Obtain the fill-in PowerPoint template by Michigan State Police for implementing the Security Awareness Training (SAT) required for accessing Criminal History Record Information (CHRI) as per FBI CJIS Security Policy. Ensure compliance with CHRI access rules.
SAT Training Template Agencies are responsible for administering the Security Awareness Training (SAT) to all personnel having access to CHRI, as required by the FBI CJIS Security Policy, Policy Area 2 (Section 5.2). More information can be found at www.michigan.gov/cjicats. The Michigan State Police (MSP) has created a Noncriminal Justice Agency (NCJA) “template” for your use in implementing these requirements. The SAT Training Template is a fill-in PowerPoint for agency use. Agencies should complete all fields indicated in red as they apply to agency policy, procedure, and process. Any questions about the use of the template may be directed to the Audit & Training Section: • MSP-CJIC-ATS@michigan.gov • 517-284-3079
Noncriminal Justice Agency (NCJA) Security Awareness Training
Criminal Justice Information Exchange History The FBI Criminal Justice Information Services (CJIS) Division is our nation’s central repository of Criminal History Record Information (CHRI), assisting state law enforcement, governmental, public, and private entities by sharing information for criminal justice and noncriminal justice purposes.
FBI Criminal Justice Information Services The FBI CJIS Division serves as our nation’s administrator for the appropriate security and management controls. As such, the FBI designates one criminal justice agency (on the CJIS network) in each state as the CJIS Systems Agency (CSA), which is considered its point of contact for that state. Michigan State Police The CSA is duly authorized to oversee the security and management of all CJI (including CHRI) exchanges within the State of Michigan, and is responsible for setting, maintaining, enforcing, and reporting compliance to the FBI CJIS Division for such exchanges. Noncriminal Justice Agency For the purpose of licensing and employment, certain authorized agencies request and receive fingerprint-based CHRI, making the Noncriminal Justice Agency (NCJA) the next responsible records management entity.
How “You” the Employee are Connected As an employee of a NCJA, these same security and management control responsibilities extend to you. Security Awareness Training is intended to identify your individual role and responsibilities, and to equip you with the knowledge, resources, and tools necessary to ensure the appropriate security and management of CHRI.
Access & Use Access to CJI/CHRI is limited to authorized personnel and for an authorized purpose as prescribed by [state and/or federal Law]. Use of CHRI is for and by authorized personnel as designated by your employer.
Why Security Awareness Training? Individuals, businesses, and government organizations have become increasingly reliant on information technology systems, which makes protecting these assets more important than ever before. Systems have become more complex and interconnected, increasing the potential risk to their operations. Security awareness training, and its implementation, is required by the FBI CJIS Security Policy (Policy Area 2, Section 5.2, Security Awareness Training).
Information System Security The term information security refers to the protection of information and information technology (IT) systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: • Security: to ensure that information is not compromised by any unauthorized individuals. • Confidentiality: to ensure that information is not disclosed to unauthorized individuals. • Integrity: to ensure that information and systems are not modified maliciously or accidentally.
Security Awareness Training (SAT) Begins Agencies shall provide SAT to all personnel having access to CHRI within six (6) months of their assignment and once every two (2) years thereafter. SAT applies to: • All personnel with access to CJI/CHRI. • Personnel with physical and logical access. • Personnel with information technology (IT) roles.
SAT Begins CHRI is governed and protected by: • Federal and state laws. • Policies, memoranda, and regulations. • NCJA policies, procedures, processes, and rules. All are designed to reduce the risk of unauthorized access and misuse. Noncompliance with any of these will lead to disciplinary action according to agency [policy, procedure, written process action]. Disciplinary action is determined by [Agency or Position of Authority] and in accordance with the FBI CJIS Security Policy.
Reporting of a Security Breach Incident Reporting: • As an agency employee it is your responsibility to report any perceived or known security breaches regarding CHRI. • Reporting is required whether the CHRI breach is physical or through electronic devices. • All incidents are to be reported to [position authority]. • You may refer to [policy or procedure] for the most current incident response protocol.
Security Breach Is defined as: • An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called a security violation. • The intentional or unintentional release of secure information to an untrusted, unauthorized environment. • The unauthorized acquisition, access, use or disclosure of protected information which compromises the security or privacy of such information.
Media Protection Media must be protected at all times against any unauthorized access to, or routine viewing of, computer devices, access devices, and printed/stored data. All media is to be handled with the utmost care and marked as a copy and as confidential, so that others having access to CHRI are also aware of the attention required when handling it. Agency [policy, procedure, or written process] is provided and available [where available] to ensure that media protection exists and is carried out in the appropriate manner.
Media Protection Is the protection of electronic and physical CHRI media by: • Restricting media to authorized personnel only. • Storing media within physically secure locations and controlled areas. • Protecting and controlling media any time it is transported outside of controlled areas. • Disposing of media securely and only by authorized personnel.
Media Protection Physical Security includes: • Protection of information subject to confidentiality. • Limitation of visitor access to controlled areas. • Prevention of social engineering attacks. • Positioning of computer and system devices (laptops, cellular phones, iPads, or any kind of handheld device used to access, process, or store CHRI media) in such a way that prevents unauthorized personnel from gaining physical or visual access. • Locking of rooms, areas, or storage containers where CHRI media is accessed, processed, and/or stored.
Media Protection Electronic Security includes: • Protection of information subject to confidentiality. • Password use and management. • Protection from viruses, worms, Trojan horses, and other malicious code. • Appropriate use and management of e-mail, spam, and attachments. • Appropriate web use. • Use of encryption for transmission of sensitive/confidential information through electronic means. • Backing up electronic media on a regular basis. • Sanitizing digital media prior to disposal or release for reuse.
IT Personnel As outlined by the agency, it is the IT personnel's responsibility to: • Provide protection from viruses, worms, Trojan horses, and other malicious code through electronic scanning and updating of definitions. • Provide data backup and storage through centralized and decentralized approaches, when applicable. • Apply system patches in a timely manner as part of configuration management. • Provide access control measures. • Provide protection measures for the agency network infrastructure.
Visitor Control Visitor access to controlled areas where CHRI is maintained and processed shall be avoided whenever possible. If visitor access becomes necessary, all visitors will be escorted by authorized personnel at all times while in a controlled area. Agency [policy or procedure] exists to prevent unauthorized access to CHRI, and it is your responsibility to adhere to all agency requirements.
Visitor Control Minimum requirements: • Lock the area, room, or storage container when CHRI is unattended by authorized personnel. • Position CHRI system devices and documents containing CHRI in such a way as to prevent unauthorized individuals from accessing or viewing them. • Follow the encryption requirements set forth by the agency for electronic storage of CHRI. • Challenge strangers as to the nature of their business in the controlled area. • Report unusual or suspicious behavior to appropriate personnel.
Threats, Vulnerabilities, and Risks A vulnerability is a point where a system is susceptible to attack. Vulnerabilities may include: • 1. Physical. • 2. Human. • 3. Hardware and Software. • 4. Natural. • 5. Communication.
Threats, Vulnerabilities, and Risks A threat is an unintentional or deliberate event or circumstance which could have an adverse impact on an information system. Threats can come from internal or external sources. There are three main categories of threats: • Natural(fire, flood, lightning, power failures). • Unintentional(actions that occur due to lack of knowledge or through carelessness). • Intentional (a deliberate plan to harm or manipulate an information system, its software and/or data).
Dissemination Laws, policies, procedures, and written processes discussed throughout this training apply to CHRI received from the FBI CJIS Division for noncriminal justice purposes. In general, the use of CHRI by a NCJA is for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice, including but not limited to: • [Employment suitability or Licensing] Any CHRI released to another authorized agency that was not part of the original information exchange shall be logged. See [policy, procedure, written process] for logging details.
Destruction Sensitive data shall be securely disposed of when no longer required. When diskettes, tape cartridges, ribbons, hard copies, print-outs, and other similar items are no longer in use, destroy them by cross-cut shredding or incineration, performed by authorized personnel. DO NOT PLACE SENSITIVE DATA IN TRASH CANS
Desktop Security Pertains to your agency-issued computers, laptops, and handheld devices. Personally owned equipment and software [is/is not] allowed, and guidance for such an instance can be located within agency [policy, procedure, or written documentation]. You have NO EXPECTATION OF PRIVACY IN THEIR USE. Physical and electronic media not under the direct supervision of authorized personnel should be locked and secured any time it is not in use. If you know you are going to be away from your desk for an extended period of time, either shut down your system or lock your workstation.
Desktop Security Passwords are an example of “standard authentication”. A password: • Is an “electronic signature”. • Ensures the user is who they say they are. • Is used in all instances of system access for the use, processing, and storage of electronic CHRI media. • Is used to restrict access to authorized personnel only. Agency [policy, procedure, written process] exists and is available [where available] to ensure the appropriate security and management controls are followed.
Desktop Security Passwords shall exist for all electronically maintained media and shall: • Be a minimum length of eight characters. • Not be a dictionary word or proper name. • Not be the same as the User ID. • Expire within a maximum of 90 days. • Not be identical to the previous ten passwords. • Not be transmitted in the clear outside the secure location. • Not be displayed when entered.
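The password rules on this slide, expressed as a check that an agency's account-provisioning script could run before accepting a new password. This is an added example and is not code from the MSP template; the dictionary/proper-name list, the PBKDF2 iteration count, the ISO-date inputs, and every function name are assumptions chosen for illustration.

```python
"""Password policy check for the SAT template rules (added example, not MSP code)."""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8        # "minimum length of eight characters"
MAX_AGE_DAYS = 90     # "expire within a maximum of 90 days"
HISTORY_DEPTH = 10    # "not be identical to the previous ten passwords"
PBKDF2_ROUNDS = 60_000  # assumption; production deployments use a higher count

# Constructed stand-in for a real dictionary and proper-name list (assumption).
DICTIONARY_WORDS = {"password", "welcome", "michigan", "lansing", "detroit", "summer"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so history never stores plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the password matches any (salt, digest) pair in the history list."""
    return any(hash_password(password, salt)[1] == digest for salt, digest in history)


def check_password(candidate, user_id, history=()):
    """Return the list of template rules the candidate violates (empty list = acceptable)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in DICTIONARY_WORDS:
        violations.append("dictionary word or proper name")
    if candidate.lower() == user_id.lower():
        violations.append("same as the User ID")
    if in_history(candidate, list(history)[-HISTORY_DEPTH:]):
        violations.append(f"identical to one of the previous {HISTORY_DEPTH} passwords")
    return violations


def record_password(password, history):
    """Append the new password's salted hash and keep only the last HISTORY_DEPTH entries."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


def is_expired(last_changed, today):
    """True once a password set on `last_changed` (ISO date) is older than MAX_AGE_DAYS on `today`."""
    last = date.fromisoformat(last_changed)
    now = date.fromisoformat(today)
    return (now - last) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed walk-through: two rejected candidates, then a reuse attempt.
    history = record_password("Autumn-Leaves-2019", [])
    print(check_password("Michigan", "jdoe"))                      # dictionary word
    print(check_password("Autumn-Leaves-2019", "jdoe", history))   # reused password
    print(check_password("Autumn-Leaves-2020", "jdoe", history))   # acceptable: []
    print(is_expired("2024-01-01", "2024-04-01"))                  # 91 days: True
```

The two rules not checked here ("not transmitted in the clear" and "not displayed when entered") belong to the transport and the login screen rather than the password itself; keeping only salted hashes in the history list is what lets the reuse check run without ever storing old passwords in the clear.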
Vulnerabilities and Threats Threats include: • Eavesdropping • Unauthorized data access • Intrusions • Denial of Service • Theft • Social Engineering • Phishing • Sabotage • Web use • Spam BEWARE!
Vulnerabilities and Threats Social engineers do not need to be “technically” savvy, they use their “people skills” to allow them in where they are NOT supposed to be: • Charm. • Intimidation. • Trickery. “Phishing” is the receipt of an email pretending to be from an online store, a financial institution, or an internet service provider with the intention of gaining personal information. Sabotage is the deliberate action aimed at weakening another entity, the conscious withdrawal of efficiency generally directed at causing some change in workplace conditions.
Vulnerabilities and Threats Work-related web use is necessary at times and for applicable purposes, and [policy, procedure, or written process] exists to identify the security controls necessary to minimize the detrimental effects of viruses, worms, Trojan horses, and other malicious code. Additionally, web use for personal reasons [is/is not allowed], and when used for such purposes it shall be conducted in the same manner as outlined in [policy, procedure, or written process]. “Spam” is unsolicited electronic messaging by outside entities, which may also contain viruses, worms, Trojan horses, and other malicious code. It is essential to use email blocking and junk mail filtering functions to minimize its impact.
Vulnerabilities and Threats Eavesdropping can also be a threat when conversations are heard by the wrong person seeking personal gain. Secretly listening to the conversations of others is a good way to learn what should be confidential information. Ensure you are aware of your surroundings and environment, and only discuss the details of CHRI with appropriate personnel. • Unauthorized data access, intrusions, denial of service, and theft can all contribute to the vulnerability of an agency’s system, and it is up to you to ensure the security, confidentiality, and integrity of CHRI while it is under your control.
Are You Being Hacked? How to Tell Indicators include: • A system alarm or similar indication from an intrusion detection tool (e.g., a UNIX user obtains privileged access without using authorized methods). • Suspicious entries in system or network accounting. • Accounting discrepancies (e.g., an 18-minute gap in the accounting log in which there is no correlation). • Exceptionally slow network activity, disconnection from network service, or unusual network traffic. • Unsuccessful logon attempts. • New user accounts of unknown origin. • Unusual log entries, such as network connections to unfamiliar machines or services, or login failures. • New files of unknown origin and function. • Unexplained addition, deletion, or modification of data. • System crashes. • Poor system performance: the system appears slower than normal and less responsive than expected. • Unauthorized operation of a program, or the addition of a sniffer application to capture network traffic or usernames/passwords. • Port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts). • Unusual usage times (statistically, more security incidents occur during non-working hours than at any other time). • An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account. • Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program). • Denial of service activity, or the inability of one or more users to log in to an account, including admin/root logins to the console.
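Four of the indicators above (unsuccessful logon attempts, new accounts of unknown origin, unusual usage times, and a gap in the accounting log) can be checked mechanically over a login/accounting log. The following is an added example and not part of the MSP template: the one-line record format, the sample records, the list of known accounts, the working-hours window, and the thresholds are all constructed assumptions for illustration.

```python
"""Indicator checks over a constructed login/accounting log (added example, not MSP code)."""
from collections import Counter
from datetime import datetime, timedelta
from typing import List, NamedTuple

GAP_MINUTES = 18              # the "18-minute gap in the accounting log" indicator
FAIL_THRESHOLD = 5            # repeated unsuccessful logon attempts (assumption)
WORK_START, WORK_END = 7, 18  # local working hours 07:00-18:00 (assumption)

# Constructed sample records in the form "<ISO timestamp> <user> <event>" (assumption:
# not any real product's log format). The quiet stretch after 08:20 and the new
# "svc-tmp" account are planted so the checks below have something to find.
SAMPLE_LOG = """\
2024-05-06T08:00:00 jdoe LOGIN_OK
2024-05-06T08:05:10 asmith LOGIN_OK
2024-05-06T08:10:42 jdoe QUERY
2024-05-06T08:15:03 asmith QUERY
2024-05-06T08:20:30 jdoe QUERY
2024-05-06T08:45:12 jdoe QUERY
2024-05-06T08:50:00 jdoe LOGOUT
2024-05-06T09:00:00 svc-tmp ACCOUNT_CREATED
2024-05-06T09:01:15 svc-tmp LOGIN_FAIL
2024-05-06T09:01:40 svc-tmp LOGIN_FAIL
2024-05-06T09:02:02 svc-tmp LOGIN_FAIL
2024-05-06T09:02:31 svc-tmp LOGIN_FAIL
2024-05-06T09:03:00 svc-tmp LOGIN_FAIL
2024-05-06T09:03:20 svc-tmp LOGIN_OK
2024-05-06T23:40:00 svc-tmp QUERY
"""

# Accounts the agency knows it provisioned (assumption).
KNOWN_ACCOUNTS = {"jdoe", "asmith"}


class Record(NamedTuple):
    when: datetime
    user: str
    event: str


def parse_log(text: str) -> List[Record]:
    """Parse the three-field records and return them in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(maxsplit=2)
        records.append(Record(datetime.fromisoformat(ts), user, event))
    return sorted(records, key=lambda r: r.when)


def failed_logons(records, threshold=FAIL_THRESHOLD):
    """Users with at least `threshold` LOGIN_FAIL events: unsuccessful logon attempts."""
    counts = Counter(r.user for r in records if r.event == "LOGIN_FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def unknown_accounts(records, known):
    """Accounts created in the log that the agency did not provision: new accounts of unknown origin."""
    return {r.user for r in records if r.event == "ACCOUNT_CREATED" and r.user not in known}


def after_hours(records, start=WORK_START, end=WORK_END):
    """Records outside the working-hours window: unusual usage times."""
    return [r for r in records if not start <= r.when.hour < end]


def accounting_gaps(records, max_gap=timedelta(minutes=GAP_MINUTES)):
    """Consecutive records separated by more than `max_gap`: an unexplained gap in the log.
    In a real log, this would also be filtered to periods when activity is expected."""
    return [(a.when, b.when) for a, b in zip(records, records[1:]) if b.when - a.when > max_gap]


def report(text=SAMPLE_LOG, known=KNOWN_ACCOUNTS):
    """Run every check and return the findings keyed by indicator name."""
    records = parse_log(text)
    return {
        "failed_logons": failed_logons(records),
        "unknown_accounts": unknown_accounts(records, known),
        "after_hours": [(r.when.isoformat(), r.user, r.event) for r in after_hours(records)],
        "accounting_gaps": [(a.isoformat(), b.isoformat()) for a, b in accounting_gaps(records)],
    }


if __name__ == "__main__":
    for indicator, findings in report().items():
        print(f"{indicator}: {findings}")
```

Each finding is a prompt for the reporting step on the "Reporting of a Security Breach" slide, not a verdict: a gap in the log can be a quiet period, and an after-hours query can be legitimate, so the checks are tuned to the agency's own activity pattern and the output goes to the [position authority] named in the agency's incident response procedure.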
Standards of Discipline FBI CJIS information is sensitive information. Improper access, use, and dissemination are serious and may result in the imposition of disciplinary action up to and including dismissal. Action(s) can include termination of services, as well as state/federal criminal penalties. It is your responsibility to conform to the requirements set forth by your agency when using computers with access to CHRI data. Failure to comply with these rules of behavior may constitute a security violation resulting in denial of access to the system.
Remember • You are the key to security; it begins with YOU. • It is your responsibility to ensure you are aware of and adhere to all policies and procedures regarding IT security. • If you have any questions about the proper operation or security of computer systems entrusted to you, contact your local agency security officer.
Proof of Training Completion Upon completion of Security Awareness Training: Complete applicable fields of the last page certificate, except for “Authorizing Name and Title” field. Once applicable fields are completed, print and provide to agency authorizer for verification signature.
[Agency Name] Presents [Employee Name] with this NCJA Security Awareness Training Proof of Completion On [DATE] Authorizing Name and Title