Do You Validate?
Some of you may not be into the NCIC (National Crime Information Center) side of the business. An integral part of entering records into NCIC is the validation process. I mention that because I go way back with validations. One of my duties as an NCIC/FCIC (FCIC – Florida) compliance auditor (cue the catcalls, boos, and hisses) was checking if agencies were doing their record validations.
And now validations have come to the world of the CJIS Security Policy. Actually it ain’t that new.
Those words, “The agency shall validate information system accounts at least annually and shall document the validation process,” (CSP Section 5.5.1) have been around since version 5.0 hit the streets back in February 2011. If you do the math, that’s six and a half years ago.
Validations in the NCIC world are essentially based on two things: 1) is the information correct and 2) is the person still wanted or missing (among other things), or is the property still stolen.
It’s kinda the same thing for the CSP.
In the world of CSP Section 5.5.1, first thing we gotta do is determine what needs to be validated. The quick and dirty answer — if it contains CJI, it’ll need to be validated. The quick list includes, but is not limited to, NCIC interface software/apps (like DCI’s eAgent), record management systems (RMS), jail management systems (JMS), and computer aided dispatch (CAD). Let me stress that this is not an all-inclusive list.
Make sure you “look” everywhere. I don’t know how many times I’ve asked IT folks about a given program or application, and they’ve told me “there’s no CJI in that” — only to turn and ask the same question to an operational user and have them respond “Oh yeah, we put CJI in there all the time.” You need to ask folks who use the apps, especially if you are a mid-to-large sized agency.
By the way, this inventory of CJI apps and programs will also come in handy for requirements in CSP Sections 5.4 and 220.127.116.11 (I ain’t gonna tell you what those sections are about in this newsletter, you gotta go find out if you want to know).
So now that you know what systems need to have their “information system accounts” validated, what do you do?
When validating accounts you need to look at a number of things. So let’s start with the fundamental question for validating user accounts — does the person still work for your agency? If they don’t work for you, then their account needs to be deactivated; that’s an easy one. An individual who has moved on from your agency may still need to access CJI, but that is now the responsibility of their new agency.
Next up is the issue of whether they still need access to the application/service. People move around in agencies and companies. New jobs may be such that an individual doesn’t need access to the information that they needed in their previous position.
If a person has changed jobs, and even if they haven’t, you should talk to their supervisor about continued access to complete their assigned tasks. The supervisor should know what their folks need in order to do their jobs.
And finally, you should ask whether the individual needs the same level of access. As before, things change. Whether in the same position or a new one, there’s a possibility that the person may no longer need the same “access level” (those are my words, you won’t find “access level” in the CSP.)
Next up is documentation. How to document should not be difficult; I suggest a spreadsheet (hey you big agencies, remember a spreadsheet is an extremely low-level database, hint hint).
Harkening back to my audit days, when it came to validations, I wanted to see 1) what was done, 2) when it was done, and 3) who “done” it.
A spreadsheet is great for that kinda stuff. You can put folks’ names in one column, an acknowledgement of employment in another, an acknowledgement of continued access in the next, an acknowledgement of access level in the next (this can include what change(s) if needed), the date the process was completed, and who did the validation. You can also add tabs for multiple CJI systems.
You may be asking “why would I need multiple tabs?” — couple of reasons. First, if you have multiple CJI systems/apps, you’re gonna need to validate the folks using each one. You may want to have a separate tab for each.
Second, because the auditors only come around once every three years. You’re supposed to do this annually and keep records. If you can’t show records for the last three years, the auditor is probably gonna write you up.
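Here is an added example, not from the newsletter or from any agency's actual process, of what that spreadsheet can look like when you let a script build it. It walks the three questions above for every account (still employed? still needs the system? still needs the same level?), writes one CSV "tab" per CJI system with the what/when/who columns, and runs the "did you do it every year for the last three years" check an auditor would ask for. The systems, user names, HR roster and supervisor decisions are constructed sample data; the attestation format and the function names are my own assumptions.

```python
"""Annual information-system account validation in the spirit of CSP 5.5.1.

Added example, not the newsletter's own process. It assumes you can export
the account list from each CJI system and get an HR roster plus a supervisor
decision for each account. All data below is constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed sample data: accounts exported from two CJI systems.
ACCOUNTS = [
    {"system": "RMS", "user": "jdoe", "role": "full_query"},
    {"system": "RMS", "user": "asmith", "role": "read_only"},
    {"system": "RMS", "user": "cwhite", "role": "read_only"},
    {"system": "CAD", "user": "jdoe", "role": "dispatcher"},
    {"system": "CAD", "user": "bjones", "role": "dispatcher"},
]

# Constructed HR roster: everyone who still works for the agency.
EMPLOYED = {"jdoe", "asmith", "cwhite"}

# Constructed supervisor attestations, keyed by (system, user). Format is an
# assumption: "keep" = same access, "remove" = no longer needs this system,
# "reduce:<role>" = still needs the system but at a lower level.
ATTESTATIONS = {
    ("RMS", "jdoe"): "keep",
    ("RMS", "asmith"): "remove",
    ("CAD", "jdoe"): "reduce:read_only",
}

FIELDS = ["system", "user", "current_role", "employed", "action",
          "new_role", "validated_on", "validated_by"]


def validate_accounts(accounts, employed, attestations, validator, today):
    """Return one validation record per account: what was decided, when, and by whom."""
    records = []
    for acct in accounts:
        rec = {
            "system": acct["system"], "user": acct["user"],
            "current_role": acct["role"],
            "employed": acct["user"] in employed,
            "validated_on": today.isoformat(),
            "validated_by": validator,
        }
        if not rec["employed"]:
            # Question 1: no longer works here, so the account goes away.
            rec["action"], rec["new_role"] = "deactivate", ""
        else:
            decision = attestations.get((acct["system"], acct["user"]))
            if decision is None:
                # Questions 2 and 3 need the supervisor; validation is not done yet.
                rec["action"], rec["new_role"] = "pending_supervisor", acct["role"]
            elif decision == "keep":
                rec["action"], rec["new_role"] = "keep", acct["role"]
            elif decision == "remove":
                rec["action"], rec["new_role"] = "deactivate", ""
            elif decision.startswith("reduce:"):
                rec["action"], rec["new_role"] = "change_level", decision.split(":", 1)[1]
            else:
                raise ValueError(f"unknown attestation {decision!r} for {acct}")
        records.append(rec)
    return records


def to_csv_tabs(records):
    """Group records into one CSV text per CJI system (one 'tab' per system)."""
    tabs = {}
    for rec in records:
        tabs.setdefault(rec["system"], []).append(rec)
    out = {}
    for system, recs in tabs.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(recs)
        out[system] = buf.getvalue()
    return out


def missing_validation_years(completed_dates, today, lookback_years=3):
    """Auditor check: list calendar years in the lookback window with no completed
    validation. (Simplification: 'annually' is treated as once per calendar year.)"""
    done = {d.year for d in completed_dates}
    window = range(today.year - lookback_years + 1, today.year + 1)
    return [year for year in window if year not in done]


if __name__ == "__main__":
    recs = validate_accounts(ACCOUNTS, EMPLOYED, ATTESTATIONS, "TAC J. Public", date(2017, 8, 1))
    for system, text in to_csv_tabs(recs).items():
        print(f"--- {system} ---\n{text}")
    print("years missing a validation:",
          missing_validation_years([date(2015, 9, 1), date(2017, 8, 1)], date(2017, 8, 1)))
```

Run it and you get one CSV per system with a row per account, ready to paste into the spreadsheet; a `pending_supervisor` row is your reminder that the validation is not finished until the supervisor has answered, and the year check tells you before the auditor does that a year is missing.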
Of course the question for large agencies is “does one person have to validate all accounts?” That’s an agency call. The auditors want to see that it was done, and who completed the task.
Validations are not a new thing, but they are good security: they ensure that only people with a need have access to the CJI system.
Y’all take care.