Policy Area 4: Auditing and Accountability
Auditing and accountability updates to the Criminal Justice Information Services (CJIS) Security Policy draw attention to knowing the auditing capabilities of networked devices. In essence, if a device can collect data such as error and access logs, that capability should be weighed carefully to balance the load of data collection against security.
Highlights of changes in the Policy include the following areas:
Auditable Events and Content (Information Systems)
• Periodic review and update of auditable events
• If event collection is not automated, a manual system must be in place
• Successful and unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resources
• Successful and unsuccessful actions by privileged accounts
• Successful and unsuccessful attempts of users to access, modify, or destroy the audit log file
The following must now be included with every audited event:
• Date and time of the event
• The component of the information system, such as software or hardware, where the event occurred
• Type of event
• User or subject identity
• Outcome (success or failure) of the event
Response to Audit Processing Failures – has been added to require alerts if the audit process fails. Examples of failures that require alerts include software or hardware errors and the audit system or audit storage reaching capacity.
Audit Monitoring, Analysis, and Reporting
Requires that an individual (or position) be designated to review and analyze information system audit records to:
• Identify indications of inappropriate or unusual activity
• Investigate suspicious activity or suspected violations
• Report findings to appropriate officials
• Take necessary actions
• Conduct audit review and analysis at a minimum once a week
In the event there is an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information, the level of audit monitoring and analysis must be appropriately increased.
Time Stamps – date and time values for audit records are generated by the internal system clock.
Protection of Audit Information – systems shall protect audit information and audit tools from modification, deletion and unauthorized access.
Audit Record Retention – is set at a minimum of 365 days and is extended as needed to comply with administrative, legal, audit or other requirements.
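To make the required event content and the weekly review concrete, here is an added example (not part of the policy text or any agency tool) that checks constructed audit records for the five required fields and sorts them into the buckets a reviewer would look at first: attempts on the audit log itself, privileged-account actions, audit storage nearing capacity, and failed access. The field names, the audit log path and the 90% storage threshold are assumptions.

```python
from __future__ import annotations
import json
from datetime import datetime

# Fields CJIS Policy Area 4 requires in every audited event (as summarized above).
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")

# Constructed sample records (not real agency data). Three are complete; the last
# omits required fields and also reports audit storage nearing capacity.
SAMPLE_RECORDS = [
    '{"timestamp": "2012-03-01T08:15:02Z", "component": "auth-service", "event_type": "login", "subject": "jdoe", "outcome": "success"}',
    '{"timestamp": "2012-03-01T08:16:40Z", "component": "fileserver", "event_type": "chmod", "subject": "jdoe", "outcome": "failure", "target": "/cji/case_042.pdf"}',
    '{"timestamp": "2012-03-01T08:20:11Z", "component": "auditd", "event_type": "file_delete", "subject": "root", "outcome": "failure", "target": "/var/log/audit/audit.log", "privileged": true}',
    '{"component": "auditd", "event_type": "storage_threshold", "outcome": "success", "storage_used_pct": 97}',
]

AUDIT_LOG_PATHS = ("/var/log/audit/",)  # assumed location of the audit trail


def validate_record(raw: str) -> tuple[dict, list[str]]:
    """Parse one JSON record and list any CJIS-required fields it lacks."""
    rec = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    # A timestamp must also parse; an unreadable clock value is as bad as none.
    if "timestamp" in rec:
        try:
            datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            missing.append("timestamp(unparseable)")
    return rec, missing


def triage(raw_records: list[str]) -> dict[str, list]:
    """Sort records into the buckets a weekly audit review would start with."""
    out = {"incomplete": [], "audit_log_tamper": [], "privileged": [], "audit_failure": [], "failed_access": []}
    for raw in raw_records:
        rec, missing = validate_record(raw)
        if missing:
            out["incomplete"].append((rec.get("event_type"), missing))
        target = rec.get("target", "")
        if any(target.startswith(p) for p in AUDIT_LOG_PATHS):
            out["audit_log_tamper"].append(rec)  # access/modify/destroy attempts on the audit log
        if rec.get("privileged"):
            out["privileged"].append(rec)  # actions by privileged accounts
        if rec.get("event_type") == "storage_threshold" or rec.get("storage_used_pct", 0) >= 90:
            out["audit_failure"].append(rec)  # audit storage reaching capacity: an alert is required
        if rec.get("outcome") == "failure":
            out["failed_access"].append(rec)
    return out
```

The "incomplete" bucket is the one to fix at the source: a record missing a required field cannot satisfy the policy no matter how it is reviewed.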
The crux of the increases to auditing and accountability is awareness of devices with monitoring capabilities and complete information in audit logs. Audit information must also be protected and retained to ensure it remains usable. For a complete understanding of the changes to auditing and accountability, please review the full policy.
Policy Area 5: Access Control
This area of CJIS Security Policy version 5.1 has undergone extensive changes since version 4.5, with many of the new requirements being mandatory in 2012 and several in 2013. The topics with increased requirements provide a platform for planning and implementing restrictions on access to CJIS information.