CJIS Panel

Report
How To Prepare For A CJIS Audit
How To Prepare For A CJIS Audit
Overview
•Who, What, Why and When
•Audit Process
•Self Audit Using Network diagram
•Required Written Policies/Process
•Available Resources
PRAY
How To Prepare For A CJIS Audit
Helps To Know
Who conducts CJIS audit?
What is being audited?
Why are we being audited?
When does the audit take place?
How To Prepare For A CJIS Audit
Who conducts CJIS Audit?
•Texas DPS CJIS Security Team
− Ensures all criminal justice and noncriminal justice
agencies accessing TLETS meet requirements mandated
by the CJIS Security Policy
− Office created 2006
− CJIS Information Security Officer – Alan Ferretti
− 12 Auditors
− 1200 TLETS agencies
− Audited 882 agencies
How To Prepare For A CJIS Audit
What is being audited?
•CJIS Security Policy 5.0 Compliance
— Establishes the minimum security requirements for
Criminal Justice Information.
— Version 5.0 has grown to four times the pages and two and a
half times the requirements found in Version 4.5.
 Technology continues to progress and be made available.
 Security threats have continued to increase.
— Version 5.0 is no longer a classified document. It is now
considered a public document.
How To Prepare For A CJIS Audit
Why is my agency being audited?
•CJIS Security Policy Requirement
•Every 3 years
•Other audit triggers
Audit Triggers
Requires CJIS
Security Office’s
Approval
Pre–
Audit
Site Audit
(within 30-60
days)
Tri-annual Audit.
N/A
Yes
Yes
New Agency.
Yes
Yes
Yes
Security Incident or Exceptional Event
Yes
Yes
Yes
Adding new technology accessing, storing or processing
CJIS data (ex. Handhelds, MDTs, Virtual Technology).
Yes
Yes
Yes
Any upgrade to the system exceeding 25% of the cost of
the system being upgraded.
Yes
Yes
Yes
Adding a system to interface with TLETS (CAD/RMS).
Yes
Yes
Yes
CJIS network addition or configuration change.
Yes
Yes
Yes
Moving TLETS equipment to a new site.
Yes
Yes
Yes
Request to host an agency or to be hosted by an agency.
Yes
Yes
Yes
Increasing the number of terminals by 25% or greater.
Yes
Yes
Yes
Increasing the number of terminals by less than 25%
Yes
No
No
Swapping out network equipment (1 for 1).
No
No
No
Adding a system not accessing CJIS data (ex. e-tickets).
No
No
No
Any upgrade to the system which is NOT replacing or
adding to like technology.
No
No
No
Possible Audit Triggers
How To Prepare For A CJIS Audit
Audit Process
•Schedule audit
− 2 - 6 weeks notice
− Follow up with email detailing instructions and
recommendations
− Formal notification by letter
•Pre-Audit
− Phone call
− Clarify instructions
− Answer Questions
How To Prepare For A CJIS Audit
Audit Process – On site Audit
CJIS Security Policy Version 5
Audit Checklist
Section:
Policy
Walk
Through
Questions
20
7
Technical
Wireless
Interface
7
19
17
How To Prepare For A CJIS Audit.
Audit Process - Compliant
•Compliant
− Formal letter mail to agency
− Next scheduled audit – 3 years unless event occurs that
triggers audit
How To Prepare For A CJIS Audit.
Audit Process – Non-compliant
•Non-compliant
− Non -compliant letter, listing items out of
compliance mailed to the agency
− Agency given 30 days to correct noncompliant
issues or its plan to correct noncompliant items
− Compliant letter mailed to agency upon
verification of correct items
DPS Satellite
256 Bit AES
Encryption
Satellite Dish
Bldg Roof
DPS Satellite Dish
PES
TXDPS VSAT Hub
3 DE
S1
Encr 28 Bit
yptio
n
Internet
ROUTER
MAKE/MODEL
CAD/RMS
3DES 128 Bit
Encryption
3 DE
S1
Encr 28 Bit
yptio
n
FIREWALL
MAKE AND MODEL
TLETS Mainframe
ROUTER
MAKE/MODEL
SWITCH
MAKE/MODEL
SWITCH
MAKE/MODEL
40 MDTs
3DES 128 Bit
Encryption
`
Sub Station
TLETS Terminal
Another Law Enforcement
Agency
SWITCH
MAKE/MODEL
`
5 TLETS Terminal
`
7 TLETS Terminal
FOR OFFICIAL USE ONLY
DATE
Any Law Enforcement Agency
5 MDTs
ANY LAW ENFORCEMENT AGENCY
Date
FOR OFFICIAL USE ONLY
12
8
B
IT
3D
ES
Any Law Enforcement
Agency
5 MDT
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
−Depicts router(s), switch(s), and firewall(s) and lists their make and
model? (Technical) 5.7.1.2
Manufacturer supporting devices with updates? (Technical)
Network devices secured with locked doors? (Walk Through)
5.9.1.3 & 5.9.1.4
Restricted/Controlled area signage posted? (Walk Through)
5.9.1.1
−CJI data transmitted out side the secured network encrypted at a
minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical)
5.10.1.2
−Network properly segmented from non law enforcement networks ?
(Technical) 5.10.1.2
−Firewall in place between networks and Internet? (Technical)
5.10.1.1
−Firewall fails “close”? (Technical) 5.10.1.1
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram – IT /Network Support
•If IT/Network Support personnel are:
−Vendor
Security Addendum on file and does it include Texas
Signatory Page? (Policy) 5.1.1.5
Signed FBI Certification page? (Policy) 5.1.1.5
Fingerprint based background check ? (Policy) 5.12.1.1 &
5.12.1.2
Security Awareness Training completed (every 2 years)
and documented ? (Policy) 5.2.2
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
•If IT/Network Support personnel are:
−Non LE employees (i.e. city or county)
Signed Management Control Agreement on File (Policy)
5.1.1.4
Fingerprint based back ground check (Policy) 5.12.1.1
Security Awareness Training completed (every 2 years)
and documented (Policy) 5.2.2
•If IT/Network Support personnel are:
−LE employees
•Fingerprint based back ground check (Policy) 5.12.1.1
•Security Awareness Training completed (every 2 years and
documented (Policy) 5.2.2
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
•Depicts number of TLETS terminals? (Technical) 5.7.1.2
−Operating system patched? (Walk Through) 5.10.4.1
−Anti-virus installed and operating and AV signature files
updated? (Walk Through) 5.10.4.2 & 5.10.4.3
−Terminals kept behind secure doors, protected from
unauthorized viewing & unauthorized visitors logged and
escorted? (Walk Through) 5.9.1.3
−Restricted/Controlled area signage posted? (Walk Through)
5.9.1.1
−Session locked after 30 min of inactivity? (Interface) 5.5.5
−Media Control (Policy) 5.9.1.9 – How is equipment
containing CJI Data exiting a secure location controlled?
−Destruction (Policy) 5.8.4 & 5.8.2 – Written procedures for
destroying electronic and physical media?
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram –
•If terminal operators personnel are:
−Vendor
Security Addendum on file and does it include Texas
Signatory Page? (Policy) 5.1.1.5
Signed FBI Certification page? (Policy) 5.1.1.5
Fingerprint cards submitted to DPS ? (Policy) 5.12.1.1 &
5.12.1.2
Security Awareness Training completed (every 2 years)
and documented ? (Policy) 5.2.2
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
•If terminal operators personnel are:
−Non LE employees (i.e. city or county)
Signed Management Control Agreement on File (Policy)
5.1.1.4
Fingerprint cards submitted to DPS (Policy) 5.12.1.1
Security Awareness Training completed (every 2 years)
and documented (Policy) 5.2.2
•If terminal operators personnel are:
−LE employees
•Fingerprint card submitted to DPS (Policy) 5.12.1.1
•Security Awareness Training completed (every 2 years and
documented (Policy) 5.2.2
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
•Mobiles (Technical)
•Operating system patched. (Walk Through) 5.10.4.1
•Anti-virus installed and operating and AV signature files
updated? (Walk Through) 5.10.4.2 & 5.10.4.3
•Firewall enabled (Walk Through) 5.10.4.4
•Vehicles locked when not in use (Walk Through) 5.9.1.3
•Listing of all wireless devices and contact number to disable
them if the need arises. (Wireless) 5.5.7 & 5.5.71
•If transmitted outside secure location (PD, Vehicle) advance
authentication required (Technical) 5.6.2.2
•CJI data transmitted out side the secured network encrypted at
a minimum 128 bit and is a FIPS 140-2 Certificate on file?
(Technical) 5.10.1.2
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
•Interface (CAD/RMS)? (Interface)
•Operating system patched. (Walk Through) 5.10.4.1
•Anti-virus installed and operating and AV signature files
updated? (Walk Through) 5.10.4.2 & 5.10.4.3
•Meets password requirements (Interface) 5.6.2.1
•Locks after 5 consecutive invalid log on attempts (Interface)
5.5.3
•NCIC & III transactions retain for 1 year (Interface) 5.4.7
•Log audit events (Interface) 5.4.1.1
•Meets audit retention, monitoring , alert and review
requirements? (Interface) 5.4.2 & 5.4.3
•CAD/RMS kept behind secure doors, protected from
unauthorized viewing & unauthorized visitors logged and
escorted (Walk Through) 5.9.1.3 & 5.9.1.4
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Network Diagram
−Interface (CAD/RMS)? (Interface-Continued)
Restricted/Controlled area signage posted (Walk Through)
5.9.1.1
−CJI data transmitted out side the secured network encrypted at a
minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical)
5.10.1.2
How To Prepare For A CJIS Audit
Self Audit - Network Diagram
•Hosting/Hosted Agency
−Inter-local Agency Agreement on file (Policy) 5.1.1.4
−If hosting agency – Depict hosted agency connection (encryption
strength), name, and number of devices (Technical) 5.7.1.2
−If hosted agency – Depict hosting agency connection (encryption
strength), name, and number of devices (Technical) 5.7.1.2
−CJI data transmitted out side the secured network encrypted at a
minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical)
5.10.1.2
How To Prepare For A CJIS Audit
Written Policies & Procedures
•Security Awareness Training – 5.2.2
•Incident Response Plan – 5.3.1
•Procedures for revoking/removing CJI access – 5.51,
5.12.2 & 5.12.3
•Policy governing use of personally owned– 5.5.61
•Sanitization, and physical destruction procedures of
electronic media before release or reuse – 5.8.3 &
5.8.4
•Disposal and or destruction of physical media –
5.9.1.2
•Security Alert and Advisories process – 5.5.1
•Process for validating user accounts – 5.5.1
•Policy forbidding transmitting CJI outside secure
location -
How To Prepare For A CJIS Audit
Available Resources – CJIS Audit Team
Jeannette Cardensa
CJIS Auditor
(512) 424-7910
Dan Conte
CJIS Auditor
(512) 424-7137
Ginger Coplen
CJIS Auditor
(512) 424-7913
Alan Ferretti
CJIS Information
Security Officer
(512) 424-7186
Oswald Enriquez
CJIS Auditor
(512) 424-7914
Erwin Pruneda
CJIS Auditor
(512) 424-7911
Linda Sims
CJIS Auditor
(512) 424-2937
Miguel Scott
Info Sec Analyst
512-424-7912
Deborah Wright
CJIS Auditor
(512) 424-7876
first [email protected]
How To Prepare For A CJIS Audit
Available Resources – Security Review Website
•http://www.txdps.state.tx.us/securityreview
–CJIS Security Policy
–CJIS Security Policy Audit Checklist
–Security Awareness Training
–Network Diagram
–Management Control Agreement
–FIPS 140-2 Certificates
–CJIS Security Addendum
–Policy Examples
– Security Advisories
–Agencies Scheduled To Be Audited Thru March 2013
Miguel Scott
Information Security Analyst
TX Dept of Public Safety
Office: 512-424-7912
Email: [email protected]

similar documents