1 / 28

How To Prepare For A CJIS Audit

Learn essential steps for preparing for a CJIS audit, including understanding the audit process, conducting self-audits, and ensuring compliance with CJIS Security Policy standards. Get insights on who conducts the audit, what is being audited, why audits are necessary, and when they take place. Discover the roles of the Texas DPS CJIS Security Team, audit triggers, on-site audit procedures, and how to address compliant and non-compliant outcomes. Stay ahead with self-audit tips for network diagrams, IT/network support requirements, and maintaining secure TLETS terminals.

lrichard
Download Presentation

How To Prepare For A CJIS Audit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. How To Prepare For A CJIS Audit

  2. How To Prepare For A CJIS Audit Overview • Who, What, Why and When • Audit Process • Self Audit Using Network diagram • Required Written Policies/Process • Available Resources

  3. PRAY

  4. Who conducts CJIS audit? • What is being audited? • Why are we being audited? • When does the audit take place? How To Prepare For A CJIS AuditHelps To Know

  5. How To Prepare For A CJIS AuditWho conducts CJIS Audit? • Texas DPS CJIS Security Team • Ensures all criminal justice and noncriminal justice agencies accessing TLETS meet requirements mandated by the CJIS Security Policy • Office created 2006 • CJIS Information Security Officer – Alan Ferretti • 12 Auditors • 1200 TLETS agencies • Audited 882 agencies

  6. How To Prepare For A CJIS AuditWhat is being audited? • CJIS Security Policy 5.0 Compliance • Establishes the minimum security requirements for Criminal Justice Information. • Version 5.0 has grown to four times the pages and two and a half times the requirements found in Version 4.5. • Technology continues to progress and be made available. • Security threats have continued to increase. • Version 5.0 is no longer a classified document. It is now considered a public document.

  7. How To Prepare For A CJIS AuditWhy is my agency being audited? • CJIS Security Policy Requirement • Every 3 years • Other audit triggers

  8. Audit Triggers

  9. How To Prepare For A CJIS AuditAudit Process • Schedule audit • 2 - 6 weeks notice • Follow up with email detailing instructions and recommendations • Formal notification by letter • Pre-Audit • Phone call • Clarify instructions • Answer Questions

  10. How To Prepare For A CJIS Audit Audit Process – On site Audit CJIS Security Policy Version 5 Audit Checklist

  11. How To Prepare For A CJIS Audit.Audit Process - Compliant • Compliant • Formal letter mail to agency • Next scheduled audit – 3 years unless event occurs that triggers audit

  12. How To Prepare For A CJIS Audit.Audit Process – Non-compliant • Non-compliant • Non -compliant letter, listing items out of compliance mailed to the agency • Agency given 30 days to correct noncompliant issues or its plan to correct noncompliant items • Compliant letter mailed to agency upon verification of correct items

  13. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • Depicts router(s), switch(s), and firewall(s) and lists their make and model? (Technical) 5.7.1.2 • Manufacturer supporting devices with updates? (Technical) • Network devices secured with locked doors? (WalkThrough) 5.9.1.3 & 5.9.1.4 • Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1 • CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2 • Network properly segmented from non law enforcement networks ? (Technical) 5.10.1.2 • Firewall in place between networks and Internet? (Technical) 5.10.1.1 • Firewall fails “close”? (Technical) 5.10.1.1

  14. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram – IT /Network Support • If IT/Network Support personnel are: • Vendor • Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5 • Signed FBI Certification page? (Policy) 5.1.1.5 • Fingerprint based background check ? (Policy) 5.12.1.1 & 5.12.1.2 • Security Awareness Training completed (every 2 years) and documented ? (Policy) 5.2.2

  15. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • If IT/Network Support personnel are: • Non LE employees (i.e. city or county) • Signed Management Control Agreement on File (Policy) 5.1.1.4 • Fingerprint based back ground check (Policy) 5.12.1.1 • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2 • If IT/Network Support personnel are: • LE employees • Fingerprint based back ground check (Policy) 5.12.1.1 • Security Awareness Training completed (every 2 years and documented (Policy) 5.2.2

  16. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • Depicts number of TLETS terminals? (Technical)5.7.1.2 • Operating system patched? (Walk Through) 5.10.4.1 • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3 • Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) 5.9.1.3 • Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1 • Session locked after 30 min of inactivity? (Interface) 5.5.5 • Media Control (Policy) 5.9.1.9 – How is equipment containing CJI Data exiting a secure location controlled? • Destruction (Policy) 5.8.4 & 5.8.2 – Written procedures for destroying electronic and physical media?

  17. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram – • If terminal operators personnel are: • Vendor • Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5 • Signed FBI Certification page? (Policy) 5.1.1.5 • Fingerprint cards submitted to DPS ? (Policy) 5.12.1.1 & 5.12.1.2 • Security Awareness Training completed (every 2 years) and documented ? (Policy) 5.2.2

  18. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • If terminal operators personnel are: • Non LE employees (i.e. city or county) • Signed Management Control Agreement on File (Policy) 5.1.1.4 • Fingerprint cards submitted to DPS (Policy) 5.12.1.1 • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2 • If terminal operators personnel are: • LE employees • Fingerprint card submitted to DPS (Policy) 5.12.1.1 • Security Awareness Training completed (every 2 years and documented (Policy) 5.2.2

  19. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • Mobiles (Technical) • Operating system patched. (Walk Through) 5.10.4.1 • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3 • Firewall enabled (Walk Through) 5.10.4.4 • Vehicles locked when not in use (Walk Through) 5.9.1.3 • Listing of all wireless devices and contact number to disable them if the need arises. (Wireless) 5.5.7 & 5.5.71 • If transmitted outside secure location (PD, Vehicle) advance authentication required (Technical) 5.6.2.2 • CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

  20. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • Interface (CAD/RMS)? (Interface) • Operating system patched. (Walk Through) 5.10.4.1 • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3 • Meets password requirements (Interface) 5.6.2.1 • Locks after 5 consecutive invalid log on attempts (Interface) 5.5.3 • NCIC & III transactions retain for 1 year (Interface) 5.4.7 • Log audit events (Interface) 5.4.1.1 • Meets audit retention, monitoring , alert and review requirements? (Interface) 5.4.2 & 5.4.3 • CAD/RMS kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted (WalkThrough) 5.9.1.3 & 5.9.1.4

  21. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Network Diagram • Interface (CAD/RMS)? (Interface-Continued) • Restricted/Controlled area signage posted (Walk Through) 5.9.1.1 • CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

  22. How To Prepare For A CJIS AuditSelf Audit - Network Diagram • Hosting/Hosted Agency • Inter-local Agency Agreement on file (Policy) 5.1.1.4 • If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2 • If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2 • CJI data transmitted out side the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

  23. How To Prepare For A CJIS AuditWritten Policies & Procedures • Security Awareness Training – 5.2.2 • Incident Response Plan – 5.3.1 • Procedures for revoking/removing CJI access – 5.51, 5.12.2 & 5.12.3 • Policy governing use of personally owned– 5.5.61 • Sanitization, and physical destruction procedures of electronic media before release or reuse – 5.8.3 & 5.8.4 • Disposal and or destruction of physical media – 5.9.1.2 • Security Alert and Advisories process – 5.5.1 • Process for validating user accounts – 5.5.1 • Policy forbidding transmitting CJI outside secure location -

  24. How To Prepare For A CJIS Audit Available Resources – CJIS Audit Team

  25. How To Prepare For A CJIS Audit Available Resources – Security Review Website http://www.txdps.state.tx.us/securityreview CJIS Security Policy CJIS Security Policy Audit Checklist Security Awareness Training Network Diagram Management Control Agreement FIPS 140-2 Certificates CJIS Security Addendum Policy Examples Security Advisories Agencies Scheduled To Be Audited Thru March 2013

  26. Miguel Scott Information Security Analyst TX Dept of Public Safety Office: 512-424-7912 Email: miguel.scott@dps.texas.gov

More Related