What You Need to Know About CJIS Policy Area 5
I’ve met with many IT service providers who work in law enforcement and are still unsure about what they need to do to ensure their organization is fully compliant with the CJIS guidelines by the September 2014 deadline. There’s a sense of panic setting in for many; after all, should an organization be found in non-compliance after the deadline, the agency as a whole could lose access to the information stored in the CJIS databases. Almost every officer and law enforcement professional accesses these resources daily.
Policy Areas 4-6 advise law enforcement agencies on the technical safeguards they need to have in place to access CJIS data without putting the entire system at risk.
In this blog article, I’m going to cover Policy Area 5: Access Control. It’s a lengthy and complex section, so I am going to focus on the most relevant areas, in other words, the areas law enforcement IT personnel tend to struggle with the most.
5.5 Policy Area 5: Access Control
“Access control provides the planning and implementation of mechanisms to restrict reading, writing, possessing and transmission of CJIS information...”
The bottom line here is that CJIS information is confidential; it must be protected from falling into the wrong hands. Access control means protecting this information by ensuring that only people who need access to CJIS data for their job can access it, and that they are using their access privileges appropriately.
5.5.1 Account Management
“The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts…”
Agencies must be aware of who has access to CJIS data and access should only be granted to users who need it for their job role. Access rights and permissions should be assigned based on a user’s or group’s job role. Should a user’s role change, or if they are terminated, their access rights should be changed immediately.
To meet these compliance requirements, IT service providers should look for a security software solution that allows privileged administrators to:
- Assign passwords to users or groups based on their roles and level of authority.
- Easily prohibit employees that have been terminated from accessing all applications and systems. A centralized password management system that “syncs” with other applications—for example, cloud-based applications—ensures that a user’s access can be easily changed or removed as needed.
5.5.2 Access Enforcement
“The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.”
Privileged functions, like changes to a program or system password, are of the utmost concern to CJIS. A user with the ability to change a system password or download malicious software could potentially compromise the entire CJIS system. To ensure compliance, your password management software should:
- Allow password permissions to be assigned to a group of privileged users.
- Allow administrators to see who has access to which passwords.
- Allow administrators to easily see and audit which users are assigned privileged accounts.
5.5.3 Unsuccessful Login Attempts
“…the system shall enforce a limit of no more than 5 invalid access attempts…”
Invalid login attempts are one of the most helpful “red flags” system administrators have in identifying (and addressing) a potential security threat. To comply with the above rule, your security software should:
- Allow administrators to customize failed login system responses to specify user lockout and administrator notification after 5 failed attempts.
5.5.5 System Lock
“The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity…”
The intent here is to eliminate the possibility that a non-authorized person could access CJIS data simply because a user logged in and walked away from their computer without logging out. For example, a user could log into CJIS, leave the session running, and have their laptop stolen. To meet this guideline, your security software should:
- Lock a user out after 30 minutes of inactivity and require re-authentication to get back in.
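The two controls in 5.5.3 and 5.5.5 are concrete enough to show in code. The following is an added example written for this article, not code from the post or from any vendor's product: a small access gate that counts invalid attempts, locks the account at the fifth failure and raises an administrator notification, locks an open session after 30 minutes of inactivity, and requires re-authentication to resume. The usernames, passwords, the `notify` callback and the injectable `clock` are constructed for the demonstration; the 5-attempt and 30-minute limits are the ones quoted above.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # 5.5.3: lock the account on the 5th invalid attempt
IDLE_LOCK_SECONDS = 30 * 60    # 5.5.5: lock the session after 30 minutes idle


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the gate never stores or compares plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_out: bool = False       # set by 5.5.3; cleared only by an administrator
    session_open: bool = False
    session_locked: bool = False   # set by 5.5.5; cleared only by re-authentication
    last_activity: float = 0.0


class AccessGate:
    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.time,
                 notify: Optional[Callable[[str], None]] = None):
        # users is a constructed {username: password} sample; clock is injectable
        # so the idle timeout can be exercised without waiting 30 real minutes.
        self._clock = clock
        self._notify = notify or (lambda event: None)
        self.audit: List[Tuple[float, str, str]] = []   # who did what, when
        self._accounts: Dict[str, AccountState] = {}
        for name, pw in users.items():
            salt, digest = hash_password(pw)
            self._accounts[name] = AccountState(salt, digest)

    def _log(self, user: str, event: str) -> None:
        self.audit.append((self._clock(), user, event))

    def _verify(self, acct: AccountState, password: str) -> bool:
        _, digest = hash_password(password, acct.salt)
        return hmac.compare_digest(digest, acct.digest)   # constant-time compare

    def login(self, user: str, password: str) -> str:
        acct = self._accounts.get(user)
        if acct is None:
            self._log(user, "login.unknown_user")
            return "denied"
        if acct.locked_out:
            self._log(user, "login.refused_locked_out")
            return "locked_out"
        if not self._verify(acct, password):
            acct.failed_attempts += 1
            self._log(user, f"login.failed#{acct.failed_attempts}")
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_out = True
                self._log(user, "account.locked_out")
                self._notify(f"lockout: {user}")   # administrator notification
                return "locked_out"
            return "denied"
        acct.failed_attempts = 0
        acct.session_open = True
        acct.session_locked = False
        acct.last_activity = self._clock()
        self._log(user, "login.ok")
        return "ok"

    def access(self, user: str) -> str:
        """Call before every data request; enforces the 30-minute idle session lock."""
        acct = self._accounts.get(user)
        if acct is None or not acct.session_open:
            return "no_session"
        now = self._clock()
        if acct.session_locked or now - acct.last_activity >= IDLE_LOCK_SECONDS:
            if not acct.session_locked:
                acct.session_locked = True
                self._log(user, "session.locked_idle")
            return "session_locked"
        acct.last_activity = now
        return "ok"

    def unlock_session(self, user: str, password: str) -> str:
        """Re-authentication is the only way back into an idle-locked session;
        a wrong password here still counts toward the 5-attempt lockout."""
        acct = self._accounts.get(user)
        if acct is None or not acct.session_locked:
            return "denied"
        return self.login(user, password)

    def admin_unlock(self, admin: str, user: str) -> None:
        """Only a privileged administrator clears a 5.5.3 lockout, and it is audited."""
        acct = self._accounts[user]
        acct.locked_out = False
        acct.failed_attempts = 0
        self._log(user, f"account.unlocked_by:{admin}")
```

Two design points matter for the audit requirements in 5.5.1 and 5.5.2: every state change is written to `audit` with the actor and time, so an administrator can see who was locked out and who unlocked them, and failed re-authentication at a locked screen feeds the same counter as a fresh login, so the session lock cannot be used as an unlimited guessing point.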