Presentation is loading. Please wait.

Presentation is loading. Please wait.

CALEA Filings and Procedural Steps Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006.

PublishDarren Thompson Modified over 9 years ago

Similar presentations

Presentation on theme: "CALEA Filings and Procedural Steps Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006."— Presentation transcript:

1 CALEA Filings and Procedural Steps Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006

2 Agenda Key dates Requirements Review of forms to be filed Resources for forms, explanations, examples, cover letters Other recommended internal policies DISCLAIMER This presentation in no way should be considered legal advice. It is a review of Merit’s understanding of and plans for CALEA filings.

3 Three Key Dates February 12, 2007 –Entities that the FCC believes need to be CALEA compliant must file the FCC form 445 –File with FCC and with FBI March 12, 2007 –Entities filing form 445 file a Systems Security and Integrity Plan –File with FCC and Homeland Security Bureau May 14, 2007 –Entities must have network compliance, –Unless on form 445 another date, and rationale was noted

4 Form 445 due February 12 th Pretty Simple Name, state, contact info, parent company (e.g.,R&E net that is part of a university) FCC Registration number (FRN) –Must get one at www.fcc.gov, CORES link which is COmmission REgistration Systemwww.fcc.gov –FCC Registration is required to conduct business with the FCC –Merit has FRN because of USF work –This number will be used to uniquely identify you in all transactions with the FCC cont.

5 Form 445, cont. Filer’s 499 ID –Form 499 is only required if a network pays into Universal Service, Telecommunications Relay Service, Number Administration, Local Number Portability Support Mechanisms –Merit doesn’t, and likely no R&E nets do; universities, libraries certainly don’t Filer checks whether it will be compliant by 5/14/07 or not cont.

6 Form 445, cont. Compliance method is identified by a checkbox –Proprietary/Custom or 3 rd party Write the standard used (Draft Standard PTSC-LAES-2006-084R6) Proprietary/custom solution –Merit will get legal advice, but the assumption is that our solution is neither –Check if DOJ has been consulted -- Merit has not Check if Filer is using a Trusted Third Party, and if so, who;

7 Form 445, cont. Trusted Third Parties (TTPs) Can: Assist in meeting filer’s CALEA obligations Provide LEAs the electronic surveillance information those agencies require – In an acceptable format Services include: processing requests for intercepts, conducting electronic surveillance, and delivering relevant information to LEAs. The entity (not the TTP) remains responsible for, –Ensuring the timely delivery of call-identifying information and call content –And for protecting subscriber privacy, as required by CALEA. cont.

8 Form 445, cont. If filer won’t be compliant by 5/14, state why: –Equipment – identify equipment by model type/manufacturer that is responsible for the delay –Network installation – brief description of circumstances contributing to delay –Manufacturer support -- brief description of circumstances contributing to delay –Other – any other circumstances Also describe Mediation actions – what steps being taken to resolve the circumstances causing delay cont.

9 Form 445, cont. Note: “Lack of final standard” isn’t on the list of reasons for delay in compliance –FBI quote: “Their [telecom standards organizations] previous foot-dragging was one of the complaints of the Joint Law Enforcement Petition for Expedited Rulemaking that resulted in the FCC's Second Report and Order.” –“An entity does not need to know the exact specifics of a standard to comply with the FCC's SS&I and Monitoring Report requirement. Solutions vendors know which standard they will build to and only minor Software changes will be required.” (!) Finally, a company officer of the Filer signs FCC Form 445 and it’s filed

10 System Security and Integrity Plan Purpose Ensure that interception can be activated only in accordance with appropriate legal authorization With affirmative intervention of an individual officer of the entity In accordance with regulations prescribed by FCC And to ensure LEAs get the information Also, apparently not onerous

11 Very Different SSI Examples Printouts in workshop binder Blank “templates” at Educause website –Highly recommended because they take 2 nd R&O and incorporate terms into plan 2-page plan by U.S. LEC 4-page plan by Honeybee Networks 15-page plan by MetroPCS Merit plans to be brief –Will draft a plan by end of February and circulate to the community for comment/reference

12 SSI Components - General Appoint a senior officer or employee to ensure that activation only in accordance with lawful authorization –Name and job function –24/7 contact information Merit plans to identify our CEO and an alternate, and have our NOC be the 24/7 contact point Process to report any act of compromise of lawful intercept or unlawful surveillance

13 SSI Components – Record Retention Must maintain secure and accurate record of interception of communications –Legal or not –In the form of a “Certification” Certification includes: –Identifying number/address –Start date –Identify of LEA officer –Name of person signing the legal authorization –Type of interception –Name of employee overseeing –Signed by employee overseeing Must maintain records for a reasonable period of time as determined by entity

14 So…Required Forms Not Onerous What may be more difficult is to actually act on a subpoena –Few and far between –People change jobs –CALEA and other laws differ Merit recommends that every network organization have a network “abuse” policy –Recommend that it be reviewed annually, e.g., at budget time –Or pick a time – like changing batteries in the home smoke detector with daylight savings time changes

15 Merit’s Network Abuse Policy Example Topics Included Triaging abuse complaints – Serious is: –Life or physical well being is threatened –Data could be destroyed, or confidential data exposed –DDOS attack Actions –Refer complainant to his ISP if not serious (e.g., spam) –Open incident report –Open NOC trouble ticket, escalate –Management approval for some action

16 Network Abuse Policy Being Revised CALEA requires new procedures Today, we “only release information about individuals to the organization with which they are associated, not to third parties” –Today, LEAs are always 3 rd parties –If there is a CALEA request, this doesn’t fit –In fact, we can’t let the organization know Today we have a management approval chain, and no one employee makes a decision or takes action –If there is a CALEA request, this doesn’t fit We will revise our internal network abuse policies and share with the community –Perhaps in parallel with the SSI draft

17 References – www.fcc.govwww.fcc.gov Public Notice - Compliance Monitoring Report –DA 06-2512, December 14, 2006 –OMB Control Number 3060-0809 Public Notice - Systems Security and Integrity Filing Requirement –DA 06-2512, December 14, 2006 –OMB Control Number 3060-0809 Systems Security and Integrity Plans components –CALEA of 1994 – Pub.L. No. 103-414, 108 Stat. 4279 –FCC 64 FR 51469, Sept. 23, 1999 –FCC 2 nd Report and Order, May 12, 2006, Appendix B, page 44, for SSI (useful definitions)

18 References, cont. Easiest source: Educause CALEA resource page –http://www.educause.edu/Browse/645?PARE NT_ID=698http://www.educause.edu/Browse/645?PARE NT_ID=698 –Includes FCC public notices, forms, example cover letter for SSI, other background www.askcalea.gov (FBI site) www.askcalea.gov

Download ppt "CALEA Filings and Procedural Steps Mary Eileen McLaughlin Merit – Director Technical Operations January 31, 2006."

Similar presentations

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
Confidentiality and HIPAA

Confidentiality and HIPAA
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
‘ Technology that manages your people with you’ Copyright Townhouse Consulting Ltd The Absence Management System.

‘ Technology that manages your people with you’ Copyright Townhouse Consulting Ltd The Absence Management System.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Fiducianet, inc. tm 1 Presented by H. Michael Warren, President fiducianet, inc. VoIP Technology Perspectives Law Enforcement Concerns & CALEA Compliance.

Fiducianet, inc. tm 1 Presented by H. Michael Warren, President fiducianet, inc. VoIP Technology Perspectives Law Enforcement Concerns & CALEA Compliance.
CALEA Compliance in 2006 H. Michael Warren Vice President, Fiduciary Services NeuStar, Inc February 2006.

CALEA Compliance in 2006 H. Michael Warren Vice President, Fiduciary Services NeuStar, Inc February 2006.
6-1 Full and Fair Reporting Electronic Presentation by Douglas Cloud Pepperdine University Chapter F6.

6-1 Full and Fair Reporting Electronic Presentation by Douglas Cloud Pepperdine University Chapter F6.
Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.

Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Requirements under Title II of the ADA November 18, 2010.

Requirements under Title II of the ADA November 18, 2010.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
QC/QA Mary Malarkey Director, Division of Case Management Office of Compliance and Biologics Quality Center for Biologics Evaluation and Research March.

QC/QA Mary Malarkey Director, Division of Case Management Office of Compliance and Biologics Quality Center for Biologics Evaluation and Research March.
Network security policy: best practices

Network security policy: best practices
HIPAA Basic Training for Privacy and Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA HIPAA Basic.

HIPAA Basic Training for Privacy and Information Security Vanderbilt University Medical Center VUMC HIPAA Website: HIPAA Basic.

Similar presentations

Ads by Google