TECHNICAL SECURITY QUESTIONNAIRE


TECHNICAL SECURITY QUESTIONNAIRE 2017

Complete and return by due date to: Crime Information Bureau, P.O. Box 2718, Madison, WI, or by email. Completion may require input by information technology personnel that maintain your terminals or network.

Agency Name:
ORI:
Agency Address:
Date:
City / State:
Zip:
Specific Location of Agency Badgernet Router:
Router Serial Number:
After Hours Agency Information Technology Contact Name:
Phone Number:

LASO
Every agency having access to CJIS data through their own network must designate someone as Local Agency Security Officer (LASO). The LASO for this agency has been designated as:
LASO First Name:
MI:
Last Name:
Phone Number:
Fax Number:
Email address:

The Local Agency Security Officer is responsible for identifying who is using the hardware/software and ensuring that no unauthorized users have access to same, identifying and documenting how the equipment is connected to the state system in a topological drawing, ensuring that personnel security screening procedures are being followed, ensuring that appropriate security measures are in place, supporting policy compliance, and keeping the CIB Information Security Officer informed of security incidents.

NETWORK DIAGRAM (CJIS Policy Section 5.7)
Provide a topological drawing depicting the interconnectivity of the agency network to the TIME/CJIS systems. A sample is attached at the end of this questionnaire. The drawing must include:
  All communication paths, circuits and other components used for connection, beginning with the agency owned system(s) and traversing through all interconnected systems to Badgernet.
  All entry points into the network, including any hardware components that are used to isolate the network from other networks at the agency.
  The location of all components (e.g. firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations). Do not show each workstation; the number of clients is sufficient.
  The beginning point of data encryption and the point where data is decrypted.
  Each segment of the network that encrypted data passes through.
  The transmission methods (data circuit, microwave, cellular technologies, fiber optics, copper wiring, etc.) being used to transmit or receive TIME/CJIS systems data.
  The boundaries of your criminal justice facility, clearly indicated in relation to the equipment illustrated on the diagram.
  FOR OFFICIAL USE ONLY markings.
  The agency name and the date (day, month, and year) the drawing was created or updated.

SECURITY AWARENESS TRAINING (CJIS Policy Section 5.2)
Does your agency require security awareness training within six months of access and biennially thereafter, for all personnel who have access to criminal justice information?
All personnel who have access to criminal justice information would include users that have login access to the TIME System, users that have access to TIME System printouts, unescorted janitorial personnel, all IT personnel that maintain network hardware, terminals, servers, etc. that access the TIME and CJIS systems, etc.
Security awareness training is part of standard TIME System certification level training. For those personnel that do not require TIME System certification, security awareness training is available as an online module via the TRAIN (Training Resources Available on the Internet) site or by using the Security Awareness Handout found on the CIB website.

PHYSICAL SECURITY (CJIS Policy Section 5.9)
Are the boundaries of your physically secure location posted and secured?
Does your agency control all physical access points to your secure facility including but not limited to access to the data center, telecommunication equipment and wiring closets?
Does your agency maintain a list of individuals who have authorized access to the secure locations?
Does your agency verify individuals have authorization before granting them access?
Does your agency verify the identity of visitors before granting access to the secure location?
Does your agency escort visitors at all times and monitor visitor activity?
Is all TIME System hardware (workstations, servers, etc.) located within your physically secure location?
  If yes, does your agency control access to the data center/equipment closets?
  If no, do you have a Management Control Agreement between your agency and the agency that maintains the hardware (City/County IT)? Please provide a copy of the agreement.
Does your agency have written physical protection policies and procedures to ensure criminal justice information, hardware, and software are physically protected?

MEDIA PROTECTION (CJIS Policy Section 5.8)
Digital media means digital storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, digital memory card, etc. Physical media includes printouts, printed documents, printed imagery, etc.
Does your agency securely store digital and physical media within the physically secure location?
Does your agency restrict access to digital and physical media to authorized individuals?

Does your agency protect criminal justice information during transport outside of the secure location?
Is transport of criminal justice information outside the secured area restricted to authorized personnel?
Does your agency prohibit users from emailing criminal justice information?
  If no, is the email encrypted to meet FIPS NIST standards?

DIGITAL MEDIA DISPOSAL (CJIS Policy Section 5.8.3)
Does your agency sanitize or degauss digital media (this would also include hard drives from leased or rented copiers and/or printers that scan, print or copy CJI or PII) prior to disposal or release for reuse?
  If yes, please explain in detail what product is used and how the digital media is sanitized or degaussed.
Does your agency destroy inoperable digital media?
  If yes, please explain in detail what product (if applicable) is used and/or how the digital media is destroyed.
Is the sanitization or destruction of digital media witnessed or carried out by authorized personnel?

PHYSICAL MEDIA DISPOSAL (CJIS Policy Section 5.8.4)
Does your agency securely dispose of physical (paper) media containing criminal justice information?
  If yes, please explain in detail how the physical media is disposed of.
Is the disposal or destruction of physical (paper) media witnessed or carried out by authorized personnel?
Does your agency have written policies and/or procedures related to the above media protection requirements?

IDENTIFICATION and AUTHENTICATION (CJIS Policy Section 5.6)
These questions pertain to TIME/CJIS Systems access, not to the overall agency communications network. TIME/CJIS systems access includes direct access via Portal 100 or other software, mobile data computer (MDC) access, and access via records management or computer aided dispatch software (i.e. New World, ProPhoenix, Spillman, Visionair, etc.).
Does your agency require unique identification for all IT and/or vendor personnel who administer and/or maintain the TIME/CJIS systems network?
Does your agency require unique identification for all personnel who access the TIME/CJIS Systems?
Does your agency prevent users from sharing userids for the TIME/CJIS systems?
Does your agency keep the list of authorized users current by adding new users and disabling or deleting former users?
Does your agency validate the list of authorized TIME/CJIS system users and their access authorizations at least annually?
  If yes, is the validation process documented in your policies?
Does your agency enforce the following password rules for TIME/CJIS system access?
  Minimum length of 8 characters
  Cannot be a dictionary word or proper name
  Cannot be the same as the userid
  Expire within a maximum of every 90 calendar days
  Cannot be identical to the previous 10 passwords
  Cannot be transmitted in the clear outside the secure domain
  Cannot be displayed when entered
  Cannot be shared
Does your agency utilize a Personal Identification Number (PIN) in conjunction with a certificate or token for the purpose of Advanced Authentication?
  If yes, does your agency enforce the following PIN attributes?
    Minimum of 6 digits
    Have no repeating digits
    Have no sequential patterns
    Not the same as the userid
    Expire within a maximum of 365 calendar days
    Cannot be identical to the previous 3 PINs
    Cannot be transmitted in the clear outside the secure location
    Cannot be displayed when entered
Does your agency have written policies and/or procedures related to the above identification and authentication requirements?

ACCESS CONTROL / NETWORK / SYSTEMS (CJIS Policy Section 5.5)
Does your agency manage (establish, modify, disable, etc.) TIME/CJIS system accounts?
  If yes, do you assign the most restrictive set of rights based on specific duties?
  If yes, do you maintain logs for at least 1 year of access privilege changes?
Does your agency ensure only authorized personnel can add, change or remove component devices, and remove or alter programs?
Does your agency limit users to no more than 5 consecutive invalid access attempts to the TIME/CJIS systems before automatically locking the account for at least 10 minutes?
Does your agency enforce a session lock after a maximum of 30 minutes of inactivity on the TIME/CJIS systems? (Devices that are a part of a criminal justice conveyance or used to perform dispatch functions and located within a secure location, or terminals designated solely for the purpose of receiving alert notifications used within physically secured locations that remain staffed when in operation, are exempt.)
Does your agency allow multiple concurrent sessions for users accessing TIME/CJIS systems?
  If yes, does your agency have documented procedures outlining the operational business need for the multiple concurrent active sessions?
Does your agency have written policies and/or procedures related to the above access control requirements?
Does your agency prohibit the use of publicly accessible computers to access, process, store or transmit criminal justice information? Publicly accessible computers include, but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.

Public Segments (CJIS Policy Section 5.10)
Does your agency transmit criminal justice information outside the physically secure location (i.e., public segments such as leased circuits or circuits connecting two or more buildings)?
  If yes, is this data encrypted with a cryptographic module that meets FIPS standards?
Does your agency utilize a telecommunication infrastructure that is shared by criminal justice and non-criminal justice users (i.e. same local area network used by police and fire department)?
  If yes, is the criminal justice information encrypted with a cryptographic module that meets FIPS standards?
  If no, is the criminal justice information logically separated (e.g. use of protected secure VLAN with access control lists) to prevent non-criminal justice users from accessing the data?
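The two numeric thresholds asked about in this section (no more than 5 consecutive invalid attempts before the account locks for at least 10 minutes, and a session lock after 30 minutes of inactivity, with the dispatch and alert-terminal exemption) are easy to get subtly wrong in an application, so here is an added example of enforcing them. This is not part of the questionnaire and not TIME System or vendor code; the class layout, the explicit `now` timestamps and the userids are assumptions made for illustration.

```python
"""Account lockout and session-inactivity enforcement with the thresholds
from the questionnaire.  Added example; the design is an assumption, only the
three numbers come from the page."""
from dataclasses import dataclass

MAX_INVALID_ATTEMPTS = 5          # "no more than 5 consecutive invalid access attempts"
LOCKOUT_SECONDS = 10 * 60         # "locking the account for at least 10 minutes"
SESSION_IDLE_SECONDS = 30 * 60    # "session lock after a maximum of 30 minutes"


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Tracks consecutive invalid attempts per userid.  `now` is passed in
    explicitly (instead of calling time.time()) so the logic is deterministic."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def _state(self, userid: str) -> AccountState:
        return self.accounts.setdefault(userid, AccountState())

    def is_locked(self, userid: str, now: float) -> bool:
        return now < self._state(userid).locked_until

    def record_attempt(self, userid: str, success: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'denied' for one login attempt."""
        st = self._state(userid)
        if self.is_locked(userid, now):
            # While locked, even a correct password is refused and the
            # counter is left alone; the lock expires only with time.
            return "locked"
        if success:
            st.failed_attempts = 0    # a good login resets the streak
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_INVALID_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed_attempts = 0    # fresh streak once the lock expires
            return "locked"
        return "denied"


@dataclass
class Session:
    userid: str
    last_activity: float
    locked: bool = False
    exempt: bool = False    # dispatch / alert-only terminal in a staffed secure location

    def touch(self, now: float) -> None:
        """Record user activity; a locked session does not count as active."""
        if not self.locked:
            self.last_activity = now

    def enforce_idle_lock(self, now: float) -> bool:
        """Lock the session once the idle limit is reached; returns locked state."""
        if not self.exempt and now - self.last_activity >= SESSION_IDLE_SECONDS:
            self.locked = True
        return self.locked

    def unlock(self, reauthenticated: bool, now: float) -> bool:
        """Only a fresh authentication clears the lock; returns True if usable."""
        if reauthenticated:
            self.locked = False
            self.last_activity = now
        return not self.locked


if __name__ == "__main__":
    # Constructed walk-through: five bad passwords for a hypothetical userid.
    policy = LockoutPolicy()
    t0 = 1_000_000.0
    for i in range(5):
        print(i + 1, policy.record_attempt("jdoe", False, t0 + i))
    print("locked at +60s:", policy.is_locked("jdoe", t0 + 60))
    print("locked at +605s:", policy.is_locked("jdoe", t0 + 605))
```

The point of passing `now` explicitly is that the same code can be driven by a test clock, which is how you prove to an auditor that the fifth failure locks and that the lock really lasts ten minutes; every `"locked"` result is also the event you would want in the audit log when answering the incident response questions later in this questionnaire.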

MOBILE DEVICES (CJIS Policy Section 5.13)
Does your agency use wireless, Internet, dial-up, cellular, or any other non-hardwired methodologies to access the TIME/CJIS systems or to transfer criminal justice information? (This includes mobile devices in police conveyances and handheld devices, i.e. cellular, Bluetooth, satellite, microwave, and land mobile radio (LMR).)
  If yes, is the criminal justice information transmitted using a wireless methodology encrypted with a cryptographic module that meets FIPS standards?
  If yes, are the devices that use this non-hardwired methodology to access the TIME/CJIS systems or to transfer criminal justice information located within a physically secure location (police vehicles as defined by the CJIS Security Policy are considered secure locations)?
  If yes, can the mobile devices be removed from the secure location and still access the TIME/CJIS systems or transfer criminal justice information?
    o If no, please explain how your agency prohibits the device from being removed from the secure location/police vehicle.
    o If yes, has your agency deployed a form of advanced authentication as outlined in the CJIS Security Policy (in addition to userid and password)?
    o If yes, describe what form of advanced authentication is used, how it is used, and where the advanced authentication has been deployed in your network.
Does your agency enforce the following password rules for wireless system access?
  Minimum length of 8 characters
  Cannot be a dictionary word or proper name
  Cannot be the same as the userid
  Expire within a maximum of every 90 calendar days
  Cannot be identical to the previous 10 passwords
  Cannot be transmitted in the clear outside the secure domain
  Cannot be displayed when entered
  Cannot be shared
Does your agency utilize a personal firewall on all devices used to access the TIME/CJIS systems that are mobile by design (i.e. MDC laptops)?
Are procedures in place to disable wireless equipment if it is lost or stolen?

WIRELESS LAN (CJIS Policy Section 5.13)
Does your agency use a wireless LAN to access criminal justice information? If no, skip to the Smart Phones and Tablets section.
Are wireless links or server access points password protected to ensure protection from unauthorized system access?
Does your agency use ALL of the below:
  Perform validation testing to ensure rogue APs (Access Points) do not exist in the Wireless Local Area Network (WLAN) and to fully understand the wireless network security posture?
  Maintain a complete inventory of all Access Points (APs) and wireless devices?
  Place APs in secured areas to prevent unauthorized physical access and user manipulation?
  Test AP range boundaries to determine the precise extent of the wireless coverage and design the AP wireless coverage to limit the coverage area to only what is needed for operational purposes?
  Enable user authentication and encryption mechanisms for the management interface of the AP?
  Ensure that all APs have strong administrative passwords and ensure that all passwords are changed in accordance with section ?
  Ensure that the reset function on APs is used only when needed and is only invoked by authorized personnel? Restore the APs to the latest security settings when the reset function is used, to ensure the factory default settings are not utilized?
  Change the default service set identifier (SSID) in the APs? Disable the broadcast SSID feature so that the client SSID must match that of the AP? Validate that the SSID character string does not contain any agency identifiable information (division, department, street, etc.) or services?
  Enable all security features of the wireless product, including the cryptographic authentication, firewall, and other privacy features?
  Ensure that encryption key sizes are at least 128 bits and the default shared keys are replaced by unique keys?
  Ensure that the ad hoc mode has been disabled?
  Disable all nonessential management protocols on the APs and disable hypertext transfer protocol (HTTP) when not needed, or protect HTTP access with authentication and encryption?
  Enable logging (if supported) and review the logs on a recurring basis per local policy? At a minimum logs shall be reviewed monthly.
  Insulate, virtually (e.g. virtual local area network (VLAN) and ACLs) or physically (e.g. firewalls), the wireless network from the operational wired infrastructure? Limit access between wireless networks and the wired network to only operational needs?
  When disposing of access points that will no longer be used by the agency, clear the access point configuration to prevent disclosure of network configurations, keys, passwords, etc.?

Does your agency require the cryptographic module to be NIST/CSE certified to meet the FIPS requirements? (Are you using WEP, WPA or WPA2? If not WPA2, then you are not in compliance. WEP and WPA are NOT FIPS certified.)
Does your agency allow mobile devices to be used as a wireless access point or WiFi hotspot?
Does your agency only allow connection from agency authorized devices?

SMART PHONES and TABLETS (CJIS Policy Section 5.13)
Does your agency use any wireless devices (smartphones or tablets) to access, process, store, or transmit criminal justice information via the TIME/CJIS systems? If no, skip to the Personally Owned Devices section.
Does your agency assure that these devices have not been rooted, jailbroken, or have had any unauthorized changes made to the device?
Does the agency use a Mobile Device Manager (MDM) to control Smartphone / Tablet devices that access criminal justice information (CJI)?
  If yes, is the MDM capable of the following:
    Remote locking of device
    Remote wiping of device
    Setting and locking device configuration
    Detection of rooted and jailbroken devices
    Enforcing folder or disk level encryption
    Application of mandatory policy settings on the device
    Detection of unauthorized configurations or software/applications
  If yes, is CJI only transferred between authorized applications and storage areas of the device (CJIS sandbox where CJI cannot be copied or pasted from the CJI app onto personal applications like Facebook, Twitter, or personal email)?
Does your agency protect Smartphone / Tablet devices with a personal firewall?
  If yes, does the personal firewall provide ALL of the following:
    Manage program access to the Internet
    Block unsolicited requests to connect to the PC
    Filter incoming traffic by IP address or protocol
    Filter incoming traffic by destination ports
    Maintain an IP traffic log
  If no, does your agency use a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level?
Does your agency protect Smartphone / Tablet devices with virus protection?

  If no, does your agency use a Mobile Device Management (MDM) system that facilitates the ability to provide antivirus services from the agency level?

PERSONALLY OWNED DEVICES (CJIS Policy Section )
Does your agency allow personally owned devices to access, process, store or transmit criminal justice information via the TIME/CJIS systems? If no, skip to the Temporary Remote Access section.
  If yes, has your agency established and documented in written policy the specific terms and conditions for such personally owned device usage?
  If yes, what type of advanced authentication (in addition to userid and password) is used? (i.e. biometrics, user-based public key infrastructure, smart or proximity cards, tokens, risk based authentication, etc.)
  If yes, is this access connection via a personally owned device encrypted with a cryptographic module that meets FIPS standards?

TEMPORARY REMOTE ACCESS (CJIS Policy Section 5.5.6)
Does your agency authorize, monitor, and control all methods of temporary remote access to your network/software/systems? (Remote access is any temporary access to an agency's information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (e.g. the Internet).) If no, skip to the System and Communications Protection section.
Please indicate below those that apply regarding temporary remote access:
  BadgerTraCs (maintenance purposes)
  IT personnel (maintenance or troubleshooting purposes)
  Vendor personnel (software/hardware maintenance purposes)
  Others, please explain further:
What product is used by the above users to obtain temporary remote access?
Does your agency permit Virtual Escorting for remote access?

  If yes, is the session monitored at all times by an authorized escort?
  If yes, is the escort familiar with the systems/area in which the work is being performed?
  If yes, does the escort have the ability to end the session at any time?
  If yes, is the connection that is used by the remote administrative personnel encrypted, and is the encryption FIPS NIST certified?
  If yes, are the remote administrative personnel identified prior to access and authenticated prior to or during the session (authentication may be accomplished prior to the session via an Advanced Authentication (AA) solution or during the session via active teleconference with the escort throughout the session)?
If you do not meet all of the above conditions for Virtual Escorting, what form of advanced authentication (in addition to userid and password) is used?
  Biometrics (authentication at the local agency level, not the local device)
  Smart Cards
  Proximity Cards
  Tokens (One time passwords)
  User-Based Public Key Infrastructure
  Risk-Based Authentication
  Other: Please provide detailed explanation.
Is the connection used for temporary remote access encrypted with a cryptographic module that meets FIPS standards?
Does your agency require unique identification for all persons authorized for remote access to the information system?
Does your agency enforce the following password rules for remote access to the information system?
  Minimum length of 8 characters
  Cannot be a dictionary word or proper name
  Cannot be the same as the userid
  Expire within a maximum of every 90 calendar days
  Cannot be identical to the previous 10 passwords
  Cannot be transmitted in the clear outside the secure domain
  Cannot be displayed when entered
  Cannot be shared
Does your agency have written policies and/or procedures related to the above network system requirements?

SYSTEM/COMMUNICATION PROTECTION/INFO INTEGRITY (CJIS Policy Section 5.10)
Has your agency implemented network-based and/or host-based intrusion detection tools?
  If yes, does your agency monitor inbound and outbound communications for unusual or unauthorized activities?
  If yes, does your agency send individual intrusion detection logs to a central logging facility where correlation and analysis will be accomplished as a system wide intrusion detection effort?
  If yes, does your agency employ automated tools to support near-real-time analysis of events in support of detecting system level attacks?
Does your agency utilize a firewall to prevent unauthorized access to criminal justice information and all network components providing access to the TIME/CJIS systems?
Does your agency ensure connections to the Internet, other external networks, or systems occur through controlled interfaces (e.g. proxies, gateways, routers, firewalls, encrypted tunnels)?
Does your agency ensure that boundary protection devices do not release unauthorized information if a failure occurs? (The device should fail closed versus fail open.)
Are all publicly accessible information system components (e.g. public Web servers) divided into separate sub-networks with separate network interfaces?
Does your agency electronically store CJI at rest (i.e. stored digitally) outside the physically secure location?
  If yes, is the data encrypted to the FIPS standards?
  If yes, does your agency use a passphrase to unlock the cipher?
  If yes, does the passphrase meet the following requirements?
    o Is at least 10 characters?
    o Cannot be a dictionary word?
    o Includes at least 1 upper case letter, 1 lower case letter, 1 number or 1 special character?
    o Can be changed when previously authorized personnel no longer require access?
Does your agency host criminal justice information related systems or applications in a virtualized environment?
  If yes, are these systems/applications separate from non-criminal justice and/or internet facing systems/applications (hosted on a different physical machine)?
  If yes, do these systems/applications reside on the same host as non-criminal justice systems/applications (same physical machine but on different blades)?
  If yes, is the source location for installers for critical software drivers contained on a separate guest or physical host?
  If yes, are user privileges in the virtual systems/applications limited to prevent unauthorized operators from performing administrative functions or accessing host files?
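The credential rules in this questionnaire are stated three times for passwords (under IDENTIFICATION and AUTHENTICATION, MOBILE DEVICES and TEMPORARY REMOTE ACCESS), once for Advanced Authentication PINs, and once for the passphrase that unlocks CJI at rest. The following is an added example of how the technically checkable rules among them can be enforced in code; it is not part of the questionnaire or of any TIME System software. The thresholds (8 characters, previous 10 passwords, 6 digits, previous 3 PINs, 10 characters) are the page's; the tiny word list, the salted-digest history, the reading of "repeating digits" as two equal adjacent digits and of "sequential patterns" as three or more adjacent digits stepping by one, and the reading of the passphrase character rule as upper AND lower AND (digit OR special) are assumptions made here. Expiry, "not transmitted in the clear", "not displayed" and "not shared" are procedural and are deliberately not modelled.

```python
"""Checker for the password, PIN and at-rest passphrase rules listed in the
questionnaire.  Added example; thresholds come from the page, everything else
(word list, history storage, interpretation of the pattern rules) is assumed."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary / proper-name list (assumption).
DICTIONARY = {"password", "welcome", "madison", "wisconsin", "summer", "police"}


def _digest(secret: str, salt: str) -> str:
    """Salted SHA-256 used only to compare a candidate against history
    without retaining previous passwords or PINs in the clear."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


@dataclass
class CredentialHistory:
    """Per-user history of previous credential digests, newest first."""
    userid: str
    salt: str
    previous: list = field(default_factory=list)

    def seen_within(self, secret: str, n: int) -> bool:
        d = _digest(secret, self.salt)
        return any(hmac.compare_digest(d, old) for old in self.previous[:n])

    def record(self, secret: str) -> None:
        self.previous.insert(0, _digest(secret, self.salt))


def check_password(pw: str, hist: CredentialHistory) -> list:
    """Return the password rules the candidate violates (empty = compliant)."""
    problems = []
    if len(pw) < 8:
        problems.append("minimum length of 8 characters")
    if pw.lower() in DICTIONARY:
        problems.append("cannot be a dictionary word or proper name")
    if pw.lower() == hist.userid.lower():
        problems.append("cannot be the same as the userid")
    if hist.seen_within(pw, 10):
        problems.append("cannot be identical to the previous 10 passwords")
    return problems


def _has_sequential_run(digits: str, run: int = 3) -> bool:
    """True if any `run` adjacent digits ascend or descend by exactly one
    (assumed operationalisation of 'have no sequential patterns')."""
    for i in range(len(digits) - run + 1):
        window = [int(c) for c in digits[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_pin(pin: str, hist: CredentialHistory) -> list:
    """Return the PIN attributes the candidate violates (empty = compliant)."""
    problems = []
    if not pin.isdigit() or len(pin) < 6:
        problems.append("minimum of 6 digits")
    if any(a == b for a, b in zip(pin, pin[1:])):       # e.g. two equal adjacent digits
        problems.append("have no repeating digits")
    if pin.isdigit() and _has_sequential_run(pin):
        problems.append("have no sequential patterns")
    if pin == hist.userid:
        problems.append("not the same as the userid")
    if hist.seen_within(pin, 3):
        problems.append("cannot be identical to the previous 3 PINs")
    return problems


def check_at_rest_passphrase(phrase: str) -> list:
    """Rules for the passphrase that unlocks CJI stored outside the secure location."""
    problems = []
    if len(phrase) < 10:
        problems.append("at least 10 characters")
    if phrase.lower() in DICTIONARY:
        problems.append("cannot be a dictionary word")
    has_upper = any(c.isupper() for c in phrase)
    has_lower = any(c.islower() for c in phrase)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in phrase)
    if not (has_upper and has_lower and has_digit_or_special):
        problems.append("1 upper case, 1 lower case, and 1 number or special character")
    return problems


if __name__ == "__main__":
    # Constructed walk-through for a hypothetical user.
    hist = CredentialHistory(userid="jdoe", salt="constructed-per-user-salt")
    for candidate in ("Welcome", "jdoe", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, hist) or "compliant")
    hist.record("Tr0ub4dor&3")
    print("reuse ->", check_password("Tr0ub4dor&3", hist))
    print("PIN 123456 ->", check_pin("123456", CredentialHistory("123456", "s")))
```

Returning the list of violated rules, rather than a bare boolean, is what makes this usable as evidence: the same function that rejects a password at change time can be run over a policy document's test vectors to show an auditor exactly which of the listed rules are enforced technically and which remain procedural.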

  If yes, does your agency maintain audit logs for all virtual machines and hosts and store the logs outside the host's virtual environment?
Is malicious code (virus) protection implemented on all information technology systems that transmit and/or store criminal justice information?
  If yes, is the protection enabled at start-up?
  If yes, is automatic resident scanning employed?
  If yes, does that include automatic updates for systems with Internet access?
  If yes, are systems without Internet access regularly updated manually?
Does your agency employ spam and spyware protection at critical information system entry points, workstations, servers and mobile devices?
Does your agency apply routine patches to all software and components in a timely manner?
Does your agency have written policies and/or procedures related to the above communications protection requirements?

CLOUD COMPUTING (CJIS Policy Section )
Does your agency utilize a Cloud Provider to host or store related information systems, applications, or criminal justice information (CJI)? If no, skip to the INCIDENT RESPONSE section.
Is the CJI encrypted (FIPS 140-2) prior to entering the cloud?
If CJI is stored unencrypted within a 3rd party cloud, are the following requirements met?
  Security Addendums have been signed by all unescorted private contractor personnel?
  Personnel Security requirements have been completed by all unescorted private contractor personnel?
  Security Awareness Training has been completed by all unescorted private contractor personnel?
  Criminal justice agency (CJA) maintains management control of all CJI?
  All CJI is stored within a physically secure location or encrypted (this means that the CJA knows where their CJI is physically being stored and has verified the location is secure from unauthorized personnel)?
  Media Disposal is carried out by authorized personnel or witnessed by authorized personnel?
  CJA can provide a network diagram that depicts CJI in the cloud environment?
  Private Contractors with access are uniquely identified?
  Remote access is determined by CJA administration and requires Advanced Authentication from non-secure locations?
  Audit logs are maintained and can be accessed following security incidents?

  All technical security measures are met in the cloud (adequate boundary protection; information flow enforcement, i.e. CJI is separated from non-criminal justice applications/information systems; malicious code, spam and spyware protection on critical access points)?
Does your agency prevent the Cloud Provider from using metadata derived from CJI for any purpose?
Does your agency prevent the Cloud Provider from scanning email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided?

INCIDENT RESPONSE (CJIS Policy Section 5.3)
Does your agency receive information system security alerts and/or advisories on a regular basis?
  If yes, do you issue these alerts and advisories to appropriate personnel?
  If yes, does your agency document the types of actions to be taken in response to security alerts and/or advisories?
  If yes, does your agency take appropriate actions in response?
Does your agency employ automated mechanisms to make security alert and advisory information available throughout the agency as appropriate?
If your agency has not experienced a possible information security incident, please answer the questions in this section based on your anticipated response if such an incident were to occur.
Does your agency have an information security incident response policy/procedure?
  If yes, does the policy include the following:
    o Adequate preparation
    o Detection
    o Analysis
    o Containment
    o Eradication
    o Recovery
    o User response activities
    o Tracking of information security incidents
    o Documentation of information security incidents
    o Automated mechanisms to support the incident handling process
Are all agency employees, contractors and third party users aware of the agency incident reporting procedures?
Does your agency promptly report possible security incidents to the Crime Information Bureau?



More information

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES 002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

GreenTec Broderick Drive, Suite 155 Sterling, VA

GreenTec Broderick Drive, Suite 155 Sterling, VA Media and Systems Protection, Integrity and Accountability Whitepaper GreenTec 22375 Broderick Drive, Suite 155 Sterling, VA 20166 www.greentec-usa.com www.greentec-usa.com CJIS Compliance Whitepaper Table

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL

More information

Ready Theatre Systems RTS POS

Ready Theatre Systems RTS POS Ready Theatre Systems RTS POS PCI PA-DSS Implementation Guide Revision: 2.0 September, 2010 Ready Theatre Systems, LLC - www.rts-solutions.com Table of Contents: Introduction to PCI PA DSS Compliance 2

More information

Security policy 8/24/2012

Security policy 8/24/2012 SLED Overview of the FBI Criminal Justice Information Services (CJIS) Security Policy Version 5.1 8/09/2012 CJISD-ITS-DOC-08140-5.0 SLEDISO@SLED.SC.GOV ForOfficialUse Only 1 This session will be an overview

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...

More information

PA-DSS Implementation Guide For

PA-DSS Implementation Guide For PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication

More information

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

Cyber Security Guidelines for Public Wi-Fi Networks

Cyber Security Guidelines for Public Wi-Fi Networks Cyber Security Guidelines for Public Wi-Fi Networks Version: 1.0 Author: Cyber Security Policy and Standards Document Classification: PUBLIC Published Date: April 2018 Document History: Version Description

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements

More information

Identity Theft Prevention Policy

Identity Theft Prevention Policy Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening

More information

Security+ SY0-501 Study Guide Table of Contents

Security+ SY0-501 Study Guide Table of Contents Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director

More information

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016 National Identity Exchange Federation Trustmark Signing Certificate Policy Version 1.0 Published October 3, 2014 Revised March 30, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

CompTIA Security+(2008 Edition) Exam

CompTIA Security+(2008 Edition) Exam http://www.51- pass.com Exam : SY0-201 Title : CompTIA Security+(2008 Edition) Exam Version : Demo 1 / 7 1.An administrator is explaining the conditions under which penetration testing is preferred over

More information

CompTIA E2C Security+ (2008 Edition) Exam Exam.

CompTIA E2C Security+ (2008 Edition) Exam Exam. CompTIA JK0-015 CompTIA E2C Security+ (2008 Edition) Exam Exam TYPE: DEMO http://www.examskey.com/jk0-015.html Examskey CompTIA JK0-015 exam demo product is here for you to test the quality of the product.

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. December 2018 Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect

More information

Physical Safeguards Policy July 19, 2016

Physical Safeguards Policy July 19, 2016 Physical Safeguards Policy July 19, 2016 SCOPE This policy applies to Florida Atlantic University s Covered Components and those working on behalf of the Covered Components (collectively FAU ) for purposes

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Why wireless? Wifi, which is short for wireless fi something, allows your computer to connect to the Internet using magic. -Motel 6 commercial 2 but it comes at a price Wireless

More information

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo. Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third

More information

Sparta Systems TrackWise Digital Solution

Sparta Systems TrackWise Digital Solution Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities

More information

State of Colorado Cyber Security Policies

State of Colorado Cyber Security Policies TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief

More information

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department HIPAA Assessment Prepared For: ABC Medical Center Prepared By: Compliance Department Agenda Environment Assessment Overview Risk and Issue Score Next Steps Environment NETWORK ASSESSMENT (changes) Domain

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

MINIMUM SECURITY CONTROLS SUMMARY

MINIMUM SECURITY CONTROLS SUMMARY APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for

More information

PART 5: INFORMATION TECHNOLOGY RECORDS

PART 5: INFORMATION TECHNOLOGY RECORDS PART 5: INFORMATION TECHNOLOGY RECORDS SECTION 5 1: RECORDS OF AUTOMATED APPLICATIONS GR5800 01 AUDIT TRAIL RECORDS Files needed for electronic data audits such as files or reports showing transactions

More information

Requirements and Tiering Document FBI CJIS Security Policy Version /01/2016

Requirements and Tiering Document FBI CJIS Security Policy Version /01/2016 U. S. Department of Justice Federal Bureau of Investigation Criminal Justice Information Services Division s and Tiering Document FBI CJIS Security Policy Version 5.5 06/0/06 Recommended changes to version

More information

SECURITY PLAN DRAFT For Major Applications and General Support Systems

SECURITY PLAN DRAFT For Major Applications and General Support Systems SECURITY PLAN For Major Applications and General Support Systems TABLE OF CONTENTS EXECUTIVE SUMMARY A. APPLICATION/SYSTEM IDENTIFICATION A.1 Application/System Category Indicate whether the application/system

More information

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security HISPOL 003.0 The United States House of Representatives Internet/ Intranet Security Policy CATEGORY: Telecommunications Security ISSUE DATE: February 4, 1998 REVISION DATE: August 23, 2000 The United States

More information

Monthly Cyber Threat Briefing

Monthly Cyber Threat Briefing Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream

More information

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Table of Contents. Page 1 of 6 (Last updated 27 April 2017) Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational

More information

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203

More information

Rev.1 Solution Brief

Rev.1 Solution Brief FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical

More information

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

3 rd Party Certification of Compliance with MA: 201 CMR 17.00 3 rd Party Certification of Compliance with MA: 201 CMR 17.00 The purpose of this document is to certify the compliance of Strategic Information Resources with 201 CMR 17.00. This law protects the sensitive

More information

Wireless Security Access Policy and Agreement

Wireless Security Access Policy and Agreement Wireless Security Access Policy and Agreement Purpose The purpose of this policy is to define standards, procedures, and restrictions for connecting to Fort Valley State University s internal network(s)

More information

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this

More information

Sparta Systems Stratas Solution

Sparta Systems Stratas Solution Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA

More information

POLICY 8200 NETWORK SECURITY

POLICY 8200 NETWORK SECURITY POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:

More information

Application for connection to YJS CUG and Hub (v6.0)

Application for connection to YJS CUG and Hub (v6.0) Application for connection to YJS CUG and Hub (v6.0) Name of Local Authority / Applicant organisation Contact Name Position Address Telephone: E-Mail I/We wish to apply for connectivity to the Youth Justice

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

COPYRIGHTED MATERIAL. Index

COPYRIGHTED MATERIAL. Index Index Symbols and Numbers $ (dollar sign), in folder share names, 117 802.11a standard definition, 22 speed, 26 802.11b standard 802.11g standard 802.11i standard, 23 A access points compatibility, 45

More information

Part 11 Compliance SOP

Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم بنام خدا تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم امنیت بخشی به سیستمهای فناوری اطالعات Securing Information Systems 1 Learning Objectives Describe the business value of security and control.

More information

Physical and Environmental Security Standards

Physical and Environmental Security Standards Physical and Environmental Security Standards Table of Contents 1. SECURE AREAS... 2 1.1 PHYSICAL SECURITY PERIMETER... 2 1.2 PHYSICAL ENTRY CONTROLS... 3 1.3 SECURING OFFICES, ROOMS AND FACILITIES...

More information

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved. Security Bob Shantz Director of Infrastructure & Cloud Services 2016 Computer Guidance Corporation. All Rights Reserved. CPE Credits To receive your CPE Credits:. Complete a survey for each session attended.

More information

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Google Cloud Platform: Customer Responsibility Matrix. April 2017 Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice

More information

Xerox Audio Documents App

Xerox Audio Documents App Xerox Audio Documents App Additional information, if needed, on one or more lines Month 00, 0000 Information Assurance Disclosure 2018 Xerox Corporation. All rights reserved. Xerox, Xerox,

More information

Sparta Systems TrackWise Solution

Sparta Systems TrackWise Solution Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA

More information

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard Systems Security Standard ( v3.2) Page 1 of 11 Version and Ownership Version Date Author(s) Comments 0.01 26/9/2016

More information

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry Internal Security Assessor: Quick Reference V1.0 PCI SSC by formed by: 1. AMEX 2. Discover 3. JCB 4. MasterCard 5. Visa Inc. PCI SSC consists of: 1. PCI DSS Standards 2. PA DSS Standards 3. P2PE - Standards 4. PTS (P01,HSM and PIN) Standards 5. PCI Card

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

Best Practices Guide to Electronic Banking

Best Practices Guide to Electronic Banking Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have

More information

Network Security Policy

Network Security Policy Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business

More information

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.

More information

Networking Basics. Crystal Printer Network Installation Guidelines

Networking Basics. Crystal Printer Network Installation Guidelines Networking Basics & Crystal Printer Network Installation Guidelines 1. Overview This guide is intended to provide the necessary basic knowledge of wireless networking needed to enable the Crystal printer

More information

IBM Case Manager on Cloud

IBM Case Manager on Cloud Service Description IBM Case Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means and includes the company, its authorized users or recipients of the

More information

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,

More information

5. Execute the attack and obtain unauthorized access to the system.

5. Execute the attack and obtain unauthorized access to the system. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Before discussing the preventive, detective, and

More information

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No. ISSUE N 1 MAJOR MODIFICATIONS Version Changes Related Release No. 01 First issue. 2.8.0 PREVIOUS VERSIONS HISTORY Version Date History Related Release No. N/A N/A N/A N/A APPROVAL TABLE Signatures below

More information

HIPAA Federal Security Rule H I P A A

HIPAA Federal Security Rule H I P A A H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created

More information

HikCentral V1.3 for Windows Hardening Guide

HikCentral V1.3 for Windows Hardening Guide HikCentral V1.3 for Windows Hardening Guide Contents Introduction... 1 1. The Operating System - Microsoft Windows Security Configuration... 2 1.1Strict Password Policy... 2 1.2Turn Off Windows Remote

More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

Remote Access Policy

Remote Access Policy Remote Consulting Group Policy 1.0 1234 Main Street Version 1.0 Philadelphia, PA 19000 1213 www.rcg.com 1. Overview Remote Access Policy Remote Access allows Remote Consulting Group (RCG) to leverage the

More information

DoD Wireless Smartphone Security Requirements Matrix Version January 2011

DoD Wireless Smartphone Security Requirements Matrix Version January 2011 DoD Wireless Smartphone Security s Matrix Version 3.5 21 January 2011 1 This matrix was developed by Defense Information Systems Agency Field Security Operations (DISA FSO) and is an unofficial compilation

More information