In the previous blog on information exchange agreements, we explored various use cases in which agencies need to sign agreements governing the exchange of Criminal Justice Information (CJI). In this blog, we focus on the security awareness training required for personnel who access CJI. Basic security awareness training must be given to everyone who has access to CJI. It must be completed within six months of initial assignment and repeated at least every two years (biennially) thereafter. A State Identification Bureau (SIB) Chief or CJIS Systems Officer (CSO) may accept documentation of completed security awareness training from another agency. Accepting such documentation means that the accepting agency assumes the risk that the other agency's training may not meet every requirement or process mandated by federal, state or local law.
A security awareness campaign or session can cover many topics. To make it easier for individual agencies to develop and implement their own security awareness programs, the guidelines below are useful.
At a minimum, the following topics must be addressed in the basic security awareness program for all authorized personnel who have access to Criminal Justice Information:
- General rules, responsibilities and required behavior with respect to the use of CJI
- Whom to contact and what actions to take in case of a security incident
- Protection of media
- Implications of non-compliance with rules and regulations
- Protection of information subject to confidentiality concerns
- Physical access to spaces and visitor control, including the applicable security policies and the reporting required when unauthorized access is observed
- Social engineering
- Risks, threats and vulnerabilities associated with handling CJI
- Proper marking and handling of CJI
- Dissemination and destruction of information
Personnel with logical and physical access
In addition to the basic topics above, personnel with both physical and logical access need to understand and follow the guidelines below:
- General rules outlining responsibilities and expected behavior with respect to the use of information systems
- Creation, use and management of passwords
- Web usage: monitoring of user activity and prohibited sites
- Handling of unknown email attachments and messages from unknown senders
- Physical security: risks to systems and data
- Protection from viruses, worms, Trojan horses and other malicious code
- Use of encryption when transferring sensitive information over the Internet
- Access control issues
- Laptop usage, covering both physical security and information security
- Comparable issues for handheld devices and desktops
- Individual accountability, including an explanation of what it means to the agency
- Whether personally owned equipment is permitted by the agency or the state
- Handling of information security and confidential items: their use, backup, archiving and destruction once they are no longer needed
Personnel with Information Technology Roles
For personnel in information technology roles, the following additional guidelines apply:
- Network infrastructure protection measures
- Access control measures
- Data backup and storage, and whether the approach is centralized or decentralized
- Protection of systems and information from viruses, worms and Trojan horses, including scanning and updating of virus definitions
- Timely application of system and application patches as part of configuration management
Security Training Records
Records of each individual's basic security awareness training and of any specific information system security training must be documented, kept current and maintained by the CSO/SIB Chief/Compact Officer. Maintenance of training records may be delegated to the local level.
In the next blog, we will discuss the next policy area, Incident Response.
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our solutions combine products from the leading Cloud providers and are carefully crafted to meet your requirements. As a trusted advisor, we help you choose the right solution, implement it, and maintain it with our decade-old expertise as a Cloud Services Provider. If you are new to the cloud and not sure how to get started, contact us for a complimentary initial assessment at firstname.lastname@example.org or (855) 618-6423.