The previous blog on physical protection helped us understand the security measures needed to protect Criminal Justice Information (CJI) in a physically secure location. In this blog, we will discuss one of the most important policy areas of CJIS Compliance: System and Communications Protection and Information Integrity.
Information Flow Enforcement
The network infrastructure should be in control of the flow of information between interconnected systems. The system shall control the movement of data from one place to another in a secure manner. Specific examples of flow control can be found in devices that engage in protection of boundaries such as gateways, proxies, firewalls, routers, tunnels, and guards. A few such examples that are better expressed as flow control rather than access control are:
- Block outside traffic that purports to be from within the agency.
- Prevent Criminal Justice Information from being transmitted over a public network in an unencrypted form.
- Do not send any web requests to a public network that don’t originate from the internal web proxy.
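The three flow-control rules above, written as a small evaluator over flow records. This is an added example, not part of the CJIS Security Policy or the original post; the addresses, the `Flow` fields and the `carries_cji`/`encrypted` tags (assumed to come from an upstream classifier) are illustrative assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for illustration (private and documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WEB_PROXY = ipaddress.ip_address("10.20.5.10")
WEB_PORTS = {80, 443}

@dataclass
class Flow:
    iface: str                 # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    dport: int
    carries_cji: bool = False  # assumed tag from an upstream classifier
    encrypted: bool = False    # assumed tag, e.g. TLS or IPsec observed

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow, applying the three rules in order."""
    # Rule 1: traffic arriving from outside cannot legitimately have an inside source.
    if flow.iface == "outside" and is_internal(flow.src):
        return "deny", "spoofed internal source on outside interface"
    leaving = flow.iface == "inside" and not is_internal(flow.dst)
    # Rule 2: CJI may not cross to a public network unencrypted.
    if leaving and flow.carries_cji and not flow.encrypted:
        return "deny", "unencrypted CJI to public network"
    # Rule 3: outbound web requests must originate from the internal proxy.
    if leaving and flow.dport in WEB_PORTS and ipaddress.ip_address(flow.src) != WEB_PROXY:
        return "deny", "web request bypasses internal proxy"
    return "allow", "no flow rule violated"

# Constructed sample flows, one per case.
SAMPLE_FLOWS = [
    Flow("outside", "10.20.7.7", "10.20.1.4", 22),                       # rule 1
    Flow("inside", "10.20.3.9", "198.51.100.20", 25, carries_cji=True),  # rule 2
    Flow("inside", "10.20.3.9", "203.0.113.8", 443),                     # rule 3
    Flow("inside", "10.20.3.9", "203.0.113.8", 443, True, True),         # encrypted, still rule 3
    Flow("inside", "10.20.5.10", "203.0.113.8", 443, True, True),        # via proxy: allowed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.dport, *decide(f))
```

The fourth flow shows why these are flow rules rather than access rules: the workstation's CJI is encrypted, yet the request is still denied because it does not pass through the proxy.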
Boundary Protection of CJIS Compliance
The agency should:
- Control access to networks that are processing Criminal Justice Information
- Ensure that all the connections to external systems, the Internet, and IT systems occur through interfaces that are controlled by the agency.
- Ensure that an operational failure of boundary protection devices does not result in any unauthorized leak of information outside the IT system boundary.
- Employ techniques and tools to detect attacks, monitor events and identify unauthorized users.
- Allocate publicly accessible information system components to separate sub-networks with isolated network interfaces, so that even if these public networks are compromised, the main secure network is not affected.
Encrypting the data is of prime importance, and there are stringent conditions that need to be followed. The encryption needs to be a minimum of 128 bits, and when Criminal Justice Information is being transmitted outside the physically secure location, appropriate encryption mechanisms need to be put in place. Even while CJI is at rest, encryption mechanisms need to be put in place to ensure maximum security. The cryptographic module used to encrypt data shall be certified to meet the stringent FIPS 140-2 standards.
Intrusion Detection Tools and Techniques
The agency should implement host-based and/or network-based intrusion detection tools. The State Identification Bureau (SIB)/CJIS Systems Agency (CSA) additionally should:
- Check the outbound and inbound communications for unauthorized and unusual activities.
- Employ automated tools to offer support to the monitoring system that detects system-level attacks.
- The agencies shall also send individual intrusion detection logs to a centralized logging facility, where the logs are analyzed to study attack patterns and how further intrusions can be prevented.
Voice over Internet Protocol
VoIP is an extremely popular tool that several organizations use. Although it offers several operational and cost advantages over the legacy telephone systems, VoIP networks have a myriad of security challenges that need to be addressed. Therefore, in line with the communication protection, agencies that are employing VoIP in their networks should adhere to the following rules.
- Establish implementation guidance and usage restrictions for VoIP technologies
- Change the default password on VoIP switches and IP phones
- Utilize Virtual Local Area Network (VLAN) technology to segment data traffic from VoIP traffic
Organizations transitioning to a cloud environment are generally confronted with both the challenges and the opportunities that the technology provides. Although the cost savings outweigh the rest, loss of control over data is a serious point to consider when it comes to CJIS Compliance security. In light of this, it is suggested that organizations make their decisions after reviewing the cloud computing white paper and the cloud assessment found in NIST special publications and on FBI.gov. The capabilities of the cloud service providers and their policies will also help organizations decide whether the providers can offer services that are compliant with the requirements laid down by the CJIS Compliance Security Policy.
It should also be noted that metadata derived from CJI shouldn’t be put to use by cloud service providers for any purpose whatsoever. Furthermore, the service provider is also prohibited from scanning any data files or email and using them for data mining, building analytics, advertising or improving the quality of the services they provide.
Facsimile Transmission of Criminal Justice Information
When transmitting CJI through facsimile, encryption requirements needn’t be followed.
Partitioning and Virtualization
In view of the increasing scarcity of resources, organizations are resorting to centralization of system administration, services, and applications. Hence, it is important to secure these virtualized machines and partitions as well.
There shall be a clear separation between IT system management functionality and user functionality and the service, application or information system should create such a separation either logically or physically. Separation may be achieved by any one of the following methods.
- Different central processing units (CPUs)
- Different computers
- Different network addresses
- Separate instances of the operating system
- Any other methods that are approved by FBI CJIS ISO
It may be noted that virtualized environments are authorized for noncriminal justice as well as criminal justice activities. Over and above the security controls described above, there are further controls that need to be implemented in a virtualized environment.
- Maintain audit logs for all hosts and virtual machines, and store these logs outside the virtual environment of the host.
- Isolate the virtual machine from the host, which means that users of virtual machines can’t access the host firmware, files, etc.
- Critical device drivers should be contained within a separate guest.
- Internet-facing virtual machines such as portal servers and web servers should be physically separate from those virtual machines which are involved in CJI processes internally.
System and Information Integrity Policy and Procedures
As and when a new security patch is released, it is of prime importance that the patch is applied to ensure information security. Patch requirements that are found during incident response activities, security assessments and continuous monitoring also need to be addressed. Local policies should include items such as:
- Rollback capabilities when installing updates, patches, etc.
- Thorough testing of appropriate patches well before installation.
- Centralized management of patches
- Automatic updates need to be activated without the intervention of a user.
Malicious Code Protection
The agency needs to implement malicious code protection, which includes automatic updates for all systems that have access to the Internet. Even systems with no Internet access need to be updated regularly to reflect the latest status. In addition, the agency should employ virus detection and protection programs that identify and eradicate malicious code such as worms, viruses, and Trojan horses.
Spam and Spyware Protection
The agency should:
- Utilize spyware protection on servers, on all mobile computing devices, and workstations on the network
- Utilize the spam protection programs at all important points of entry of information such as electronic mail servers, firewalls, and remote-access servers.
Security Alerts and Advisories
The agency should:
- Receive security advisories/alerts about the information system regularly
- Issue advisories/alerts to the appropriate people
- Document all the types of actions that need to be taken in response to the security alerts
- Take suitable action
- Install automated mechanisms that enable availability of advisory and security alert information throughout the agency as appropriate.
Information Input Restrictions
The agency shall ensure that the information input to any connection to FBI CJIS Compliance services is restricted only to authorized individuals. Restrictions on the personnel authorized to input information to the IT system may be extended beyond the general access controls employed by the system.
DoubleHorn is one of the leading Cloud Solutions Providers founded in January 2005 and based in Austin, Texas. We are capable of offering Cloud Solutions that meet CJIS requirements. Contact us for a complimentary initial assessment at email@example.com or (855) 618-6423.