Idaho Admin. Code r. 11.10.01.024

Current through September 2, 2024
Section 11.10.01.024 - ILETS SECURITY
01. General Policy. The data stored in the ILETS, NCIC, and other criminal justice information system files is documented criminal justice information. This information must be protected to ensure its integrity and its correct, legal and efficient storage, dissemination and use. It is incumbent upon an agency accessing ILETS directly, or another system that has access to the ILETS network, to implement the procedures necessary to make the access device secure from any unauthorized use and to ensure ILETS is not subject to a malicious disruption of service. ILETS access agencies must participate in ILETS training and compliance activities to ensure that all agency personnel authorized to access the ILETS network are instructed in the proper use and dissemination of the information and that appropriate agency personnel are aware of security requirements and of the dangers to network integrity. ILETS retains the authority to disconnect an access agency or network connection when serious security threats and vulnerabilities are detected.
02. Definitions. The following is a list of terms and their meanings as used in the ILETS security rule:
a. Computer interface capabilities means any communication to ILETS allowing an agency to participate in the system.
b. Firewall means a collection of components placed between two (2) networks that keep the host network secure by having the following properties:
i. All traffic from inside the network to outside, and vice-versa, must pass through it;
ii. Only authorized traffic is allowed to pass; and
iii. The components as a whole are immune to unauthorized penetration and disablement.
c. ILETS Security Officer (ISO) is the department staff member designated by the executive officer to monitor and enforce agency compliance with site and network security requirements.
d. Peer networks are computer interfaces between cooperative governmental agencies in Idaho where none of the participating entities exercise administrative or management control over any other participating entity.
e. Interface agency is an agency that has management control of a computer system directly connected to ILETS.
f. Untrusted system is a system that does not employ sufficient hardware or software security measures to allow its use for simultaneously processing a range of sensitive or confidential information.
03. Interface Agency Agreements. To ensure agencies having computer interface capabilities to ILETS are fully aware of their duties and of the consequences of failure to carry out those duties, a written and binding Interface Agency Addendum must exist between ILETS and all interface agencies. This agreement will clarify that the interface agency is equally responsible for actions by secondary and affiliated systems connected through their site to ILETS. Interface agencies must put in place similar subsidiary security agreements with secondary and affiliated systems to protect its network and ILETS.
04. ILETS Security Officer. The ILETS Security Officer is responsible for the following duties:
a. Disseminating to user agencies copies of ILETS security policies and guidelines;
b. Communicating to user agencies information regarding current perceived security threats and providing recommended measures to address the threats;
c. Monitoring use of the ILETS network either in response to information about a specific threat, or generally because of a perceived situation;
d. Directing an interface agency, through its nominated contact, to rectify any omission in its duty of responsibility;
e. When an agency is unable or unwilling to co-operate, reporting the issue to the executive officer and initiating the procedure for achieving an emergency disconnection; and
f. Provide support and coordination for investigations into breaches of security.
05. Agency Security Contacts. A terminal agency coordinator shall serve as that agency's security contact for ILETS, unless another individual is specifically selected for this purpose and approved by the ILETS Security Officer. ILETS primary sites shall ensure the agency's security contact, or another person or position designated in an incident contingency plan, can be contacted by the ILETS security officer at any time.
06. Peer Networks. The security responsibilities of the operators of peer networks connected to ILETS, with respect to their user organizations, are parallel to those of ILETS user organizations in respect to their individual users. The ILETS Security Officer shall ensure that a written agreement exists between ILETS and an interface agency, signed by the agency heads, that embodies these principles.
07. Physical Security Standards. Interface agencies will observe standards and procedures to ensure security of the physical premises and computing equipment. The minimum standards and procedures include the following:
a. Access to computer rooms will be limited to staff who require access for the normal performance of their duties.
b. Electrical power protection devices to suppress surges, reduce static, and provide battery backup in the event of a power failure will be used as necessary.
c. Computer system backups shall be stored in a secure location with restricted access.
d. Network infrastructure components will be controlled with access limited to support personnel with a demonstrated need for access.
e. Physical labeling of infrastructure components will be done to assist in proper identification. Additionally, all components will be inventoried at regular intervals for asset management and physical protection.
f. An interface agency must create and enforce a password policy in which the agency is responsible for assigning ILETS users a unique password. The password policy must require that a new password be initiated by the user or agency every ninety (90) days.
08. Network Security Standards. User agencies must exercise appropriate security precautions when connecting ILETS and computer systems linked to ILETS with external untrusted systems. The primary objective of such precautions is to prevent unauthorized access to sensitive information while still allowing authorized users free access. The minimum standards and procedures include the following:
a. Agencies must routinely audit for and remove unused or unneeded services/accounts, review accounts periodically, and enforce aggressive and effective password strategies.
b. Agencies must ensure that the software security features of the networks they manage are installed and functioning correctly.
c. Agencies must monitor network security on a regular basis. Adequate information concerning network traffic and activity must be logged to ensure that breaches in network security can be detected.
d. Agencies must implement and maintain procedures to provide the ILETS network adequate protection from intrusion by external and unauthorized sources.
e. No computer connected to the network can have stored, on its disk(s) or in memory, information that would permit access to other parts of the network. For example, scripts used in accessing a remote host may not contain passwords.
f. No connection to ILETS may be established utilizing dial-up communications. Asynchronous communications connections should be limited and tightly controlled as they pose a serious risk because they can circumvent any security precaution enacted to protect networks from untrusted sources.
g. Network management protocols must be limited to internal or trusted networks.
h. Any system having direct or indirect access to the Internet via their computer network must have in place services that allow no access to ILETS from the Internet. Organizations with large distributed Wide Area Networks connecting many remote sites may choose to incorporate many security layers and a variety of strategies. These strategies must incorporate the implementation of a firewall to block network traffic, and restriction of remote user access.
i. Agencies accessing ILETS directly or through another agency, must insure that all telecommunications infrastructure meets the FBI CJIS Security Policy for encryption standards.
j. No routing or IP Network Translations are to be performed on individual access devices. All routing and translation must be performed on a router or firewall device.

Effective March 23, 2022