Many CJIS-compliant organizations wonder how video surveillance fits into their security policies. Security cameras help criminal justice organizations secure their facilities and protect employees. However, it’s crucial to maintain CJIS compliance to protect Criminal Justice Information (CJI) while using a video security solution.
In this article, you’ll learn how to use security cameras in a CJIS-compliant way, and how you can use video surveillance to strengthen overall CJIS compliance throughout your entire organization.
CJIS stands for Criminal Justice Information Services. It was established in 1992 by the Federal Bureau of Investigation (FBI). Serving as the largest division in the FBI, CJIS’s goal is to provide tools and services to law enforcement, national security community partners, and the public.
To be CJIS compliant means adhering to specific standards set by criminal justice and law enforcement (at local, state, and federal levels) for securing CJI data. The CJIS Security Policy outlines these standards for protecting the sources, transmission, storage, and generation of CJI. This policy contains 13 areas in which organizations must be familiar to meet the compliance requirements.
CJIS pertains to Criminal Justice Information, also referred to as "CJI". This includes data that can be used for background checks, criminal investigations, and for statistical analysis of criminal data. In other words, CJIS contains information that helps fight crime and protect the general public.
It's crucial that this type of data is kept very secure, and that access is monitored closely. Compromised or inaccurate data could lead to mistakes when making critical decisions. For this reason, the CJIS Security Policy outlines standard methods to secure this information and make it nearly impossible to hack.
There are two aspects to consider when it comes to CJIS compliance and video surveillance:
Many law enforcement and government agencies use video surveillance as part of their physical security solution. By following the guidelines established in the CJIS security policy, organizations can confidently use security cameras in full accordance with CJIS regulations.
These best practices will help you stay within compliance:
Audit Camera Placement: Identify any cameras that have access to CJI. This includes both physical spaces and cameras that have a view of computer screens that may display CJI.
Footage from these surveillance cameras must be tightly controlled to protect sensitive information. You can accomplish this by limiting who has access to video footage, and by using a video security system that has configurable privacy masks—the ability to black out a piece of video, such as a computer monitor.
CJIS policies require that you protect CJI in multiple ways. The basic ideas of these policies is that you must maintain security by restricting physical and digital access to CJI, and accountability by keeping records of who does access CJI and performing regular audits.
The following section outlines the thirteen CJIS policies that expand and clarify these basic goals.
Surveillance cameras can help meet and exceed these expectations of security and accountability around CJI. Video surveillance can be used as a tool to be CJIS compliant through means such as access control verification, alert response, and auditing. Cameras improve accountability by creating a visual record of facility access and physical CJI access. When combined with tools like facial recognition and automatic alerts, security cameras can even be a proactive tool for preventing breaches and improper access.
These policies are required to meet CJIS compliance:
The information exchange agreements outline the roles, responsibilities, and data ownership between internal entities and any outside parties. Maintaining compliance means to first and foremost ensure the method of exchanging this sensitive data is done in such a way that it meets the CJIS security standards.
CJI requires extra care while handling, therefore a precedent of keeping this information secure is vital. Users who access CJI need to be aware of the expected behavior when accessing CJI. There are four levels of security training needed to access CJI ranging from knowing who can access what physical spaces containing CJI to properly securing personal computers and network protection against attacks.
Attacks happen and knowing how to respond to them when they inevitably come knocking is crucial. Exposure to these scenarios and procedures set in place are mandatory to maintain CJIS compliance.
Implementation of audit and accountability controls to verify authorized users accessing content are needed. Auditing tools should be applied to the information system that provide auditing capability (servers, etc.) and would not necessarily be applied to every user’s machine. Logging of successful and unsuccessful file access and login attempts must be tracked along with audit monitoring/reporting/analysis, response, and time stamps of events.
Controlling who can access what is great to stop events before they have a chance to happen. CJIS compliance requires one to have proper access enforcement in place for granting access to those who need it. This ranges from physical access to remote access to digital access of CJI material.
Everyone who is authorized to work with CJI needs to be uniquely identifiable. This unique identification can be a full name, badge number, serial number, or other unique alphanumeric identifier. Authentication methods also need to be in place in the form of complex passwords, personal identification numbers, one-time passwords, smart cards, and software/hardware tokens.
Changes to the hardware, software, and/or firmware components of information systems can affect the overall security of CJI. That is why those that are qualified to access these information system components for purposes of updating them must be cleared to do so.
Protecting of digital and physical media is necessary while dealing with CJI. Being familiar with best practices of media storage, access, transport, and disposal are needed to handle CJI.
Just like media protection, physical protection of hardware and devices holding CJI is just as important. Access control and monitoring standards set by CJIS can help not only meet compliance but prevent attacks and incorrect handling of CJI.
Entities handling CJI need to have safeguards in place for systems and communication methods so that they are protected from unauthorized access. Implementation of perimeter security solutions such as anti-virus software, firewalls and Intrusion Prevention Systems (IPS) is highly recommended. Ensuring that all CJI is encrypted, both at rest and in transit is vital to maintain compliance. An example of some of these measures are the use of 128-bit encryption, use of virtual machines, and partitioning user functionality through use of separate computers instances of operating systems.
Formal security audits will be done regularly to entities accessing/procuring CJI to verify they are adhering to the CJIS security standards. These audits happen once every three years.
Anyone who will be granted access to CJI, must undergo an intense screening process. A part of this process involves a national fingerprint-based record check.
Mobile devices are prone to many different attacks due to their nature, so it makes sense to have precautions in place to protect them while dealing with CJI. Monitoring, and controlling wireless access to the information system is not only vital to the protection of CJI but crucial since wireless technologies enable one or more devices to communicate without physical connection. Users need to be required to ensure their devices are password protected and install Mobile Device Management (MDM) software. Remote wiping software, and the use of device locator service for situations when devices are lost or stolen. Virtual Private Network (VPN) should be used when devices are accessing the internet through unsecured networks to ensure that all CJI data is secured.
Surveillance cameras are a helpful tool that many government and legal organizations use to secure their facilities and protect CJI. By following several best practices, it’s easy to use security cameras in a CJIS-compliant way to increase your organization’s safety and visibility.
CJIS compliance can be complicated, and Rhombus often addresses questions among prospects about video surveillance, security cameras, and CJIS regulations. Rhombus has worked with numerous law enforcement organizations that use cloud security cameras as part of their compliance strategy and hopes to aid anyone considering the use of security cameras in their organization.
Initially introduced in 2020, Cybersecurity Maturity Model Certification (CMMC) establishes cybersecurity standards for defense contractors who handle sensitive information. It affects all contractors who perform work for the Department of Defense (DoD) in the United States. In this blog, we’ll look at CMMC, how it pertains to video security cameras, and how you can use video surveillance to strengthen overall security compliance throughout your organization.
NIST represents a high standard of cybersecurity and data privacy that all organizations should aspire to. For federal agencies in the United States, NIST compliance is required. Organizations that require NIST compliance may wonder how video surveillance fits into their security strategy. In this blog, we’ll look at NIST, how it pertains to video security cameras, and how you can use video surveillance to strengthen overall security compliance throughout your entire organization.
As workers return to the office in the midst of Omicron, staying safe in the workplace is top of mind for employers and employees alike. To create a safer work environment, organizations need to develop and follow COVID-19 workplace policies. The CDC recommends that businesses start by “identifying where and how workers might be exposed to COVID-19 at work”. But how do you identify and assess these health risks at your workplace? In this article, we’ll discuss how smart physical security tools can help you.