Record Checks. Security Awareness Training

Record Checks

&

Security Awareness

Training

Definitions:

Access to Criminal Justice Information — Thephysicalor logical

(electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.(FBI CJIS Security Policy 5.2 Appendix A)

Definitions:

Access to Criminal Justice Information — Thephysicalor logical

(electronic) ability, right or privilege to view, modify or make use of

Criminal Justice Information.(FBI CJIS Security Policy 5.2 Appendix A)

3

Definitions:

Access to Criminal Justice Information — Thephysicalor logical

(electronic) ability, right or privilege to view, modify or make use of

Criminal Justice Information.(FBI CJIS Security Policy 5.2 Appendix A)

4

I’m Marsha. How can I help you?

Definitions:

pro·cess

noun

\

ˈ

prä-

ˌ

ses,

ˈ

prō-, -s

ə

s\

especially:a continuous operation

5 Enter CJI QUERY CJI •ELECTRONIC (RMS) •HARDCOPY (File cabinet) STORE Or Print CJI •Shred •Overwrite •Degauss •Incinerate DESTROY CJI

Definitions:

pro·cessnoun\ˈprä-ˌses, ˈprō-, -səs\

b:a series of actions or operations conducing to an end;

Definitions:

“During CJI processing”

implies CJI is accessible for viewing, modifying or

“making use of

”

•

CJI left on printers, copiers or fax machines

•

CJI stored insecurely

• Disorganized and in the open

7

Definitions:

“During CJI processing”

implies that CJI is accessible for viewing, modifying or “making use of”

•

Computers unlocked with CJI application open

•

Wiring closets unlocked

•

Network infrastructure left exposed where packet

sniffers or other spy devices could be introduced

8

• If a person is alone with unencrypted (plain text) CJI where security is out of CJA control

9

When developing policies to ensure the security of

Criminal Justice Information, the FBI and KCJIS must

take into account several things. Not the least amongst

these are Federal Regulations.

Federal regulations are often based on research of

industry standards and published recommendations of

organizations such as the National Institute of

Standards and Technology, or NIST.

WHY

Record

Checks

?????

•

Having proper security measures against the

insider threat is a critical component for the

CJIS Security Policy

A study conducted by the U.S. Secret Service

and the Carnegie Mellon University Software

Engineering Institute CERT Program analyzed

150 insider cyber crimes across U.S. critical

infrastructure sectors…

WHY

Record

Checks

?????

11

• Having proper security measures against the insider threat is a critical component for the CJIS Security Policy.

According to one report from the study*,

“…the cases of insider IT sabotage were

among the more technically sophisticated

attacks examined in the

Insider Threat Study

and resulted in substantial harm to people and

organizations”.

*Moore, Andrew., Cappelli, Dawn., & Trzeciak, Randall. (2008).

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (CMU/SEI-2008-TR-009). Retrieved March 28, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8703

The study made 7 observations.

OBSERVATION 1:

MOST INSIDERS HAD

PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO

THEIR RISK OF COMMITTING IT SABOTAGE

Personal predisposition: a characteristic historically linked to a propensity to exhibit malicious insider behavior.

Personal predispositions explain why some insiders carry out malicious acts, while coworkers who are exposed to the same conditions do not act maliciously. Personal predispositions can be recognized by certain types of observable characteristics [Band et al. 2006]:

• Serious mental health disorders—Sample observables from cases include alcohol and drug addiction, panic attacks, physical spouse abuse, and seizure disorders.

• Social skills and decision-making bias—Sample observables from cases include bullying and intimidation of coworkers, serious personality conflicts, unprofessional behavior, personal hygiene problems, and inability to conform to rules.

• A history of rule violations—Sample observables from cases include arrests, hacking, security violations, harassment complaints, and misuse of travel, time, and expenses.

All of the insiders in the MERIT cases who committed IT sabotage exhibitedthe influence of personal predispositions.

Policies Regarding

Record Checks

Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section’s security terms and requirements

apply to all personnel who have access to unencrypted CJI

including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

For our purposes, “unencrypted” is synonymous with “plain text”, “readable”, or “actionable”. Actionable means ability to enter, modify or otherwise affect data.

13

Policies Regarding

Record Checks

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. To verify identification, a state of residency and national

fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.

9. Support personnel, contractors, and custodial workers with

access to physically secure locations or controlled areas

(during CJI processing)shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.

Policies Regarding

Record Checks

15

17

Policies Regarding

Record Checks

5.12.1 Personnel Security Policy and Procedures

5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI:

1. … However, if the person resides in a different state than that of the assigned agency, the agency shall conduct state (of the agency) and national fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using purpose code C, E, or J

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1

Minimum Screening Requirements

Within 30 days of CJI Access (prior to access for Private Contractors)

Submit fingerprints to KBI.

Submission initiates searches of Kansas, NCIC (QWA), and III (QH) for records associated with matching images.

NLETS (IQ) to state of person’s residency

Further queries when indicated

Record Checks

19

5.12 Policy Area 12: Personnel Security

5.12.1 Personnel Security Policy and Procedures

5.12.1.1

Minimum Screening Requirements

Within 30 days of CJI Access (prior to access for Private Contractors) Individual name–based records rechecks as specified above shall be conducted annually or whenever there is reasonable suspicion that an individual’s criminal history status has changed.

KCJIS requires ANNUAL NAME-BASED Rechecks:

NCIC person files (QWA) + III (QH) [QWI gets both]

NLets IQ state of residence or Kansas KQMW + KIQ

Record Checks

Policies Regarding

Record Checks

5.12.1.1 Minimum Screening Requirements

1 INTRODUCTION 1.1 Purpose

1.3 Relationship to Local Security Policy and Other Policies

…local policy may augment, or increase the standards, OPTIONAL :

• Background Investigations (Interview acquaintances, etc.)

• Employment History/References

• DL

WHY would you?

21

MOST INSIDERS HAD PERSONAL PREDISPOSITIONS THAT CONTRIBUTED TO THEIR RISK OF COMMITTING

IT SABOTAGE

Edward Snowden Bradley Manning

Policies Regarding

Record Checks

What’s notably NOT in policy:

•

Citizenship Requirement

•

FBI CJIS: no restriction on non-US citizen

•

KCJIS: Non-US citizens must be legally able to

perform the work in or for the United States.

Recommendations in Policy Part III

•

Employment Policy

Policies Regarding

Record Checks

23

A teleconference with staff from the FBI CJIS ISO office and I.T. Security Audit team clarified that INTRA-state sharing of record check information between agencies is being allowed when the CSA is aware and approves of the procedures.

That means agencies can again share record check results when:

1. It is done within the purview of the CSA (in Kansas that is the KHP CJIS Unit). 2. All agencies involved are in agreement.

3. Paperwork is available to provide auditors evidence that: a. The CSA knows which local agencies are involved

b. A Tracking mechanism for completed records checks is in place and known by all stakeholders

c. All local agencies know which agency conducted the record checks on which personnel.

We are announcing the release of a revised KCJIS 114-RC form.

Policies Regarding

Record Checks

Security Awareness

Training

WHY ?

25

As cited in audit reports, periodicals,

and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks.

The “people factor” - not technology - is key to

providing an adequate and appropriate level of

security

If people are the key, but are also a weak link, more and better attention must be paid to this “asset.”

From Introduction: Wilson, Mark, Hash, Joan (2003)

Building and Information Technology Security Awareness and Training Program NIST Special Publication 800-50 October 2003

National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce

http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Security Awareness

Training

WHY ?

A robust and enterprise wide awareness and training

program is paramount to ensuring that people

understand their IT security responsibilities

,

organizational policies, and how to properly use and

protect the IT resources entrusted to them.

From Introduction: Wilson, Mark, Hash, Joan (2003)

5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum

The CJIS Security Addendum is a uniform addendum to an agreement between the government agency and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access to CHRI, limits the use of the information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require.

Private contractors who perform criminal justice functions shall meet the same training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. All private contractors who perform criminal justice functions shall acknowledge, via signing of the CJIS Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum. The CJIS Security Addendum is presented in Appendix H. Modifications to the CJIS Security Addendum shall be enacted only by the FBI.

Policies Regarding

Security Awareness Training

(in order of appearance)

27

5.2 Policy Area 2:

Security Awareness Training

Policies Regarding

Security Awareness Training

(in order of appearance)

5.2 Policy Area 2:

Security Awareness Training

At a minimum, the following topics shall be addressed as

baseline security awareness training for all authorized personnel with access to CJI: .

Policies Regarding

Security Awareness Training

(in order of appearance)

29

5.2 Policy Area 2:

Security Awareness Training

5.2.1.2 Personnel with Physical and Logical Access In addition to 5.2.1.1 above, the following topics, at a minimum, shall be

addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

Policies Regarding

Security Awareness Training

(in order of appearance)

5.2 Policy Area 2:

Security Awareness Training

In addition to 5.2.1.1 and 5.2.1.2 above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel(system administrators, security administrators, network administrators, etc.):

Policies Regarding

Security Awareness Training

(in order of appearance)

31

• The person

uses

• Radio or cell phone

• Hard copy

• Emailed

• Faxed

• Computer Terminal Access

• OpenFox

• CAD

• Record Management Systems

• Case Management

32

Security Awareness Training

• The person is unescorted and will be unavoidably exposed to Criminal Justice Information during the course of their work.

• The person is

given unescorted/unmonitored

access

used by others to access Criminal Justice Information.

33

Security Awareness Training

REQUIRED If…

•

The person is

unescorted

in places

where

CJI is

regularly left unsecured

easy for anyone to view.

Security Awareness Training

35 ROLE OF PERSONNEL Accessto Unencrypted CJI and/or network infrastructure ? Escorted or Monitored During CJI Processing REQUIREMENTS: RECORD CHECKS Security Awareness Training Topics Required

Agency Personnel with Computers for other than CJI

Not Authorized. But operate computers on same network and have free access to facility, so may be exposed

NO 1. FINGERPRINT

2. ANNUAL NAME BASE 5.2.1.1 – 5.2.1.2

LEOs , Court Personnel, etc. without KCJIS access

YES

• physical access

•hard copy

NO 1. FINGERPRINT_{2. ANNUAL NAME BASE 5.2.1.1}

CJI terminal operators

(Includes LEOs with MDTs)

Authorized Physical and

electronic NO

1. FINGERPRINT

2. ANNUAL NAME BASE 5.2.1.1 – 5.2.1.2

TACs & LASOs Authorized Physical and electronic +

Administration NO

1. FINGERPRINT

2. ANNUAL NAME BASE 5.2.1.1 – 5.2.1.3

Agency I.T. YES NO 1. FINGERPRINT_{2. ANNUAL NAME BASE} 5.2.1.1 – 5.2.1.3

36 ROLE OF PERSONNEL Accessto Unencrypted CJI and/or network infrastructure ? Escorted or Monitored During CJI Processing REQUIREMENTS: RECORD CHECKS Security Awareness Training Topics Required

City/County I.T. YES NO 1. FINGERPRINT_{2. ANNUAL NAME BASE} 5.2.1.1 – 5.2.1.3

Contract support -CAD/RMS other Criminal justice applications

YES - Authorized only after incorporating FBI Security Addendum into Contract.

NO 1. FINGERPRINT_{2. ANNUAL NAME BASE} 5.2.1.1 – 5.2.1.3

YES Authenticate (5.9.1.7)_{Name Based recommended} NONE Contract support - Basic

Computer Hardware, Network and or office suite

Not Intended but may be exposed during on site work

NO 1. FINGERPRINT_{2. ANNUAL NAME BASE} 5.2.1.1 – 5.2.1.3

YES Authenticate (5.9.1.7)_{Name Based recommended} NONE

CONTRACT SHREDDING

SHRED OFFSITE NO 1. FINGERPRINT_{2. ANNUAL NAME BASE} 5.2.1.1

AGENCY WITNESSED

SHRED ON SITE YES

Authenticate (5.9.1.7)

Name Based recommended NONE

Custodial Personnel Not Authorized

NO 1. FINGERPRINT_{2. ANNUAL NAME BASE} 5.2.1.1

37

For More Information

KCJIS INFORMATION SECURITY OFFICER

DON CATHEY

KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS 66603-3847 Office: (785) 368-6518 Fax: (785) 296-0958 Cell: (785) 213-7135 E-mail: [email protected]

SECURITY TRAINER/ AUDITOR

ROD STROLE

KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS 66603-3847 Office: (785) 368-6519 Fax: (785) 296-0958 Cell: (785) 249-9961 E-mail: [email protected]

SECURITY TRAINER/ AUDITOR

TAMMIE HENDRIX

KANSAS HIGHWAY PATROL 122 SW 7th ST TOPEKA KS 66603-3847 Office: (785) 368-6514 Fax: (785) 296-0958 Cell: (785) 338-0052 E-mail: [email protected] SECURITY TRAINER/ AUDITOR

KIP BALLINGER

KANSAS HIGHWAY PATROL 2019 E IRON AVE SALINA KS 67401-3406 Office: (785) 822-1796 Fax: (785) 822-1793 Cell: (785) 452-0180 E-mail [email protected]