WestFax CJIS Policies
CJI refers to all of the FBI's CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws. CJI includes biometric, identity history, person, organization, property and case/incident history data. It also includes the FBI's CJIS-provided data necessary for civil agencies to perform their mission, including data used to make hiring decisions.
CJI must be protected until the information is either (a) released to the public through an authorized disclosure, such as in a crime report; or (b) purged or destroyed in accordance with applicable record retention rules. The CJIS Security Policy outlines a minimum set of security requirements that create security controls for managing and maintaining CJI fax data. There is no centralized body authorized to certify compliance with the CJIS Security Policy.
Many fax vendors incorrectly state that their solution is "CJIS certified." There is no such thing as being "CJIS certified."
The FBI has advised that CJAs and NCJAs are ultimately responsible for ensuring compliance, even when they engage with a third-party vendor to provide software or services relating to the agency's CJI. What is more, those agencies interpret solutions according to the agency's own risk acceptance standard of what is CJIS-compliant. WestFax expects to work collaboratively with clients to come to a mutually agreeable framework that is consistent with the FBI's CJIS Security Policy and industry standards. If WestFax agrees to take additional measures because of a unique client requirement, WestFax reserves the right to attach a fee to those efforts and to deploy them within a timeframe WestFax deems reasonable.
CJIS Policy Areas
The CJIS Security Policy is broken into 13 policy areas. The shared responsibility matrix referenced above details which party is responsible for controls within those policy areas, and how those responsibilities are met. What follows here is a high-level summary of the policy areas themselves and WestFax's response to each area.
Policy Area 1 - Information Exchange Agreements
Organizations dealing with CJI must have signed written agreements documenting the full length of their interaction and the relevant security policies and procedures in place between them to ensure appropriate safeguards. CJIS policy incorporates procedures on how information is handled and what should be in user agreements. Companies and agencies that use CJI must include specific processes and parameters in their information exchange agreements.
Policy Area 2 - Security Awareness Training
Basic security awareness training should be given in the initial six months and biennially for all personnel who have access to CJI. Records of individual basic security awareness training and specific information system security training shall be documented and updated. It is the customer's responsibility to make sure the training is made available to all personnel who have access to the information and to keep the training documents up to date.
Policy Area 3 - Incident Response
WestFax follows industry-standard incident response protocols, including preparation, detection, analysis, containment, eradication and recovery. It is important to note that WestFax's clients must also have their own incident response policies and procedures in place, as WestFax does not manage or triage customers' security incidents on its customers' behalf.
Policy Area 4 - Auditing and Accountability
Agencies must provide for the ability to generate audit records of their systems for defined events. WestFax, on request, will assist its clients who are undergoing an audit by responding to client inquiries pertaining to an audit and providing all available data in response.
Policy Area 5 — Access Control
WestFax has implemented mechanisms covering login management systems, remote access, and virtual private network (VPN) solutions certified to the FIPS 140-2 standard. WestFax has also established policies and controls for Wi-Fi, cellular & Bluetooth devices.
Policy Area 6 — Identification and Authentication
WestFax provides our personnel with unique user identification credentials and requires complex passwords, which must be changed regularly according to our security requirement policies.
Policy Area 7 — Configuration Management
WestFax segregates databases containing CJI on the WestFax network, and limits user access credentials to WestFax's resources authorized to access and manage CJI on behalf of our customers. WestFax system configuration documentation contains sensitive details (including processes, procedures, data structures, data flow processes, user permission structure, etc.). WestFax protects this system documentation from public distribution.
Policy Area 8 — Media Protection
WestFax secures all CJIS data in its possession in its digital form. WestFax's solution is capable of encrypting data in transit and at rest. WestFax takes a risk-based approach to identifying, classifying and securing sensitive information as appropriate and based on customers' requirements.
Policy Area 9 — Physical Protection
WestFax has designated physically secure locations in applicable WestFax office locations and other WestFax data center areas where CJI may be accessed by WestFax resources.
Policy Area 10 — Systems and Communications Protection and Information Integrity
Communications safeguards must be employed to ensure the security and integrity of data across the network both in motion and at rest. WestFax security includes 256-bit AES SSL encryption at rest, Active Directory integration, two-factor authentication, granular user and file-sharing permissions, client application security policies, anti-virus and malware scanning, endpoint and API protections and a comprehensive audit trail.
Policy Area 11 — Formal Audits
The FBI does not audit third-party vendors such as WestFax. Instead, the FBI audits law enforcement agencies, such as WestFax's clients. WestFax cooperates with its clients during such audits as necessary.
Policy Area 12 — Personnel Security
WestFax conducts background checks on all WestFax personnel with physical or logical access to unencrypted CJI and limits. By principle, no WestFax personnel are granted any permissions or capabilities to access any CJI materials due to access standards designed to provide least-privilege access principles.
Policy Area 13 — Mobile Devices
This policy area requires law enforcement agencies to establish usage restrictions and implementation guidance for mobile devices, and to authorize, monitor, and control wireless access. WestFax has established industry-standard rules for mobile devices at any WestFax data center or office.
About WestFax
WestFax is a leading secure cloud fax provider based in the United States and serving our customers proudly since 1999. With over 23 years of experience, we have the background and knowledge to ensure your CJI and fax data is secure.
Reach out to us today at 800-473-6208 or sales@westfax.com to learn more about our Fax offerings for Law Enforcement.