Understanding CJIS Identification and Authentication
In the previous blog on access control, we discussed the steps an agency should take to restrict unauthorized access to confidential Criminal Justice Information (CJI). In this blog we look at a few further nuances of CJIS Identification and Authentication. An agency must identify the users of its information systems, and the processes that act on behalf of those users, and must authenticate them before allowing access to the agency's information systems or services.
Identification Policy and Procedures
Each user who is authorized to use, access, store, process or transmit CJI data must be uniquely identified. System administrators and users responsible for system maintenance also need to be identified. The unique identifier can be a username, serial number, badge number or a unique alphanumeric identifier. Additionally, agencies should identify themselves uniquely before a user is allowed to access or perform duties on a system. It is the agency's responsibility to ensure that user IDs belong to authorized users; the list must be updated regularly to add new users and remove former users.
Use of Originating Agency Identifiers in Transactions and Information Exchanges
To identify the sending agency and to ensure that the proper level of access is attributed to every transaction, agencies shall use an originating agency identifier (ORI) authorized by the FBI. The identifier used between the State Identification Bureau (SIB), CJIS Systems Agency (CSA) or Channeler and a requesting agency should be the ORI, alongside other identifiers such as an access device mnemonic, a personal identifier or user identification, or the IP address. Agencies acting as a servicing agency perform transactions on behalf of authorized agencies based on the requesting agency's queries. An agency performing inquiry transactions may use the requesting agency's ORI when acting on that agency's behalf. Otherwise, it may use its own ORI to perform inquiry transactions on behalf of another requesting agency only if procedures and means are in place to provide a proper audit trail for the specified retention period. Where the agency performing the transaction is not necessarily the agency that requested it, the SIB/Channeler/CSA must ensure that the ORI for every transaction can be traced through an audit trail to the agency that requested it.
Authentication Policy and Procedures
Once users are uniquely identified by the agency, robust processes and mechanisms are needed to verify them. The SIB/CSA shall develop an authentication strategy that decentralizes the daily administration and establishment of security measures for accessing Criminal Justice Information (CJI). The identity of each user needs to be validated at the CSA, local agency, Channeler or SIB level. This authentication strategy must be part of the agency's policy and audit compliance. The FBI CJIS Division shall identify and authenticate all users who directly establish web-based interactive sessions with FBI CJIS services. For message-based sessions between itself and its customer agencies, the FBI CJIS Division limits its authentication to the ORI and does not authenticate individual users, since that is already done at the SIB, CSA, Channeler or local agency level.
Standard Authenticators
Standard authenticators include biometrics, tokens, personal identification numbers (PINs) and passwords. Users are not allowed to use the same PIN or password in the same logon sequence. A password used to authenticate a user shall meet the following requirements:
1. Shall not be the same as the user ID
2. Shall be a minimum of eight (8) characters in length
3. Shall expire after 90 days
4. Shall not be a proper name or a dictionary word
5. Shall not be displayed during or after entry
6. Shall not be transmitted outside the secure location
7. Shall not be identical to any of the previous ten (10) passwords
Personal Identification Number (PIN)
Where an agency uses a PIN as a standard mode of authentication, all the attributes required of standard authenticators above apply. Where the agency uses a PIN in conjunction with a token or a certificate, the following guidelines apply:
1. The PIN should be a minimum of six (6) digits
2. Should not contain sequential patterns (e.g. 345678)
3. Should not contain repeating digits (e.g. 2233344)
4. Should expire after one year
5. Should not be the same as the user ID
6. Shall not be transmitted outside the secure location
7. Shall not be displayed during or after entry
8. Should not be identical to any of the three (3) previous PINs
There is one exception: when the PIN is used for local device authentication, the only requirement is that the PIN be six (6) digits.
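As an added example, not code from the original post, the password and PIN attributes above expressed as a checker that an enrolment or credential-change flow could call; the sample dictionary, user ID and credential histories are constructed, and the definitions of "sequential pattern" and "repeating digits" are assumptions the post leaves open.

```python
"""Password and PIN policy checks for the attributes listed above.

Added example, not from the original post. The dictionary, user ID and
credential histories are constructed sample data. Two details the post leaves
open are assumptions: a "sequential pattern" is a run of SEQ_RUN consecutive
ascending or descending digits, and "repeating digits" means a digit
immediately followed by itself.
"""
import hashlib
from datetime import date, timedelta

PASSWORD_MIN_LEN = 8
PASSWORD_MAX_AGE_DAYS = 90
PASSWORD_HISTORY = 10

PIN_MIN_LEN = 6
PIN_MAX_AGE_DAYS = 365
PIN_HISTORY = 3
SEQ_RUN = 3  # assumption: three consecutive digits (345, 765) form a pattern

# Constructed sample word list; a deployment loads a full dictionary and a list of proper names.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "justice"}


def digest(secret):
    """Hash used so the history never holds plaintext. A production store
    would use a salted, slow password hash rather than plain SHA-256."""
    return hashlib.sha256(secret.encode()).hexdigest()


def check_password(candidate, user_id, previous_hashes,
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated password rules; an empty list is a pass."""
    problems = []
    if candidate.lower() == user_id.lower():
        problems.append("same as user ID")
    if len(candidate) < PASSWORD_MIN_LEN:
        problems.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    if candidate.lower() in dictionary:
        problems.append("dictionary word or proper name")
    if digest(candidate) in previous_hashes[-PASSWORD_HISTORY:]:
        problems.append(f"matches one of the previous {PASSWORD_HISTORY} passwords")
    return problems


def has_sequential_run(digits, run=SEQ_RUN):
    """True if some window of `run` adjacent digits steps by +1 or by -1 throughout."""
    for i in range(len(digits) - run + 1):
        window = [int(c) for c in digits[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_repeated_digit(digits):
    """True if any digit is immediately followed by the same digit."""
    return any(a == b for a, b in zip(digits, digits[1:]))


def check_pin(candidate, user_id, previous_hashes, local_device=False):
    """Return the list of violated PIN rules; an empty list is a pass.

    local_device=True applies the exception in the post: a PIN used only for
    local device authentication must satisfy the six-digit rule alone.
    """
    problems = []
    if not candidate.isdigit() or len(candidate) < PIN_MIN_LEN:
        problems.append(f"must be at least {PIN_MIN_LEN} digits")
        return problems  # the remaining rules assume a digit string
    if local_device:
        return problems
    if has_sequential_run(candidate):
        problems.append("contains a sequential digit pattern")
    if has_repeated_digit(candidate):
        problems.append("contains repeating digits")
    if candidate == user_id:
        problems.append("same as user ID")
    if digest(candidate) in previous_hashes[-PIN_HISTORY:]:
        problems.append(f"matches one of the previous {PIN_HISTORY} PINs")
    return problems


def is_expired(set_on, today, max_age_days):
    """An authenticator set max_age_days ago or earlier must be changed."""
    return today - set_on >= timedelta(days=max_age_days)


if __name__ == "__main__":
    history = [digest("OldPassw0rd!")]  # constructed one-entry history
    print(check_password("Welcome", "jdoe", history))
    print(check_pin("345678", "jdoe", []))
    print(is_expired(date(2024, 1, 1), date(2024, 3, 31), PASSWORD_MAX_AGE_DAYS))
```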
Advanced Authentication
Where additional security is needed, advanced authentication adds a further layer to conventional user identification and authentication with a login ID and password. These additional measures can be biometric systems, smart cards, hardware tokens, user-based public key infrastructure (PKI) or "risk-based authentication", which covers various advanced processes for authenticating a user.
Advanced Authentication Policy and Rationale
Whether Advanced Authentication (AA) is required depends on several factors, such as the technical, physical and personnel security controls associated with the user's location, and whether CJI is accessed directly or indirectly. AA is not required for users who request CJI from within the perimeter of a physically secure location that meets the technical security controls. Nor is it required if the user cannot conduct transactional activities on state and national repositories, services or applications (indirect access). If these technical security standards are not met, AA should be enforced even when the request for CJI originates within the physically secure location. The original intent of AA is to meet the standard of two-factor authentication, which uses two of three options to authenticate a user: something you know (password), something you have (hardware token) and something you are (biometric).
CSO-approved compensating controls to meet the AA requirement on agency-issued devices such as smartphones, iPads and tablets are permitted. Compensating controls are temporary controls implemented in place of the AA control measures when the agency is unable to meet the requirement because of business constraints or legitimate technical reasons. Compensating controls shall:
1. Provide the same level of security or protection as the original AA requirement
2. Meet the intent of the CJIS Security Policy AA requirement
3. Not rely on existing AA requirements as compensating controls
An elaborate process helps decision makers determine whether AA is required: an advanced authentication decision tree guides them to informed decisions about enforcing AA when users access CJI.
Identifier and Authenticator Management
Agencies should establish identifier and authenticator management processes.
Identifier Management
In order to manage user identifiers properly, agencies should:
1. Identify every user uniquely
2. Verify the identity of each user
3. Receive authorization to issue a user identifier from a competent agency official
4. Issue the user identifier to the intended party
5. Disable a user identifier after a predetermined period of inactivity
6. Archive old user identifiers
Authenticator Management
To manage information system authenticators, agencies should:
1. Define the initial authenticator content
2. Establish administrative procedures for distributing initial authenticators, for handling compromised, lost or damaged authenticators, and for revoking authenticators
3. Change default authenticators after installation of IT systems
4. Refresh or change authenticators periodically
Assertions
Identity providers can also be used to identify individuals and assert their identity to a trusted broker or service; the broker in turn asserts the identity to the service. The assertion mechanisms used to communicate the results of a remote authentication to other parties are either:
1. Digitally signed by a trusted entity (i.e. the service provider)
2. Obtained directly from a trusted entity using a protocol in which the trusted entity authenticates to the relying party with a secure protocol that cryptographically authenticates the user and thereby protects the assertion
Note that assertions generated by a verifier expire 12 hours after generation and are not accepted by the relying party thereafter.
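As an added example (not the post's own code), a relying-party check that models the two assertion properties above: the assertion must carry a tag produced by a trusted entity, and it is refused once 12 hours have passed since generation. The token format, issuer name and key are constructed; HMAC-SHA256 stands in for the digital signature a real broker would apply with a private key.

```python
"""Relying-party verification of a signed identity assertion.

Added example, not from the original post. It models the two assertion
properties listed above: the assertion is signed by a trusted entity, and a
relying party refuses it once it is 12 hours old. The token format (JSON
payload plus HMAC-SHA256 tag, base64url encoded), issuer name and key are
constructed; HMAC stands in for the public-key signature a real broker would
apply (SAML or OIDC in practice).
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ASSERTION_LIFETIME = timedelta(hours=12)

# Constructed trust store: issuer name -> key the relying party trusts.
TRUSTED_ISSUERS = {"broker.example": b"constructed-demo-key-not-for-production"}


def _canonical(payload):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_assertion(issuer, subject, issued_at, key):
    """Trusted-entity side: assert that `subject` authenticated at `issued_at`."""
    payload = {"iss": issuer, "sub": subject, "iat": issued_at.isoformat()}
    body = _canonical(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_assertion(token, now, trusted=TRUSTED_ISSUERS):
    """Relying-party side. Returns (accepted, reason, payload or None).

    Order of checks: well-formed, issuer trusted, tag verifies, issue time
    plausible, not yet expired. Every rejection names the failed check.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        payload = json.loads(body)
    except ValueError:  # also covers binascii.Error and JSONDecodeError
        return False, "malformed assertion", None
    if not isinstance(payload, dict):
        return False, "malformed assertion", None
    issuer = payload.get("iss")
    key = trusted.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        return False, "issuer is not a trusted entity", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "signature does not verify", None
    try:
        issued_at = datetime.fromisoformat(payload["iat"])
    except (KeyError, TypeError, ValueError):
        return False, "missing or invalid issue time", None
    if issued_at.tzinfo is None or issued_at > now:
        return False, "issue time lacks a timezone or is in the future", None
    if now - issued_at >= ASSERTION_LIFETIME:
        return False, "assertion expired (older than 12 hours)", None
    return True, "accepted", payload


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["broker.example"]
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    token = issue_assertion("broker.example", "officer.jdoe", t0, key)
    print(verify_assertion(token, t0 + timedelta(hours=1)))   # accepted
    print(verify_assertion(token, t0 + timedelta(hours=13)))  # expired
```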
That concludes our look at CJIS Identification and Authentication. In the next blog we will discuss the policy area of Configuration Management.
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our offerings combine products from the leading Cloud providers and are carefully designed to meet the emerging technology requirements of Government agencies and Enterprises. As a Cloud Services Broker, we advise on selecting the right solution, implement and maintain it, and offer a single source for billing and support of multiple Cloud products. If you are new to the cloud and not sure how to get started, contact us for a complimentary initial assessment at solutions@doublehorn.com or (855) 618-6423.