4 CJIS Use Cases for Password Management
Reading the FBI’s new CJIS guidelines, it can be hard to imagine how the rules and new protocols will actually be implemented across the country, particularly when it comes to password management. Many agencies and individuals are used to an environment in which password security is, well, nonexistent. As an IT service provider, you’ve surely seen what I’m talking about: passwords like “NewPassword1” in frequent use throughout the office, system passwords shared openly from cubicle to cubicle, a list of passwords taped up next to a workstation, all while you cringe in your seat.
But the CJIS guidelines on password security make more sense when you look at how they apply to everyday life and operations. With a strong password management program in place, implementing these policies not only keeps you CJIS compliant, it also makes your job easier.
Here are some use cases for password management:
Use Case 1: In the Field
A detective leaves the office to speak with a potential witness. He’s equipped with his laptop, a mobile 4G radio for connecting back to the station with VPN software, and (of course) his smartphone. He stops at a local restaurant for lunch, and brings his laptop in to do more research. He plans on accessing the CJIS system for information on a criminal suspect.
Currently, the FBI considers a police vehicle to be a secure location, so advanced authentication isn’t required to access CJIS from his vehicle. To access CJIS from the restaurant (a non-secure location), however, advanced authentication (also called multi-factor authentication, or MFA) is required. In addition to entering his login ID and password (something he knows) when he opens his laptop, he has to present a second, independent factor: something he has (a code from a hardware token or an authenticator app) or something he is (a biometric scan). He enters a one-time code generated by a secure mobile app on his smartphone; the phone itself is the “something he has.” His agency chose this form of MFA because it is easy (he already carries the phone) and affordable (no additional equipment required).
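The one-time code the detective types in is the kind produced by a time-based one-time password (TOTP) app, and the server-side check is where the details that matter live. The following is an added example written for this post, not code from the original article or from any particular MFA product. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python’s standard library, verifies a submitted code while tolerating a little clock skew between phone and server, and remembers the last accepted time step so that a code someone glimpsed over the detective’s shoulder cannot be replayed. The shared secret is the published RFC test-vector secret, and the issuer and account names in the enrollment URI are made up.

```python
"""TOTP (RFC 6238) generation and server-side verification, built on HOTP (RFC 4226)."""
import base64
import hashlib
import hmac
import struct
import urllib.parse

STEP_SECONDS = 30   # RFC 6238 default: a new code every 30 seconds
DIGITS = 6          # what most authenticator apps display

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector secret, not a real agency key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter=None,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the accepted time-step counter, or None if rejected.

    window:       steps of clock skew tolerated on each side (1 step = 30 s either way).
    last_counter: most recent counter already accepted for this user; any code at or before
                  it is refused, so a code that has already been used cannot be replayed.
    The caller must persist the returned counter as the new last_counter.
    """
    submitted = submitted.strip()
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue                                          # already used (or older)
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app scans (as a QR code) during enrollment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": DIGITS, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = 59                                   # RFC 6238 test time; falls in time step 1
    code = totp(RFC_SECRET, now)
    print("phone shows:      ", code)                                        # 287082
    print("accepted, counter:", verify_totp(RFC_SECRET, code, now))          # 1
    print("phone 20 s slow:  ", verify_totp(RFC_SECRET, code, now + 30))     # 1 (within window)
    print("replay rejected:  ", verify_totp(RFC_SECRET, code, now + 5, last_counter=1))  # None
    # Hypothetical issuer/account for the enrollment QR code
    print(provisioning_uri(RFC_SECRET, "jdoe@example-pd.gov", "ExamplePD"))
```

The two parameters worth thinking about are `window` and `last_counter`. A window of one step either side absorbs the clock drift on a phone without making the code meaningfully easier to guess, and storing the last accepted counter per user is what turns a “time-based” code into a genuinely one-time one.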
Use Case 2: Back at HQ
A detective returns to the station after being out all day, and logs on to her desktop to access data in a CJIS database.
As long as the required technical safeguards are in place, a police station is considered a secure location, so MFA isn’t required to log on. The detective must still log in with her own unique username and password, so that every action she takes is tied to her in the audit log; a shared account would make that attribution impossible.
Use Case 3: A Personnel Change
An office worker with access to CJIS and other system resources is terminated.
With a centralized password management program that syncs with other applications (including cloud applications), an administrator can log in once and remove all of that user’s permissions, cutting off access to CJIS, network email and every other connected application at the same time. Without that central control, accounts have to be hunted down system by system, and any that are missed stay active after the person has left.
(Related blog post: take password security out of the hands of your employees altogether. If they don’t know the passwords to the systems they use, password security is a breeze.)
Use Case 4: Single Sign-On
An officer uses single sign-on to log in to his applications.
An officer begins the day at his desk and authenticates with multi-factor authentication: first his password, then the one-time code generated by his secure mobile app. After authenticating, he is taken to his single sign-on (SSO) portal, where he is signed in automatically to all the applications he needs without having to log in again. When he heads out in his patrol car, he follows the same process, eliminating repetitive logins while keeping the same strong level of security.