How To Prepare For A CJIS Audit - PowerPoint PPT Presentation

Presentation Transcript

  1. How To Prepare For A CJIS Audit

  2. How To Prepare For A CJIS Audit: Overview
     • Who, What, Why and When
     • Audit Process
     • Self Audit Using Network diagram
     • Required Written Policies/Process
     • Available Resources

  3. PRAY

  4. How To Prepare For A CJIS Audit: Helps To Know
     • Who conducts CJIS audit?
     • What is being audited?
     • Why are we being audited?
     • When does the audit take place?

  5. How To Prepare For A CJIS Audit: Who conducts CJIS Audit?
     • Texas DPS CJIS Security Team
       • Ensures all criminal justice and noncriminal justice agencies accessing TLETS meet requirements mandated by the CJIS Security Policy
       • Office created 2006
       • CJIS Information Security Officer – Alan Ferretti
       • 12 Auditors
       • 1200 TLETS agencies
       • Audited 882 agencies

  6. How To Prepare For A CJIS Audit: What is being audited?
     • CJIS Security Policy 5.0 Compliance
       • Establishes the minimum security requirements for Criminal Justice Information.
       • Version 5.0 has grown to four times the pages and two and a half times the requirements found in Version 4.5.
       • Technology continues to progress and be made available.
       • Security threats have continued to increase.
       • Version 5.0 is no longer a classified document. It is now considered a public document.

  7. How To Prepare For A CJIS Audit: Why is my agency being audited?
     • CJIS Security Policy Requirement
     • Every 3 years
     • Other audit triggers

  8. Audit Triggers

  9. How To Prepare For A CJIS Audit: Audit Process
     • Schedule audit
       • 2 - 6 weeks notice
       • Follow up with email detailing instructions and recommendations
       • Formal notification by letter
     • Pre-Audit
       • Phone call
       • Clarify instructions
       • Answer Questions

  10. How To Prepare For A CJIS Audit: Audit Process – On site Audit
     • CJIS Security Policy Version 5 Audit Checklist

  11. How To Prepare For A CJIS Audit: Audit Process – Compliant
     • Compliant
       • Formal letter mailed to agency
       • Next scheduled audit – 3 years unless event occurs that triggers audit

  12. How To Prepare For A CJIS Audit: Audit Process – Non-compliant
     • Non-compliant
       • Non-compliant letter, listing items out of compliance, mailed to the agency
       • Agency given 30 days to correct noncompliant issues or its plan to correct noncompliant items
       • Compliant letter mailed to agency upon verification of corrected items

  13. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • Depicts router(s), switch(es), and firewall(s) and lists their make and model? (Technical) 5.7.1.2
       • Manufacturer supporting devices with updates? (Technical)
       • Network devices secured with locked doors? (Walk Through) 5.9.1.3 & 5.9.1.4
       • Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1
       • CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
       • Network properly segmented from non law enforcement networks? (Technical) 5.10.1.2
       • Firewall in place between networks and Internet? (Technical) 5.10.1.1
       • Firewall fails “close”? (Technical) 5.10.1.1

  14. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram – IT/Network Support
       • If IT/Network Support personnel are:
         • Vendor
           • Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5
           • Signed FBI Certification page? (Policy) 5.1.1.5
           • Fingerprint based background check? (Policy) 5.12.1.1 & 5.12.1.2
           • Security Awareness Training completed (every 2 years) and documented? (Policy) 5.2.2

  15. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • If IT/Network Support personnel are:
         • Non LE employees (i.e. city or county)
           • Signed Management Control Agreement on File (Policy) 5.1.1.4
           • Fingerprint based background check (Policy) 5.12.1.1
           • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2
       • If IT/Network Support personnel are:
         • LE employees
           • Fingerprint based background check (Policy) 5.12.1.1
           • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2

  16. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • Depicts number of TLETS terminals? (Technical) 5.7.1.2
       • Operating system patched? (Walk Through) 5.10.4.1
       • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
       • Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) 5.9.1.3
       • Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1
       • Session locked after 30 min of inactivity? (Interface) 5.5.5
       • Media Control (Policy) 5.9.1.9 – How is equipment containing CJI Data exiting a secure location controlled?
       • Destruction (Policy) 5.8.4 & 5.8.2 – Written procedures for destroying electronic and physical media?

  17. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • If terminal operators personnel are:
         • Vendor
           • Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5
           • Signed FBI Certification page? (Policy) 5.1.1.5
           • Fingerprint cards submitted to DPS? (Policy) 5.12.1.1 & 5.12.1.2
           • Security Awareness Training completed (every 2 years) and documented? (Policy) 5.2.2

  18. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • If terminal operators personnel are:
         • Non LE employees (i.e. city or county)
           • Signed Management Control Agreement on File (Policy) 5.1.1.4
           • Fingerprint cards submitted to DPS (Policy) 5.12.1.1
           • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2
       • If terminal operators personnel are:
         • LE employees
           • Fingerprint card submitted to DPS (Policy) 5.12.1.1
           • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2

  19. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • Mobiles (Technical)
         • Operating system patched. (Walk Through) 5.10.4.1
         • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
         • Firewall enabled (Walk Through) 5.10.4.4
         • Vehicles locked when not in use (Walk Through) 5.9.1.3
         • Listing of all wireless devices and contact number to disable them if the need arises. (Wireless) 5.5.7 & 5.5.7.1
         • If transmitted outside secure location (PD, Vehicle) advanced authentication required (Technical) 5.6.2.2
         • CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

  20. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • Interface (CAD/RMS)? (Interface)
         • Operating system patched. (Walk Through) 5.10.4.1
         • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
         • Meets password requirements (Interface) 5.6.2.1
         • Locks after 5 consecutive invalid log on attempts (Interface) 5.5.3
         • NCIC & III transactions retained for 1 year (Interface) 5.4.7
         • Log audit events (Interface) 5.4.1.1
         • Meets audit retention, monitoring, alert and review requirements? (Interface) 5.4.2 & 5.4.3
         • CAD/RMS kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted (Walk Through) 5.9.1.3 & 5.9.1.4

  21. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Network Diagram
       • Interface (CAD/RMS)? (Interface – Continued)
         • Restricted/Controlled area signage posted (Walk Through) 5.9.1.1
         • CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

  22. How To Prepare For A CJIS Audit: Self Audit – Network Diagram
     • Hosting/Hosted Agency
       • Inter-local Agency Agreement on file (Policy) 5.1.1.4
       • If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
       • If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
       • CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

  23. How To Prepare For A CJIS Audit: Written Policies & Procedures
     • Security Awareness Training – 5.2.2
     • Incident Response Plan – 5.3.1
     • Procedures for revoking/removing CJI access – 5.5.1, 5.12.2 & 5.12.3
     • Policy governing use of personally owned – 5.5.6.1
     • Sanitization and physical destruction procedures of electronic media before release or reuse – 5.8.3 & 5.8.4
     • Disposal and/or destruction of physical media – 5.9.1.2
     • Security Alert and Advisories process – 5.5.1
     • Process for validating user accounts – 5.5.1
     • Policy forbidding transmitting CJI outside secure location -

  24. How To Prepare For A CJIS Audit: Available Resources – CJIS Audit Team

  25. How To Prepare For A CJIS Audit: Available Resources – Security Review Website
     http://www.txdps.state.tx.us/securityreview
     • CJIS Security Policy
     • CJIS Security Policy Audit Checklist
     • Security Awareness Training
     • Network Diagram
     • Management Control Agreement
     • FIPS 140-2 Certificates
     • CJIS Security Addendum
     • Policy Examples
     • Security Advisories
     • Agencies Scheduled To Be Audited Thru March 2013

  26. Miguel Scott Information Security Analyst TX Dept of Public Safety Office: 512-424-7912 Email: miguel.scott@dps.texas.gov
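
A self-audit of the personnel items on slides 14, 15, 17 and 18 can be scripted against an agency roster. The sketch below is an added example, not part of the presentation or any DPS tool; the record layout and field names are hypothetical, the roster is constructed sample data, and "every 2 years" is read as two calendar years from the last documented training date.

```python
from datetime import date

# Added example; the field names and record layout are hypothetical.
# Required items per personnel category, with the policy sections the slides cite.
REQUIRED = {
    "vendor": {"security_addendum": "5.1.1.5", "texas_signatory_page": "5.1.1.5",
               "fbi_certification": "5.1.1.5",
               "fingerprint_check": "5.12.1.1 & 5.12.1.2"},
    "non_le": {"management_control_agreement": "5.1.1.4",
               "fingerprint_check": "5.12.1.1"},
    "le": {"fingerprint_check": "5.12.1.1"},
}
TRAINING_YEARS = 2  # "every 2 years", read here as two calendar years (assumption)

def training_due(last_trained, today):
    """True when training is undocumented or older than the interval."""
    if last_trained is None:
        return True
    try:
        expires = last_trained.replace(year=last_trained.year + TRAINING_YEARS)
    except ValueError:  # trained on 29 Feb and the expiry year is not a leap year
        expires = last_trained.replace(year=last_trained.year + TRAINING_YEARS, day=28)
    return today > expires

def audit_person(rec, today):
    """Return (name, missing item, policy section) tuples for one person."""
    required = REQUIRED.get(rec["category"])
    if required is None:
        return [(rec["name"], "unknown personnel category", "n/a")]
    findings = [(rec["name"], item, section)
                for item, section in required.items() if not rec.get(item)]
    if training_due(rec.get("last_trained"), today):
        findings.append((rec["name"], "security_awareness_training", "5.2.2"))
    return findings

def audit_roster(roster, today):
    """Run audit_person over every record and flatten the findings."""
    return [f for rec in roster for f in audit_person(rec, today)]

# Constructed sample roster, not real personnel data.
ROSTER = [
    {"name": "vendor-tech", "category": "vendor", "security_addendum": True,
     "texas_signatory_page": True, "fbi_certification": False,
     "fingerprint_check": True, "last_trained": date(2012, 1, 15)},
    {"name": "city-it", "category": "non_le", "management_control_agreement": True,
     "fingerprint_check": True, "last_trained": date(2010, 6, 1)},
    {"name": "dispatcher", "category": "le", "fingerprint_check": True,
     "last_trained": None},
]

if __name__ == "__main__":
    for name, item, section in audit_roster(ROSTER, date(2013, 3, 1)):
        print(f"{name}: {item} not on file (CJIS Security Policy {section})")
```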