SAT Training Template

Agencies are responsible for administering the Security Awareness Training (SAT) to all personnel having access to CHRI, as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats. The Michigan State Police (MSP) has created a Noncriminal Justice Agency (NCJA) "template" for your use in implementing these requirements. The SAT Training Template is a fill-in PowerPoint for agency use. Agencies should complete all fields indicated in red as applicable to agency policy, procedure, and process. Any questions on the use of the template may be directed to the Audit & Training Section: [email protected], (517) 241-0621


Transcript of SAT Training Template

Page 1: SAT Training Template

Agencies are responsible for administering the Security Awareness Training (SAT) to all personnel having access to CHRI, as required by the FBI CJIS Security Policy, Policy Area 5.12. More information can be found at www.michigan.gov/cjicats.

The Michigan State Police (MSP) has created a Noncriminal Justice Agency (NCJA) "template" for your use in implementing these requirements. The SAT Training Template is a fill-in PowerPoint for agency use. Agencies should complete all fields indicated in red as applicable to agency policy, procedure, and process. Any questions on the use of the template may be directed to the Audit & Training Section:

[email protected] • (517) 241-0621

Page 2: SAT Training Template

Noncriminal Justice Agency (NCJA)

Security Awareness Training

Page 3: SAT Training Template

Criminal Justice Information Exchange History

The FBI Criminal Justice Information Services (CJIS) Division is our nation's largest and central repository of Criminal History Record Information (CHRI), assisting states' law enforcement, governmental, public, and private entities by sharing information for criminal justice and noncriminal justice purposes.

Page 4: SAT Training Template

FBI Criminal Justice Information Services: Serves as our nation's administrator for the appropriate security and management controls. As such, the FBI designates one criminal justice agency (on the CJIS network) as the CJIS Systems Agency (CSA), which is considered its point of contact in each state.

Michigan State Police (the CSA): The CSA is duly authorized to oversee the security and management of all CJI (including CHRI) exchanges within the State of Michigan. It is responsible for setting, maintaining, enforcing, and reporting compliance to the FBI CJIS Division for such exchanges.

Noncriminal Justice Agency: For the purpose of licensing and employment, certain authorized agencies request and receive fingerprint-based CHRI. This makes the Noncriminal Justice Agency (NCJA) the next responsible records management entity.

Page 5: SAT Training Template

How "YOU," the Employee, are Connected

As an employee of an NCJA, these same security and management control responsibilities extend to you. Security Awareness Training is intended to identify your individual role and responsibilities, and to equip you with the knowledge, resources, and tools necessary to ensure the appropriate security and management of CHRI.

Page 6: SAT Training Template

Access & Use

Access to CJI/CHRI is limited to authorized personnel and for an authorized purpose as prescribed by [insert state and/or federal law authorizing CHRI access].

Use of CHRI is for and by authorized personnel as designated by your agency.

Page 7: SAT Training Template

Why Security Awareness Training?

Systems have become more complex and interconnected, increasing the risk associated with their operation.

Security awareness training, and its implementation, is required by the FBI CJIS Security Policy (Policy Area 2, section 5.2, Security Awareness Training).

Individuals, businesses, and government organizations have become increasingly reliant on information technology systems. This fact makes protecting these assets more important than ever before.

Page 8: SAT Training Template

Information System Security

The term information security refers to the protection of information and information technology (IT) systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

• SECURITY: to ensure that information is not compromised by any unauthorized individuals,

• CONFIDENTIALITY: to ensure that information is not disclosed to unauthorized individuals,

• INTEGRITY: to ensure that information and systems are not modified maliciously or accidentally.

Page 9: SAT Training Template

Security Awareness Training (SAT) Begins

Agencies shall provide SAT to all personnel having access to CHRI within six (6) months of their assignment and once every two (2) years thereafter.

SAT applies to:

• All personnel with access to CJI/CHRI

• Personnel with physical and logical access

• Personnel with information technology (IT) roles

Page 10: SAT Training Template

SAT Begins

CHRI is governed and protected by:

• Federal and state laws

• Policies, memoranda, and regulations

• NCJA policies, procedures, processes, and rules

All are designed to reduce the risk of unauthorized access and misuse. Noncompliance with any of these will lead to disciplinary action according to agency [Insert agency policy, procedure, written process action]. Disciplinary action is determined by [Insert agency name or position of authority] and in accordance with the FBI CJIS Security Policy.

Page 11: SAT Training Template

Reporting of a Security Breach

Incident Reporting:

• As an agency employee it is your responsibility to report any perceived or known security breaches regarding CHRI.

• Reporting is required whether the CHRI breach is physical or through electronic devices.

• All incidents are to be reported to [Insert agency position authority].

• You may refer to [insert agency policy or procedure] for the most current incident response protocol.

Page 12: SAT Training Template

Security Breach

Is defined as:

• The intentional or unintentional release of secure information to an untrusted, unauthorized environment.

• The unauthorized acquisition, access, use or disclosure of protected information which compromises the security or privacy of such information.

• An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called security violation.

Page 13: SAT Training Template

Media Protection

Media must be protected at all times against any unauthorized access to, or routine viewing of, computer devices, access devices, and printed/stored data.

All media is to be handled with the utmost care and be marked "Copy" and "Confidential" so that others having access to CHRI are also aware of the attention required when handling CHRI.

Agency [Insert agency policy, procedure, or written process] is provided and available [Insert location where document is available for review] to ensure media protection exists and is carried out in the appropriate manner.

Page 14: SAT Training Template

Media Protection

Is the protection of electronic and physical CHRI media by:

• Restricting media to authorized personnel only.

• Securely storing within physically secured locations and controlled areas.

• Protecting and controlling media anytime it is transported outside of controlled areas.

• Disposing of media securely and only by authorized personnel.

Page 15: SAT Training Template

Media Protection

Physical Security includes:

• Protection of information subject to confidentiality

• Limitation of visitor access to controlled areas

• Prevention of social engineering

• Positioning of computer and system devices (laptops, cellular phones, iPads, or any kind of handheld device used to access, process, or store CHRI media) in such a way that prevents unauthorized personnel from gaining physical or visual access.

• Locking of rooms, areas, or storage containers where CHRI media is accessed, processed, and/or stored.

Page 16: SAT Training Template

Media Protection

Electronic Security includes:

• Protection of information subject to confidentiality

• Password use and management

• Protection from viruses, worms, Trojan horses and other malicious code

• Appropriate use and management of e-mail, spam and attachments

• Appropriate web use

• Use of encryption for transmission of sensitive/confidential information through electronic means.

• Backing up electronic media on a regular basis.

Page 17: SAT Training Template

IT Personnel

As outlined by the agency, it is the IT personnel's responsibility to:

• Provide protection from viruses, worms, Trojan horses, and other malicious code through electronic scanning and updating of definitions.

•Provide data backup and storage through centralized and decentralized approaches, when applicable.

•Provide timely application of system patches as part of configuration management.

•Provide access control measures.

• Provide protection measures for the agency network infrastructure.

Page 18: SAT Training Template

Visitor Control

Visitor access to controlled areas where CHRI is maintained and processed shall be avoided whenever possible. If visitor access becomes necessary, all visitors will be escorted by authorized personnel at all times while in a controlled area. Agency [insert agency policy or procedure] exists to prevent unauthorized access to CHRI, and it is your responsibility to adhere to all agency requirements.

Page 19: SAT Training Template

Visitor Control

Minimum requirements:

• Lock the area, room, or storage container when CHRI is unattended by authorized personnel.

• Position CHRI system devices and documents containing CHRI in such a way as to prevent unauthorized individuals from accessing or viewing them.

• Follow the encryption requirements set forth by the agency for electronic storage of CHRI.

• Challenge strangers as to the nature of their business in the controlled area.

• Report unusual or suspicious behavior to appropriate personnel.

Page 20: SAT Training Template

Threats, Vulnerabilities, and Risks

A vulnerability is a point where a system is susceptible to attack.

Vulnerabilities may include:

1. Physical

2. Human

3. Hardware and Software

4. Natural

5. Communication

Page 21: SAT Training Template

Threats, Vulnerabilities, and Risks

A threat is an unintentional or deliberate event or circumstance which could have an adverse impact on an information system. Threats can come from internal or external sources. There are three main categories of threats:

• Natural (fire, flood, lightning, power failures)

• Unintentional (actions that occur due to lack of knowledge or through carelessness)

• Intentional (a deliberate plan to harm or manipulate an information system, its software, and/or data)

Page 22: SAT Training Template

Dissemination

Laws, policies, procedures, and written processes discussed throughout this training apply to CHRI received from the FBI CJIS for noncriminal justice purposes.

In general, an NCJA purpose includes the use of CHRI for purposes authorized by federal or state law other than purposes relating to the administration of criminal justice, including but not limited to:

• [Insert employment suitability or licensing law the agency is using to access CHRI]

Any CHRI released to another authorized agency that was not part of the original information exchange shall be logged. See [insert agency policy, procedure, written process] for logging details.

Page 23: SAT Training Template

Destruction

Sensitive data shall be securely disposed of when no longer required.

When no longer using diskettes, tape cartridges, ribbons, hard copies, print-outs, and other similar items, destroy them by cross-cut shredding or incineration, and only by authorized personnel.

DO NOT PLACE SENSITIVE DATA IN TRASH CANS

Page 24: SAT Training Template

Desktop SecurityDesktop Security

Pertains to your agency-issued computers, laptops, and handheld devices. Personally owned equipment and software [select: is or is not] allowed, and guidance for such an instance can be located within agency [insert agency policy, procedure, or written documentation].

You have NO EXPECTATION OF PRIVACY IN THEIR USE.

Physical and electronic media not under the direct supervision of authorized personnel should be locked and secured any time they are not in use. If you know you are going to be away from your desk for an extended period of time, either shut down your system or lock your workstation.

Page 25: SAT Training Template

Desktop Security

Passwords ("standard authentication"):

• An "electronic signature"

• Ensure the user is who they say they are

• Used in all instances of system access for the use, processing, and storage of electronic CHRI media

• Used to restrict access to authorized personnel only

Agency [insert agency policy, procedure, written process] exists and is available [Insert location where document is available for review] to ensure the appropriate security and management controls are followed.

Page 26: SAT Training Template

Desktop Security

Passwords shall exist for all electronically maintained media, and shall:

• Be a minimum length of eight characters.

• Not be a dictionary word or proper name.

• Not be the same as the User ID.

• Expire within a maximum of 90 days.

• Not be identical to the previous ten passwords.

• Not be transmitted in the clear outside the secure location.

• Not be displayed when entered.
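The first five rules above can be enforced mechanically when a password is set. The following checker is an added example written for this page; it is not part of the MSP template or any CJIS tool. The word list, user IDs, and sample passwords are constructed for illustration, and the password history is kept as salted PBKDF2 hashes so the "previous ten" comparison never stores reusable plaintext. The last two rules (no cleartext transmission, no echo on entry) are system and transport controls and are not covered by this code.

```python
"""Password policy checker for the rules on this slide (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 10
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; use far more in production

# Constructed mini word list; in practice load a real dictionary and name list.
DICTIONARY = {"password", "welcome", "michigan", "summer", "football", "letmein"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the history holds no reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    user_id: str
    last_set: date
    history: list = field(default_factory=list)  # list of (salt, digest), newest last

    def add(self, password: str, when: date) -> None:
        """Record a newly set password and drop anything older than the last ten."""
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-HISTORY_DEPTH]
        self.last_set = when

    def in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)


def check_password(candidate: str, record: PasswordRecord) -> list:
    """Return the rules the candidate violates; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if candidate.lower() == record.user_id.lower():
        problems.append("same as user ID")
    if record.in_history(candidate):
        problems.append("matches one of the previous ten passwords")
    return problems


def is_expired(record: PasswordRecord, today: date) -> bool:
    """True once the password is older than the 90-day maximum."""
    return today - record.last_set > timedelta(days=MAX_AGE_DAYS)


def sample_record() -> PasswordRecord:
    """Constructed user 'jsmith' whose current password was set on 2024-01-01."""
    rec = PasswordRecord(user_id="jsmith", last_set=date(2024, 1, 1))
    rec.add("Cj!s-2024-rec", date(2024, 1, 1))
    return rec


def run_demo() -> dict:
    """Exercise every rule against the constructed record and return the outcomes."""
    rec = sample_record()
    rotated = PasswordRecord(user_id="x", last_set=date(2024, 1, 1))
    for i in range(HISTORY_DEPTH + 1):  # eleven changes push the first one out
        rotated.add(f"Password-{i:02d}!", date(2024, 1, 1))
    return {
        "too_short": check_password("short", rec),
        "dictionary": check_password("michigan", rec),
        "reused": check_password("Cj!s-2024-rec", rec),
        "good": check_password("Tr0ub4dor&3x", rec),
        "expired_day_90": is_expired(rec, date(2024, 3, 31)),
        "expired_day_91": is_expired(rec, date(2024, 4, 1)),
        "oldest_dropped": rotated.in_history("Password-00!"),
        "newest_kept": rotated.in_history("Password-10!"),
        "history_len": len(rotated.history),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Note that the history comparison has to hash the candidate once per stored entry, so the cost grows with PBKDF2_ROUNDS times ten; that is acceptable at password-change time but is one reason the history should live in the identity system rather than be re-implemented per application.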

Page 27: SAT Training Template

Vulnerabilities and Threats

Threats include:

• Eavesdropping

• Unauthorized data access

• Intrusions

• Denial of Service

• Theft

• Social Engineering

• Phishing

• Sabotage

• Web use

• Spam

Page 28: SAT Training Template

Vulnerabilities and Threats

Social engineers don't need to be "technically" savvy; they use their "people skills" to get in where they are NOT supposed to be:

• Charm

• Intimidation

• Trickery

"Phishing" is the receipt of an e-mail pretending to be from an online store, a financial institution, or an internet service provider with the intention of gaining personal information.

Sabotage is deliberate action aimed at weakening another entity, the conscious withdrawal of efficiency generally directed at causing some change in workplace conditions.

Page 29: SAT Training Template

Vulnerabilities and Threats

Work-related web use is necessary at times and for applicable purposes, and [insert agency policy, procedure, or written process] exists to identify the security controls necessary to minimize the detrimental effects of viruses, worms, Trojan horses, and other malicious code.

Additionally, web use for personal reasons [Select: is or is not allowed] and, when used for such purposes, shall be conducted in the same manner as outlined in [insert agency policy, procedure, or written process].

"Spam" is unsolicited electronic messaging from outside entities, which may also contain viruses, worms, Trojan horses, and other malicious code. Use e-mail blocking and junk mail functions to minimize its impact.

Page 30: SAT Training Template

Vulnerabilities and Threats

Eavesdropping is also a threat when a conversation is overheard by the wrong person seeking personal gain. Secretly listening to the conversations of others is an easy way to learn what should be confidential information. Be aware of your surroundings and environment, and only discuss the details of CHRI with appropriate personnel.

Unauthorized data access, intrusions, denial of service, and theft can all contribute to the vulnerability of an agency's system, and it is up to you to ensure the security, confidentiality, and integrity of CHRI while it is under your control.

Page 31: SAT Training Template

Are you being hacked? How to tell.

• A system alarm or similar indication from an intrusion detection tool (e.g., a UNIX user obtains privileged access without using authorized methods)

• Suspicious entries in system or network accounting

• Accounting discrepancies (e.g., an 18-minute gap in the accounting log for which there is no correlation)

• Exceptionally slow network activity, disconnection from network service, or unusual network traffic

• Unsuccessful logon attempts

• New user accounts of unknown origin

• Unusual log entries such as network connections to unfamiliar machines or services, or login failures

• New files of unknown origin and function

• Unexplained addition, deletion, or modification of data

• System crashes

• Poor system performance: the system appears to be slower than normal and less responsive than expected

• Unauthorized operation of a program, or the addition of a sniffer application to capture network traffic or usernames/passwords

• Port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts)

• Unusual usage times (statistically, more security incidents occur during non-working hours than at any other time)

• An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account

• Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program)

• Denial of service activity or inability of one or more users to log in to an account, including admin/root logins to the console
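Several of the indicators above (repeated unsuccessful logons, new accounts of unknown origin, connections from unfamiliar machines, usage at unusual times) can be picked out of ordinary authentication logs with a few lines of code. The scanner below is an added example for this page, not part of the MSP template or any agency tool. The log lines are constructed in a Linux sshd/useradd syslog style, and the "known source" address set, the 07:00 to 18:59 working-hours window, and the five-failures-in-five-minutes threshold are assumptions to be replaced with the agency's own values.

```python
"""Indicator scan over constructed authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: one normal logon, a burst of failures,
# an off-hours logon from an outside address, and an account creation.
SAMPLE_LOG = """\
2024-03-12 09:02:11 ws01 sshd[812]: Accepted password for jsmith from 10.0.5.23 port 51122
2024-03-12 09:15:40 ws01 sshd[820]: Failed password for jsmith from 10.0.5.23 port 51130
2024-03-12 09:15:44 ws01 sshd[820]: Failed password for jsmith from 10.0.5.23 port 51130
2024-03-12 09:15:49 ws01 sshd[820]: Failed password for jsmith from 10.0.5.23 port 51130
2024-03-12 09:15:53 ws01 sshd[820]: Failed password for jsmith from 10.0.5.23 port 51130
2024-03-12 09:15:58 ws01 sshd[820]: Failed password for jsmith from 10.0.5.23 port 51130
2024-03-12 23:41:07 ws01 sshd[901]: Accepted password for jsmith from 203.0.113.7 port 40011
2024-03-12 23:42:30 ws01 useradd[905]: new user: name=svc_tmp, UID=1005, GID=1005, home=/home/svc_tmp
2024-03-13 08:30:02 ws01 sshd[950]: Accepted password for alee from 10.0.5.40 port 50213
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")

KNOWN_SOURCES = {"10.0.5.23", "10.0.5.40"}  # assumption: the agency's own workstations
WORK_HOURS = range(7, 19)                  # assumption: 07:00-18:59 is normal use
FAIL_THRESHOLD = 5                         # assumption: five failures ...
FAIL_WINDOW = timedelta(minutes=5)         # ... within five minutes is worth a look


def scan(log_text: str) -> list:
    """Return one alert string per indicator found, in log order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logons
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]

        auth = AUTH_RE.match(msg)
        if auth:
            user, src = auth["user"], auth["src"]
            if auth["result"] == "Failed":
                # Sliding window: keep only failures inside FAIL_WINDOW, then add this one.
                recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
                failures[user] = recent
                if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                    alerts.append(f"{ts} repeated failed logons: {user} "
                                  f"({FAIL_THRESHOLD} within {FAIL_WINDOW})")
            else:
                if ts.hour not in WORK_HOURS:
                    alerts.append(f"{ts} off-hours logon: {user} from {src}")
                if src not in KNOWN_SOURCES:
                    alerts.append(f"{ts} logon from unfamiliar source: {user} from {src}")
            continue

        added = USERADD_RE.match(msg)
        if added:
            alerts.append(f"{ts} new user account created: {added['user']}")
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample log this produces four alerts: the fifth failed logon for jsmith, the 23:41 logon both as off-hours and as coming from an unfamiliar address, and the creation of svc_tmp. The 08:30 logon by alee from a known address is silent. Each alert is a lead to hand to the agency's incident reporting contact, not proof of compromise; the point is that the indicators on this slide are concrete enough to be checked routinely rather than noticed by chance.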

Page 32: SAT Training Template

Standards of Discipline

FBI CJIS information is sensitive information. Improper access, use, and dissemination is serious and may result in the imposition of disciplinary action up to dismissal. This can include termination of services, as well as state/federal criminal penalties.

It is your responsibility to conform to the requirements of the Rules of Behavior when using computers with access to CHRI data. Failure to comply with the Rules of Behavior may constitute a security violation resulting in denial of access to the system.

Page 33: SAT Training Template

Remember

• You are the key to security; it begins with YOU.

• It's your responsibility to ensure you're aware of, and adhere to, all policies and procedures regarding IT security.

• If you have any questions about the proper operation or security of computer systems entrusted to you, contact your local agency security officer.

Page 34: SAT Training Template

Proof of Training Completion

Upon completion of Security Awareness Training:

Complete the applicable fields of the last-page certificate, except for the "Authorizing Name and Title" field. Once the applicable fields are completed, print it and provide it to the agency authorizer for a verification signature.

Page 35: SAT Training Template

[Insert Agency Name]

Presents

[Insert Employee Name]

with this

Security Awareness Training Proof of Completion

On [Insert DATE]

LASO Name and Title