Criminal Justice Information (CJI) is data used in the practice of criminal justice, including the investigation and prosecution of crimes. Modern mobile and cloud technologies present law enforcement with new opportunities to capture and communicate CJI, potentially speeding investigations, building better cases, and handling more cases with limited staff.
These technologies however create new risks: data breaches can put investigations in jeopardy and individuals at risk. New technologies can also be difficult to use. Law enforcement can’t be tasked with time consuming technical work or extra documentation to ensure or demonstrate the chain of custody. Information sharing therefore needs to be intuitive and efficient so officers can focus on their jobs instead of the technology. Fortunately, standards and tools are keeping pace.
Recognizing that CJI must be protected from tampering and data leaks, the FBI, as long ago as 1998, began work on a security policy for managing CJI and controlling any IT systems that store or transmit CJI. Over the years, the Criminal Justice Information System (CJIS) Security Policy has become more thorough and detailed, accounting for new types of security threats and for new technologies such as cloud computing and personal mobile devices (BYOD). The most recent version of the CJIS Security Policy, version 5.5, was issued in June 2016.
In the words of the FBI:
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.
While protecting CJI in compliance with the CJIS Security Policy, today’s law enforcement agencies need to:
- Make CJI securely available to authorized users, including users in different agencies and users working remotely. While mobile devices provide users the ability to access information and capture photos and videos, law enforcement needs a solution that enables CJI to be exchanged efficiently from the field while meeting strict data security and compliance requirements.
- Ensure that data security and data governance best practices are followed in any scenario. The latest cloud and mobile technologies can improve data access and productivity, but they most do so without creating new challenges for data security and data governance. This can be a challenge when CJI is shared between agencies on different systems, or on mobile devices in the field.
- Enforce the CJIS Security Policy consistently, across all internal platforms and cloud services in use. This is all the more challenging as data is distributed across a variety of Enterprise Content Management (ECM) platforms and file storage services, such as Microsoft SharePoint, OpenText, Documentum, Windows File Shares, Google Drive, Microsoft OneDrive, Box, Dropbox, and other content sources.
The Accellion kiteworks Solution and CJIS
Kiteworks by Accellion is an enterprise-class, CJIS-compliant content collaboration platform that leverages a private cloud deployment to enable secure content sharing with internal and external parties. With kiteworks, enterprises and government agencies can seamlessly access, share and collaborate on content stored in legacy ECM platforms without having to duplicate or migrate files, which is costly, risky and creates a disruption to workflows and processes.
kiteworks leverages a law enforcement agency’s existing investments in ECM and email platforms with a content access and collaboration layer that supports authoring, collaboration, and workflow, and implements data governance including enterprise search for all content under management. In addition, all content is audited, and can optionally be held to collect information for use in industry-standard eDiscovery tools.
With kiteworks, law enforcement professionals can securely capture and transfer CJI with their mobile phones. For example, photos are secured and automatically uploaded to the kiteworks server, bypassing the phone’s camera roll entirely. With no evidence available on the device, the risk of data leaks is eliminated, however a complete audit trail of the chain of custody remains. Similarly, officers can remotely access, view, edit and share content stored in on-premise and cloud repositories, without having to download any files onto their phones. Once again, with no CJI stored on the phone, a lost, stolen, or hacked phone doesn’t present any security issues. Lastly, staff can collect, organize and share content with other departments, jurisdictions and attorneys general through web, office and email tools, again without leaks and with a full audit trail.
Government and law enforcement agencies such as the City of Pleasanton, Abbotsford Police Department, South Carolina Attorney General’s Office, Texas Juvenile Justice Department, the County of Sacramento and others rely on Accellion to ensure maximum information security and compliance for internal and external information sharing from any location, using any device. Strong security controls and the industry’s broadest deployment options enable organizations to ensure the protection of CJI, intellectual property, and other sensitive information. In addition, comprehensive management and control over all information sharing activities allow for the highest levels of data security and compliance.
The kiteworks platform includes a number of capabilities for law enforcement agencies, including:
- Enterprise-class security and governance features, including FIPS 140-2 certified encryption modules.
- Compliance with industry and government regulations, including SOX, HIPAA (with signed BAA), ITAR, SOC2, and PCI DSS Level 1. FedRAMP accreditation is formally “in process.”
- Secure connectors to enterprise content, including content stored in on-premises and cloud-based ECM systems such as SharePoint, SharePoint Online, Documentum, OpenText, Box, and Dropbox.
- Microsoft Office 365 integration.
- Content collaboration and productivity.
- Secure email attachments, including an intuitive Outlook plugin.
- Mobile applications with a secure container that separates law enforcement content from the rest of the device. In addition, all kiteworks content can be remotely wiped by the administrator in the case of a lost or stolen device.
- Private and hybrid clouds enable IT to architect a system that meets their infrastructure strategy and budget, yet ensures full security and compliance.
- REST APIs for custom integration and development.
kiteworks currently meets CJIS security requirements in all applicable critical policy areas, including:
- Policy Area 4: Auditing and Accountability - Full auditing and accountability through reports accessible through Admin dashboards, as well as through Syslog and SNMP. Administrators can comply with legal requests to preserve and collect all relevant files and metadata, and set content retention policies to meet regulatory compliance requirements.
- Policy Area 5: Access Control - Access Control through LDAP, SSO, 2FA, and local databases for external user authentication. kiteworks also provides granular permissions for individual folders for collaboration.
- Policy Area 6: Identification and Authentication - Authentication through LDAP, SSO, and 2FA.
- Policy Area 7: Configuration Management
- Full administrative control over configuration management. It also provides access restrictions for changes.
- Policy Area 10: System and Communications Protection and Information Integrity
- End-to-end encryption of data in transit and data at rest. The platform is available in FIPS 140-2 certified and compliant configurations. Customers also retain sole ownership and control of their encryption keys.
- Policy Area 13: Mobile Devices - Major mobile operating systems supported. Native MDM-light capabilities such as remote data wipe, secure encrypted containers, access PINs, token lifetime configuration, and mobile app whitelisting are all part of the kiteworks platform. The mobile productivity suite makes it easy for authorized users to create, edit, share, and collaborate on files on mobile devices.
In total, the kiteworks private cloud content collaboration platform enables law enforcement agencies to take full advantage of the latest advances in mobile devices and cloud computing, while meeting strict CJIS requirements.
To learn more about kiteworks and its features for CJIS compliance, please contact us.