The CJIS Security Policy – Analyzing the 13 Policy Areas: Part I
Better than a sleeping pill or a riveting read?
Recently Alan Ferretti and I were talking about compliance for agencies and lamented the fact that most people malign the CJIS Security Policy as a good cure for insomnia. It seems you can’t attend a conference where a speaker doesn’t make a joke about it. In fact, the Policy is important to all law enforcement practitioners and forms the basis for the protection of Criminal Justice Information (CJI). Being compliant takes a commitment at all levels – from an agency, to the technical staff that supports them, out to the vendors with their essential products used daily by law enforcement. Compliance is essential and is based on the Policy.
To be clear, we are not going to claim the CJIS Security Policy belongs on a best-seller list or that it is a must read, but given the energy and commitment that has been put into developing it and keeping it fresh over the years, it deserves a look. There is of course that pesky audit that gets done every few years that could also be a bit of an incentive!
To help guide you through the Policy, we will share our insights into it in our next few blogs. We will start at the beginning and go to the end discussing all 13 sections. We will not make this a comprehensive list of the “shall” statements, but will hit those we feel should be called out. Our goal is to get you to review the Policy, again or for the first time, by sharing our insights and thoughts. We will do our best to make this a non-threatening event. We promise you will not fall asleep!
Section 1 is often mistakenly skipped over. After all, it only has four “shall” statements and is only two pages long. However, it does pack some good information into these two pages. It is in this section that you find the statement that the CJIS Security Policy sets the minimum requirements for all things to do with Criminal Justice Information (CJI). This section also deals with the Policy and its relationship with applicable local policies. This area also gives permission to freely share the Policy. That didn’t use to be the case, but it is now.
Section 2 is the shortest section in the Policy at one page and contains no “shall” statements. Its role is to introduce the concept of a Shared Management Philosophy. The Policy isn’t just written and put in place by the FBI. The Advisory Policy Board (APB) collaborates with the FBI CJIS Division to develop the Policy. Together, the FBI and the APB look at the Policy by weighing risk against the reality of resource constraints. The goal is to make the Policy as real-world applicable as possible. The APB is made up of various law enforcement practitioners and organizations representing all levels and locations of law enforcement across the country.
With almost 50 “shall” statements, Section 3 is a very important section. This section defines the roles and responsibilities of those involved in the processing, storage, and transmission of CJI. It starts with the CJIS System Officer (CSO), the only role that can’t be outsourced, and goes through Terminal Agency Coordinator (TAC) responsibilities, Local Agency Security Officer (LASO) duties at the local agency level, and Information Security Officer (ISO) responsibilities at the State and Federal levels.
This section also provides the definition of a Criminal Justice Agency as well as a Non-Criminal Justice Agency. It defines important terms found in the CJIS Security Addendum and documents the responsibilities of the Compact Officer and Repository Manager.
It is critical you understand what is expected of you in your role, and this is where it is defined by the Policy.
Section 4 is all about the data and how it may be used. The term CJI is defined, as is Criminal History Record Information (CHRI) data. The proper access, use, and dissemination are described for both restricted and non-restricted files. Also, the Personally Identifiable Information (PII) data found in the FBI files is defined and its allowed usage explained. This section only has about ten “shall” statements, but it is nonetheless a very important section.
This blog reviews four of the five major sections of the Policy. These sections don’t contain any technical jargon and can be easily understood by anyone with experience as a criminal justice practitioner. It is well worth your time to read and understand them.
Our next blog will review Section 5, commonly referred to as the Technical Requirements section. With its thirteen Policy Sections, Section 5 forms the basis for how you need to address any technology implementation at any agency.
About Alan Ferretti
Alan Ferretti is a CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing (www.diversecomputing.com). He retired as the CJIS ISO for the State of Texas after 13 years of service. He was also the Chairman of the APB CJIS Security and Access Subcommittee (the group that originates and vets changes to the CJIS Security Policy). Contact Alan directly at firstname.lastname@example.org or (850) 656-3333 ext. 293.