370 likes | 532 Views
Record Checks & Security Awareness Training . We Shred ‘ em !. Definitions:
E N D
Record Checks & Security Awareness Training
We Shred ‘em! Definitions: Access to Criminal Justice Information — Thephysicalor logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.(FBI CJIS Security Policy 5.2 Appendix A)
Definitions: Access to Criminal Justice Information — Thephysicalor logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.(FBI CJIS Security Policy 5.2 Appendix A)
Definitions: Access to Criminal Justice Information — Thephysicalor logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.(FBI CJIS Security Policy 5.2 Appendix A) I’m Marsha. How can I help you?
Definitions: pro·cessnoun\ˈprä-ˌses, ˈprō-, -səs\ b: a series of actions or operations conducing to an end; especially: a continuous operation
Definitions: pro·cessnoun\ˈprä-ˌses, ˈprō-, -səs\ b: a series of actions or operations conducing to an end; especially: a continuous operation
Definitions: “During CJI processing” implies CJI is accessible for viewing, modifying or “making use of” CJI left on printers, copiers or fax machines CJI stored insecurely unlocked file cabinets Disorganized and in the open
Definitions: “During CJI processing” implies that CJI is accessible for viewing, modifying or “making use of” Computers unlocked with CJI application open Wiring closets unlocked Network infrastructure left exposed where packet sniffers or other spy devices could be introduced We Shred ‘Em! • If a person is alone with unencrypted (plain text) CJI where security is out of CJA control
When developing policies to ensure the security of Criminal Justice Information, the FBI and KCJIS must take into account several things. Not the least amongst these are Federal Regulations. • Federal regulations are often based on research of industry standards and published recommendations of organizations such as the National Institute of Standards and Technology, or NIST.
Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. • A study conducted by the U.S. Secret Service and the Carnegie Mellon University Software Engineering Institute CERT Program analyzed 150 insider cyber crimes across U.S. critical infrastructure sectors… WHY Record Checks ?????
Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. • According to one report from the study*, • “…the cases of insider IT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harm to people and organizations”. WHY Record Checks ????? * Moore, Andrew., Cappelli, Dawn., & Trzeciak, Randall. (2008). The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (CMU/SEI-2008-TR-009). Retrieved March 28, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8703
The study made 7 observations. OBSERVATION 1: MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE Personal predisposition: a characteristic historically linked to a propensity to exhibit malicious insider behavior. Personal predispositions explain why some insiders carry out malicious acts, while coworkers who are exposed to the same conditions do not act maliciously. Personal predispositions can be recognized by certain types of observable characteristics [Band et al. 2006]: • Serious mental health disorders—Sample observables from cases include alcohol and drug addiction, panic attacks, physical spouse abuse, and seizure disorders. • Social skills and decision-making bias—Sample observables from cases include bullying and intimidation of coworkers, serious personality conflicts, unprofessional behavior, personal hygiene problems, and inability to conform to rules. • A history of rule violations—Sample observables from cases include arrests, hacking, security violations, harassment complaints, and misuse of travel, time, and expenses. All of the insiders in the MERIT cases who committed IT sabotage exhibitedthe influence of personalpredispositions.
Policies Regarding Record Checks 5.12 Policy Area 12: Personnel Security Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section’s security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI. For our purposes, “unencrypted” is synonymous with “plain text”, “readable”, or “actionable”. Actionable means ability to enter, modify or otherwise affect data.
Policies Regarding Record Checks 5.12 Policy Area 12: Personnel Security 5.12.1 Personnel Security Policy and Procedures 5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI: 1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.
Policies Regarding Record Checks 5.12 Policy Area 12: Personnel Security 5.12.1 Personnel Security Policy and Procedures 5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI: To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. 9. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.
Policies Regarding Record Checks 5.12 Policy Area 12: Personnel Security 5.12.1 Personnel Security Policy and Procedures 5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI: 1. … However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J depending on the circumstances.
Record Checks • 5.12 Policy Area 12: Personnel Security • 5.12.1 Personnel Security Policy and Procedures • 5.12.1.1 Minimum Screening Requirements • Within 30 days of CJI Access (prior to access for Private Contractors) • Submit fingerprints to KBI. • Submission initiates searches of Kansas, NCIC (QWA), and III (QH) for records associated with matching images. • NLETS (IQ) to state of person’s residency (Name based) • Further queries when indicated QR (III), FQ(NLets)
Record Checks • 5.12 Policy Area 12: Personnel Security • 5.12.1 Personnel Security Policy and Procedures • 5.12.1.1 Minimum Screening Requirements • Within 30 days of CJI Access (prior to access for Private Contractors) • Individual name–based records rechecks as specified above shall be conducted annually or whenever there is reasonable suspicion that an individual’s criminal history status has changed. • KCJIS requires ANNUAL NAME-BASED Rechecks: • NCIC person files (QWA) + III (QH) [QWI gets both] • NLets IQ state of residence or Kansas KQMW + KIQ
Policies Regarding Record Checks • 5.12.1.1 Minimum Screening Requirements • 1 INTRODUCTION • 1.1 Purpose • 1.3 Relationship to Local Security Policy and Other Policies • …local policy may augment, or increase the standards, • OPTIONAL : • Background Investigations (Interview acquaintances, etc.) • Employment History/References • DL • WHY would you? MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING IT SABOTAGE Bradley Manning Edward Snowden
Policies Regarding Record Checks • What’s notably NOT in policy: • Citizenship Requirement • FBI CJIS: no restriction on non-US citizen • KCJIS: Non-US citizens must be legally able to perform the work in or for the United States. Recommendations in Policy Part III • Employment Policy • Security Policy only addresses ACCESS to CJI
Policies Regarding Record Checks • A teleconference with staff from the FBI CJIS ISO office and I.T. Security Audit team clarified that INTRA-state sharing of record check information between agencies is being allowed when the CSA is aware and approves of the procedures. • That means agencies can again share record check results when: • It is done within the purview of the CSA (in Kansas that is the KHP CJIS Unit). • All agencies involved are in agreement. • Paperwork is available to provide auditors evidence that: • The CSA knows which local agencies are involved • A Tracking mechanism for completed records checks is in place and known by all stakeholders • All local agencies know which agency conducted the record checks on which personnel. • We are announcing the release of a revised KCJIS 114-RC form.
As cited in audit reports, periodicals, and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The “people factor” - not technology - is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this “asset.” From Introduction: Wilson, Mark, Hash, Joan (2003) Building and Information Technology Security Awareness and Training Program NIST Special Publication 800-50 October 2003 National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf Security Awareness Training WHY ?
A robust and enterprise wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them. From Introduction: Wilson, Mark, Hash, Joan (2003) Building and Information Technology Security Awareness and Training Program NIST Special Publication 800-50 October 2003 National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf Security Awareness Training WHY ?
Policies Regarding Security Awareness Training (in order of appearance) 5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum The CJIS Security Addendum is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require. Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum shall be enacted only by the FBI.
Policies Regarding Security Awareness Training(in order of appearance) 5.2 Policy Area 2: Security Awareness Training Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.
Policies Regarding Security Awareness Training(in order of appearance) 5.2 Policy Area 2: Security Awareness Training 5.2.1.1 All Personnel At a minimum, the following topics shall be addressed as baseline security awareness training for all authorized personnel with access to CJI: .
Policies Regarding Security Awareness Training(in order of appearance) 5.2 Policy Area 2: Security Awareness Training 5.2.1.2 Personnel with Physical and Logical Access In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
Policies Regarding Security Awareness Training(in order of appearance) 5.2 Policy Area 2: Security Awareness Training 5.2.1.3 Personnel with Information Technology Roles In addition to 5.2.1.1 and 5.2.1.2 above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel (system administrators, security administrators, network administrators, etc.):
Security Awareness Training REQUIRED If… • The person uses Criminal Justice Information in any form • Radio or cell phone • Hard copy • Emailed • Faxed • Computer Terminal Access • OpenFox • CAD • Record Management Systems • Case Management
Security Awareness Training REQUIRED If… • The person is unescorted and will be unavoidably exposed to Criminal Justice Information during the course of their work. • The person is given unescorted/unmonitored access to the computer network and infrastructure used by others to access Criminal Justice Information.
Security Awareness Training REQUIRED If… • The person is unescorted in places where CJI is regularly left unsecured easy for anyone to view.
For More Informationhttps://cjisaudit.khp.ks.gov/launchpad/ KCJIS INFORMATION SECURITY OFFICER DON CATHEY KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS 66603-3847 Office: (785) 368-6518 Fax: (785) 296-0958 Cell: (785) 213-7135 E-mail: dcathey@khp.ks.gov SECURITY TRAINER/ AUDITOR ROD STROLE KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS 66603-3847 Office: (785) 368-6519 Fax: (785) 296-0958 Cell: (785) 249-9961 E-mail: rstrole@khp.ks.gov SECURITY TRAINER/ AUDITOR KIP BALLINGER KANSAS HIGHWAY PATROL 2019 E IRON AVE SALINA KS 67401-3406 Office: (785) 822-1796 Fax: (785) 822-1793 Cell: (785) 452-0180 E-mail kballing@khp.ks.gov SECURITY TRAINER/ AUDITOR TAMMIE HENDRIX KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS 66603-3847 Office: (785) 368-6514 Fax: (785) 296-0958 Cell: (785) 338-0052 E-mail: thendrix@khp.ks.gov