CJIS Audit Compliance Services
Looking for a CJIS compliance partner?
We specialize in helping law enforcement agencies and their government counterparts achieve and maintain CJIS compliance by using our many years of experience working with Police Departments and Sheriff’s Offices throughout Florida.
Our IT and network technicians have all undergone full-spectrum background checks and have been digitally fingerprinted by local and regional law enforcement offices, and all our technicians have completed all required CJIS training and certification requirements.
Contact one of our CJIS specialists today for a free consultation on how we can assist you with your compliance and infrastructure needs – we will also be glad to give you several clients references from other law enforcement agencies we’ve helped with their CJIS needs.
CJIS Background Information
What is Criminal Justice Information (CJI) as it pertains to Criminal Justice Information Services or CJIS? Criminal Justice Information as it pertains CJIS to is very specific in that it is any information that is obtained through the National Criminal Justice Data System including NCIC/IAFIS/NICS. Information that is obtained outside of these systems while still criminal information is not considered CJI under the CJIS Compliance standard.
What is not officially CJI is information obtained outside of these systems such as interviews or reports generated by your agency. But it can be quickly turned into CJI by any information that is derived from NCIC/IAFIS/NICS such as a name, an address, or even a phone number that is auto-populated in your agency system.
Due to the intermingling of these systems, it is easier to consider all records data as CJI.
What should I do if there is an incident involving CJI data on my workstation, laptop, tablet, notepad, etc.? Should an incident occur, your policy should include the following aspects and should be managed based on the level of severity of the incident.
The severity should be broken down into three levels:
- High-Level Incident – impacts the network or criminal justice information.
- Medium Level Incident – impacts one system or non-critical system.
- Low-Level Incident – is of little or no risk to network or the CJI system.
The organization should identify the security breach, investigate, and remediate based on the following steps:
- Confirm the discovery of the compromised resource
- Evaluate the incident
- Identify the system or systems of information affected
- Review all preliminary details
- Assign a level of severity based on the three levels (High, Medium, or Low)
- Determine how the breach occurred including the time of initial compromise
- Examine the system and audit logs for irregularities
- Contain and control the incident to prevent further unauthorized access or additional damage
- Remediate the incident
- Document all steps throughout the process
We want to retire our old equipment that stored criminal justice information and surplus or dispose of it. What can we do?
For you to release the equipment it is required that you sanitize the data before release. The suggested method of sanitization is destruction. If destruction is not an option such as with a leased copier or all in one device, then the data must be overwritten.
Several options for sanitization are available including:
- Contact Verteks data security professionals and we will use a chain-of-custody confirmed pickup, destruction, and documentation of your hard drives.
- The hard drive/media must be overwritten at least three times. Several specialized wiping solutions are available to overwrite the system multiple times.
- Destruction of the data device. Several methods include but are not limited to:
- Drilling multiple holes in the hard drive
- Shredding the drive in a special shredder
- Target Practice. (Several of our LEOs preferred method)
Whichever method you use, be sure that the storage device is always handled by a CJIS certified member of your organization.
Are there any special password policies or requirements that we must use to allow access to CJI systems?
There are several requirements associated with access and use of CJI systems. These systems include but are not limited to any system that touches the secure CJI system such as Servers, HCI, SAN, NAS, Centralized Storage, Desktops, Laptops, Routers, Switches, Wi-Fi, Windows Active Directory, Email, and applications. Each user who accesses CJI must have a unique username and password. All users must be uniquely identified and cannot share identification and passwords with other users.
For the best possible account protection, we strongly recommend Multi-Factor Authentication (MFA) – a system that protects each account by requiring a confirmation of a ‘push’ signal upon login, usually to a cellphone, but can also be a digital token.
For traditional password protection, all passwords should include the following at a minimum:
- Be a minimum length of eight (8) characters on all systems
- Be a dictionary word or proper name
- Not be the same as the username
- Expire within a maximum of 90 calendar days
- Not be the same as the previous ten (10) passwords
- Not be transmitted in the clear outside the secure location
- Not be displayed when entered
How we can help with CJIS standards and FDLE audits?
Here are some of the most popular services we are asked to perform by Police Departments and Sheriff’s Offices:
- We can conduct a pre-audit for CJIS compliance. Our Certified Information Systems Auditor (CISA) will perform a network and data security evaluation based on FDLE and CJIS standards, and create a gap analysis showing you what areas need to be addressed prior to an audit. We can also help you resolve the shortfalls and mitigate any risks.
- Our CISA auditors are trained and experienced using the NIST SP 800-53 Rev. 4 Controls that outside auditors will use to evaluate your systems – so we can give you the practical advice and guidance you need to be completely prepared for any audit.
- We can assist in the implementation of a multi-factor authentication system to secure your user accounts from being hacked by either brute-force or by a dictionary attack.
- We can implement a new configuration on your firewalls at both your main office any remote offices or substations to guarantee they meet all FIPS 140-2 requirements for cryptography.
- We can assist with IT policy and procedure creation and maintenance so that you have clearly written and compliant policies that meet and exceed audit requirements.
- We can help with setup of advanced logging systems required by CJIS and FDLE for your Windows servers, network infrastructure and firewalls.
Verteks Consulting specializes in CJIS Compliance. Get assistance on your CJIS Audits today!