CJIS Security Policy - Orange County, Florida


U.S. Department of Justice
Federal Bureau of Investigation
Criminal Justice Information Services Division

Criminal Justice Information Services (CJIS) Security Policy
Version 5.9
06/01/2020
CJISD-ITS-DOC-08140-5.9

Prepared by: CJIS Information Security Officer
Approved by: CJIS Advisory Policy Board

EXECUTIVE SUMMARY

Law enforcement needs timely and secure access to services that provide data wherever and whenever needed for stopping and reducing crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). The Federal Information Security Management Act of 2002 provides further legal basis for the APB approved management, operational, and technical security requirements mandated to protect CJI and, by extension, the hardware, software and infrastructure required to enable the services provided by the criminal justice community.

The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual, whether contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity, with access to, or who operates in support of, criminal justice services and information.

The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the criminal justice community's APB decisions along with nationally recognized guidance from the National Institute of Standards and Technology. The Policy is presented at both strategic and tactical levels and is periodically updated to reflect the security requirements of evolving business models. The Policy features modular sections enabling more frequent updates to address emerging threats and new security measures. The provided security criteria assist agencies with designing and implementing systems to meet a uniform level of risk and security protection while allowing agencies the latitude to institute more stringent security requirements and controls based on their business model and local needs.

The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems Agencies (CSA), including, in those states with separate authorities, the State Identification Bureaus (SIB). Further, as use of criminal history record information for noncriminal justice purposes continues to expand, the CJIS Security Policy becomes increasingly important in guiding the National Crime Prevention and Privacy Compact Council and State Compact Officers in the secure exchange of criminal justice records.

The Policy describes the vision and captures the security concepts that set the policies, protections, roles, and responsibilities with minimal impact from changes in technology. The Policy empowers CSAs with the insight and ability to tune their security programs according to their risks, needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy. The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

CHANGE MANAGEMENT

Revision | Change Description | Created/Changed by | Date | Approved By
5.0 | Policy Rewrite | Security Policy Working Group | 2/9/2011 | See Signature Page
5.1 | Incorporate Calendar Year 2011 APB approved changes and administrative changes | CJIS ISO Program Office | 7/13/2012 | APB & Compact Council
5.2 | Incorporate Calendar Year 2012 APB approved changes and administrative changes | CJIS ISO Program Office | 8/9/2013 | APB & Compact Council
5.3 | Incorporate Calendar Year 2013 APB approved changes and administrative changes | CJIS ISO Program Office | 8/4/2014 | APB & Compact Council
5.4 | Incorporate Calendar Year 2014 APB approved changes and administrative changes | CJIS ISO Program Office | 10/6/2015 | APB & Compact Council
5.5 | Incorporate Calendar Year 2015 APB approved changes and administrative changes | CJIS ISO Program Office | 6/1/2016 | APB & Compact Council
5.6 | Incorporate Calendar Year 2016 APB approved changes and administrative changes | CJIS ISO Program Office | 6/5/2017 | APB & Compact Council
5.7 | Incorporate Calendar Year 2017 APB approved changes and administrative changes | CJIS ISO Program Office | 08/16/2018 | APB & Compact Council
5.8 | Incorporate Calendar Year 2018 APB approved changes and administrative changes | CJIS ISO Program Office | 06/01/2019 | APB & Compact Council
5.9 | Incorporate Calendar Year 2019 APB approved changes and administrative changes | CJIS ISO Program Office | 06/01/2020 | APB & Compact Council

SUMMARY OF CHANGES

Version 5.9

APB Approved Changes
1. Section 5.13.2 Mobile Device Management (MDM): add clarifying language, Fall 2019, APB#18, SA#3, Mobile Device Management (MDM) Requirements in the CJIS Security Policy.
2. Appendix H, Security Addendum: add example of contract addendum, Fall 2019, APB#18, SA#7, Audit of Vendor Contracts with Authorized Criminal Justice Agencies (CJAs).
3. NOTE: There were no Spring 2019 APB actions.

Administrative Changes [1]
1. Section 5.6.2.2.2 Advanced Authentication Decision Tree: updated the tree description to account for direct and indirect access to CJI.
2. Figures 9 and 10: updated both figures to account for direct and indirect access to CJI.

KEY TO APB APPROVED CHANGES (e.g. "Fall 2013, APB#11, SA#6, add language, Future CSP for Mobile Devices"):
Fall 2013 – Advisory Policy Board cycle and year
APB# – Advisory Policy Board Topic number
SA# – Security and Access Subcommittee Topic number
add language – Summary of change
Future CSP for Mobile Devices – Topic title

[1] Administrative changes are vetted through the Security and Access Subcommittee and not the entire APB process.

TABLE OF CONTENTS

Executive Summary
Change Management
Summary of Changes
Table of Contents
List of Figures
1 Introduction
1.1 Purpose
1.2 Scope
1.3 Relationship to Local Security Policy and Other Policies
1.4 Terminology Used in This Document
1.5 Distribution of the CJIS Security Policy
2 CJIS Security Policy Approach
2.1 CJIS Security Policy Vision Statement
2.2 Architecture Independent
2.3 Risk Versus Realism
3 Roles and Responsibilities
3.1 Shared Management Philosophy
3.2 Roles and Responsibilities for Agencies and Parties
3.2.1 CJIS Systems Agencies (CSA)
3.2.2 CJIS Systems Officer (CSO)
3.2.3 Terminal Agency Coordinator (TAC)
3.2.4 Criminal Justice Agency (CJA)
3.2.5 Noncriminal Justice Agency (NCJA)
3.2.6 Contracting Government Agency (CGA)
3.2.7 Agency Coordinator (AC)
3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO)
3.2.9 Local Agency Security Officer (LASO)
3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
3.2.11 Repository Manager
3.2.12 Compact Officer
4 Criminal Justice Information and Personally Identifiable Information
4.1 Criminal Justice Information (CJI)
4.1.1 Criminal History Record Information (CHRI)
4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information
4.2.1 Proper Access, Use, and Dissemination of CHRI
4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information
4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
4.2.3.1 For Official Purposes
4.2.3.2 For Other Authorized Purposes
4.2.3.3 CSO Authority in Other Circumstances
4.2.4 Storage
4.2.5 Justification and Penalties
4.2.5.1 Justification
4.2.5.2 Penalties
4.3 Personally Identifiable Information (PII)
5 Policy and Implementation
5.1 Policy Area 1: Information Exchange Agreements
5.1.1 Information Exchange
5.1.1.1 Information Handling
5.1.1.2 State and Federal Agency User Agreements
5.1.1.3 Criminal Justice Agency User Agreements
5.1.1.4 Interagency and Management Control Agreements
5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
5.1.1.6 Agency User Agreements
5.1.1.7 Outsourcing Standards for Channelers
5.1.1.8 Outsourcing Standards for Non-Channelers
5.1.2 Monitoring, Review, and Delivery of Services
5.1.2.1 Managing Changes to Service Providers
5.1.3 Secondary Dissemination
5.1.4 Secondary Dissemination of Non-CHRI CJI
5.2 Policy Area 2: Security Awareness Training
5.2.1 Basic Security Awareness Training
5.2.1.1 Level One Security Awareness Training
5.2.1.2 Level Two Security Awareness Training
5.2.1.3 Level Three Security Awareness Training
5.2.1.4 Level Four Security Awareness Training
5.2.2 LASO Training
5.2.3 Security Training Records
5.3 Policy Area 3: Incident Response
5.3.1 Reporting Security Events
5.3.1.1 Reporting Structure and Responsibilities
5.3.1.1.1 FBI CJIS Division Responsibilities
5.3.1.1.2 CSA ISO Responsibilities
5.3.2 Management of Security Incidents
5.3.2.1 Incident Handling
5.3.2.2 Collection of Evidence
5.3.3 Incident Response Training
5.3.4 Incident Monitoring
5.4 Policy Area 4: Auditing and Accountability
5.4.1 Auditable Events and Content (Information Systems)
5.4.1.1 Events
5.4.1.1.1 Content
5.4.2 Response to Audit Processing Failures
5.4.3 Audit Monitoring, Analysis, and Reporting
5.4.4 Time Stamps
5.4.5 Protection of Audit Information
5.4.6 Audit Record Retention
5.4.7 Logging NCIC and III Transactions
5.5 Policy Area 5: Access Control
5.5.1 Account Management
5.5.2 Access Enforcement
5.5.2.1 Least Privilege
5.5.2.2 System Access Control
5.5.2.3 Access Control Criteria
5.5.2.4 Access Control Mechanisms
5.5.3 Unsuccessful Login Attempts
5.5.4 System Use Notification
5.5.5 Session Lock
5.5.6 Remote Access
5.5.6.1 Personally Owned Information Systems
5.5.6.2 Publicly Accessible Computers
5.6 Policy Area 6: Identification and Authentication
5.6.1 Identification Policy and Procedures
5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges
5.6.2 Authentication Policy and Procedures
5.6.2.1 Standard Authenticators
5.6.2.1.1 Password
5.6.2.1.2 Personal Identification Number (PIN)
5.6.2.1.3 One-time Passwords (OTP)
5.6.2.2 Advanced Authentication
5.6.2.2.1 Advanced Authentication Policy and Rationale
5.6.2.2.2 Advanced Authentication Decision Tree
5.6.3 Identifier and Authenticator Management
5.6.3.1 Identifier Management
5.6.3.2 Authenticator Management
5.6.4 Assertions
5.7 Policy Area 7: Configuration Management
5.7.1 Access Restrictions for Changes
5.7.1.1 Least Functionality
5.7.1.2 Network Diagram
5.7.2 Security of Configuration Documentation
5.8 Policy Area 8: Media Protection
5.8.1 Media Storage and Access
5.8.2 Media Transport
5.8.2.1 Digital Media during Transport
5.8.2.2 Physical Media in Transit
5.8.3 Digital Media Sanitization and Disposal
5.8.4 Disposal of Physical Media
5.9 Policy Area 9: Physical Protection
5.9.1 Physically Secure Location
5.9.1.1 Security Perimeter
5.9.1.2 Physical Access Authorizations
5.9.1.3 Physical Access Control
5.9.1.4 Access Control for Transmission Medium
5.9.1.5 Access Control for Display Medium
5.9.1.6 Monitoring Physical Access
5.9.1.7 Visitor Control
5.9.1.8 Delivery and Removal
5.9.2 Controlled Area
5.10 Policy Area 10: System and Communications Protection and Information Integrity
5.10.1 Information Flow Enforcement
5.10.1.1 Boundary Protection
5.10.1.2 Encryption
5.10.1.2.1 Encryption for CJI in Transit
5.10.1.2.2 Encryption for CJI at Rest
5.10.1.2.3 Public Key Infrastructure (PKI) Technology
5.10.1.3 Intrusion Detection Tools and Techniques
5.10.1.4 Voice over Internet Protocol
5.10.1.5 Cloud Computing
5.10.2 Facsimile Transmission of CJI
5.10.3 Partitioning and Virtualization
5.10.3.1 Partitioning
5.10.3.2 Virtualization
5.10.4 System and Information Integrity Policy and Procedures
5.10.4.1 Patch Management
5.10.4.2 Malicious Code Protection
5.10.4.3 Spam and Spyware Protection
5.10.4.4 Security Alerts and Advisories
5.10.4.5 Information Input Restrictions
5.11 Policy Area 11: Formal Audits
5.11.1 Audits by the FBI CJIS Division
5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
5.11.1.2 Triennial Security Audits by the FBI CJIS Division
5.11.2 Audits by the CSA
5.11.3 Special Security Inquiries and Audits
5.11.4 Compliance Subcommittees
5.12 Policy Area 12: Personnel Security
5.12.1 Personnel Screening Requirements for Individuals Requiring Unescorted Access to Unencrypted CJI
5.12.2 Personnel Termination
5.12.3 Personnel Transfer
5.12.4 Personnel Sanctions
5.13 Policy Area 13: Mobile Devices
5.13.1 Wireless Communications Technologies
5.13.1.1 802.11 Wireless Protocols
5.13.1.2 Cellular Devices
5.13.1.2.1 Cellular Service Abroad
5.13.1.2.2 Voice Transmissions Over Cellular Devices
5.13.1.3 Bluetooth
5.13.1.4 Mobile Hotspots
5.13.2 Mobile Device Management (MDM)
5.13.3 Wireless Device Risk Mitigations
5.13.4 System Integrity
5.13.4.1 Patching/Updates
5.13.4.2 Malicious Code Protection
5.13.4.3 Personal Firewall
5.13.5 Incident Response
5.13.6 Access Control
5.13.7 Identification and Authentication
5.13.7.1 Local Device Authentication
5.13.7.2 Advanced Authentication
5.13.7.2.1 Compensating Controls
5.13.7.3 Device Certificates
Appendices
Appendix A Terms and Definitions
