How To Prepare For A CJIS Audit

Upload: giovanna-weatherhead

Post on 16-Dec-2015


TRANSCRIPT

Page 1: How To Prepare For A CJIS Audit. Overview Who, What, Why and When Audit Process Self Audit Using Network diagram Required Written Policies/Process Available

How To Prepare For A CJIS Audit

Overview

• Who, What, Why and When

• Audit Process

• Self Audit Using Network diagram

• Required Written Policies/Process

• Available Resources

PRAY

Helps To Know

Who conducts CJIS audit?

What is being audited?

Why are we being audited?

When does the audit take place?

Who conducts CJIS Audit?

• Texas DPS CJIS Security Team
− Ensures all criminal justice and noncriminal justice agencies accessing TLETS meet requirements mandated by the CJIS Security Policy
− Office created 2006
− CJIS Information Security Officer – Alan Ferretti
− 12 Auditors
− 1200 TLETS agencies
− Audited 882 agencies

What is being audited?

• CJIS Security Policy 5.0 Compliance
− Establishes the minimum security requirements for Criminal Justice Information.
− Version 5.0 has grown to four times the pages and two and a half times the requirements found in Version 4.5. Technology continues to progress and be made available. Security threats have continued to increase.
− Version 5.0 is no longer a classified document. It is now considered a public document.

Why is my agency being audited?

• CJIS Security Policy Requirement
• Every 3 years
• Other audit triggers

Audit Triggers

| Possible Audit Triggers | Requires CJIS Security Office’s Approval | Pre-Audit | Site Audit (within 30-60 days) |
|---|---|---|---|
| Tri-annual Audit. | N/A | Yes | Yes |
| New Agency. | Yes | Yes | Yes |
| Security Incident or Exceptional Event | Yes | Yes | Yes |
| Adding new technology accessing, storing or processing CJIS data (ex. Handhelds, MDTs, Virtual Technology). | Yes | Yes | Yes |
| Any upgrade to the system exceeding 25% of the cost of the system being upgraded. | Yes | Yes | Yes |
| Adding a system to interface with TLETS (CAD/RMS). | Yes | Yes | Yes |
| CJIS network addition or configuration change. | Yes | Yes | Yes |
| Moving TLETS equipment to a new site. | Yes | Yes | Yes |
| Request to host an agency or to be hosted by an agency. | Yes | Yes | Yes |
| Increasing the number of terminals by 25% or greater. | Yes | Yes | Yes |
| Increasing the number of terminals by less than 25% | Yes | No | No |
| Swapping out network equipment (1 for 1). | No | No | No |
| Adding a system not accessing CJIS data (ex. e-tickets). | No | No | No |
| Any upgrade to the system which is NOT replacing or adding to like technology. | No | No | No |

Audit Process

• Schedule audit
− 2 - 6 weeks notice
− Follow up with email detailing instructions and recommendations
− Formal notification by letter
• Pre-Audit
− Phone call
− Clarify instructions
− Answer Questions

Audit Process – On site Audit

CJIS Security Policy Version 5 Audit Checklist

| Section | Policy | Walk Through | Technical | Wireless | Interface |
|---|---|---|---|---|---|
| Questions | 20 | 7 | 7 | 19 | 17 |

Audit Process - Compliant

• Compliant
− Formal letter mailed to agency
− Next scheduled audit – 3 years unless event occurs that triggers audit

Audit Process – Non-compliant

• Non-compliant
− Non-compliant letter, listing items out of compliance, mailed to the agency
− Agency given 30 days to correct noncompliant issues or provide its plan to correct noncompliant items
− Compliant letter mailed to agency upon verification of corrected items

[Figure: sample network diagram for "Any Law Enforcement Agency", dated and marked FOR OFFICIAL USE ONLY. Labeled elements: firewall, switches and routers (each with make/model), TLETS terminals, a sub station with a TLETS terminal, MDTs, CAD/RMS, TLETS mainframe, TXDPS VSAT hub, DPS satellite, satellite dish on the building roof, Internet, and another law enforcement agency. Links are labeled "3DES 128 Bit Encryption" and "256 Bit AES Encryption".]

[Figure: second sample network diagram for "Any Law Enforcement Agency", dated and marked FOR OFFICIAL USE ONLY. Labeled elements: 5 MDT, 128 bit 3DES.]

Self Audit - Network Diagram

• Network Diagram
− Depicts router(s), switch(es), and firewall(s) and lists their make and model? (Technical) 5.7.1.2
    • Manufacturer supporting devices with updates? (Technical)
    • Network devices secured with locked doors? (Walk Through) 5.9.1.3 & 5.9.1.4
    • Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1
− CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
− Network properly segmented from non law enforcement networks? (Technical) 5.10.1.2
− Firewall in place between networks and Internet? (Technical) 5.10.1.1
− Firewall fails “close”? (Technical) 5.10.1.1

Self Audit - Network Diagram

• Network Diagram – IT/Network Support
• If IT/Network Support personnel are:
− Vendor
    • Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5
    • Signed FBI Certification page? (Policy) 5.1.1.5
    • Fingerprint based background check? (Policy) 5.12.1.1 & 5.12.1.2
    • Security Awareness Training completed (every 2 years) and documented? (Policy) 5.2.2

Self Audit - Network Diagram

• Network Diagram
• If IT/Network Support personnel are:
− Non LE employees (i.e. city or county)
    • Signed Management Control Agreement on File (Policy) 5.1.1.4
    • Fingerprint based background check (Policy) 5.12.1.1
    • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2
• If IT/Network Support personnel are:
− LE employees
    • Fingerprint based background check (Policy) 5.12.1.1
    • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2

Self Audit - Network Diagram

• Network Diagram
• Depicts number of TLETS terminals? (Technical) 5.7.1.2

− Operating system patched? (Walk Through) 5.10.4.1

− Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3

− Terminals kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted? (Walk Through) 5.9.1.3

− Restricted/Controlled area signage posted? (Walk Through) 5.9.1.1

− Session locked after 30 min of inactivity? (Interface) 5.5.5

− Media Control (Policy) 5.9.1.9 – How is equipment containing CJI Data exiting a secure location controlled?

− Destruction (Policy) 5.8.4 & 5.8.2 – Written procedures for destroying electronic and physical media?

Self Audit - Network Diagram

• Network Diagram
• If terminal operator personnel are:
− Vendor
    • Security Addendum on file and does it include Texas Signatory Page? (Policy) 5.1.1.5
    • Signed FBI Certification page? (Policy) 5.1.1.5
    • Fingerprint cards submitted to DPS? (Policy) 5.12.1.1 & 5.12.1.2
    • Security Awareness Training completed (every 2 years) and documented? (Policy) 5.2.2

Self Audit - Network Diagram

• Network Diagram
• If terminal operator personnel are:
− Non LE employees (i.e. city or county)
    • Signed Management Control Agreement on File (Policy) 5.1.1.4
    • Fingerprint cards submitted to DPS (Policy) 5.12.1.1
    • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2
• If terminal operator personnel are:
− LE employees
    • Fingerprint card submitted to DPS (Policy) 5.12.1.1
    • Security Awareness Training completed (every 2 years) and documented (Policy) 5.2.2

Self Audit - Network Diagram

• Network Diagram
• Mobiles (Technical)
    • Operating system patched. (Walk Through) 5.10.4.1
    • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
    • Firewall enabled (Walk Through) 5.10.4.4
    • Vehicles locked when not in use (Walk Through) 5.9.1.3
    • Listing of all wireless devices and contact number to disable them if the need arises. (Wireless) 5.5.7 & 5.5.71
    • If transmitted outside secure location (PD, Vehicle) advanced authentication required (Technical) 5.6.2.2
    • CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

Self Audit - Network Diagram

• Network Diagram
• Interface (CAD/RMS)? (Interface)
    • Operating system patched. (Walk Through) 5.10.4.1
    • Anti-virus installed and operating and AV signature files updated? (Walk Through) 5.10.4.2 & 5.10.4.3
    • Meets password requirements (Interface) 5.6.2.1
    • Locks after 5 consecutive invalid log on attempts (Interface) 5.5.3
    • NCIC & III transactions retained for 1 year (Interface) 5.4.7
    • Log audit events (Interface) 5.4.1.1
    • Meets audit retention, monitoring, alert and review requirements? (Interface) 5.4.2 & 5.4.3
    • CAD/RMS kept behind secure doors, protected from unauthorized viewing & unauthorized visitors logged and escorted (Walk Through) 5.9.1.3 & 5.9.1.4

Self Audit - Network Diagram

• Network Diagram
− Interface (CAD/RMS)? (Interface-Continued)
    • Restricted/Controlled area signage posted (Walk Through) 5.9.1.1
− CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2

Self Audit - Network Diagram

• Hosting/Hosted Agency
− Inter-local Agency Agreement on file (Policy) 5.1.1.4
− If hosting agency – Depict hosted agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
− If hosted agency – Depict hosting agency connection (encryption strength), name, and number of devices (Technical) 5.7.1.2
− CJI data transmitted outside the secured network encrypted at a minimum 128 bit and is a FIPS 140-2 Certificate on file? (Technical) 5.10.1.2
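
A self-audit pass over the numeric items of the checklist above, as an added example that is not part of the original slides or any DPS tooling. The record types, field names and sample inventory are constructed for illustration, and "1 year" is taken as 365 days.

```python
from dataclasses import dataclass

# Thresholds and section numbers are the ones quoted on the slides.
MIN_KEY_BITS, MAX_IDLE_MIN, MAX_BAD_LOGONS, MIN_RETENTION_DAYS = 128, 30, 5, 365

@dataclass
class Link:                      # one connection drawn on the network diagram (assumed shape)
    name: str
    leaves_secure_network: bool
    key_bits: int                # 0 means unencrypted
    fips_cert_on_file: bool

@dataclass
class System:                    # a TLETS terminal or CAD/RMS interface (assumed shape)
    name: str
    idle_lock_min: int           # 0 means the session never locks
    lockout_after: int           # 0 means no lockout on invalid logons
    retention_days: int          # NCIC & III transaction retention

def audit_link(link):            # returns (item, section, finding) tuples
    if not link.leaves_secure_network:
        return []                # the 5.10.1.2 item covers data leaving the secured network
    out = []
    if link.key_bits < MIN_KEY_BITS:
        out.append((link.name, "5.10.1.2", f"{link.key_bits}-bit encryption, need {MIN_KEY_BITS}"))
    if not link.fips_cert_on_file:
        out.append((link.name, "5.10.1.2", "no FIPS 140-2 certificate on file"))
    return out

def audit_system(s):
    out = []
    if s.idle_lock_min == 0 or s.idle_lock_min > MAX_IDLE_MIN:
        out.append((s.name, "5.5.5", "session does not lock within 30 min"))
    if s.lockout_after == 0 or s.lockout_after > MAX_BAD_LOGONS:
        out.append((s.name, "5.5.3", "no lockout after 5 invalid logons"))
    if s.retention_days < MIN_RETENTION_DAYS:
        out.append((s.name, "5.4.7", f"retention {s.retention_days} days, need {MIN_RETENTION_DAYS}"))
    return out

# Constructed sample inventory (not taken from the slides' diagram).
LINKS = [Link("MDT VPN", True, 128, True), Link("Hosted agency WAN", True, 256, False),
         Link("Dispatch LAN", False, 0, False)]
SYSTEMS = [System("CAD/RMS", 30, 5, 365), System("Substation terminal", 0, 10, 90)]

def self_audit(links=LINKS, systems=SYSTEMS):
    return [f for l in links for f in audit_link(l)] + [f for s in systems for f in audit_system(s)]

if __name__ == "__main__":
    print(*(f"{sec:9} {item}: {msg}" for item, sec, msg in self_audit()), sep="\n")
```

A strong cipher without the certificate on file still produces a finding, because the checklist item asks for both.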

Written Policies & Procedures

• Security Awareness Training – 5.2.2
• Incident Response Plan – 5.3.1
• Procedures for revoking/removing CJI access – 5.51, 5.12.2 & 5.12.3
• Policy governing use of personally owned – 5.5.61
• Sanitization, and physical destruction procedures of electronic media before release or reuse – 5.8.3 & 5.8.4
• Disposal and/or destruction of physical media – 5.9.1.2
• Security Alert and Advisories process – 5.5.1
• Process for validating user accounts – 5.5.1
• Policy forbidding transmitting CJI outside secure location -

Available Resources – CJIS Audit Team

• Jeannette Cardensa, CJIS Auditor, (512) 424-7910
• Dan Conte, CJIS Auditor, (512) 424-7137
• Ginger Coplen, CJIS Auditor, (512) 424-7913
• Alan Ferretti, CJIS Information Security Officer, (512) 424-7186
• Oswald Enriquez, CJIS Auditor, (512) 424-7914
• Erwin Pruneda, CJIS Auditor, (512) 424-7911
• Linda Sims, CJIS Auditor, (512) 424-2937
• Miguel Scott, Info Sec Analyst, 512-424-7912
• Deborah Wright, CJIS Auditor, (512) 424-7876

first [email protected]

Available Resources – Security Review Website

• http://www.txdps.state.tx.us/securityreview
− CJIS Security Policy
− CJIS Security Policy Audit Checklist
− Security Awareness Training
− Network Diagram
− Management Control Agreement
− FIPS 140-2 Certificates
− CJIS Security Addendum
− Policy Examples
− Security Advisories
− Agencies Scheduled To Be Audited Thru March 2013

Miguel Scott
Information Security Analyst
TX Dept of Public Safety
Office: 512-424-7912
Email: [email protected]