Understanding CJIS Compliance Configuration Management

Part 7

In the previous blog, we discussed at length the identification and authentication requirements to be followed when accessing Criminal Justice Information (CJI). In this blog, we will focus on CJIS Compliance Configuration Management. The configuration of the information system is of paramount importance, given that any breach of the system may lead to catastrophic loss.

Access Restrictions on Changes

Unwanted changes to the system can be detrimental to its normal functioning and must be avoided. Changes can also affect the overall security of the system. Hence, agencies must treat configuration management as a matter of prime importance and ensure that only authorized and qualified users have access to the components of the information system, and that only those users are allowed to initiate changes, including modifications and upgrades. The previously discussed policy area – Access Control – clearly describes the requirements for agencies with respect to control of restrictions and privileges.

Least Functionality

Providing only the functionality that users need to perform their functions is the best way to keep the information system secure. To ensure this, agencies should configure their services, applications or information systems so that they restrict and/or prohibit access to specific ports, functions, services and/or protocols.

Network Diagram

Agencies should maintain a comprehensive topological drawing of the agency network depicting the interconnectivity between the network of services, criminal justice information, and systems. The network diagram should be updated and kept current. The topological drawing of the network shall incorporate the following aspects:

  1. The logical pattern of all the components of the system, such as routers, firewalls, encryption devices, hubs, switches, computer workstations and servers, should be illustrated. However, the individual clients (workstations) needn’t be shown, and the number of such workstations can be mentioned instead.
  2. All the circuits, communication paths and other components of the system that are used for interconnecting the agency-owned systems, passing through all the interconnected systems to the end-point of the agency system.
  3. The name of the agency and the date (day, month and year) when the drawing was created or updated.
  4. A clear “For Official Use Only” (FOUO) marking.

Security of Configuration Documentation

A document describing the system configuration of the agency’s information system is to be created. It includes sensitive details such as descriptions of data structures, applications, authorization-related processes, procedures and data flow processes, among others. Agencies need to protect this system documentation from unauthorized access, as described in the policy area – Access Control.

This brings us to the end of our look at the importance of CJIS Compliance Configuration Management. In the next blog, we will try to analyze the next policy area – Media Protection.

DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and located in Austin, Texas. We offer products from the leading Cloud providers and these products are carefully designed to meet the emerging technology requirements of Government agencies and Enterprises. As a Cloud Services Broker, we help you in selecting the right solution, we implement, maintain and also offer a single source for billing and support of multiple Cloud products. If you are new to cloud and various cloud products and not sure how to begin, contact us for a complimentary initial assessment at solutions@doublehorn.com or (855) 618-6423.