01.
General
Policy. The data stored in the ILETS, NCIC, and other criminal justice
information system files is documented criminal justice information. This
information must be protected to ensure its integrity and its correct, legal
and efficient storage, dissemination and use. It is incumbent upon an agency
accessing ILETS directly, or another system that has access to the ILETS
network, to implement the procedures necessary to make the access device secure
from any unauthorized use and to ensure ILETS is not subject to a malicious
disruption of service. ILETS access agencies must participate in ILETS training
and compliance activities to ensure that all agency personnel authorized to
access the ILETS network are instructed in the proper use and dissemination of
the information and that appropriate agency personnel are aware of security
requirements and of the dangers to network integrity. ILETS retains the
authority to disconnect an access agency or network connection when serious
security threats and vulnerabilities are detected.
02.
Definitions. The following
is a list of terms and their meanings as used in the ILETS security rule:
a. Computer interface capabilities means any
communication to ILETS allowing an agency to participate in the
system.
b. Firewall means a
collection of components placed between two (2) networks that keep the host
network secure by having the following properties:
i. All traffic from inside the network to
outside, and vice-versa, must pass through it;
ii. Only authorized traffic is allowed to
pass; and
iii. The components as a
whole are immune to unauthorized penetration and disablement.
c. ILETS Security Officer (ISO) is
the department staff member designated by the executive officer to monitor and
enforce agency compliance with site and network security
requirements.
d. Peer networks are
computer interfaces between cooperative governmental agencies in Idaho where
none of the participating entities exercise administrative or management
control over any other participating entity.
e. Interface agency is an agency that has
management control of a computer system directly connected to ILETS.
f. Untrusted system is a system that does not
employ sufficient hardware or software security measures to allow its use for
simultaneously processing a range of sensitive or confidential
information.
03.
Interface Agency Agreements. To ensure agencies having computer
interface capabilities to ILETS are fully aware of their duties and of the
consequences of failure to carry out those duties, a written and binding
Interface Agency Addendum must exist between ILETS and all interface agencies.
This agreement will clarify that the interface agency is equally responsible
for actions by secondary and affiliated systems connected through their site to
ILETS. Interface agencies must put in place similar subsidiary security
agreements with secondary and affiliated systems to protect its network and
ILETS.
04.
ILETS Security
Officer. The ILETS Security Officer is responsible for the following
duties:
a. Disseminating to user agencies
copies of ILETS security policies and guidelines;
b. Communicating to user agencies information
regarding current perceived security threats and providing recommended measures
to address the threats;
c.
Monitoring use of the ILETS network either in response to information about a
specific threat, or generally because of a perceived situation;
d. Directing an interface agency, through its
nominated contact, to rectify any omission in its duty of
responsibility;
e. When an agency
is unable or unwilling to co-operate, reporting the issue to the executive
officer and initiating the procedure for achieving an emergency disconnection;
and
f. Provide support and
coordination for investigations into breaches of security.
05.
Agency Security Contacts. A
terminal agency coordinator shall serve as that agency's security contact for
ILETS, unless another individual is specifically selected for this purpose and
approved by the ILETS Security Officer. ILETS primary sites shall ensure the
agency's security contact, or another person or position designated in an
incident contingency plan, can be contacted by the ILETS security officer at
any time.
06.
Peer
Networks. The security responsibilities of the operators of peer
networks connected to ILETS, with respect to their user organizations, are
parallel to those of ILETS user organizations in respect to their individual
users. The ILETS Security Officer shall ensure that a written agreement exists
between ILETS and an interface agency, signed by the agency heads, that
embodies these principles.
07.
Physical Security Standards. Interface agencies will observe
standards and procedures to ensure security of the physical premises and
computing equipment. The minimum standards and procedures include the
following:
a. Access to computer rooms will be
limited to staff who require access for the normal performance of their
duties.
b. Electrical power
protection devices to suppress surges, reduce static, and provide battery
backup in the event of a power failure will be used as necessary.
c. Computer system backups shall be stored in
a secure location with restricted access.
d. Network infrastructure components will be
controlled with access limited to support personnel with a demonstrated need
for access.
e. Physical labeling of
infrastructure components will be done to assist in proper identification.
Additionally, all components will be inventoried at regular intervals for asset
management and physical protection.
f. An interface agency must create and
enforce a password policy in which the agency is responsible for assigning
ILETS users a unique password. The password policy must require that a new
password be initiated by the user or agency every ninety (90) days.
08.
Network Security
Standards. User agencies must exercise appropriate security precautions
when connecting ILETS and computer systems linked to ILETS with external
untrusted systems. The primary objective of such precautions is to prevent
unauthorized access to sensitive information while still allowing authorized
users free access. The minimum standards and procedures include the following:
a. Agencies must routinely audit for and
remove unused or unneeded services/accounts, review accounts periodically, and
enforce aggressive and effective password strategies.
b. Agencies must ensure that the software
security features of the networks they manage are installed and functioning
correctly.
c. Agencies must monitor
network security on a regular basis. Adequate information concerning network
traffic and activity must be logged to ensure that breaches in network security
can be detected.
d. Agencies must
implement and maintain procedures to provide the ILETS network adequate
protection from intrusion by external and unauthorized sources.
e. No computer connected to the network can
have stored, on its disk(s) or in memory, information that would permit access
to other parts of the network. For example, scripts used in accessing a remote
host may not contain passwords.
f.
No connection to ILETS may be established utilizing dial-up communications.
Asynchronous communications connections should be limited and tightly
controlled as they pose a serious risk because they can circumvent any security
precaution enacted to protect networks from untrusted sources.
g. Network management protocols must be
limited to internal or trusted networks.
h. Any system having direct or indirect
access to the Internet via their computer network must have in place services
that allow no access to ILETS from the Internet. Organizations with large
distributed Wide Area Networks connecting many remote sites may choose to
incorporate many security layers and a variety of strategies. These strategies
must incorporate the implementation of a firewall to block network traffic, and
restriction of remote user access.
i. Agencies accessing ILETS directly or
through another agency, must insure that all telecommunications infrastructure
meets the FBI CJIS Security Policy for encryption standards.
j. No routing or IP Network Translations are
to be performed on individual access devices. All routing and translation must
be performed on a router or firewall device.