Understanding CJIS Policies and Implementation using FileCloud

CJIS Security Policy entails information security requirements, guidelines, and agreements documenting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). The Criminal Justice Information (CJIS) Security Policy provides a secure model of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

The prime focus of the CJIS Security Policy is to implement the proper controls necessary to secure the full lifecycle of CJI, both at rest and in transit. It applies to a private entity, contractor, noncriminal justice agency representative, or member of a criminal justice entity that utilizes or has access to criminal justice services and information.

Because the magnitude of cyberattacks has increased over the years, CJIS has had to adapt. CJIS came up with a set of standards for organizations, cloud vendors for software as a service (SaaS), local agencies, and corporate networks, etc. These standards must be complied with by those parties to ensure best practices for wireless networks, remote access, data encryption, and multiple-step authentication.

Ground Rules of CJIS

The policies proposed by CJIS encompass best practices in wireless networking, remote access, data encryption, and multiple authentications. Some basic rules include:

  • A limit of 5 unsuccessful login attempts by a user accessing CJIS
  • Event logging various login activities, including password changes
  • Weekly audit reviews
  • Active account management moderation
  • Session lock after 30 minutes of inactivity
  • Access restriction based on physical location, job assignment, time of day, and network address

 

Policy and Implementation Using FileCloud

We will now go through a high-level overview of the 13 policy areas of the CJIS Security Policy v5.3 and how FileCloud will help you implement these

Policy Area 1—Information Exchange Agreements

Organizations dealing with CJI must have signed written agreements documenting the full length of their interaction and the relevant security policies and procedures in place between them to ensure appropriate safeguards. CJIS policy incorporates procedures on how information is handled and what should be in user agreements. Companies and agencies that use CJI must include specific processes and parameters in their information exchange agreements, including:

  • Audits
  • Dissemination
  • Hit confirmation
  • Logging
  • Quality assurance
  • Pre-employment screening
  • Security
  • Timeliness
  • Training
  • Use of systems
  • Validation

FileCloud understands this is a shared responsibility between the parties and has the provision to implement the information exchange policy in the enterprise edition.

Policy Area 2—Security Awareness Training

Basic security awareness training should be given in the initial six months and biennially for all personnel who have access to CJI. Records of individual basic security awareness training and specific information system security training shall be documented and updated. This is the customer’s responsibility to make sure the training is made available to all the personnel having access to the information and keep the training documents up to date.

Policy Area 3—Incident Response

Agencies must incorporate operational incident handling capability for malicious computer attacks against agency information systems to include adequate preparation, detection, analysis, containment, recovery, and user response activities. Agencies must also track, document, and report incidents to appropriate officials. Incident-related information can be obtained from different sources including audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The agency should incorporate the experience from ongoing incident handling activities into the incident response procedures and implement the procedures accordingly.

Policy Area 4—Auditing and Accountability

Agencies must provide for the ability to generate audit records of their systems for defined events. FileCloud Server has extensive auditing support and every operation in FileCloud Server is logged. By providing options to record every action with What, When, Who, and How attributes, FileCloud gives customers the best possible audit data to satisfy CJIS compliance. FileCloud has the capability to record logs of all events, Metadata, timestamps, the outcome of events. FileCloud can also help you create audit reports. FileCloud also has the capability to retain these audit reports/logs for a year or until the information is no longer needed.

Policy Area 5—Access Control

One of the more complex Policy Areas, an Agency’s IT organization, will implement multiple mechanisms addressing login management systems, remote access, virtual private network (VPN) solutions certified to the FIPS 140-2 standard and enact policies and controls for Wi-Fi, Bluetooth and cellular devices.

FileCloud can be used to implement access control policies (identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (access control lists, access control matrices, cryptography). It can enforce a limit of no more than 5 consecutive invalid access attempts by a user, initiate session lock after 30 min of inactivity, automated mechanisms to facilitate the monitoring and control of remote access methods.

Policy Area 6 — Identification and Authentication

Agencies must uniquely identify users and processes acting on behalf of users.

Admins have the ability to set permissions for each individual user. Access permissions are generally enforced uniformly regardless of location and access method (web browser, FileCloud drive, WebDAV, FileCloud sync, mobile/tablet app). Admins can also set an expiration date for a user, after which the user permissions will expire and will no longer have access to the FileCloud system. Admin can also disable the user for a certain period of time. FileCloud password policy management allows admins to set minimum password length for user accounts and account lockout after failed logins. Account lockout prevents brute force password attacks by immediately locking out the access point after multiple failed login attempts.

Most security threats today are a result of compromised user credentials. With FileCloud’s two-factor authentication, users can require an extra 2FA code as part of the user authentication process. The additional login step requires users to verify their identity using a 2FA code sent via email creating a double-check for every authentication.

Policy Area 7 — Configuration Management

The goal is to allow only qualified and authorized individuals’ access to information system components for purposes of initiating changes, including upgrades and modifications. FileCloud system administrators can configure and view the complete list of shares created by users and locked files and folders. The User Shares Report includes information such as user name, location, expiration, and share type (private or public). The User Locks Report provides a list of files locked by users. FileCloud monitors all user logins and activities including deletion, uploads, and downloads. In addition, FileCloud provides tools to filter activities using a date range, user names, and text search.

Policy Area 8 — Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting, and storing media.

With FileCloud, you can encrypt Managed Disk Storage for compliance and security reasons. If a FIPS-enabled FileCloud license is installed, there is a new option in the Admin Portal to enable FileCloud to run in FIPS mode in FileCloud Server version 19.1 and later.

Policy Area 9 — Physical Protection

Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures.

FileCloud protects the confidentiality and integrity of your files in transit and at rest.

  • AES 256-bit encryption to store files at rest.
  • SSL/TLS secure tunnel for file transmission.
  • Site-specific, customer-managed encryption keys in a multi-tenant setup. Each tenant gets their own set of encryption keys.

 Policy Area 10—Systems and Communications Protection and Information Integrity

Communications safeguards must be employed to ensure the security and integrity of data across the network both in motion and at rest.

FileCloud security includes 256-bit AES SSL encryption at Rest, Active Directory integration, two-factor authentication, granular user and file-sharing permissions, client application security policies, anti-virus scanning, unlimited file versioning, recycle bin, file locking, endpoint device protection, and comprehensive CJIS compliant audit trail.

Policy Area 11 — Formal Audits

Formal audits are conducted to ensure compliance with applicable statutes, regulations, and policies. These audits will be executed by either the FBI CJIS Audit Unit (CAU) or the state’s lead CJIS Systems Agency (CSA).

Policy Area 12 — Personnel Security

Agencies must provide security screenings consisting of state of residence and national fingerprint-based record checks for all personnel with either physical or logical access to unencrypted CJI. This applies to agency personnel, vendors, and contractors.

Policy Area 13 — Mobile Devices

Long overdue; this section provides detailed guidance regarding employing mobile devices, e.g. cellular-enabled smartphones and tablets. Here you’ll find minimum functions required to manage mobile devices and an introduction to the concept of compensating controls in order to bridge the inherent technical limitations of some devices.

Conclusion

FileCloud Server is the commercial of the shelf software solution that helps businesses securely share, manage, and govern enterprise content. FileCloudsoftware provides the necessary capabilities for organizations to obtain compliance with CJIS. The enduser is responsible for utilizing suitable FileCloud capabilities as well as managing and maintaining the environment where FileCloud is being hosted to ensure CJIS’s requirements are being met. FileCloud aids with your CJIS compliance efforts under the shared responsibility model.

 

References

https://itlaw.wikia.org/wiki/Criminal_Justice_Information_Services_Security_Policy