Security policy 8/24/2012

SLED
Overview of the FBI Criminal Justice Information Services (CJIS) Security Policy Version 5.1
8/09/2012
CJISD-ITS-DOC
For Official Use Only

This session will be an overview of the FBI Criminal Justice Information Services (CJIS) Security Policy 5.1 and how it pertains and applies to municipal court clerks, magistrates, judges and other court staff who are receiving NCIC criminal justice information.

Security policy
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI data. This policy applies to every individual contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity with access to, or who operates in support of, criminal justice services and information.

What is NCIC (National Crime Information Center)?
NCIC 2000 is a nationwide, computerized information system established as a service to all local, state, federal, and international criminal justice agencies. The goal of NCIC 2000 is to help the criminal justice community perform its duties by providing and maintaining a computerized filing system of accurate and timely documented criminal justice information.

The NCIC 2000 data bank can best be described as a computerized index of documented criminal justice information concerning crimes and criminals of nationwide interest. NCIC files also include missing and unidentified person files, files on persons who pose a threat to officer and public safety, as well as stolen property files. All state and local agencies participating in the NCIC 2000 System are required to adhere to the security guidelines found in the FBI/CJIS Security Policy 5.1.

The NCIC 2000 System stores vast amounts of criminal justice information which can be instantly retrieved by and/or furnished to any authorized agency, and is a virtually uninterrupted operation 24 hours a day, 7 days a week.

Types of queries

NCIC stats
In January 1967, when NCIC became operational, it included five files, which contained 356,784 records. In its first year of operation, NCIC processed approximately 2.4 million transactions, or an average of 5,479 transactions daily. Last year NCIC processed 2.4 billion transactions. Recently, NCIC experienced a new one-day record of 8.6 million transactions. Presently, NCIC contains 19 files with over 15 million records, of which nearly 1.7 million are in the wanted persons file. NCIC services more than 90,000 user agencies and averages 7.5 million transactions per day. Currently, on average, South Carolina performs 350,000+ transactions per day.

The local/regional computer availability goals shall be 100 percent, with 96 percent as the minimum. Equipment and/or technological incompatibility shall not be sufficient justification for any agency to operate outside of the normal CSA configuration.

The data stored in the NCIC 2000 System and the III File are documented criminal justice information and must be protected to ensure correct, legal, and efficient dissemination and use. It is incumbent upon an agency operating an NCIC 2000 infrastructure to implement the necessary procedures to make that component secure from any unauthorized use. Any departure from this responsibility warrants the removal of the offending component from further NCIC 2000 participation.

Throughout the last several years, there have been significant changes in the CJIS community's telecommunications and systems architecture. As a result of technological advances, the FBI Director authorized a security management structure to specifically address technical security controls, policy revision, oversight, training, and security incident resolution and notification.

In addition to these changes, a significant number of the larger and more important computer systems in this country have been successfully penetrated by individuals whose reasons ran the gamut from monetary profit to ideological principles. If the National Crime Information Center (NCIC) is going to function efficiently and effectively in today's society, System Security must be an omnipresent element of its everyday operation.

Therefore the CJIS Advisory Policy Board (APB) adopted new policies in the areas of identification, authentication, encryption, wireless applications, dial-up access, Internet access, public networks, and firewalls to address security concerns.

A Federal Working Group and several regional Working Groups were established to recommend policy and procedures for the programs administered by the FBI CJIS Division. These Working Groups are also responsible for the review of operational and technical issues related to the operation of, or policy for, these programs.

The FBI uses hardware and software controls to help ensure System security. However, final responsibility for the maintenance of the security and confidentiality of criminal justice information is shared with the individual agencies participating in the NCIC 2000 System and the IT departments who support the agencies. Further information regarding System security can be obtained from the FBI/CJIS Security Policy 5.1.

Policy Purpose
To provide minimum security requirements associated with the creation, viewing, modification, transmission, dissemination, storage, or destruction of Criminal Justice Information (CJI). To provide a baseline security policy for Local, State, and Federal agencies to build their policies upon (it is the minimum standard a local policy must follow). The policy covers roles and responsibilities as well as the 12 areas of compliance.

Roles and Responsibilities: State ISO
SLED will appoint an Information Security Officer (ISO) who has the responsibility to establish and maintain information security policy, assess threats and vulnerabilities, perform risk and control assessments, oversee the governance of security operations, and establish information security training and awareness programs.

Roles and Responsibilities: State CSO
Each state must have a CJIS Security Officer (CSO), assigned by the head of the CJIS Systems Agency (CSA) (SLED), who is responsible for enforcing security policy rules over ALL agencies, users, and devices accessing CJI via the state CSA (SLED).

Roles and Responsibilities: Local Level
Each local agency accessing Criminal Justice Information (CJI) is required to have a Terminal Agency Coordinator (TAC) and a Local Agency Security Officer (LASO) to oversee that the CJIS Security Policy is being abided by locally. They can be the same person.

Terminal Agency Coordinator (TAC)
The TAC serves as the point-of-contact at the local agency for matters relating to CJIS information access. A TAC administers CJIS systems programs within the local agency and oversees the agency's compliance with CJIS systems policies. The TAC is the Agency Coordinator (AC).

AC of the CGA
The AC is a staff member of the CGA who manages agreements and is responsible for the supervision and integrity of the system, and for the training and continuing education of employees as required.

Agency Coordinator (AC)
The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, certification testing, and all reports required by NCIC.

The AC shall:
- Understand the communications, records capabilities, and needs of the individual who is accessing federal and state records through or because of its relationship with the CGA.
- Receive information from the CGA (e.g., system updates) and disseminate it to appropriate individuals.
- Maintain up-to-date records of all employees or contractors who access the system, including name, date of birth, social security number, date fingerprint card(s) submitted, date security clearance issued, and date initially trained, tested, certified or recertified (if applicable).
- Schedule new operators for the certification exam, as well as schedule certified operators for biennial recertification testing within thirty (30) days prior to the expiration of certification. Schedule operators for other mandated classes.

The AC shall:
- Not permit an untrained/untested or non-certified employee or contractor to access CJI or systems supporting CJI where access to CJI can be gained.
- Provide completed applicant fingerprint cards on each Contractor employee who accesses the system to the CJA (or, where appropriate, the CSA) for criminal background investigation prior to such employee accessing the system.

Local Agency Security Officer (LASO)
The primary Information Security contact between a local law enforcement agency and the CSA. The LASO actively represents their agency in all matters pertaining to Information Security, disseminates Information Security alerts and other material to their constituents, maintains Information Security documentation (including system configuration data), assists with Information Security audits of hardware and procedures, and keeps the CSA informed as to any Information Security needs and problems.

Roles and Responsibilities: Outsourcing of CJI Administration
The responsibility for the management of the approved security requirements shall remain with the Criminal Justice Agency. Thus the outsourcing of the state CSO and ISO positions is not allowed, and the outsourcing of local TAC and LASO positions is not allowed.

Roles and Responsibilities: Local Points of Contact
Local or municipal entities should refer all CJIS Security procedural or technical questions to their local criminal justice agency's TAC or LASO. They are the local point of contact. If the local TAC or LASO does not have an answer, they can refer to the state CSO for assistance.

Illegal Dissemination of CJI and PII Can Lead to Penalties
Improper access and dissemination of any CJI data, including CHRI, may result in administrative sanctions, termination, and state and federal penalties. Refer to the S.C. Financial Fraud and Identity Theft Law for more information.

What does the policy cover?
1. Information Exchange Agreements
2. Awareness Training
3. Incident Response
4. Auditing and Accountability
5. Access Control
6. Identification and Authentication
7. Configuration Management
8. Media Protection
9. Physical Protection
10. Systems & Communications Protection and Information Integrity
11. Formal Audits
12. Personnel Security

Information Exchange Agreements (Policy Area 1)
Criminal Justice Information requires protection throughout its life, which is why agreements need to be in place between each agency sharing CJI data. These agreements must specify security controls meeting the CJIS Security Policy requirements and be in place before any CJI can be exchanged. Agreements should state the policies, standards, sanctions, governance, auditing, services accessed and policy compliance required for the user agency. CJI exchange includes electronic mail, instant messaging, web services, facsimile, hard copy, and the information systems sending, receiving, and storing CJI.

Some Agreement Types
- User
- Service
- Management Control*
- Inter-Agency*
- CJIS Security Addendum*
- Civil Agency User Agreement
- Livescan/Latent Fingerprint Sharing

Agreements required for NCJA
Management Control agreement: grants the criminal justice agency management control over the operations of the noncriminal justice agency as they relate to access to the Law Enforcement Data System network and services. Required between the CJA and the NCJA which provides services to the CJA (dispatching, record keeping, computer services, etc.). "Management Control" means the authority to set and enforce: (a) priorities; (b) standards for the selection, supervision and termination of personnel; and (c) policy governing the operation of computers, circuits, and telecommunications terminals used to process, store, or transmit information to or receive information from the Law Enforcement Data System.

Agreements required for NCJA (cont.)
Inter-Agency agreement: an agreement between two agencies that states the standards, policy, and access required of the parties.
- State CSA to non-criminal justice agency (DSIT)
- Local criminal justice agency to non-criminal justice agency (county or city)
Security Addendum:
- Criminal Justice Agency & private contractor (each employee)
- Non-criminal Justice Agency & private contractor (each employee)

Example: CJA supported by NCJA
- SLED is the CSA.
- SLED's enterprise extends to Metropolitan PD.
- The Metropolitan City IT department performs IT administration of the PD network with some private contractors.
Agreements Needed
- CJA user agreement between SLED and Metropolitan PD
- Inter-agency agreement between Metropolitan City IT and Metropolitan PD
- Management control agreement between Metropolitan PD and Metropolitan City IT
- Security Addendum between Metropolitan City IT and private contractors

Security Awareness Training (Policy Area 2)
Security awareness training shall be required before an initial assignment for all personnel who have access to CJI. The CSO/CSA may accept the documentation of the completion of security awareness training from another agency. Accepting such documentation from another agency means that the accepting agency assumes the risk that the training may not meet a particular requirement or process required by federal, state, or local laws.

Security awareness training is mandatory for those with roles in the support, administration or general access to criminal justice information: all criminal justice employees, non-criminal justice employees, contractors, vendors, etc. The level of training is dependent on the role of the individual; IT support requires the highest level of training.

Security Awareness Training (Policy Area 2)
Training must be performed every two years. The management control criminal justice agency's designated person (TAC, LASO, ISO, CSO, NCIC coordinator) is responsible for coordinating and verifying the completion of this requirement for their respective agency.

Incident Response (Policy Area 3)
The information security officer at SLED has been identified as the POC on security-related issues for the CSA and respective agencies in the state. The ISO is responsible for ensuring LASOs (local agency security officers) institute the CSA incident response reporting procedures at the local level.

Policy Directive
Agencies shall: (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii) track, document, and report incidents to appropriate agency officials and/or authorities.

Responsibilities for incident response
Agencies, whether criminal justice or non-criminal justice, that are responsible for the administration of criminal justice, dispatching, record keeping, or computer services for CJI are all required to follow the CJIS policy incident reporting requirements. Four critical tasks must be followed with incidents:
- Incident Handling
- Collection of evidence
- Incident Response training
- Incident Monitoring
These procedures may be audited by SLED and/or the FBI during the required technical and policy audits.

Auditing and Accountability (Policy Area 4)
Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.

Logging Events
Policy 5.4 states specific logging requirements:
- Specific events must be logged
- Content to log on each event is specified
- Monitoring, analysis and log reporting actions
- Response to logged events
- Log retention is 365 days
- Other requirements exist for NCIC, III and CJIS access and information logging

Access Control (Policy Area 5)
Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. Access control includes physical in addition to logical access.

User Access Control
- Always assign least privilege to accounts.
- Use job duties, physical, logical or network location, and date/time restrictions for access.
- All employee status changes must be reported and accounts adjusted as required.
- Policy guidelines state requirements for annual validation of accounts, logging of access, and inactivity or failed login attempts (policy 5.5).

Access Control Recommendations
- System administrator access must be tightly regulated.
- Only allow remote admin access in emergency situations.
- Don't allow remote access for group accounts.
- Always provide system notifications or warnings to users logging on.
- Use approved mechanisms to control this access.
- Policy and Security must be FIPS

CJI Access Restrictions
- CJI access is not allowed from personally owned or public computers.
- No CJI over Bluetooth at this time, because Bluetooth does not use a FIPS 140-2 approved encryption standard.
- CJI over Wireless and Cellular must be carefully regulated following policy.

Identification and Authentication (Policy Area 6)
All users must be properly identified prior to access to any agency information systems or services. Follow password policies for all access to the criminal justice infrastructure or network where CJI is transmitted, as listed in the policy.

Advanced Authentication
Advanced Authentication (AA) is required when users are accessing CJI via a network that is not deemed secure by the SLED ISO. Policy: Advanced Authentication is the use of additional identifiers on top of login ID and password, which may include PKI, biometrics, smart cards, tokens, software tokens, etc.

Configuration Management (Policy Area 7)
The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades and modifications. Thus agencies must restrict who has configuration management permissions.

Configuration Management Requirements
Agencies must provide a detailed network topology diagram to the SLED ISO anytime there is a proposed network change or a network change has occurred. Agencies must protect all system configuration documentation from unauthorized access.

Media Protection (Policy Area 8)
Procedures must be defined for securely handling, transporting, and storing media, both electronic and physical. Procedures must also be in place for the sanitization and disposal of electronic and physical media that meet policies. All entities accessing CJI media must be vetted, authorized personnel. Specific policies are in policy 5.8.

Physical Protection (Policy Area 9)
All CJI and associated information systems must be in a physically secure location. This can be a facility, area, room or group of rooms with the controls described in the policy. Personnel security for access to the area must follow policy area 12. The location is subject to the management control of the CJA and must follow all criminal justice policies.

Physical protection
- A security perimeter should be established and posted as such.
- A list of authorized personnel with access must be maintained.
- All physical access points to the secure area must be controlled.
- All physical access to the IT systems and transmission lines shall be controlled.
- The display or view of information from outside this controlled area must prevent unauthorized viewing.

Visitor Control
- Visitors must be authenticated before authorizing escorted access.
- Access records shall be maintained following the policy requirements.
- Items entering and exiting the area shall be controlled and authorized.

Non-criminal justice agencies or contractors must follow these procedures to report incidents to the LASO at the criminal justice agency they support (who signed the management control agreement?). The criminal justice agency LASO will report these incidents to the SLED ISO, who will in turn communicate the details to the FBI CJIS ISO.

Systems & Communications Protection and Information Integrity (Policy Area 10)
Examples range from boundary and transmission protection to securing virtual environments. Information flow enforcement between interconnected systems shall be controlled.

Information Flow
Information flow control regulates where information is allowed to travel within the IT system and between IT systems.
- CJI cannot be transmitted unencrypted across the public network.
- Outside traffic that claims to be from the agency must be blocked.
- Web requests from the public network not from an internal web proxy should not be passed.
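As an added illustration (not part of the SLED deck or of the CJIS policy text), the checker below applies the three information-flow rules above to constructed boundary flow-log records; the agency address ranges, proxy address and log format are assumptions, and the third rule is read as applying to web requests bound for the public network, which must originate from the internal web proxy.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed agency address space and web-proxy address (assumptions, not
# taken from the deck or from any real SLED network).
AGENCY_NETS = [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("192.168.100.0/24")]
WEB_PROXY = ipaddress.ip_address("10.20.5.10")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    """One connection record from the boundary device's flow log."""
    iface: str       # interface the packet arrived on: "ext" (public) or "int"
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str       # "tcp" or "udp"
    dport: int
    encrypted: bool  # payload carried inside TLS/IPsec or an approved VPN
    cji: bool        # flow tagged (e.g. by application or port) as carrying CJI


def is_internal(addr) -> bool:
    return any(addr in net for net in AGENCY_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed log format:
    '<iface> <src> <dst> <proto> <dport> enc=<0|1> cji=<0|1>'."""
    iface, src, dst, proto, dport, enc, cji = line.split()
    return Flow(iface, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), enc == "enc=1", cji == "cji=1")


def evaluate(flow: Flow) -> list[str]:
    """Return the names of the flow rules this record violates ([] = pass)."""
    violations = []
    crosses_public = not (is_internal(flow.src) and is_internal(flow.dst))

    # Rule 1: CJI may not be transmitted unencrypted across the public network.
    if flow.cji and crosses_public and not flow.encrypted:
        violations.append("unencrypted-cji-on-public-network")

    # Rule 2: outside traffic that claims to be from the agency is blocked.
    # A packet on the public interface with an agency source address is spoofed.
    if flow.iface == "ext" and is_internal(flow.src):
        violations.append("spoofed-internal-source")

    # Rule 3: web requests bound for the public network are passed only when
    # they originate from the internal web proxy, never directly from hosts.
    if (flow.proto == "tcp" and flow.dport in WEB_PORTS
            and is_internal(flow.src) and not is_internal(flow.dst)
            and flow.src != WEB_PROXY):
        violations.append("web-request-bypassing-proxy")

    return violations


def audit(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based log line numbers to the violations found on that line."""
    findings: dict[int, list[str]] = {}
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        found = evaluate(parse_flow(line))
        if found:
            findings[n] = found
    return findings


# Constructed sample log; the external addresses are documentation ranges.
SAMPLE_LOG = """\
# iface src dst proto dport enc cji
int 10.20.1.15 10.20.2.7 tcp 3389 enc=1 cji=1
int 10.20.1.15 198.51.100.20 tcp 443 enc=1 cji=1
int 10.20.1.15 198.51.100.20 tcp 80 enc=0 cji=1
ext 10.20.9.9 10.20.1.15 tcp 445 enc=0 cji=0
int 10.20.5.10 198.51.100.20 tcp 443 enc=1 cji=0
ext 203.0.113.7 10.20.5.10 udp 500 enc=1 cji=0
""".splitlines()

if __name__ == "__main__":
    for n, found in sorted(audit(SAMPLE_LOG).items()):
        print(f"line {n}: {SAMPLE_LOG[n - 1]!r} -> {', '.join(found)}")
```

Run against a real boundary device's flow export, the same three checks would flag the records a correctly configured firewall should already have dropped, which makes the script a useful audit of the firewall rather than a substitute for it.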

Layers of protection
- CJI and systems shall provide boundary protection as established in the policy.
- Encryption standards must be met per the policy; SLED has additional requirements for encryption (AES 256).
- Intrusion detection/prevention tools shall be in place following the policy.
- VoIP and facsimile policies shall also be implemented per the policy.

Information Technology security
IT security is hardware and/or software used to assure the integrity and protection of information and the means of processing it. Many criminal justice data systems and networks are interconnected to one another and to the Internet. As such, those systems and networks are vulnerable to exploitation by unauthorized individuals.

Partitioning
Specific controls must be in place to use this technology with criminal justice information and processing. The application, service, or system shall:
- Separate user functionality (including UI services) from information system management.
- Separate UI services from information storage and management services, either physically or logically.
Guidelines for achieving this are specified in the policy.

Virtualization
All security controls in the policy apply to virtualization. Additional controls exist in the policy:
- Isolate the host from the virtual machines.
- Maintain audit logs for all virtual hosts and machines (store these outside of the virtual environment).
- Physically separate Internet-facing virtual machines from virtual machines that process CJI.
- Critical device drivers shall be contained in a separate guest.

Virtualization (cont.)
Additional technical security controls are suggested. These include:
- Encrypt network traffic between virtual machine and host.
- Implement IDS and IPS within the virtual machine environment.
- Virtually firewall each virtual machine from the others, or physically firewall each with an application layer firewall controlling protocols.
- Segregate the administrative duties for the host.

System & Information Integrity
The agency shall develop and implement a local policy for installing relevant security patches, service packs and hot fixes. The policy must include items and procedures (per the policy) for installing these fixes. Malicious code, spam and firewall protection must be implemented following the policy.

Formal Audits (Policy Area 11)
Formal audits are conducted on IT services, secure areas, personnel and policies by SLED and the FBI. Regular audits are triennial but can be conducted more frequently. The FBI has the authority to conduct unannounced security inspections and scheduled audits of the facilities. All agencies, CJA and NCJA, are subject to the audit requirements and inspections. Responses to audit findings must be addressed in a manner accepted by the CJA, SLED and FBI. Failure to correct deficiencies will result in sanctions.

Personnel Security (Policy Area 12)
All personnel who have access to unencrypted criminal justice information (CJI), including those with only physical or logical access, must be screened. All requests for access must be cleared by the CJA who maintains management control. The TAC or LASO is the point of contact for these requests.

Background Checks
Notification of subsequent arrest and/or convictions for those who have access must be sent to the CSO to determine if access should be continued. Support personnel, contractors, custodial workers, and others with access to physically secure or controlled locations shall be subject to these regulations unless escorted by an authorized person at all times.

Personnel screening for contractors and vendors
In addition to requirements in the policy, the following items are in place:
- The contracting government agency (CGA) shall coordinate the background check, prior to granting access, with the criminal justice agency that has management control.
- If a record of any kind is found, the CGA will be notified and access is delayed pending a review by the CJA. The CGA must notify the contractor-appointed security officer.
- All felony convictions are disqualifications for access.
- Arrest warrants are disqualifications for access.
- The CGA shall maintain a list of personnel who have been authorized for access and shall provide a current list to the CSO when requested.
- The CGA can request the CSO to review any denials.

Maintenance after granting physical or logical access
Upon termination or separation, the individual's access shall immediately be terminated. Reassignments or transfers shall result in actions such as closing and establishing new accounts and changing system access authorizations. A formal sanctions process for failure to comply with established information security policies and procedures shall be documented, distributed and enforced. This should be available during an audit.

Background Checks
A state of residency and national fingerprint background check is required for unescorted access AND for all personnel who have direct access to CJI and all those who have IT responsibility. Any felony conviction will result in access being denied. If a record of any kind exists, access cannot be granted until the CSO (SLED) reviews and determines if access is appropriate.

System & Information Integrity
Any mobile device by design (laptops, handhelds, PDAs, etc.) must employ personal firewall protection. A minimum list of activities performed by the personal firewall is listed in the policy:
- Manage program access to the Internet
- Block unsolicited requests to connect to the device
- Filter incoming traffic by IP, protocol or destination port
- Maintain an IP traffic log
Security alerts and advisories must be received by the agency, and policies must be in place for handling the information (per the policy).

Information Technology security
A vulnerability is a condition or weakness in (or the absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.

Information Technology security
All systems and networks have vulnerabilities. The goal of security is to minimize those vulnerabilities. Vulnerabilities include, but are not limited to, physical, natural, hardware and software.

Information Technology security: Vulnerability Examples
- Physical: the placement of a computer in a non-secure location.
- Natural: a server connected to a power source without a surge protector or backup power supply.
- Hardware: a connection to the Internet without a firewall.
- Software: not updating the computer operating system when updates are issued.

Information Technology security: Security Points of Contact
- Identify who is using the hardware/software and ensure that no unauthorized users have access to same.
- Identify and document how the equipment is connected to the state system.
- Ensure that personnel security screening procedures are being followed as stated in the CJIS Security Policy.
- Ensure that appropriate hardware security measures are in place.
- Support policy compliance and keep the state ISO informed of security incidents.

Remember
The local agency may complement the CJIS Security Policy with a local policy, or the agency may develop its own standalone security policy; however, the CJIS Security Policy shall always be the minimum standard, and local policy may augment or increase the standards but shall not detract from the CJIS Security Policy standards.

Remember
This Policy governs the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, and availability of service needed by the criminal justice community.

Remember
Responsibility for the management control of network security shall remain with the CJA. Management control of network security includes the authority to enforce the standards for the selection, supervision, and separation of personnel who have access to CJI; to set and enforce policy governing the operation of circuits and network equipment used to transmit CJIS data; and to guarantee the priority service as determined by the criminal justice community.

Remember
Private contractors who perform criminal justice functions shall meet all policies for training and certification criteria required by governmental agencies performing a similar function, and shall be subject to the same extent of audit review as are local user agencies. Additional screening requirements exist in the security policy 5.1.

Remember
All private contractors who perform criminal justice functions shall acknowledge, via signing of the Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum.

Agreements
User Agreements state the policy, standards, sanctions, governance, auditing, services accessed and policy compliance required of the user agency.
Agreements Needed
- CJA user agreement between SLED and the court agency
- Inter-agency agreement between Metropolitan City IT and the Metropolitan court agency
- Management control agreement between the Metropolitan court agency and Metropolitan City IT
- Security Addendum between Metropolitan City IT and private contractors (TAC needs copies)

Contacts and Steps to Gain Access

1. Contact the CSO office in writing requesting access to NCIC data. Once received, the CSO office will forward this request to the FBI for an NCIC ORI assignment. Any court that hears civil cases only (with the exception of domestic violence and stalking cases) does not qualify for an NCIC 2000 ORI assignment. Contact person for the CSO office is Millie Galloway at or
2. When the ORI has been established, the CSO office will send an Information Exchange Agreement to the court.
3. Complete security addendums between the agency and the IT vendor.
4. The court will perform the TAC/LASO assignment.
5. Security Awareness Training is performed on all individuals.
6. Complete fingerprint checks on all individuals.
7. Complete state-of-residency checks on all individuals.
8. Once those checks have been performed, the court will send the completed Site Survey and Topology for approval.

The End


More information

State of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS)

State of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS) 1.0 PURPOSE Periodic security audits, both internal and external, are performed for the benefit of the and its employees to: (1) identify weaknesses, deficiencies, and areas of vulnerability in operations;

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

California Code of Regulations TITLE 21. PUBLIC WORKS DIVISION 1. DEPARTMENT OF GENERAL SERVICES CHAPTER 1. OFFICE OF THE STATE ARCHITECT

California Code of Regulations TITLE 21. PUBLIC WORKS DIVISION 1. DEPARTMENT OF GENERAL SERVICES CHAPTER 1. OFFICE OF THE STATE ARCHITECT California Code of Regulations TITLE 21. PUBLIC WORKS DIVISION 1. DEPARTMENT OF GENERAL SERVICES CHAPTER 1. OFFICE OF THE STATE ARCHITECT SUBCHAPTER 2.5. VOLUNTARY CERTIFIED ACCESS SPECIALIST PROGRAM Program

More information

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union) ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain

More information