Law enforcement agencies at the local, state and federal levels access Criminal Justice Information (CJI) databases to track criminal activity, criminal histories and other sensitive records, under rules set by the CJIS Division of the U.S. Federal Bureau of Investigation (FBI).
Criminal Justice Information Services (CJIS) compliance is one of the most important compliance standards for organizations that handle criminal justice information.
Government agencies are therefore bound to follow the CJIS Security Policy strictly whenever they handle or process criminal justice data.
Protecting this data is a legal requirement, and ignoring the standard carries heavy consequences.
In 2019, a U.S. city police department was found to be non-compliant with several elements of the CJIS Security Policy; as a result it lost access to CJI databases, which disrupted major city operations.
This blog discusses the policy areas of the CJIS Security Policy and how to comply with them to avoid such consequences!
What is CJIS Compliance?
The Criminal Justice Information Services (CJIS) Division was established in 1992 and remains the largest division of the Federal Bureau of Investigation (FBI). In the United States, CJIS serves as the centralized source of criminal justice data for government agencies and other authorized third parties.
Several systems, such as the National Crime Information Center (NCIC) and the Integrated Automated Fingerprint Identification System (IAFIS, since succeeded by Next Generation Identification, NGI), are operated by the CJIS Division.
CJIS collects and maintains crime data and statistics in these databases, and authorized government entities query them whenever their work requires it.
With rising concerns about cyberattacks, data breaches and privacy, CJIS formulated security requirements for the organizations that handle this data and published them as the CJIS Security Policy.
As expected by Cybersecurity Ventures:
Security is vital when it comes to protecting criminal justice information. Organizations must ensure that their systems and processes meet the requirements and standards of the CJIS Security Policy.
Let's dive deeper into the topic!
The FBI CJIS Security Policy
The CJIS Security Policy comprises 15 policy areas that protect criminal justice data from unauthorized access, disclosure, misuse and cybercrime. Ten of them are summarized below:
Information Exchange Agreements
Before two agencies share or exchange CJI, they must sign a formal user agreement that spells out the security controls each party commits to.
The agreement must specify which systems and services may be accessed and which security policies the agencies must follow while handling criminal justice data. At a minimum it must cover:
- Audits
- Logging
- Quality assurance
- Pre-employment screening
- Security
- Timeliness
- Training
- Use of systems
Security Awareness and Training
Everyone who accesses or manages criminal justice information must complete security awareness training first: within six months of being assigned and at least every two years thereafter.
The training explains each individual's roles and responsibilities and how to maintain the integrity and security of CJI at every level.
Incident Response
All incidents and data breaches involving CJI must be reported through the agency's CJIS Systems Agency to the FBI CJIS Division. Organizations must have documented procedures to detect, analyze, contain and recover from incidents in a timely manner.
Auditing and Accountability
All organizations must log defined security-relevant events and be able to produce audit reports from them. At a minimum, the following events must be recorded:
- Successful and unsuccessful login attempts
- Creation, modification and deletion of user accounts and their permissions
- Attempts to access, modify or destroy audit log files
- Password changes
Each record must carry the date and time of the event, the type of event, the user or process involved, and whether it succeeded or failed.
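The list above says what to record; it does not say how to stop the log itself from being edited or trimmed, which is the event the third bullet is meant to catch. The following is an added example, not code from the original post or from VIDIZMO: an append-only audit log in which each record's HMAC-SHA256 covers the previous record's MAC, so altering or deleting any entry breaks every entry after it. The event names, the sample events and the key are constructed for the example; in practice the MAC key lives in a KMS or HSM that the logged accounts cannot read. The same SHA-256 hashing idea is what tamper detection on evidence files relies on.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed key for this example only. In production the MAC key lives in a
# KMS/HSM and is not readable by the accounts whose actions the log records.
CHAIN_KEY = b"example-only-audit-chain-key"

# Event types taken from the list above; the identifiers are this example's own.
AUDITED_EVENTS = {
    "login.success", "login.failure",
    "permission.assign", "permission.create", "permission.edit", "permission.delete",
    "password.change",
    "auditlog.access", "auditlog.modify", "auditlog.destroy",
}
GENESIS = "0" * 64  # "previous MAC" of the very first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so a record always MACs to the same value.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[dict], event_type: str, actor: str, outcome: str,
                 when: Optional[datetime] = None, **details) -> dict:
    """Append one record. Its MAC covers the record body and the previous MAC,
    so editing or removing an earlier record breaks every record after it."""
    if event_type not in AUDITED_EVENTS:
        raise ValueError(f"unrecognised audit event type: {event_type}")
    body = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "event": event_type,
        "actor": actor,
        "outcome": outcome,          # success / failure
        "details": details,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    mac = hmac.new(CHAIN_KEY, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    chain.append(record)
    return record


def verify_chain(chain: List[dict]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i                       # a record was removed or reordered
        expected = hmac.new(CHAIN_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i                       # record contents were altered
        prev = rec["mac"]
    return True, -1


def demo() -> dict:
    """Build a short chain from constructed events, then tamper with copies of it."""
    log: List[dict] = []
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    append_event(log, "login.failure", "jdoe", "failure", when=t0, src_ip="203.0.113.7")
    append_event(log, "login.success", "jdoe", "success", when=t0, src_ip="203.0.113.7")
    append_event(log, "permission.assign", "admin", "success", when=t0,
                 target="jdoe", role="records_clerk")
    append_event(log, "auditlog.access", "auditor", "success", when=t0)

    # Insider edits the first record so the failed login reads as a success.
    edited = [dict(r) for r in log]
    edited[0]["outcome"] = "success"

    # Insider deletes the permission change (record index 2) outright.
    truncated = log[:2] + log[3:]

    return {
        "intact": verify_chain(log),
        "edited": verify_chain(edited),
        "deleted": verify_chain(truncated),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

Running `demo()` reports the untouched chain as intact, the edited copy as broken at record 0, and the truncated copy as broken at record 2, where the surviving record's `prev` no longer matches. A chained log only makes tampering detectable, not impossible: ship the records to a separate write-once store and run `verify_chain` from there on a schedule, so the check does not depend on the same host the attacker controls.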
Access Control
Each user accessing criminal justice information must be assigned a defined type and level of access. Apply least privilege: grant only the most restrictive set of permissions the user's job requires, and nothing more.
Access should also be limited on a need-to-know basis, using criteria such as job function, location and source IP address.
Identification and Authentication
Organizations that access sensitive legal records must identify each user uniquely and authenticate them with standard methods such as passwords combined with multi-factor authentication. CJIS requires advanced authentication (a second factor) whenever CJI is accessed from outside a physically secure location.
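The two policy areas above (Access Control and Identification and Authentication) combine into a single authorization decision on every request. The following is an added example, not code from the original post or from VIDIZMO, that puts those checks in one function: role-based least privilege, a need-to-know check against the cases a user is assigned, a source-network restriction, and the rule that multi-factor authentication is required outside a physically secure location. The role table, network ranges, user and case identifiers are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

# Constructed role table. Least privilege: each role carries only the permissions
# that job needs, and no role has "all".
ROLE_PERMISSIONS = {
    "dispatcher":    frozenset({"cji:query"}),
    "records_clerk": frozenset({"cji:query", "cji:update"}),
    "auditor":       frozenset({"auditlog:read"}),
    "user_admin":    frozenset({"user:manage"}),
}

# Agency networks from which CJI may be reached (constructed; RFC 5737 test ranges).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # headquarters LAN
    ipaddress.ip_network("198.51.100.0/24"),  # precinct VPN pool
]


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool        # a second factor was presented in this session
    screening_current: bool   # fingerprint-based background check is on file


@dataclass(frozen=True)
class Context:
    src_ip: str
    physically_secure_location: bool  # terminal sits inside a controlled facility
    assigned_cases: FrozenSet[str]    # need-to-know: cases this user actually works


def permissions_for(p: Principal) -> Set[str]:
    """Union of the permissions granted by every role the principal holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in p.roles))


def authorize(p: Principal, action: str, case_id: str, ctx: Context) -> Tuple[bool, str]:
    """Return (allowed, reason). Denials name the failing check so they can be audited."""
    if not p.screening_current:
        return False, "personnel screening not current"
    if action not in permissions_for(p):
        return False, f"roles {sorted(p.roles)} do not grant {action}"
    ip = ipaddress.ip_address(ctx.src_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return False, f"source {ctx.src_ip} is not an agency network"
    # CJIS requires advanced (multi-factor) authentication whenever CJI is
    # reached from outside a physically secure location.
    if not ctx.physically_secure_location and not p.mfa_verified:
        return False, "MFA required outside a physically secure location"
    # Need-to-know: holding a CJI permission is not enough; the case must be assigned.
    if action.startswith("cji:") and case_id not in ctx.assigned_cases:
        return False, f"no need-to-know for case {case_id}"
    return True, "allowed"


def demo() -> dict:
    """Run one records clerk through the common allow and deny paths (constructed data)."""
    clerk = Principal("jdoe", frozenset({"records_clerk"}), mfa_verified=False, screening_current=True)
    clerk_mfa = Principal("jdoe", frozenset({"records_clerk"}), mfa_verified=True, screening_current=True)
    cases = frozenset({"24-0117"})
    inside = Context("192.0.2.10", physically_secure_location=True, assigned_cases=cases)
    remote = Context("198.51.100.5", physically_secure_location=False, assigned_cases=cases)
    internet = Context("203.0.113.9", physically_secure_location=False, assigned_cases=cases)
    return {
        "inside_query":    authorize(clerk, "cji:query", "24-0117", inside),
        "remote_no_mfa":   authorize(clerk, "cji:query", "24-0117", remote),
        "remote_with_mfa": authorize(clerk_mfa, "cji:query", "24-0117", remote),
        "unassigned_case": authorize(clerk, "cji:query", "24-0999", inside),
        "reads_audit_log": authorize(clerk, "auditlog:read", "24-0117", inside),
        "from_internet":   authorize(clerk_mfa, "cji:query", "24-0117", internet),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Every denial returns the check that failed, which is exactly the detail the Auditing and Accountability area wants in the log record. Note that the order of checks matters for what you learn from a denial: screening and role checks come first so a remote attacker with stolen credentials is refused before the system reveals anything about network or MFA policy.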
Configuration Management
Only authorized individuals may access information system components to initiate changes, upgrades or modifications.
All changes to hardware, software and firmware components, planned or unplanned, must be documented and carried out by authorized personnel only.
Media Protection
Documented and implemented media protection policies and procedures must restrict access to digital and non-digital media, in all forms, to authorized individuals through authenticated methods and processes. Media that held CJI must be sanitized or destroyed before it is disposed of or reused.
Physical Protection
Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software and media are physically protected through access control measures.
System and Communication Protection
Information systems, applications and communication channels must be able to preserve system integrity by detecting and preventing unauthorized access to, and modification of, software. Unencrypted CJI must never be transmitted across a public network.
All CJI transmitted outside a physically secure location, or stored outside one, must be encrypted using FIPS 140-2 validated cryptography with at least 128-bit symmetric key strength; for data at rest the policy also accepts a FIPS 197 (AES) cipher at 256-bit strength.
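The encryption requirement above is easy to state and easy to silently miss when a TLS stack is allowed to negotiate a legacy suite. The following is an added example, not code from the original post or from VIDIZMO, that expresses the in-transit floor as a check over the suites a TLS stack is willing to offer and builds a Python `ssl` context that stays above it. The sample suite list is constructed to look like `ssl.SSLContext.get_ciphers()` output from a loosely configured server; the policy thresholds are the ones stated in the text.

```python
import ssl
from typing import Dict, List

# Policy floor from the text: FIPS 140-2 validated cryptography, at least 128-bit
# symmetric strength, no cleartext on public networks. Expressed here as checks on
# what the TLS stack is willing to negotiate.
MIN_STRENGTH_BITS = 128
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def noncompliant_suites(ciphers: List[dict]) -> Dict[str, List[str]]:
    """Take entries shaped like ssl.SSLContext.get_ciphers() output and return
    {suite_name: [reasons]} for every suite below the policy floor."""
    findings: Dict[str, List[str]] = {}
    for c in ciphers:
        reasons = []
        bits = c.get("strength_bits", 0)
        if bits < MIN_STRENGTH_BITS:
            reasons.append(f"strength {bits} < {MIN_STRENGTH_BITS}")
        if c.get("protocol") in LEGACY_PROTOCOLS:
            reasons.append(f"legacy protocol {c.get('protocol')}")
        if not c.get("aead"):
            reasons.append("not an AEAD cipher")
        # The FIPS 140-2 approved symmetric cipher is AES; ChaCha20 is not approved.
        if not str(c.get("symmetric", "")).lower().startswith("aes"):
            reasons.append(f"non-FIPS algorithm {c.get('symmetric')}")
        if reasons:
            findings[c["name"]] = reasons
    return findings


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    only negotiates forward-secret AES-GCM suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


# Constructed sample resembling get_ciphers() output from a loosely configured server.
SAMPLE_SUITES = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256,
     "aead": True, "symmetric": "aes-256-gcm"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "strength_bits": 128,
     "aead": True, "symmetric": "aes-128-gcm"},
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "protocol": "TLSv1.3", "strength_bits": 256,
     "aead": True, "symmetric": "chacha20-poly1305"},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "strength_bits": 128,
     "aead": False, "symmetric": "aes-128-cbc"},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "protocol": "TLSv1.0", "strength_bits": 112,
     "aead": False, "symmetric": "3des-cbc"},
]


def audit_local_stack() -> Dict[str, List[str]]:
    """Report what this interpreter's hardened context would still offer for TLS 1.2."""
    ctx = hardened_context()
    tls12 = [c for c in ctx.get_ciphers() if c.get("protocol") == "TLSv1.2"]
    return noncompliant_suites(tls12)


if __name__ == "__main__":
    for suite, why in noncompliant_suites(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(why)}")
    print("local TLS 1.2 findings:", audit_local_stack())
```

Two caveats a practitioner should keep in mind. First, FIPS 140-2 validation is a property of the cryptographic module build (for example an OpenSSL FIPS provider), not of the cipher string; this check only confirms the stack cannot negotiate below the policy floor. Second, Python's `ssl` module cannot restrict the TLS 1.3 suite set, so on a non-FIPS OpenSSL build the context will still offer `TLS_CHACHA20_POLY1305_SHA256` for TLS 1.3, which is why `audit_local_stack` reports on the TLS 1.2 suites and why a FIPS-mode library is needed to close that gap.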
How to Meet CJIS Compliance Security Standards?
Government organizations such as law enforcement agencies, as well as non-criminal-justice organizations that require access to CJIS databases, must be compliant in how they store, manage and share criminal justice information (CJI).
This raises the question of how such organizations secure their confidential data in line with the CJIS Security Policy areas above.
Let's take an example!
Law enforcement agencies routinely collect digital evidence and other case-relevant data; how do they ensure that this data is protected and is not misused or tampered with?
Beyond the security concerns, another big challenge is the sheer volume of sensitive criminal data in digital form!
What can be done to overcome these challenges?
The answer is straightforward...
They need CJIS-compliant software that makes the job easier and addresses the security requirements above: software built to follow the rules and regulations the compliance regime sets.
So, what are the advantages of using CJIS-compliant software for evidence management?
A solution that is fully CJIS compliant serves as the centralized repository for all types of evidence data. The following functions can then be performed in accordance with the CJIS Security Policy:
- Secure storage of data with AES 256-bit encryption
- Secure data sharing with restricted options
- Data management: searching, indexing and filtering
- Audit log report generation
- Redaction to protect individuals' privacy
- Role-Based Access Control
- SSO authentication
Read more on CJIS-Compliant Cloud Storage Software.
Several vendors now offer digital evidence management platforms built to meet these compliance requirements. One of them is VIDIZMO's Digital Evidence Management System (DEMS).
Resolve All Your Compliance Challenges with VIDIZMO
VIDIZMO DEMS is a centralized platform to ingest, store, manage and share digital evidence (videos, audio recordings, images and documents) with top-notch security and trusted AI features.
With 20 years of experience in the video management industry and security maintained at every step, VIDIZMO integrates with several systems and applications to help commercial and government organizations meet compliance requirements such as CJIS, HIPAA and FOIA for data storage and management. It offers a flexible range of deployment options, including Azure Government Cloud, AWS Cloud, on-premises and hybrid infrastructure.
So, how can you meet the security standards with VIDIZMO DEMS?
Some of the key capabilities of VIDIZMO DEMS are as follows:
- FIPS 140-2 compliant AES-256 encryption at rest and in transit, together with other security features including password protection, a recorded reason for access, TLS protection and much more.
- Integration with multiple SSO identity providers and IAM services for user authentication.
- Role-Based Access Control, where each user is assigned a specific role with a default set of permissions for accessing the system.
- Tamper detection through SHA cryptographic hash values, which reveals any alteration or modification of digital files.
- Automatic detection and redaction of faces, people and custom objects such as license plates, weapons and vehicles visible in video evidence before it is shared with third parties.
But that’s just the tip of the iceberg!
Posted by VIDIZMO Team
We at VIDIZMO are experts in secure and compliant video streaming and digital evidence management. Our aim is to educate so that you can make better use of your video data.