As we begin our journey into the policy areas of the Criminal Justice Information Services (CJIS) Security Policy version 5.1, we find increased security requirements in several parts of our current topic of interest, Information Exchange Agreements. This area sets requirements for information shared through communication mediums (electronic mail, instant messages, web services, facsimile, and hard copy) and for information systems that send, receive, and store Criminal Justice Information (CJI). The following information focuses on the recent changes that increase security measures. As a reminder, the security requirements set forth by the security policy are a starting point; agencies are encouraged to develop local policies and procedures to further protect CJI.
First, we find additional measures in place to clarify the process of exchanging information. This helps agencies apply the appropriate security measures in compliance with version 5.1. Information exchange agreements must be in place, and agencies must document security measures, as follows:
- Before exchanging CJI
- When sharing CJI data that is sent to and/or received from the FBI CJIS
- In an agreement that commits both parties to the terms of the information exchange
Information handling covers the handling, processing, storing, and communication of CJI. Procedures are required to protect this information from unauthorized disclosure, alteration, or misuse.
Agency User Agreements
Updates to agency user agreements add specifications for public and private Noncriminal Justice Agencies, with additional requirements for:
- Authorization pursuant to federal law or state statute approved by the U.S. Attorney General
- A signed written agreement with the appropriate signatory authority of the CJIS Systems Agency and/or State Identification Bureau providing the access
- Allowing the FBI to periodically test the ability to penetrate the FBI’s network
Security and Management Control Outsourcing Standard
Increased measures require that all Channelers be:
- Subject to the terms and conditions described in the Compact Council Security and Management Control Outsourcing Standard
- Required to meet the same training and certification criteria as governmental agencies performing a similar function
- Subject to the same extent of audit review as local user agencies
Monitoring, Review, and Delivery of Services
Measures are added for private contractors and service providers, requiring:
- Regular monitoring and review of reports and records
- Control and visibility over all security aspects, including identification of vulnerabilities and information security incident reporting and response
- Conformance to the incident reporting and response specifications
Managing Changes to Service Providers
Changes include the provision of services, changes to existing services, and new services. The updated requirements incorporate:
- Management by the Criminal Justice Agency of any changes to services provided by a service provider
- Evaluation of the risks to the agency, based on the criticality of the data and system and the impact of the change
The final requirement update for Information Exchange is to log the dissemination of Criminal History Record Information when the receiving agency was not included in the primary information exchange agreement.
Security measures for Information Exchange Agreements increased significantly with the introduction of CJIS Security Policy version 5.0 and continue to do so in version 5.1. Readers who are familiar with previous versions of the security policy should closely review the measures in the current version. The largest increases are in monitoring, managing, and documenting the exchange of information.
Policy Area 2. Security Awareness and Training. The majority of the requirements found in version 5.1 of the security policy first appeared in version 5.0. Prior to these recent versions, security awareness and training was not a well-documented process and contained few requirements. Join us next month as we examine the updated requirements, beginning with basic security awareness training and following through to assigning records maintenance responsibilities.