CJIS: Criminal Justice Information Services
Are you a law enforcement agency that needs patrol reports, witness or suspect interviews, jail calls, wiretaps, or any other audio or video file transcribed? Any time a file with sensitive data is handed to an outside company or vendor, it’s crucial the company is compliant with CJIS. Working with a company that does not follow CJIS policies can lead to disastrous breaches of data and lawsuits for years.
Here at Ditto Transcripts, we want to help you understand exactly what CJIS is, the policies it entails, and the steps we take to comply with it. What follows pertains to companies like us that provide law enforcement transcription services, and any other company in the US that wants to be CJIS compliant.
What is CJIS?
CJIS (Criminal Justice Information Services Division) is the largest division within the FBI. The CJIS operations center is a high-tech hub located in the hills of West Virginia. It offers advanced tools and services to law enforcement agencies, national security agencies, and intelligence community partners.
CJIS ensures that companies that work with sensitive information stay within its compliance standards for data security and encryption. Sensitive information includes background checks, fingerprints, DNA evidence, copies of government-issued documents such as passports, witness or suspect interviews, and much more.
With the advancement of cloud computing over the years, challenges have arisen in data security, compliance, and incident response. If data ends up in the wrong hands, it can cause havoc to public trust in government. Cloud services are often a necessity because they are so effective, so compliance and security will always be factors to consider before sharing sensitive information with anyone.
CJIS acts as an archive of criminal justice information for many different government agencies around the United States. CJIS stays on top of constant changes in technology and has created a set of security standards for businesses that cater to law enforcement.
It’s fair to say that if CJIS didn’t exist, the number of system breaches, shared information, and crime rates of all kinds would be out of control.
History of CJIS
In 1924, the FBI created an Identification Division to gather fingerprints from police agencies nationwide. This made it easier to search for fingerprint matches from crime evidence upon request from one central location in the US. And in 1992, the CJIS Division was established to serve as the focal point and central repository for all criminal justice information services within the FBI.
Who Needs to be CJIS Compliant?
Every business that has access to sensitive data, or to data coming from CJIS databases, needs to align its data security standards with the 13 policies below.
This applies to law enforcement agencies, including police departments, prosecuting attorneys' offices, transcription and translation companies, security agencies, etc.
The FBI’s outline of CJIS policies points out that not all policies apply to every organization. That being said, any company handling sensitive information should be familiar with all of the policies in case of changes that could include them at some point.
Note: Anyone who gains access to CJIS information must undergo a criminal background check to ensure the information doesn’t end up in the hands of someone with a criminal history. On the same note, US background checks cannot be performed on foreign nationals. This means foreign nationals are not allowed to access CJIS databases or systems, because the required criminal background check cannot be done.
Below is a look at which CJIS compliance policies businesses must follow in order to be compliant.
Requirements to be CJIS compliant
CJIS requirements have changed since the division was originally founded in 1992. There are more internet hacking threats today than ever before. With much of today’s information stored in the cloud and reached over an internet connection, cyber security can be very challenging. That’s why using a CJIS compliant company is extremely crucial for all law enforcement agencies.
The CJIS policies are there to enforce safety in wireless networking, data encryption, remote access, and multi-factor authentication. Here are some basic requirements from the CJIS:
- A limit on unsuccessful login attempts.
- Keeping track of login activities including password changes.
- Weekly audit reviews.
- Session lock after 30 minutes (or less) of inactivity.
- Access restrictions based on job role, location, time of day, and network address.
Now, let’s go into more depth. Here is a summary of the 13 CJIS policies.
Policy #1: Information Exchange Agreements
Companies that share CJIS-protected data with other organizations must have a written agreement that both will comply with the CJIS security standards.
Policy #2: Security Awareness Training
All employees within a business handling CJIS data must undergo security training within the first six months of being assigned their roles. Training must be repeated every other year to accommodate CJIS updates.
Policy #3: Incident Response
Companies handling CJIS-protected data must have safeguards in place to detect breaches and contain them. Data recovery measures are also crucial. Any data breaches must be reported to the authorities immediately.
Policy #4: Auditing and Accountability
Audit controls must be implemented to see who is accessing data, when data is accessed, and why it’s being accessed. This information needs to be logged for any future audits, which could help determine if the company is accountable or not.
Policy #5: Access Control
Restrictions must be set to control who can access data. The restrictions include who can access, upload, download, transfer, and delete secure data. Login management systems, remote access controls, and more should all be highly restricted and monitored.
Policy #6: Identification and Authentication
CJIS specifies login credential requirements, including advanced authentication methods such as one-time passwords and multi-factor authentication, together with password requirements (capital letters, numbers, special characters, etc.), which must be implemented for anyone accessing CJIS information.
Policy #7: Configuration Management
Only authorized users in a business can make configuration adjustments like upgrading systems or initiating modifications.
Policy #8: Media Protection
CJIS-related data is to be protected in all forms — digital and physical — while in transit or while stored at a facility. When equipment (computers and other devices) is no longer used by the company, the company must wipe all data from it and dispose of the device in alignment with CJIS policies.
Policy #9: Physical Protection
The physical location where the CJIS data is stored must be protected at all times. This could be with guards, cameras, and advanced security systems.
Policy #10: System and Communications Protection and Information Integrity
Physical data files must be protected and so should organization systems and communications. Steps that are taken to ensure protection include encryption, network security, data breach detection measures, and more.
Policy #11: Formal Audits
Any company that uses and manages CJIS data is subject to audits at least every three years by the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA). Which organization performs the audit depends on the state the company is in. Audits can happen at any time, and companies must comply or they could be closed down.
Policy #12: Personnel Security
Everyone who works within the company, including full-time staff, part-time staff, and contractors, must submit to security screenings and national fingerprint-based record checks.
Policy #13: Mobile Devices
Every employee’s mobile device (phones, laptops, tablets) is subject to CJIS oversight. The company must establish secure user restrictions and must authorize, monitor, and control access to its systems from non-work devices. Even employee devices that have never been on the premises are subject to oversight.
How to Choose a CJIS Compliant Cloud Provider
When it comes to choosing a cloud provider, there are many questions to consider. Do they have general liability insurance? Do they have cyber liability insurance? Are employee background checks kept confidential? How about authenticity? A good provider should do all of the above and be able to sign a contract stating that they are 100% US based and will not outsource or allow any foreign nationals to access your data. Make sure they are willing to sign a contract that also guarantees all of the above and commits them to financial penalties if they knowingly lied or failed to disclose anything that could make them non-CJIS-compliant.
The problem with CJIS cloud providers in the US
When choosing a provider, it’s important to know that there is no central CJIS authorization body, which means there are no CJIS certifications available in the US at this time. Be suspicious of any company that claims to have a CJIS certification or any company that offers a CJIS certification. Unfortunately, law enforcement agencies are on their own to find a provider that ticks all the CJIS compliance boxes.
What’s even more confusing is each law enforcement agency can have their own compliance standards. The compliance standards may also vary from state to state and may not even be the same within a state sometimes. Because of this, providers must create a list of what they offer with detailed descriptions so agencies can see if they meet their CJIS compliance requirements.
However, the CJIS Systems Agency (CSA) can give some assurance that a provider follows the minimum requirements by auditing providers. This audit should not be confused with a certification, though, as those are not available in the US yet. CJIS has created an outline of what a provider must do to meet a baseline level of compliance across all US states:
- Restrictions are implemented so that users cannot access information they don’t need in order to do their jobs.
- Multi-factor authentication of some kind is used (one-time passwords, phone or email authentication).
- Access to data is limited based on job role, network, location, and time of day.
- A computer that is left unattended automatically logs out after 30 minutes of inactivity.
- Separation is maintained between the virtual and physical servers that store data, and servers reachable from the public internet are separated as well.
- Login attempts are limited to 5 tries; after too many unsuccessful attempts the user is locked out and must contact an administrator.
- Automatically generated logs of events such as logins, password changes, and new user accounts are kept for at least one year.
- Every staff member with access to CJIS data undergoes a criminal background check.
- Employees with access to CJIS data receive frequent training.
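As an added illustration (not from this page or from Ditto Transcripts), here is a small Python gate that enforces the controls both requirement lists describe: a five-attempt lockout that only an administrator can reset, a 30-minute inactivity lock, access decisions based on job role, source network and time of day, and an audit record for every decision. The role names, network ranges, working hours and the use of plain minute counts for time are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
MAX_FAILED_LOGINS = 5   # lockout threshold from the page's requirement list
SESSION_IDLE_LIMIT = 30 # idle minutes before lock; all times here are plain minute counts (constructed)

@dataclass
class User:
    name: str
    role: str
    failed_logins: int = 0
    locked: bool = False

@dataclass
class AccessGate:
    # Hypothetical policy: permitted roles, source networks (CIDR strings) and (start, end) hours.
    allowed_roles: set
    allowed_networks: list
    work_hours: tuple
    audit_log: list = field(default_factory=list)   # one record per decision, kept for review
    def _audit(self, when, user, event, **detail):
        self.audit_log.append({"minute": when, "user": user, "event": event, **detail})

    def login(self, user, password_ok, when):
        if user.locked:
            self._audit(when, user.name, "login_denied", reason="locked")
            return None
        if not password_ok:
            user.failed_logins += 1
            user.locked = user.failed_logins >= MAX_FAILED_LOGINS   # only admin_reset clears this
            self._audit(when, user.name, "login_failed", attempts=user.failed_logins)
            return None
        user.failed_logins = 0
        self._audit(when, user.name, "login_ok")
        return {"user": user, "last_activity": when}

    def access(self, session, src_ip, when):
        user = session["user"]
        if when - session["last_activity"] > SESSION_IDLE_LIMIT:   # 30-minute inactivity lock
            self._audit(when, user.name, "session_expired")
            return False
        session["last_activity"] = when
        in_net = any(ip_address(src_ip) in ip_network(n) for n in self.allowed_networks)
        in_hours = self.work_hours[0] <= (when // 60) % 24 < self.work_hours[1]
        ok = user.role in self.allowed_roles and in_net and in_hours
        self._audit(when, user.name, "access_granted" if ok else "access_denied", ip=src_ip)
        return ok

    def admin_reset(self, user, when):
        user.locked, user.failed_logins = False, 0
        self._audit(when, user.name, "lock_reset_by_admin")
```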
If law enforcement and government agencies are encouraged to share CJIS data, why is it made so difficult to do so? Agencies looking to be compliant have to adopt the 13 policies and be audited by the CJIS division to confirm they have the minimum requirements in place. This can be costly for agencies and time-consuming to implement.
It is so difficult because CJIS data is highly sensitive. Agencies running within a compliant cloud-based system need security measures in place to keep hackers and spies from getting in.
How Ditto Transcripts Complies with CJIS
Ditto Transcripts specializes in law enforcement transcription solutions. Our trained team of law enforcement transcriptionists provides the best in online law enforcement transcription services using high-quality equipment. At Ditto Transcripts, we take the security of all law enforcement transcription seriously and are 100% compliant.
Here is how we comply:
Not just anyone can see stored files. We decide who can access files based on job role, physical location, network address, etc.
Limited Login Attempts
A user is allowed 5 login attempts before being locked out of the account. Once the user is locked out, a manager is needed to reset and allow access again.
Keeping sessions open for long periods gives unauthorized users more time to get in and access information. Our systems sign out automatically after 30 minutes of inactivity.
High Security on Business Facilities
At Ditto Transcripts’ office, we have full surveillance with a security system, cameras, and motion sensors. Tangible files are stored safely in a locked environment. Cloud files are stored in Amazon facilities, which have armed guards and a digital security system of their own.
We keep audit records that contain information needed to understand events that occurred, their sources, and the outcome of events. These records are reviewed weekly. Through audits, we can track who logged in, all actions done, and detect any breaches in the system and where they came from.
Multi-Factor Authentication and Encryption
So that information doesn’t get into the wrong hands, we follow advanced multi-factor authentication requirements. Staff who have access to certain documents must use a one-time password, codes, and facial recognition.
Our staff are all on the same page regarding complete compliance. We frequently train our staff on proper procedures and provide reference documents.
If you have any questions about our compliance with CJIS, please let us know by contacting us using your preferred method or on our Contact Us page. We are a Denver, Colorado-based transcription services provider.