Noncriminal Justice Agency/Agencies

DEFINITIONS & ACRONYMS:
ISO: Information Security Officer (see the CJIS Security Policy v5.2 section that defines this role)
APB: The Advisory Policy Board, a federal entity
FBI: Federal Bureau of Investigation
NIST: National Institute of Standards & Technology

WHAT IS THE CJIS SECURITY POLICY?
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides:
Guidance for the creation, viewing, modification, transmission, dissemination, storage and destruction of CJI.
Rules and mandates for every contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity who has access to, or operates in support of, criminal justice services and information.

WHO CAN BE A LASO?
The LASO can be:
The LEDS Rep.
A member of the local IT department
A member of your contracted IT department
A member of the city IT department
A member of the county IT department
The role need not sit within the agency; IT supervision can be contracted out to a master IT department, e.g. a Sheriff's Office uses the main County IT Department for this role.
The LASO is not required to administer the CJIS Security Training. The agency will maintain the CJIS Security Training records at the local level; this can be done by the LEDS Rep., the LASO or another appointed person.

WHAT IS A LASO REQUIRED TO DO?
1. Identify who is using the CSA-approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.
2. Identify and document how the equipment is connected to the state system.
3. Ensure that personnel security screening procedures are being followed as stated in the latest CJIS Security Policy.
4. Ensure the approved and appropriate security measures are in place and working as expected.
5. Support policy compliance and ensure the CSA ISO is promptly informed of security incidents.

IDENTIFYING USAGE OF LEDS HARDWARE, SOFTWARE, AND FIRMWARE
This is largely an IT role in which it is decided what hardware and software (Toughbooks, PCs, routers, switches, and the applications used to access the state system such as WebLEDS, Forsecom, etc.) will be utilized within the agency.

ENSURING NO UNAUTHORIZED INDIVIDUALS OR PROCESSES HAVE ACCESS TO LEDS
Agencies shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. This matters most for employees leaving your agency: make sure you disable their web accounts so they can no longer be used. Your agency should handle this by implementing a policy that covers access to LEDS for new, terminated or transferred employees.

IDENTIFY & DOCUMENT HOW THE EQUIPMENT IS CONNECTED TO THE STATE SYSTEM
Use network diagrams, as highlighted in appendix C of the CJIS Security Policy v5.2. This is a network diagram of conceptual connections between various agencies:

NETWORK DIAGRAMS CONTINUED

ENSURE THAT PERSONNEL SECURITY SCREENING PROCEDURES ARE BEING FOLLOWED
CJIS Security fingerprinting typically falls to the LEDS Representative.
Fingerprint each employee and submit the prints to ID Services within 30 days of employment.
Employees must be fingerprinted for each new law enforcement agency (lateral hires).
Forms available: contact the ID Services fingerprint staff with any questions.
Don't forget to notify the ID Services staff once an employee has separated from your agency so that their CJIS Security flag for your agency can be inactivated.

ENSURE THE APPROVED AND APPROPRIATE SECURITY MEASURES ARE IN PLACE
This is specific to your agency, how you have structured your IT needs, and your LEDS access infrastructure. See CJIS Security Policy v5.2 appendices J & K for the various infrastructure requirements.

SUPPORT CJIS SECURITY POLICY COMPLIANCE
Once your agency has established its internal policies addressing the required CJIS Security Awareness topics, make sure all employees follow the policies, have access to them, are aware of them, and are aware of the consequences for breaching them. See the provided sample protocols, which you can customize to your agency and its needs.

ENSURE THE CSA ISO IS PROMPTLY INFORMED OF SECURITY INCIDENTS
This is reflected in an Incident Response Plan implemented within your agency. Detailed requirements of the Incident Response Plan are outlined in section 5.3 of the CJIS Security Policy v5.2. See the example policy included in your packet.

MAINTENANCE OF CJIS TRAINING RECORDS HAS BEEN DESIGNATED TO THE LOCAL LEVEL
It is your agency's responsibility to maintain CJIS Security Awareness training documentation. CJIS Security Awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI. There are three (3) types of access to CJI:
Level 1: Physical access
Level 2: Physical and/or logical access
Level 3: Personnel with information technology roles
OSP has provided a way for agencies to maintain their records online using the CJIS Online Portal. Documentation on how to use this portal has been provided in your packet.
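Two of the LASO duties above reduce to checks an agency can run on its own records: the account-management slide (no enabled LEDS or web account may remain for a separated employee) and the training-records slide (awareness training due within six months of initial assignment and every two years after). The script below is an added example, not part of the LASO 101 slides or any OSP tool; the roster, account list, training dates and the "today" date are all constructed sample data, and the account and training record formats are assumptions. It reconciles the three sources and reports enabled accounts with no current owner on the roster and current personnel whose training is overdue.

```python
"""Added example: reconcile agency records against two CJIS training rules.
Rule 1 (account management): a separated employee must not still hold an
enabled account, and every enabled account must map to a roster entry.
Rule 2 (training records): CJIS Security Awareness training is due within
six months of initial assignment and biennially thereafter.
All data below is constructed for illustration; the record layouts are
assumptions, not the format of the CJIS Online Portal.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    name: str
    assigned: date              # date of initial assignment with CJI access
    level: int                  # 1 physical, 2 physical/logical, 3 IT roles
    separated: Optional[date] = None  # None while still employed


@dataclass
class Account:
    username: str
    owner: str                  # roster name the account belongs to
    enabled: bool


def add_months(d: date, n: int) -> date:
    """Calendar-accurate month arithmetic (clamps to the last day of month)."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def stale_accounts(roster: List[Person], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Rule 1: enabled accounts whose owner separated or is not on the roster."""
    by_name = {p.name: p for p in roster}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                      # already disabled: nothing to report
        p = by_name.get(a.owner)
        if p is None:
            findings.append((a.username, "no roster entry"))
        elif p.separated is not None:
            findings.append((a.username, f"owner separated {p.separated.isoformat()}"))
    return findings


def training_due(person: Person, completions: List[date]) -> date:
    """Rule 2: next due date is six months after assignment if never trained,
    otherwise two years after the most recent completion since assignment."""
    done = sorted(d for d in completions if d >= person.assigned)
    if not done:
        return add_months(person.assigned, 6)
    return add_months(done[-1], 24)


def overdue_training(roster: List[Person], training: Dict[str, List[date]],
                     today: date) -> List[Tuple[str, date]]:
    """Current personnel (any access level) whose due date has passed."""
    findings = []
    for p in roster:
        if p.separated is not None:
            continue                      # separated staff fall under rule 1
        due = training_due(p, training.get(p.name, []))
        if due < today:
            findings.append((p.name, due))
    return findings


# ---- constructed sample data -------------------------------------------
TODAY = date(2013, 9, 1)
ROSTER = [
    Person("A. Officer", date(2010, 1, 15), level=2),
    Person("B. Dispatcher", date(2013, 1, 10), level=2),       # never trained
    Person("C. Former", date(2008, 5, 1), level=2, separated=date(2013, 6, 30)),
    Person("D. Janitor", date(2011, 8, 20), level=1),          # level 1 still needs training
]
ACCOUNTS = [
    Account("aofficer", "A. Officer", enabled=True),
    Account("bdisp", "B. Dispatcher", enabled=False),
    Account("cformer", "C. Former", enabled=True),             # should have been disabled
    Account("vendor1", "Vendor Tech", enabled=True),           # nobody on the roster owns it
]
TRAINING = {
    "A. Officer": [date(2010, 3, 1), date(2012, 2, 15)],
    "C. Former": [date(2011, 4, 1)],
    "D. Janitor": [date(2011, 8, 20)],
}


def run_checks() -> Dict[str, list]:
    return {
        "stale_accounts": stale_accounts(ROSTER, ACCOUNTS),
        "overdue_training": overdue_training(ROSTER, TRAINING, TODAY),
    }


if __name__ == "__main__":
    for check, items in run_checks().items():
        print(check)
        for item in items:
            print("  ", *item)
```

The disabled account for B. Dispatcher is deliberately skipped: the rule concerns access that still works, so the report is the action list for the LASO, not an inventory. Level 1 personnel are included in the training check because the slides require training for anyone with physical access, not only terminal users.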

PHYSICAL ACCESS
Question: Who has physical access?
Answer: Anyone who has unescorted (eyes on at all times) access to areas that process or store CJI. Common examples include the following roles:
Janitors
Building maintenance
Radio technician vendors
Anyone given unfettered walking access to your secured location

PHYSICAL AND/OR LOGICAL ACCESS
Question: Who has physical and/or logical access?
Answer: Any individual who has login credentials to a LEDS terminal.

PERSONNEL WITH INFORMATION TECHNOLOGY ROLES
Question: What does this mean?
Answer: Anyone who has unescorted access to networking equipment (routers, switches and hubs) or to servers processing or storing CJI. Access can be as simple as a key to the door that secures this equipment. It can also be as complex as vendors with unescorted VPN access to systems that process CJI.

QUESTIONS?

CONTACT INFO Jennifer Hlad, LEDS Training Specialist (Desk) (Fax) Greg Verharst, CJIS Information Security Officer Ext (Desk) (Fax)