Privacy, Access and Security

1
Privacy, Access and Security

• Norma Jean Schaefer
• ITC/ISO
• Kansas Bureau of Investigation

2
KBIs current applications

• Law enforcement switch - NCIC/NLETS
• KBI web server - NCIC/NLETS and KS Criminal
  history
• KBI web server - Abstracts criminal
  justice/selected public agencies
• Web based Incident-base reporting statistics
• Sex offenders
• Missing persons

3
KBIs current applications

• Electronic collection of data KIBRS, arrest
  data and KDRs.
• AFIS - Electronic receipt of arrest data and
  fingerprints (livescans).

4
KBIs future applications

• Hot Files BOLO, misdemeanor warrants,
  protection orders, etc.
• Web server Sell abstracts to the public.

5
Privacy

• KBI is investigating releasing to the public
  arrest only data (in abstracts), not just
  convictions.
• Concerns on how we will query names from the
  repository for these public abstracts Name,
  SSN, date of birth.

6
How do our customers access these applications?

• Internet

7
KBI security objectives

• Protect systems and data at the KBI.
• Firewall
• Protect the transmission on public networks.
• Encryption
• Identify the user.
• Strong Authentication
• Identify the device used in the transaction.
• PKI

8
Security challenges

• Educating users about security.
• Educating policy makers about security.
• Educating network providers about security.
• Getting vendors to implement security in their
  systems (AFIS)
• Microsoft NT - Outlook

9
Security challenges

• Incorporating security into new and legacy
  applications.
• Using strong authentication in all applications.
• KISS.
• Maintaining the security system physically and
  financially.
• Staffing.

10
Policy challenges

• Create policies for convenience.
• Create policies to say we have policies.
• Thick versus thin.
• We have created policies but no way to enforce
  them or audit them.

11
I wouldnt change a thing!

• Kansas has been operational 20 months.
• 6000 users
• 700 desktops

12
Conclusion

• Are we secure today?
• Will we be secure tomorrow?
• Is using the Internet worth the risk?

13
KBI Security Philosophy

• A good security plan will address security
  objectives and policies. Our mind set is that we
  really do not have a security system, rather an
  on-going security plan and direction. Our
  security system is simply where we are at any
  given moment.
• - Ron Rohrer, KBI