CJIS Security Audit

Resources to support your upcoming CJIS Technical Audit are provided below. If you need further assistance or have questions, please contact [email protected]. Thank you!

REQUIRED DOCUMENTS

  1. Interagency/Management Control Agreements – If your agency shares CJI with any other agencies (for example, the County Attorney or FWP), you should have signed agreements. Templates: Information Exchange Template – Sample Management Control Agreement
  2. Security Addendums – Any vendor or contractor (CAD/RMS/janitorial) who has physical or virtual access to your systems must sign this form. Every individual with access must complete the form, not just the company. Form: FBI_CJIS_Security_Addendum_2019
  3. Personnel Sanctions Policy – A written policy with your agency’s rules of acceptable use of CJI and/or disciplinary actions for misuse. This is also covered in Montana State law under MCA 45-7-601, Misuse of confidential criminal justice information. Examples: Acceptable Use of IT Resources – Acceptable Use Policy Example
  4. Security Awareness Training List – A list of your agency’s users and their training status is required. The list should include: first and last name, date of hire, date of last security awareness training, access level (administrator, query-only, etc.), agency, and department. This can be shown during the on-site visit. If your agency receives training through DOJ and/or CJIN, we can help you prepare this list.
  5. Security Awareness Training Materials – If DOJ or CJIN manages security awareness training for your users, copies of training materials are not required. If your agency uses a non-DOJ security training program, provide detailed information about your training program, including the topics covered for each level of access. If needed, DOJ’s materials are available at the following: DOJ Training Program – CJIN Training v2018
  6. Physical Protection Policies and Procedures – This should be a written policy describing how physical access (escorted visitors, Restricted Access signs displayed, controlled access to secure areas) is managed by your agency. Template: Physical Protection Policy Template
  7. Physical and Digital Media Destruction Policies and Procedures – A policy describing how your agency handles, stores, transports, sanitizes and disposes of media. Examples: Electronic and Physical Media Disposal Procedure Example – Disposal of Media Storage Device Procedure
  8. Network Diagram – This is a high-level data flow diagram showing CJIS systems access, including access by system users and/or IT personnel. It should be no more than two (2) years old and should not include specific IP addresses. It should be sent via secure email or reviewed during your on-site visit.
  9. Event Logs – CJIS policy requires agencies to retain one year of event logs for information systems accessing CJI. The logs should include successful and unsuccessful logon attempts, password changes, transactions, etc. For your audit, you should prepare a sample from the last 30 days.
  10. Encryption Certificates – CJIS policy requires CJI to be encrypted at rest and in transit to certified FIPS 140-2 standards. Certificates for typical Montana law enforcement systems include: Datamaxx OMNIXX – Netmotion – CISCO – RSA 4000 USB Token – Globalscape – BitLocker (We’ve listed commonly used products above. If your product is not listed, its encryption certificate is often available on the vendor’s website.)
  11. Procedures/forms for requesting and/or removing access to Information Systems – A procedure detailing how your agency manages users including adding, training, transferring and deleting users.
  12. Procedures for Security Incident Reporting/Handling – If your agency were to experience a security incident, how would it be handled? If your agency has experienced and reported an event in the last three years, you must include documentation of the incident in this section. On the state level, MT-ISAC has developed the following policies: Small Cyber Incident Handling – Large Cyber Incident Handling – Incident Handling and Response Plan Template – MS-ISAC Incident Handling Worksheet – MS-ISAC Incident Response Policy

ADDITIONAL RESOURCES