Security and Privacy Training Quiz
42 Questions

Created by @UnforgettableMoon

Questions and Answers

All personnel requiring unescorted access to secure locations must complete security and privacy training.

True

Training records must be retained for a minimum of ______ years.

3

When must literacy training be taken?

  • Before accessing CJI
  • Every year after initial training
  • Within 30 days of a security event
  • All of the above (correct)

What is a threat actor?

A person or group that intentionally causes harm, exploits vulnerabilities, or gains unauthorized access.

Which of the following is a type of social engineering?

All of the above

______ is when an unauthorized person manipulates their way into a restricted area.

Tailgating

What should agencies do to minimize vulnerabilities?

All of the above

What is generative AI?

A machine learning model that uses existing data to create new content.

It is safe to input Criminal Justice Information into generative AI tools.

False

Match the following terms with their definitions:

  • Phishing = Tricking users into sharing personal information through deceptive emails
  • Quid pro quo = Requesting sensitive information in exchange for a service
  • Shoulder surfing = Observing a user to obtain confidential data
  • Tailgating = Manipulating entry into a secure area by following an authorized person

What is the CJIS Systems Agency (CSA)?

The agency responsible for establishing and administering an information technology security program.

Which of the following is included in Criminal History Record Information (CHRI)? (Select all that apply)

Arrest descriptions and notations

What does the Interstate Identification Index (III) allow federal, state, and local agencies to do?

Determine if an individual has a criminal record anywhere in the country

CHRI should only be accessed for authorized purposes.

True

What is Personally Identifiable Information (PII)?

Information that can be used to distinguish or trace an individual's identity.

The two most popular methods for physical media disposal are __________ and __________.

shredding, incineration

Access to Criminal Justice Information (CJI) is primarily intended for what purpose?

Criminal justice purposes

Publicly accessible content applies to systems controlled by the organization and without authentication.

True

What principle requires individuals to have only the access they need to perform their duties?

Least Privilege

What should be done upon the termination of personnel regarding access to CJI?

Access must be immediately discontinued.

Low-level staff can access CJI without restrictions.

False

Agencies must develop and document an access control policy that is reviewed __________ and after any security incidents.

annually

Which of the following are examples of mobile devices?

All of the above

What is a security incident?

A violation of the CJIS Security Policy

What kind of access should agencies control for mobile devices?

Managed access control points.

Incident response training should only be provided once.

False

What should be done with devices that have been rooted or jailbroken?

They should not be used to process, store, or transmit CJI data.

Mobile Device Management (MDM) includes the capability of ______ wiping of a device.

remote

What must be documented by agency-level policies regarding external systems?

Assurances of necessary controls for compliance.

Which of the following is NOT a threat to cellular devices?

User training

Match the following incident response phases with their descriptions:

  • Preparation = Establishing and training an incident response team
  • Detection and analysis = Identifying a security incident and assessing its impact
  • Containment = Controlling attacks and damage
  • Recovery = Restoring affected systems to normal operation

Who should be notified immediately upon any suspected incident?

Local Agency Security Officer (LASO) or Information Security Officer (ISO).

Agencies must notify all agencies that may be affected by a personnel change if an employee is part of a Non-Criminal Justice Agency.

True

What should agencies develop and maintain to ensure physical security?

A list of authorized individuals

Access points to a physically secure location must be controlled, and individual access authorizations should be __________ before granting access.

verified

What must agencies monitor to detect security incidents?

Physical access to secure locations

Locks or entry codes should be changed only if they are lost or compromised.

False

Which of the following is NOT a physical access device mentioned?

Video Conferencing System

What is the maximum duration of inactivity before a device should be automatically locked?

30 minutes

Which identifiers are used within an information system?

All of the above

Malware refers to programs designed to enhance the security of data.

False

What is the process of converting information into a readable format called?

Decryption

    Study Notes

    Security and Privacy Training

    • Personnel requiring unescorted access to locations handling Criminal Justice Information (CJI) must complete security and privacy training.
    • Training completion is mandated by the FBI CJIS Security Policy before access to the system and is required annually thereafter.
    • All training records must be retained for a minimum of 3 years by the Federal, State, or Local Agencies.

    Security and Privacy Literacy

    • Understanding potential threats, vulnerabilities, and risks related to security and privacy is essential for effective literacy.
    • Literacy training must occur before accessing CJI and must be repeated annually or within 30 days of a security event.
    • Short sessions may cover updates on recent attack schemes or changes in security policies.
    • A threat actor intentionally exploits vulnerabilities; it can be a cybercriminal, hacker, or insider threat, motivated by various factors.
    • Types of threats include natural (e.g., lightning), intentional (e.g., malicious attacks), and unintentional (e.g., accidental data deletion).
    • Personnel are significant threats to an agency’s security, either intentionally or unintentionally.

    Insider Threat

    • Proper security measures against insider threats are integral to CJIS Security.
    • Indicators of potential insider threats include job dissatisfaction, unauthorized access attempts, workplace violence, and policy violations.

    Social Engineering and Mining

    • Social mining involves gathering information to support future attacks.
    • Social engineering tricks individuals into revealing sensitive information through tactics like phishing, impersonation, and baiting.
    • Phishing sends deceptive emails to gather private information, sometimes through spear phishing targeting specific individuals and quishing which uses QR codes.
    • Pretexting and impersonation involve creating backstories to manipulate individuals into disclosing information.
    • Baiting and scareware lure users with false promises or threats, while quid pro quo offers services in exchange for sensitive data.
    • Tailgating (or piggybacking) and shoulder surfing are common tactics for unauthorized access and data collection.

    Minimize Vulnerability

    • To minimize vulnerabilities, agencies should keep antivirus software updated, monitor user activity, and report unusual behaviors.
    • Establish communication channels for reporting insider threat indicators or social engineering incidents.

    Using Generative AI

    • Generative AI refers to machine learning models creating new content based on existing data.
    • Examples include language translation, content creation, cybersecurity support, and image generation.
    • Best practices when using generative AI include avoiding the input of CJI or personal information and carefully monitoring outputs for accuracy.

    Security Alerts and Advisories

    • Agencies should regularly receive and document security alerts/advisories about information systems and take appropriate actions.
    • Automated mechanisms should be employed to disseminate security information agency-wide.

    Roles and Responsibilities

    • CJIS Systems Agency (CSA): Establishes an IT security program within its user community.
    • CJIS Systems Officer (CSO): Administers the CJIS network within the organization.
    • Information Security Officer (ISO): Acts as a liaison with FBI CJIS Division on security matters.
    • Criminal Justice Agency (CJA): Administers criminal justice functions as per statutes or orders.
    • Terminal Agency Coordinator (TAC): Acts as a point-of-contact for CJIS access issues.
    • Local Agency Security Officer (LASO): Manages information security concerns at the local level.
    • Authorized Recipient Security Officer (ARSO): Oversees information security adherence by contractors.

    Agency Responsibilities

    • Agencies accessing CJI must follow FBI CJIS Security Policy requirements and maintain up-to-date internal policies on information security.
    • Individual users bear responsibility for their conduct in handling CJI.

    Criminal Justice Information

    • Criminal Justice Information (CJI) includes data provided by CJIS necessary for law enforcement functioning.
    • National Crime Information Center (NCIC) systematizes a database for use by all law enforcement agencies.
    • Interstate Identification Index (III) ties together state and federal criminal history records, allowing lawful access for authorized purposes only.
    • Sensitive NCIC records encompass areas like criminal history, supervised release, and identity theft, requiring careful handling and protection.

    Violent Person File and National Instant Criminal Background Check System (NICS)

    • NICS is used to conduct background checks for firearm purchases, aimed at preventing denied transactions.

    NCIC Non-Restricted Files

    • Non-restricted files within NCIC include records on boats, guns, missing persons, protection orders, vehicles, and wanted persons.
    • Categories of files in NCIC:
      • CHRI (Criminal History Record Information)
      • Restricted Files
      • Non-Restricted Files

    Personally Identifiable Information (PII)

    • PII refers to data that can identify an individual, such as:
      • Name
      • Social Security Number
      • Biometric records (fingerprints, retina scans)
      • Driver's license or passport number
      • Personal addresses (physical or email)
    • PII originating from FBI CJIS data must be handled according to agency policies to safeguard privacy.

    Criminal Justice Information (CJI) Security

    • The CJIS Security Policy establishes minimum standards for accessing, using, and disseminating CJI.
    • Local policies may enhance but not lessen the restrictions set by CJIS standards.

    Information Handling

    • Protect CJI from unauthorized disclosure, alteration, or misuse.

    Authorized Purposes for CJI Use

    • CJI and CHRI are primarily accessed for criminal justice purposes, including:
      • Detection, apprehension, prosecution, and rehabilitation of criminal offenders.
    • Noncriminal Justice purposes include employment suitability, licensing, immigration matters, and national security clearances.

    Prohibitions and Authorized Use

    • CJI cannot be queried for personal benefit and must only be used for authorized purposes.
    • Information obtained from the III (Interstate Identification Index) must be used only for its intended purpose.

    CJI Dissemination

    • CJI should be shared strictly on a need-to-know basis, ensuring secure communication methods are used:
      • Phone communications should be limited and verified.
      • Email transmission must have appropriate security protections.
      • Faxing requires encryption unless it is sent over standard phone lines.
      • Texting via regular SMS is deemed insecure.

    Media Access and Storage

    • Access to both digital and non-digital media that contain CJI should be restricted to authorized individuals.
    • Examples of digital media include USB drives, CDs, external hard drives, etc.
    • Non-digital media comprises paper files, microfilm, and fax records.

    Media Disposal

    • Procedures for secure disposal must minimize risks, including shredding and incineration of hard copies.
    • If physical destruction isn't feasible, data must be overwritten three times.

    Access, Use, and Dissemination Penalties

    • Unauthorized activities concerning CJI may result in criminal penalties or employment termination.
    • Agencies must enact formal sanctions for personnel not complying with security policies.

    Access Control

    • Access control regulates who can access CJI systems, requiring an annual review of policies.
    • Access should be based on valid authorizations and intended system use.
    • Personnel must be screened prior to receiving CJI access, including background checks.

    Personnel Security

    • All staff, including contractors, need screening before access to CJI.
    • Changes in personnel assignments necessitate access reviews; access must be suspended immediately upon termination.

    Physical Security

    • Areas processing or storing CJI must be physically secured.
    • Measures should include well-monitored access points, visitor controls, and physical access devices.

    Controlled Areas

    • If full security controls cannot be met, designate controlled areas with controlled access, encryption, and secure hard copy storage.
    • Monitor all visits and maintain accurate access records for a year.

    Security Protocols for CJI Areas

    • Access to Criminal Justice Information (CJI) is limited strictly to authorized personnel only.
    • Areas containing CJI must be locked when unattended to maintain security.
    • All personnel are responsible for maintaining the physical security of these areas.

    System Security Overview

    • System Security, also known as IT Security, encompasses hardware and software that protects information integrity and processing.

    Access Control Mechanisms

    • Access to CJI should be restricted per object, such as datasets and files, with defined user capabilities (read, write, delete).
    • A system use notification must be shown to users before accessing restricted systems, detailing monitoring, usage consequences, and consent to monitoring.

    Session Management

    • Automatic device lock, such as a password-protected screensaver, must activate after 30 minutes of inactivity.
    • Exceptions apply for devices related to criminal justice functions or those located in secure areas.
    • Active user sessions should terminate automatically upon logout or after predetermined inactivity.

    User Identification and Authentication

    • Each authorized user must be uniquely identified and authenticated.
    • Identification examples include User IDs, Agency IDs (ORI), and device identifiers (MAC or IP addresses).
    • Identifiers cannot be reassigned for at least one year.

    Authentication Methods

    • Authentication verifies a claimed identity and confirms its access rights, and must follow the FBI CJIS Security Policy.
    • Multi-factor authentication (MFA) strengthens security by using different verification factors: knowledge (password), possession (smart card), and inherence (biometrics).
    • Passwords must meet stringent requirements:
      • Minimum of 8 characters, changed every 90 days.
      • Cannot be the same as user IDs, proper names, or dictionary words and must not be displayed during entry.

    System and Communication Protection

    • Ensures secure information flow via appropriate boundary and transmission protection mechanisms.
    • Encryption converts sensitive data into a code, while decryption returns it to a readable format.

    Malicious Code Protection

    • Malware includes any covert program undermining data confidentiality, integrity, or availability.
    • Agencies should utilize virus protection software and ensure malware defenses are updated, especially for systems with internet access.

    Spam and Spyware Protection

    • Implement protection on organizational emails and internet access points to manage unsolicited messages effectively.
    • Protection should include detection and response capabilities for both spam and spyware threats.

    Wireless Access Security

    • Wireless connections require robust encryption and authentication measures pre-defined by agency policy.
    • Bluetooth technology, while useful, poses security threats and should be regulated by organizational policies regarding its use.

    Risk Mitigation for Wireless Devices

    • Multi-factor authentication, encryption of CJI, personal firewalls, and regular updates are vital practices.
    • Cached information should be erased at session termination, and critical patches must be applied.

    Mobile Device Security Standards

    • Mobile devices include portable computing devices and pose risks like loss, unauthorized access, and malware.
    • Agencies must outline requirements and guidelines for mobile devices controlling CJI access.

    Mobile Device Management (MDM)

    • MDM software oversees configurations, application usage, and device protection, ensuring controls such as remote locking or wiping.
    • Devices with unauthorized modifications, such as rooting or jailbreaking, must not be used to process CJI.

    Remote Access Control

    • Remote access lets users connect temporarily through external networks, but it must be managed and monitored.
    • Documentation regarding technical and administrative procedures for remote access must be part of the information system’s security plan.

    Guidelines for External System Use

    • External systems accessing agency-controlled information require independent assessments to ensure adequate security controls.
    • Agencies can opt to prohibit the use of any external systems.

    Use of Personally Owned Devices

    • All personnel are prohibited from using personal systems for accessing CJI unless documented terms are established.

    Publicly Accessible Computers

    • Public terminals must not be used for any CJI-related activities. Examples include library computers, hotel business centers, and public kiosks.

    Audit Monitoring and Reporting

    • Agencies must assign responsibilities for regular audit record review (weekly) to identify unusual or inappropriate activities.


    Description

    Test your knowledge on security and privacy training requirements for personnel. This quiz covers essential topics such as training retention periods, literacy training, threat actors, and types of social engineering tactics. Prepare to enhance your understanding of security protocols.
