Texas Technology, Techs are FBI Certified and Fingerprinted.
Implementation for Technology Audits.
CJIS Security Training FBI
Law enforcement needs timely and secure access to services that provide data wherever and whenever for stopping and reducing crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). The Federal Information Security Management Act of 2002 provides further legal basis for the APB-approved management, operational, and technical security requirements mandated to protect CJI and, by extension, the hardware, software, and infrastructure required to enable the services provided by the criminal justice community.
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.
The CJIS Security Policy integrates presidential directives, federal laws, FBI directives and the criminal justice community’s APB decisions along with nationally recognized guidance from the National Institute of Standards and Technology. The Policy is presented at both strategic and tactical levels and is periodically updated to reflect the security requirements of evolving business models. The Policy features modular sections enabling more frequent updates to address emerging threats and new security measures. The provided security criteria assist agencies with designing and implementing systems to meet a uniform level of risk and security protection while enabling agencies the latitude to institute more stringent security requirements and controls based on their business model and local needs.
The CJIS Security Policy strengthens the partnership between the FBI and CJIS Systems Agencies (CSA), including, in those states with separate authorities, the State Identification Bureaus (SIB). Further, as use of criminal history record information for noncriminal justice purposes continues to expand, the CJIS Security Policy becomes increasingly important in guiding the National Crime Prevention and Privacy Compact Council and State Compact Officers in the secure exchange of criminal justice records.
The Policy describes the vision and captures the security concepts that set the policies, protections, roles, and responsibilities with minimal impact from changes in technology. The Policy empowers CSAs with the insight and ability to tune their security programs according to their risks, needs, budgets, and resource constraints while remaining compliant with the baseline level of security set forth in this Policy. The CJIS Security Policy provides a secure framework of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.
APB Approved Changes
1. Section 5.2 Policy Area 2: Security Awareness Training: added language, Spring 2015, APB20, SA2, Security Awareness Training Requirements.
2. Section 18.104.22.168 All Personnel: change section title to “Level One Security Awareness Training”, modify language and required training topics, Spring 2015, APB20, SA2, Security Awareness Training Requirements.
3. Section 22.214.171.124 Personnel with Physical and Logical Access: change section title to “Level Two Security Awareness Training”, modify language and moved required training topics from previous Section 126.96.36.199, Spring 2015, APB20, SA2, Security Awareness Training Requirements.
4. Section 188.8.131.52 Personnel with Information Technology Roles: change section title to “Level Three Security Awareness Training”, modify language and moved required training topics from previous Section 184.108.40.206, Spring 2015, APB20, SA2, Security Awareness Training Requirements.
5. Section 220.127.116.11 Level Four Security Awareness Training: added section and moved required training topics from previous Section 18.104.22.168, Spring 2015, APB20, SA2, Security Awareness Training Requirements.
6. Section 5.2 Figure 4: changed figure title and added a use case for each level of security awareness training, Fall 2015, APB12, SA4, Security Awareness Training Requirements.
7. Section 5.3 Incident Response: modified language to indicate any incident involving criminal justice information, Fall 2015, APB12, SA3, Security Incident Response Reporting.
8. Section 22.214.171.124 Advanced Authentication: add language describing the use of out-of-band authenticator, Spring 2015, APB 20, SA4, Clarification of Out-of-Band Authentication for Advanced Authentication (AA).
9. Section 5.9.1 Physically Secure Location: modified language to include security awareness training reference, Spring 2015, APB20, SA2, Security Awareness Training Requirements.
10. Section 5.10.2 Facsimile Transmission of CJI: modified language and introduced a new requirement, Fall 2015, APB12, SA1, Faxing Requirements in the CJIS Security Policy.
11. Section 5.11.2 Audits by the CSA: add language allowing CSA audits of vendor facilities, Spring 2015, APB 20, SA3, CJIS Systems Agency (CSA) Audit of Contractor Facilities.
12. Section 126.96.36.199(7) Minimum Screening Requirements for Individuals Requiring Access to CJI: add language allowing CSO delegation of continuing access determination for non-felony offenses, Spring 2015, APB 20, SA5, CJIS Systems Officer (CSO) Delegation of Personnel Screening Requirements.
13. Section 5.13 Policy Area 13: Mobile Devices: modify language throughout the entire section based on Mobile Security Task Force recommendations, Fall 2015, APB12, SA2, Request to Modify CJIS Security Policy Section 5.13 Mobile Devices.
14. Appendix A Terms and Definitions: add definitions for “Out-of-band” and “In-band”, Spring 2015, APB 20, SA4, Clarification of Out-of-Band Authentication for Advanced Authentication (AA).
15. Appendix A Terms and Definitions: add definition for “Facsimile (Fax)”, Fall 2015, APB12, SA1, Faxing Requirements in the CJIS Security Policy.
16. Appendix A Terms and Definitions: add definitions for “Full-feature Operating System”, “Limited-feature Operating System”, “Mobile (WiFi) Hotspot”, “Wireless Access Point”, and “Wireless (WiFi) Hotspot”, Fall 2015, APB12, SA2, Request to Modify CJIS Security Policy Section 5.13 Mobile Devices.
17. Appendix F.1 Security Incident Response Form: modified form to indicate any incident involving criminal justice information, Fall 2015, APB12, SA3, Security Incident Response Reporting.
18. Appendix K Criminal Justice Agency Supplemental Guidance: replace current appendix with new appendix, Spring 2015, APB 20, SA8, Evaluation of Appendix K.
1. Figure 14 – A Local Police Department’s Information Systems & Communications Protections: change the title of the figure and add faxing use cases. Security and Access Subcommittee requested the use cases be added.
2. Appendix C Network Topology Diagrams, Figures C.1-A, B, C, and D: added required information from Section 188.8.131.52 Network Diagram to diagrams. Sample diagrams did not contain the required elements of agency name, effective date of drawing, and “For Official Use Only” marking.
3. Appendix G Best Practices: added new Appendix G.5 Administrator Accounts for Least Privilege and Separation of Duties, Spring 2015, SA6 (info only). Security and Access Subcommittee approved the appendix to be added under the APB approved ISO latitude for administrative changes.