top of page

Bill Tatun

May 23, 2014

Which of the 20+ Policy/Documentation Requirements of the CJIS Security Policy Do You Have?

Don’t we all love a policy that requires you to have multiple other policies?

Actually, the CJIS Security Policy may require you to have 20+ policies, policy statements or procedure documentation depending upon your agency’s specific technology implementation and use.

I oversaw the CJIS audits for all CJIS-type agencies in New York, and I’m now out and about performing CJIS ACE Compliance Profiles for different agencies around the nation. From my experience, it is clear that documentation of required policies and procedures is often an afterthought, if a thought at all.

This fact doesn’t surprise me one bit.

Being a former sworn law enforcement officer and always heavily involved with information technology, security and compliance, I totally understand that the mainline business of law enforcement is job number one. Everything else seems to take a backseat on the priority list.

Even if an agency performs a technical requirement every single day to perfection (e.g. media protection), documenting the policy and process often lags behind. Sometimes, this documentation never gets done — resulting in being OUT OF COMPLIANCE.

I understand this scenario. I lived it and know it well. That being said, having the required local policies and procedures documented does serve a very important purpose beyond just complying with the CJIS Security Policy. I am not going to bore you with the philosophy of the need for policy and procedure documentation, but it does serve a critical role in helping to ensure more complete awareness, consistency and compliance across the criminal justice community.

To help you with your agency’s compliance with the required policies mandated by the CJIS Security Policy, I am offering a copy of the Required Policies/Procedures Checklist to all CJIS ACE Newsletter subscribers for free.  All you have to do is ask!

This checklist (of which many state CSOs and ISOs have versions available) extracts and references the sections of the CJIS Security Policy that may require an agency to have a documented policy or process in place in order to be compliant.

Just reply to this email or directly to me at and ask for your checklist, and it’ll be on its way.

When you receive this checklist, review the required policies and how they may or may not apply to your agency. Admittedly, some of these can be difficult to draft up. So if you determine that you need assistance, CJIS ACE services are there to help. Just drop me an email or give me a call, and we can discuss your specific needs and how our customized (and cost-effective) services can relieve you of these headaches.

Until next time, be safe.

bottom of page