In the previous blog on auditing and accountability, we discussed the events that the information system needs to monitor and audit. In this blog we discuss the next policy area, Access Control. This policy area broadly covers the planning and execution of mechanisms for restricting the reading, writing, processing and transmission of criminal justice information (CJI). It also covers restricting modification of the applications, information systems, and communication configurations and services that provide access to CJI. There are additional access control requirements for mobile devices accessing CJI.
The agency must manage all information system accounts, including their establishment, activation, modification, review, disabling and removal. Agencies should also validate every information system account at least once a year and document the validation process. Documentation and validation of accounts may be delegated to local agencies where needed. Account management includes identifying the different account types (individual, group or system), establishing conditions for group membership, and assigning the associated authorizations. It is of prime importance that the agency identifies who the authorized users of the information system are and specifies their access privileges and rights. Agencies should grant access to information systems based on:
1. Approval of all personnel security criteria
2. Valid need-to-share/need-to-know that is determined by assigned official duties
The agency responsible for creating accounts should be notified when:
- A user's need-to-share or need-to-know use of the information system changes
- A user is transferred or terminated, or the user's associated accounts are disabled, secured or removed
The information system must enforce the assigned authorizations that control access to the system and to the information it holds. Privileged functions deployed in hardware, firmware and software must be restricted by the information system to a few explicitly authorized personnel: system, security and network administrators, and other personnel with access to system administration, control and monitoring functions. The access enforcement requirements include the following.
The agency should approve individual access privileges and enforce the logical and physical access restrictions associated with changes to the information system. The agency should generate, review and retain records that reflect all such changes. The agency should enforce the most restrictive set of access rights and privileges that users need to perform their assigned tasks, so that the risk to CJI is mitigated. Access to CJI should be limited to authorized personnel who have both the need and the right to know. The agency should also retain logs of access privilege changes for one year or for the agency's own retention period, whichever is longer.
System Access Control
Access control mechanisms that enable access to CJI should be restricted by object (volumes, data sets, records and files), including the explicit ability to read, write, modify and delete objects. Access controls should be in place on all IT systems to:
- Prevent multiple concurrent active sessions for a single user identification in applications that access CJI. An exception may be granted where there is an operational business need for concurrent sessions; agencies must document the parameters of that operational need.
- Ensure that only authorized personnel can add, change or remove component devices and dial-up connections, and add or remove programs.
Access Control Criteria
Control of access to CJI by the agency should be based on one or more of the following:
- Physical location
- Job assignment or roles of the user who is seeking access
- Network addresses
- Logical location
- Day-of-week/month and time-of-day restrictions
Access Control Mechanisms
When setting up access controls, agencies should use one or more of the following mechanisms:
- Resource restrictions: access to specific functions is restricted by not allowing users to request information, functions or other resources for which they have no authorization. Typical resource restrictions are implemented with network devices, menus and database views.
- Access control lists (ACLs): an ACL is a list of the users who are permitted to use a particular system resource, together with the type of access each has been authorized to use.
- Application level: in addition to access control restrictions applied at the system level, access enforcement mechanisms should also be applied at the application level.
- Encryption: encrypted information must be decrypted before it can be used, so only those who hold the appropriate key can access it. Encryption is a strong access control mechanism, but only when it is backed by proper key management.
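The criteria and mechanisms above combine naturally into a single deny-by-default decision: a request is allowed only when some ACL rule for the requester's role matches the object, the requested right, the source network, and the day and time of day. The following is an added example written for this post, not code from the original article or from the CJIS policy; the role names, object names, networks and the fixed-offset agency time zone are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Agency local time for day-of-week and time-of-day rules. A fixed offset is an
# assumption that keeps the example self-contained; a deployment would use the
# agency's real time zone.
AGENCY_TZ = timezone(timedelta(hours=-6), name="agency-local")


@dataclass(frozen=True)
class Rule:
    role: str            # job assignment of the requester
    obj: str             # protected object (data set, record class, file, ...)
    rights: frozenset    # subset of {"read", "write", "modify", "delete"}
    networks: tuple      # permitted source networks as CIDR strings
    days: frozenset      # permitted ISO weekdays, 1 = Monday .. 7 = Sunday
    start_hour: int      # permitted window start (inclusive), agency local time
    end_hour: int        # permitted window end (exclusive), agency local time


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    obj: str
    right: str
    src_ip: str
    when: datetime       # must be timezone-aware


# Constructed sample policy (assumed names, not from the post): clerks read
# during business hours from the agency LAN; supervisors may also modify, at
# any time, from the LAN or a management subnet.
POLICY = [
    Rule("records_clerk", "arrest_records", frozenset({"read"}),
         ("10.20.0.0/16",), frozenset({1, 2, 3, 4, 5}), 7, 19),
    Rule("records_supervisor", "arrest_records", frozenset({"read", "modify"}),
         ("10.20.0.0/16", "10.30.1.0/24"), frozenset(range(1, 8)), 0, 24),
]


def decide(policy: list, req: Request) -> tuple[bool, str]:
    """Deny by default: allow only if some rule matches on every criterion.
    Reasons from rules that nearly matched are returned so a denial is auditable."""
    if req.when.tzinfo is None:
        return False, "request time must be timezone-aware"
    try:
        ip = ip_address(req.src_ip)
    except ValueError:
        return False, "malformed source address"
    local = req.when.astimezone(AGENCY_TZ)   # evaluate windows in agency time
    reasons = []
    for r in policy:
        if r.role != req.role or r.obj != req.obj:
            continue
        if req.right not in r.rights:
            reasons.append(f"{r.role} lacks {req.right} on {r.obj}")
            continue
        if not any(ip in ip_network(n) for n in r.networks):
            reasons.append(f"{req.src_ip} not in allowed networks")
            continue
        in_window = (local.isoweekday() in r.days
                     and r.start_hour <= local.hour < r.end_hour)
        if not in_window:
            reasons.append(f"outside allowed window ({local:%a %H:%M} agency time)")
            continue
        return True, f"matched rule for {r.role} on {r.obj}"
    return False, "; ".join(reasons) or "no rule for this role/object"


def check(role: str, obj: str, right: str, src_ip: str, when_iso: str,
          user: str = "u1") -> tuple[bool, str]:
    """Convenience wrapper: build a Request from an ISO-8601 timestamp and decide."""
    req = Request(user, role, obj, right, src_ip, datetime.fromisoformat(when_iso))
    return decide(POLICY, req)


if __name__ == "__main__":
    for args in [
        ("records_clerk", "arrest_records", "read", "10.20.5.7", "2024-03-05T10:00:00-06:00"),
        ("records_clerk", "arrest_records", "write", "10.20.5.7", "2024-03-05T10:00:00-06:00"),
        ("records_clerk", "arrest_records", "read", "10.20.5.7", "2024-03-06T01:00:00+00:00"),
    ]:
        print(args[:3], check(*args))
```

Note that the request time is converted to agency local time before the window is checked, so a client that reports timestamps in UTC cannot slip past a business-hours rule, and a naive timestamp is rejected outright rather than guessed at.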
Unsuccessful Login Attempts
Where technically feasible, the information system should limit the number of invalid access attempts by a user attempting to access CJI to no more than five. Once that limit is reached, the system should automatically lock the account for a period of 10 minutes unless an administrator releases it earlier.
System Use Notification
The system should display a system use notification before granting access, informing users of the system's usage and monitoring rules. The notification should state the following:
- That the system usage may be monitored and recorded and may be subject to audit
- That the user is accessing information from a restricted information system
- That the use of the system indicates the user consent to recording and monitoring
- That unauthorized use of the system may be subject to civil and/or criminal penalties
Session Lock
The information system should automatically lock the session after 30 minutes of inactivity, and the user should have to present appropriate credentials to unlock it. Users should also lock their sessions whenever they leave the device unattended, so that unauthorized persons cannot use CJI.
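The unsuccessful-login, session-lock and single-session requirements above are three small state machines that are easy to get subtly wrong (a lock that never expires, a counter that is not reset on success, a lockout that leaks which usernames exist). The following is an added example written for this post, not code from the original article or from the CJIS policy. It keeps state in memory and takes an injectable clock so the 10-minute lockout and 30-minute idle timer can be exercised without waiting; the credential store and usernames are constructed assumptions.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # invalid attempts allowed before the account locks
LOCKOUT_SECONDS = 10 * 60        # automatic lock period
SESSION_IDLE_SECONDS = 30 * 60   # inactivity after which a session locks


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # clock value at which the lock expires


@dataclass
class Session:
    user: str
    last_activity: float
    locked: bool = False


class FakeClock:
    """Controllable clock so lockout and idle timers can be tested without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginGuard:
    def __init__(self, credentials: Dict[str, str],
                 clock: Callable[[], float] = time.monotonic,
                 allow_concurrent: bool = False) -> None:
        # credentials maps username -> secret. Plain strings keep the example
        # self-contained; a real system stores a password hash and verifies it
        # with a KDF. allow_concurrent models the documented operational exception.
        self._creds = credentials
        self._clock = clock
        self._allow_concurrent = allow_concurrent
        self._accounts: Dict[str, AccountState] = {}
        self._sessions: Dict[str, Session] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if self._clock() >= st.locked_until:   # lock expired: clear it and the counter
            st.locked_until = None
            st.failed_attempts = 0
            return False
        return True

    def _verify(self, user: str, secret: str) -> Tuple[bool, str]:
        """Check a credential, counting failures and locking after the limit."""
        if self.is_locked(user):
            return False, "account locked"
        st = self._state(user)
        expected = self._creds.get(user, "")
        # compare_digest keeps the comparison time independent of where the strings
        # differ. Unknown usernames are counted as well, so lockout behaviour does
        # not reveal which usernames exist.
        if expected and hmac.compare_digest(expected.encode(), secret.encode()):
            st.failed_attempts = 0
            return True, "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self._clock() + LOCKOUT_SECONDS
            return False, "account locked"
        return False, "invalid credentials"

    def attempt_login(self, user: str, secret: str) -> Tuple[Optional[str], str]:
        """Return (session_id, message); session_id is None when login fails."""
        ok, msg = self._verify(user, secret)
        if not ok:
            return None, msg
        if not self._allow_concurrent:
            # One active session per user identification: end any earlier session.
            self._sessions = {sid: s for sid, s in self._sessions.items() if s.user != user}
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, self._clock())
        return sid, msg

    def admin_release(self, user: str) -> None:
        """Administrator releases a lock before the 10 minutes elapse."""
        self._accounts[user] = AccountState()

    def touch(self, sid: str) -> bool:
        """Record activity. Returns False when the session is missing or locked
        (by the user or after the idle period), so the caller must re-authenticate."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        now = self._clock()
        if s.locked or now - s.last_activity >= SESSION_IDLE_SECONDS:
            s.locked = True
            return False
        s.last_activity = now
        return True

    def lock_session(self, sid: str) -> None:
        """User-initiated lock when leaving the workstation."""
        if sid in self._sessions:
            self._sessions[sid].locked = True

    def unlock_session(self, sid: str, secret: str) -> bool:
        """Unlock by re-authenticating; failures here count toward the lockout too."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        ok, _ = self._verify(s.user, secret)
        if ok:
            s.locked = False
            s.last_activity = self._clock()
        return ok
```

Two details matter in practice: the failure counter is reset on a successful login and when a lock expires, so a user is not silently one attempt away from lockout days later, and the unlock path goes through the same verifier as login, so guessing at a locked screen is rate-limited exactly like guessing at the login prompt.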
Remote Access
The agency should authorize, monitor and control all methods of remote access to the information system, using automated mechanisms to facilitate that monitoring and control. All remote access should be routed through managed access control points. The agency should document in the information system's security plan which privileged functions may be accessed remotely.
Personally Owned Information Systems
A personally owned information system may not be used to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for such use. The requirements for mobile devices and bring-your-own-device (BYOD) arrangements are more elaborate.
Publicly Owned Information Systems
Accessing, modifying or transmitting CJI through publicly accessible computers is explicitly prohibited. Examples of such computers include, but are not limited to, public kiosk computers, public library computers, convention center computers and hotel business center computers.
In the next blog, we will discuss the next policy area – Identification and Authentication
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our offerings combine products from the leading Cloud providers and are carefully designed to meet the emerging technology requirements of Government agencies and Enterprises. As a Cloud Services Broker, we advise in selecting the right solution, implement, maintain and offer a single source for billing and support of multiple Cloud products. If you are new to the cloud and not sure how to get started, contact us for a complimentary initial assessment at firstname.lastname@example.org or (855) 618-6423.