Bill Tatun
Jan 25, 2019
The Easy Way to Meet the CJIS Security Awareness Training Requirement
Meeting the requirements of any policy, let alone the CJIS Security Policy, can be frustrating, difficult and resource intensive.
This week we are going to look at how to meet the Security Awareness Training requirements of the CJIS Security Policy in the easiest and most resource-sparing way, in terms of both personnel time and cost.
Naturally, before we can comply with any requirement we need to know exactly what it is we’re trying to comply with. So let’s take a look at the current requirements.
The first thing to realize is that the security awareness training requirements depend on the role of the individual. Depending on one’s role in an organization, that person’s training may differ from that of others in the same organization. Equally important to realize is that the training topics required by the CJIS Security Policy are only “baseline guidance” and can be expanded or enhanced by the CJIS Systems Officer.
Let’s look at the CJIS Security Policy’s Security Awareness Training requirement in a little more detail.
Basic security awareness training is required within six months of initial assignment and biennially thereafter for all personnel who have access to Criminal Justice Information (CJI). Ok, that’s easy enough to understand, but what topics do they need to be trained in?
Let’s look at what training EVERYONE needs to have. Any person that has access to ANY CJI needs to complete security awareness training that covers the following topics:
Rules that describe responsibilities and expected behavior with regard to CJI usage
Implications of noncompliance
Incident response (points of contact; individual actions)
Media protection
Visitor control and physical access to spaces – discuss applicable physical security policy and procedures (e.g. challenge strangers, report unusual activity)
Protection of information subject to confidentiality concerns (e.g. destruction of hardcopies)
Proper handling and markings of CJI
Threats, vulnerabilities and risks associated with handling of CJI
Social engineering
Dissemination and destruction
In addition to the above topics, any person that has both physical and logical access to CJI needs to complete security awareness training that covers the additional topics of:
Rules that describe responsibilities and expected behavior with regard to information system usage
Password usage and management (including creation, change frequency and protection)
Protection from malicious code such as viruses, worms and Trojan horses
Unknown email/attachments
Web usage (acceptable use and monitoring of user activity)
Spam
Physical security (increased risks to systems and data)
Handheld device security issues that address both physical and wireless aspects
Use of encryption and the transmission of sensitive/confidential information (policy, procedures and technical contacts for assistance)
Laptop security that addresses both physical and information security
Personally owned equipment and software (acceptable use, copyrights, licensing)
Access control issues (least privilege, separation of duties)
Individual accountability (define from an agency perspective)
Use of acknowledgement statements (access to system, passwords, personal use and gain, etc.)
Desktop security (use of screen savers, restricting visitors’ view of information, mitigation of “shoulder surfing,” battery backup of system, authorized access to system, etc.)
Protection of information subject to confidentiality concerns (information contained in systems, archives and backups, until no longer needed and destroyed)
Threats, vulnerabilities and risks associated with accessing CJIS systems and services
Finally, in addition to all the topics in both of the above lists, any person who holds an Information Technology role (e.g. a system, network or security administrator) needs to complete security awareness training that covers the additional topics of:
Protection from viruses, worms, Trojan horses, and other malicious code (scanning systems and data, definition/signature updates)
Data backup and storage (approach, protection, etc.)
Timely application of system patches (part of overall configuration management process)
Access control measures
Network infrastructure protection measures
Also worth mentioning is the requirement to maintain records of individual security awareness training. These records should be kept by the CSO, SIB Chief and/or Compact Officer unless delegated to the local level.
Now that we know what’s required (who needs to have security awareness training, what topics need to be included, when and how often training needs to occur, and the need to keep individual records), how can your agency comply with this in the easiest and most resource-sparing way?
Developing an agency security awareness training plan (the requisite training materials, the initial training and re-training of individuals, and maintaining and tracking that training) can take considerable work and resources, but the CJIS ACE team can help. We have implemented compliant, cost-effective solutions built on tried-and-true security awareness training strategies and software.
Want to talk more about these strategies and solutions? Want to deal with the Security Awareness Training requirement in the easiest way?
Give me a call at 850-778-3207, or email me at wtatun@diversecomputing.com.
Until next time, be safe.