1 of 36

RECORD MANAGEMENT SYSTEM AND CRIMINAL JUSTICE INFORMATION (CJI) TRAINING

Jim Watson, Information Security Officer

Wyoming Division of Criminal Investigation

2 of 36

INTRODUCTION

  • If your agency uses a Computer Assisted Dispatch (CAD)/Record Management System (RMS) and this system stores FBI CJIS Criminal Justice Information (CJI), there are certain FBI CJIS Security Policy requirements that must be complied with.

3 of 36

INTRODUCTION

  • Even if your CAD/RMS just stores the FBI Number, your agency must comply with all requirements of the FBI CJIS Security Policy.

4 of 36

INTRODUCTION

  • Per a decision by the FBI CJIS Advisory Policy Board (APB), ratified by the FBI Director, the FBI Number alone is not considered Criminal Justice Information (CJI); however, combined with personal information (e.g., name, date of birth, social security number), it is then considered to be CJI.

5 of 36

INTRODUCTION

  • This is based on Title 28 Code of Federal Regulations (CFR), Part 20, Subpart B, Section 20.21(c)(2) which states, “No agency or individual shall confirm the existence or nonexistence of criminal history record information to any person or agency that would not be eligible to receive the information itself.”

6 of 36

BACKGROUND CHECKS

  • The employees of the vendor that provides services to your agency (e.g., Spillman, RIMS, SunGard, EFORCE) must undergo a state of residency and national fingerprint-based background check prior to the granting of access to CJI.

**CJIS Security Policy, Section 5.12.1**

7 of 36

BACKGROUND CHECKS

  • The FBI will not allow fingerprint-based background checks from other states. For instance, if your vendor was fingerprinted in Utah, that background check cannot be used by your agency.

8 of 36

BACKGROUND CHECKS

  • The FBI has granted authority to each CJIS Systems Officer (CSO) to accept fingerprint-based background checks that have been conducted within their jurisdiction.

  • The Wyoming CSO, Jeff Cullen, will allow fingerprint-based background checks conducted within Wyoming; however, requests are granted on a case-by-case basis!

9 of 36

CJIS SECURITY ADDENDUM

  • The employees of your vendor must review and sign a CJIS Security Addendum.

**CJIS Security Policy, Section 5.1.1.5 [A Security Addendum can be found in Appendix H]**

10 of 36

SECURITY AWARENESS TRAINING

  • The employees of the vendor must receive security awareness training within six (6) months of assignment and every year thereafter.

**CJIS Security Policy, Section 5.2**

11 of 36

SECURITY AWARENESS TRAINING

  • Vendors are required to have a security program consistent with federal and state laws, regulations, and standards (including the CJIS Security Policy). So, many vendors will give you certification and/or documentation that their employees have received security awareness training.

  • However, the ultimate responsibility for this training falls upon the agency!

12 of 36

SYSTEM REQUIREMENTS

  • Along with the FBI CJIS Security Policy requirements that your vendor must meet, there are also certain requirements that your agency’s CAD/RMS must meet as well.

13 of 36

UNIQUE USER ID

  • CJIS Security Policy, Section 5.6 states, “each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit.”

14 of 36

PASSWORDS

  • The CJIS Security Policy outlines the following password requirements. Passwords must:

  • Must be a minimum of eight (8) characters in length.
  • Not be a dictionary word or proper name.
  • Not be the same as the User ID.
  • Expire within a maximum of ninety (90) calendar days.
  • Not be identical to the previous ten (10) passwords.
  • Not be transmitted in the clear outside the secure location.
  • Not be displayed when entered.
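The rules above can be enforced at password-change time. The following is an added example (not code from the presentation or from any CAD/RMS vendor) that checks a proposed password against the length, dictionary, User ID and ten-password-history rules and computes the 90-day expiry; the word list and the hashing scheme are assumptions made for illustration.

```python
import datetime as dt
import hashlib

# Constructed stand-in for a real dictionary / proper-name list (assumption).
DICTIONARY = {"password", "welcome", "wyoming", "cheyenne", "watson", "cullen"}

MIN_LENGTH = 8        # minimum of eight (8) characters
MAX_AGE_DAYS = 90     # expire within a maximum of ninety (90) calendar days
HISTORY_DEPTH = 10    # not identical to the previous ten (10) passwords


def _digest(password: str) -> str:
    # History is kept as hashes so previous passwords are never stored in the clear.
    # Plain SHA-256 keeps the example self-contained; a real system should use a
    # slow, salted password hash (assumption about deployment, not from the slides).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(user_id: str, password: str, history: list) -> list:
    """Return the list of policy violations for a proposed password.

    `history` holds digests of earlier passwords, oldest first.
    An empty list means the password is acceptable under these rules.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word or proper name")
    if password.lower() == user_id.lower():
        problems.append("same as the User ID")
    if _digest(password) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def record_password(history: list, password: str) -> list:
    """Append the new password's digest and return the updated history."""
    return history + [_digest(password)]


def password_expired(last_changed: dt.date, today: dt.date) -> bool:
    # "Within a maximum of 90 days" is read here as: must be changed no later
    # than day 90, so day 90 itself counts as expired.
    return (today - last_changed).days >= MAX_AGE_DAYS
```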

15 of 36

SYSTEM USE NOTIFICATION MESSAGE

  • CJIS Security Policy, Section 5.5 states that the system shall display an approved system use notification message before granting access (logon).

  • At a minimum, the notification message must provide the following information:

16 of 36

SYSTEM USE NOTIFICATION MESSAGE

  • The user is accessing a restricted information system.

  • System usage may be monitored, recorded, and subject to audit.

  • Unauthorized use of the system is prohibited and may be subject to criminal and/or civil penalties.

  • Use of the system indicates consent to monitoring and recording.

17 of 36

VALIDATION OF SYSTEM ACCOUNTS

  • CJIS Security Policy, Section 5.5 states, “the agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The agency shall validate information system accounts at least annually and shall document the validation process.”

18 of 36

VALIDATION OF SYSTEM ACCOUNTS

  • This means access is granted only on the basis of:

1. Valid need-to-know/need-to-share that is determined by assigned official duties.

2. Satisfaction of all personnel security criteria.

The agency responsible for account creation shall be notified when:

1. A user’s information system usage or need-to-know or need-to-share changes.

2. A user is terminated or transferred or associated accounts are removed, disabled, or otherwise secured.

19 of 36

VALIDATION OF SYSTEM ACCOUNTS

  • This means (in plain English):

  • At least once a year you need to go into your CAD/RMS and make sure that all of your system users’ information is accurate and up-to-date.

  • The users in the system still need access and their access level is accurate.

  • Make any appropriate changes.

  • Don’t forget to document this!

20 of 36

EVENT LOGGING

  • CJIS Security Policy, Section 5.4 states, “the agency’s information system shall generate audit records for defined events. The agency’s information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.”

21 of 36

EVENT LOGGING

  • The following events shall be logged:

1. Successful and unsuccessful system log-on attempts.

2. Successful and unsuccessful attempts to use:

a. access permission on a user account, file, directory or other system resource;

b. create permission on a user account, file, directory or other system resource;

c. write permission on a user account, file, directory or other system resource;

d. delete permission on a user account, file, directory or other system resource;

e. change permission on a user account, file, directory or other system resource.

22 of 36

EVENT LOGGING

3. Successful and unsuccessful attempts to change account passwords.

4. Successful and unsuccessful actions by privileged accounts.

5. Successful and unsuccessful attempts for users to:

a. access the audit log file;

b. modify the audit log file;

c. destroy the audit log file.

The agency shall retain audit records for at least one (1) year.

23 of 36

EVENT LOGGING

  • The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week.
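To make the logging and weekly-review requirements above concrete, here is an added example (not code from the presentation or from any CAD/RMS product) that parses constructed audit records, rejects records that cannot establish what happened, who caused it and the outcome, and flags the items a weekly reviewer should look at: repeated failed log-ons and any access, modify or delete attempt on the audit log file. The pipe-delimited record format and the five-failure threshold are assumptions.

```python
import datetime as dt
from collections import Counter

# Constructed sample audit records (assumed format, not any real RMS export):
# timestamp|source user|event|target|outcome
SAMPLE_LOG = """\
2019-03-04T08:01:10|jdoe|logon|rms|success
2019-03-04T08:02:33|mroe|logon|rms|failure
2019-03-04T08:02:41|mroe|logon|rms|failure
2019-03-04T08:02:55|mroe|logon|rms|failure
2019-03-04T08:02:59|mroe|logon|rms|failure
2019-03-04T08:03:05|mroe|logon|rms|failure
2019-03-04T09:15:00|jdoe|read|incident/2019-0042|success
2019-03-04T09:20:12|admin|password_change|user:jdoe|success
2019-03-05T22:40:07|jdoe|delete|audit.log|failure
2019-03-05T23:05:19|admin|modify|audit.log|success
"""

FIELDS = ("ts", "user", "event", "target", "outcome")
AUDIT_LOG_NAME = "audit.log"          # assumed name of the audit log file
FAILED_LOGON_THRESHOLD = 5            # assumed review threshold per user per week


def parse(text: str):
    """Split records into (usable, malformed).

    A record missing the source, event or outcome cannot satisfy Section 5.4,
    so it is reported separately instead of being silently dropped.
    """
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS) or "" in parts:
            malformed.append(line)
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = dt.datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, malformed


def weekly_review(records, week_end: dt.datetime) -> list:
    """Return review flags for the seven days ending at week_end."""
    week_start = week_end - dt.timedelta(days=7)
    week = [r for r in records if week_start < r["ts"] <= week_end]
    flags = []
    failed = Counter(r["user"] for r in week
                     if r["event"] == "logon" and r["outcome"] == "failure")
    for user, n in sorted(failed.items()):
        if n >= FAILED_LOGON_THRESHOLD:
            flags.append(f"{n} failed logons for {user}")
    for r in week:  # every touch of the audit log itself is reviewable (item 5)
        if r["target"] == AUDIT_LOG_NAME:
            flags.append(f"{r['event']} on audit log by {r['user']} ({r['outcome']})")
    return flags
```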

24 of 36

ENCRYPTION

  • CJIS Security Policy, Section 5.10 states, “when CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via cryptographic mechanisms (encryption).”

  • In other words, this applies to a Mobile Data Terminal (MDT) in a patrol car, a tablet (iPad, etc.) or a smartphone.

  • It also applies to information sent from your CAD/RMS to the courthouse.

25 of 36

ENCRYPTION

  • When encryption is employed, the cryptographic module used shall be certified to meet National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2 standards.

26 of 36

ENCRYPTION

  • Your vendor should be able to provide you with the FIPS 140-2 Security Validation Certificate to show that the encryption module in their application is compliant with the CJIS Security Policy.

  • A Security Validation Certificate looks like this:

27 of 36

ENCRYPTION

  • [Image: sample FIPS 140-2 Security Validation Certificate; not reproduced in text]

28 of 36

ENCRYPTION

  • [Image: sample FIPS 140-2 Security Validation Certificate, continued; not reproduced in text]
29 of 36

ENCRYPTION

  • Again, your vendor should be able to supply you with this document. If they cannot, then they are not compliant.

  • Also, if you need assistance please contact Jim Watson or Jeff Cullen.

30 of 36

ADVANCED AUTHENTICATION (AA)

  • CJIS Security Policy, Section 5.6 states, “AA shall not be required for users requesting access to CJI from within the perimeter of a physically secure location.”

  • A police vehicle is now and forever (I Hope!!!) defined as a physically secure location.

31 of 36

ADVANCED AUTHENTICATION (AA)

  • To put it in plain English, AA is basically something you have (a unique User ID), something you know (a password or a PIN), plus something else (a token).

  • Some examples of when AA is not required and when it is required are:

32 of 36

ADVANCED AUTHENTICATION (AA)

  • An officer on a traffic stop runs the vehicle operator for driver’s license, wants, warrants, etc. from the MDT mounted in his/her police vehicle.

  • AA is not required. A police vehicle is considered a physically secure location as defined in the CJIS Security Policy, Section 5.9.

33 of 36

ADVANCED AUTHENTICATION (AA)

  • An officer responds to a homicide scene, exits the police vehicle with the mobile device and runs a query on the deceased.

  • AA is required. The request for access to CJI is now originating from outside the perimeter of a physically secure location.

34 of 36

ADVANCED AUTHENTICATION (AA)

  • AA can be very confusing and frustrating. It is recommended that you review Section 5.6 in its entirety. That section contains AA use cases and a decision tree that may assist you.

  • Of course, you may feel free to contact Jim Watson or Jeff Cullen.

35 of 36

MOBILE DEVICE MANAGEMENT (MDM)

  • CJIS Security Policy, Section 5.13 outlines the requirements for all Mobile Devices accessing CJI.

  • If your agency is using cell/smart phones and/or tablets (e.g., iPad), certain controls must be implemented. These controls are discussed in Section 5.13.

36 of 36

QUESTIONS???

  • Contact information:

  • Jeff Cullen, Control Terminal Supervisor: 307-777-7524 or jeff.cullen@wyo.gov

  • Jim Watson, Information Security Officer: 307-777-7545 or jimmy.watson@wyo.gov