CJIS Security Policy structure
- Criminal Justice and PII
- Section 5: Policy and Implementation
- Appendices A-K: Various supporting information

Shared Management Philosophy
The FBI employs a shared management philosophy with:
- Federal Law Enforcement
- Local Law Enforcement
- State Law Enforcement
- Tribal Law Enforcement
A similar relationship exists with the Compact Council and the State Identification Bureaus for noncriminal justice usage of criminal history records.

The Advisory Process
The Advisory Policy Board (APB), its subcommittees, and its working groups collaborate with the FBI CJIS Division to ensure that the CJIS Security Policy meets evolving business, technology, and security needs.
Advisory Process structure
- 1 CJIS Security Policy
- 1 CJIS APB
- 9 Subcommittees
- 5 Working Groups (those shown: North Central, Western, Northeastern, Southern)

Security & Access Subcommittee representation
- Chairman: TBA
- Vice Chair: Joe Dominic, CA DOJ
- TJ Smith, CA LASD
- Brenda Abaya, HI DPS
- Jim Slater, MA Dept. of Criminal Justice
- Blaine Koops, MI County Sheriff
- Patrick Woods, MO HP
- Yosef Lehrman, NY NYPD
- Brad Truitt, TN
- Chris Kalina, WI DOJ
- Bill Phillips, AZ Nlets
- Charles Shaffer, FDLE

The Advisory Policy Process (two cycles annually, spring and fall)
1. Topic Papers (discussion items submitted)
2. Working Groups, Subcommittees, Board (the APB meets in spring and fall)
3. FBI Director (approval and sign-off on policy)
4. Published policy results: the Security Review Web Site (DPS) and the CJIS Security Policy Resource
Center (FBI)

Policy changes: Security Awareness Training
- Required within six months of employment and biennially afterward.
- It is the agency's responsibility to maintain CJIS Security Awareness training documentation.
- Training from another agency may be accepted.
- Awareness topics depend on the level of access.
- Current options: Omnixx, Security Awareness PDF, and online.

Security Awareness: what's new? Differing levels of training
- Level 1: Personnel with unescorted access to secure areas
- Level 2: Personnel that have physical contact with CJI
- Level 3: Personnel that enter, query, or modify CJI
- Level 4: Personnel with Information Technology roles
Log in to CJIS Online: https://www.cjisonline.com

Policy changes, 5.3: Incident Response
- A significant change in the CJIS Security Policy.
- Any incident involving criminal justice information (CJI), physical or digital, should be reported.

Policy changes, 5.5: Access Control
Provides for the planning and implementation of mechanisms to protect access to CJI and the modification of the systems which process CJI:
- Account Management
- Access Enforcement
- Unsuccessful Login Attempts
- System Use Notification
- Session Lock
- Remote Access
- Personally Owned Information Systems (BYOD)
- No CJI from Publicly Accessible Computers

A few significant changes in CJIS Security Policy v5.4 (5.5: Access Control):
- Document the rationale and the technical and administrative process for enabling remote access for privileged functions.
- Established parameters for permitting Virtual Escorting for Remote Access.

Policy changes: Advanced Authentication
Section 5.6 (subsection number garbled in extraction), Policy Area 6: Identification and Authentication. Clarification of Out-of-Band Authentication for AA.
Advanced Authentication (AA) provides additional security beyond the typical user identification and authentication of login ID and password, such as: biometric systems, user-based digital certificates (e.g. public key infrastructure (PKI)), smart cards, software tokens, hardware tokens, paper (inert) tokens, and out-of-band authenticators (retrieved via a separate communication service channel, e.g. an authenticator sent on demand via text message, phone call, etc.).

Encryption, 5.10: what's changed? A few changes in CJIS Security Policy v5.4
- Encryption exemption for "campus-like scenarios" (must be within line of sight; the request must be obtained through the CSO).
- Changes to the Virtualization subsection of 5.10 (subsection number garbled in extraction): permits virtual segregation.

Policy changes: Faxing
Section 5.10.2, Policy Area 10: System and Communications Protection and Information Integrity. 5.10.2 Facsimile Transmission of CJI
CJI transmitted via a single or multi-function facsimile device over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application, or service which implements email-like technology shall meet the encryption requirements for CJI in transit as defined in Section 5.10.1.
- Hardwired: encryption not required
- Email-like: encryption required

Policy changes: Mobile Devices, Section 5.13
Policy Area 13: Mobile Devices. Highlighted changes include:
5.13.3 Wireless Device Risk Mitigations: Organizations shall, at a minimum, ensure that cellular wireless devices:
- Use advanced authentication or CSO-approved compensating controls as per the referenced section (section number garbled in extraction).
- Employ malicious code protection or run an MDM system that facilitates the ability to provide anti-malware services from the agency level.

Compensating Controls for AA
- Applies only to smartphones and tablets.
- Possession of the agency-issued device is a required part of the control.
- Additional requirements are mostly met by MDM.
- Compensating controls are temporary.
- CSO approval and support are required.
- Compensating controls must meet the intent of the CJIS Security Policy AA requirement, provide a similar level of protection or security as the original AA requirement, and not rely upon existing requirements for AA as compensating controls.
- Submit an email to [email protected] and include "Request for Compensating Controls" in the subject line.

BYOD
1. Personally Owned Information Systems: not authorized to access CJI unless terms and conditions are specified.
2. When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices.

What's Coming in CJIS Policy?
Stephen "Doc" Petty, CISSP, SSCP, CJIS ISO - Texas, [email protected]

What's Coming in CJIS Policy? Policy Section 5.13
- The Mobile Security Task Force will continue to review areas for change and updates to the policy.
- A new Task Force is being established to focus on cloud services.

Policy changes, Section 5.13, 5.13.2: Mobile Device Management
(MDM)
MDM with centralized administration configured and implemented to perform at least the:
- Remote locking of device
- Remote wiping of device
- Setting and locking device configuration
- Detection of rooted and jailbroken devices
- Enforcement of folder or disk level encryption
- Application of mandatory policy settings on the device
- Detection of unauthorized configurations
- Detection of unauthorized software or applications
- Ability to determine the location of agency controlled devices
- Prevention of unpatched devices from accessing CJI or CJI systems
- Automatic device wiping after a specified number of failed access attempts

What's Coming in CJIS Policy? Policy Section 5.10
The Security and Access (SA) Subcommittee has established a Cloud Task Force to review all cloud related topics, such as:
- Collection and use of metadata by cloud service providers
- Security of CJIS data stored in offshore cloud
DPS and Vendor Contact
We have some very strict rules now regarding DPS employees and vendor contact. To set up a call with the DPS CJIS Technical Audit staff, all of the following must be true:
1. The vendor must have a contract with a Texas LE Agency.
2. The vendor must have a fully executed CJIS Security Addendum with the LE Agency.
3. The agency must set up the call with DPS and be on the line.

The Agency can call the CJIS Technical Audit Team at any time. The Agency will need to ensure that due diligence is done regarding its vendor contract. The agency should specify that CJIS compliance is required in the contract. There will be no exceptions to this.

Questions? Thank you