Full Transcript

**LESSON 1: INTRODUCTION**

**Security and Privacy Training**

- **All personnel whose duties require them to have unescorted access to a physically secure location that processes or stores Criminal Justice Information (CJI) must complete security and privacy training.**
- The FBI CJIS Security Policy requires that all personnel fitting the above criteria complete this training:
  - ***Before*** authorizing access to the system or information, or before performing assigned duties
  - ***Every year*** after the initial training
- **Training Record Retention:** FBI Security Policy requires that all training records be kept current and maintained for a **minimum of 3 years** by the Federal, State, or Local Agency.

**LESSON 2: LITERACY TRAINING AND AWARENESS**

**Security and Privacy Literacy**

- Security and Privacy Literacy is understanding the threats, vulnerabilities, and risks associated with security and privacy. It is also knowing how to maintain security and personal privacy and how to respond to suspected incidents.
- **Literacy training** must be taken at the following times:
  - ***Before*** accessing CJI
  - ***Every year*** after the initial training
  - ***Within 30 days*** of any security event, for all users involved in the event
  - When required by system changes
- After the initial training, subsequent literacy training may be satisfied by one or more short ad hoc sessions, including topics such as recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training.
- A **threat actor** is a person or group that intentionally causes harm, exploits vulnerabilities, or gains unauthorized access to digital devices or computer systems. Threat actors can include cybercriminals, hackers, thrill-seekers, and insider threats, with motivations of profit, ideology, satisfaction, and discontent.
- Threat examples are:
  1. Natural: lightning, heat, or water
  2. Intentional: someone wanting to cause harm
  3. Unintentional: someone accidentally erasing a file while playing around
- **One of the greatest threats to an agency's security, whether intentional or unintentional, is its own personnel!**

**Insider Threat**

- Having proper security measures against the insider threat is a critical component of CJIS Security. Possible indicators of potential insider threat can include behaviors such as:
  - Inordinate, long-term job dissatisfaction
  - Attempts to gain access to information not required for job performance
  - Unexplained access to financial resources
  - Bullying or harassment of fellow employees
  - Workplace violence
  - Other serious violations of policies, procedures, directives, regulations, rules, or practices

**Social Engineering and Mining**

- **Social mining** is an attempt to gather information about the organization that may be used to support future attacks.
- **Social engineering** is an attempt to trick an individual into revealing information or taking an action that can be used to attack systems or networks.
- **Examples of Commonly Used Types of Social Engineering**
  - **Phishing** is a digital form of social engineering that uses authentic-looking emails to trick users into sharing personal information. It usually includes a link that takes the user to a fake website. If you cannot verify the source, do not open the link. Report suspicious messages to your IT team.
    - **Spear Phishing** is a type of phishing where a specific user or group of users is targeted because of their position (such as a company's administrators).
    - **Quishing**, short for QR code phishing, is a type of phishing where a QR code is used to trick users into visiting malicious websites or downloading malware.
  - **Social media exploitation** is where the attacker uses information found on a user's social media profiles to create a targeted phishing attack.
  - **Pretexting** and **Impersonation** are where the attacker creates a fictional backstory that is used to manipulate someone into providing private information or to influence behavior. Attackers will often impersonate a person of authority, a co-worker, or a trusted organization and engage in back-and-forth communication prior to launching a targeted spear phishing attack.
    - **Fake IT Support calls** are a common form of impersonation where someone pretends to be an authorized user or administrator in an attempt to gain illicit access to protected data systems. The attacker has enough information to sound credible, and they ask the user for some bit of information that will allow the attacker to gain access to the desired system.
  - **Baiting** is the use of a false promise to lure the user into a trap, including enticing ads that lead to malicious sites or encourage users to download a malware-infected application.
    - **Scareware** is a type of baiting where false alarms or fictitious threats lure the user into a trap. One example is the attacker convincing a user that their system is infected with malware and that they should install software granting remote access. Another example is the attacker claiming to have sensitive videos which will be released if the user does not pay.
    - **Quid pro quo** is a type of baiting where the attacker requests the exchange of some type of sensitive information, such as critical data, login credentials, or monetary value, in exchange for a service. For example, a user might receive a phone call from an attacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.
  - **Tailgating**, also known as "piggybacking", is where an unauthorized person manipulates their way into a restricted area, such as by impersonating a well-known role (e.g., delivery driver or custodial worker) or asking a user to "hold the door".
    - **Thread-jacking** is a type of digital tailgating where the attacker replies to an existing email exchange, inserting themselves into a legitimate conversation.
  - **Shoulder surfing** is where an unauthorized person stands near a user to get the user's password or other data from the user's computer monitor. Users should take the following precautions to prevent shoulder surfing:
    - Angle your computer so that other people cannot see what you are typing.
    - Use a privacy screen to make your screen less visible to others.
    - If possible, sit or stand with your back to a wall when entering a password on a device in public.
    - Try to avoid viewing restricted information in public.
    - Shield forms from viewing when filling out paperwork.
    - Use strong passwords to make it more difficult for someone to guess what you typed.
    - Remember to lock your computer or device when you leave your desk.
- A **vulnerability** is any weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat. Examples are:
  - **Physical:** placement of a computer in a non-secure location.
  - **Natural:** a server connected to a power source without a protector or backup power supply.
  - **Hardware:** a connection without a firewall.
  - **Software:** not updating the Windows operating system when updates are issued.
- Criminal justice data systems and networks that are connected to one another and to the internet are especially vulnerable to exploitation by unauthorized individuals.

![](media/image5.png)

**Minimize Vulnerability**

- To minimize vulnerabilities, agencies should:
  - Take steps to protect against viruses, worms, trojan horses, and other malicious code by keeping antivirus software up to date.
  - Monitor user activity to ensure improper use is prohibited.
  - Challenge strangers or report unusual activity around CJI.
- Organizations should establish channels through which employees and management can communicate concerns regarding potential indicators of insider threat or potential instances of social engineering and data mining, in accordance with established policies and procedures.

**Using Generative AI**

- Generative AI (Artificial Intelligence) refers to a machine learning model that uses existing data to create new content, based on input from the user.
- **Examples of generative AI include:**
  - Language translation
  - Content creation (e.g., public relations communications, documentation)
  - Safety and training enhancement (e.g., course creation, tailored coaching)
  - Cybersecurity support (e.g., threat detection and analysis)
  - Image generation (e.g., restoration of damaged images, face aging)
- **Best Practices When Using Generative AI**
  - If using ChatGPT or another off-the-shelf model (i.e., an application which is not specifically customized or designed for your organization):
    1. Never input any CJI or personally identifiable information.
    2. Turn off history if using a generative AI tool that enables that choice.
    3. Closely monitor the generated results for factual errors, biased or inappropriate statements, and incorrect or misleading information which is presented as if it were true.

**Security Alerts and Advisories**

- As a part of ongoing security awareness, agencies should:
  - Receive information system security alerts/advisories on a regular basis.
  - Issue alerts/advisories to appropriate personnel.
  - Document the types of actions to be taken in response to security alerts/advisories.
  - Take appropriate actions in response.
  - Employ automated mechanisms to make security alert and advisory information available throughout the agency as appropriate.

**LESSON 3: ROLES AND RESPONSIBILITIES**

**Agency Definitions and Roles**
- **CJIS Systems Agency (CSA)** is the agency responsible for establishing and administering an information technology security program throughout their user community, including local levels. There is only one CSA per state or federal organization.
  - **CJIS Systems Officer (CSO)** is an individual located within the CSA who is responsible for the administration of the CJIS network within the organization.
  - **Information Security Officer (ISO)** serves as the security point-of-contact to the FBI CJIS Division. The ISO is also responsible for documenting and providing assistance for implementing security-related controls within the organization.
- **Criminal Justice Agency (CJA)** is a governmental agency that performs the administration of criminal justice pursuant to a statute or executive order. Examples include courts, prisons, state and federal inspector general offices, police departments, etc.
  - **Terminal Agency Coordinator (TAC)** serves as the point-of-contact at the local agency for matters relating to CJIS information access.
- **Noncriminal Justice Agency (NCJA)** is a government, private, or public agency that provides services primarily for purposes other than the administration of criminal justice. Examples of noncriminal justice agencies that might access CJI include a 911 communications center that performs dispatching functions for a criminal justice agency (government), a bank needing access to criminal justice information for hiring purposes (private), or a county school board that uses criminal history record information to assist in employee hiring decisions (public).

**Organizational Personnel with Information Security Responsibilities** are responsible for ensuring the confidentiality, integrity, and availability of CJI and the implementation of technology in compliance with the CJIS Security Policy.

- **Local Agency Security Officer (LASO)** serves as the primary Information Security contact between a local law enforcement agency and the CSA. The LASO actively represents their agency in all matters pertaining to Information Security, including disseminating security alerts and maintaining security documentation.
- **Authorized Recipient Security Officer (ARSO)** coordinates and oversees information security by ensuring that the approved fingerprint processing contractor adheres to the CJIS Security Policy, verifying the completion of CJIS Security and Privacy Training, and communicating with the FBI CJIS Division on matters relating to information security.

**Agency Responsibilities**

- Agencies that access CJI are required to adhere to all technical and procedural requirements of the FBI CJIS Security Policy. They are also required to develop and publish internal information security policies, including penalties for misuse, and to maintain a set of current written policies and procedures on how misuse of CJI will be handled.

**Individual User Responsibilities**

- Individuals are responsible for maintaining their own conduct as it pertains to CJI. Individual user responsibilities include the following:

![](media/image7.png)

**Top 5 Daily Security Rules:**

**Contractor/Vendor Responsibilities**

- Private contractors who perform criminal justice functions must meet the same training and certification criteria required by governmental agencies performing a similar function. They are also subject to the same audit review as a local agency.
- **CJIS Security Addendum**
  - All private contractors who perform criminal justice functions must sign the **CJIS Security Addendum**, an addendum to the agreement between a criminal justice agency and a private contractor.
  - The Security Addendum includes security provisions for contractors.

![](media/image9.png)

- **Addendums include:**
  - Ensuring the security and confidentiality of the information consistent with existing regulations
  - Authorizing access to CJI
  - Limiting the use of the information to the purposes for which it is provided
  - Providing for sanctions (penalties)
- This security addendum shall be incorporated in the agreement that specifies the contractor's scope and purpose for providing services.

**LESSON 4: WHAT IS CJIS?**

- In the United States, the individual right to privacy is protected by the US Constitution. ***The Privacy Act of 1974*** further protects personal privacy from misuse by regulating the **collection**, **maintenance**, **use**, and **dissemination** of information by criminal justice agencies.

**Criminal Justice Information**

- **Criminal Justice Information (CJI)** is the term used to refer to all of the FBI Criminal Justice Information Services (CJIS) Division provided data necessary for law enforcement and civil agencies to perform their work.
- CJI can include any of the following:

![](media/image11.png)

- **National Crime Information Center (NCIC)**, located in West Virginia, is a computerized database of CJI available to law enforcement agencies nationwide.
- **NLETS** is another important organization in the communication of criminal justice information: a computer-based message switching system that connects every state, local, and federal law enforcement, justice, and public safety agency for the purposes of sharing and exchanging critical information.

**Criminal History Record Information**

- Some NCIC records have greater restrictions due to the sensitive nature of the information. Examples of NCIC information:
- **Criminal History Record Information (CHRI)** is arrest-based data collected by both national and state criminal justice agencies. CHRI is sometimes informally referred to as "restricted data".
- **CHRI Data** includes:
  - Arrest descriptions and notations
  - Other formal criminal charges
  - Conviction status
  - Sentencing data
  - Incarceration or correctional supervision
  - Probation and parole information
- **Interstate Identification Index (III)** is a "pointer" system that ties FBI criminal history files and state-level files maintained by each state into a national system. Federal, state, and local criminal justice agencies can use the III to conduct searches to determine whether an individual has a criminal record anywhere in the country. If a record exists, that agency can then be pointed to the federal or state file from which the record may be obtained online. The information obtained from the III is CHRI and should be accessed only for an authorized purpose. **All users must provide a reason for all III inquiries.**
- ***The restricted files, which should be protected as CHRI, are as follows:***
  - Gang Files
  - Threat Screening Center Files
  - Supervised Release Files
  - National Sex Offender Registry Files
  - Historical Protection Order Files
  - Identity Theft Files
  - Protective Interest Files
  - Person With Information (PWI) data in Missing Persons Files
  - Violent Person File
  - National Instant Criminal Background Check System (NICS) Denied Transaction

**NCIC Non-Restricted Files**

- All NCIC files which cannot be classified as CHRI or as an NCIC Restricted File are considered **NCIC Non-Restricted Files**. Examples of non-restricted files include Boats, Guns, Missing Persons, Protection Orders, Vehicles, and Wanted Persons.

**Personally Identifiable Information (PII)**

- Personally Identifiable Information (PII) is information which can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information (e.g., date of birth, place of birth, gender, race, etc.).
- **Examples of PII include:**
  - Name
  - Social security number
  - Biometric records (such as fingerprints, retina scans, facial geometry)
  - Driver's License or Passport number
  - Personal address information (including physical or email addresses)
- Any FBI CJIS provided data maintained by an agency (including education, financial transactions, medical history, and criminal or employment history) may include PII.
- PII should be extracted from CJI for the purpose of official business only. Agencies must develop policies, based on state and local privacy rules, to ensure appropriate controls are applied when handling PII extracted from CJI.

**LESSON 5: Proper Access, Use, & Dissemination of CJI**

*Note: This section applies to the access, use, and dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, NCIC Non-Restricted Files Information, and NCIC Non-Restricted Files Information Penalties.*

- The CJIS Security Policy provides the minimum standard for the proper access, use, and dissemination of CJI. Local policy may **increase** the standards but should not reduce restrictions from those set by the CJIS Security Policy.

**Information Handling**

- Procedures for the handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration, or misuse.

**Authorized Purposes**

- Access to and use of CJI and CHRI is primarily for criminal justice purposes. In some cases, access can be granted for the performance of a noncriminal justice function in certain circumstances, as authorized by federal or state law.
- **Criminal justice purposes** include criminal identification and the collection, storage, and dissemination of criminal history record information. Types of criminal identification are:
  - Detection
  - Apprehension
  - Pre-trial release
  - Post-trial release
  - Prosecution
  - Adjudication
  - Detention
  - Correctional supervision
  - Rehabilitation of accused persons or criminal offenders
- **Noncriminal justice purposes** for using criminal history records may include:
  - Employment suitability
  - Licensing determinations
  - Immigration and naturalization matters
  - National security clearances
- **CJI should never be queried for personal benefit.**

**Authorized Usage**

- Once CHRI has been obtained from the III system, it must be used for the **same** authorized purpose for which it was requested.
- **Examples of authorized usage and the corresponding purpose codes:**
  - John Doe is hired to perform some plumbing work at a local police department. The department runs a III check using purpose code C for site security. One month later, he applies for an employment position at the same local police department. Rather than use the information from the previous search, a new III check must be performed with purpose code J for employment suitability. ***Note: These are only example codes. Please refer to your agency's policy for your authorized purpose codes.***

**CJI Dissemination**

- CJI should be disclosed only on a need-to-know, right-to-know basis. This means that CJI should never be shared with anyone who does not require the information for their official duties.
- Special consideration should be made in all methods of communication to protect CJI from unauthorized disclosure:
  - **Phone/Radio:** Voice transmission of a criminal history should be limited. Details should only be given over cell phone or radio when an officer determines that the CJI is needed immediately to further an investigation or in situations affecting the safety of an officer or the general public.
  - **Email:** Email may be a compliant method to disseminate CJI provided that the email service has the appropriate spam and antivirus protections in place and meets the encryption and authentication requirements for CJI in transit. Always verify the recipient's authorization ***before*** sending CJI in an email.
  - **Faxing:** An agency may use a facsimile (fax) machine to send CJI, provided that both the sending and receiving agencies have an Originating Agency Identifier (ORI) and are authorized to receive CJI. The encryption requirements for CJI in transit must be used unless the fax is being sent over a standard telephone line. Always verify the receiving agency's authenticity ***before*** sending a fax transmission.
  - **Text/Chat:** Texting using the cellular service provider's regular SMS or MMS functions is not considered secure or appropriate for transmission of CJI data.

**Media Access**

- Access to all **digital media** and **non-digital media** should be restricted to authorized individuals.
- An example of restricting access to digital media would be to only allow the system development team to access a flash drive containing system design specifications.
- **Digital Media:** examples of digital (i.e., electronic) media include:
  - Diskettes
  - Magnetic tapes
  - CD/DVD
  - External or removable hard drives
  - USB flash drives
- **Non-digital Media:** examples of non-digital (physical) media are:
  - Paper
  - Microfilm
  - Fax ribbon
- An example of restricting access to non-digital media would be to only allow authorized users to access hard copies of case file information stored in a locked filing cabinet.

**Media Storage**

- Digital and non-digital media should be securely stored and physically controlled within a physically secure location or controlled area. Encryption of CJI on digital media should be employed when physical and personnel restrictions are not feasible.
- **Secure storage** of media includes:
  - Locked drawer, desk, or cabinet
  - Controlled media library
- **Physically** controlling stored media includes:
  - Conducting inventories
  - Ensuring procedures are in place to allow users to check out and return media
  - Maintaining accountability for stored media

**Media Disposal**

- Formal procedures for the secure disposal of physical media shall minimize the risk of compromising sensitive information. Proper disposal or destruction should be witnessed or carried out by authorized personnel.
- If physical destruction is not possible, the media must be overwritten at least 3 times to prevent unauthorized access to previously stored data.
- **Physical Media Disposal:** If hard copies no longer need to be retained, **shredding** and **incineration** are the two most popular methods for destruction.

**Access, Use, and Dissemination Penalties**

- Unauthorized **requests**, **receipt**, **release**, **interception**, **dissemination**, or **discussion** of CJI is a serious violation and may result in the following:
  - **Criminal Penalties**
  - **Termination of Employment**
- **Personnel Sanctions**
  - Agencies must have a formal sanctions process for personnel failing to comply with established information security policies and procedures.
  - The agency will perform a formal disciplinary process for any personnel who fail to comply with the security policies and procedures.
- Continued misuse of CJI could result in an agency being denied access until the violations have been corrected.

**LESSON 6: ACCESS CONTROL**

- **Access control** is the regulation of access between active entities (i.e., users or processes acting on behalf of users) and passive entities (i.e., devices, files, records, domains) in organizational systems.

**Access Control Policy**

- Agencies must develop and document an access control policy, which must be reviewed ***annually*** and ***following any security incidents*** involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
- An individual with security responsibilities should be designated to manage the development, documentation, and dissemination of the access control policy and procedures.

**Access Control Criteria**

- Authorized access to the system should be based on:
  - Valid access authorizations (i.e., privileges)
  - Intended system usage
  - Attributes associated with the user's account (see AC-2(d)(3) in the Security Policy for a list of possible attributes)
- **Individual Access:** Individuals should have access to elements of their personally identifiable information (PII) through either an automated process (e.g., an application interface) or a manual process (e.g., request forms). This access helps individuals develop an understanding of how their PII is being processed. It can also help individuals ensure that their data is accurate.
- **Publicly Accessible Content**
  - Publicly accessible content applies to systems that are controlled by the organization and accessible to the public, typically without identification or authentication. An example of publicly accessible content would be any information on the organization's website which does not require the user to log in to view.
  - An individual authorized to make information publicly accessible should be designated and trained to review the proposed content to ensure that publicly accessible information does not contain nonpublic information. **Content on publicly accessible systems should additionally be reviewed *quarterly*** for nonpublic information, which should be removed if discovered.
  - **Posting of information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) should be covered in organizational policy.**

**Access Enforcement**

- Approved authorizations for logical access to information and system resources should be enforced in accordance with applicable access control policies.
- When enforcing access control policies, there are two important **security principles** which should be implemented: **Least Privilege and Separation of Duties.**
  - **Least Privilege:** The security principle of **least privilege** is where individuals are granted only the most restrictive set of access privileges required to perform their official duties. This limits access to CJI to only authorized personnel with the need and the right to know.
  - **Separation of Duties:** The security principle of **separation of duties** is the division of roles and responsibilities so that different individuals perform each function related to administrative duties. For example, those with the ability to create and assign user access to the system should not be able to access the audit logs that contain the evidence of the account actions.

**Personnel Security**

- **Having proper personnel security measures against the insider threat is a critical component of information security.**
- **Screening Requirements**
  - All personnel, including contractors and vendors, must be screened prior to being granted access to CJI.
  - The following are the minimum requirements for screening individuals needing access to CJI:
    - All personnel who will have unescorted access to unencrypted CJI (including contractors and vendors) must be screened ***prior*** to being granted access to CJI.
    - Screening must include state of residency and national fingerprint-based records checks.
    - All requests for access must be made as specified by the CSO, and only the CSO or their designee (from an authorized criminal justice agency) may approve access to CJI.
    - If a record of any kind exists, access to CJI will not be granted until the CSO or their designee reviews the matter to determine if access is appropriate.
    - The granting agency must maintain a list of personnel who have authorized access to CJI.
It is recommended that individual background re-investigations be conducted ***every five years.*** 86. Checks are not necessary if the individual is always escorted by authorized personnel. lxxxi. **Transfers:** 87. CJI access authorizations **[must be reviewed]** when personnel are reassigned or transferred to other positions within the agency. If changes need to be made, all appropriate actions must be taken such as closing and establishing accounts and modifying system access authorizations. lxxxii. **Termination:** 88. Upon termination of personnel, the agency must ***[immediately ]***discontinue access to any local agency systems which can access CJI. If the employee is an employee of a Non-Criminal Justice Agency or a Contractor, the employer must notify all agencies that may be affected by the personnel change. 12. **LESSON 7: PHYSICAL SECURITY** y. The areas that process or store Criminal Justice Information (CJI) should be physically secure to prevent unauthorized access. 13. **Physical Access Authorizations** z. To ensure physical security and prevent unauthorized access to physically secure areas, agencies must: lxxxiii. Develop and maintain a list of individuals with authorized access to any physically secure location. lxxxiv. Issue authorization credentials (e.g., ID badges, identification cards, etc.) for access to the physically secure location. a. All access points to a physically secure location must be controlled, and individual access authorizations should be verified before granting access. b. **Physical Controls** lxxxv. Physical controls required for securing locations where CJI is stored, processed, or transmitted include: 89. **Physical Access Devices -**Security devices (e.g., keyed locks, digital locks, biometric readers, card readers, etc.) should be used to prevent unauthorized users from accessing the secure area. 
Locks or entry codes should be changed in the event that keys are lost, entry codes are compromised, or users possessing keys or entry codes are transferred or terminated. 90. **Monitoring Physical Access -** Agencies should monitor physical access to physically secure locations to detect and respond to security incidents. Examples of physical access monitoring include the employment of guards, video surveillance cameras, and sensor devices. 91. **Access Control for Display Medium -** Agencies must position information system devices in such a way as to prevent unauthorized individuals from accessing and viewing CJI. 92. **Delivery and Removal -** Agencies must authorize and control information system-related items entering and exiting the physically secure location. 93. **Visitor Control -** Visitors should be **[escorted at all times]** and all activity within the physically secure location should be monitored. [Records of visitor access should be kept for ***one year***] and should include the visitor's name and organization, signature, forms of identification, date of access, entry and departure times, purpose of visit, and the name and organization of individual being visited. c. **Controlled Areas:** lxxxvi. If an agency cannot meet all of the controls required for establishing a physically secure location but has an operational need to access or store CJI, the agency shall designate an area, room, or storage container as a controlled area for the purpose of day-to-day CJI access or storage. lxxxvii. The controlled area should have the following security measures: 94. **Hard Copy Storage -**Store hard copies containing CJI in such a manner as to prevent unauthorized or inadvertent access. 95. **Electronic Encryption-** Follow the encryption requirements in the CJIS Security Policy for CJI data at rest. 96. 
  - **Hidden from Plain View -** Position information system devices and documents containing CJI in such a way as to prevent unauthorized individuals from accessing and viewing them. In this example, the computer is facing outside the secure area, so it is ***not*** secure.
  - **Authorized Personnel Only -** Limit access to the area *only* to those personnel authorized by the agency to access or view CJI.
  - **Locked Area -** Lock the area, room, or storage container when unattended.

**STOP: It is the responsibility of *all personnel* to help ensure that these areas stay secure. Be aware of the physical security precautions in place and follow these safety measures at all times.**

![](media/image14.png)

**[LESSON 8: SYSTEM SECURITY]**
- **System Security**, or IT Security, is hardware or software used to assure the integrity and protection of information and the means of processing it.

**System Access Control**
- Access control mechanisms that enable system access to CJI should be restricted by object (e.g., data set, files, records), including the ability to read, write, or delete the objects.

**System Use Notification**
- A system use notification must be displayed to users ***before*** granting access to the system.
- The notification should include the following information:
  1. The user is accessing a restricted information system.
  2. System usage may be monitored, recorded, and subject to audit.
  3. Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties.
  4. Use of the system indicates consent to monitoring and recording.

**Session Lock**
- To prevent unauthorized access to the system, an automatic device lock, such as a **screensaver with a password**, should be initiated within ***30 minutes*** of inactivity.
- For safety reasons, the following may be exempt from this requirement:
  - Devices that are part of a criminal justice conveyance (e.g., an enclosed mobile vehicle used for the purposes of criminal justice activities).
  - Devices that are used to perform dispatch functions and located within a physically secure location.
  - Terminals designated solely for the purpose of receiving alert notifications (i.e., receive-only terminals [ROT]) used within physically secure location facilities that remain staffed when in operation.
- *Note: A device lock is **not** a substitute for logging out of the information system. Device locks are intended to be temporary actions when users stop work and move away from the immediate vicinity but do not want to log out.*

**Session Termination**
- Once a user has logged out, the user session should be automatically terminated. Other events which might trigger automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

**Identification and Authentication**
- Each organizational user who is authorized to store, process, or transmit CJI must be uniquely identified and authenticated.
- *Note: Organizations may allow some user actions without requiring identification or authentication. Examples include when individuals access public websites or when a fax is received.*

**Identification**
- **Identification** is a unique representation of an individual user, machine, or other entity within an information system, usually in the form of a simple character string.
- Examples of identifiers include:
  - Personal Identifier (i.e., User ID)
  - Agency Identifier (i.e., ORI)
    *Note: The FBI-authorized originating agency identifier (ORI) must be used on each CJIS systems transaction.*
  - Device Identifier (e.g., Media Access Control [MAC] addresses, Internet Protocol [IP] addresses, device-unique tokens)
- Identifiers that have been previously used by an individual, group, role, service, or device may not be assigned to any other individual, group, role, service, or device for at least ***one year***.

**Authentication**
- **Authentication** refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources. Software or systems approved to access CJI, whether provided by the State/Federal agency, developed by a local agency, or purchased from a vendor, must follow the authentication requirements defined in the FBI CJIS Security Policy.
- *Multi-factor authentication (MFA)*
  - Multi-factor authentication requires the use of two or more different factors to achieve authentication. Verifying multiple factors provides a higher level of confidence that the requester is legitimate.
  - Authentication factors include:
    - Something you know (e.g., a password or PIN)
    - Something you have (e.g., a smart card or an application that generates a one-time password)
    - Something you are (e.g., a fingerprint or facial recognition)
- *Passwords*
  - *Note: For a full list of password requirements, see section IA-5(1)(a) on Memorized Secret Authenticators and Verifiers in the CJIS Security Policy.*
  - If basic password standards are being followed, user-chosen passwords must:
    - Be a minimum of 8 characters.
    - Be changed at least every ***90 calendar days***.
    - Not be the same as the User ID.
    - Not be a proper name.
    - Not be a dictionary word.
    - Not be identical to the previous 10 passwords.
    - Not be displayed when entered.
    - Not be transmitted outside of the secure domain.

**System and Communication Protection**
- System and communications protection helps safeguard the flow of information within an information system through boundary and transmission protection.

**Encryption**
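An added example (not part of the training, and not the CJIS Security Policy's own tooling): a Python checker for the basic password rules listed under Authentication above, applied when a user picks a new password. The dictionary and proper-name lists, the user IDs and the sample passwords are constructed; old passwords are kept only as salted hashes so the "previous 10" comparison never stores them in clear.

```python
"""Added example, not part of the CJIS training: a checker for the basic
password rules listed under Authentication. The word lists are constructed
samples; an agency would plug in a real dictionary and name list."""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8        # "Be a minimum of 8 characters"
MAX_AGE_DAYS = 90     # "Be changed at least every 90 calendar days"
HISTORY_DEPTH = 10    # "Not be identical to the previous 10 passwords"

# Constructed sample lists (assumption: lower-case, whole-word matching).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dispatch", "sheriff"}
PROPER_NAMES = {"michael", "jennifer", "springfield", "washington"}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so old passwords are kept only as hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(candidate, history):
    """True if the candidate equals any stored (salt, digest) entry."""
    return any(hash_password(candidate, salt)[1] == digest
               for salt, digest in history)


def check_new_password(candidate, user_id, history):
    """Return the rules the candidate breaks (an empty list means acceptable).

    history lists the most recent password hashes first; only the last
    HISTORY_DEPTH entries are compared, as the rule requires."""
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("minimum of 8 characters")
    if lowered == user_id.lower():
        violations.append("same as the User ID")
    if lowered in PROPER_NAMES:
        violations.append("proper name")
    if lowered in DICTIONARY_WORDS:
        violations.append("dictionary word")
    if matches_history(candidate, history[:HISTORY_DEPTH]):
        violations.append("identical to one of the previous 10 passwords")
    return violations


def password_expired(last_changed_iso, today_iso):
    """True once 90 calendar days have elapsed since the last change."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


def rotate_password(candidate, user_id, history):
    """Apply the checks; on success push the new hash and trim the history.

    Returns (violations, new_history). Reading the password itself should use
    a non-echoing prompt such as getpass.getpass(), per "not displayed when
    entered"; this helper only validates the value."""
    violations = check_new_password(candidate, user_id, history)
    if violations:
        return violations, history
    return [], [hash_password(candidate)] + history[:HISTORY_DEPTH - 1]
```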
- **Encryption** is the process of converting information or data into a code to prevent unauthorized access. **Decryption** is the process of converting the information back from its encrypted state into a readable format.

**System and Information Integrity**
- System and information integrity helps ensure that the information being accessed has not been tampered with or damaged by an error in the information system.
- *Malicious Code Protection (Malware)*
  - Malicious code, also known as **malware**, refers to a program that is covertly inserted into another program with the intent to compromise the confidentiality, integrity, or availability of the data. Examples of malware include viruses, worms, adware, and ransomware.
  - To protect against malicious code, agencies should:
    - Employ virus protection to detect and eradicate malware at critical points throughout the network and on all workstations, servers, and mobile computing devices on the network.
    - **For all systems with internet access:** malicious code protection should include automatic updates.
    - **For all systems *not* connected to the internet:** implement local procedures to ensure malicious code protection is kept current.
- *Spam & Spyware Protection*
  - Spam and spyware protection must be implemented on all organizational email systems, removable media (e.g., USB memory sticks, external hard drives, etc.), and all internet access points.
  - Spam and spyware protection should include:
    - Spam protection at critical information system entry points (e.g., firewalls, electronic mail servers, remote-access servers)
    - Spyware protection at workstations, servers, and mobile computing devices on the network
    - Spam and spyware protection designed to detect and take appropriate action on unsolicited messages and spyware/adware

**Wireless Access**
- Wireless access to the system should be protected using appropriate encryption and authentication.
Agencies must establish the configuration requirements, connection requirements, and implementation guidance for each type of authorized wireless access prior to allowing the connection.
- Bluetooth
  - Bluetooth technology has been integrated into many types of devices, including cell phones, laptops, automobiles, printers, keyboards, mice, headsets, and biometric capture devices.
  - Like other wireless technologies, Bluetooth is susceptible to threats such as eavesdropping and message modification. Organizational security policy should determine the use of Bluetooth and its associated devices based on the organization's operational processes.

**Wireless Device Risk Mitigations**
- To reduce the risks associated with wireless devices, the following practices should be implemented:
  - Use multi-factor authentication.
  - Encrypt all CJI on the device.
  - Employ personal firewalls.
  - Employ anti-virus software.
  - Configure for local device authentication.
  - Erase cached information when the session is terminated.
  - Apply available critical patches and upgrades to the operating system.
  - Disable wireless capabilities in devices when not needed for essential organizational functions.
- **Wireless Device Malicious Code Protection**
  - Agencies that allow wireless devices, such as smartphones and tablets, to access CJI should have an approval process for all software used on those devices. Wireless devices should be regularly scanned for the presence of unauthorized software, viruses, and other malicious code using Mobile Device Management (MDM) software or native capabilities in the device, if available.

**Mobile Device Security**
- A **mobile device** is any computing device that is small enough to easily be carried by a single individual, can operate without a physical connection, stores data locally, and includes a self-contained power source (i.e., a battery).
Mobile devices include pagers, cell phones, personal digital assistants (PDAs), laptops, and other portable computing devices.
- Cellular Device
  - A cellular device is any device that is capable of employing cellular technology, including smartphones (i.e., Blackberry, iPhones, etc.), tablets, and PDAs. Threats to cellular handheld devices are mainly due to their size, portability, and services.
  - Examples of threats to cellular devices include:
    - Loss, theft, or disposal
    - Unauthorized access
    - Malware
    - Spam
    - Electronic eavesdropping
    - Electronic tracking
    - Cloning
- **Access Control for Mobile Devices**
  - Agencies must establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, including when devices are outside of controlled areas.
- **Mobile Device Management (MDM)**
  - Mobile Device Management (MDM) is software which can provide centralized oversight of configuration control, application usage, and device protection and recovery.
  - For direct access to CJI on a mobile device, MDM should include the following controls:
    - Remote locking of the device
    - Remote wiping of the device
    - Setting and locking device configuration
    - Detection of "rooted" and "jailbroken" devices
    - Enforcement of folder- or disk-level encryption
    - Application of mandatory policy settings on the device
    - Detection of unauthorized configurations
    - Detection of unauthorized software or applications
    - Ability to determine the location of agency-controlled devices
    - Prevention of unpatched devices from accessing CJI or CJI systems
    - Automatic device wiping after a specified number of failed access attempts
- **STOP:** Devices that have had any unauthorized changes made to them, such as being rooted or jailbroken, should **not** be used to process, store, or transmit CJI data at any time.

**Remote Access**
- **Remote access** is any temporary access to an agency's information system by a user through an external, non-agency-controlled network such as the internet.
- All remote access must be monitored and controlled by the agency through managed access control points. Remote access may be permitted for executing privileged commands *only for compelling operational needs*. Documentation on the technical and administrative process for enabling remote access must be included in the security plan for the information system.

**Use of External Systems**
- An **external system** is any system which can access organization-controlled information but is not directly controlled by the organization.
- If the agency opts to allow the use of external systems, assurances should be obtained via independent assessment, attestations, or other means that the external systems contain the necessary controls. The use of external systems and any method to ensure compliance should be documented in agency-level policies.
- Alternatively, agencies may opt to prohibit the use of any external systems.

**Personally Owned Information Systems**
- Personally owned information systems should **not** be used to access, process, store, or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage.

**Publicly Accessible Computers**
- Publicly accessible computers should **not** be used to access, process, store, or transmit CJI.
- Examples of publicly accessible computers include (but are not limited to):
  - Hotel business center computers
  - Convention center computers
  - Public library computers
  - Public kiosk computers

**Audit Monitoring, Analysis, & Reporting**
- Agencies must designate an individual or position to perform the following audit monitoring, analysis, and reporting activities:
  - Review system audit records ***weekly*** for indications of inappropriate or unusual activity.
  - Analyze system audit records for the potential impact of the inappropriate or unusual activity.
  - Report findings to appropriate officials.
  - Adjust the level of audit record review when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

**[LESSON 9: INCIDENT RESPONSE]**

**Security Incidents**
- A **security incident** is a violation of the CJIS Security Policy that threatens the confidentiality, integrity, or availability of CJI.

**Incident Indicators**
- Security incidents are not always obvious. In some cases, you may only see *indicators* of an incident.
- Examples of indicators include:
  - New user accounts are mysteriously created, bypassing standard procedures.
  - Sudden high activity on an account that has had little or no activity for months.
  - Data modification or deletion.
  - Changes in file lengths or modification dates.
  - New files with novel or strange names appear.
  - Attempts to write to system files.
  - Unexplained poor system performance.
  - The system unexpectedly crashes without clear reasons.
  - Denial of service.
  - Suspicious probes.
  - Suspicious browsing.

**Security Incident Policy**
- Agencies must develop and document an incident response policy which must be reviewed and updated ***annually*** and ***following any security incidents*** involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
- All personnel with unescorted logical or physical access to unencrypted CJI should be made aware of this policy, as well as the procedures to facilitate the implementation of the policy.

**Incident Response Training**
- Incident Response Training should train the user in identifying and reporting suspicious activities from external and internal sources.
It must be provided to system users according to their assigned roles and responsibilities ***prior*** to being given system access or assuming an incident response role or responsibility. Subsequent training must be provided ***annually*** and ***when required by system changes***.
- Examples of training according to a user's assigned role:
  - **Normal User** - needs to know who to call or how to recognize an incident.
  - **System Administrator** - needs additional training on how to handle incidents.
  - **Incident Responder** - may need more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration.
- Incident Response training must also be reviewed and updated ***annually*** and ***following any security incidents*** involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
- Examples of events which may lead to an update of the incident response training:
  - Testing that was planned.
  - Response to an actual incident (lessons learned).
  - Audit or assessment findings.
  - Changes in applicable laws or regulations.

**Incident Response Testing**
- The incident response capability for the system must be tested ***annually*** using the following methods:
  - tabletop or walk-through exercises,
  - simulations (parallel or full interrupt), or
  - other agency-appropriate tests.
- This testing should be coordinated with other related organizational plans, such as disaster recovery plans, business continuity plans, crisis communications plans, and other organizational emergency plans.

**Incident Handling**
- There are four phases in the incident response life cycle which will assist in the handling of a security incident:
  - ***Preparation*** - involves establishing and training an incident response team and acquiring the necessary tools and resources to manage an incident.
  - ***Detection and analysis*** - begin when a security incident has occurred. The method of attack, as well as the impact to the systems and personnel involved, must be determined.
  - ***Containment*** activities for computer security incidents involve decision-making and the application of strategies to help control attacks and damage, cease attack activities, or reduce the impact or damage caused by the incident.
  - ***Eradication*** efforts for a computer security incident involve removal of the security threat, including removal of latent threats (e.g., malware, invalid user accounts, etc.) and identification of any vulnerabilities caused by the incident.
  - ***Recovery*** efforts for incidents involve restoration of affected systems to normal operation.
  - ***Post-incident activities*** involve the reflection, compilation, and analysis of the activities that occurred leading to the security incident, and the actions taken by those involved in the security incident.
- Agencies should incorporate the lessons learned from ongoing incident handling activities into the incident response procedures.
- The incident handling process should be supported using automated mechanisms (e.g., online incident management systems and tools that support the collection of live response data).
- Examples of the incident response lifecycle:
  - A local police department implements malware detection on their network and trains staff to recognize possible suspicious activity. ***Preparation***
  - A local police department notified their state ISO that suspicious network activity from a known botnet was detected on their network. ***Detection***
  - The state ISO began the process of collecting all pertinent information about this incident and requested that the local police department confirm that their malware signatures were up to date.
    ***Analysis.*** The state ISO contacted both the FBI CJIS ISO and the state CSO to relay the preliminary details of this incident. The state ISO gathered the remainder of the information from the local police department and submitted a completed incident response form to the FBI CJIS ISO. ***Analysis.***
  - The state ISO continued to monitor the situation, passing relevant details to the FBI CJIS ISO, until the botnet was determined to be eliminated from the local police department's infrastructure. ***Containment, Eradication, Recovery.***
  - Subsequent investigations determined that the botnet was restricted to the department's administrative infrastructure and thus no CJI was compromised. ***Post-Incident Activity.***

**Reporting Security Events**
- Report any incidents or unusual activity to your agency contact, Local Agency Security Officer (LASO), or Information Security Officer (ISO) ***immediately***.
- All personnel are required to report any suspected incident, regardless of how minor it might seem.
- **Security Incident Reports**
  - The following information should be included in the incident report:
    - Date of incident
    - Location of incident
    - Systems affected
    - Method of detection
    - Description of incident
    - Actions taken / resolution
    - Date & contact information for agency
  - Once the incident has been confirmed, the CJIS Systems Officer (CSO), State Identification Bureau (SIB) Chief, or Interface Agency Official should be notified.
  - Incident information should also be provided to the supplier of the product or service related to any systems or system components involved in the incident (as well as any other organizations involved in the supply chain).

**Incident Response Assistance**
- Automated incident response support resources which offer advice and assistance (e.g., help desks, assistance groups, incident response ticketing systems with tracking information available, etc.)
should be provided to users of the system for handling and reporting incidents.

**[LESSON 10: CONCLUSION]**
- As a reminder, this training must be completed ***every year*** to remain compliant with the FBI CJIS Security Policy.
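The weekly audit-record review required in Lesson 8 and the incident indicators listed in Lesson 9 can be partly automated. This added example (not part of the training, and not any agency's actual tooling) scans constructed audit records for three of the listed indicators: accounts created outside the standard procedure, sudden activity on an account that has been dormant for months, and attempts to write to system files; the record format, the "ticket=" convention, the thresholds and the protected paths are assumptions.

```python
"""Added example, not part of the CJIS training: a weekly audit-record review
that flags three of the incident indicators listed in Lesson 9. The record
format, thresholds, protected paths and the sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90       # assumption for "little or no activity for months"
BURST_THRESHOLD = 20    # assumption for "sudden high activity" within one day
SYSTEM_PATHS = ("/etc/", "/usr/bin/", "/boot/")  # assumed protected locations

# Constructed sample records: (ISO timestamp, actor, event, detail).
# "ticket=" records the change ticket that the standard account-creation
# procedure is assumed to require; NONE means the procedure was bypassed.
SAMPLE_RECORDS = [
    ("2023-11-20T10:00:00", "old_intern", "login", "workstation-3"),
    ("2024-03-01T08:05:00", "jdoe", "login", "workstation-12"),
    ("2024-03-04T09:30:00", "svc_backup", "account_created", "ticket=NONE"),
    ("2024-03-04T09:31:00", "hr_admin", "account_created", "ticket=CHG-1042"),
    ("2024-03-05T02:10:00", "svc_backup", "file_write", "/etc/passwd"),
    ("2024-03-05T02:11:00", "jdoe", "file_write", "/home/jdoe/report.txt"),
] + [("2024-03-06T03:%02d:00" % m, "old_intern", "query", "ncic") for m in range(25)]


def parse(records):
    """Convert timestamps and sort chronologically."""
    return sorted(((datetime.fromisoformat(ts), actor, event, detail)
                   for ts, actor, event, detail in records), key=lambda r: r[0])


def find_unapproved_accounts(records):
    """Indicator: new user accounts created bypassing standard procedures."""
    return [(ts, actor, detail) for ts, actor, event, detail in records
            if event == "account_created" and "ticket=NONE" in detail]


def find_dormant_bursts(records):
    """Indicator: sudden high activity on an account idle for months.

    For each actor, look for a gap of DORMANT_DAYS or more followed by at
    least BURST_THRESHOLD events inside the next 24 hours."""
    by_actor = defaultdict(list)
    for ts, actor, _, _ in records:
        by_actor[actor].append(ts)
    findings = []
    for actor, times in by_actor.items():
        for i in range(1, len(times)):
            idle = times[i] - times[i - 1]
            window = [t for t in times[i:] if t - times[i] < timedelta(days=1)]
            if idle >= timedelta(days=DORMANT_DAYS) and len(window) >= BURST_THRESHOLD:
                findings.append((actor, times[i].date().isoformat(), len(window)))
                break
    return findings


def find_system_file_writes(records):
    """Indicator: attempts to write to system files."""
    return [(ts, actor, detail) for ts, actor, event, detail in records
            if event == "file_write" and detail.startswith(SYSTEM_PATHS)]


def weekly_review(raw_records=SAMPLE_RECORDS):
    """Run every indicator check; the result feeds the report to officials."""
    recs = parse(raw_records)
    return {
        "unapproved_accounts": find_unapproved_accounts(recs),
        "dormant_bursts": find_dormant_bursts(recs),
        "system_file_writes": find_system_file_writes(recs),
    }


if __name__ == "__main__":
    for indicator, hits in weekly_review().items():
        print(indicator, hits)
```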
