{"id":5665,"date":"2017-03-28T11:00:35","date_gmt":"2017-03-28T15:00:35","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?p=5665"},"modified":"2017-03-28T11:00:35","modified_gmt":"2017-03-28T15:00:35","slug":"the-cjis-security-policy-analyzing-the-13-policy-areas","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/the-cjis-security-policy-analyzing-the-13-policy-areas\/","title":{"rendered":"The CJIS Security Policy \u2013 Analyzing the 13 Policy Areas: Part I"},"content":{"rendered":"<p><em><span>Better than a sleeping pill or a riveting read?<\/span><\/em><\/p>\n<p>Recently Alan Ferretti and I were talking about compliance for agencies and lamented the fact that most people malign the CJIS Security Policy as a good cure for insomnia. It seems you can\u2019t attend a conference where a speaker doesn\u2019t make a joke about it. In fact, the Policy is important to all law enforcement practitioners and forms the basis for the protection of Criminal Justice Information (CJI). Being compliant takes a commitment at all levels &#8211; from an agency, to the technical staff that supports them, out to the vendors with their essential products used daily by law enforcement. Compliance is essential and is based on the Policy.<\/p>\n<p>To be clear, we are not going to claim the CJIS Security Policy belongs on a best-seller list or that it is a must-read, but given the energy and commitment that has been put into developing it and keeping it fresh over the years, it deserves a look. There is of course that pesky audit that gets done every few years that could also be a bit of an incentive!<\/p>\n<p>To help guide you through the Policy, we will share insights into it in our next few blogs. We will start at the beginning and go to the end discussing all 13 sections. We will not make this a comprehensive list of the \u201cshall\u201d statements, but will hit those we feel should be called out. 
Our goal is to get you to review the Policy, again or for the first time, by sharing our insights and thoughts. We will do our best to make this a non-threatening event. We promise you will not fall asleep!<\/p>\n<h3>Section 1.<\/h3>\n<p>Section 1 is often mistakenly skipped over. After all, it only has four \u201cshall\u201d statements and is only two pages long. However, it does pack some good information into these two pages. It is in this section that you find the statement that the <em>CJIS Security Policy sets the minimum requirements for all things to do with Criminal Justice Information (CJI)<\/em>. This section also deals with the Policy and its relationship with applicable local policies. This area also gives permission to freely share the Policy. That didn\u2019t use to be the case, but it is now.<\/p>\n<h3>Section 2.<\/h3>\n<p>Section 2 is the shortest section in the Policy at one page and contains no \u201cshall\u201d statements. Its role is to introduce the concept of a <em>Shared Management Philosophy<\/em>. The Policy isn\u2019t just written and put in place by the FBI. The Advisory Policy Board (APB) collaborates with the FBI CJIS Division to develop the Policy. Together, the FBI and the APB look at the Policy in terms of risk versus the reality of resource constraints. Their goal is to make the Policy as real-world applicable as possible. The APB is made up of various law enforcement practitioners and organizations representing all levels and locations of law enforcement across the country.<\/p>\n<h3>Section 3.<\/h3>\n<p>With almost 50 \u201cshall\u201d statements, Section 3 is a very important section. 
<em>This section defines the roles and responsibilities of those involved in the processing, storage, and transmission of CJI.<\/em> It starts with the CJIS System Officer (CSO), the only role that can\u2019t be outsourced, and goes through the Terminal Agency Coordinator (TAC) responsibilities, Local Agency Security Officer (LASO) duties at the local agency level, and Information Security Officer (ISO) responsibilities at the State and Federal levels.<\/p>\n<p>This section also provides the definition of a Criminal Justice Agency as well as a Non-Criminal Justice Agency. It defines important terms found in the CJIS Security Addendum and documents the responsibilities of the Compact Officer and Repository Manager.<\/p>\n<p>It is critical you understand what is expected of you in your role, and this is where it is defined by the Policy.<\/p>\n<h3>Section 4.<\/h3>\n<p><em>This section is all about the data and how it may be used.<\/em> The term CJI is defined, as is Criminal History Record Information (CHRI) data. The proper access, use, and dissemination are described for both restricted and non-restricted files. Also, the Personally Identifiable Information (PII) data found in the FBI files is defined and its allowed usage explained. This section has only about ten \u201cshall\u201d statements, but it is nonetheless a very important section.<\/p>\n<h3>Summary<\/h3>\n<p>This blog reviews four of the five major sections of the Policy. These sections don\u2019t contain any technical jargon and can be easily understood by anyone with experience as a criminal justice practitioner. It is well worth your time to read and understand them.<\/p>\n<p>Our next blog will review Section 5, commonly referred to as the Technical Requirements section. 
With its thirteen Policy Sections, Section 5 forms the basis for how you need to address any technology implementation at any agency.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/the-cjis-security-policy-analyzing-the-13-policy-areas-part-ii\/\">Part II<\/a><\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/2017\/04\/11\/the-cjis-security-policy-analyzing-the-13-policy-areas-part-iii\/\">Part III<\/a><\/p>\n<h3>About Alan Ferretti<\/h3>\n<p>Alan Ferretti is a CJIS Security Analyst and Subject Matter Expert of the CJIS ACE Division at Diverse Computing (<a href=\"http:\/\/www.diversecomputing.com\/\">www.diversecomputing.com<\/a>). He retired as the CJIS ISO for the State of Texas after 13 years of service. He was also the Chairman of the APB CJIS Security and Access Subcommittee (the group that originates and vets changes to the CJIS Security Policy). Contact Alan directly at aferretti@diversecomputing.com or (850) 656-3333 ext.293.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Better than a sleeping pill or a riveting read? Recently Alan Ferretti and I were talking about compliance for agencies and lamented the fact that most people malign the CJIS Security Policy as a good cure for insomnia. It seems you can\u2019t attend a conference where a speaker doesn\u2019t make a joke about it. [&hellip;]<\/p>\n","protected":false},"author":1772,"featured_media":20423,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2,25],"tags":[95,165,505],"class_list":["post-5665","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcements","category-portalpreview","tag-azure-government","tag-cjis","tag-security-policy"],"acf":[],"blog_post_summary":"<p>Better than a sleeping pill or a riveting read? 
Recently Alan Ferretti and I were talking about compliance for agencies and lamented the fact that most people malign the CJIS Security Policy as a good cure for insomnia. It seems you can\u2019t attend a conference where a speaker doesn\u2019t make a joke about it. [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/5665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/1772"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=5665"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/5665\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/20423"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=5665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=5665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=5665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}