Criminal Justice Information Services, or CJIS compliance, is perhaps one of the most important compliance standards of all. The policies and departments of CJIS were established in 1992 and comprise the largest division of the FBI. This compliance is what keeps professionals in criminal justice and law enforcement (at local, state, and federal levels) in agreement about standards for data security and encryption. CJIS databases contain what you might expect: all necessary information for detaining criminals, performing background checks, and tracking criminal activity.
It is safe to say that if CJIS compliance weren’t in place, it could mean the difference between criminal operations being shut down and law officials lacking the capacity to do so.
Since the sophistication and frequency of cyberattacks has only increased over the years, CJIS has had to adapt accordingly. CJIS devised a set of standards for organizations, cloud vendors for software as a service (SaaS), local agencies, and corporate networks alike. These standards must be adhered to by those parties to ensure best practices concerning wireless networks, remote access, data encryption, and multiple-step authentication.
We’re sure we don’t have to stress that it’s imperative that organizations who fall under these regulations become CJIS compliant, and meet the key requirements.
Ground Rules for CJIS Compliance
Some of the basic rules for CJIS compliance include:
A maximum of 5 unsuccessful login attempts by a user accessing CJIS
Monitoring various login activities, such as password changes
Performing weekly audit review
Actively moderating account management
Locking off users’ sessions after a half hour of inactivity
Restricted access due to physical location, job assignment, time of day, and network address
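The rules above translate directly into enforceable checks. The following is an added example, not Foresite's code and not the FBI's policy text: a toy access-control model that applies the listed thresholds (5 failed logins, 30 minutes of inactivity) and the listed restrictions (network address, time of day, job assignment) and writes every decision to an audit trail for the weekly review. The class and field names, the permitted CIDR, hours and role, and the sample events are all assumptions chosen for illustration.

```python
"""Toy enforcement model for the CJIS ground rules listed above (added example).
The thresholds come from the list; everything else (names, sample values) is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

MAX_FAILED_LOGINS = 5                       # ground rule: 5 unsuccessful attempts
SESSION_IDLE_LIMIT = timedelta(minutes=30)  # ground rule: lock after 30 idle minutes


@dataclass
class AccessPolicy:
    allowed_networks: list   # ipaddress networks CJI may be reached from
    allowed_hours: range     # local hours (24h clock) during which access is permitted
    allowed_roles: set       # job assignments cleared for CJI


@dataclass
class AccountState:
    failed_logins: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None
    audit_log: list = field(default_factory=list)


def _audit(state: AccountState, ts: datetime, event: str) -> None:
    # Every decision is recorded; the weekly audit review reads this log.
    state.audit_log.append(f"{ts.isoformat()} {event}")


def _deny(state: AccountState, ts: datetime, reason: str) -> str:
    _audit(state, ts, f"login denied: {reason}")
    return f"denied: {reason}"


def attempt_login(state: AccountState, policy: AccessPolicy, ts: datetime,
                  src_ip: str, role: str, password_ok: bool) -> str:
    """Evaluate one login attempt; returns 'allowed' or 'denied: <reason>'."""
    if state.locked:
        return _deny(state, ts, "account locked")
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in policy.allowed_networks):
        return _deny(state, ts, f"network {src_ip} not permitted")
    if ts.hour not in policy.allowed_hours:
        return _deny(state, ts, f"hour {ts.hour} outside permitted window")
    if role not in policy.allowed_roles:
        return _deny(state, ts, f"role {role} not cleared for CJI")
    if not password_ok:
        state.failed_logins += 1
        if state.failed_logins >= MAX_FAILED_LOGINS:
            state.locked = True   # stays locked until an administrator clears it
            return _deny(state, ts, "too many failed logins, account locked")
        return _deny(state, ts, f"bad password ({state.failed_logins}/{MAX_FAILED_LOGINS})")
    state.failed_logins = 0
    state.last_activity = ts
    _audit(state, ts, f"login allowed from {src_ip} as {role}")
    return "allowed"


def touch_session(state: AccountState, ts: datetime) -> str:
    """Called on every request; enforces the 30-minute inactivity lock."""
    if state.last_activity is None:
        return "denied: no active session"
    if ts - state.last_activity > SESSION_IDLE_LIMIT:
        state.last_activity = None
        _audit(state, ts, "session locked after inactivity")
        return "denied: session locked after inactivity"
    state.last_activity = ts
    return "allowed"


if __name__ == "__main__":
    # Constructed sample: one dispatcher account, office network only, 07:00-18:59.
    policy = AccessPolicy([ipaddress.ip_network("10.20.0.0/16")], range(7, 19), {"dispatcher"})
    acct = AccountState()
    print(attempt_login(acct, policy, datetime(2024, 3, 4, 9, 0), "203.0.113.5", "dispatcher", True))
    for minute in range(5):
        print(attempt_login(acct, policy, datetime(2024, 3, 4, 9, minute), "10.20.1.7", "dispatcher", False))
    print("\n".join(acct.audit_log))
```

The audit log is the part that matters most in practice: the reviewer needs to see not only the lockout but also the off-network and off-hours attempts that preceded it.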
The CJIS database is a central database of criminal justice information (CJI), and this information is collected via law enforcer analytics and statistics. As you might have concluded from even just these basic rules, CJIS access and control is strict and complex, and rightfully so.
If your organization isn’t 100 percent compliant, the authorities will be alerted to this fact very quickly. Compliance regulations like these must be followed exactly, but understandably, some organizations will have more challenges than others keeping compliant.
Multi-Factor Authentication and Encryption
FBI Security Policy section 5.6.2.2.1, also known as the Advanced Authentication Requirement, obliges organizations to use multi-factor authentication if employees are accessing CJI. This is similar to using a debit or credit card that requires PIN input.
A recurrent strategy for multi-factor authentication is to use software applications or physical devices that generate unique, one-time passwords with time limits. Multi-factor authentication is a key policy area that should be on every business’ CJIS checklist along with data encryption.
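The time-limited one-time passwords mentioned above are typically TOTP codes (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not Foresite's code and not any vendor's authenticator library: a standard-library implementation of code generation plus a server-side verifier. The one-step drift window and the replay check are design choices assumed here; the page does not specify them. The secret used in the sample run is the public test key from RFC 4226/6238, not a real credential.

```python
"""TOTP/HOTP generation and verification (added example, standard library only)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(key, int(at_time // step), digits)


def new_secret() -> str:
    """Base32-encoded 160-bit secret, the form authenticator apps enroll."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class TotpVerifier:
    """Server-side check. Accepts the current step plus/minus `window` steps of
    clock drift, compares in constant time, and never accepts a step at or below
    the last one consumed, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1   # highest time step already used for this account

    def verify(self, candidate: str, at_time: float) -> bool:
        counter = int(at_time // self.step)
        for off in range(-self.window, self.window + 1):
            c = counter + off
            if c <= self.last_counter:
                continue   # already consumed (or older): replay protection
            if hmac.compare_digest(hotp(self.key, c, self.digits), candidate):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"          # public RFC test vector key
    print("RFC 6238 T=59 (8 digits):", totp(rfc_key, 59, digits=8))
    v = TotpVerifier(rfc_key, digits=8)
    code = totp(rfc_key, 59, digits=8)
    print("first use:", v.verify(code, 59), "replay:", v.verify(code, 59))
    print("fresh enrollment secret:", new_secret())
    print("code right now:", totp(rfc_key, time.time()))
```

The verifier's `last_counter` state must be persisted per account (and per secret) on the server side; without it, a code observed over the shoulder or from a phishing page stays valid for the whole drift window.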
Encrypting files and emails adds one more layer of complexity for criminals trying to gain access to CJI and other vital information. The policy also governs proper ways to handle the challenges of sending email that won’t compromise CJI.
For CJIS best practices, training for your staff should be frequent, with sufficient documentation and knowledge circulation to ensure that everyone is on the same page regarding complete compliance. Your security protocols and password requirements should be the same across your entire organization.
Mishandled CJI can seriously affect both the organizations involved and the public at large. If you are unsure of which strategies will be feasible to achieve a state of readiness with this compliance, you should consider engaging compliance consultants. You’ll be thankful you did, for the sake of the safety of your staff and the public.
If you want to get an in-depth plan to maintain complete CJIS compliance for your organization, schedule a scoping call with Foresite’s compliance experts.