Understanding CJIS Compliance Auditing and Accountability
In the previous blog, we discussed the aspects of incident handling and how agencies should be ready in anticipating incidents and reporting them as soon as possible. In this blog, we will understand various aspects of auditing and accountability. It is of vital importance that the individuals with access to Criminal Justice Information (CJI) should conform to prescribed protocols. Agencies hence should exercise appropriate accountability and audit controls to ensure that the authorized users conform to the set rules and regulations. Agencies should also make an assessment of the inventory of the components that make up their information systems in order to determine which security controls are applicable to those components.
Auditing controls need to be applied to mission-critical components such as servers and not necessarily to all the components (e.g. user-level workstations). In view of the advancements in technology, agencies should apply these controls to devices with diverse functionalities such as mobile phones and personal digital assistants that may require enforcing of security controls based on the agency assessed a perceived amount of risk.
Auditable Events and Content (Information Systems)
The information systems of an agency need to generate audit records for predefined events. These events include the process of identifying the important events that need to be audited keeping in view of their relevance to the security of the information system. The agencies also need to specify which information system components would perform auditing activities. Given the fact that the speed of the system is affected by the auditing activity, agencies should consider this aspect while acquiring information systems. The information system of an agency should produce, at an operational level or at an application level, audit records that contain sufficient information to understand the events occurred, their sources and the outcome of the event. These records need to be reviewed periodically and the list of auditable events needs to be updated. In case the agency doesn’t have automated systems, manual recording of the events needs to be done.
The following events need to be logged:
Successful as well as unsuccessful attempts to use
- create permission on a file, user account, directory or any other system resource
- access permission on a file, user account, directory or any other system resource
- change permission on a file, user account, directory or any other system resource
- write permission on a file, user account, directory or any other system resource
- delete permission on a file, user account, directory or any other system resource
Successful and failed attempts to change account passwords
Successful as well as unsuccessful actions by privileged accounts
Successful as well as failed attempts at logging onto a system
Successful and failed attempts by users to
- access audit log files
- modify audit log files
- destroy audit log files
The following content must be included with every audited event
- Date of the event and its time of occurrence
- Information about the component of the information system (either hardware or software) where the event occurred
- Type of the event occurred
- Subject/user identity
- The outcome of the event- either success or failure
Response to Audit Processing Failures
The information system in the agency should be able to alert the appropriate agency officials in the event of an audit processing failure. Typical auditing processing failures include insufficient storage capacity, hardware/software errors and other flaws in audit capturing mechanisms.
Audit Monitoring, Analysis, and Reporting
For the purpose of reporting unusual or inappropriate activity and to investigate suspected violations and suspicious activities, the concerned authority shall appoint an individual who would review and analyze system audit records. This individual or a position would report findings to concerned officials who would take necessary remedial actions. This audit review would be done minimum once every week. Furthermore, based on the position of risk that the agency is in, the frequency of the review/analysis may be increased. Based on the inputs from law enforcement, intelligence, and other trustworthy sources, the audit monitoring and analysis can be increased.
The information system needs to provide time stamps that would be useful in generating audit records. The time stamps should include the time and date values that are generated by internal system clocks. It is to be noted that the clocks need to be synchronized on an annual basis.
Protection of Audit Information
The agency should ensure that the information system should be protected from unauthorized access to audit tools, their modification, and deletion.
Audit Record Retention
The agency must retain audit records for a period of at least one year. After the minimum retention period is passed, the agency may evaluate if the retention of such records is necessary by administrative, audit or legal entities and if no longer needed, they may discard it.
Logging NCIC and III Transactions
Logs shall be maintained for a minimum of one year on all Interstate Identification Index (III) and National Crime Information Center (NCIC) transactions. The III portion of the log should clearly identify both the authorized receiving agency and the operator. It also should identify the secondary recipient and requester as well. The identification on the log should be in the form of a unique identifier that would remain unique to the secondary recipient an individual requester throughout the retention period of one year.
In the next blog, we will discuss the next policy area – Access Control
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our offerings combine products from the leading Cloud providers and are carefully designed to meet the emerging technology requirements of Government agencies and Enterprises. As a Cloud Services Broker, we advise in selecting the right solution, implement, maintain and offer a single source for billing and support of multiple Cloud products. If you are new to the cloud and not sure how to get started, contact us for a complimentary initial assessment at firstname.lastname@example.org or (855) 618-6423.