CJIS Compliance and Video Security – What You Need to Know
November 05, 2021
Many CJIS-compliant organizations wonder how video surveillance fits into their security policies. Security cameras help criminal justice organizations secure their facilities and protect employees. However, it’s crucial to maintain CJIS compliance to protect Criminal Justice Information (CJI) while using a video security solution.
In this article, you’ll learn how to use security cameras in a CJIS-compliant way, and how you can use video surveillance to strengthen overall CJIS compliance throughout your entire organization.
What is CJIS Compliance?
CJIS stands for Criminal Justice Information Services. It was established in 1992 by the Federal Bureau of Investigation (FBI). Serving as the largest division in the FBI, CJIS’s goal is to provide tools and services to law enforcement, national security community partners, and the public.
To be CJIS compliant means adhering to specific standards set by criminal justice and law enforcement (at local, state, and federal levels) for securing CJI data. The CJIS Security Policy outlines these standards for protecting the sources, transmission, storage, and generation of CJI. This policy contains 13 areas in which organizations must be familiar to meet the compliance requirements.
What kinds of data does CJIS cover?
CJIS pertains to Criminal Justice Information, also referred to as "CJI". This includes data that can be used for background checks, criminal investigations, and for statistical analysis of criminal data. In other words, CJIS contains information that helps fight crime and protect the general public.
It's crucial that this type of data is kept very secure, and that access is monitored closely. Compromised or inaccurate data could lead to mistakes when making critical decisions. For this reason, the CJIS Security Policy outlines standard methods to secure this information and make it nearly impossible to hack.
How Does CJIS Compliance Pertain to Video Security?
There are two aspects to consider when it comes to CJIS compliance and video surveillance:
- Using video surveillance as a tool to improve overall CJIS compliance
- Making sure your video surveillance setup itself is CJIS compliant
How do you ensure video surveillance is CJIS compliant?
Many law enforcement and government agencies use video surveillance as part of their physical security solution. By following the guidelines established in the CJIS security policy, organizations can confidently use security cameras in full accordance with CJIS regulations.
These best practices will help you stay within compliance:
Follow the ‘Reasonable Expectation of Privacy’ Rule: In general, security cameras are not allowed in areas where people have a “reasonable expectation of privacy”. Make sure you only place cameras in ‘public’ areas and not in areas where people expect privacy, such as bathrooms or changing rooms.
Audit Camera Placement: Identify any cameras that have access to CJI. This includes both physical spaces and cameras that have a view of computer screens that may display CJI.
Footage from these surveillance cameras must be tightly controlled to protect sensitive information. You can accomplish this by limiting who has access to video footage, and by using a video security system that has configurable privacy masks—the ability to black out a piece of video, such as a computer monitor.
Restrict Access to Video Surveillance System: Have strict access control into the system so that you know exactly who logs in and when. If you use dedicated Viewing Stations or Monitors, don’t place them in public areas. Make sure camera footage can only be viewed in restricted areas by authorized personnel.
Use Permissions-Based Role Management: Use a platform that allows you to customize system access levels for different users. Control access to CJI by sharing and restricting access to different cameras on an individual or role-based basis. For example, you may want to give a receptionist access to a lobby camera, but not interior cameras.
Choose a Video Security System with Documented Security Practices: Choose a system that leverages strong security safeguards like end-to-end encryption, audit logs of all system access, and regular 3rd party security audits to check for potential system vulnerabilities. You can review some of Rhombus' security practices here and here.
How do video security cameras improve overall compliance with CJIS Security Policy?
CJIS policies require that you protect CJI in multiple ways. The basic ideas of these policies is that you must maintain security by restricting physical and digital access to CJI, and accountability by keeping records of who does access CJI and performing regular audits.
The following section outlines the thirteen CJIS policies that expand and clarify these basic goals.
Surveillance cameras can help meet and exceed these expectations of security and accountability around CJI. Video surveillance can be used as a tool to be CJIS compliant through means such as access control verification, alert response, and auditing. Cameras improve accountability by creating a visual record of facility access and physical CJI access. When combined with tools like facial recognition and automatic alerts, security cameras can even be a proactive tool for preventing breaches and improper access.
13 Policies Required for CJIS Compliance
These policies are required to meet CJIS compliance:
Information Exchange Agreements
The information exchange agreements outline the roles, responsibilities, and data ownership between internal entities and any outside parties. Maintaining compliance means to first and foremost ensure the method of exchanging this sensitive data is done in such a way that it meets the CJIS security standards.
Security Awareness Training
CJI requires extra care while handling, therefore a precedent of keeping this information secure is vital. Users who access CJI need to be aware of the expected behavior when accessing CJI. There are four levels of security training needed to access CJI ranging from knowing who can access what physical spaces containing CJI to properly securing personal computers and network protection against attacks.
Attacks happen and knowing how to respond to them when they inevitably come knocking is crucial. Exposure to these scenarios and procedures set in place are mandatory to maintain CJIS compliance.
Auditing and Accountability
Implementation of audit and accountability controls to verify authorized users accessing content are needed. Auditing tools should be applied to the information system that provide auditing capability (servers, etc.) and would not necessarily be applied to every user’s machine. Logging of successful and unsuccessful file access and login attempts must be tracked along with audit monitoring/reporting/analysis, response, and time stamps of events.
Controlling who can access what is great to stop events before they have a chance to happen. CJIS compliance requires one to have proper access enforcement in place for granting access to those who need it. This ranges from physical access to remote access to digital access of CJI material.
Identification and Authentication
Everyone who is authorized to work with CJI needs to be uniquely identifiable. This unique identification can be a full name, badge number, serial number, or other unique alphanumeric identifier. Authentication methods also need to be in place in the form of complex passwords, personal identification numbers, one-time passwords, smart cards, and software/hardware tokens.
Changes to the hardware, software, and/or firmware components of information systems can affect the overall security of CJI. That is why those that are qualified to access these information system components for purposes of updating them must be cleared to do so.
Protecting of digital and physical media is necessary while dealing with CJI. Being familiar with best practices of media storage, access, transport, and disposal are needed to handle CJI.
Just like media protection, physical protection of hardware and devices holding CJI is just as important. Access control and monitoring standards set by CJIS can help not only meet compliance but prevent attacks and incorrect handling of CJI.
Systems and Communication Protection and Information Integrity
Entities handling CJI need to have safeguards in place for systems and communication methods so that they are protected from unauthorized access. Implementation of perimeter security solutions such as anti-virus software, firewalls and Intrusion Prevention Systems (IPS) is highly recommended. Ensuring that all CJI is encrypted, both at rest and in transit is vital to maintain compliance. An example of some of these measures are the use of 128-bit encryption, use of virtual machines, and partitioning user functionality through use of separate computers instances of operating systems.
Formal security audits will be done regularly to entities accessing/procuring CJI to verify they are adhering to the CJIS security standards. These audits happen once every three years.
Anyone who will be granted access to CJI, must undergo an intense screening process. A part of this process involves a national fingerprint-based record check.
Mobile devices are prone to many different attacks due to their nature, so it makes sense to have precautions in place to protect them while dealing with CJI. Monitoring, and controlling wireless access to the information system is not only vital to the protection of CJI but crucial since wireless technologies enable one or more devices to communicate without physical connection. Users need to be required to ensure their devices are password protected and install Mobile Device Management (MDM) software. Remote wiping software, and the use of device locator service for situations when devices are lost or stolen. Virtual Private Network (VPN) should be used when devices are accessing the internet through unsecured networks to ensure that all CJI data is secured.
Surveillance cameras are a helpful tool that many government and legal organizations use to secure their facilities and protect CJI. By following several best practices, it’s easy to use security cameras in a CJIS-compliant way to increase your organization’s safety and visibility.
CJIS compliance can be complicated, and Rhombus often addresses questions among prospects about video surveillance, security cameras, and CJIS regulations. Rhombus has worked with numerous law enforcement organizations that use cloud security cameras as part of their compliance strategy and hopes to aid anyone considering the use of security cameras in their organization.