Criminal Justice Information Services (CJIS)
The Criminal Justice Information Services Division (CJIS) is the FBI segment that mandates parameters for access to Criminal Justice Information (CJI). The CJIS Security Policy outlines standards for protecting the sources, transmission, storage, and creation of CJI. It establishes best practices to ensure timely, secure, and reliable access to CJI for agencies that prevent and mitigate crime. So, CJIS is a significant concern for agencies looking to use a law enforcement transcription service.
The fundamental objective of CJIS is to keep CJI secure and private so that it isn’t tampered with and can be relied upon when submitted to a court of law. This is why law enforcement agencies must work with a police case transcription service like Athreon that understands the complexities of CJIS. CJI can take many forms, including fingerprint data, criminal background information, transcribing arrest case video, sentencing reports, parole reports, and body-worn camera footage.
CJIS Security Policy
If any CJI were to be compromised and fall into the wrong hands, it could be detrimental to law enforcement and the community. For this reason, Athreon has developed its law enforcement transcription service with a strong focus on supporting the CJIS Security Policy.
The CJIS Security Policy outlines 13 areas to prevent unauthorized access to CJI while maintaining its integrity. These policy areas include:
- Information Exchange Agreements. Entities need to sign formal documents that outline how they are permitted to handle CJI.
- Security Awareness Training. Staff with access to CJI must undergo security training within six months of hire and biannually after that.
- Incident Response. Protocols must help detect, mitigate, and recover from threats. Entities must report security incidents to the Justice Department.
- Auditing and Accountability. Entities need to document items like login attempts, attempts to change passwords and destroy log files, and more.
- Access Control. Entities need to limit access to CJI based on job function. Likewise, restrictions on data management are necessary too.
- Identification and Authentication. Unique login credentials are required to access CJI with advanced authentication methods like multifactor authentication.
- Configuration Management. Entities need to ensure that only authorized system users can make changes like system updates.
- Media Protection. Measures to protect physical and digital CJI are required while in transit and at rest. Entities need to destroy CJI on retired equipment.
- Physical Protection. Unauthorized individuals should not have access to CJI where it is stored.
- Systems and Communications Protection and Information Integrity. Applications and information systems need to ensure data security and system and network integrity. Encryption, breach detection, and network security are all critical considerations.
- Formal Audits. The FBI or other agencies may launch audits to ensure CJIS compliance. Entities are subject to audits every three years at a minimum.
- Personnel Security. Everyone with access to CJI (employees, contractors, and subcontractors) is subject to background checks, including fingerprinting.
- Mobile Devices. Entities need to establish usage restrictions to authorize, monitor, and control access to CJI on smartphones and tablets.
Who Needs to Comply With CJIS?
Anyone with access to CJI must comply with CJIS. Federal, state, county, municipal, and other agencies must comply. Any agency with an FBI number must comply with CJIS. Likewise, vendors that support law enforcement agencies must comply with CJIS. Vendors could include a cloud service provider, a company transcribing arrest case audio, a data backup vendor, a private security firm, and a background check company.
How Athreon’s Law Enforcement Transcription Service Protects CJI
We only use the CJI entrusted to us to deliver our contracted solutions. We have implemented robust administrative, technical, and physical controls to protect CJI, including advanced encryption. Additionally, we restrict the processing and handling of CJI to transcription company staff located in the United States. Our workforce members are required to undergo background checks and fingerprinting.
To further comply with CJIS, we use audit trails to identify what happens with all the CJI in our care. Our technology tracks who accesses CJI, when they access it, what they do with it, and from where they access it. For technical information about our security and privacy practices, visit this link.
CJIS Security Addendum
The CJIS Security Rule explains that law enforcement agencies should have their vendors with access to CJI sign the CJIS Security Addendum. By signing the CJIS Security Addendum, a vendor accepts their responsibility to project criminal justice information. Athreon will sign the CJIS Security Addendum to attest to its commitment to comply with the CJIS requirements.
Security Risk Assessments
Athreon performs a Security Risk Assessment annually. The Risk Assessment helps our law enforcement transcription service evaluate the effectiveness of our CJIS protocols. Additionally, our Risk Assessments help us identify threats to CJI that require our attention. In some cases, we conduct Security Risk Assessments more regularly when we introduce new technology or processes or make a significant change to our existing law enforcement analytics technology or processes.
CJIS Security Awareness Training
Because we take securing criminal justice information seriously in our police case transcription service, we provide Security Awareness Training to our staff members with access to CJI. New hires that management authorizes to have access to CJI participate in a comprehensive CJIS training course, which they renew no less than every two years. In between annual training courses, employees participate in weekly cybersecurity training lessons so that security awareness remains top of mind. We understand that CJIS training varies by state and by agency. We are willing to participate in CJIS training specific to individual law enforcement agencies.
CJIS Compliance – A Shared Responsibility
Although we have implemented strong controls to ensure CJIS compliance in our law enforcement transcription service, data privacy is a responsibility we share with our LEA clients. Clients are responsible for granting appropriate CJI access to Athreon and their end-users. Clients are also responsible for leveraging our speech to text services and law enforcement dictation software in a manner that complies with the CJIS regulations and any other security policies their organization may require.
CJIS Security Incidents
If we were to have a data breach, we would alert the impacted agencies about the security incident without undue delay. We would relay specific details about the security violation and provide a breach risk assessment document and a security incident report.
We encourage clients, vendors, employees, or anyone else with concerns about Athreon’s CJIS compliance to notify Athreon. Anyone may report a concern without fear of reprisal. A compliance officer will address reported concerns and act to remediate the matter.