Information Security Officer Training · 7/24/2015
Revised 4/2014
This training will discuss some of the duties of the Terminal Agency Coordinator (TAC), Local Agency Security Officer (LASO) and provide basic security awareness training.
Security awareness training is intended to provide LEADS users information on the threats and risks associated with criminal justice information and basic methods to mitigate these risks.
Security awareness training is required within six months of employment and every two years thereafter for all personnel who access LEADS data. This also includes IT personnel with access to systems that transmit, store, or process criminal justice information.
Security awareness training is not a substitute for the
LEADS Security Policy.
LEADS users and IT staff working with equipment that
transmits, processes, or stores LEADS data shall follow
all requirements outlined in the Security Policy.
The Security Policy can be downloaded from the
following link on terminals with access to the LEADS
network: http://10.19.240.41/cjismanuals/index.pl
Computerized Criminal History (CCH) - An Ohio fingerprint central
repository for arrest, conviction, and disposition data on adults and
juveniles arrested for felony and gross misdemeanor offenses. It is
frequently used during mandated background checks on individuals
seeking employment or licensing for various employed and
volunteer positions.
Criminal Justice Information (CJI) - The abstract term used to refer
to all LEADS provided data necessary for law enforcement and civil
agencies to perform their missions including, but not limited to,
biometric, identity history, biographic, property, and case/incident
data.
Law Enforcement Automated Data System (LEADS) - Serves as the
electronic communication network for Ohio’s criminal justice
communities and the gateway to NCIC.
National Crime Information Center (NCIC) - A computerized index of
open warrants, arrests, stolen property, missing persons, and
dispositions regarding felonies and serious misdemeanors.
III (“Triple-eye” for short) – The Interstate Identification Index. III is
a national index that holds the Federal Bureau of Investigation (FBI)
Record of Arrest and Prosecution (RAP) sheet, which contains
information reported by local, state and federal law enforcement
agencies across the country. Requests associated with a record
housed in a particular state are directed to the originating state as
needed.
International Justice and Public Safety Network (NLETS) – (formerly
known as the National Law Enforcement Telecommunications
System) links together state, local, and federal law enforcement,
criminal justice and public safety agencies for the purpose of
exchanging information to support law enforcement. This includes
information from each state’s criminal records, driver records, vehicle
registration records, INTERPOL, Immigration and Customs
Enforcement (ICE), License Plate Reader (LPR) records, and
national Amber Alerts.
Phishing – The practice of luring unsuspecting Internet users to a
fake Web site by using authentic-looking email with the real
organization's logo, in an attempt to steal passwords, financial or
personal information, or introduce a virus attack.
The TAC does not have to be a technical person, but will
need to be able to work with system administrators and
vendors to obtain required information.
Appointed by each terminal agency administrator.
Directly responsible to the agency administrator for the
operation and security of LEADS.
Serves as a point of contact for the State ISO and all
LEADS staff.
Understand how computer systems at the agency are
connected to LEADS and assist in maintaining network
topology documentation.
Submit updated diagrams and documentation for
approval prior to making any significant changes to the
network topology (adding a new system, external
network connection, etc.).
Maintain a record of any maintenance on systems by
non-agency personnel. Log the name of the technician
and the company doing the work, as well as the time
they start and finish.
Ensure all personnel with access to LEADS systems and data are provided security awareness training. Training must be completed biennially and a record of training must be maintained. For the minimum topics to be covered, please refer to the LEADS Security Policy (section 5.2.1).
Ensure only authorized personnel have access to LEADS systems. Personnel who do not have a fingerprint-based background check on file are considered unauthorized and are required to be escorted by authorized personnel at all times.
Ensure all LEADS equipment and terminals are located in a secure room with limited access.
Report all suspected security incidents to LEADS
Control at 1-800-589-2077 to initiate contact with the
State Information Security Officer (ISO). Types of
incidents that should be reported include:
◦ Theft or intentional damage of LEADS equipment
◦ Hacking incidents
◦ Virus or malware infections
◦ Any other situation that could threaten LEADS
Violations of LEADS Administrative Rules and
instances of misuse shall be reported to the LEADS
Administrative staff at (614) 752-4382.
Ensure LEADS Security Policy compliance at the local
agency in partnership with the State ISO.
Develop a Computer Use and Security Policy.
Develop a Media Protection Policy.
Develop a Remote Access and Internet Use Policy (if
applicable to your agency’s operation).
Develop an agency Business Continuity/Disaster
Recovery Plan.
TAC Officers will need agency administrator support
with these tasks.
In addition to the TAC, each agency with LEADS access
shall appoint a LASO.
The LASO and the TAC can be the same person.
Collaborate with the TAC to report all suspected security
incidents to LEADS Control at 1-800-589-2077 to initiate
contact with the State ISO.
Identify who is using the LEADS approved hardware,
software, and firmware and ensure no unauthorized
individuals or processes have access to the same.
Identify and document how equipment is connected to
LEADS.
Ensure that personnel security screening procedures are
being followed as stated in the LEADS Security Policy.
Ensure the approved and appropriate security measures
are in place and working as expected.
[Diagram: State ISO, TAC, LASO]
A technical security inspection will be conducted a
minimum of once every three years by a member of the
LEADS Security staff.
Technical security inspections are done on-site and can
take one to three hours, depending on the complexity
and size of the agency’s network.
The TAC and LASO are required to be present during
the inspection.
Agencies scheduled for technical security inspections
will receive a Pre-Audit Questionnaire that shall be
returned, along with a current network diagram, prior to
the inspection date. Please make arrangements for a
vendor/IT person to be available if you are unable to
answer technical questions about your systems or
policies.
A progressive sanction process has been established to
enforce the LEADS Administrative Rules and Security
Policy. Agencies found to be out of compliance with the
rules and/or policy may be subject to the sanction
process. For more information on the progressive
sanction process, please refer to the Ohio Revised Code
4501:2-10-11.
Criminal Justice Information (CJI) includes any and all
data that is transmitted or received through LEADS.
The system configuration often contains sensitive details
(descriptions of applications, processes, procedures,
data structures, authorization processes, data flow, etc.).
Agencies shall protect system documentation from
unauthorized access consistent with provisions
described in Section 5.5 - Access Control in the LEADS
Security Policy.
Ensure the computer system is protected with a strong
password.
Ensure the computer is up-to-date with patches
(operating system, applications, anti-virus, and anti-
malware).
Practice smart internet habits when browsing. Be
selective of the sites you visit and check the security
level of web pages that require you to enter personal
information.
When entering personal information on a website, verify the website is encrypted (i.e. - uses HTTPS).
Systems processing, storing, transmitting CJI are required to be located in a physically secure area.
Users shall be given the least amount of privileges required on systems accessing and/or containing CJI.
Employ segregation of duties - the concept of having more than one person required to complete a task. This ensures that no single person is in a position to introduce fraudulent or malicious code/data without detection.
LEADS printouts contain CJI. The following shall apply
when dealing with printed LEADS data:
◦ Make printouts unreadable prior to disposal.
◦ Before exchanging LEADS data, agencies must have
formal agreements in place that specify security controls.
◦ Do not email, transport or store LEADS information on
electronic media unless it is encrypted.
The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media.
When hard drives, tape cartridges, USB drives, hard copies, print-outs, and other similar items are no longer needed - all media must be destroyed by shredding, burning, or any other method that renders the data unreadable.
The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals.
Inoperable electronic media shall be destroyed (cut up, shredded, crushed, etc.).
Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel.
Smartphones and tablets are examples of handheld
devices. Some of the threats to these types of devices
are:
◦ Loss, theft, or disposal
◦ Unauthorized access
◦ Malware
◦ Spam
◦ Electronic eavesdropping
◦ Electronic tracking (threat to security of data and safety of
law enforcement officer)
◦ Cloning (not as prevalent with later generation cellular
technologies)
To help mitigate the risks to handheld devices, agencies shall at a minimum:
◦ Apply available critical patches and upgrades to the operating system
◦ Configure for local device authentication
◦ Use advanced authentication
◦ Encrypt all CJI that resides on the device
◦ Erase cached information when sessions are terminated
◦ Employ personal firewall software
◦ Employ antivirus software
Strong passwords are required for all users accessing
LEADS systems.
Strong passwords are created by using the following
guidelines:
◦ Contain a minimum of 8 characters
◦ Include characters from the following categories: letters (upper
and lower case), numbers, and special characters
◦ Make the password appear to be a random sequence of
letters, numbers, and special characters. Dictionary words,
proper names or the user ID shall not be used.
Ensure all password changes are in accordance with
Section 5.6.2.1 of the LEADS Security Policy.
Passwords should be changed frequently. LEADS
requires users to change passwords every 60 days.
Do not reuse old passwords. LEADS prohibits reuse of
the previous 10 passwords.
Passwords shall never be shared or written down.
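Added example (not part of the original training or the LEADS Security Policy): a minimal Python check of the password rules listed above, covering length, character categories, user ID, dictionary words, the previous-10 reuse ban, and the 60-day change interval. The function names, the small sample word list, the reading of "upper and lower case" as requiring both, and the use of salted PBKDF2 hashes to store password history are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from datetime import date, timedelta

MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 60, 10
# Constructed sample list; a real check would load a full dictionary.
DICTIONARY = {"password", "welcome", "police", "sheriff", "dispatch"}
# Assumption: "letters (upper and lower case)" means both cases are required.
CLASSES = {
    "an upper case letter": string.ascii_uppercase,
    "a lower case letter": string.ascii_lowercase,
    "a number": string.digits,
    "a special character": string.punctuation,
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Return a (salt, hash) entry for the history; plaintext is never stored."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def check_new_password(password, user_id, history):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # Only the most recent 10 entries count toward the reuse ban.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append("matches one of the previous 10 passwords")
            break
    return problems

def is_expired(last_changed, today):
    """True once more than 60 days have passed since the last change."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)

if __name__ == "__main__":
    print(check_new_password("Sheriff2024!", "jdoe", []))
    print(is_expired(date(2024, 1, 1), date(2024, 3, 2)))
```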
The LEADS network is protected by Cisco Clean Access
(CCA). CCA helps ensure LEADS terminals are kept up-
to-date and in compliance with the Security Policy.
Systems are scanned to ensure critical Windows
security patches are installed and up-to-date anti-virus
software is running upon each login.
CCA login sessions expire every seven days so systems
can be scanned. Clients must re-authenticate when
prompted to maintain connectivity to the secure criminal
justice network.
Anti-virus software is used to identify and remove
computer viruses, spyware, and malware.
Most modern anti-virus software can protect against a
wide range of worms, rootkits and trojans.
All systems with LEADS connectivity are required to
employ up-to-date virus protection software.
System is slow, freezes or crashes.
Unusual error messages are displayed.
Excessive uncommanded disk drive activity.
Applications don’t operate properly.
Multiple pop-up windows appear on the screen.
When CJI is transported or at rest (stored electronically)
outside of the physically secure location it shall be
protected via cryptographic mechanisms (encryption).
When encryption is employed, the cryptographic module
used shall be certified to meet FIPS 140-2 standards.
Windows Update is a service provided by Microsoft that
provides updates for the Microsoft Windows operating
system.
Security updates are delivered on the second Tuesday
of each month (a.k.a. Patch Tuesday).
Windows Update can be configured to install updates
automatically, ensuring a computer is up-to-date and not
vulnerable to known computer worms and malware.
All computers are required to be kept up-to-date with the
latest security patches and service packs.
Social Engineering is the act of exploiting a human user to gain access to restricted systems and information (e.g. - Phishing). Use the following guidelines to prevent being a victim of social engineering:
◦ Verify identity of requestors.
◦ Be cautious when providing information via email or over
the phone.
◦ Remember, an emailer/caller may not be entitled to the information but may try to fool you by using lingo and buzz words.
◦ Do not share information with persons outside the criminal justice community - such as friends, family, acquaintances, or strangers.
Spam is the name given to unsolicited bulk email that appears in your inbox.
Most spam is advertising for dubious products, get-rich-quick schemes, or other attempts to solicit money and/or compromise the computer.
Never open unsolicited email or attachments, or reply to emails from an unknown source.
Be aware CJI could be compromised in any of the
following ways:
◦ Tampering with equipment (server, router, etc.) by
employee, vendor or unauthorized person.
◦ Theft of laptops, handheld devices, or any other device
which is used to access LEADS.
◦ Unauthorized remote access.
◦ Installing/downloading unauthorized software onto systems
and network components.
◦ Virus/malware infection.
◦ Creation of unauthorized user accounts.
◦ Unencrypted transmission of LEADS data over non-criminal
justice networks (wireless, county networks, telecom
carriers).
All devices with access to the LEADS network must have adequate physical security to protect against unauthorized access.
LEADS routers, switches, firewalls and interface servers must be located in a locked, limited access room.
All visitors and vendors must be accompanied by authorized personnel at all times when accessing secure areas.
LEADS terminals must be physically positioned so unauthorized persons are unable to view the screen and must employ session lock mechanisms after a maximum of 30 minutes of inactivity (does not apply to dispatch terminals).
A personally owned information system shall not be
authorized to access, process, store, or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage.
Any system that accesses CJI shall display an approved system use notification message that contains the following information:
◦ The user is accessing a restricted information system.
◦ System usage may be monitored, recorded, and is subject to audit.
◦ Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties.
◦ Use of the system indicates consent to monitoring and recording.
If you become aware of any policy violation or a situation where LEADS data has been compromised, immediately contact LEADS Control at 1-800-589-2077 and begin gathering information for the Computer Incident Report Form (LEADS Security Policy Appendix E).
Depending on the severity of the incident, LEADS Control will direct you to LEADS Security staff or the State ISO.
“You are the key to security, it begins with you.”
All users are responsible for adherence to the
requirements documented in the LEADS Security Policy.
Please refer to the Security Policy or contact LEADS
Control at 1-800-589-2077 with any questions regarding
proper operation or security of computer systems.