The previous blog on physical protection helped us in understanding the various security measures that need to be taken to ensure protection of Criminal Justice Information (CJI) in a physically secure location. In this blog, we will discuss one of the most important policy areas of CJIS which is System and Communications Protection and Information Integrity.
CJIS Compliance - System, Communications Protection & Information Integrity
1. CJIS Compliance - System, Communications
Protection & Information Integrity
The previous blog on physical protection helped us in understanding the various security
measures that need to be taken to ensure protection of Criminal Justice Information (CJI) in a
physically secure location. In this blog, we will discuss one of the most important policy areas of
CJIS which is System and Communications Protection and Information Integrity.
2. Information Flow Enforcement
The network infrastructure should be in control of the flow of information between
interconnected systems. The system shall control the movement of data from one place to
another in a secure manner. Specific examples of flow control can be found in devices that
engage in protection of boundaries such as gateways, proxies, firewalls, routers, tunnels and
guards. A few such examples that are better expressed as flow control rather than access control
are:
Block outside traffic that purports to be from within the agency.
Prevent Criminal Justice Information from being transmitted over a public network in an
unencrypted form.
Do not send any web requests to a public network that don’t originate from the internal
web proxy.
Boundary Protection
The agency should:
Control access to networks that are processing Criminal Justice Information
Ensure that all the connections to external systems, the Internet and IT systems occur
through interfaces that are controlled by the agency.
Ensure that in the event of operational failure of boundary protection devices; there
shouldn’t be any unauthorized leak of information outside the IT system boundary.
Employ techniques and tools to detect attacks, monitor events and identify unauthorized
users.
Agencies also need to allocate publicly accessible information system components to
separate sub networks with isolated network interfaces. This helps the agency in being
safe even if these public networks are compromised; the main secure network is immune.
Encryption
Encrypting the data is of prime importance and there are stringent conditions that need to be
followed. The encryption needs to be a minimum 128 bit and when Criminal Justice Information
is being transmitted outside the physically secure location, appropriate encryption mechanisms
need to be put in place. Even while CJI is at rest, encryption mechanisms need to be put in place
to ensure maximum security. The cryptographic module used to encrypt data shall be certified to
meet the stringent FIPS-140-2 standards
Intrusion Detection Tools and Techniques
The agency should implement host-based and/or network-based intrusion detection tools. The
State Identification Bureau (SIB)/CJIS Systems Agency (CSA) additionally should:
Check the outbound and inbound communications for unauthorized and unusual
activities.
3. Employ automated tools to offer support to monitoring system that detect system-level
attacks.
The agencies shall also send individual intrusion detection logs to a centralized logging
facility where the analysis of these logs is done to study the pattern of attack and how can
we prevent further intrusions.
Voice over Internet Protocol
VoIP is an extremely popular tool that several organizations use. Although it offers several
operational and cost advantages over the legacy telephone systems, VoIP networks have a
myriad of security challenges that need to be addressed. Therefore, in line with the
communication protection, agencies that are employing VoIP in their networks should adhere to
the following rules.
Establish implementation guidance and usage restrictions for VoIP technologies
Change the default password on VoIP switches and IP phones
Utilize Virtual Local Area (VLAN) network to segment data traffic from VoIP traffic
Cloud Computing
The organizations transitioning to cloud environment are generally confronted with the
challenges and the opportunities that the technology provides. Although the cost savings
outweigh the rest, loss of control over data is a serious point to ponder over when it comes to
CJIS Compliance security. In the light of these, it is suggested that the organizations take
appropriate decisions after reviewing the cloud computing white paper and also the cloud
assessment that is found on NIST special publications and on FBI.gov. The capabilities of the
cloud service providers and their policies would also help the organizations to decide if they can
offer services that are compliant with the requirements laid down by CJIS Compliance Security
Policy.
It is also to be noted that the metadata derived from CJI shouldn’t be put to use by cloud service
providers for any purpose whatsoever. Furthermore, the service provider is also prohibited from
scanning any data files or email and use it for data mining, building analytics, advertising or for
improving the quality of services they provide.
Facsimile Transmission of Criminal Justice Information
When transmitting CJI through facsimile, encryption requirements needn’t be followed.
Partitioning and Virtualization
In the view of increasing scarcity of resources, organizations are resorting to centralization of
system administration, services and applications. Hence, it is important to secure these
virtualized machines and partitions as well
4. Partitioning
There shall be a clear separation between IT system management functionality and user
functionality and the service, application or information system should create such a separation
either logically or physically. Separation may be achieved by any one of the following methods.
Different central processing units (CPUs)
Different computers
Different network addresses
Separate instances of the operating system
Any other methods that are approved by FBI CJIS ISO
Virtualization
It may be noted that virtualized environments are authorized for noncriminal justice as well as
criminal justice activities. Over and above the security controls described above, there are further
more controls that need to be implemented in a virtualized environment.
Maintain the audit logs for all the hosts and virtual machines and these logs need to be
stored outside the virtual environment of the host.
The organization needs to isolate the virtual machine from the host which means that the
users of virtual machines can’t access the host firmware, files etc.
Critical device drivers should be contained within a separate guest.
Internet facing virtual machines such as portal servers and web servers should be
physically separate from those virtual machines which are involved in CJI processes
internally.
System and Information Integrity Policy and Procedures
Patch Management
As and when a new security patch is released, it is of prime importance that the patches are
applied to ensure information security. Patch requirements that are found during incident
response activities, security assessments and continuous monitoring also need to be addressed.
Local policies should include items such as
Rollback capabilities need to be given while installing updates, or patches etc.
Thorough testing of appropriate patches well before installation.
Centralized management of patches
Automatic updates need to be activated without the intervention of a user.
5. Malicious Code Protection
The agency needs to implement malicious code protection, which includes automatic updates for
all the system that have access to Internet. Even the systems with no Internet access need to be
updated regularly to reflect the latest status. In addition, the agency should employ virus
detection and protection programs that identify and eradicate malicious codes such as worms,
viruses and Trojan horses.
Spam and Spyware Protection
The agency should:
Utilize spyware protection at servers, on all mobile computing devices, and workstations
on the network
Utilize the spam protection programs at all important points of entry of information such
as electronic mail servers, firewalls and remote-access servers.
Security Alerts and Advisories
The agency should:
Receive security advisories/alerts about the information system regularly
Issue advisories/alerts to the appropriate people
Document all the types of actions that need to be taken in response to the security alerts
Take suitable action
Install automated mechanisms that enable availability of advisory and security alert
information throughout the agency as appropriate.
Information Input Restrictions
The agency shall ensure that the information input to any connection to FBI CJIS Compliance
services is restricted only to authorized individuals. Restrictions on these personnel with
authorization to input information to the IT system may be extended beyond the general access
controls employed by the system.
DoubleHorn is one of the leading Cloud Solutions Providers founded in January 2005 and based
in Austin, Texas. We are capable of offering Cloud Solutions that meet CJIS requirements.
Contact us for a complimentary initial assessment at solutions@doublehorn.com or (855) 618-
6423.