eTIME Security Requirements

VERSION HISTORY

1.0  October 19, 2000  Original draft, author Gerry Coleman

Columns: OBJECTIVE, STRATEGY, TECHNOLOGY. Each objective is followed by the strategy and technology entries that implement it.
OBJECTIVE: Only authorized users shall have access to eTIME.

STRATEGY: Assign every user a unique user name. (It is acceptable to use a combination of user name and agency to assure uniqueness statewide.)
TECHNOLOGY: A centralized user identity and authentication system.

STRATEGY: Every user shall be associated with an agency. No individual has standing to use the system without the authority of a criminal justice agency. Persons employed by multiple agencies shall have different identities and permission profiles for each employment situation. A single person may require multiple identities for the same employer (e.g., different jobs with significantly different permission profiles).
TECHNOLOGY: A centralized user identity and authentication system.

STRATEGY: Users who lose their authorization by change in employment situation or training accreditation shall be removed promptly from the authorization list.
TECHNOLOGY: Operational procedure.

STRATEGY: Authorized users shall be prohibited from sharing their identity with others by policy, and restricted from doing so to the extent practical by technology.
TECHNOLOGY: User authentication: passwords, secure cards, biometrics, automatic inactivity disconnect, user certificates.

STRATEGY: Authorized users shall not have a disqualifying criminal background record.
TECHNOLOGY: Fingerprint-supported background checks at CIB and FBI.

STRATEGY: All vendor and other agency personnel who have "administrator" rights to any server or network equipment authorized to connect to eTIME, and all vendor and other agency personnel who conduct transactions on eTIME for testing purposes, shall be identified and shall not have a disqualifying criminal background record.
TECHNOLOGY: User identification, and fingerprint-supported background checks at CIB and FBI.

STRATEGY: Authorized users shall be restricted in their use of eTIME based upon their training and certification, re-certification status, and employment requirements.
TECHNOLOGY: User authorizations shall be enforced by each eTIME application according to its own requirements.

STRATEGY: In general, authorized users shall be permitted to access eTIME from any location. A class of users, e.g., dispatchers in a 24x7 facility, may be granted generous access permissions based on the tactical nature of their work. In this case, the permission profile shall be location specific.
TECHNOLOGY: User authentication: passwords, secure cards, biometrics, automatic inactivity disconnect, user certificates.

OBJECTIVE: Protect data integrity. This objective applies to data stored in files held by data services, especially CIB hot files and criminal history.

STRATEGY: Restrict access by connection source and protocol. As a general rule, authorized users should be permitted access from anywhere, but any site may be prohibited access for administrative reasons. TELNET and other risky protocols may be prohibited by policy.
TECHNOLOGY: Firewall.

STRATEGY: Limit the number of persons who are authorized to add, change, or delete records.
TECHNOLOGY: User authorizations. Training, certification, and re-certification requirements.

STRATEGY: Recovery mechanisms. No data record set shall be more than 24 hours away from a recoverable backup.
TECHNOLOGY: Databases, daily backups, warehousing.

STRATEGY: For hot file records, a designated agency validation officer shall validate every record 90 days after entry and once each year thereafter.
TECHNOLOGY: A "validation" application.

STRATEGY: Track responsibility for record maintenance.
TECHNOLOGY: Log record changes by date, time, and user. Make the most recent change visible on record responses. Protect the log from any alteration.
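One way to meet the record-maintenance requirement above (log every change by date, time and user; show the most recent change on record responses; protect the log from alteration), as an added example that is not part of the eTIME document: a hash-chained change log in which each entry commits to the one before it. Record ids, user names and timestamps are constructed samples.

```python
# Added example (not from the eTIME document): a tamper-evident record-change
# log. Each entry carries the hash of the previous entry, so editing, removing
# or reordering any entry breaks verification of the chain from that point on.
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # previous-hash value for the very first entry

def _entry_hash(entry: Dict[str, object]) -> str:
    # Canonical JSON so the same entry always hashes to the same digest.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def append_change(log: List[dict], record_id: str, user: str,
                  action: str, timestamp: str) -> dict:
    """Append one change (date/time, user, record, action) linked to the last entry."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp,
        "user": user,
        "record_id": record_id,
        "action": action,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify_log(log: List[dict]) -> bool:
    """Recompute the chain; returns False on any altered, missing or reordered entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def last_change(log: List[dict], record_id: str) -> Optional[dict]:
    """Most recent change to a record, to show on the record response."""
    for entry in reversed(log):
        if entry["record_id"] == record_id:
            return {k: entry[k] for k in ("timestamp", "user", "action")}
    return None
```

A chain like this only detects alteration if the latest hash is regularly copied somewhere the system administrators cannot rewrite (for instance, sent to the security officer), since an administrator with write access to the log could otherwise recompute the whole chain.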

OBJECTIVE: Protect data visibility.

STRATEGY: Restrict access.
TECHNOLOGY: Firewall.

STRATEGY: Limit the number of persons who are authorized to make record inquiry. Depending on the rules of each data service, permissions shall be definable (1) at the data service level; (2) at the file level; (3) at the record level; and/or (4) by type of transaction.
TECHNOLOGY: User authorizations. Training, certification, and re-certification requirements. In general, access rules are defined by the owner of the data service.

STRATEGY: Encrypt data on radio frequency transmissions; on common carrier network segments; through any public Internet segment or equipment; on any local network segment shared with non-criminal justice data; and on any local network segment not under the management control of a criminal justice agency.
TECHNOLOGY: Secure Socket Layer (SSL) connections, with server certificates issued by a trusted certificate authority; 128-bit encryption. Where unencrypted segments are necessary, private and dedicated wiring under the management control of a criminal justice agency.

STRATEGY: Physical security.
TECHNOLOGY: To the extent possible, servers and configurable network hardware (switches, routers, etc.) should be located in locked facilities with controlled access. Users should take reasonable precautions to prevent unauthorized viewing of terminal equipment screens, printouts, etc.

OBJECTIVE: Limit unauthorized intrusion and access attempts.

STRATEGY: Log all user access attempts, successful or unsuccessful. Examine these logs daily for patterns of hacking.
TECHNOLOGY: A centralized user identity and authentication system. Filter software and report programs to identify hacking event profiles.

STRATEGY: Log all connection attempts, successful or unsuccessful. Examine these logs daily for patterns of hacking. Be alert for other patterns of probing for IP addresses, ports, and system status.
TECHNOLOGY: Intrusion detection, filter and report programs, alarms.
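The daily log examination called for above, as an added example that is not part of the eTIME document: a small "filter and report program" that reads one day's access-attempt log and flags the patterns a security officer would want to see first. The log lines, user names and addresses are constructed samples in a simple "timestamp user source result" form.

```python
# Added example (not from the eTIME document): a daily review of access-attempt
# logs that flags repeated failures on one account and sources that failed
# against many accounts. Log lines are constructed samples in the form
# "timestamp user source result".
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
2000-10-19T08:01:12Z jdoe@agency-a 10.1.2.3 FAIL
2000-10-19T08:01:40Z jdoe@agency-a 10.1.2.3 SUCCESS
2000-10-19T23:10:01Z admin 203.0.113.7 FAIL
2000-10-19T23:10:03Z root 203.0.113.7 FAIL
2000-10-19T23:10:05Z operator 203.0.113.7 FAIL
2000-10-19T23:10:07Z dispatch1 203.0.113.7 FAIL
2000-10-20T02:15:00Z asmith@agency-b 10.9.8.7 FAIL
2000-10-20T02:15:30Z asmith@agency-b 10.9.8.7 FAIL
2000-10-20T02:16:00Z asmith@agency-b 10.9.8.7 FAIL
2000-10-20T02:17:00Z asmith@agency-b 10.9.8.7 SUCCESS
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse one event per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(dict(zip(("ts", "user", "source", "result"), parts)))
    return events

def review(events: List[Dict[str, str]], fail_threshold: int = 3,
           account_threshold: int = 4) -> Dict[str, List[str]]:
    """Return the patterns a security officer should look at from one day's log."""
    fails_by_user = Counter(e["user"] for e in events if e["result"] == "FAIL")
    users_by_source = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_by_source[e["source"]].add(e["user"])
    repeated = sorted(u for u, n in fails_by_user.items() if n >= fail_threshold)
    succeeded = {e["user"] for e in events if e["result"] == "SUCCESS"}
    return {
        # many failures on one account: guessing against a known user name
        "repeated_failures": repeated,
        # one source failing against many accounts: probing for any valid login
        "multi_account_sources": sorted(s for s, us in users_by_source.items()
                                        if len(us) >= account_threshold),
        # repeated failures and then a success on the same account: verify with the user
        "succeeded_after_failures": sorted(u for u in repeated if u in succeeded),
    }
```

The thresholds are starting points; a 24x7 dispatch site will see far more legitimate failures than a small agency, so tune them per interface agency rather than statewide.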

STRATEGY: Be able to identify when system configuration options differ from one day to the next. Account for all changes and report them to agency security officers. Be alert for configuration changes that represent a hacking pattern.
TECHNOLOGY: Configuration management procedures, automatic profile monitoring, logs.

STRATEGY: Configuration management shall be a joint responsibility between security officers and system administrators. Security officers shall be prevented from making configuration changes. System administrators shall be unable to make changes that are invisible and unreported to security officers.
TECHNOLOGY: Configuration management procedures, logs, reports.

STRATEGY: User identity, authentication, and authorization management shall be a joint responsibility between training officers and user profile administrators. Training officers shall be prevented from making user identity and configuration changes. User profile administrators shall be unable to make changes that are invisible and unreported to training officers.
TECHNOLOGY: User identification, authentication, and authorization systems and procedures.

STRATEGY: An up-to-date network configuration map showing the topology of the network and equipment, each interface to local agencies, each connection to the public Internet, and primary configuration parameters shall be available to managers and officers on request. Each interface agency shall maintain a similar, up-to-date network configuration map available on request.
TECHNOLOGY: Network mapping software, configuration management utilities.

STRATEGY: Every unaccounted configuration change and suspicious hacking attempt shall be investigated. ISPs and interface agencies shall be notified immediately of any bad behavior from their accounts. ISPs and interface agencies who refuse to assist or are uncooperative in investigation or prevention shall be barred from connection to eTIME. An event response report shall be prepared for every significant event. Security officers shall be notified, and they shall be responsible to notify management staff, affected agencies, and the security officers in other data service agencies.
TECHNOLOGY: Event response procedures.
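The configuration-monitoring strategies above (detect day-to-day differences, account for every change, report to security officers, and leave administrators no way to make invisible changes) can be implemented with a daily snapshot comparison. The following is an added example, not part of the eTIME document; the option names, values and the change-ticket id are constructed placeholders, and the snapshots are assumed to be flattened "option path -> value" maps as an inventory tool might produce them.

```python
# Added example (not from the eTIME document): compare today's configuration
# snapshot with yesterday's and report every change that no recorded change
# request accounts for. Snapshots and the ticket id are constructed samples,
# flattened to "option path -> value" as an inventory tool might produce them.
from typing import Dict, List, Tuple

YESTERDAY = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "telnetd.enabled": "false",
    "firewall.rule.10": "allow tcp 443 from 10.0.0.0/8",
    "ntp.server": "ntp1.example.agency",
}
TODAY = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "telnetd.enabled": "false",
    "firewall.rule.10": "allow tcp 443 from 10.0.0.0/8",
    "firewall.rule.20": "allow tcp 23 from any",
    "ntp.server": "ntp2.example.agency",
}
# Changes the administrator recorded in advance (placeholder ticket id).
APPROVED = {"ntp.server": "CHG-0042"}

Change = Tuple[str, str, str, str]   # (kind, path, old_value, new_value)

def diff_config(old: Dict[str, str], new: Dict[str, str]) -> List[Change]:
    """List every added, removed or changed option between two snapshots."""
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            changes.append(("removed", path, old[path], ""))
        elif path not in old:
            changes.append(("added", path, "", new[path]))
        elif old[path] != new[path]:
            changes.append(("changed", path, old[path], new[path]))
    return changes

def unaccounted(changes: List[Change], approved: Dict[str, str]) -> List[Change]:
    """Changes with no recorded request: these must be investigated."""
    return [c for c in changes if c[1] not in approved]

def daily_report(old, new, approved) -> str:
    """One line per change, marked with its ticket or UNACCOUNTED, for the security officer."""
    lines = []
    for kind, path, before, after in diff_config(old, new):
        lines.append(f"{kind:8}{path}: {before!r} -> {after!r} [{approved.get(path, 'UNACCOUNTED')}]")
    return "\n".join(lines)
```

For the separation of duties the document requires, the snapshots and the approved-change list should be written by the administrator's tooling but stored and compared where only security officers can read and retain them.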

OBJECTIVE: Security systems will be evaluated and improved periodically.

STRATEGY: A yearly security audit shall be conducted. At a minimum, this audit shall examine (1) a sample of authorized users to validate their employment and training certification status; (2) a desk review of logs, event response reports, configuration change procedures, and network documentation; (3) a physical review of system and network equipment; and (4) from a sample of interface agencies, remote site audits.
TECHNOLOGY: Audit policy and practice.

STRATEGY: An audit report shall identify system and network strengths and weaknesses. The audit report and response shall be available for review by data service managers.