The CJIS Security Policy – Analyzing the 13 Policy Areas: Part II
Better than a sleeping pill or a riveting read?
In our last blog post, Alan Ferretti, CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing, and I covered the first four sections of the CJIS Security Policy. We will continue with Section 5 and its thirteen Policy areas and how they impact you and your agency. You will find out why it is called the Policy and Implementation Section for good reason.
The first Policy area addresses Information Exchange agreements. The policies for information exchange are designed to prevent unauthorized disclosure, alteration or misuse. The information exchange agreements shall commit both parties to the terms of the agreement. Different agreements are put in place depending on whether the parties involved are Criminal Justice Agencies (CJA) or Non-Criminal Justice Agencies (NCJA). It is through these agreements that a law enforcement agency can receive support from vendors or other governmental agencies.
The second Policy area covers the Security Awareness training requirements. There are four levels of training required depending on the role the person plays in accessing Criminal Justice Information (CJI). An agency may develop its own training program and keep track of each individual's training status. Training is required every two years. There are also excellent commercial products for CJIS Security awareness training, such as the system available from Peak Performance. You should remember that the challenge with training isn't the training itself, but rather tracking the people who need it and managing when they need to take it again.
The third Policy Area, Incident Response, defines the reporting requirements for both accidental and malicious attacks that expose CJI. Roles and responsibilities are defined, and all employees, contractors, and third-party users must be made aware of the reporting requirements.
Auditing and Accountability is found in the fourth Policy area. The auditable events, what must be logged, and the content of those logs are all defined. National Crime Information Center (NCIC) and Interstate Identification Index (III) transactions and their retention are also defined.
Policy area five covers Access Control. The criteria for controlling access are defined, as are the mechanisms for access control. This is the policy area that defines and requires a System Use Notification as well as a session lock. There are three exceptions defined to the session lock requirement. This is also the area that allows the concept of remote access and virtual escorting. The usage of personally owned mobile devices (BYOD) is discussed, as are publicly accessible computers.
Policy Area six covers Identification and Authentication for systems that process, store, or transmit CJI. Each person with access must be uniquely identified. Originating Agency Identifiers (ORI) and their usage are also explained. The requirements for Passwords and PINs used in authentication are defined. Advanced Authentication (AA) is introduced, and a decision tree is provided to identify whether AA is required or not. The Policy includes many very good use-cases.
Policy Area seven is where you will find the requirement that each agency maintain a Network Diagram, and what the requirements are for this diagram. There are also network diagram examples provided in Appendix C.
We will stop here, just a little over half way through the Policy Areas in Section 5. Look next week for the continuation of the Policy Areas in Section 5.
About Alan Ferretti
Alan Ferretti is a CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing (www.diversecomputing.com). He retired as the CJIS ISO for the State of Texas after 13 years of service. He was also the Chairman of the APB CJIS Security and Access Subcommittee (the group that originates and vets changes to the CJIS Security Policy). Contact Alan directly at firstname.lastname@example.org or (850) 656-3333 ext. 293.
We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.