Table of Contents

1.0 Introduction. 3

1.1      Purpose. 3

1.2      Resources. 3

1.3      Period of Applicability. 3

2.0 NCAtrak Overview.. 4

2.1      System Functionality. 4

2.2      System Technology. 5

2.3      NCA’s Technical Partner 5

3.0 Policies and Procedures. 6

3.1      Governance Policies and Procedures. 8

3.2      Operations and Maintenance Policies and Procedures. 10

3.3      Subscriber Services Policies and Procedures. 13

3.4      Security Management Policies and Procedures. 15

Figures

Figure 3.1: Responsibilities and Roles. 8

Figure 3.2: Service Management Reviews. 11

Figure B.1: Security Oversight 18

Figure B.2: Responsibilities and Roles. 20

Figure B.3: System Components and Access. 22

Appendices

Appendix A: Minimum Hardware and Software Specifications

Appendix B: Security Management Plan (SMP)

RECORD OF CHANGES

1.0 Introduction

NCAtrak is a computerized case tracking system developed to help Children’s Advocacy Centers track case specific information in a user-friendly manner.   NCAtrak development was funded through a cooperative agreement provided to National Children’s Alliance (NCA) by the U.S. Department of Justice, Office of Juvenile Justice and Delinquency Prevention (OJJDP).  NCA is responsible for the oversight of NCAtrak development, operations, support/ implementation services and maintenance. 

1.1     Purpose

NCA developed the NCAtrak Policies and Procedures for Beta Test Participants documentation to assist CACs in achieving a smooth NCAtrak implementation. This document provides all stakeholders with information about how NCAtrak is to be operated and maintained, including how to use and protect the data stored in the system.  Roles and responsibilities of individuals involved in managing, using or reviewing NCAtrak are clearly defined throughout.

1.2     Resources

Best Practices for information technology operations and maintenance were utilized to develop these policies and procedures, including those defined in the Information Technology Infrastructure Library (ITIL)[1]. These standards are globally recognized as providing the common language and de facto standards for information technology Infrastructure and Service Management.

Additionally, the security policies and procedures defined throughout this document were developed based upon:

• Recommendations inherent within the Code of Practice for Information Security Management (Guidelines for Management and Implementation), UK,
• Guidelines for information security  developed by the USA National Institute for Standards and Technology (NIST),
• Recommendations of the SysAdmin, Audit, Network, Security (SANS) Institute,
• policies and procedures from SAIC Internal Computer Security and Usage Policy, and
• Recommendations defined within the Healthcare Information Portability and Accountability Act (HIPAA) Privacy and Security Rules[2].

1.3      Period of Applicability 

NCAtrak Policies and Procedures for Beta Test Participants are in effect from October 1, 2004 – December 31, 2005 and are subject to change if necessary to protect the security of NCAtrak data and/or to improve the process of using NCAtrak for users.

2.0 NCAtrak Overview

NCAtrak is not designed to collect every piece of information generated by any agency involved in the investigation of abuse allegations or provision of services to child abuse victims. It is designed to allow CACs to meet the Case Tracking Standard for NCA accreditation and to ensure that children’s cases are followed throughout their involvement with the CAC and the criminal justice system. It is designed to help your team coordinate and share information so you know what has been done, and what still needs to be done to help a child through these difficult circumstances.

2.1     System Functionality

There are three primary functions of NCAtrak:

• Case Tracking

NCAtrak is designed to allow case information to be recorded and stored electronically in a secure database, and shared only by authorized personnel from agencies participating in the local CAC Multidisciplinary Team (MDT). The MDT typically includes Law Enforcement, Child Protective Services, Medical Services, Mental Health Services, Victims Advocacy, Prosecution, and the CAC.  The system allows CACs to determine who can view and/or edit their case data.   NCAtrak allows the team to:

·       know when a new case is created,

·       electronically refer a case for services to any other agency involved in the investigation or provision of services to the child,

·       track the progress of the child’s case as forensic interviews, medical exams, and MDT meetings are held, and

·       continue to track the activities supporting the child’s case until all agencies have completed their tasks and closed their case, including therapy, VA services, and all court activities,

·       view automatically generated reports within each case record that display information about the status of services offered to the child be each agency, results of case review, and results of the investigation, and

·       generate custom case reports that display just the needed data or a comprehensive report.

• Statistical Reporting

NCAtrak provides the team with the ability to easily generate electronic reports in support of center management efforts, case service oversight, national statistical research (i.e., the NCA bi-annual report), and statistics for funding reports (i.e., VOCA reports).

• Searching

NCAtrak provides the team with the ability to search the database by child, offender, case number and many other search criteria.  Cases related to the same incident of abuse or the same offender can be linked together for easy identification. The team can track any person across multiple cases.

2.2     System Technology

On-line, Full Service, Secure System

NCAtrak is available to CACs on-line. This format provides several key benefits including:

• easy accessibility for authorized  team members from authorized locations to improve case collaboration and scheduling,
• two-way data encryption for all data transmissions,
• minimal CAC equipment investment requirement,
• 24/365 security monitoring of infrastructure storing NCAtrak information at a fraction of the cost such levels of protection would incur if purchased by individual CACs, and
• data confidentiality and privacy managed at the local CAC level.

NCAtrak's web-based design gives CACs easy accessibility to the tools needed to improve the integrity of their case tracking data, increase communication between personnel working to investigate a case, and increase the availability of case records/historical data to improve investigation efforts.

CACs subscribe to the system and receive a full package of services that are provided to maintain, support, and secure the system as well as technical support.

Alternative Access – Software License

Some CACs may already have access to the type of technical facilities, hardware, and expertise necessary to host the application and database themselves. NCAtrak will also be made available in a format CACs can host with technical expertise and network resources supplied by the CAC. NCA’s primary goal is to get the on-line version operational, and then will work on a software license version.   Policies and procedures appropriate to the license format will be made available along with the software.

2.3     NCA’s Technical Partner

NCA has chosen to partner with Science Applications International Corporation (SAIC) to develop, host, operate, and maintain the NCAtrak System. As a leading provider of IT services and Information Security Service to the U.S. Government, SAIC provides all the benefits of a professional, physically secure web-hosting/application maintenance service provider with 24/365 security monitoring and response.  SAIC is a leading provider of IT Security to the Federal Government and has the facilities and experience to provide the services and meet the security requirements described in these policies and procedures. 

A few, select SAIC personnel are authorized to support NCAtrak only after signing non-disclosure agreements, completing a criminal background check, and receiving training regarding NCAtrak polices and procedures. The NCAtrak Management staff from SAIC, including the Project Manager, and the Security Officer for NCAtrak will participate in the NCAtrak Governing Board, NCAtrak Training, and will be available to CAC Directors.  

3.0 Policies and Procedures

Policies and Procedures are divided into policies relating to Governance, Operations and Maintenance, Subscriber Services, and Security Management. The chart below [See Figure 3.1] is provided to help the user of this document locate their areas of responsibility. The details of each policy follow throughout the remaining portion of this document.

Figure 3.1: Responsibilities and Roles

3.1     Governance Policies and Procedures

Oversight of NCAtrak

Policies:

1.     NCA is responsible for the oversight of the development, operation, support and maintenance of NCAtrak.

2.     NCA will create a governing board to assist with the oversight of NCAtrak.  

3.     NCA will appoint an NCAtrak Project Director who will coordinate and chair the NCAtrak Governing Board.

Procedures: 

·       NCA will utilize the expertise and counsel of NCAtrak users, technicians, and others, to provide leadership and guidance for the operations of NCAtrak.

·       The NCAtrak Governing Board will review performance reports, incident/problem reports, and change requests and make recommendations about how to maintain and/or improve the quality of the NCAtrak system based upon the total risks and benefits to the user CACs, the needs of CAC clients, available funding and/or opportunities to raise desired funds, and applicable legislation.

·       The NCAtrak Governing Board will meet face-to-face at least once annually and will have a minimum of 4 meetings to make recommendations during the course of a year. The Board may meet via electronic means, such as Web-ex, throughout the year.

Service Provider Oversight

Policies: 

4.     NCA is responsible for negotiating and managing service level agreements (SLAs) with any vendors that provide services in support of the operation of NCAtrak.

5.     All service level agreements (SLAs) must remain in compliance with the current version of the NCAtrak Policies and Procedures for Beta Test Participants.

Procedures:

·       NCA has engaged SAIC to provide system development, web-hosting operations and application maintenance. NCA is responsible for managing the contract with SAIC and for negotiating and managing SLAs with SAIC.  If either NCA or SAIC should decide not to renew their contract for these services, NCA will assume responsibility to procure these services from a qualified technical partner.

·       As future changes to the polices and procedures for NCAtrak are planned, or if changes to service levels are indicated by external factors (such as changes in technology, security, laws), NCA will coordinate needed changes with SAIC and modify the SLAs as appropriate to meet new NCAtrak needs.

·       NCA will implement a transition plan if a need arises to change technical partners so that down time for the system will be kept at a minimum and will occur during non-business hours.

Fiscal Management

Policy:  

6.     NCA will maintain responsibility for collecting any and all charges from CACs who use NCAtrak including the annual subscription fee required of all CACs utilizing NCAtrak.    

Procedures:  

·       NCA will invoice CACs using NCAtrak annually at the beginning of the calendar year.  CACs that begin using NCAtrak during the year will pay a pro-rated charge for that year and then will be charged on an annual basis.  

·       CACs will be required to pay an annual subscription fee.  The cost of the software, upgrades, and new releases as well as maintenance, hosting, initial training, and on-going support are all part of the fee.  The fee cannot be broken down, but is rather a complete charge.  The subscription fee will be guaranteed for a three-year period of time.  CACs will only have access to NCAtrak if they are in good standing with NCA.

3.2     Operations and Maintenance Policies and Procedures

Service Management

Policies:

7.     NCAtrak operations will be monitored and addressed through the use of performance logs and reports.  

Procedures: 

·       Routine performance reports (including but not limited to audit logs, activity logs, performance reports, incident reporting log, change request log, and automated monitors of server, firewall, and application performance [see Figure 3.2]) will be reviewed on a quarterly basis. The NCAtrak Governing Board will evaluate NCAtrak overall operations annually. Incidents, problems, and change requests will be prioritized based upon the threat or breach of security or performance standards and will be addressed by NCA and/or SAIC as a function of the daily operations and maintenance of NCAtrak.

·       Reports Access authorization for the logs and reports listed in Figure 3.2 will be made by NCA based upon the impact to system security to limit the potential of a leak and/or exploitation of potential system vulnerability.

Figure 3.2: Service Management Reviews

Availability, Performance, Capacity

Policies:

8.     Reasonable efforts will be made by NCA to keep NCAtrak available, performing solidly and able to track as many cases as each CAC data needs.

9.     Planned maintenance activities affecting system functionality or requiring system downtime will be scheduled to create the least impact during CAC business hours.  

Procedures:

NCA Service Level Agreements (SLAs) with SAIC stipulate:

·       reasonable effort will be made to have NCAtrak available on a 24/365 basis

·       SAIC will ensure network availability at 99% excluding planned outages and events outside of SAIC’s control, (including but not limited to non-performance by carriers and vendors, acts of war, or acts of God),

·       the standard maintenance window for scheduled downtimes is every Thursday between 5:00 a.m. – 7:00 a.m. EST,

·       standard maintenance that cannot occur during the maintenance window will be scheduled with 1-week prior notice,

·       SAIC holds SLAs with various carriers and vendors, (for example, providers of electrical and technical underpinnings for NCAtrak), and that these stipulate a 2-hour outage response, best effort resolution, with escalation every 2 hours,

·       SAIC will monitor NCAtrak servers for performance issues impacting the capacity of NCAtrak, and other documented abnormalities.  Alerts will be communicated to NCA via email or phone call within 24 hours of recognition of the alert,

·       SAIC will provide routine maintenance to the network, servers, and application, and software.

·       SAIC will maintain a Service Desk available by telephone or email for use by NCA and CAC Executive Directors or their designee to report and discuss NCAtrak maintenance needs.

Business Continuity Planning

Policies:

10.  NCA will define specific plans for restoring case tracking capabilities in the event that an uncontrollable interruption of service occurs (for example, a power outage, a natural disaster, or an act of terrorism).

Procedures:

NCA Service Level Agreements (SLAs) with SAIC stipulate:

·       SAIC will create a back-up version of the database and store that back-up in an off-site location

·       SAIC will configure and maintain a NCAtrak fail-over server in a manner that will provide an option for restoring NCAtrak on-line during a failure of either the web-server or the database server to maintain up-time while the down server is being repaired.

·       SAIC is insured for equipment replacement due to typical loss, (fire, flood, act of terrorism, etc.). It is understood that SAIC cannot predict, price, or provide warranty against every possible interruption or loss of service, however, SAIC will make reasonable efforts to restore services as soon as possible.

·       SAIC will communicate outage problems, anticipated resolution time and resolution status to NCA via email and/or phone alerts when problems occur and continually as updates become available.  If an outage occurs during business hours, NCA will notify CACs of the outage and anticipated resolution time.

·       SAIC will provide for the possibility of a need to back-out and restore a prior version during a change to the application or database.

Change/Release Management

Policy: 

11.  CAC Executive Directors will be able to request changes simply and easily.

12.  All changes to the system will be reviewed by the NCAtrak Governing Board and a decision to approve the change will be made by NCA based upon the total risks and benefits to the user CACs, the needs of CAC clients, available funding and/or opportunities to raise desired funds, and applicable legislation.

Procedures: 

·       All Change Requests will be managed using a system requirements management tool. CAC Executive Directors and designees will be able to log suggestions for changes through NCAtrak.

·       Prior to changes being made, an impact assessment will be completed to determine the impact to assets, users, security, services and support functions as well as the cost of the changes. If a need arises for a substantial change to the core functionality of the system, (for example, a significant change in the laws that govern Child Abuse, a significant change in technology, etc), CAC Directors using NCAtrak will be contacted and provided with an opportunity to participate in the discussions leading to approval of a final plan of action. NCA Approved changes will be grouped together as appropriate into releases for final cost, schedule, and work planning. Changes to the software and/or hardware that require new software development or a new technical architecture will be organized into detailed requirements. A design approach will be developed and approved by NCA. The work will be completed, tested, and prepared for release.  NCAtrak users will be notified when a new release is ready to roll-out if the release will impact the user’s interaction with the application, or if the release will require CACs to perform new or additional tasks in administering their use of the system at their location.  

Configuration/Asset^[3] Management

Policy: 

13.  A complete listing of all of the hardware, software, and documentation for the NCAtrak system will be maintained in order to manage versions, licenses, and security classifications for each. Back-ups of the database will also be logged and dated.

14.  Any desired modifications to NCAtrak assets will require an impact assessment to determine the overall impact of the change to all other assets. If modifications or changes are approved, a unique identifier will be assigned to each new version of each asset impacted as it is modified or changed and a copy of the old version will be maintained as appropriate.

Procedures: 

·       A Definitive Asset Library will be developed and maintained by NCA’s Technical Partner (SAIC) to define to indicate at any given moment the most current version in use as well as to provide a record of all previously authorized versions of each asset and the dates they were in use.

·       Impact assessments will be conducted by NCA, NCA’s Technical Partner, and/or the NCAtrak Governing Board as appropriate for the desired change.

3.3     Subscriber Services Policies and Procedures

Basic Service Package

Policies:

15.  NCA will define a package of basic services identifying those services that each CAC will receive when purchasing access to NCAtrak. The NCAtrak Governing Board will review the Basic Service Package annually for needed enhancements and/or modifications.

16.  Should a need arise for a significant change in these services, including but not limited to new Child Abuse laws and new security threats to the NCAtrak technology, NCA will notify all CAC Executive Directors using NCAtrak of the issues and impact to the Basic Services.

Procedures: 

·       Basic Services will be designated by a period of performance. See Appendix A for more information about basic services for the period of October 1, 2004 – September 30, 2005.

Training and Customization

Policies:

17.  NCA will provide training for CACs in multiple formats.

18.  NCA will aid each CAC in basic customization of the system to meet specific needs.

Procedures:  

NCA will partner with SAIC to provide training and customization services.  Training will be provided to CACs in the following formats:

·       Classroom Training/Customization Workshop: NCA will provide each CAC two days of hands-on training and customization services. This training/customization workshop is mandatory for each subscribing site.  Up to two representatives from each CAC may attend the workshop, which will be held in SAIC’s Oak Ridge, Tennessee facilities. Training costs will be covered by NCA; travel costs will be the responsibility of the CAC. CACs will not be able to begin using the system until they have completed the training.  To ensure this training event is as helpful as possible, initial customization for each CAC will be completed prior to training.   To aid in this process, customization materials will be completed by the participating CAC prior to the training event.   At the completion of this training:

·       participants will have a working knowledge of how to use NCAtrak

·       participants will have the materials and knowledge to training local professionals using the system

·       participants will learn to customize NCAtrak to fit the needs of their community.  

·       NCAtrak Expert Conference Services: NCA will provide each subscribing CAC up to three hours of expert phone help after the CAC has participated in the Classroom Training/Customization Workshop. This expert help can be used to obtain additional customization support, help train additional CAC staff, or simply obtain answers to questions.

·       Online Training: NCA will provide online training seminars via SAIC at various times to supplement the classroom training/customization workshop. Online training events can be utilized by CAC staff as ‘refresher’ courses or to help train additional CAC staff on NCAtrak.

Transferring Data

Policy:  

19.  CACs will have options regarding how to transfer data from existing case tracking systems.

Procedures:  

·       CACs with a case tracking system containing data that the CAC feels confident has integrity, may want to migrate that information into NCAtrak.  SAIC can help complete this migration electronically to allow the CAC to avoid an extensive data entry effort. CACs are responsible for the full cost of any data migration activities they may want to purchase in addition to their basic services.

·       Requesting CACs will be provided with a cost estimate on any additional services prior to the service initiation.  

3.4     Security Management Policies and Procedures

Security Roles and Responsibilities

Policies:

20.  NCAtrak security is the responsibility of NCAtrak users, the NCAtrak Governing Board, the Technical Partner, and all technical personnel supporting computer services at the local CAC and/or their partner agencies.

21.  NCA will appoint a NCA Security Officer for NCAtrak and endow them with oversight responsibilities/authority for the implementation and enforcement of security policies and procedures.

22.  CACs will appoint a Security Officer at their center to assist users with security at their center.

23.  The Technical Partner will designate a Security Officer for NCAtrak operations and maintenance to oversee security at the computer center.

Procedures:

·       The NCAtrak Security Officer will serve on the Governing Board, and will have a direct line of contact with the SAIC Security Officer 24/7.

·       Training materials regarding security responsibilities will be provided to all users of the system and technicians supporting the system, or computers used to access the system.

Security Management Plan[4]

Policies:

24.  A security management plan (SMP) will be developed, documented and implemented in order to prevent, detect, contain, and correct security violations [See Appendix B].

25.  Security roles, responsibilities and approaches will be clearly defined and documented in the SMP.

26.  The NCAtrak Governing Board will be responsible for ensuring that the SMP remains current, accurate and applicable.  

Procedures:

·       The NCAtrak Security Management Plan [Appendix B] was developed to define security procedures in detail and to identify and guide the implementation of security measures sufficient to reduce the risks and vulnerabilities for NCAtrak to a reasonable and appropriate level. The SMP defines the procedures and responsibilities for planning, implementing, evaluating, maintaining, reporting, and overseeing all aspects of NCAtrak security.  The Security Management Policies documented here and the SMP are specific to NCAtrak and are not designed to address all of the information security needs of a CAC. For example, there are no polices or procedures for storing forensic interview media at the CAC facility.

·       The SMP will be evaluated annually and the NCAtrak Governing Board will review the results of the evaluation. When changes are recommended, an impact assessment will be conducted and reviewed by the NCAtrak Governing Board prior to implementing the changes.  Changes to the SMP will require the approval of the NCAtrak Security Officer.

Appendix A

Minimum Hardware and Software Specifications

• Windows Operating System (2000, NT, or XP)
• Minimum 64 MB RAM
• Microsoft Internet Explorer 6.0
• Internet connectively from your local provider
• Adobe Acrobat Reader V. 6.0 or higher for reports
• Some type of virus/firewall protection
• Security Certificate (provided by NCAtrak)

Note: Numerous freeware peer-to-peers file sharing software programs such as Gnutella, Morpheus, Bearshare, or KaZaA facilitate file sharing over the Internet. The use of these types of programs is not acceptable for use on computers used to access NCAtrak. Only software approved by the CAC or MDT organization’s Director of IT Security may be used. If unsure, please contact the NCAtrak service desk. 

Appendix B

Security Management Plan

The Security Management Policies contained in the body of this document (see Section 3) and the Security Management Plan (SMP) defined in this appendix, are specific to NCAtrak and are not designed to address all of the information security needs of a CAC. For example, there are no polices or procedures for storing forensic interview media at the CAC facility. These polices and procedures have been developed based upon recommendations of the Code of Practice for Information Security Management (Guidelines for Management and Implementation), UK; USA National Institute for Standards and Technology (NIST) guidelines for information security; the SANS Institute; and HIPAA Privacy and Security Rules.  CACs can refer to these and many other references to assist them in the development of comprehensive information security plans for their centers.

B.1 Overview 

NCAtrak policy 22 requires that a security management plan be developed, documented and implemented in order to prevent, detect, contain, and correct security violations. The process of defining these procedures was informed by the risk assessment and mitigation planning efforts conducted by NCA and SAIC during the Development and Pilot test of NCAtrak. 

Security management is an on-going process of monitoring and identifying new risks. These procedures are designed to create a continuous cycle of implementing procedures, reporting and responding to incidents that threaten security, evaluating the effectiveness of the response and of the overall policies and procedures, and planning for modifications that are needed to address new security threats or improve security measures. 

Figure B.1: Security Oversight

B.2 Roles

Security is everyone’s responsibility. To simplify the assignment of responsibilities the following role definitions are specifically documented:

§  NCAtrak Governing Board – Responsible for oversight, conducting evaluations, reviewing results of impact studies, and planning for security NCAtrak needs of.

§  NCAtrak Security Officer – The NCAtrak Governing Board Chairperson is also the NCA Project Director and the NCA Security Officer for the NCAtrak system. This individual is responsible for implementing security procedures at NCA and overseeing the implementation of the contract with NCA’s Technical Partner (SAIC) as it relates to security procedures.

§  CAC Security Officer – Each CAC will identify one individual who will serve as a Security Officer within the CAC. This individual will have the responsibility for implementing security procedures for NCAtrak at the local CAC.  Their responsibilities extend to all of the personnel they authorize to access NCAtrak_, including local technicians supporting the use of NCAtrak for the center. The CAC Security Officer is not required to be experienced in information security but must be a trustworthy person who can oversee the implementation of procedures. 

§  SAIC Security Officer – SAIC will assign a person with the role of being the Security Officer for NCAtrak operations and maintenance. Their responsibilities also extend to all of the personnel they authorize to access NCAtrak and to those who do not have authorization to access the system but do provide for the infrastructure that supports NCAtrak operations. SAIC employees are governed by the SAIC Policy for Computer Usage and Security that meets the requirements of the NCAtrak Policies and Procedures for Beta Test Participants. 

B.3 Responsibility Overview

The NCAtrak SMP is divided into four sections, General Practices, Personnel Security, Physical Security, and Technical Security. Each section contains several sub-sections detailing specific security procedures, organizational responsibilities, and how the organizations coordinate with one another in implementing this procedure.  Below is a table that can be used to quickly locate areas of responsibility for each organization.  A “√” checkmark is used to indicate the organization(s) responsible for a specific procedure. 

Figure B.2: Responsibilities and Roles

B.4 Areas of Responsibility: General Practices

B.4.1 NCAtrak Asset Classification and Access Management 

Due to the nature of the information managed with NCAtrak_, some assets^[5] are considered to be “private and confidential” requiring specific authorization for access.  See Figure B.3 for a list of the assets and corresponding authorization methodology. 

Figure B.3: System Components and Access

NOTE: Reports generated from NCAtrak data and stored in any transferable format are considered private and confidential.  However, since the material is no longer within the boundaries of the NCAtrak database, the practices defined in the SMP no longer apply.   Local CAC security policies apply to this form of the data. 

All staff of NCA’s Technical Partner (SAIC), accessing any NCAtrak asset will be required to complete a criminal background check and non-disclosure agreement.   Access will be granted to staff of NCA’s Technical Partner based on the job duties of the staff requiring access. Authorization is based upon a “Need to Access” basis and not automatically granted to all. The Project Manager for NCAtrak at SAIC will maintain and make available to NCA, a list of staff with clearance as described above, their role in support of NCAtrak, and what they are authorized to access. l

B.4.2 Security Incident Reporting and Response 

A security incident is any event that violates the security of the hardware, software, or data caused by unauthorized action to access, modify, destroy, or disclose NCAtrak resources.  A security incident can be initiated deliberately or accidentally. It can be committed by an outsider (such as a hacker) or by an insider (such as an employee, a member of the MDT, or contracted technical support). 

NCA’s incident reporting and response plan includes 5 phases: 

1. Detection and Notification: NCAtrak utilizes multiple levels of system monitoring logs, and firewall monitoring tools to protect the system from successful intrusion by unauthorized persons. These tools are implemented by SAIC, 24 hours a day, 7 days a week. In the event that SAIC identifies a breach of security, SAIC will take appropriate immediate action and notify NCA as soon as possible. SAIC will also log the breach in the NCAtrak on-line incident log as soon as possible, and/or once the incident is contained. 

System users are also important to “front line” detection of potential security incidents.  If at any time, a user detects something that causes concern about the security of the system, the user should notify the CAC Security Officer. The user does not have to determine if the threat is valid or real. The user is only responsible for notifying their CAC Security Officer. If the Security Officer believes the threat to be immediate and a breach of security, he or she will immediately notify the NCAtrak Service Desk by phone, and log the incident in the on-line incident log after notifying the service desk. 

2. Assignment and Triage: Incidents phoned in to the Service Desk will be given a priority ranking by SAIC based upon their level of impact to security and system performance and will be addressed based upon that ranking. 

·       High - indicates an actual breach of security and data compromised

·       Medium - indicates a serious threat but no known breach of security

·       Low - indicates a potential vulnerability that may need investigation and possible mitigation.

The Incident log will also be routinely reviewed by SAIC as a function of their provision of NCAtrak Operations and Maintenance. These incidents will be given a priority ranking as well, using the same criteria listed above. 

3. Containment: The goal of containment is to take action to protect the data and reduce the opportunity for unauthorized access.  SAIC has authority to respond as needed to threats to or violations of security and then report as soon as possible to the NCAtrak Security Officer regarding the steps taken. When an incident is brought to the attention of SAIC, SAIC will work with NCA to coordinate response activities within SAIC, with NCA, and the impacted CACs, including when needed, coordination of disaster recovery procedures and contingency planning.  

NCA reserves the right to take the system off-line temporarily and/or deny access to a CAC and/or an individual when it is determined that it is necessary to protect the security of case records. NCAtrak will be restored on-line, and/or access approved again once the security threat has been addressed and reduce to an acceptable level.

4. Incident Investigation, Evidence Collection, and Analysis: SAIC will provide the NCAtrak Governing Board with post-incident findings so that steps can be taken if needed to resolve additional potential vulnerabilities  and prevent similar incidents from occurring in the future. For security purposes, access to the log details will be limited to the NCAtrak Staff at SAIC and the NCAtrak Security Officer. CAC Security Officers will not be notified of incidents unless the incident has resulted in a security violation that requires a response on the part of their CAC.  However, CAC Security Officers will be notified if an incident is logged from their CAC and will be able to participate in the resolution of that incident.

5. Remediation and Recovery: All actions approved by the NCAtrak Governing Board will be implemented to address residual vulnerabilities and prevent similar incidents in the future. 

B.4.3 Contingency Plan

The objective for the operation of NCAtrak is to keep the data available for CAC access 24/7/365, regardless of extenuating circumstances (i.e., equipment failure, fire, flood, tornadoes/high winds, earthquake, terrorist actions, social engineering and sabotage). SAIC’s security management focuses on prevention and risk mitigation—monitoring for and isolating potential vulnerabilities.   Some incidents are impossible to avoid and thus contingency planning is critical.

Contingency planning for NCAtrak  addresses ways to respond in the event of an incident that has the potential to cause damage or destruction to NCAtrak  or the data in the system – specifically, how we can protect and plan for events that might impact NCA servers. 

·       Data Back-up Plan: The NCAtrak servers are designed with several hard drives that automatically back-up each other to protect against a disk failure. In addition, copies of the encrypted NCAtrak  database are made and transported to a separate, physically secure storage location on SAIC property every week so that in the event of damage to the physical computer room, we will have a copy of the all the data in the system up to the most current week’s entries.

·       Disaster Recovery/Emergency Mode Operation Plan: The primary objective is to enable network operations for NCAtrak to survive a disaster and to re-establish normal business operations within a reasonable time frame. NCAtrak servers are also configured to provide for failover in the event of an equipment failure. SAIC’s staff will respond and engage the failover set-up and contact the hardware vendor for repair and/or warranty support if needed. 

SAIC has documented Emergency Procedures.  In the event of an emergency or disaster, SAIC will begin implementation of these procedures and contact the NCAtrak Security Officer as soon as possible. The NCAtrak Security Officer will communicate with CACs and keep them informed regarding the status of recovery and operations. The Emergency Procedures address the following:

• Activating the Disaster Recovery Plan
• Appointing a Recovery Manager
• Determination of Personnel Status
• Appointing Disaster Recovery Teams
• Protection of Resources 
• Local Area Network Recovery
• Wide Area Network Recovery
• Server Recovery
• Workstation Recovery
• Equipment Salvage and Damage Assessment
• Emergency Procurement Procedures

SAIC’s Emergency Procedures are reviewed and tested annually to be sure that all applications and data critical to recovery and emergency operations are accessible and that the plans are adequate to address potential situations.

Resources outside the control of SAIC, NCA, and CACs are also used to maintain the connectivity and access to NCAtrak, (for example, the electric company, the internet service providers, etc.) CACs should take measures to provide for access to case data that they might need in the event of an emergency that impacts one of these types of services making NCAtrak unavailable for an extended period of time. 

B.4.4 Evaluation of Security Plan

The NCAtrak Governing Board will conduct an annual evaluation of the security plan by seeking and compiling feedback from Security Officers, Users, and the NCA Governing Board and by reviewing the information contained in on-going security reports. The NCAtrak Governing Board will review these findings and any recommended changes will be defined. An impact assessment will then be conducted to determine efficacy and implementation strategy for any changes to the plan.  Final implementation of approved changes will take place after the assessment is completed.

B.5 Areas of Responsibility: Personnel Security

B.5.1 Security Awareness Training and Reminders 

It is the responsibility of the CAC Security Officer at each location using and/or supporting NCAtrak to ensure that the local staff has security training prior to using the system and at least one time annually thereafter.   NCA will provide the following resources to aid CAC Security Officers in this effort:

§  Classroom Training/Customization Workshop provided for each CAC prior to NCAtrak usage will provide training for two CAC representatives and assist participants in identifying ways to provide security training and provide reminders to their local users_.

§  NCA will provide on-line training on a variety of NCAtrak topics (including security) throughout the year. 

§  NCAtrak NEWS displays on each user’s homepage and is available for all Security Officers to post local security reminders and/or bulletins. 

B.5.2 Authorization, Supervision, and Termination Procedures for NCAtrak Users and technical support

Authorization: 

The NCAtrak Security Officer provides initial authority for any organization or person desiring to interact with NCAtrak. This authorization is limited to NCA, the NCAtrak Governing Board, SAIC as the Technical Partner, and CACs. In the case of CACs desiring to use NCAtrak, the Executive Director will apply for a subscription to NCA. Once a CAC is approved to access NCAtrak, NCA will notify SAIC so that the set-up for the CAC can be initiated. SAIC will ask the Executive Director of the CAC to provide the name of the person who will be responsible for the initial set-up of NCAtrak in their center; this person will also serve as the CAC Security Officer. This person should have working knowledge of the CAC’s team needs. A technician is not required. This access authorization provided by SAIC will be full access to customize the system for the local CAC. 

The CAC Security Officer provides authorization for all local users by creating a user account for each individual that will have access to the system, and by installing a security certificate on each computer that will be used to access NCAtrak. These two acts authorize who can access the system, what type of data they can access, and where they are located when they are accessing the data. For example, the CAC can assign a CPS case manager the ability to access NCAtrak for their CAC, edit all CPS data, and view all other case record data, from the computer terminal that is located at their desk at the CPS office. This means that the CPS case manager would NOT have access to any other CAC data, and that the CPS case manager would NOT be able to access NCAtrak from home.  

Step-by-step instructions for establishing these authorizations are defined in the NCAtrak training materials and CACs will have time to create their roles and responsibility structures during the Classroom Training/Customization Workshop.  NCA and SAIC will provide an opportunity for the CAC’s Team to participate in a conference call to discuss how their MDT coordinates and shares data, so that the CAC can set up adequate roles and privileges in NCAtrak for MDT users as desired. This process of setting up roles and types of access will continue during training.  The CAC will be required to send a representative to training, (preferably the Executive Director and Team Coordinator, CAC Security Officer, or primary data entry personnel). 

AT NO TIME WILL SAIC OR NCA AUTHORIZE OR PROVIDE ACCESS FOR ANYONE TO ANY CASE RECORD OR ADMINISTRATIVE DATA OTHER THAN THE DATA ENTERED BY THEIR OWN CAC, AND AS AUTHORIZED BY THEIR OWN CAC.

Supervision:

The CAC Security Officer will assume the following responsibilities for their local users: 

·       Using NCAtrak, authorize local users to have access by setting up their account.

·       Using NCAtrak, assign each user a role and types of access for each separate part of the Case Record data as well as for other administrative functions within NCAtrak

·       Provide the user with training about security prior to providing access to NCAtrak

·       Request from SAIC and install a security certificate on each approved user’s computer

·       Assess the level of access needed by technical support staff and provide training and supervision accordingly. For example, a technician might be responsible for installing virus protection software on computers that are authorized for accessing NCAtrak. In this case, the technician does not require access to the application or to any case record data. In another instance, the technician might be tasked with helping to pull reports together. There is a significant level of access to data required by technicians; therefore the person chosen for this task should meet the CAC criteria for being able to access case records. 

Termination:

·       CAC Security Officers for NCAtrak must disable accounts of users who no longer require access due to a change in role for the MDT, termination, or when indicated to address a security threat. This is done on-line within NCAtrak.

Security Officers for NCA and for SAIC are responsible for completing authorization, supervision, and termination procedures for each authorized user at their sites. 

B.5.3 Password Management 

Each CAC Security Officer will be responsible for managing passwords for their local user group. Each local user must be initially authorized and set-up in NCAtrak by the CAC Security Officer or their designee. During set-up a temporary password will be assigned.  Users are prompted to change their password the first time they log-in. 

Passwords are not to be shared or given out to any other person. They must be stored in a secure manner, (not on a sticky note on the computer screen or under the keyboard.) 

The user must change passwords every 90 days. The system will prompt the user when it is time to change the password.

Any CAC Security Officer has the right to disable a user’s password at any time it is deemed necessary to maintain security 

In order to protect from random attempts at unauthorized access NCAtrak is designed to lock out anyone after the 3^rd try at logging on with an unrecognized user name and password combination. Legitimate users will need their CAC Security Officer to re-enable the account, assign a temporary password, and then the user can change that to a confidential password on their next entry to the system. Logs will be maintained to monitor log-in activities.

B.6 Areas of Responsibility: Physical Security

B.6.1 NCAtrak Physical Facility Security

The SAIC web hosting facility is located in badge-controlled computer center that requires specific permission for access. This room is located in a building that is also badge controlled.  Logs are kept to record all visitors and the time of entry and departure from the building. Management responsibilities with respect to physical security of the SAIC hosting center include, but are not limited to:

·       Conducting a risk assessment to ensure that the computer system and its supporting environment are secure from natural hazards and dangers from adjacent facilities and/or areas 

·       Restricting access to computer centers through the use of door locks or electromagnetic keys 

·       Prohibiting removal of equipment and magnetic media from the area without appropriate authorization 

·       Conducting periodic reviews of the computer installation to ensure that a secure environment is maintained, including the maintenance of monitoring and security systems 

·       Ensuring that security procedures are followed for signing in guests and accompanying them while they are in a secured area 

·       Utilize adequate and appropriate types of firewalls to protect servers and monitor activity at the firewall to prevent and respond to security threats.

B.6.2 Workstation Security

Workstation security is the responsibility of each user of NCAtrak. Each user is responsible for protecting the security of their computer and access to NCAtrak data via their computer. 

·       Protecting the privacy of the data displayed on the screen:

Users are responsible for the data that is displayed on their screen and how visible it is to people working or standing nearby.

·       Protecting the computer from unauthorized access:

NCAtrak will automatically end an inactive session after 15 minutes but NCAtrak does not record if an original user has left the computer unattended in the middle of a session and another person has gained access (authorized or not) using the active session of the original user.    Users are responsible for data accessibility for the duration of an active session.

·       Protection from malicious software and/or viruses:

NCAtrak policy prohibits introducing into a computer used to access NCAtrak, any software or hardware intended to disrupt normal operations. This includes programs known to carry a destructive or nondestructive "virus," "worm," "logic bomb," or "Trojan Horse." Downloading software from the Internet can introduce security risks such as viruses, Trojan Horses, or "backdoors." In addition, these programs cause extra unneeded network traffic and may contain "ad ware" or "spy ware" that can violate confidentiality or track the habits of the user. Numerous freeware peer-to-peers file sharing software programs such as Gnutella, Morpheus, Bearshare, or KaZaA have been developed to facilitate file sharing over the Internet. The use of these types of programs is not acceptable for use on computers used to access NCAtrak. Only software approved by the CAC or MDT organization’s Director of IT Security may be used. If unsure, please contact the NCAtrak service desk. 

NCAtrak is not to be accessed via wireless technology. Sitting in any public location and using the system via wireless connection might potentially invite unauthorized access by hackers, etc. 

·       Use of Security Certificates to Authenticate Workstation:

NCAtrak is hosted via the internet to make it available to all authorized MDT team members, regardless of their physical work location. However, it is not available from all computers. Users will only be able to use a computer that has a security certificate installed. These are easy to use for CACs but are only available to the CAC Executive Director or designated CAC Security Officer who will see that each authorized user has access to a computer with an installed security certificate. Certificates must be renewed annually. Training will be provided to assist CACs with their certificates.

·       Imports to NCAtrak

NCAtrak does not have the capacity to allow photographs and other materials to be imported at this time.  This capability will be introduced in a later version of NCAtrak, successful security impact assessment outcomes.

·       Saving data from NCAtrak to the workstation hard drive or other media devices

Data saved to the computer hard drive, CD, Floppy, printer, or any other media device, or sent as an email page is the responsibility of the user and not within the scope of NCAtrak security policies. Users should follow the policies of their CAC and MDT agreements regarding the privacy and security of data transferred to any of these formats.

B.6.3 Device and Media Controls

Device and media controls procedures apply to the removal, re-use, and destruction of hardware and any type of media that contains NCAtrak data. A device could be a computer or a portable media device. Other media could include CD, floppy, paper, email, etc. It is important to note that NCAtrak Policies and Procedures for Beta Test Participants for security of devices and media extend only to the hardware and magnetic media at the SAIC location. NCAtrak cannot provide security for data transferred to any other media including the user’s hard drive, email, CD, paper, etc. because it is not within the securely hosted NCAtrak environment.  CAC policies regarding removal, re-use or destruction of hardware and media that contain NCAtrak data (computers, laptops, CD’s, floppies, email, printed materials), should be reviewed to be sure that all types of hardware and media are addressed. 

One additional note for CACs about hardware: If a laptop is authorized for use to access NCAtrak, (meaning a security certificate is installed on a laptop), that laptop could potentially be used from any location. CACs are advised to be certain the users understand that they are not allowed to use wireless connectivity to NCAtrak, and that they are aware of any potential violation of security that could occur if unauthorized users are in the same location with them when they are on-line. For example, a user could potentially take the laptop home, log-on to NCAtrak and access a case record, then get a phone call and walk away from the laptop. At that point, there is the opportunity for any other person in the home to view or potentially alter the data causing a security violation. 

·       At the SAIC hosting facility:

All NCAtrak hardware and magnetic media is identified with a unique ID. A log is maintained that tracks the entry, creation, removal, and return of all magnetic media. This process is somewhat similar to the processes used at the CAC locations for tracking case record media that is shared with law enforcement, courts, etc. 

Removal of hardware and magnetic media is prohibited without authorization from the NCAtrak Security Officer. The only routine removal of devices or media pre-approved via the service level agreements with SAIC is the weekly transport of encrypted database back-ups by authorized personnel to the secure storage location. All other removals require approval of the NCAtrak Security Officer.

NCAtrak servers and magnetic media are the property of NCA.  Magnetic media will be re-used only for NCAtrak backups. Re-use of servers would only be considered at such time as the servers need to be replaced.   If they are determined at any time to be available for re-use, (no longer usable for NCAtrak), the NCAtrak Security Officer will authorize either re-use or disposal. These servers will be purges prior to re-use or destruction.

B.7 Areas of Responsibility: Technical Security

B.7.1 User Authentication and Access Control

NCAtrak was designed to provide Security Officers with the capability to authenticate users and control access. 

·       Unique User Identification – All CACs and NCA are automatically assigned a unique user name and CAC identification number when their CAC account is established.  

·       Emergency Access Procedure – NCAtrak is designed with a “fail-over” server configuration to make is easier for SAIC administrators to bring the system back on-line in the event of a server failure. 

·       Automatic Log-off – NCAtrak is designed to automatically end the user’s session after 15 minutes of inactivity in the application. 

·       Encryption – All data transmissions are encrypted. The following data is encrypted in the database: Person Name in connection with any Case Record Data; Social Security Number in connection with any Case Record Data; all Dates of Birth, all Street Addresses, all Schools and places of Employment; and all passwords. Names of all people ever connected with a case record are stored separately from the case record in a table that provides users the ability to search the database for matches in a timely manner. The link between those names and their case data is encrypted.

B.7.2 Intrusion Detection and Audit Logs

SAIC will monitor NCAtrak for unauthorized intrusions and conduct assessments of vulnerability annually and in response to security violations. Audit logs will be automatically generated by NCAtrak. CAC Security Officers will have access to logs that record user activity for their users. SAIC will also use audit logs to monitor firewall activity, etc.  The following is a list of some of the logs that will be monitored:

·       Fail Log-in Attempts Log – This log records attempts to log-in to the system.

·       User Access Logs – This log records user names, when they log-in and when they log-out.

·       Last Edited by Log – This log displays at the bottom of each case record tab to indicate the last person who edited the data on the tab and the date and time of the edit. 

·       Firewall Monitor Log – This log displays all traffic passing through the firewall and all unauthorized attempts to break the firewall.

B.7.3 Transmission Security

Data transmitted to and from NCAtrak will be encrypted using 128-bit SSL encryption. Data that is e-mailed, printed, or copied and pasted to another file on the user hard drive is not encrypted. NCA cannot address the security needs of data in any of these formats. CAC Security Officers are advised to train their users regarding the local policies and procedures for data copied or printed to any other media format.