Presentation Transcript

1. LASO 101 – 2013Oregon State PoliceLaw Enforcement Data SystemsCriminal Justice Information Services Division

   Jennifer Hlad, LEDS & OUCR Trainer
2. Definitions & Acronyms: CJIS: Criminal Justice Information Services CSA: CJIS Systems Agencies TAC: Terminal Agency Coordinator – LEDS Representative LASO: Local Agency Security Officer, the agency contact for CJIS Training (see CJIS Policy v5.2 section 3.2.9 for role defined) CJI: Criminal Justice Information, any FBI CJIS provided data CJA: Criminal Justice Agency/Agencies NCJA: Noncriminal Criminal Justice Agency/Agencies
3. Definitions & Acronyms: ISO: Information Security Officer (see CJIS Policy v5.2 section 3.2.8 for role defined) APB: The Advisory Policy Board, a federal entity FBI: Federal Bureau of Investigation NIST: National Institute of Standards & Technology
4. What is the CJIS Security Policy? The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides: Guidance for the creation, viewing, modification, transmission, dissemination, storage and destruction of CJI. Rules & Mandates for every contractor, private entity, non criminal justice agency representative, or member of a criminal justice entity – with access to, or who operate in support of, criminal justice services and information.
5. Who can be a LASo? The LASO can be the LEDS Rep. A member of the Local IT Department A member of the your contracted IT Department A member of the city IT Department A member of the county IT Department Not necessarily within the agency, this role of IT supervision can be contracted out to a master IT department, EG: Sheriff’s Office uses the main County IT Department for this role. The LASO is not required to administer the CJIS Security Training. The agency will maintain the CJIS Security Training records at the local level. This can be the LEDS Rep., LASO or other appointed person.
6. What is a LASO required to do? Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same. Identify and document how the equipment is connected to the state system. Ensure that personnel security screening procedures are being followed as stated in the latest CJIS Security Policy. Ensure the approved and appropriate security measures are in place and working as expected. Support policy compliance and ensure the CSA ISO is promptly informed of security incidents.
7. Identifying usage of LEDS hardware, software, and firmware Largely an IT role wherein it is decided what hardware (Toughbook's, PC’s, routers, switches, application use to access the state system such as WebLEDS, Forsecom, etc.) will be utilized within the agency
8. Ensuring no unauthorized individuals or processes have access to LEDS Agencies shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. This is important for employees leaving your agency – make sure you disable the web accounts so they cannot be accessed. Your agency should handle this by implementing a policy that covers access to LEDS for new, terminated or transferred employees.
9. Identify & document how the equipment is connected to the state system The Network Diagrams as highlighted in appendix C of the CJIS Security Policy V5.2 This is a Network Diagram of conceptual connections between various agencies:
10. Network Diagrams continued
11. Network Diagrams continued
12. Network Diagrams continued
13. Ensure that personnel security screening procedures are being followed CJIS Security fingerprinting, typically reverted to the LEDS Representative. Fingerprint employee and submit prints to ID Services - within 30 days of employment Must be fingerprinted for each new law enforcement agency (lateral hires) Forms available: http://www.oregon.gov/OSP/ID/cjis.shtml Email the ID Services fingerprint staff at OSP.CJIS@state.or.us with any questions. Don’t forget to email the ID Services staff once an employee has separated your agency to inactivate their CJIS Security flag for your agency.
14. Ensure the approved and appropriate security measures are in place This is very unique to your agency and how you’ve structured your IT needs and your LEDS access infrastructure. See CJIS Security Policy V5.2 appendix J & K to reference various infrastructure requirements.
15. Once your agency has established their internal policies addressing the needed CJIS Security Awareness topics, make sure all employees follow policies, have access to the policies, are aware of the policies and aware of the consequences for breaching policy. See provided sample protocols which you can customize to your agency and agency needs. Support CJIS Security policy compliance
16. This is reflected in an Incident Response Plan implemented within your agency. Detailed requirements of the Incident Response Plan are outlined in section 5.3 of the CJIS Security Policy v5.2. See included example policy in your packet. ensure the CSA ISO is promptly informed of security incidents
17. Maintenance of CJIS Training Records has been designated to the local level It is your agencies responsibility to maintain CJIS Security Awareness training documentation. CJIS Security Awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI. There are three (3) types of access to CJI: Level 1: Physical Access Level 2: Physical and/or Logical Level 3: Personnel with Information Technology roles OSP has provided a way for agencies to maintain your records online using the CJIS Online Portal. Documentation on how to use this portal has been provided in you packet.
18. Physical Access Question: Who has physical access? Answer: Anyone who has unescorted (eyes on at all times) access to areas that process or store CJI. Common examples include the following roles: Janitors Building maintenance Radio technician vendors Anyone given unfettered walking access to your secured location.
19. Physical and/or Logical access Question: Who has physical and/or logical access? Answer: Any individual that has login credentials to a LEDS terminal.
20. Personnel with Information Technology roles Question: What does this mean? Answer: Anyone that has unescorted access to networking equipment such as: routers switches and hubs or servers processing or storing CJI. Access can be as simple a key to the door that secures this equipment. This can also be as complex as vendors with VPN access (unescorted) to systems that process CJI.

21. Questions?

22. Contact Info Jennifer Hlad, LEDS Training SpecialistJennifer.Hlad@state.or.us 503-934-2341 (Desk)503-378-2121 (Fax) Greg Verharst, CJIS Information Security Officer Greg.Verharst@state.or.us 503-378-3055 Ext. 55002 (Desk) 503-364-2661 (Fax)