SLED Overview of the FBI - Municipal Association of South Carolina

8/24/2012
SLED Overview of the FBI
Criminal Justice Information Services
(CJIS) Security Policy
Version 5.1
8/09/2012
CJISD-ITS-DOC-08140-5.0
[email protected]
For Official Use Only

This session will be an overview of the FBI Criminal Justice Information Services (CJIS) Security Policy 5.1 and how it pertains and applies to municipal court clerks, magistrates, judges and other court staff who receive NCIC criminal justice information.

Security policy

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.

What is NCIC (National Crime Information Center)?

NCIC 2000 is a nationwide, computerized information system established as a service to all local, state, federal, and international criminal justice agencies.

The goal of NCIC 2000 is to help the criminal justice community perform its duties by providing and maintaining a computerized filing system of accurate and timely documented criminal justice information.

The NCIC 2000 data bank can best be described as a computerized index of documented criminal justice information concerning crimes and criminals of nationwide interest. NCIC files also include missing and unidentified person files, files on persons who pose a threat to officer and public safety, as well as stolen property files.

All state and local agencies participating in the NCIC 2000 System are required to adhere to the security guidelines that can be found in the FBI/CJIS Security Policy 5.1.

The NCIC 2000 System stores vast amounts of criminal justice information which can be instantly retrieved by and/or furnished to any authorized agency, and is a virtually uninterrupted operation 24 hours a day, 7 days a week.

Types of queries
NCIC stats

In January 1967 when NCIC became operational, it included five files, which contained 356,784 records. In its first year of operation, NCIC processed approximately 2.4 million transactions, or an average of 5,479 transactions daily. Last year NCIC processed 2.4 billion transactions. Recently, NCIC experienced a new one-day record of 8.6 million transactions. Presently, NCIC contains 19 files with over 15 million records, of which nearly 1.7 million are in the wanted persons file. NCIC services more than 90,000 user agencies and averages 7.5 million transactions per day. Currently, on average, South Carolina performs 350,000+ transactions per day.

- The local/regional computer availability goals shall be 100 percent, with 96 percent as the minimum.
- Equipment and/or technological incompatibility shall not be sufficient justification for any agency to operate outside of the normal CSA configuration.

The data stored in the NCIC 2000 System and the III File are documented criminal justice information and must be protected to ensure correct, legal, and efficient dissemination and use. It is incumbent upon an agency operating an NCIC 2000 infrastructure to implement the necessary procedures to make that component secure from any unauthorized use. Any departure from this responsibility warrants the removal of the offending component from further NCIC 2000 participation.

Throughout the last several years, there have been significant changes in the CJIS community’s telecommunications and systems architecture. As a result of technological advances, the FBI Director authorized a security management structure to specifically address technical security controls, policy revision, oversight, training, and security incident resolution and notification.

In addition to these changes, a significant number of the larger and more important computer systems in this country have been successfully penetrated by individuals whose reasons ran the gamut from monetary profit to ideological principles. If the National Crime Information Center (NCIC) is going to function efficiently and effectively in today's society, system security must be an omnipresent element of its everyday operation.

Therefore, the CJIS Advisory Policy Board (APB) adopted new policies in the areas of identification, authentication, encryption, wireless applications, dial-up access, Internet access, public networks, and firewalls to address security concerns.

- A Federal Working Group and several regional Working Groups were established to recommend policy and procedures for the programs administered by the FBI CJIS Division.
- These Working Groups are also responsible for the review of operational and technical issues related to the operation of or policy for these programs.

The FBI uses hardware and software controls to help ensure System security. However, final responsibility for the maintenance of the security and confidentiality of criminal justice information is shared with the individual agencies participating in the NCIC 2000 System and the IT departments who support the agencies. Further information regarding System security can be obtained from the FBI/CJIS Security Policy 5.1.

Policy Purpose

- To provide minimum security requirements associated with the creation, viewing, modification, transmission, dissemination, storage, or destruction of Criminal Justice Information or CJI.
- To provide a baseline security policy for Local, State, and Federal agencies to build their policies upon. (It is the minimum standard a local policy must follow.)
- The policy covers roles and responsibilities as well as the 12 areas of compliance.

Roles and Responsibilities – State ISO

SLED will appoint an Information Security Officer (ISO) who is responsible for establishing and maintaining information security policy, assessing threats and vulnerabilities, performing risk and control assessments, overseeing the governance of security operations, and establishing information security training and awareness programs.

Roles and Responsibilities – State CSO

Each state must have a CJIS Security Officer (CSO) assigned by the head of the CJIS Systems Agency (CSA), which in South Carolina is SLED. The CSO is responsible for enforcing security policy rules over ALL agencies, users, and devices accessing CJI via the state CSA (SLED).

Roles and Responsibilities – Local Level

Each local agency accessing Criminal Justice Information (CJI) is required to have a Terminal Agency Coordinator (TAC) and a Local Agency Security Officer (LASO) to oversee that the CJIS Security Policy is being abided by locally. They can be the same person.

Terminal Agency Coordinator (TAC)

The TAC serves as the point-of-contact at the local agency for matters relating to CJIS information access. A TAC administers CJIS systems programs within the local agency and oversees the agency’s compliance with CJIS systems policies.

- The TAC is the Agency Coordinator (AC).

AC of the CGA

The AC is a staff member of the CGA who manages agreements and is responsible for the supervision and integrity of the system, and for the training and continuing education of employees as required (CJIS Security Policy 3.2.7).

Agency Coordinator (AC)

The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, certification testing, and all reports required by NCIC.

The AC shall:

- Understand the communications, records capabilities, and needs of the individual who is accessing federal and state records through or because of its relationship with the CGA.
- Receive information from the CGA (e.g., system updates) and disseminate it to appropriate individuals.
- Maintain up-to-date records of all employees or contractors who access the system, including name, date of birth, social security number, date fingerprint card(s) submitted, date security clearance issued, and date initially trained, tested, certified or recertified (if applicable).
- Schedule new operators for the certification exam, as well as schedule certified operators for biennial recertification testing within thirty (30) days prior to the expiration of certification. Schedule operators for other mandated classes.
- Not permit an untrained/untested or non-certified employee or contractor to access CJI or systems supporting CJI where access to CJI can be gained.
- Provide completed applicant fingerprint cards on each Contractor employee who accesses the system to the CJA (or, where appropriate, CSA) for criminal background investigation prior to such employee accessing the system.

Local Agency Security Officer (LASO)

- The primary Information Security contact between a local law enforcement agency and the CSA.
- The LASO actively represents their agency in all matters pertaining to Information Security, disseminates Information Security alerts and other material to their constituents, maintains Information Security documentation (including system configuration data), assists with Information Security audits of hardware and procedures, and keeps the CSA informed as to any Information Security needs and problems.

Roles and Responsibilities – Outsourcing of CJI Administration

- The responsibility for the management of the approved security requirements shall remain with the Criminal Justice Agency.
- Thus the outsourcing of the state CSO and ISO positions is not allowed.
- Thus the outsourcing of local TAC and LASO positions is not allowed.

Roles and Responsibilities – Local Points of Contact

- Local or municipal entities should refer all CJIS Security procedural or technical questions to their local criminal justice agency’s TAC or LASO. They are the local point of contact.
- If the local TAC or LASO does not have an answer, they can refer to the state CSO for assistance.

Illegal Dissemination of CJI and PII Can Lead to Penalties

- Improper access and dissemination of any CJI data, including CHRI, may result in administrative sanctions, termination, and state and federal penalties.
- Refer to the S.C. Financial Fraud and Identity Theft Law for more information.

What does the policy cover?

1. Information Exchange Agreements
2. Awareness Training
3. Incident Response
4. Auditing and Accountability
5. Access Control
6. Identification and Authentication
7. Configuration Management
8. Media Protection
9. Physical Protection
10. Systems & Communications Protection and Information Integrity
11. Formal Audits
12. Personnel Security

Information Exchange Agreements – Policy Area 1

- Criminal Justice Information requires protection throughout its life, which is why agreements need to be in place between each agency sharing CJI data. These agreements must specify security controls meeting the CJIS Security Policy requirements and be in place before any CJI can be exchanged.
- Agreements should state the policies, standards, sanctions, governance, auditing, services accessed and policy compliance required for the user agency.
- CJI exchange includes e-mail, instant messaging, web services, facsimile, hard copy, and the information systems sending, receiving, and storing CJI.

Some Agreement Types

- User
- Service
- Management Control *
- Inter-Agency *
- CJIS Security Addendum *
- Civil Agency User Agreement
- Livescan/Latent Fingerprint Sharing

Agreements required for NCJA

Management Control agreement - grants the criminal justice agency management control over the operations of the noncriminal justice agency as they relate to access to the Law Enforcement Data System network and services. Required between the CJA and the NCJA which provides services to the CJA (dispatching, record keeping, computer services, etc.).

"Management Control" means the authority to set and enforce:
(a) Priorities;
(b) Standards for the selection, supervision and termination of personnel; and
(c) Policy governing the operation of computers, circuits, and telecommunications terminals used to process, store, or transmit information to or receive information from the Law Enforcement Data System.

Agreements required for NCJA (cont.)

Inter-Agency – agreement between two agencies that states standards, policy, and access required of the parties:
- State CSA to non-criminal justice agency (DSIT)
- Local criminal justice agency to non-criminal justice agency (county or city)

Security Addendum:
- Criminal Justice Agency & private contractor (each employee)
- Non-criminal Justice Agency & private contractor (each employee)

Example

CJA supported by NCJA:
- SLED is CSA
- SLED’s enterprise extends to Metropolitan PD
- Metropolitan City IT department performs IT administration of PD network with some private contractors

Agreements Needed:
- CJA user agreement between SLED and Metropolitan PD
- Inter-agency agreement between Metropolitan City IT and Metropolitan PD
- Management control agreement between Metropolitan PD and Metropolitan City IT
- Security Addendum between Metropolitan City IT and Private contractors

5.2 Policy Area 2: Security Awareness Training

Security awareness training shall be required before an initial assignment for all personnel who have access to CJI. The CSO/CSA may accept the documentation of the completion of security awareness training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.

Security Awareness Training – Policy Area 2

- Security awareness training is mandatory for those with roles in the support, administration or general access to criminal justice information.
- All criminal justice employees, non-criminal justice employees, contractors, vendors, etc.
- The level of training is dependent on the role of the individual – IT support requires the highest level of training.

Security Awareness Training – Policy Area 2

- Training must be performed every two years.
- The management control criminal justice agency designated person (TAC, LASO, ISO, CSO, NCIC coordinator) is responsible for coordinating and verifying the completion of this requirement for their respective agency.

Incident Response – Policy Area 3

- The information security officer at SLED has been identified as the POC on security-related issues for the CSA and respective agencies in the state.
- The ISO is responsible for ensuring LASOs (local agency security officers) institute the CSA incident response reporting procedures at the local level.

Policy Directive - 5.3

Agencies shall:
(i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
(ii) track, document, and report incidents to appropriate agency officials and/or authorities.

Responsibilities for incident response

Agencies, whether criminal justice or non-criminal justice, that are responsible for the administration of criminal justice, dispatching, record keeping, or computer services for CJI are all required to follow the CJIS policy incident reporting requirements.

Four critical tasks must be followed with incidents:
- Incident Handling
- Collection of evidence
- Incident Response training
- Incident Monitoring

These procedures may be audited by SLED and/or the FBI during the required technical and policy audits.

Auditing and Accountability – Policy Area 4

- Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.
- Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.

Logging Events

Policy 5.4 states specific logging requirements:
- Specific events must be logged
- Content to log on each event is specified
- Monitoring, analysis and log reporting actions
- Response to logged events
- Log retention is 365 days
- Other requirements exist for NCIC, III and CJIS access and information logging

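The logging requirements summarised on the slide (fixed content per event, retention, a response to what is logged) are easiest to understand as a small audit pipeline. The Python below is an added example written for this page, not code from SLED or the FBI. The five required fields, the failed-logon threshold and window, and the sample log lines are my assumptions; they stand in for whatever the agency's local policy specifies under 5.4.

```python
"""Audit logging the way policy 5.4 is summarised on the slide: a fixed set of
fields per event, a 365-day retention rule, and a response to logged events.

Added example for this page, not SLED or FBI code. The required field set,
the failed-logon threshold and window, and the sample log lines are assumptions.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

RETENTION = timedelta(days=365)               # deck: log retention is 365 days
FAILED_LOGON_THRESHOLD = 5                    # assumption: failures that trigger a response
FAILED_LOGON_WINDOW = timedelta(minutes=10)   # assumption
# Assumed minimum content per event: when, where, what, who, and the result.
REQUIRED_FIELDS = ("timestamp", "component", "event", "subject", "outcome")


def make_record(timestamp: datetime, component: str, event: str, subject: str,
                outcome: str, **extra) -> str:
    """Serialise one audit event as a JSON line carrying the required content."""
    rec = {"timestamp": timestamp.isoformat(), "component": component,
           "event": event, "subject": subject, "outcome": outcome, **extra}
    return json.dumps(rec, sort_keys=True)


def parse_line(line: str) -> dict:
    """Parse one JSON log line; reject records that lack required content."""
    rec = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        raise ValueError(f"audit record missing required content: {missing}")
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return rec


def is_complete(line: str) -> bool:
    """True when the line carries every required field."""
    try:
        parse_line(line)
        return True
    except (ValueError, KeyError):
        return False


def prune(records: list[dict], now: datetime) -> tuple[list[dict], int]:
    """Drop records older than the retention period; return (kept, dropped_count)."""
    kept = [r for r in records if now - r["timestamp"] <= RETENTION]
    return kept, len(records) - len(kept)


def failed_logon_alerts(records: list[dict]) -> dict[str, int]:
    """Subjects with >= THRESHOLD failed logons inside any WINDOW (sliding window per subject)."""
    failures: dict[str, list[datetime]] = {}
    for r in sorted(records, key=lambda r: r["timestamp"]):
        if r["event"] == "logon" and r["outcome"] == "failure":
            failures.setdefault(r["subject"], []).append(r["timestamp"])
    alerts: dict[str, int] = {}
    for subject, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGON_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAILED_LOGON_THRESHOLD:
                alerts[subject] = max(alerts.get(subject, 0), count)
    return alerts


# Constructed sample log: one stale entry, a burst of failures, then normal activity.
NOW = datetime(2012, 8, 24, 12, 0)
SAMPLE_LINES = [
    make_record(datetime(2011, 6, 1, 8, 0), "ncic-terminal-03", "logon", "clerk1", "success"),
] + [
    make_record(datetime(2012, 8, 24, 9, m), "ncic-terminal-07", "logon", "contractor7", "failure")
    for m in range(5)
] + [
    make_record(datetime(2012, 8, 24, 9, 5), "ncic-terminal-03", "logon", "clerk1", "failure"),
    make_record(datetime(2012, 8, 24, 9, 6), "ncic-terminal-03", "logon", "clerk1", "success"),
    make_record(datetime(2012, 8, 24, 9, 10), "ncic-terminal-03", "query", "clerk1", "success",
                transaction="wanted_person_query"),
    make_record(datetime(2012, 8, 24, 9, 30), "account-admin", "privilege_change", "tac1", "success",
                target="contractor7", action="disable"),
]


def run_demo() -> dict:
    """Load the sample, apply retention, and compute the failed-logon response."""
    records = [parse_line(line) for line in SAMPLE_LINES]
    kept, dropped = prune(records, NOW)
    return {"loaded": len(records), "dropped": dropped, "kept": len(kept),
            "alerts": failed_logon_alerts(kept)}


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing: a record that lacks one of the required fields is rejected at write time rather than discovered during an audit, and the burst detector runs over the retained log, so the 365-day window also bounds how far back the response logic looks.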
Access Control – Policy Area 5

- Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information.
- Access control includes physical in addition to logical access.

User Access Control

- Always assign least privilege to accounts.
- Use job duties, physical, logical or network location, and date/time restrictions for access.
- All employee status changes must be reported and accounts adjusted as required.
- Policy guidelines state requirements for annual validation of accounts, logging of access and inactivity or failed log in attempts (policy 5.5).

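The eligibility rules spread across the deck can be checked mechanically at logon time: the AC's record-keeping and its 30-day recertification window, biennial security awareness training (Policy Area 2), least privilege by job duty, location and date/time restrictions, reported status changes, and the annual validation and inactivity requirements of policy 5.5. The Python below is an added example written for this page, not code from SLED or the FBI. The inactivity limit, the role-to-operation table, the record field names and the two sample operators are constructed assumptions.

```python
"""Logon-time eligibility check for an NCIC terminal account.

Added example for this page, not SLED or FBI code. Thresholds marked
'deck' come from the slides; everything marked 'assumption' is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

TRAINING_INTERVAL = timedelta(days=730)    # deck: awareness training every two years
RECERT_WINDOW = timedelta(days=30)         # deck: recert scheduled within 30 days of expiry
VALIDATION_INTERVAL = timedelta(days=365)  # deck: annual validation of accounts (policy 5.5)
INACTIVITY_LIMIT = timedelta(days=90)      # assumption: local agency value

# Least privilege: each job duty gets the smallest set of operations it needs.
# Operation names and this table are assumptions, not NCIC transaction codes.
ROLE_PRIVILEGES = {
    "court_clerk": {"query_wanted", "query_criminal_history"},
    "magistrate": {"query_wanted", "query_criminal_history"},
    "tac": {"query_wanted", "query_criminal_history", "enter_record", "manage_accounts"},
}


@dataclass
class Operator:
    """The records the AC must keep, reduced to what the check needs (assumed field names)."""
    name: str
    role: str
    fingerprint_submitted: Optional[date]
    awareness_trained: Optional[date]
    certified_until: Optional[date]
    last_validated: date
    last_login: date
    allowed_locations: frozenset[str]   # physical, logical or network locations
    allowed_hours: tuple[int, int]      # (first hour, last hour exclusive), local time
    active: bool = True


def certification_action(op: Operator, today: date) -> str:
    """'deny' if uncertified or expired, 'schedule' inside the 30-day window, else 'ok'."""
    if op.certified_until is None or op.certified_until < today:
        return "deny"
    if op.certified_until - today <= RECERT_WINDOW:
        return "schedule"
    return "ok"


def evaluate_access(op: Operator, operation: str, location: str, when: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed rule is reported so the TAC can fix the record."""
    today = when.date()
    reasons: list[str] = []
    if not op.active:
        reasons.append("account disabled after status change")
    if op.fingerprint_submitted is None:
        reasons.append("no fingerprint card submitted")
    if op.awareness_trained is None or today - op.awareness_trained > TRAINING_INTERVAL:
        reasons.append("security awareness training missing or older than two years")
    if certification_action(op, today) == "deny":
        reasons.append("operator certification missing or expired")
    if today - op.last_validated > VALIDATION_INTERVAL:
        reasons.append("annual account validation overdue")
    if today - op.last_login > INACTIVITY_LIMIT:
        reasons.append("account inactive beyond limit")
    if operation not in ROLE_PRIVILEGES.get(op.role, set()):
        reasons.append(f"{operation} not in least-privilege set for role {op.role}")
    if location not in op.allowed_locations:
        reasons.append(f"location {location} not permitted for this account")
    first, last = op.allowed_hours
    if not first <= when.hour < last:
        reasons.append("outside permitted hours")
    return (not reasons, reasons)


def apply_status_change(op: Operator, change: str) -> Operator:
    """Reflect a reported employee status change on the account."""
    if change == "terminated":
        op.active = False
    elif change.startswith("reassigned:"):
        op.role = change.split(":", 1)[1]
    return op


def recert_due(operators: list[Operator], today: date) -> list[str]:
    """Operators the AC must schedule for biennial recertification now."""
    return [op.name for op in operators if certification_action(op, today) == "schedule"]


def run_checks() -> dict:
    """Constructed sample records, dated around the deck's 24 Aug 2012 presentation."""
    today = date(2012, 8, 24)
    clerk = Operator("A. Clerk", "court_clerk", date(2011, 1, 10), date(2011, 3, 1),
                     date(2012, 9, 15), date(2012, 1, 5), date(2012, 8, 20),
                     frozenset({"courthouse_lan"}), (7, 18))
    contractor = Operator("B. Contractor", "tac", date(2010, 4, 1), date(2010, 5, 1),
                          date(2013, 1, 1), date(2012, 3, 1), date(2012, 4, 1),
                          frozenset({"courthouse_lan", "city_it_vlan"}), (0, 24))
    morning = datetime(2012, 8, 24, 10, 0)
    night = datetime(2012, 8, 24, 22, 0)
    results = {
        "clerk_query": evaluate_access(clerk, "query_wanted", "courthouse_lan", morning)[0],
        "clerk_enter_record": evaluate_access(clerk, "enter_record", "courthouse_lan", morning)[0],
        "clerk_offsite": evaluate_access(clerk, "query_wanted", "home_dsl", morning)[0],
        "clerk_night": evaluate_access(clerk, "query_wanted", "courthouse_lan", night)[0],
        "contractor_reasons": evaluate_access(contractor, "enter_record", "city_it_vlan", morning)[1],
        "recert_due": recert_due([clerk, contractor], today),
    }
    apply_status_change(clerk, "terminated")
    results["clerk_after_termination"] = evaluate_access(clerk, "query_wanted", "courthouse_lan", morning)[0]
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The contractor record fails on two independent grounds (stale awareness training and inactivity), which is why the function returns every reason rather than stopping at the first: the TAC needs the whole list to bring the record back into compliance.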
Access Control Recommendations

- System administrator access must be tightly regulated.
- Only allow remote admin access in emergency situations.
- Don’t allow remote access for group accounts.
- Always provide System Notifications or Warnings to users logging on.
- Use approved mechanisms to control this access (policy 5.5.2.3 and 5.5.2.4).
- Security (encryption) must be FIPS 140-2 compliant.

CJI Access Restrictions

- CJI access is not allowed from personally owned or public computers.
- No CJI over Bluetooth at this time, because it does not use a FIPS 140-2 approved encryption standard.
- CJI over Wireless and Cellular must be carefully regulated following policy 5.5.7.

Identification and Authentication – Policy Area 6

- All users must be properly identified prior to access to any agency information systems or services.
- Follow password policies for all access to the criminal justice infrastructure or network where CJI is transmitted, as listed in 5.6.2.1.

Advanced Authentication

- Advanced Authentication (AA) is required when users are accessing CJI via a network that is not deemed secure by the SLED ISO (policy 5.6.2.2).
- Advanced Authentication is the use of additional identifiers on top of login ID and password, which may include PKI, biometrics, smart cards, tokens, software tokens, etc.

Configuration Management – Policy Area 7

- The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades and modifications.
- Thus agencies must restrict who has configuration management permissions.

Configuration Management Requirements

- Agencies must provide a detailed network topology diagram to the SLED ISO anytime there is a proposed network change or a network change has occurred.
- Agencies must protect all system configuration documentation from unauthorized access.

Media Protection – Policy Area 8

- Procedures must be defined for securely handling, transporting, and storing media, both electronic and physical.
- Procedures must also be in place for the sanitization and disposal of electronic and physical media that meet policies.
- All entities accessing CJI media must be vetted, authorized personnel.
- Specific policies are in policy 5.8.

Physical Protection – Policy Area 9

- All CJI and associated information systems must be in a physically secure location.
- This can be a facility, area, room or group of rooms with controls described in 5.9.1.1 – 5.9.1.9.
- Personnel security for access to the area must follow policy area 12.
- The location is subject to the management control of the CJA and must follow all criminal justice policies.

Physical protection

- A security perimeter should be established and posted as such.
- A list of authorized personnel with access must be maintained.
- All physical access points to the secure area must be controlled.
- All physical access to the IT systems and transmission lines shall be controlled.
- The display or view of information from outside this controlled area must prevent unauthorized viewing.

Visitor Control

- Visitors must be authenticated before authorizing escorted access.
- Access records shall be maintained following the policy requirements in 5.9.1.8.
- Items entering and exiting the area shall be controlled and authorized.

- Non-criminal justice agencies or contractors must follow these procedures to report incidents to the LASO at the criminal justice agency they support. (Who signed the management control agreement?)
- The criminal justice agency LASO will report these incidents to the SLED ISO, who will in turn communicate the details to the FBI CJIS ISO.

Systems & Communications Protection and Information Integrity – Policy Area 10

- Examples range from boundary and transmission protection to securing virtual environments.
- Information flow enforcement between interconnected systems shall be controlled.

Information Flow

Information flow enforcement regulates where information is allowed to travel within the IT system and between IT systems.
- CJI cannot be transmitted unencrypted across the public network.
- Outside traffic that claims to be from the agency must be blocked.
- Web requests from the public network not from an internal web proxy should not be passed.

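The three flow rules on the slide are what a boundary device between the agency network and the public network would enforce. The Python below models them as a stateless filter so each rule can be read and tested on its own; it is an added example written for this page, not SLED or FBI code. The agency address space, the proxy address, the set of destination ports treated as encrypted transport, the `carries_cji` label (assumed to be supplied by the sending application) and the sample packets are constructed. Reading the third rule as "web traffic crosses the boundary in either direction only through the internal proxy" is my interpretation of the slide.

```python
"""The three information-flow rules from the slide, as a stateless boundary filter.

Added example for this page, not SLED or FBI code. Addresses, the proxy, the
encrypted-port set, the carries_cji label and the sample packets are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

AGENCY_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed agency address space
WEB_PROXY = ipaddress.ip_address("10.20.1.5")            # constructed internal web proxy
ENCRYPTED_PORTS = {443, 500, 4500}                       # assumption: TLS, IKE, IPsec NAT-T
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" (public network side) or "inside"
    src: str
    dst: str
    proto: str
    dport: int
    carries_cji: bool = False   # assumed label from the sending application


def is_agency(addr) -> bool:
    return any(addr in net for net in AGENCY_NETS)


def decide(pkt: Packet) -> tuple[str, str]:
    """Return ("pass"|"drop", reason). First matching rule wins; default is pass."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Slide rule 2: outside traffic claiming an agency source address is spoofed.
    if pkt.iface == "outside" and is_agency(src):
        return "drop", "outside traffic claims an agency source address"
    # Slide rule 1: CJI may not leave for the public network without encrypted transport.
    if pkt.iface == "inside" and not is_agency(dst) and pkt.carries_cji and pkt.dport not in ENCRYPTED_PORTS:
        return "drop", "CJI to public network without encrypted transport"
    # Slide rule 3 (interpretation): web traffic crosses the boundary only via the proxy.
    if pkt.dport in WEB_PORTS:
        if pkt.iface == "inside" and not is_agency(dst) and src != WEB_PROXY:
            return "drop", "web request to public network not from internal proxy"
        if pkt.iface == "outside" and dst != WEB_PROXY:
            return "drop", "web request from public network not directed to internal proxy"
    return "pass", "permitted by policy"


# Constructed sample traffic (RFC 5737 documentation addresses for the public side).
SAMPLE = [
    Packet("outside", "10.20.3.7", "10.20.1.10", "tcp", 443),                      # spoofed source
    Packet("inside", "10.20.4.4", "198.51.100.9", "tcp", 25, carries_cji=True),    # clear-text CJI
    Packet("inside", "10.20.4.4", "198.51.100.9", "tcp", 443),                     # bypasses proxy
    Packet("inside", "10.20.1.5", "198.51.100.9", "tcp", 443),                     # via proxy
    Packet("outside", "203.0.113.8", "10.20.1.10", "tcp", 80),                     # inbound web, wrong host
    Packet("inside", "10.20.4.4", "10.20.9.9", "tcp", 80),                         # internal only
    Packet("inside", "10.20.4.4", "198.51.100.9", "udp", 4500, carries_cji=True),  # IPsec tunnel
]


def run_demo() -> list[str]:
    """Verdict for each sample packet, in order."""
    return [decide(p)[0] for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_demo()):
        print(verdict, pkt, decide(pkt)[1])
```

The `carries_cji` flag is the weak point of any such filter: a boundary device cannot see whether a payload is CJI, so in practice the first rule is met by forcing all traffic from CJI-processing hosts through an encrypted tunnel (the last sample packet) rather than by inspecting content.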
Layers of protection

- CJI and systems shall provide boundary protection as established in policy 5.10.1.1.
- Encryption standards must be met (policy 5.10.1.2); SLED has an additional requirement for encryption: AES 256.
- Intrusion detection/prevention tools shall be in place following policy 5.10.1.3.
- VoIP and facsimile policies shall also be implemented per policy 5.10.1.4.

Information Technology security

- IT security is hardware and/or software used to assure the integrity and protection of information and the means of processing it.
- Many criminal justice data systems and networks are interconnected to one another and the Internet.
- As such, those systems and networks are vulnerable to exploitation by unauthorized individuals.

Partitioning

Specific controls must be in place to use this technology with Criminal Justice Information and processing. The application, service, or system shall:
- Separate user functionality (including UI services) from information system management.
- Separate UI services from information storage and management services, either physically or logically. Guidelines for achieving this are specified in 5.10.3.1.

Virtualization

- All security controls in the policy apply to virtualization.
- Additional controls exist in policy 5.10.3.2:
  - Isolate host from virtual machine
  - Maintain audit logs for all virtual hosts and machines (store these outside of the virtual environment)
  - Physically separate Internet-facing virtual machines from virtual machines that process CJI
  - Critical device drivers shall be contained in a separate guest

Virtualization

Additional technical security controls are suggested. These include:
- Encrypt network traffic between virtual machine and host
- Implement IDS and IPS within the virtual machine environment
- Virtually firewall each virtual machine from each other, or physically firewall each with an application layer firewall controlling protocols
- Segregate the administrative duties for the host

System & Information Integrity

- The agency shall develop and implement a local policy for installing relevant security patches, service packs and hot fixes.
- The policy must include items and procedures (policy 5.10.4.1) for installing these ‘fixes’.
- Malicious code, spam and firewall protection must be implemented following policy 5.10.4.2 - 5.10.4.3.

Formal Audits – Policy Area 11

- Formal audits are conducted on IT services, secure areas, personnel and policies by SLED and the FBI.
- Regular audits are triennial but can be conducted more frequently.
- The FBI has the authority to conduct unannounced security inspections and scheduled audits of the facilities.
- All agencies, CJA and NCJA, are subject to the audit requirements and inspections.
- Responses to audit findings must be addressed in a manner accepted by the CJA, SLED and FBI.
- Failure to correct deficiencies will result in sanctions.

Personnel Security – Policy Area 12

- All personnel who have access to unencrypted criminal justice information (CJI), including those with only physical or logical access, must be screened.
- All requests for access must be cleared by the CJA who maintains management control. The TAC or LASO is the point of contact for these requests.

Background Checks

- Notification of subsequent arrest and/or convictions for those who have access must be sent to the CSO to determine if access should be continued.
- Support personnel, contractors, custodial workers, and others with access to physically secure or controlled locations shall be subject to these regulations unless escorted by an authorized person at all times.

Personnel screening for contractors and vendors

In addition to requirements in policy 5.12.1.1, the following items are in place:
- The contracting government agency (CGA) shall coordinate the background check with the criminal justice agency that has management control prior to granting access.
- If a record of any kind is found, the CGA will be notified and access is delayed pending a review by the CJA. The CGA must notify the contractor-appointed security officer.
- All felony convictions are disqualifications for access.
- Arrest warrants are disqualifications for access.
- The CGA shall maintain a list of personnel who have been authorized for access and shall provide a current list to the CSO when requested.
- The CGA can request the CSO to review any denials.

Maintenance after granting physical or logical access

- Upon termination or separation, the individual’s access shall immediately be terminated.
- Reassignments or transfers shall result in actions such as closing and establishing new accounts and changing system access authorizations.
- A formal sanctions process for failure to comply with established information security policies and procedures shall be documented, distributed and enforced. This should be available during an audit.

Background Checks

- A state of residency and national fingerprint background check is required for unescorted access AND for all personnel who have direct access to CJI and all those who have IT responsibility.
- Any felony conviction will result in access being denied.
- If a record of any kind exists, access cannot be granted until the CSO (SLED) reviews and determines if access is appropriate.

System & Information Integrity

- Any mobile device by design (laptops, handhelds, PDAs etc.) must employ personal firewall protection.
- A minimum list of activities performed by the personal firewall is listed in policy 5.10.4.4:
  - Manage program access to the Internet
  - Block unsolicited requests to connect to the device
  - Filter incoming traffic by IP, protocol or destination port
  - Maintain an IP traffic log
- Security alerts and advisories must be received by the agency and policies must be in place for handling the information (policy 5.10.4.5).

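The four minimum personal-firewall activities listed above are host-side controls on the mobile device itself, distinct from anything a network boundary does: the firewall has to know which local program is opening a connection and which inbound packets are replies to connections the device itself opened. The Python below models a laptop firewall doing exactly those four things; it is an added example written for this page, not SLED or FBI code. The program allowlist, the blocked networks and ports, the definition of which address ranges count as "local" rather than "Internet", and the sample traffic are constructed.

```python
"""A mobile-device personal firewall doing the four minimum activities the slide
lists for policy 5.10.4.4: program access to the Internet, dropping unsolicited
inbound requests, filtering inbound traffic by IP/protocol/port, and an IP traffic log.

Added example for this page, not SLED or FBI code. The allowlist, blocked
networks and ports, the local-network definition and the sample traffic are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

# Assumption: anything outside these ranges is treated as "the Internet".
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class PersonalFirewall:
    def __init__(self, internet_programs, blocked_ports, blocked_nets, inbound_exceptions=()):
        self.internet_programs = set(internet_programs)       # programs allowed to reach the Internet
        self.blocked_ports = set(blocked_ports)               # destination ports never allowed outbound
        self.blocked_nets = [ipaddress.ip_network(n) for n in blocked_nets]
        self.inbound_exceptions = set(inbound_exceptions)     # (proto, local port) allowed to accept connections
        self.sessions: set[tuple[str, str, int]] = set()      # (proto, remote ip, remote port) opened locally
        self.log: list[dict] = []                             # the IP traffic log

    def _record(self, **entry) -> bool:
        """Append every decision to the traffic log; return True when the packet is allowed."""
        self.log.append(entry)
        return entry["action"] == "allow"

    def _blocked_addr(self, ip) -> bool:
        return any(ip in net for net in self.blocked_nets)

    def outbound(self, program: str, remote_ip: str, proto: str, dport: int) -> bool:
        ip = ipaddress.ip_address(remote_ip)
        base = dict(direction="out", program=program, remote=remote_ip, proto=proto, port=dport)
        is_internet = not any(ip in net for net in LOCAL_NETS)
        if is_internet and program not in self.internet_programs:      # manage program access to the Internet
            return self._record(**base, action="drop", reason="program not permitted Internet access")
        if dport in self.blocked_ports:
            return self._record(**base, action="drop", reason="destination port blocked")
        if self._blocked_addr(ip):
            return self._record(**base, action="drop", reason="destination address blocked")
        self.sessions.add((proto, remote_ip, dport))   # remember it so replies are not "unsolicited"
        return self._record(**base, action="allow", reason="outbound permitted")

    def inbound(self, remote_ip: str, proto: str, sport: int, dport: int) -> bool:
        base = dict(direction="in", program=None, remote=remote_ip, proto=proto, port=dport)
        if self._blocked_addr(ipaddress.ip_address(remote_ip)):           # filter by IP
            return self._record(**base, action="drop", reason="source address blocked")
        if (proto, remote_ip, sport) in self.sessions:                     # reply to our own connection
            return self._record(**base, action="allow", reason="reply to session opened by local program")
        if (proto, dport) in self.inbound_exceptions:                      # filter by protocol / port
            return self._record(**base, action="allow", reason="listening port permitted by policy")
        return self._record(**base, action="drop", reason="unsolicited connection request")

    def summary(self) -> dict[str, int]:
        """Allowed and dropped counts per direction, derived from the traffic log."""
        return dict(Counter(f"{e['direction']}_{e['action']}" for e in self.log))


def run_demo() -> dict:
    """Constructed traffic against a constructed policy."""
    fw = PersonalFirewall(internet_programs={"ncic-client", "vpn-client", "os-updater"},
                          blocked_ports={23, 445}, blocked_nets=["192.0.2.0/24"])
    steps = [
        fw.outbound("ncic-client", "203.0.113.20", "tcp", 443),     # allowed; session recorded
        fw.inbound("203.0.113.20", "tcp", 443, 51000),               # reply to that session
        fw.inbound("198.51.100.7", "tcp", 40000, 445),               # unsolicited inbound request
        fw.outbound("game-launcher", "203.0.113.30", "tcp", 443),    # program not on the Internet list
        fw.outbound("ncic-client", "203.0.113.20", "tcp", 23),       # blocked destination port
        fw.outbound("os-updater", "192.0.2.5", "tcp", 443),          # blocked destination network
        fw.outbound("game-launcher", "10.0.0.5", "tcp", 8080),       # local network, not Internet
    ]
    return {"steps": steps, "summary": fw.summary(),
            "drop_reasons": [e["reason"] for e in fw.log if e["action"] == "drop"]}


if __name__ == "__main__":
    print(run_demo())
```

The session table is what turns "block unsolicited requests" into something checkable: a reply is allowed only because the same protocol, remote address and remote port were recorded when a local program opened the connection, and every decision, allowed or dropped, lands in the log the policy asks the device to keep.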
Information Technology security

A vulnerability is a condition or weakness in (or the absence of):
- Security Procedures
- Technical Controls
- Physical Controls
- Other controls that could be exploited by a threat.

Information Technology security

- All systems and networks have vulnerabilities.
- The goal of security is to minimize those vulnerabilities.
- Vulnerabilities include, but are not limited to, physical, natural, hardware and software.

Information Technology security

Vulnerability examples:
- Physical: the placement of a computer in a non-secure location.
- Natural: a server connected to a power source without a surge protector or backup power supply.
- Hardware: a connection to the Internet without a firewall.
- Software: not updating the computer operating system when updates are issued.

Information Technology security

Security Points of Contact:
- Identify who is using the hardware/software and ensure that no unauthorized users have access to same.
- Identify and document how the equipment is connected to the state system.
- Ensure that personnel security screening procedures are being followed as stated in the CJIS Security Policy.

Information Technology security

- Ensure that appropriate hardware security measures are in place.
- Support policy compliance and keep the state ISO informed of security incidents.

Remember

The local agency may complement the CJIS Security Policy with a local policy, or the agency may develop their own stand-alone security policy; however, the CJIS Security Policy shall always be the minimum standard, and local policy may augment or increase the standards but shall not detract from the CJIS Security Policy standards.

Remember

This Policy governs the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, and availability of service needed by the criminal justice community.

Remember

Responsibility for the management control of network security shall remain with the CJA. Management control of network security includes the authority to enforce the standards for the selection, supervision, and separation of personnel who have access to CJI; set and enforce policy governing the operation of circuits and network equipment used to transmit CJIS data; and to guarantee the priority service as determined by the criminal justice community.

Remember

- Private contractors who perform criminal justice functions shall meet all policies for training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies.
- Additional screening requirements exist in the security policy 5.1.

Remember

All private contractors who perform criminal justice functions shall acknowledge, via signing of the Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.

Agreements

User Agreements – state the policy, standards, sanctions, governance, auditing, services accessed and policy compliance required for the user agency.

Agreements Needed:
- CJA user agreement between SLED and court agency
- Inter-agency agreement between Metropolitan City IT and Metropolitan court agency
- Management control agreement between Metropolitan court agency and Metropolitan City IT
- Security Addendum between Metropolitan City IT and Private contractors (TAC needs copies)

Contacts and Steps to gain access

- Contact the CSO office in writing requesting access to NCIC data.
- Once received, the CSO office will forward this request to the FBI for an NCIC ORI assignment.
- Any court that hears civil cases only (with the exception of domestic violence and stalking cases) does not qualify for an NCIC 2000 ORI assignment.
- Contact person for the CSO office is Millie Galloway at [email protected] or 803-896-7142.

Contacts and Steps to gain access

- When the ORI has been established, the CSO office will send an Information Exchange Agreement to the court.
- Completed security addendums between agency and IT vendor.
- The Court will perform TAC/LASO assignment.
- Security Awareness Training performed on all individuals.

Contacts and Steps to gain access

- Completed fingerprint checks on all individuals.
- Completed state of residency check on all individuals.
- Once those checks have been performed, then the court will send the completed Site Survey and Topology for approval.

www.sled.sc.gov
[email protected]
[email protected]
The End