CJIS Security Policy Resource Center
Table of Contents
- Executive Summary
- Change Management
- Summary of Changes
- Table of Contents
- List of Figures
- 1 Introduction
- 1.1 Purpose
- 1.2 Scope
- 1.3 Relationship to Local Security Policy and Other Policies
- 1.4 Terminology Used in This Document
- 1.5 Distribution of the CJIS Security Policy
- 2 CJIS Security Policy Approach
- 2.1 CJIS Security Policy Vision Statement
- 2.2 Architecture Independent
- 2.3 Risk Versus Realism
- 3 Roles and Responsibilities
- 3.1 Shared Management Philosophy
- 3.2 Roles and Responsibilities for Agencies and Parties
- 3.2.1 CJIS Systems Agencies (CSA)
- 3.2.2 CJIS Systems Officer (CSO)
- 3.2.3 Terminal Agency Coordinator (TAC)
- 3.2.4 Criminal Justice Agency (CJA)
- 3.2.5 Noncriminal Justice Agency (NCJA)
- 3.2.6 Contracting Government Agency (CGA)
- 3.2.7 Agency Coordinator (AC)
- 3.2.8 CJIS System Agency Information Security Officer (CSA ISO)
- 3.2.9 Local Agency Security Officer (LASO)
- 3.2.10 FBI CJIS Division Information Security Officer (FBI CJIS ISO)
- 3.2.11 Repository Manager
- 3.2.12 Compact Officer
- 4 Criminal Justice Information and Personally Identifiable Information
- 4.1 Criminal Justice Information (CJI)
- 4.1.1 Criminal History Record Information (CHRI)
- 4.2 Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information
- 4.2.1 Proper Access, Use, and Dissemination of CHRI
- 4.2.2 Proper Access, Use, and Dissemination of NCIC Restricted Files Information
- 4.2.3 Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
- 4.2.3.1 For Official Purposes
- 4.2.3.2 For Other Authorized Purposes
- 4.2.3.3 CSO Authority in Other Circumstances
- 4.2.4 Storage
- 4.2.5 Justification and Penalties
- 4.2.5.1 Justification
- 4.2.5.2 Penalties
- 4.3 Personally Identifiable Information (PII)
- 5 Policy and Implementation
- 5.1 Policy Area 1: Information Exchange Agreements
- 5.1.1 Information Exchange
- 5.1.1.1 Information Handling
- 5.1.1.2 State and Federal Agency User Agreements
- 5.1.1.3 Criminal Justice Agency User Agreements
- 5.1.1.4 Interagency and Management Control Agreements
- 5.1.1.5 Private Contractor User Agreements and CJIS Security Addendum
- 5.1.1.6 Agency User Agreements
- 5.1.1.7 Security and Management Control Outsourcing Standard
- 5.1.2 Monitoring, Review, and Delivery of Services
- 5.1.2.1 Managing Changes to Service Providers
- 5.1.3 Secondary Dissemination
- 5.1.4 References/Citations/Directives
- 5.2 Policy Area 2: Security Awareness Training
- 5.2.1 Awareness Topics
- 5.2.1.1 All Personnel
- 5.2.1.2 Personnel with Physical and Logical Access
- 5.2.1.3 Personnel with Information Technology Roles
- 5.2.2 Security Training Records
- 5.2.3 References/Citations/Directives
- 5.3 Policy Area 3: Incident Response
- 5.3.1 Reporting Information Security Events
- 5.3.1.1 Reporting Structure and Responsibilities
- 5.3.1.1.1 FBI CJIS Division Responsibilities
- 5.3.1.1.2 CSA ISO Responsibilities
- 5.3.2 Management of Information Security Incidents
- 5.3.2.1 Incident Handling
- 5.3.2.2 Collection of Evidence
- 5.3.3 Incident Response Training
- 5.3.4 Incident Monitoring
- 5.3.5 References/Citations/Directives
- 5.4 Policy Area 4: Auditing and Accountability
- 5.4.1 Auditable Events and Content (Information Systems)
- 5.4.1.1 Events
- 5.4.1.1.1 Content
- 5.4.2 Response to Audit Processing Failures
- 5.4.3 Audit Monitoring, Analysis, and Reporting
- 5.4.4 Time Stamps
- 5.4.5 Protection of Audit Information
- 5.4.6 Audit Record Retention
- 5.4.7 Logging NCIC and III Transactions
- 5.4.8 References/Citations/Directives
- 5.5 Policy Area 5: Access Control
- 5.5.1 Account Management
- 5.5.2 Access Enforcement
- 5.5.2.1 Least Privilege
- 5.5.2.2 System Access Control
- 5.5.2.3 Access Control Criteria
- 5.5.2.4 Access Control Mechanisms
- 5.5.3 Unsuccessful Login Attempts
- 5.5.4 System Use Notification
- 5.5.5 Session Lock
- 5.5.6 Remote Access
- 5.5.6.1 Personally Owned Information Systems
- 5.5.6.2 Publicly Accessible Computers
- 5.5.7 Wireless Access Restrictions
- 5.5.7.1 All 802.11x Wireless Protocols
- 5.5.7.2 Legacy 802.11 Protocols
- 5.5.7.3 Cellular
- 5.5.7.3.1 Cellular Risk Mitigations
- 5.5.7.3.2 Voice Transmissions Over Cellular Devices
- 5.5.7.4 Bluetooth
- 5.5.8 References/Citations/Directives
- 5.6 Policy Area 6: Identification and Authentication
- 5.6.1 Identification Policy and Procedures
- 5.6.1.1 Use of Originating Agency Identifiers in Transactions and Information Exchanges
- 5.6.2 Authentication Policy and Procedures
- 5.6.2.1 Standard Authentication (Password)
- 5.6.2.2 Advanced Authentication
- 5.6.2.2.1 Advanced Authentication Policy and Rationale
- 5.6.2.2.2 Advanced Authentication Decision Tree
- 5.6.3 Identifier and Authenticator Management
- 5.6.3.1 Identifier Management
- 5.6.3.2 Authenticator Management
- 5.6.4 Assertions
- 5.6.5 References/Citations/Directives
- 5.7 Policy Area 7: Configuration Management
- 5.7.1 Access Restrictions for Changes
- 5.7.1.1 Least Functionality
- 5.7.1.2 Network Diagram
- 5.7.2 Security of Configuration Documentation
- 5.7.3 References/Citations/Directives
- 5.8 Policy Area 8: Media Protection
- 5.8.1 Media Storage and Access
- 5.8.2 Media Transport
- 5.8.2.1 Electronic Media in Transit
- 5.8.2.2 Physical Media in Transit
- 5.8.3 Electronic Media Sanitization and Disposal
- 5.8.4 Disposal of Physical Media
- 5.8.5 References/Citations/Directives
- 5.9 Policy Area 9: Physical Protection
- 5.9.1 Physically Secure Location
- 5.9.1.1 Security Perimeter
- 5.9.1.2 Physical Access Authorizations
- 5.9.1.3 Physical Access Control
- 5.9.1.4 Access Control for Transmission Medium
- 5.9.1.5 Access Control for Display Medium
- 5.9.1.6 Monitoring Physical Access
- 5.9.1.7 Visitor Control
- 5.9.1.8 Access Records
- 5.9.1.9 Delivery and Removal
- 5.9.2 Controlled Area
- 5.9.3 References/Citations/Directives
- 5.10 Policy Area 10: System and Communications Protection and Information Integrity
- 5.10.1 Information Flow Enforcement
- 5.10.1.1 Boundary Protection
- 5.10.1.2 Encryption
- 5.10.1.3 Intrusion Detection Tools and Techniques
- 5.10.1.4 Voice over Internet Protocol
- 5.10.2 Facsimile Transmission of CJI
- 5.10.3 Partitioning and Virtualization
- 5.10.3.1 Partitioning
- 5.10.3.2 Virtualization
- 5.10.4 System and Information Integrity Policy and Procedures
- 5.10.4.1 Patch Management
- 5.10.4.2 Malicious Code Protection
- 5.10.4.3 Spam and Spyware Protection
- 5.10.4.4 Personal Firewall
- 5.10.4.5 Security Alerts and Advisories
- 5.10.4.6 Information Input Restrictions
- 5.10.5 References/Citations/Directives
- 5.11 Policy Area 11: Formal Audits
- 5.11.1 Audits by the FBI CJIS Division
- 5.11.1.1 Triennial Compliance Audits by the FBI CJIS Division
- 5.11.1.2 Triennial Security Audits by the FBI CJIS Division
- 5.11.2 Audits by the CSA
- 5.11.3 Special Security Inquiries and Audits
- 5.11.4 References/Citations/Directives
- 5.12 Policy Area 12: Personnel Security
- 5.12.1 Personnel Security Policy and Procedures
- 5.12.1.1 Minimum Screening Requirements for Individuals Requiring Access to CJI
- 5.12.1.2 Personnel Screening for Contractors and Vendors
- 5.12.2 Personnel Termination
- 5.12.3 Personnel Transfer
- 5.12.4 Personnel Sanctions
- 5.12.5 References/Citations/Directives
- APPENDICES
- Appendix A Terms and Definitions
- Appendix B Acronyms
- Appendix C Network Topology Diagrams
- Appendix D Sample Information Exchange Agreements
- Appendix E Security Forums and Organizational Entities
- Appendix F IT Security Incident Response Form
- Appendix G Best Practices
- Appendix H Security Addendum
- Appendix I References
- Appendix J Noncriminal Justice Agency Supplemental Guidance
- Appendix K Criminal Justice Agency Supplemental Guidance
CJIS Security Policy v5 1_07132012_(ns).pdf — PDF document, 1,057 kB (1,082,526 bytes)