Understanding CJIS Compliance Security Awareness Training

In the previous blog on information exchange agreements, we explored various use cases in which agencies need to sign agreements governing the exchange of Criminal Justice Information (CJI). In this blog, we focus on the security awareness training required for personnel who access CJI. Basic security awareness training must be given to everyone who accesses CJI data. It must be completed within six months of initial assessment and repeated at least once every two years. A Special Intelligence Bureau (SIB) chief or a CJIS Systems Officer (SIB/CSO) may accept documentation of completed security training from another agency. By accepting that documentation, the accepting agency assumes the risk that the training may not meet all requirements of federal, state or local law.

Awareness Topics

An awareness campaign or session can cover many topics. To facilitate the development and implementation of individual agency security awareness programs, the guidelines below will be useful.

All Personnel

As a minimum requirement, the topics listed below must be addressed in the basic security awareness program for all authorized personnel who have access to Criminal Justice Information.

  1. General rules, responsibilities and required behavior with respect to the usage of CJI
  2. Who to contact in case of an incident and the actions that need to be taken
  3. Protection of media
  4. Implications of non-compliance with rules and regulations
  5. Protection of information subject to confidentiality
  6. Physical access to spaces and visitor control, including the applicable security policies and the reporting required in case of unauthorized access
  7. Social engineering
  8. Risks, threats and vulnerabilities associated with handling CJI
  9. Proper marking and handling of CJI
  10. Matters relating to dissemination and destruction of information

Personnel with logical and physical access

In addition to the basic guidelines above, people with physical and logical access need to understand and follow the following guidelines.

  1. General rules that outline the responsibilities and behavior related to the usage of information systems
  2. Creation, usage and management of passwords
  3. Web usage – monitoring of user activity and prohibited sites
  4. Spam
  5. Specifics related to unknown attachments and emails
  6. Physical security: risks related to systems and data
  7. Protection against Trojans, viruses, malicious code and other malware
  8. Use of encryption techniques for transferring sensitive information over the Internet
  9. Issues related to access control
  10. Both information security and physical security of laptops and their usage
  11. Issues associated with handheld devices and desktops
  12. Individual accountability, including an explanation of what it means to the agency
  13. Whether personally owned equipment is permitted by the agency or the state
  14. Specifics related to information security and confidential items: their usage, backup, archiving and destruction once they are no longer needed

Personnel with Information Technology Roles

Additionally, people in information technology roles must follow a few further guidelines, listed below.

  1. Measures taken to protect the network infrastructure
  2. Access control measures
  3. Backup and storage of data, and whether the approach is centralized or decentralized
  4. Protection of systems and information from Trojans, worms and viruses, including scanning and updating of virus definitions
  5. Application and system patches, which need to be applied as part of configuration management

Security Training Records

Records of individual security awareness training, as well as of specific information system security training, must be documented. These records are to be maintained by the SIB/CSO/Compact Officer, though maintenance of training records may also be delegated to local bodies.

In the next blog, we will discuss the next policy area which is Incident Response.

DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our solutions combine products from the leading Cloud providers and are carefully crafted to meet your requirements. As a trusted advisor, we help you choose the right solution, implement it and maintain it, drawing on our decade-old expertise as a Cloud Services Provider. If you are new to the cloud and not sure how to get started, contact us for a complimentary initial assessment at solutions@doublehorn.com or (855) 618-6423.
