Version: V10

VIDIZMO Compliance with CJIS Security Policy Resource Center

Introduction

VIDIZMO is a digital evidence management platform responsible for securing sensitive information and upholding stringent security protocols. To meet this responsibility, VIDIZMO aligns its operations with the Criminal Justice Information Services (CJIS) Security Policy, a comprehensive set of mandatory guidelines established by the FBI to safeguard Criminal Justice Information (CJI). The CJIS Security Policy serves as a framework to prevent unauthorized access, modification, or disclosure of CJI. Agencies handling CJI data must adhere to these policies to guarantee the integrity and confidentiality of the information.

This article explores how VIDIZMO's features and functionalities align with the CJIS Security Policy Resource Center, so that agencies can use video technology knowing that their data security remains uncompromised.

CJIS Security Policy Overview

The Criminal Justice Information Services (CJIS) Division within the US Federal Bureau of Investigation (FBI) provides access to criminal justice information (CJI) for state, local, and federal law enforcement and criminal justice agencies. This includes sensitive data like criminal histories. To ensure the secure transmission, storage, and processing of CJI, law enforcement and government agencies in the United States must comply with the CJIS Security Policy.

The CJIS Security Policy, mandated by the FBI, outlines the minimum security requirements and controls to protect CJI at every stage of its lifecycle. For agencies using cloud services, it is imperative to ensure that their chosen cloud service provider adheres to these CJIS Security Policy requirements. This ensures the robust security of Criminal Justice Information, maintaining the integrity and confidentiality of sensitive data.

VIDIZMO and CJIS Security Policy

VIDIZMO aligns its operations with the CJIS Security Policy by implementing various security measures, such as:

1. Access Control

Limiting Access to Authorized Personnel

  • Role-Based Access Control (RBAC): Assigns specific permissions based on user roles, ensuring only authorized individuals access relevant data. This aligns with CJIS Security Policy Control SP 800-53 Rev. 5, AC-2 (Account Management) and AC-3 (Access Enforcement).
  • Granular Permission Settings: Fine-tunes access further, controlling viewing, editing, sharing, and other actions for individual users or groups.
  • Two-Factor Authentication (MFA): Adds an extra layer of security by requiring a secondary verification step beyond passwords. This aligns with CJIS Security Policy Control SP 800-53 Rev. 5, AC-2 (Account Management) and AC-3 (Access Enforcement).
  • Limited Access: Only authorized personnel can access CJI data based on their roles and permissions.

Strong Authentication Mechanisms

  • Secure Password Protocols: Enforces complex password requirements, password aging policies, and regular password resets.
  • Single Sign-On (SSO) Integration: Leverages existing organizational authentication systems for centralized control and improved user experience.

Implementing Role-Based Access Controls

  • Predefined Roles: Offers pre-configured roles with specific permissions for common user types (e.g., investigators, evidence custodians).
  • Customizable Roles: Allows customization of roles and permissions to match specific organizational needs and security protocols.
  • Auditing and Reporting: Tracks user activity and access attempts, providing detailed records for accountability and compliance reporting.

2. Encryption

All data at rest and in transit within VIDIZMO is encrypted using AES 256-bit encryption, the industry standard for secure data protection, safeguarding CJI data from unauthorized access. This meets CJIS Security Policy Control: SP 800-53 Rev. 5, SC-28. The cloud providers, Microsoft Azure and Amazon Web Services (AWS), employ strong encryption algorithms and adhere to strict security protocols, adding an extra layer of protection.

3. Auditing and Monitoring

VIDIZMO maintains comprehensive audit logs that track all user activity related to CJI data, including access attempts, modifications, and data transfers. These detailed logs facilitate forensic analysis, accountability, and adherence to audit requirements. This meets CJIS Security Policy Control: AU-9.

Audit Logs

  • VIDIZMO maintains comprehensive audit logs that capture critical events, including user actions, system modifications, and access attempts.
  • Automatic Audit Log Reporting: VIDIZMO generates audit log reports, providing a detailed overview of system activities.
  • Chain of Custody Tracking: VIDIZMO’s DEMS should facilitate effective chain of custody tracking for digital evidence, ensuring its authenticity and admissibility in court.

4. Incident Response

VIDIZMO has established a well-defined incident response plan to promptly identify, contain, and remediate potential security incidents involving CJI data. This proactive approach minimizes risks and ensures data integrity. This meets CJIS Security Policy Control: SI-7.

  • VIDIZMO collaborates with Azure and AWS for incident response, relying on their robust procedures for infrastructure security, prompt notification of data breaches, and joint communication to ensure coordinated response and minimize incident impact.

5. Physical Security

As a software-as-a-service (SaaS) platform, VIDIZMO operates within the secure facilities of its underlying infrastructure providers: Microsoft Azure and Amazon Web Services (AWS) Cloud. These cloud providers take primary responsibility for physical security measures, while some aspects remain shared with VIDIZMO.

  • Azure and AWS Data Centers: These providers operate secure data centers featuring multi-layered access controls, biometric authentication, and security patrols. Advanced environmental controls safeguard against physical threats like fire and flooding. Video surveillance and intrusion detection systems ensure real-time monitoring. Regular security audits and penetration testing are conducted to identify and address vulnerabilities, ensuring a high level of physical security in their state-of-the-art facilities.

6. Personnel Security

VIDIZMO emphasizes the importance of conducting thorough background checks for all employees who have access to data and provides continuous security awareness training to educate personnel on the latest threats, phishing techniques, and the importance of maintaining a security-conscious mindset.

7. Secure Disposal

CJIS Control 18 requires the secure disposal of sensitive data. VIDIZMO offers CJIS-compliant data destruction features and practices.

  • Scheduled Deletion: Set automated deletion schedules for specific data types or retention periods, ensuring timely and secure disposal.
  • Manual Deletion: Securely delete individual data items through user-initiated actions with confirmation steps.
  • Azure and AWS: Both providers offer secure data deletion methods for data stored within their infrastructure, adhering to relevant regulations.

8. Vulnerability Management

VIDIZMO follows best practices for secure configuration, and timely patches are applied to address potential vulnerabilities. The platform supports organizations in maintaining a secure environment in line with CJIS guidelines.

  • Infrastructure Security: AWS and Azure cloud providers have robust vulnerability management programs for their underlying infrastructure, including regular assessments, patching, and proactive measures to identify and address potential security weaknesses.
  • Regular Assessments: VIDIZMO conducts regular vulnerability assessments of its platform using industry-standard tools and methodologies.
  • Security Patch Management: VIDIZMO promptly applies security patches for any identified vulnerabilities within its software components.

9. Risk Assessment

CJIS Control 24 demands a proactive approach to risk management. VIDIZMO employs a comprehensive risk assessment strategy, coupled with effective mitigation measures, to protect your data.

  • Regular Assessments: VIDIZMO conducts periodic risk assessments using industry-standard frameworks and methodologies, systematically evaluating potential threats and vulnerabilities across its platform and infrastructure.
  • Shared Responsibility: Both VIDIZMO and its cloud providers, Microsoft Azure and Amazon Web Services (AWS), contribute to risk assessment by sharing threat intelligence and vulnerabilities identified within their respective domains.

10. Policy and Procedure Development

VIDIZMO addresses CJIS Control 25 by emphasizing the establishment and enforcement of security policies and procedures.

  • Documentation: VIDIZMO provides easily accessible documentation detailing its internal security policies and procedures, serving as a valuable reference for users to understand best practices.
  • Transparency: VIDIZMO ensures transparency by keeping users informed about any changes to security policies and procedures through regular communication channels.

11. Information Exchange

VIDIZMO ensures the safe and controlled sharing of sensitive information in compliance with CJIS Control 38.

  • Secure Collaboration Framework: VIDIZMO provides a secure environment for collaboration on CJI data, incorporating granular access controls, encryption, and secure communication channels.
  • Granular Access Controls: Users with administrator roles can define permissions for users with varying levels of access, enabling granular control over user roles.
  • Encrypted Communication: All data transfers within VIDIZMO are encrypted in transit and at rest, adhering to industry-standard protocols and ensuring confidentiality and integrity.

Conclusion

VIDIZMO is dedicated to giving law enforcement and criminal justice agencies a safe and compliant platform for managing videos. Our strong features match the strict rules of the CJIS Security Policy, guaranteeing the safety of important Criminal Justice Information (CJI) data. The CJIS Security Policy, based on NIST standards, outlines security requirements for protecting CJI in the US. Many CJIS Security Policy controls map directly to NIST SP 800-53 controls, making it easier for organizations to comply with both.