CJIS Security Policy Resource Center
Table of Contents
- Executive Summary
- Change Management
- Summary of Changes
- Table of Contents
- List of Figures
- 1 Introduction
- 1.1 Purpose
- 1.2 Scope
- 1.3 Relationship to Local Security Policy and Other Policies
- 1.4 Terminology Used in This Document
- 1.5 Distribution of the CJIS Security Policy
- 2 CJIS Security Policy Approach
- 2.1 CJIS Security Policy Vision Statement
- 2.2 Architecture Independent
- 2.3 Risk Versus Realism
- 3 Roles and Responsibilities
- 3.1 Shared Management Philosophy
- 3.2 Roles and Responsibilities for Agencies and Parties
- 3.2.1 CJIS Systems Agencies (CSA)
- 3.2.2 CJIS Systems Officer (CSO)
- 3.2.3 Terminal Agency Coordinator (TAC)
- 3.2.4 Criminal Justice Agency (CJA)
- 3.2.5 Noncriminal Justice Agency (NCJA)
- 3.2.6 Contracting Government Agency (CGA)
- 3.2.7 Agency Coordinator (AC)
- 3.2.8 CJIS Systems Agency Information Security Officer (CSA ISO)
- 3.2.9 Local Agency Security Officer (LASO)
- 3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
- 3.2.11 Repository Manager
- 3.2.12 Compact Officer
- 4 Criminal Justice Information and Personally Identifiable Information
- 4.1 Criminal Justice Information (CJI)
- 4.1.1 Criminal History Record Information (CHRI)
- 4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information
- 4.2.1 Proper Access, Use, and Dissemination of CHRI
- 4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information
- 4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
- 4.2.3.1 For Official Purposes
- 4.2.3.2 For Other Authorized Purposes
- 4.2.3.3 CSO Authority in Other Circumstances
- 4.2.4 Storage
- 4.2.5 Justification and Penalties
- 4.2.5.1 Justification
- 4.2.5.2 Penalties
- 4.3 Personally Identifiable Information (PII)
- 5 Policy and Implementation
- 5.1 Policy Area 1: Information Exchange Agreements
- 5.1.1 Information Exchange
- 5.1.1.1 Information Handling
- 5.1.1.2 State and Federal Agency User Agreements
- 5.1.1.3 Criminal Justice Agency User Agreements
- 5.1.1.4 Interagency and Management Control Agreements
- 5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
- 5.1.1.6 Agency User Agreements
- 5.1.1.7 Outsourcing Standards for Channelers
- 5.1.1.8 Outsourcing Standards for Non-Channelers
- 5.1.2 Monitoring, Review, and Delivery of Services
- 5.1.2.1 Managing Changes to Service Providers
- 5.1.3 Secondary Dissemination
- 5.1.4 Secondary Dissemination of Non-CHRI CJI
- 5.1.5 References/Citations/Directives
- 5.2 Policy Area 2: Security Awareness Training
- 5.2.1 Awareness Topics
- 5.2.1.1 Level One Security Awareness Training
- 5.2.1.2 Level Two Security Awareness Training
- 5.2.1.3 Level Three Security Awareness Training
- 5.2.1.4 Level Four Security Awareness Training
- 5.2.2 Security Training Records
- 5.2.3 References/Citations/Directives
- 5.3 Policy Area 3: Incident Response
- 5.3.1 Reporting Security Events
- 5.3.1.1 Reporting Structure and Responsibilities
- 5.3.1.1.1 FBI CJIS Division Responsibilities
- 5.3.1.1.2 CSA ISO Responsibilities
- 5.3.2 Management of Security Incidents
- 5.3.2.1 Incident Handling
- 5.3.2.2 Collection of Evidence
- 5.3.3 Incident Response Training
- 5.3.4 Incident Monitoring
- 5.3.5 References/Citations/Directives
- 5.4 Policy Area 4: Auditing and Accountability
- 5.4.1 Auditable Events and Content (Information Systems)
- 5.4.1.1 Events
- 5.4.1.1.1 Content
- 5.4.2 Response to Audit Processing Failures
- 5.4.3 Audit Monitoring, Analysis, and Reporting
- 5.4.4 Time Stamps
- 5.4.5 Protection of Audit Information
- 5.4.6 Audit Record Retention
- 5.4.7 Logging NCIC and III Transactions
- 5.4.8 References/Citations/Directives
- 5.5 Policy Area 5: Access Control
- 5.5.1 Account Management
- 5.5.2 Access Enforcement
- 5.5.2.1 Least Privilege
- 5.5.2.2 System Access Control
- 5.5.2.3 Access Control Criteria
- 5.5.2.4 Access Control Mechanisms
- 5.5.3 Unsuccessful Login Attempts
- 5.5.4 System Use Notification
- 5.5.5 Session Lock
- 5.5.6 Remote Access
- 5.5.6.1 Personally Owned Information Systems
- 5.5.6.2 Publicly Accessible Computers
- 5.5.7 References/Citations/Directives
- 5.6 Policy Area 6: Identification and Authentication
- 5.6.1 Identification Policy and Procedures
- 5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges
- 5.6.2 Authentication Policy and Procedures
- 5.6.2.1 Standard Authenticators
- 5.6.2.1.1 Password
- 5.6.2.1.2 Personal Identification Number (PIN)
- 5.6.2.2 Advanced Authentication
- 5.6.2.2.1 Advanced Authentication Policy and Rationale
- 5.6.2.2.2 Advanced Authentication Decision Tree
- 5.6.3 Identifier and Authenticator Management
- 5.6.3.1 Identifier Management
- 5.6.3.2 Authenticator Management
- 5.6.4 Assertions
- 5.6.5 References/Citations/Directives
- 5.7 Policy Area 7: Configuration Management
- 5.7.1 Access Restrictions for Changes
- 5.7.1.1 Least Functionality
- 5.7.1.2 Network Diagram
- 5.7.2 Security of Configuration Documentation
- 5.7.3 References/Citations/Directives
- 5.8 Policy Area 8: Media Protection
- 5.8.1 Media Storage and Access
- 5.8.2 Media Transport
- 5.8.2.1 Digital Media during Transport
- 5.8.2.2 Physical Media in Transit
- 5.8.3 Digital Media Sanitization and Disposal
- 5.8.4 Disposal of Physical Media
- 5.8.5 References/Citations/Directives
- 5.9 Policy Area 9: Physical Protection
- 5.9.1 Physically Secure Location
- 5.9.1.1 Security Perimeter
- 5.9.1.2 Physical Access Authorizations
- 5.9.1.3 Physical Access Control
- 5.9.1.4 Access Control for Transmission Medium
- 5.9.1.5 Access Control for Display Medium
- 5.9.1.6 Monitoring Physical Access
- 5.9.1.7 Visitor Control
- 5.9.1.8 Delivery and Removal
- 5.9.2 Controlled Area
- 5.9.3 References/Citations/Directives
- 5.10 Policy Area 10: System and Communications Protection and Information Integrity
- 5.10.1 Information Flow Enforcement
- 5.10.1.1 Boundary Protection
- 5.10.1.2 Encryption
- 5.10.1.3 Intrusion Detection Tools and Techniques
- 5.10.1.4 Voice over Internet Protocol
- 5.10.1.5 Cloud Computing
- 5.10.2 Facsimile Transmission of CJI
- 5.10.3 Partitioning and Virtualization
- 5.10.3.1 Partitioning
- 5.10.3.2 Virtualization
- 5.10.4 System and Information Integrity Policy and Procedures
- 5.10.4.1 Patch Management
- 5.10.4.2 Malicious Code Protection
- 5.10.4.3 Spam and Spyware Protection
- 5.10.4.4 Security Alerts and Advisories
- 5.10.4.5 Information Input Restrictions
- 5.10.5 References/Citations/Directives
- 5.11 Policy Area 11: Formal Audits
- 5.11.1 Audits by the FBI CJIS Division
- 5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
- 5.11.1.2 Triennial Security Audits by the FBI CJIS Division
- 5.11.2 Audits by the CSA
- 5.11.3 Special Security Inquiries and Audits
- 5.11.4 References/Citations/Directives
- 5.12 Policy Area 12: Personnel Security
- 5.12.1 Personnel Security Policy and Procedures
- 5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI
- 5.12.1.2 Personnel Screening for Contractors and Vendors
- 5.12.2 Personnel Termination
- 5.12.3 Personnel Transfer
- 5.12.4 Personnel Sanctions
- 5.12.5 References/Citations/Directives
- 5.13 Policy Area 13: Mobile Devices
- 5.13.1 Wireless Communications Technologies
- 5.13.1.1 802.11 Wireless Protocols
- 5.13.1.2 Cellular Devices
- 5.13.1.2.1 Cellular Service Abroad
- 5.13.1.2.2 Voice Transmissions Over Cellular Devices
- 5.13.1.3 Bluetooth
- 5.13.1.4 Mobile Hotspots
- 5.13.2 Mobile Device Management (MDM)
- 5.13.3 Wireless Device Risk Mitigations
- 5.13.4 System Integrity
- 5.13.4.1 Patching/Updates
- 5.13.4.2 Malicious Code Protection
- 5.13.4.3 Personal Firewall
- 5.13.5 Incident Response
- 5.13.6 Access Control
- 5.13.7 Identification and Authentication
- 5.13.7.1 Local Device Authentication
- 5.13.7.2 Advanced Authentication
- 5.13.7.2.1 Compensating Controls
- 5.13.7.3 Device Certificates
- Appendices
- Appendix A Terms and Definitions
- Appendix B Acronyms
- Appendix C Network Topology Diagrams
- Appendix D Sample Information Exchange Agreements
- D.1 CJIS User Agreement
- D.2 Management Control Agreement
- D.3 Noncriminal Justice Agency Agreement & Memorandum of Understanding
- D.4 Interagency Connection Agreement
- Appendix E Security Forums and Organizational Entities
- Appendix F Sample Forms
- F.1 Security Incident Response Form
- Appendix G Best Practices
- G.1 Virtualization
- G.2 Voice over Internet Protocol
- G.3 Cloud Computing
- G.4 Mobile Appendix
- G.5 Administrator Accounts for Least Privilege and Separation of Duties
- Appendix H Security Addendum
- Appendix I References
- Appendix J Noncriminal Justice Agency Supplemental Guidance
- Appendix K Criminal Justice Agency Supplemental Guidance
CJIS Security Policy v5_5_20160601.pdf — PDF document, 3,073 kB (3,147,545 bytes)