
SAT Training Template

SAT Training Template. Agencies are responsible to administer the Security Awareness Training (SAT) to all personnel having access to CHRI as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats.



Presentation Transcript


  1. SAT Training Template Agencies are responsible for administering the Security Awareness Training (SAT) to all personnel having access to CHRI as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats. The Michigan State Police (MSP) has created a Noncriminal Justice Agency (NCJA) “template” for your use in implementing these requirements. The SAT Training Template is a fill-in PowerPoint for agency use. Agencies should complete all fields indicated in red as applicable to agency policy, procedure, and process. Any questions about the use of the template may be directed to the Audit & Training Section: • MSP-CJIC-ATS@michigan.gov • (517) 241-0621

  2. Noncriminal Justice Agency (NCJA) Security Awareness Training

  3. Criminal Justice Information Exchange History The FBI Criminal Justice Information Services (CJIS) Division is our nation's largest and central repository of Criminal History Record Information (CHRI), assisting states' law enforcement, governmental, public, and private entities by sharing information for criminal justice and noncriminal justice purposes.

  4. FBI Criminal Justice Information Services: Serves as our nation's administrator for the appropriate security and management controls. As such, the FBI designates one criminal justice agency (on the CJIS network) in each state as the CJIS Systems Agency (CSA), which is considered the FBI's point of contact in that state. Michigan State Police: The CSA is duly authorized to oversee the security and management of all CJI (which includes CHRI) exchanges within the State of Michigan, and is responsible for setting, maintaining, and enforcing compliance for such exchanges and reporting it to the FBI CJIS Division. Noncriminal Justice Agency: For the purpose of licensing and employment, certain authorized agencies request and receive fingerprint-based CHRI. This makes the Noncriminal Justice Agency (NCJA) the next responsible records management entity.

  5. How “You,” the Employee, Are Connected As an employee of an NCJA, these same security and management control responsibilities extend to you. Security Awareness Training identifies your individual role and responsibilities, and equips you with the knowledge, resources, and tools necessary to ensure the appropriate security and management of CHRI.

  6. Access & Use Access to CJI/CHRI is limited to authorized personnel and for an authorized purpose as prescribed by [state and/or federal Law]. Use of CHRI is for and by authorized personnel as designated by your employer.

  7. Why Security Awareness Training? Individuals, businesses, and government organizations have become increasingly reliant on information technology systems. This makes protecting these assets more important than ever before. Systems have become more complex and interconnected, increasing the risk to their operation. Security awareness training, and its implementation, is required by the FBI CJIS Security Policy (Policy Area 2, Section 5.2, Security Awareness Training).

  8. Information System Security The term information security refers to the protection of information and information technology (IT) systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: • Availability: to ensure timely and reliable access to information for authorized individuals, • Confidentiality: to ensure that information is not disclosed to unauthorized individuals, • Integrity: to ensure that information and systems are not modified maliciously or accidentally.

  9. Security Awareness Training (SAT) Begins Agencies shall provide SAT to all personnel having access to CHRI within six (6) months of their assignment, and once every two (2) years thereafter. SAT applies to: • All personnel with access to CJI/CHRI • Personnel with physical and logical access • Personnel with information technology (IT) roles

  10. SAT Begins CHRI is governed and protected by: • Federal and state laws • Policies, memoranda, and regulations • NCJA policies, procedures, processes, and rules All are designed to reduce the risk of unauthorized access and misuse. Noncompliance with any of these will lead to disciplinary action according to agency [Policy, procedure, written process action]. Disciplinary action is determined by [Agency or Position of Authority] and in accordance with the FBI CJIS Security Policy.

  11. Reporting of a Security Breach Incident Reporting: • As an agency employee it is your responsibility to report any perceived or known security breaches regarding CHRI. • Reporting is required whether the CHRI breach is physical or through electronic devices. • All incidents are to be reported to [position authority]. • You may refer to [policy or procedure] for the most current incident response protocol.

  12. Security Breach Is defined as: • An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called a security violation. • The intentional or unintentional release of secure information to an untrusted, unauthorized environment. • The unauthorized acquisition, access, use, or disclosure of protected information which compromises the security or privacy of such information.

  13. Media Protection Media must be protected at all times against any unauthorized access to, or casual viewing of, computer devices, access devices, and printed/stored data. All media is to be handled with the utmost care and be marked “copy” and “confidential” so that others having access to CHRI are also aware of the attention required when handling it. Agency [Policy, procedure, or written process] is provided and available [where available] to ensure that media protection exists and is carried out in the appropriate manner.

  14. Media Protection Is the protection of electronic and physical CHRI media by: • Restricting media to authorized personnel only. • Securely storing it within physically secured locations and controlled areas. • Protecting and controlling media any time it is transported outside of controlled areas. • Disposing of media securely, and only by authorized personnel.

  15. Media Protection Physical Security includes: • Protection of information subject to confidentiality • Limitation of visitor access to controlled areas • Prevention of social engineering • Positioning of computer and system devices (laptops, cellular phones, iPads, or any kind of handheld device used to access, process, or store CHRI media) in such a way that prevents unauthorized personnel from gaining physical or visual access • Locking of rooms, areas, or storage containers where CHRI media is accessed, processed, and/or stored

  16. Media Protection Electronic Security includes: • Protection of information subject to confidentiality • Password use and management • Protection from viruses, worms, Trojan horses, and other malicious code • Appropriate use and management of e-mail, spam, and attachments • Appropriate web use • Use of encryption for transmission of sensitive/confidential information through electronic means • Backing up electronic media on a regular basis

  17. IT Personnel As outlined by the agency, it is the IT personnel's responsibility to: • Provide protection from viruses, worms, Trojan horses, and other malicious code through electronic scanning and updating of definitions. • Provide data backup and storage through centralized and decentralized approaches, when applicable. • Provide timely application of system patches as part of configuration management. • Provide access control measures. • Provide protection measures for the agency network infrastructure.

  18. Visitor Control Visitor access to controlled areas where CHRI is maintained and processed shall be avoided whenever possible. If visitor access becomes necessary, all visitors will be escorted by authorized personnel at all times while in a controlled area. Agency [policy or procedure] exists to prevent unauthorized access to CHRI, and it is your responsibility to adhere to all agency requirements.

  19. Visitor Control Minimum requirements: • Lock the area, room, or storage container when CHRI is left unattended by authorized personnel. • Position CHRI system devices and documents containing CHRI in such a way as to prevent unauthorized individuals from accessing or viewing them. • Follow the encryption requirements set forth by the agency for electronic storage of CHRI. • Challenge strangers as to the nature of their business in the controlled area. • Report unusual or suspicious behavior to the appropriate personnel.

  20. Threats, Vulnerabilities, and Risks A vulnerability is a point where a system is susceptible to attack. Vulnerabilities may include: • 1. Physical • 2. Human • 3. Hardware and Software • 4. Natural • 5. Communication

  21. Threats, Vulnerabilities, and Risks A threat is an unintentional or deliberate event or circumstance which could have an adverse impact on an information system. Threats can come from internal or external sources. There are three main categories of threats: • Natural (fire, flood, lightning, power failures) • Unintentional (actions that occur due to lack of knowledge or through carelessness) • Intentional (a deliberate plan to harm or manipulate an information system, its software, and/or data)

  22. Dissemination Laws, policies, procedures, and written processes discussed throughout this training apply to CHRI received from the FBI CJIS Division for noncriminal justice purposes. In general, a noncriminal justice purpose includes the use of CHRI for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice, including but not limited to: • [Employment suitability or Licensing] Any CHRI released to another authorized agency that was not part of the original information exchange shall be logged. See [policy, procedure, written process] for logging details.

  23. Destruction Sensitive data shall be securely disposed of when no longer required. When no longer in use, diskettes, tape cartridges, ribbons, hard copies, print-outs, and other similar items are to be destroyed by cross-cut shredding or incineration, and only by authorized personnel. DO NOT PLACE SENSITIVE DATA IN TRASH CANS

  24. Desktop Security Pertains to your agency-issued computers, laptops, and handheld devices. Personally owned equipment and software [is/is not] allowed, and guidance for such an instance can be located within agency [Policy, procedure, or written documentation]. You have NO EXPECTATION OF PRIVACY IN THEIR USE. Physical and electronic media not under the direct supervision of authorized personnel should be locked and secured any time it is not in use. If you know you are going to be away from your desk for an extended period of time, either shut down your system or lock your screen.

  25. Desktop Security Passwords (“standard authentication”): • An “electronic signature” • Ensure the user is who they say they are • Used in all instances of system access for the use, processing, and storage of electronic CHRI media • Used to restrict access to authorized personnel only Agency [policy, procedure, written process] exists and is available [where available] to ensure the appropriate security and management controls are followed.

  26. Desktop Security Passwords shall exist for all electronically maintained media and shall: • Be a minimum length of eight characters. • Not be a dictionary word or proper name. • Not be the same as the User ID. • Expire within a maximum of 90 days. • Not be identical to the previous ten passwords. • Not be transmitted in the clear outside the secure location. • Not be displayed when entered.
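The rules on the slide above are easy to state but often enforced loosely. The following is an added example (not part of the MSP template) showing how an agency system could check a proposed password against those rules: minimum length, dictionary words and proper names, equality with the user ID, reuse of any of the previous ten passwords (compared by salted hash, so the old passwords themselves are never stored), and the 90-day expiry. The dictionary, user IDs, and password history are constructed sample data; the rules about not displaying or transmitting the password in the clear belong to the login form and the transport, not to this check.

```python
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 8       # "a minimum length of eight characters"
MAX_AGE_DAYS = 90    # "expire within a maximum of 90 days"
HISTORY_DEPTH = 10   # "not be identical to the previous ten passwords"

# Constructed stand-in for the agency's dictionary / proper-name list (assumption).
DICTIONARY = {"password", "michigan", "welcome", "summer", "lansing"}


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; only this hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(history, password):
    """Record a newly set password as a (salt, hash) pair, keeping only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]


def in_history(history, password):
    """True if the password equals any of the remembered previous passwords."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)


def check_password(password, user_id, history):
    """Return the list of rule violations for a proposed password; [] means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if password.lower() == user_id.lower():
        problems.append("same as the user ID")
    if in_history(history, password):
        problems.append("identical to one of the previous %d passwords" % HISTORY_DEPTH)
    return problems


def days_until_expiry(last_set, today):
    """Days left before the 90-day maximum is reached; 0 or less means the password has expired."""
    return MAX_AGE_DAYS - (today - last_set).days


if __name__ == "__main__":
    history = []
    for old in ("Autumn2023!", "Winter2023!"):   # constructed previous passwords
        remember(history, old)
    for candidate in ("Winter2023!", "michigan", "jsmith", "Spring2024!"):
        print("%-12s -> %s" % (candidate, check_password(candidate, "jsmith", history) or "OK"))
    print("days until expiry:", days_until_expiry(date(2024, 1, 1), date(2024, 3, 1)))
```

Note that the history check is the only rule that needs stored state, and it works on hashes: the agency never has to keep old passwords in a readable form to enforce the "previous ten" rule.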

  27. Vulnerabilities and Threats Threats include: • Eavesdropping • Unauthorized data access • Intrusions • Denial of Service • Theft • Social Engineering • Phishing • Sabotage • Web use • Spam BEWARE!

  28. Vulnerabilities and Threats Social engineers don't need to be “technically” savvy; they use their “people skills” to get in where they're NOT supposed to be: • Charm • Intimidation • Trickery “Phishing” is the receipt of an e-mail pretending to be from an on-line store, a financial institution, or an internet service provider with the intention of gaining personal information. Sabotage is deliberate action aimed at weakening another entity, the conscious withdrawal of efficiency, generally directed at causing some change in workplace conditions.

  29. Vulnerabilities and Threats Work-related web use is necessary at times and for applicable purposes, and [policy, procedure, or written process] exists to identify the security controls necessary to minimize the detrimental effects of viruses, worms, Trojan horses, and other malicious code. Additionally, web use for personal reasons [is/is not allowed], and when used for such purposes shall be conducted in the same manner as outlined in [policy, procedure, or written process]. “Spam” is unsolicited electronic messaging from outside entities, which may also carry viruses, worms, Trojan horses, and other malicious code. Use e-mail blocking and junk-mail filtering functions to minimize its impact.

  30. Vulnerabilities and Threats Eavesdropping can also be a threat when a conversation is overheard by the wrong person seeking personal gain. Secretly listening to the conversations of others is an easy way to learn what should be confidential information. Be aware of your surroundings and environment, and only discuss the details of CHRI with appropriate personnel. • Unauthorized data access, intrusions, denial of service, and theft can all contribute to the vulnerability of an agency's system, and it is up to you to ensure the security, confidentiality, and integrity of CHRI while it is under your control.

  31. Are You Being Hacked? How to Tell • A system alarm or similar indication from an intrusion detection tool (e.g., a UNIX user obtains privileged access without using authorized methods) • Suspicious entries in system or network accounting • Accounting discrepancies (e.g., an 18-minute gap in the accounting log in which there is no correlation) • Exceptionally slow network activity, disconnection from network service, or unusual network traffic notices • Unsuccessful logon attempts • New user accounts of unknown origin • Unusual log entries, such as network connections to unfamiliar machines or services, or login failures • New files of unknown origin and function • Unexplained addition, deletion, or modification of data • System crashes • Poor system performance (the system appears slower than normal and less responsive than expected) • Unauthorized operation of a program, or the addition of a sniffer application to capture network traffic or usernames/passwords • Port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts) • Unusual usage times (statistically, more security incidents occur during non-working hours than at any other time) • An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account • Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program) • Denial of service activity, or the inability of one or more users to log in to an account, including admin/root logins to the console
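Several of the indicators on the slide above (unsuccessful logon attempts, new user accounts of unknown origin, unusual usage times) can be picked out of ordinary authentication logs automatically. The script below is an added example, not part of the MSP template: it reads syslog-style lines as written by OpenSSH and useradd, flags a burst of failed logons for one user from one source, a successful logon that follows such a burst (likely password guessing), logons outside working hours, and account creation. The log lines are constructed, and the message formats and the 08:00-18:00 working-hours window are assumptions to be adjusted to the agency's environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog line: "Mon DD HH:MM:SS host process[pid]: message" (format is an assumption)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
NEW_USER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

# Constructed sample log: a 5-attempt guessing burst against jsmith at 02:13,
# a success right after it, a new account, then a normal daytime logon by mlee.
SAMPLE_LOG = """\
Jan 14 02:13:01 chri-ws01 sshd[4112]: Failed password for jsmith from 10.20.30.40 port 51122 ssh2
Jan 14 02:13:09 chri-ws01 sshd[4113]: Failed password for jsmith from 10.20.30.40 port 51123 ssh2
Jan 14 02:13:18 chri-ws01 sshd[4114]: Failed password for jsmith from 10.20.30.40 port 51124 ssh2
Jan 14 02:13:27 chri-ws01 sshd[4115]: Failed password for jsmith from 10.20.30.40 port 51125 ssh2
Jan 14 02:13:36 chri-ws01 sshd[4116]: Failed password for jsmith from 10.20.30.40 port 51126 ssh2
Jan 14 02:14:30 chri-ws01 sshd[4117]: Accepted password for jsmith from 10.20.30.40 port 51130 ssh2
Jan 14 02:15:02 chri-ws01 useradd[4200]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Jan 14 09:04:50 chri-ws01 sshd[5001]: Failed password for mlee from 10.20.30.41 port 50000 ssh2
Jan 14 09:05:11 chri-ws01 sshd[5002]: Accepted password for mlee from 10.20.30.41 port 50001 ssh2
""".splitlines()


def parse_line(line):
    """Split one syslog line into (timestamp, host, process, message), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # deltas within one file (a log spanning New Year would need the real year)
    ts = datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S")
    return ts, m["host"], m["proc"], m["msg"]


def analyze(lines, work_hours=(8, 18), fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of (severity, description) findings for the indicators detected."""
    findings = []
    failures = defaultdict(list)   # (user, source ip) -> timestamps of recent failed logons
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, proc, msg = parsed
        when = ts.strftime("%b %d %H:%M:%S")
        failed, accepted, new_user = FAILED_RE.search(msg), ACCEPTED_RE.search(msg), NEW_USER_RE.search(msg)
        if failed:
            key = (failed["user"], failed["ip"])
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) == fail_threshold:   # report once, when the threshold is crossed
                findings.append(("MEDIUM", "%s %s: %d failed logons for %s from %s within %s"
                                 % (when, host, len(recent), key[0], key[1], window)))
        elif accepted:
            key = (accepted["user"], accepted["ip"])
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= fail_threshold:
                findings.append(("HIGH", "%s %s: successful logon for %s from %s after %d failures (possible password guessing)"
                                 % (when, host, key[0], key[1], len(recent))))
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                findings.append(("LOW", "%s %s: logon for %s from %s outside working hours (%02d:00-%02d:00)"
                                 % (when, host, key[0], key[1], work_hours[0], work_hours[1])))
        elif new_user:
            findings.append(("MEDIUM", "%s %s: new account %s created by %s; verify it was authorized"
                             % (when, host, new_user["user"], proc)))
    return findings


if __name__ == "__main__":
    for severity, text in analyze(SAMPLE_LOG):
        print("[%s] %s" % (severity, text))
```

Thresholds are deliberately simple so the logic stays readable; a single failed logon (mlee at 09:04) produces nothing, while the burst against jsmith produces the failed-logon finding on the fifth attempt and a high-severity finding when the next attempt succeeds. Findings like these are exactly what the reporting slide earlier in this training expects you to pass to [position authority].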

  32. Standards of Discipline FBI CJIS information is sensitive information. Improper access, use, and dissemination are serious and may result in the imposition of disciplinary action up to and including dismissal. This can include termination of services, as well as state/federal criminal penalties. It is your responsibility to conform to the requirements of the Rules of Behavior when using computers with access to CHRI data. Failure to comply with the Rules of Behavior may constitute a security violation resulting in denial of access to the system.

  33. Remember • You are the key to security; it begins with YOU. • It's your responsibility to ensure you're aware of and adhere to all policies and procedures regarding IT security. • If you have any questions about the proper operation or security of computer systems entrusted to you, contact your local agency security officer.

  34. Proof of Training Completion Upon completion of Security Awareness Training: Complete applicable fields of the last page certificate, except for “Authorizing Name and Title” field. Once applicable fields are completed, print and provide to agency authorizer for verification signature.

  35. [Agency Name] Presents [Employee Name] with this Security Awareness Training Proof of Completion On [DATE] Authorizing Name and Title
