Don’t we all love a policy that requires you to have multiple other policies?
Actually, the CJIS Security Policy may require you to have 20+ policies, policy statements or procedure documentation depending upon your agency’s specific technology implementation and use.
I oversaw the CJIS audits for all CJIS-type agencies in New York, and I’m now out and about performing CJIS ACE Compliance Profiles for different agencies around the nation. From my experience, it is clear that documentation of required policies and procedures is often an afterthought, if a thought at all.
This fact doesn’t surprise me one bit.
Being a former sworn law enforcement officer and always heavily involved with information technology, security and compliance, I totally understand that the mainline business of law enforcement is job number one. Everything else seems to take a backseat on the priority list.
Even if an agency performs a technical requirement every single day to perfection (e.g. media protection), documenting the policy and process often lags behind. Sometimes, this documentation never gets done, leaving the agency OUT OF COMPLIANCE.
I understand this scenario. I lived it and know it well. That being said, having the required local policies and procedures documented does serve a very important purpose beyond just complying with the CJIS Security Policy. I am not going to bore you with the philosophy of the need for policy and procedure documentation, but it does serve a critical role in helping to ensure more complete awareness, consistency and compliance across the criminal justice community.
To help you with your agency’s compliance with the required policies mandated by the CJIS Security Policy, I am offering a copy of the Required Policies/Procedures Checklist to all CJIS ACE Newsletter subscribers for free. All you have to do is ask!
This checklist (of which many state CSOs and ISOs have versions available) extracts and references the sections of the CJIS Security Policy that may require an agency to have a documented policy or process in place in order to be compliant.
Just reply to this email or directly to me at firstname.lastname@example.org and ask for your checklist, and it’ll be on its way.
When you receive this checklist, review the required policies and how they may or may not apply to your agency. Admittedly, some of these can be difficult to draft up. So if you determine that you need assistance, CJIS ACE services are there to help. Just drop me an email or give me a call, and we can discuss your specific need and how our customized (and cost-effective) services can relieve you of these headaches.
Until next time, be safe.
William “Bill” Tatun, CISSP, CISM
Chief Information Security Officer
Diverse Computing Inc.
CJIS ACE is a division of Diverse Computing, Inc. that helps law enforcement, criminal justice, and non-criminal justice agencies as well as companies/organizations that provide criminal justice products and/or services comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help strengthen an organization’s information security profile and comply with any other CJIS-related policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.