Meeting the requirements of any policy, let alone the CJIS Security Policy, can be frustrating, difficult and resource intensive.
This week we are going to look into how to meet the Security Awareness Training requirements of the CJIS Security Policy in the easiest and most resource-sparing way (both in terms of personnel time and cost $$).
Naturally, before we can comply with any requirement we need to know exactly what it is we’re trying to comply with. So let’s take a look at the current requirements.
First thing we have to realize is that the requirements for security awareness training are dependent on the role of the individual. Depending on what one’s role is in an organization, their training may be different from others in the same organization. Equally as important to realize is that the training topics required by the CJIS Security Policy are only “baseline guidance” and can be expanded/enhanced by the CJIS Systems Officer.
Let’s look into the CJIS Security Policy Security Awareness Training requirement in a little more detail……
Basic security awareness training is required within six months of initial assignment and biennially thereafter for all personnel who have access to Criminal Justice Information (CJI). Ok, that’s easiest enough to understand, but what topics do they need to be trained in?
Let’s look at what training EVERYONE needs to have. Any person that has access to ANY CJI needs to complete security awareness training that covers the following topics:
1. Rules that describe responsibilities and expected behavior with regard to CJI usage
2. Implications of noncompliance
3. Incident response (points of contact; individual actions)
4. Media protection
5. Visitor control and physical access to spaces – discuss applicable physical security policy and procedures (e.g. challenge strangers, report unusual activity)
6. Protect confidentiality information (e.g. destruction of hardcopies)
7. Proper handling and markings of CJI
8. Threats, vulnerabilities and risks associated with handling of CJI
9. Social engineering
10. Dissemination and destruction
In addition to the above topics, any person that has both physical and logical access to CJI needs to complete security awareness training that covers the additional topics of:
1. Rules that describe responsibilities and expected behavior with regard to information system usage
2. Password usage and management (including creation, change frequency and protection)
3. Protection from malicious code such as viruses, worms and trojan horses
4. Unknown email/attachments
5. Web usage (acceptable use and monitoring of user activity)
7. Physical security (re: increases in risks to system and data)
8. Handheld device security issues that address both physical and wireless aspects
9. Use of encryption and the transmission of sensitive/confidential information (policy, procedures and technical contacts for assistance)
10. Laptop security that addresses both physical and information security
11. Personally owned equipment and software (acceptable use, copyrights, licensing)
12. Access control issues (least privilege, separation of duties)
13. Individual accountability (define from an agency perspective)
14. Use of acknowledgement statements (access to system, passwords, personal use and gain, etc)
15. Desktop security (use of screen savers, restricting visitors’ view of information, mitigation of “shoulder surfing,” battery backup of system, authorized access to system, etc)
16. Protect information subject to confidentiality concerns (information contained in systems, archives, backups – until no longer needed and destroyed)
17. Threats, vulnerabilities and risks associated with accessing CJIS systems and service
Finally, in addition to all the topics in both of the above lists, any person who holds an Information Technology role (e.g. a system, network or security administrator) needs to complete security awareness training that covers the additional topics of:
1. Protection from viruses, worms, Trojan horses, and other malicious code (scanning systems and data, definition/signature updates)
2. Data backup and storage (approach, protection, etc)
3. Timely application of system patches (part of overall configuration management process)
4. Access control measures
5. Network infrastructure protection measures
Also worth mentioning is the requirement to maintain records of individual security awareness training. These records should be kept by the CSO, SIB Chief and/or Compact Officer unless delegated to the local level.
Now that we know what’s required (who needs to have security awareness training, what topics need to be included, when and how often training needs to occur, and the need to keep individual records), how can your agency comply with this in the easiest and most resource-sparing way?
Even though there can be considerable work and resources needed to develop an agency security awareness training plan that includes the requisite training materials, initially training/re-training individuals, and maintaining/tracking this training, the CJIS ACE team can help. We have implemented compliant, cost-effective solutions that have utilized tried and true security awareness training strategies and software.
Want to talk more about these strategies and solutions? Want to deal with the Security Awareness Training requirement in the easiest way?
Until next time, be safe.
Were you forwarded this newsletter and find the content useful? Then please take a few seconds and subscribe to our newsletter.
CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be pro-active in strengthening your agency’s information security profile and comply with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.
Let us deal with your audit and compliance hassles…
You already have enough to worry about.