SAT Training Template
Agencies are responsible for administering the Security Awareness Training (SAT) to all personnel having access to CHRI, as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats.
The Michigan State Police (MSP) has created a Noncriminal Justice Agency (NCJA) “template” for your use in implementing these requirements. The SAT Training Template is a fill-in PowerPoint for agency use. Agencies should complete all fields indicated in red as applicable to agency policy, procedure, and process. Any questions about the use of the template may be directed to the Audit & Training Section:
The FBI Criminal Justice Information Services (CJIS) is our nation's largest and central repository of Criminal History Record Information (CHRI), assisting states' law enforcement, governmental, public, and private entities by sharing information for criminal justice and noncriminal justice purposes.
The FBI also serves as our nation's administrator for the appropriate security and management controls. As such, the FBI designates one criminal justice agency (on the CJIS network) as the CJIS Systems Agency (CSA), which is considered its point of contact in each state.
Michigan State Police
The CSA is duly authorized to oversee the security and management of all CJI (which includes CHRI) exchanges within the State of Michigan. It is responsible for setting, maintaining, enforcing, and reporting compliance to the FBI CJIS Division for such exchanges.
Noncriminal Justice Agency
For the purpose of licensing and employment, certain authorized agencies request and receive fingerprint-based CHRI, making the Noncriminal Justice Agency (NCJA) the next responsible records management entity.
As an employee of an NCJA, these same security and management control responsibilities extend to you. Security Awareness Training is to identify your individual role and responsibilities, and equip you with the knowledge, resources, and tools necessary to ensure the appropriate security and management of CHRI.
Access to CJI/CHRI is limited to authorized personnel and for an authorized purpose as prescribed by [state and/or federal Law].
Use of CHRI is for and by authorized personnel as designated by your employer.
Individuals, businesses, and government organizations have become increasingly reliant on information technology systems. This fact makes protecting these assets more important than ever before.
Systems have become more complex and interconnected, increasing the potential risk associated with their operation.
Security awareness training, and its implementation, is required by the FBI CJIS Security Policy (Policy Area 2, Section 5.2, Security Awareness Training).
The term information security refers to protection of information and information technology (IT) systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
Agencies shall provide SAT to all personnel having access to CHRI, within six (6) months of their assignment and once every two (2) years thereafter.
CHRI is governed and protected by:
All are designed to reduce the risk of unauthorized access and misuse. Noncompliance with any of these will lead to disciplinary action according to agency [Policy, procedure, written process action]. Disciplinary action is determined by [Agency or Position of Authority] and in accordance with the FBI CJIS Security Policy.
Is defined as:
Media must be protected at all times against any unauthorized access to or routine viewing of computer devices, access devices, and printed/stored data.
All media is to be handled with the utmost care and be marked “copy” and “confidential” so others having access to CHRI are also aware of the attention required when handling CHRI.
Agency [Policy, procedure, or written process] is provided and available [where available] to ensure media protection exists and is carried out in the appropriate manner.
Is the protection of electronic and physical CHRI media by:
Physical Security includes:
Electronic Security includes:
As outlined by the agency, it is the IT personnel's responsibility to install:
Visitor access to controlled areas where CHRI is maintained and processed shall be avoided whenever possible. If visitor access becomes necessary, all visitors will be escorted by authorized personnel at all times while in a controlled area. Agency [policy or procedure] exists to prevent unauthorized access to CHRI, and it is your responsibility to adhere to all agency requirements.
A vulnerability is a point where a system is susceptible to attack.
Vulnerabilities may include:
A threat is an unintentional or deliberate event or circumstance which could have an adverse impact on an information system. Threats can come from internal or external sources. There are three main categories of
Laws, policies, procedures, and written processes discussed through this training apply to CHRI received from the FBI CJIS for noncriminal justice purposes.
In general, an NCJA purpose includes the use of CHRI for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice, including but not limited to:
Any CHRI released to another authorized agency that was not part of the original information exchange shall be logged. See [policy, procedure, written process] for logging details.
Sensitive data shall be securely disposed of when no longer required.
When no longer using diskettes, tape cartridges, ribbons, hard copies, print-outs, and other similar items, destroy them by cross-cut shredding or incineration, carried out by authorized personnel.
DO NOT PLACE SENSITIVE DATA IN
Pertains to your agency-issued computers, laptops, and handheld devices. Personally owned equipment and software [is/is not] allowed, and guidance for such an instance can be located within agency [Policy, procedure, or written documentation].
You have NO EXPECTATION OF PRIVACY IN THEIR USE.
Physical and electronic media not under the direct supervision of authorized personnel should be locked and secured any time it is not in use. If you know you are going to be away from your desk for an extended period of time, either shut down your system or lock your keyboard.
Agency [policy, procedure, written process] exists and is available [where available] to ensure the appropriate security and management controls are followed.
Be a minimum length of eight characters.
Not be a dictionary word or proper name.
Not be the same as the User ID.
Expire within a maximum of 90 days.
Not be identical to the previous ten passwords.
Not be transmitted in the clear outside the secure location.
Not be displayed when entered.
Desktop Security
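The password rules listed above can be enforced at the point where a password is set. The following checker is an added example written for this training, not code from MSP or the CJIS Security Policy; the word list, the `age_days` input and the salted-hash history format are constructed assumptions standing in for an agency's real dictionary and credential store.

```python
import hashlib
import os

# Constructed mini word list standing in for a dictionary / proper-name check (assumption).
DICTIONARY = {"password", "michigan", "welcome", "summer", "lansing"}
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 10


def hash_pw(password, salt):
    """Salted SHA-256, used here only to compare against stored history entries."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def check_password(user_id, password, history, age_days=None):
    """Return the list of rules the password violates (empty list = acceptable).

    history:  list of (salt, digest) tuples for previous passwords, oldest first.
    age_days: age of the current password, used for the 90-day expiry rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("minimum length of eight characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if password.lower() == user_id.lower():
        problems.append("same as the User ID")
    # Only the last ten entries count, per the policy.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_pw(password, salt) == digest:
            problems.append("identical to one of the previous ten passwords")
            break
    if age_days is not None and age_days > MAX_AGE_DAYS:
        problems.append("older than 90 days; must be changed")
    return problems


def record_password(history, password):
    """Store a fresh salted hash and keep only the last ten entries."""
    salt = os.urandom(16)
    history.append((salt, hash_pw(password, salt)))
    del history[:-HISTORY_DEPTH]
    return history
```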
Social engineers don’t need to be “technically” savvy; they use their “people skills” to get in where they’re NOT supposed to be:
“Phishing” is the receipt of an email pretending to be from an on-line store, a financial institution, or an internet service provider with the intention of gaining personal information.
Sabotage is the deliberate action aimed at weakening another entity, the conscious withdrawal of efficiency generally directed at causing some change in workplace conditions.
Work-related web use is necessary at times and for applicable purposes, and [policy, procedure, or written process] exists to identify the security controls necessary to minimize the detrimental effects of viruses, worms, Trojan horses, and other malicious code.
Additionally, web use for personal reasons [is/is not allowed], and when used for such purposes it shall be conducted in the same manner as outlined in [policy, procedure, or written process].
“Spam” is unsolicited electronic messaging by outside entities which may also contain viruses, worms, Trojan horses, and other malicious code. Use e-mail blocking and junk mail functions to minimize its impact.
Eavesdropping can also be a threat when information is heard by the wrong person seeking personal gain. Persons secretly listening to the conversations of others can learn what should be confidential information. Ensure you are aware of your surroundings and environment and only discuss the details of CHRI with appropriate personnel.
A system alarm or similar indication from an intrusion detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)
Suspicious entries in system or network accounting
Accounting discrepancies (e.g., someone notices an 18-minute gap in the accounting log that cannot be accounted for)
Exceptionally slow network activity, disconnection from network service, or unusual network traffic
Unsuccessful logon attempts
New User accounts of unknown origin
Unusual log entries such as network connections to unfamiliar machines or services, login failures
New files of unknown origin and function
Unexplained addition, deletion, or modification of data
Poor system performance – System appears to be slower than normal and less responsive than expected
Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords
Port scanning (use of exploit and vulnerability scanner, remote requests for information about systems and/or users, or social engineering attempts)
Unusual usage times (statistically, more security incidents occur during non-working hours than any other time)
An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account
Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)
Denial of service activity or inability of one or more users to login to an account; including admin/root logins to the console
Are you being hacked? How to tell.
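Several of the indicators above (unsuccessful logon attempts, new user accounts of unknown origin, unusual usage times) can be picked out of ordinary system logs automatically. The following script is an added example for this training, not agency or MSP code; the log format, the sample lines, the five-failure threshold and the 07:00-18:59 working-hours window are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from any real system) in an assumed
# "timestamp level user=... action=... [result=...] [target=...]" format.
SAMPLE_LOG = """\
2024-03-04 08:55:12 INFO user=jsmith action=logon result=success
2024-03-04 12:10:01 WARN user=jsmith action=logon result=failure
2024-03-04 12:10:05 WARN user=jsmith action=logon result=failure
2024-03-04 12:10:09 WARN user=jsmith action=logon result=failure
2024-03-04 12:10:14 WARN user=jsmith action=logon result=failure
2024-03-04 12:10:20 WARN user=jsmith action=logon result=failure
2024-03-04 23:41:37 INFO user=svc_tmp action=logon result=success
2024-03-05 02:03:00 INFO user=admin action=useradd target=svc_tmp
"""

LINE = re.compile(r"^(\S+ \S+) \w+ user=(\S+) action=(\S+)(?: result=(\S+))?(?: target=(\S+))?$")
FAILED_LOGON_THRESHOLD = 5   # assumption: five failures for one account is worth a look
WORK_HOURS = range(7, 19)    # assumption: 07:00-18:59 counts as working hours


def parse(log_text):
    """Turn the raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, action, result, target = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "user": user, "action": action, "result": result, "target": target})
    return events


def find_indicators(events, known_users):
    """Return (indicator, subject, detail) tuples for the three checks this example covers."""
    findings = []
    failures = Counter(e["user"] for e in events
                       if e["action"] == "logon" and e["result"] == "failure")
    for user, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("unsuccessful logon attempts", user, n))
    for e in events:
        if e["action"] == "logon" and e["result"] == "success" and e["ts"].hour not in WORK_HOURS:
            findings.append(("unusual usage time", e["user"], e["ts"].strftime("%H:%M")))
        if e["action"] == "useradd" and e["target"] not in known_users:
            findings.append(("new user account of unknown origin", e["target"], e["user"]))
    return findings
```

Findings are leads to be reviewed against the agency's own records, not proof of compromise by themselves.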
FBI CJIS information is sensitive information. Improper access, use, and dissemination is serious and may result in the imposition of disciplinary action up to dismissal. It can include termination of services, as well as state/federal
It is your responsibility to conform to the requirements of the Rules of Behavior when using computers with access to CHRI data. Failure to comply with the Rules of Behavior may constitute a security violation resulting in denial of access to the system.
Upon completion of Security Awareness Training:
Complete applicable fields of the last page certificate, except for “Authorizing Name and Title” field. Once applicable fields are completed, print and provide to agency authorizer for verification signature.
Authorizing Name and Title