Information Technology Security
|This directive is for internal use only and does not enlarge an employee’s civil liability in any way. The directive should not be construed as creating a higher duty of care, in an evidentiary sense, with respect to third party civil claims against employees. Violations of this directive, if proven, can only form the basis of a complaint by the San Juan County Sheriff’s Office for non-judicial administrative action in accordance with the rules and laws governing employee discipline.|
|DIRECTIVE TYPE: POLICY||SUBJECT: Information Technology Security||NUMBER: IT-601.00|
|APPROVED BY: Sheriff Ken Christesen||EFFECTIVE DATE: 8/14/2016|
|NMLEA STANDARDS: Not Applicable||LAST MODIFIED: 6/21/2016||LAST REVIEW: 6/21/2016|
The purpose of this policy is to establish written guidelines governing the secure use of technology, based upon protocols mandated by the FBI and best practices as established by the SANS Institute.
Appropriate measures must be taken when using secure devices to ensure the confidentiality, integrity, and availability of sensitive information. Access to sensitive information, including protected Criminal Justice Information (CJI), must be restricted to authorized users only. Employees using secure devices must minimize the possibility of unauthorized access to both sensitive information and Criminal Justice Information (CJI).
The following definitions shall apply for the purposes of this policy:
- Active Directory – A directory service implemented by Microsoft for Windows domain networks that is used for:
- Authenticating and authorizing all users and computers.
- Assigning and enforcing computer security policy
- Installing or updating software.
- Administrative Privileges/Local Administrative Rights – The highest level of permission that is granted to a technology user on a stand-alone computer. This level of permission allows the user to install software, change configuration settings, and manipulate the computer without hindrance. This is also referred to as "root", "Local Administrator" or "super-user" privileges.
- Advanced Encryption Standard (AES) – A specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001
- Bit – The basic unit of information in computing and digital communications.
- Cloud Services – Software running on one or more servers that allow centralized data storage with online access to computer services and resources using the internet. Examples include: iTunes, Dropbox, Google Drive.
- Criminal Justice Information/Criminal History Record Information (CJI/CHRI) – This is defined as any criminal information that is sensitive in nature and obtained from local, state, and federal databases, including:
- Interstate Identification Index,
- MVD records,
- Any other files or databases deemed as CJI or CHRI by the New Mexico Department of Public Safety or the FBI.
- Domain – A group of computers and devices on a network that are administered as a unit with common rules and procedures.
- Domain Administrator Privileges – This is the highest level of permission that is granted on a domain. This level of permission allows the user administrative privileges on individual machines within a domain as well as the ability to make domain-wide changes that alter how all machines function in that domain.
- Encryption – A process by which data is transformed into a format that renders it unreadable without access to the encryption key and knowledge of the process used.
- Encryption Algorithm – A mathematical procedure for performing encryption on data.
- Group Policy – A feature of the Microsoft Windows NT family of operating systems that control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. May also be referred to as Active Directory Group Policy.
- Information Technology – The use of computers and telecommunications equipment to store, retrieve, transmit and manipulate data. Commonly referred to as “IT.”
- IT Department – Personnel assigned to the Sheriff’s Office IT Division who are specifically authorized to perform repair and/or maintenance work to related Sheriff’s Office owned equipment.
- Local Security Policy – A feature of the Microsoft Windows NT family of operating systems that control the working environment of user accounts and computer accounts in the absence of an Active Directory server. These policies operate independently of Group Policy.
- Logical Access – A type of access to data and non–tangible technological equipment such as websites or other technology that does not have a physical interface.
- Network – A group of interconnected computers, machines, or other electronic devices that communicate with each other for the purpose of exchanging information.
- Personally Owned Devices – Any electronic device that is not owned wholly or in part by the San Juan County Sheriff’s Office.
- Physical Access – Accessing equipment or technology directly, or otherwise physically working with technology and not via remote access.
- Remote Access – A type of access to technological equipment that involves remote control, or other technology that allows a user to control an item of technology without physically being present at that device.
- Secure Device – Any electronic device belonging to the Sheriff’s Office that has been authorized to connect to the Sheriff’s Office network in a manner that allows it to authenticate with Active Directory.
- Sensitive Data – Any data that is considered not-publicly releasable. Examples include CHRI, CJI, and any ongoing investigatory information.
- Server – A computer or computer program that manages access to a centralized resource or service in a network.
- Workstation – A desktop computer terminal, typically networked and more powerful than a personal computer.
In order to restrict access to authorized users only, the San Juan County Sheriff's Office will implement physical and technical safeguards (such as passwords, group policy, etc.) for all secure devices that have the ability to access electronic Criminal Justice Information (CJI).
These safeguards include:
- Restricting physical access to secure devices to authorized personnel only;
- Securing workstations (screen lock or logout) prior to leaving an area to prevent unauthorized access;
- Complying with all applicable password procedures;
- Ensuring secure devices are used for official purposes only;
- Prohibiting the installation of unauthorized or illegal software on secure devices;
- Storing all sensitive information on secure network servers only;
- Ensuring portable secure devices that contain sensitive information cannot be viewed or accessed by unauthorized individuals;
- Ensuring that monitors are positioned away from public view. If necessary, the installation of privacy screen filters or other physical barriers to prevent public viewing;
- Ensuring secure workstations are left powered on but logged off in order to facilitate after-hours updates. This includes exiting running applications and closing open documents; and
- Ensuring that all devices use a surge protector (not just a power strip) or a UPS (battery backup) unless otherwise specified by the device manufacturer.
On secure devices, the Sheriff's Office IT Department will approve individual access privileges and enforce physical, logical, and remote access restrictions associated with changes to the information system; and generate, retain, and review records reflecting all such changes.
The Sheriff's Office IT Department will assign the most restrictive set of rights/privileges or access permissions needed by users for the performance of their job duties and tasks.
In order to mitigate risk to CJI and other sensitive data, the Sheriff's Office IT Department will not implement more privilege than is needed for the performance of specific duties and operations, or to use information systems as necessary.
A log of all access privilege changes will be kept and maintained for a minimum of one year.
Domain administrator privileges are restricted to the IT Department or its designee(s) only.
The Sheriff's Office IT Department will use a combination of Active Directory Group Policy, Local Security Policies, and any other industry standard security means to ensure compliance with this policy.
Any device that is capable of transmitting or becoming infected with a computer virus will have approved anti-virus software installed and maintained whenever anti-virus software is available for the device.
All passwords in use at the Sheriff’s Office must adhere to the following rules:
- No less than 8 characters in length.
- Must contain a special character.
- Must contain a number.
- Must be changed every 90 days.
- Must be unique (cannot re-use a prior password – up to 10 passwords in history).
- Must not be a variation of your name.
Service accounts such as database server passwords, networking hardware passwords, and accounts that cannot login to a computer or server directly are exempt from the 90 day requirement, but must be changed upon any change to who has access to such passwords. Additionally, such passwords must be changed at least annually by the Sheriff’s Office IT Department.
When an employee or volunteer separates from employment, all of their previously assigned devices must be turned into the Sheriff’s Office IT Department. Depending on whether the device is to be re-issued to another employee or sent to county surplus, the data on the device will be wiped using the manufacturer’s data wipe procedures or destroyed using current industry recommended secure data destruction practices, respectively.
Only personnel in the IT Department are authorized to wipe Sheriff’s Office electronic devices.
Suspicion of the device being utilized in the commission of an illegal act creates an exception to the data wipe procedure. In these cases, the device will be sent to the appropriate investigative division for analysis.
Furthermore, the Sheriff, Undersheriff, or Administrative Captain can require the data on any Sheriff's Office owned device to be preserved for internal affairs purposes.
Use of CJI/CHRI information must follow the security guidelines as defined in the FBI CJIS Security Policy Manual (accessed through the FBI website at www.fbi.gov), including procedures for the physical or electronic handling and storage of information to protect it from unauthorized disclosure, alteration, and/or misuse. The use of CJI/CHRI for any purpose other than that allowed by federal law is considered misuse.
In the event intentional misuse of CJI/CHRI data is discovered, it must be immediately reported to the Sheriff's Office IT Department who will then report the misuse to the New Mexico Department of Public Safety NCIC Division.
Misuse of CJI/CHRI will be subject to disciplinary action up to and including termination of employment, and may carry federal penalties.
PERSONALLY OWNED DEVICES
Personally owned devices are prohibited from being placed on the Sheriff’s Office network unless otherwise specified in this policy.
Only software that has been tested, licensed and approved by the Sheriff’s Office IT Department may be installed on secure devices and servers.
All software must be legally procured and properly licensed to the San Juan County Sheriff’s Office.
Software personally owned by the end-user of the device may be installed provided it is approved and installed by the Sheriff's Office IT Department and its installation does not violate any applicable laws or county policies.
Manual device updates may only be performed by the Sheriff’s Office IT Department or its designee(s).
Software vendors may perform installation, maintenance, and updates to their proprietary software only while under the direct supervision of the IT Department or its designee(s).
Employees are prohibited from using personal cloud services on secure devices. Any cloud services accounts to be used on secure devices will be established by the Sheriff’s Office IT Department. These accounts may only be terminated by the Sheriff’s Office IT Department.
Remote access to secure devices by outside vendors must be done only under the direct supervision of the IT Department.
Department issued cellular telephones and tablets are considered secure devices regardless of their direct ability to access CJI/CHRI, due to the availability of sensitive department information including but not limited to internal phone lists, schedules, etc.
SECURE DEVICES – USE BY PERSONS NOT EMPLOYED BY SJCSO
All use and viewing of secure devices by persons not employed by the San Juan County Sheriff's Office is expressly forbidden unless that person has undergone and passed a III based background check, regardless of how the person is using the device or what data is visible to them at the time of use.
SECURING DEVICES WHEN NOT IN USE
All devices must be secured by either logging off or locking when not in physical use. The Sheriff’s Office IT Department may use Active Directory Group Policies to enforce this rule.
It is the responsibility of the individual employee to ensure that all secure devices are not able to be viewed either directly or indirectly with non-Sheriff’s Office employees, either through locking of the device or otherwise obscuring it from view.
REPORTING SECURITY EVENTS
All employees of the San Juan County Sheriff’s Office are mandated to immediately report any event that causes them to suspect that a secure device has been compromised in any way by an outside source to the Sheriff’s Office IT Department. This includes virus notifications, unusual computer behavior, and any other event that would cause the employee to suspect there is an IT security breach.
SHERIFF’S OFFICE IT RESPONSE TO SECURITY EVENTS
The Sheriff’s Office IT Department will take all reports of IT security events seriously. Documentation will be made of the suspected security event, to include date and time of the event, actions taken to correct the situation, and impact of the event on the security of the Sheriff’s Office data. Any event that is suspected of compromising CJI/CHRI data must also be reported to the New Mexico Department of Public Safety, Information Security Officer.
INTERNET ONLY CONNECTIONS
The Sheriff’s Office IT Department, may, as needed, establish wired and wireless network connections that have security protocols in place preventing access to all network services except for external internet sites. These connections at no time will have access to any secure devices or CJI/CHRI data. Personally owned devices are allowed to connect to networks identified as “Internet Only Connections.”
Due to the ever-evolving nature of data encryption technology, it is the responsibility of the Sheriff’s Office IT Department to determine the most effective application and protocols on a case-by-case basis to provide encryption for devices, files, and network systems that secures all sensitive data using AES-128 bit or stronger encryption algorithms.
All employees and volunteers of the San Juan County Sheriff’s Office must, within 30 days of employment or assignment, undergo an initial training that covers this policy and any security policies required by the New Mexico Department of Public Safety and the FBI. Retraining must occur every two years.
Anyone with physical, remote, or logical access to any secure facility, electronics, or CJI/CHRI must undergo and pass a fingerprinted background check within 30 days of employment or assignment.
- FBI CJIS Security Policy, Personnel Sanctions
- FBI CJIS Security Policy, Information Handling
- SANS Institute