Sat training template
Download
1 / 35

SAT Training Template - PowerPoint PPT Presentation


  • 89 Views
  • Uploaded on

SAT Training Template. Agencies are responsible to administer the Security Awareness Training (SAT) to all personnel having access to CHRI as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' SAT Training Template' - ursula-ball


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Sat training template
SAT Training Template

Agencies are responsible to administer the Security Awareness Training (SAT) to all personnel having access to CHRI as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats.

The Michigan State Police (MSP) has created a Noncriminal Justice Agency (NCJA) “template” for your use in implementing these requirements. The SAT Training Template is a fill-in PowerPoint for agency use. Agencies should complete all fields indicated in red as applicable to agency policy, procedure, and process. Any questions to the use of the template may be directed to the Audit & Training Section:

  • MSP-CJIC-ATS@michigan.gov

  • (517) 241-0621


Noncriminal justice agency ncja security awareness training

Noncriminal Justice Agency(NCJA) Security Awareness Training


Criminal justice information exchange history
Criminal Justice Information Exchange History

The FBI Criminal Justice Information Services (CJIS) is our nations largest and central repository of Criminal History Record Information (CHRI) assisting state’s law enforcement, governmental, public, and private entities by sharing information for criminal justice and noncriminal justice purposes.


Sat training template

FBI Criminal Justice Information Services

Serves as our nations administrator for the appropriate security and management controls. As such, the FBI designates one criminal justice agency (on the CJIS network) as the CJIS Systems Agency (CSA) who is considered their point of contact in each state.

Michigan State Police

The CSA is duly authorized to oversee the security and management of all CJI (includes CHRI) exchanges within the State of Michigan. Responsible for setting, maintaining, enforcing and reporting compliance to the FBI CJIS Division for such exchanges.

Noncriminal Justice Agency

For the purpose of licensing and employment, certain authorized agencies request and receive fingerprint based CHRI. Making the Noncriminal Justice Agency (NCJA) the next responsible records management entity.


How you the employee is connected
How “You” the Employee is Connected

As an employee of an NCJA, these same security and management control responsibilities extend to you. Security Awareness Training is to identify your individual role and responsibilities, and equip you with the knowledge, resources, and tools necessary to ensure the appropriate security and management of CHRI.


Access use
Access & Use

Access to CJI/CHRI is limited to authorized personnel and for an authorized purpose as prescribed by [state and/or federal Law].

Use of CHRI is for and by authorized personnel as designated by your employer.


Why security awareness training
Why Security Awareness Training?

Individuals, businesses, and government organizations have become increasingly reliant on information technology systems. This fact makes protecting these assets more important than ever before.

Systems have become more complex and interconnected, increasing the potential risk with their operations.

Security training and the implementation of, is required by the FBI CJIS Security Policy (policy area 2, section 5.2. Security Awareness Training)


Information system security
Information System Security

The term information security refers to protection of information and information technology (IT) systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

  • Security:to ensure that information is not compromised by any unauthorized individuals,

  • Confidentiality:to ensure that information is not disclosed to unauthorized individuals,

  • Integrity:to ensure that information and systems are not modified maliciously or accidentally.


Security awareness training sat begins
Security Awareness Training (SAT) Begins

Agencies shall provide SAT to all personnel having

access to CHRI, within six (6) months of their

assignment and once every two (2) years thereafter.

SAT Effects:

  • All personnel with access to CJI/CHRI

  • Personnel with physical and logical access

  • Personnel with information technology (IT) roles


Sat begins
SAT Begins

CHRI is governed and protected by:

  • Federal and state laws

  • Policies, memorandum, and regulation

  • NCJA policies, procedures, processes, and rules

All are designed to reduce the risk of unauthorized access and misuse. Noncompliance of any of these will lead to disciplinary action according to agency [Policy, procedure, written process action]. Disciplinary action is determined by [Agency or Position of Authority] and in accordance with FBI CJIS Security Policy.


Reporting of a security breach
Reporting of a Security Breach

Incident Reporting:

  • As an agency employee it is your responsibility to report any perceived or known security breaches regarding CHRI.

  • Reporting is required whether the CHRI breach is physical or through electronic devices.

  • All incidents are to be reported to [position authority].

  • You may refer to [policy or procedure] for the most current incident response protocol.


Security breach
Security Breach

Is defined as:

  • An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called security violation.

  • The intentional or unintentional release of secure information to an un-trusted, unauthorized environment.

  • The unauthorized acquisition, access, use or disclosure of protected information which compromises the security or privacy of such information.


Media protection
Media Protection

Media must be protected at all times against any

unauthorized access to or routine viewing of computer

devices, access devices, and printed/stored data.

All media is to be handled with the upmost care and be marked copy and confidential so others having access to CHRI are also aware of the attention required when handling CHRI.

Agency[Policy, procedure, or written process] is provided and available [where available] to ensure media protection exists and carried out in the appropriate manner.


Media protection1
Media Protection

Is the protection of electronic and physical

CHRI media by:

  • Restricting media to authorized personnel only.

  • Securely storing within physically secured locations and controlled areas.

  • Protecting and controlling media anytime it is transported outside of controlled areas.

  • Disposing of media securely and only by an authorized personnel.


Media protection2
Media Protection

Physical Security includes:

  • Protection of information subject to confidentiality

  • Limitation of visitor access to controlled areas

  • Prevention of social engineering

  • Positioning of computer and system devices (lap tops, cellular phones, I-pads, or any kind of hand held devices used to access, process or store CHRI media) in such a way that prevents unauthorized personal gaining physical or visual access.

  • Locking of rooms, areas, or storage containers where CHRI media is accessed, processed and/or

    stored


Media protection3
Media Protection

Electronic Security includes:

  • Protection of information subject to confidentiality

  • Password use and management

  • Protection from viruses, worms, Trojan horses and other malicious code

  • Appropriate use and management of e-mail, spam and attachments

  • Appropriate web use

  • Use of encryption; for transmission of sensitive/confidential information through electronic means.

  • Backing up electronic media on a regular basis.


It personnel
IT Personnel

As outlined by the agency, it is the IT personnel's responsibility to install:

  • Protection from viruses, worms, Trojan horses, and other malicious code through electronic scanning and updating definitions.

  • Provide data backup and storage through centralized and decentralized approaches, when applicable.

  • Provide timely application of system patches as part of configuration management.

  • Provide access control measures.

  • Provide protection measures for agency Network infrastructure.


Visitors control
Visitors Control

Visitor access to controlled areas where CHRI is

maintained and processed shall be avoided when ever

possible. If visitor access becomes necessary, all visitors

will be escorted by authorized personnel at all times while

in a controlled area. Agency [policy or procedure] exist to

prevent unauthorized access to CHRI and is your

responsibility to adhere to all agency requirements.


Visitors control1
Visitors Control

  • Minimum requirements:

  • Lock the area, room or storage container when CHRI is unattended by an authorized personnel.

  • Position CHRI system devices and documents containing CHRI in such a way as to prevent unauthorized individuals from access and view.

  • Follow the encryption requirements set forth by the agency for electronic storage of CHRI.

  • Challenge strangers to the nature and business in the controlled area.

  • Report unusual or suspicious behavior to appropriate personnel.


Threats vulnerabilities and risks
Threats, Vulnerabilities, and Risks

A vulnerability is a point where a system is

susceptible to attack.

Vulnerabilities may include:

  • 1.Physical

  • 4.Natural

  • 5.Communication

  • 2.Human

  • 3.Hardware and Software


Threats vulnerabilities and risks1
Threats, Vulnerabilities, and Risks

A threat is an unintentional or deliberate event or

circumstance which could have an adverse impact on an

information system. Threats can come from internal or

external sources. There are three main categories of

threats:

  • Natural(fire, flood, lightning, power failures)

  • Unintentional(actions that occur due to lack of knowledge or through carelessness)

  • Intentional (a deliberate plan to harm or manipulate an information system, its software and/or data)


Dissemination
Dissemination

Laws, policies, procedures, and written processes discussed through this training apply to CHRI received from the FBI CJIS for noncriminal justice purposes.

In general a NCJA purpose includes the use of CHRI for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice, including but not limited to:

  • [Employment suitability or Licensing]

    Any CHRI released to another authorized agency and that agency was not part of the original information

    exchange shall be logged. See[policy, procedure,

    written process]for logging details.


Destruction
Destruction

Disposal of sensitive data shall be securely disposed

of when no longer required.

When no longer using diskettes, tape cartridges,

ribbons, hard copies, print-outs, and other similar

items destroy them by cross-cut shredding or

Incineration and by authorized personnel.

DO NOT PLACE SENSITIVE DATA IN

TRASH CANS


Desktop security
Desktop Security

Pertains to your agency issued computers, laptops, and handheld devices. Personally owned equipment and software [is/is not] allowed and guidance for such a instance can be located within agency [Policy, procedure, or written documentation].

You have NO EXPECTATION OF PRIVACY IN THEIR USE.

Physical and electronic media not under the direct supervision of an authorized personnel should be locked and secured any time not in use. If you know you are going to be away from your desk for an extended period of time, either shut down your system or lock your keyboard.


Desktop security1
Desktop Security

Passwords“standard authentication”

  • An “electronic signature”

  • Ensures the user is who they say they are

  • Used in all instances of system access for the use, processing, and storage of electronic CHRI media

  • Used to restrict access to authorized personnel only

    Agency [policy, procedure, written process] exists and is

    available [where available] to ensure the appropriate

    security and management controls are followed.


Desktop security2

Passwords shall exist for all electronically

maintained media.

Be a minimum length of eight characters.

Not be a dictionary word or proper name.

Not be the same as the User ID.

Expire within a maximum of 90 days.

Not be identical to the previous ten passwords.

Not be transmitted in the clear outside the secure location.

Not be displayed when entered.

Desktop Security


Vulnerabilities and threats
Vulnerabilities and Threats

Threats include:

  • Eavesdropping

  • Unauthorized data access

  • Intrusions

  • Denial of Service

  • Theft

  • Social Engineering

  • Phishing

  • Sabotage

  • Web use

  • Spam

BEWARE!


Vulnerabilities and threats1
Vulnerabilities and Threats

Social engineers don’t need to be “technically” savvy, they use their “people skills” to allow them in where they’re NOT suppose to be:

  • Charm

  • Intimidation

  • Trickery

    “Phishing” is the receipt of an email pretending to be from an on-line store, a financial institution, or an internet service provider with the intention of gaining personal information.

    Sabotage is the deliberate action aimed at weakening another entity, the conscious withdrawal of efficiency generally directed at causing some change in workplace conditions.


Vulnerabilities and threats2
Vulnerabilities and Threats

Work related web use is necessary at times and for applicable purposes and [policy, procedure, or written process] exist to identify the security controls necessary to ensure and minimize the detrimental affects of viruses, worms, Trojan horses, and other malicious code.

Additionally, web use for personal reasons [is/is not allowed]and when used for such purposes shall be conducted in the same manner as outlined in [policy, procedure, or written process].

“Spam” is the unsolicited electronic messaging by outside entities also containing viruses, worms, Trojan horses, and other malicious code. It is detrimental to use e-mail blocking and junk mail functions to minimize impact.


Vulnerabilities and threats3
Vulnerabilities and Threats

Eavesdropping can also be a threat when heard by the wrong person seeking personal gain. Persons secretly listening to the conversations of others is a good way to learn about what should be confidential information. Ensure you are aware of your surroundings and environment and only discuss the details of CHRI with appropriate personnel.

  • Unauthorized data access, intrusions, denial of service, and theft can all contribute to the vulnerability of an agencies system and its up to you to ensure the security, confidentiality and integrity of CHRI while under your control.


Are you being hacked how to tell

A system alarm or similar indication from an intrusion detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)

Suspicious entries in system or network accounting

Accounting discrepancies (e.g., Exceptional slow network activity, disconnection from network service or unusual network traffic

notices an 18-minute gap in the accounting log in which there is no correlation)

Unsuccessful logon attempts

New User accounts of unknown origin

Unusual log entries such as network connections to unfamiliar machines or services, login failures

New files of unknown origin and function

Unexplained addition, deletion, or modification of data

System crashes

Poor system performance – System appears to be slower than normal and less responsive than expected

Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords

Port scanning (use of exploit and vulnerability scanner, remote requests for information about systems and/or users, or social engineering attempts)

Unusual usage times (statistically, more security incidents occur during non-working hours than any other time)

An indicated last time of usage of a account that does not correspond to the actual last time of usage for that account

Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)

Denial of service activity or inability of one or more users to login to an account; including admin/root logins to the console

Are you being hacked? How to tell.


Standards of discipline
Standards of Discipline detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)

FBI CJIS information is sensitive information. Improper

access, use and dissemination is serious and may result in

the imposition of disciplinary action up to dismissal. Can

include termination of services, as well as state/federal

criminal penalties.

It is your responsibility to conform to the requirements of

the Rules of Behavior when using computers with access

to CHRI data. Failure to comply with rules of behavior

may constitute a security violation resulting in denial of

access to the system.


Remember
Remember detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)

  • You are the key to security, it begins withYOU.

  • It’s your responsibility to ensure you’re aware of and adhere to all policies and procedures regarding IT Security.

  • If you have any questions about the proper operation or security of computer systems entrusted to you, contact your local agency security officer.


Proof of training completion
Proof of Training Completion detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)

Upon completion of Security Awareness Training:

Complete applicable fields of the last page certificate, except for “Authorizing Name and Title” field. Once applicable fields are completed, print and provide to agency authorizer for verification signature.


Sat training template
[Agency Name] detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)Presents[Employee Name]with thisSecurity Awareness TrainingProof of CompletionOn[DATE]

Authorizing Name and Title