CJIS Compliance Protects against Sieges (of your Data Infrastructure)
CJIS compliance is a lot of things… Of high importance to those in charge of management and finances is that it’s mandatory. For those with feet on the ground, the resources provided by CJIS are invaluable. For those in charge of the data infrastructure, non-compliance goes hand in hand with vulnerable infrastructure that can be compromised.
What I kindly leave unsaid is that severe fines can result from non-compliance.
Let’s be clear about this, though: CJIS compliance isn’t just some expectation to be met; it’s there for your own benefit.
Those in charge of IT and IT compliance at these law enforcement agencies need to focus primarily on three key policy areas, which relate most directly to the systems they manage. These policy areas are numbers 5.4, 5.5, and 5.6.
The original FBI document on CJIS compliance runs over 200 pages, so here’s a brief look at the key sections that are most important to you.
“Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.”
CJIS requires agencies to generate and maintain detailed reports of security-related events that occur on the systems used to access CJIS. The purpose of this is so that:
Any security violations or questionable events can be tracked back to a specific user, date, time, system component, etc.
An administrator can quickly look over their audit reports and see any unusual behavior or patterns.
Users will know their actions are audited and avoid questionable behavior.
“Access control provides the planning and implementation of mechanisms to restrict reading, writing, possessing and transmission of CJIS information...”
The information CJIS has is confidential; therefore, it must be protected, and access must be restricted to those whose access has been approved. Access control in this sense means ensuring that only people who need access to CJIS data for their job can access it, and that they are using their access privileges appropriately.
“The agency shall identify information system users and processes acting on behalf of users and authenticate the identities of those users or processes as a prerequisite to allowing access to agency information systems or services.”
In a nutshell, section six sets out a number of criteria that strengthen how the identities and credentials of those accessing CJIS information are proven. This includes:
Individual login credentials.
Strength-related password requirements.
Advanced Authentication Requirements (MFA, Biometric, etc.)
Many complain that these sections are some of the trickiest as far as compliance and conversion are concerned. Fortunately, we can help you with that! Check out our CJIS compliance checklist.