Law enforcement agencies, no matter how big or small, are at risk of a cyber attack. Smaller agencies are especially attractive targets as they tend to be less well secured, providing a front door for a nation-state actor to gain access to a huge range of data – from FBI data to other federal, state and local information shared across public safety agencies in the US. The Criminal Justice Information Services (CJIS) Security Policy sets minimum security requirements for any organization accessing, transmitting or creating criminal justice information (CJI). Being CJIS compliant is vital, and it’s not something organizations can afford to ignore. The increasing sophistication of cyber threats means that the issue is now more prevalent than ever, and updates to the CJIS Security Policy now mean that all data in motion must be encrypted.
It is clear to see that if an agency isn’t CJIS compliant, it can put law enforcement officers and the public at significant risk.
What data is at risk?
Imagine the data passing through various areas of an agency’s network every minute and you can see how much data there would be for a hacker to be able to exploit. From biometric data to passport numbers and other identity data, through to files and files of case/incident history, an enormous amount of sensitive data is transferred between judicial agencies each day. Without the correct security measures in place that would meet the CJIS Security Policy requirements, this sensitive data is at risk of falling into the wrong hands.
Undoubtedly, public safety knows the possible consequences if CJI data isn’t properly secured; just think of the records of case witnesses and other sensitive data that, if in the wrong hands, could put members of the public in danger. However, agencies also have the responsibility of keeping the front door locked to block access by nation-state actors looking for a so-called ‘easy’ way in. Think about it: lost or stolen CJI data could also mean the difference between completing a criminal operation and starting a new one. Each and every agency has a part to play in keeping the network of CJI data safe. It’s not just about protecting data, but about protecting access to the network: if one agency falters or isn’t CJIS compliant, it could provide the simple access needed for a hacker to exploit sensitive and critical data.
The question remains
Who is really protecting this critical data, and what can the law enforcement community do to keep their networks safe?
Becoming CJIS compliant really doesn’t need to be complicated. In smaller agencies, however, there may be just one person, or a small handful of people, responsible for CJIS compliance. They feel overwhelmed when faced with such a critical task and often have limited cybersecurity or technical background to support them. Additionally, the ever-increasing workloads and legacy data networks facing the person responsible mean the task is often added to an already overwhelming to-do list.
Simply put, agencies with limited or no dedicated IT and cybersecurity resource are challenged by the requirements to achieve CJIS compliance. Then, when CJIS-compliant security measures are considered, the requirements can seem too complex to implement: What is encryption and how does it protect data? Who should be allowed access to what information? Which parts of the network need to be secured?
A change in mindset is needed. By taking simple steps and looking at each CJIS Security Policy requirement one by one, those tasked with ensuring their agency becomes CJIS compliant won’t be left in a cybersecurity daze.
Step by step
One of the key elements of CJIS compliance is securing all data in motion, meaning that all data transmitted outside the boundary of a physically secure location – even if it’s between two offices of the same judicial agency – must be encrypted. This part is vital. While encryption might seem hard, scary and expensive to implement, it can be as simple as adding encryption software on top of your existing security solution, which is easy to deploy, use and maintain. This separates security from the infrastructure that is being protected, no matter how complex the network might be, keeping critical data secure. This simple step will ensure that your agency is not only compliant with the CJIS Security Policy but that it is playing its integral part in protecting data and keeping the ‘bad guys’ out.
With simple steps to take, public safety agencies can quickly become CJIS compliant. These organizations must know what CJI data they hold, where it is being held and how it is being kept secure: questions which will be easy to answer with the correct security measures in place. Once a change in mindset has been achieved, CJIS compliance won’t seem so daunting, and agencies will be able to ensure they are staying on the right side of the law.
About the Author
Dan Garbarz is the Director of Systems Engineering for Certes Networks. As part of his role, Dan designs security postures for prospective customers; demonstrates and positions Certes products for compliance in government-regulated environments; manages System Engineers for the Americas; and creates go-to-market programs and whitepapers. A certified ethical hacker and active ISSA member, Dan has spoken on a variety of Information Technology-related topics throughout his career and holds both a degree in Computer Science and a Master’s in Business Administration.