MAIL AUDIT QUESTIONNAIRE

Transcription

1 MAIL AUDIT QUESTIONNAIRE Complete and return by due date to: Crime Information Bureau, P.O. Box 2718, Madison, WI , or to Completion may require input by information technology (IT) personnel that maintain your terminals or network. ORI Agency Address Date City / State Specific Location of Agency Badgernet Router : Zip Router Serial Number After Hours Agency Information Technology Contact Name: Phone Number AGENCY AGREEMENT Review and complete the enclosed TIME System Agency Agreement between CIB and your agency. Provide the completed agreement to CIB. This agreement acknowledges your agency s acceptance of and adherence to TIME System / CJIS policy, procedures and rules. TAC Each agency having TIME System access must designate an individual employed by the criminal justice agency as TIME Agency Coordinator (TAC). Any exceptions must be coordinated with and approved by CIB. The agency TAC is: TAC First Name MI Last Name Address TAC First Name MI Last Name Address WORKSTATIONS/PSN LIST Review, complete, and sign the enclosed list of TIME System terminals/etime users for your agency. Are all TIME System terminals and stored/ printed data secure within the department to protect against any unauthorized viewing or access? Does your agency have Mobile Data Computers (MDCs) that access the TIME System? 1

2 o If yes, how does your agency provide MDC certification training, via on-line modules or does an Agency Assigned Instructor (AAI) provide the training? Using online modules Provided by Agency Assigned Instructor AAI First Name MI Last Name AAI First Name MI Last Name OTHER AGENCY AGREEMENTS Does your agency provide TIME System services or information (DOT printouts, criminal history printouts, etc.) to any other agency (prosecutor, DNR etc.)? If yes, please list the names of those agencies and provide a copy of signed agreements between your department and these agencies. Attach a separate sheet if necessary. Does your agency obtain hardware, software and/or help desk support from a Noncriminal Justice Agency (NCJA) such as a private company, software vendor or city / county information technology department (IT)? If yes, does your agency have a management control agreement between your agency and the agency that is supporting your systems? If yes, does you agency require all personnel from the NCJA agency with physical and/or logical access to secure locations and potentially criminal justice information read/sign the CJIS Security Addendum? 2

3 Does your agency outsource dispatching functions, contracting with a Noncriminal Justice Agency (NCJA) to perform criminal justice functions on your agency behalf (i.e. Governmental agencies (911 centers) that handle dispatching functions for a LE agency)? If yes, does your agency have a management control agreement between your agency and the NCJA that performs criminal justice functions on your behalf? CRIMINAL HISTORIES Enclosed are two lists of criminal histories and a list of Return of Firearms queries performed by your agency. Complete the lists by answering the three questions for each inquiry. Do you provide criminal history information/printouts to any other authorized agency (prosecutor, city attorney, etc.)? o If yes, is the person you provided the criminal history information uniquely identified in the attention line of the query? If not identified in the attention line, does your agency log this dissemination as secondary dissemination? Does your agency maintain this secondary dissemination log for at least one year? ORI UPDATES Enclosed are printouts of your agency information as currently listed in Nlets ORION and NCIC ORI files. Review for accuracy, and make any necessary changes. Does your agency operate 24 hours per day? TIME SYSTEM NEWSLETTERS The CIB website, contains the TIME System Newsletter updating users on new functions and policy. Does your agency distribute the newsletters to personnel that access the TIME System? VALIDATION Does your agency validate CIB / NCIC person and/or property records entered with your ORI? N/A (not applicable) If yes, who is responsible for validating these records? Validation Officer First Name MI Last Name Address Validation Officer First Name MI Last Name Address 3

4 If No or NA (not applicable), please provide further explanation. Does your agency contact the court clerk during the validation of warrants and/or protection orders to ensure the warrant and/or protection order is still active? How does your agency contact the clerk of court and document the results? Does your agency contact complainants for missing person, identity theft victim, and stolen property records during validation to ensure the person and/or property is still missing? How does your agency contact complainants and document the results? Does your agency perform the required second person review of all record entries, modifications, and supplements? How does your agency perform and document the second person review? Does your agency have written policies/procedures regarding validation? PERSONNEL SECURITY (CJIS Policy Section 5.12) Does your agency perform thorough background screening of all personnel who have access to the TIME System, CJIS systems, and/or criminal justice information, including submission of fingerprints to the FBI and CIB? Does your agency perform thorough background screening of all IT/vendor personnel that maintain network hardware, terminals, servers, etc. that access the TIME System and CJIS systems including submission of fingerprints to the FBI and CIB? Does your agency have personnel that reside in another state? If yes, for all personnel of your agency that reside in another state, is a check of the Nlets criminal history file done from that state of residency? Does your agency comply with the CJIS Personnel Security Policy and Procedures requirements (5.12.1) including the request of a variance from the CSO for convicted felons? 4

5 How does your agency document the results of the background screening? Does your agency have written policies regarding discipline of personnel that violate TIME System policies and/or rules? TIME SYSTEM ROSTERS Enclosed you will find rosters of TIME System personnel within your agency. Please review the rosters, indicate a status, and complete as instructed. SECURITY AWARENESS TRAINING (CJIS Policy Section 5.2) Does your agency require security awareness training within six months of access and biennially thereafter, for all personnel who have access to criminal justice information? All personnel who have access to criminal justice information would include users that have login access to the TIME System, users that have access to TIME System printouts, unescorted janitorial personnel, all IT personnel that maintain network hardware, terminals, servers, etc. that access the TIME and CJIS systems, etc. Security awareness training is part of standard TIME System certification level training. For those personnel that do not require TIME System certification, security awareness training is available as an online module via the TRAIN (Training Resources Available on the Internet) site or by using the Security Awareness Handout found on the CIB website PHYSICAL SECURITY (CJIS Policy Section 5.9) Are the boundaries of your physically secure location posted and secured? Does your agency control all physical access points to your secure facility including but not limited to access to the data center, telecommunication equipment and wiring closets? Does your agency maintain a list of individuals who have authorized access to the secure locations? Does your agency verify individuals have authorization before granting them access? Yes No Does your agency verify the identity of visitors before granting access to the secure location? Does your agency escort visitors at all times and monitor visitor activity? Is all TIME System hardware (workstations, servers, etc) located within your physically secure location? If yes, does your agency control access to the data center/equipment closet where the hardware is stored? If no, do you have a Management Control Agreement between your agency and the agency that maintains the hardware (City/County IT)? Please provide a copy of the agreement. 5

6 Does your agency have written physical protection policies and procedures to ensure criminal justice information, hardware, and software is physically protected? MEDIA PROTECTION (CJIS Policy Section 5.8) Digital media means digital storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, digital memory card, etc. Physical media includes printouts, printed documents, printed imagery, etc. Does your agency securely store digital and physical media within the physically secure location? Does your agency restrict access to digital and physical media to authorized individuals? Does your agency protect criminal justice information during transport outside of the secure location? Is transport of criminal justice information outside the secured area restricted to authorized personnel? Does your agency prohibit users from ing criminal justice information? If no, is the encrypted to meet FIPS NIST standards? DIGITAL MEDIA DISPOSAL (CJIS Policy Section 5.8.3) Does your agency sanitize or degauss digital media (this would also include hard drives from leased or rented copiers and/or printers that scan, print or copy CJI or PII) prior to disposal or release for reuse? If yes, please explain in detail what product is used and how the digital media is sanitized or degaussed? Does your agency destroy inoperable digital media? If yes, please explain in detail what product (if applicable) is used and/or how the digital media is destroyed? Is the sanitization or destruction of digital media witnessed or carried out by authorized personnel? 6

7 PHYSICAL MEDIA DISPOSAL (CJIS Policy Section 5.8.4) Does your agency securely dispose of physical (paper) media containing criminal justice information? If yes, please explain in detail how the physical media is disposed of? Is the disposal or destruction of physical (paper) media witnessed or carried out by authorized personnel? Does your agency have written policies and/or procedures related to the above media protection requirements? IDENTIFICATION and AUTHENTICATION (CJIS Policy Section 5.6) These questions pertain to TIME/CJIS Systems access, not to the overall agency communications network. TIME/CJIS systems access includes direct access via Portal 100 or other software, mobile data computer (MDC) access, and access via records management or computer aided dispatch software (i.e. New World, ProPhoenix, Spillman, Visionair etc.) Does your agency require unique identification for all IT and/or vendor personnel who administer and/or maintain the TIME/CJIS systems network? Does your agency require unique identification for all personnel who access the TIME/CJIS Systems? Does your agency prevent users from sharing userids for the TIME/CJIS systems? Does your agency keep the list of authorized users current by adding new users and disabling or deleting former users? Does your agency validate the list of authorized TIME/CJIS system users and their access authorizations at least annually? If yes, is the validation process documented in your policies? Does your agency have written policies and/or procedures related to the above identification and authentication requirements? ACCESS CONTROL / NETWORK / SYSTEMS (CJIS Policy Section 5.5) Does your agency ensure only authorized personnel can add, change or remove component devices, and remove or alter programs? Does your agency enforce a session lock after a maximum of 30 minutes of inactivity on the TIME/CJIS systems? (Devices that are a part of a criminal justice conveyance or used to perform dispatch functions and located within a secure location, or terminals designated solely for the purpose of receiving alert notifications used within physically secured locations that remain staffed when in operation, are exempt.) 7

8 Does your agency allow multiple concurrent sessions for users accessing TIME/CJIS systems? If yes, does your agency have documented procedures outlining the operational business need for the multiple concurrent active sessions? Does your agency have written policies and/or procedures related to the above access control requirements? Does your agency prohibit the use of publicly accessible computers to access, process, store or transmit criminal justice information? (Publicly accessible computers include/are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.) Does your agency utilize a personal firewall on all mobile devices used to access the TIME/CJIS systems (i.e. laptops, tablets, smart phones, etc.)? Does your agency have procedures in place to disable wireless equipment if it is lost or stolen? Yes No SMART PHONES and TABLETS (CJIS Policy Section 5.13) Does your agency use any wireless devices (smartphones or tablets) to access, process, store or transmit criminal justice information via the TIME/CJIS systems? If no, skip to Personally Owned Device section. Does your agency assure that these devices have not been rooted, jail broken, or have had any unauthorized changes made to the device? Does the agency use a Mobile Device Manager (MDM) to control Smartphone / Tablet devices that access criminal justice information (CJI)? If yes, is the MDM capable of the following: Remote locking of device Remote wiping of device Setting and locking device configuration Detection of rooted and jail broken devices Enforce folder or disk level encryption Application of mandatory policy settings on the device Detection of unauthorized configurations or software/applications If yes, is CJI only transferred between authorized applications and storage areas of the device (CJIS sandbox where CJI cannot be copied or pasted from CJI app onto personal applications like Facebook, Twitter, or personal ing)? Does your agency protect Smartphone / Tablet devices with a personal firewall? If yes, does the personal firewall provide ALL of the following: Manage program access to the Internet Block unsolicited requests to connect to the PC 8

9 Filter Incoming traffic by IP address or protocol Filter Incoming traffic by destination ports Maintain an IP traffic log If no, does your agency use a Mobile Device Management (MDM) system that facilitates the ability to provide firewall services from the agency level? Does your agency protect Smartphone / Tablet devices with virus protection? If no, does your agency use a Mobile Device Management (MDM) system that facilitates the ability to provide antivirus services from the agency level? PERSONALLY OWNED DEVICES (CJIS Policy Section ) Does your agency allow personally owned devices to access, process, store or transmit criminal justice information via the TIME/CJIS systems? If no, skip to Temporary Remote Access section. If yes, has your agency established and documented in written policy the specific terms and conditions for such personally owned device usage? If yes, what type of advanced authentication (in addition to userid and password) is used? (I.e. biometrics, user-based public key infrastructure, smart or proximity cards, tokens, risk based authentication, etc.). If yes, is this access connection via a personally owned device encrypted with a cryptographic module that meets FIPS standards? TEMPORARY REMOTE ACCESS (CJIS Policy Section 5.5.6) Does your agency authorize, monitor, and control all methods of temporary remote access to your network/software/systems? (Remote access is any temporary access to an agency s information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (e.g. the Internet.) If no, skip to System and Communications Protection section. Please indicate below, those that apply, regarding temporary remote access: BadgerTraCs (maintenance purposes) IT personnel (maintenance or troubleshooting purposes) Vendor personnel (software/hardware maintenance purposes) Others, please explain further: 9

10 What product is used by the above users to obtain temporary remote access? Does your agency permit Virtual Escorting for remote access? If yes, is the session monitored at all times by an authorized escort? If yes, is the escort familiar with the systems/area in which the work is being performed? If yes, does the escort have the ability to end the session at any time? If yes, is the connection that is used by the remote administrative personnel encrypted and the encryption is FIPS NIST Certified? If yes, is the remote administrative personnel identified prior to access and authenticated prior to or during the session (authentication may be accomplished prior to the session via an Advanced Authentication (AA) solution or during the session via active teleconference with the escort throughout the session)? If you do not meet all of the above conditions for Virtual Escorting, what form of advanced authentication (in addition to userid and password) is used? Biometrics (authentication at the local agency level not the local device) Smart Cards Proximity Cards Tokens (One time passwords) User-Based Public Key Infrastructure Risked-Based Authentication Other: Please provide detailed explanation. Is the connection used for temporary remote access encrypted with a cryptographic module that meets FIPS standards? Does your agency require unique identification for all persons authorized for remote access to the information system? Does your agency enforce the following password rules for remote access to the information system? Minimum length of 8 characters Cannot be a dictionary word or proper name Cannot be the same as the userid Expire within a maximum of every 90 calendar days Cannot be identical to the previous 10 passwords Cannot be transmitted in the clear outside the secure domain Cannot be displayed when entered Cannot be shared 10

11 Does your agency have written policies and/or procedures related to the above network system requirements? SYSTEM/COMMUNICATION PROTECTION/INFORMATION INTEGRITY (CJIS Policy AREA 5.10) Does your agency utilize a firewall to prevent unauthorized access to criminal justice information and all network components providing access to the TIME/CJIS systems? Is malicious code (virus) protection implemented on all information technology systems that transmit and/or store criminal justice information? If yes, is the protection enabled at start-up? If yes, is automatic resident scanning employed? If yes, does that include automatic updates for systems with Internet access? If yes, are systems without Internet access regularly updated manually? Does your agency employ spam and spyware protection at critical information system entry points, workstations, servers and mobile devices? Does your agency apply routine patches to all software and components in a timely manner? Does your agency have written policies and/or procedures related to the above communications protection requirements? CLOUD COMPUTING (CJIS Policy Section ) Does your agency utilize a Cloud Provider to host or store related information systems, applications, or criminal justice information (CJI)? If no, skip to INCIDENT RESPONSE section. Is the CJI encrypted (FIPS 140-2) prior to entering the cloud? If CJI is stored unencrypted within a 3 rd party cloud, are the following requirements met? Security Addendums have been signed by all unescorted private contractor personnel? Personnel Security requirements have been completed by all unescorted private contractor personnel? Security Awareness Training has been completed by all unescorted private contractor personnel? Criminal Justice Agency (CJA) maintains management control of all CJI? All CJI is stored within a physically secure location or encrypted (This means that CJA knows where their CJI is physically being stored and has verified the location is secure from unauthorized personnel)? Media Disposal is carried out by authorized personnel or witnessed by authorized personnel? CJA can provide a network diagram that depicts CJI in the cloud environment? 11

12 Private Contractors with access are uniquely identified? Remote access is determined by CJA administration and requires Advanced Authentication from non secure locations? Audit logs are maintained and can be accessed following security incidents? All technical security measures should be met in cloud adequate boundary protection, information flow enforcement/cji is separated from non-crim. applications/information systems, malicious code/spam/spyware on critical access points? Does your agency prevent the Cloud Provider from using metadata derived from CJI for any purpose? Does your agency prevent the Cloud Provider from scanning or data files for the purpose of building analytics, data mining, advertising, or improving the services provided? INCIDENT RESPONSE (CJIS Policy Area 5.3) Does your agency receive information system security alerts and/or advisories on a regular basis? If yes, do you issue these alerts and advisories to appropriate personnel? If yes, does your agency document the types of actions to be taken in response to security alerts and/or advisories? If yes, does your agency take appropriate actions in response? Does your agency employ automated mechanisms to make security alert and advisory information available throughout the agency as appropriate? If your agency has not experienced a possible information security incident, please answer the questions in this section based on your anticipated response if such an incident were to occur. Does your agency have an information security incident response policy/procedure? If yes, does the policy include the following: o Adequate preparation o Detection o Analysis o Containment o Eradication o Recovery o User response activities o Tracking of information security incidents o Documentation of information security incidents o Automated mechanisms (a device that operates automatically under predetermined conditions) to support the incident handling Are all agency employees, contractors and third party users aware of the agency incident reporting procedures? Does your agency promptly report possible security incidents to the Crime Information Bureau? 12