ConnectWise

Criminal Justice Information Services (CJIS) Security Policy

Introduction

The purpose of the Criminal Justice Information Services (CJIS) security policy is to ensure the protection of criminal justice information (CJI) until the information is appropriately released or destroyed. This page will list how ScreenConnect™ conforms to the CJIS security policy.

What is Criminal Justice Information (CJI)?

CJI refers to the FBI CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws, information that can include biometric, identity history, person, organization, property, and case/incident history data. CJI also refers to data necessary for civil agencies to perform their mission, including data used to make hiring decisions. The intent of the CJIS Security Policy is to ensure the protection of the aforementioned CJI until the information is 1) released to the public via authorized dissemination (e.g., within a court system, presented in crime reports data, or released in the interest of public safety) and 2) purged or destroyed in accordance with applicable record retention rules.

Note: Following the notes in this document will not guarantee CJI compliance, nor can we give advice or guidelines for achieving CJI compliance. Contact your CJI compliance professional to review your company's compliance status.

Detailed CJIS Requirements and ScreenConnect Compliance

Each entry below quotes the CJIS policy requirement and then lists the corresponding ScreenConnect solution.
5.4.1 Auditable Events and Content (Information Systems)

The agency’s information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system.

The following events shall be logged:

  • Successful and unsuccessful system log-on attempts
  • Successful and unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resource
  • Successful and unsuccessful attempts to change account passwords
  • Successful and unsuccessful actions by privileged accounts
  • Successful and unsuccessful attempts for users to access, modify, or destroy the audit log file

ScreenConnect solution:

  • With ScreenConnect Cloud, there is no end-user access to any server-side files or directory structures.
  • With ScreenConnect On-Premise, the partner is responsible for securing access to the ScreenConnect server (operating-system accounts, file-system permissions, and the host's own event logging).
  • AD/LDAP user authentication, depending on configuration, may log all sign-in attempts; confirm that the directory server records failed attempts as well as successful ones, since the requirement covers both.
  • When connected to a guest machine, all events are audited. If extended auditing is enabled, each session is automatically recorded, and the videos can be downloaded and viewed from the Audit page.
5.4.1.1.1 Content

The following content shall be included with every audited event:

  • Date and time of the event
  • The component of the information system (e.g., software component, hardware component) where the event occurred
  • Type of event
  • User/subject identity
  • Outcome (success or failure) of the event

ScreenConnect solution:

  • Extensive audit logs are generated
  • Extended auditing creates a video record of each session
5.4.3 Audit Monitoring, Analysis, and Reporting

The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week.

ScreenConnect solution:

  • Audit logs can be filtered to a specific date range in order to facilitate the weekly review.
5.4.4 Time Stamps

The agency’s information system shall provide time stamps for use in audit record generation. The time stamps shall include the date and time values generated by the internal system clocks in the audit records. The agency shall synchronize internal information system clocks on an annual basis.

ScreenConnect solution:

  • Time stamps are added to all timeline and audit log information. They come from the clock of the machine running the ScreenConnect server, so for On-Premise installs keeping that host's clock synchronized (for example with NTP) is the agency's responsibility.
  • Extended auditing will also include time stamps.
5.4.5 Protection of Audit Information

The agency’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

ScreenConnect solution:

  • All access to the web interface's audit log is restricted to accounts with the "Administer" permission.
5.5.2 Access Enforcement

Access to the system and contained information. The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel. Access control policies (e.g., identity-based policies, role-based policies, rule based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.

Agencies shall control access to CJI based on one or more of the following:

  • Job assignment or function (i.e., the role) of the user seeking access
  • Physical location
  • Logical location
  • Network addresses (e.g., users from sites within a given agency may be permitted greater access than those from outside)
  • Time-of-day and day-of-week/month restrictions

ScreenConnect solution:

  • ScreenConnect's role-based security can define granular permissions based on a user's role.
  • Using role-based security and session groups can prevent certain users from accessing certain machines.
  • The "restrict by IP" feature can prevent unwanted eyes from accessing the Admin, Host, or Guest pages.
5.5.3 Unsuccessful Login Attempts

Where technically feasible, the system shall enforce a limit of no more than five consecutive invalid access attempts by a user (attempting to access CJI or systems with access to CJI). The system shall automatically lock the account/node for a 10-minute time period unless released by an administrator.

ScreenConnect solution:

  • Windows authentication can lock a user out after a set number of failed login attempts; the threshold and lockout duration come from the domain's account lockout policy.
  • Forms authentication can enforce this through the membership provider's PasswordAttemptWindow and MaxInvalidPasswordAttempts settings in web.config (five attempts and a 10-minute window to match the policy).
5.5.4 System Use Information

The information system shall display an approved system use notification message, before granting access, informing potential users of various usages and monitoring rules.

ScreenConnect solution:

  • The resource string "LoginPanel.LoginReason.None.Message" can be configured to give a message prior to login.
5.5.5 Session Lock

The information system shall prevent further access to the system by initiating a session lock after a maximum of 30 minutes of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

ScreenConnect solution:

  • Edit the web.config setting "MaxLongestTicketReissueIntervalSeconds" to limit how long a Host or Admin page login remains valid; 1800 seconds or less matches the 30-minute limit.
  • Edit the web.config setting "InputIdleDisconnectTimeSeconds" to disconnect hosts from their sessions after a specific amount of idle time (again, 1800 seconds or less).
  • Add the app.config settings "AccessLockMachineOnDisconnect" and "SupportLockMachineOnDisconnect" so that the guest machine is locked when a session disconnects.
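The lockout settings under 5.5.3 and the session-lock settings under 5.5.5 are easy to set and easy to leave at a value that does not meet the policy, so here is an added example, written for this page rather than taken from ConnectWise, that checks a web.config and a client app.config against the limits quoted in the policy text. It assumes both files use the standard .NET appSettings layout (<add key="..." value="..." /> entries) and that the Forms-authentication membership provider exposes the ASP.NET attributes maxInvalidPasswordAttempts and passwordAttemptWindow; the provider name XmlMembershipProvider and all sample values are constructed for illustration.

```python
"""Check ScreenConnect-style web.config and app.config values against the CJIS
lockout (5.5.3) and session-lock (5.5.5) limits quoted above."""
import xml.etree.ElementTree as ET

MAX_INVALID_ATTEMPTS = 5    # 5.5.3: no more than five consecutive invalid attempts
MIN_LOCKOUT_MINUTES = 10    # 5.5.3: lock for a 10-minute period
MAX_IDLE_SECONDS = 30 * 60  # 5.5.5: session lock after at most 30 minutes idle

# Assumption: both files use the standard .NET <appSettings><add key= value=/>
# layout, and web.config carries an ASP.NET-style <membership> provider.


def _app_settings(root):
    """Map every <add key=... value=.../> under <appSettings> to a dict."""
    settings = {}
    for block in root.iter("appSettings"):
        for entry in block.findall("add"):
            settings[entry.get("key")] = entry.get("value")
    return settings


def _membership_provider(root):
    """Attributes of the default membership provider, or {} if none is declared."""
    membership = next(root.iter("membership"), None)
    if membership is None:
        return {}
    default = membership.get("defaultProvider")
    for prov in membership.iter("add"):
        if default is None or prov.get("name") == default:
            return dict(prov.attrib)
    return {}


def check_web_config(xml_text):
    """Return a list of findings; an empty list means every checked limit is met."""
    root = ET.fromstring(xml_text)
    findings = []
    prov = _membership_provider(root)
    # web.config spells these camelCase; the page lists them in PascalCase.
    attempts = prov.get("maxInvalidPasswordAttempts")
    window = prov.get("passwordAttemptWindow")
    if attempts is None or int(attempts) > MAX_INVALID_ATTEMPTS:
        findings.append(f"maxInvalidPasswordAttempts={attempts}, need <= {MAX_INVALID_ATTEMPTS}")
    if window is None or int(window) < MIN_LOCKOUT_MINUTES:
        findings.append(f"passwordAttemptWindow={window}, need >= {MIN_LOCKOUT_MINUTES}")
    settings = _app_settings(root)
    for key in ("MaxLongestTicketReissueIntervalSeconds", "InputIdleDisconnectTimeSeconds"):
        raw = settings.get(key)
        if raw is None or int(raw) > MAX_IDLE_SECONDS:
            findings.append(f"{key}={raw}, need <= {MAX_IDLE_SECONDS}")
    return findings


def check_app_config(xml_text):
    """Both client lock-on-disconnect switches must be present and true."""
    settings = _app_settings(ET.fromstring(xml_text))
    keys = ("AccessLockMachineOnDisconnect", "SupportLockMachineOnDisconnect")
    return [f"{key}={settings.get(key)}, need true"
            for key in keys if str(settings.get(key)).lower() != "true"]


# Constructed samples (not real ScreenConnect files): a weak configuration
# and its hardened counterpart.
WEAK_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="MaxLongestTicketReissueIntervalSeconds" value="86400" />
  </appSettings>
  <system.web>
    <membership defaultProvider="XmlMembershipProvider">
      <providers>
        <add name="XmlMembershipProvider" maxInvalidPasswordAttempts="20" passwordAttemptWindow="5" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="MaxLongestTicketReissueIntervalSeconds" value="1800" />
    <add key="InputIdleDisconnectTimeSeconds" value="1800" />
  </appSettings>
  <system.web>
    <membership defaultProvider="XmlMembershipProvider">
      <providers>
        <add name="XmlMembershipProvider" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

WEAK_APP_CONFIG = """<configuration><appSettings>
  <add key="AccessLockMachineOnDisconnect" value="false" />
</appSettings></configuration>"""

HARDENED_APP_CONFIG = """<configuration><appSettings>
  <add key="AccessLockMachineOnDisconnect" value="true" />
  <add key="SupportLockMachineOnDisconnect" value="true" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for label, findings in (("weak web.config", check_web_config(WEAK_WEB_CONFIG)),
                            ("hardened web.config", check_web_config(HARDENED_WEB_CONFIG)),
                            ("weak app.config", check_app_config(WEAK_APP_CONFIG)),
                            ("hardened app.config", check_app_config(HARDENED_APP_CONFIG))):
        print(f"{label}: {findings or 'no findings'}")
```

A missing key is reported as a finding rather than assumed safe, because a setting that is absent inherits whatever default the product ships with. Note also that passwordAttemptWindow is the number of minutes over which failed attempts are counted; whether the lock releases by itself after 10 minutes or only when an administrator unlocks the account depends on the provider, so confirm that behaviour on your own version instead of inferring it from the attribute name.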
5.5.6 Remote Access

The agency shall authorize, monitor, and control all methods of remote access to the information system. Remote access is any temporary access to an agency’s information system by a user (or an information system) communicating temporarily through an external, nonagency-controlled network (e.g., the Internet).

ScreenConnect solution:

  • Access sessions offer persistent, encrypted connections to remote machines.
  • Session groups can organize remote machines and, used in combination with role-based security, control which users can reach which groups of machines.
5.6.1 Identification Policy and Procedures

Each person who is authorized to store, process, and/or transmit CJI shall be uniquely identified. A unique identification shall also be required for all persons who administer and maintain the system(s) that access CJI or networks leveraged for CJI transit. The unique identification can take the form of a full name, badge number, serial number, or other unique alphanumeric identifier. Agencies shall require users to identify themselves uniquely before the user is allowed to perform any actions on the system. Agencies shall ensure that all user IDs belong to currently authorized users. Identification data shall be kept current by adding new users and disabling and/or deleting former users.

ScreenConnect solution:

  • All users can be set up with unique usernames and passwords; do not share accounts, and disable or delete the accounts of former users so that the user list stays current.
5.6.2 Authentication Policy and Procedures

Each individual’s identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency’s audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based interactive sessions with FBI CJIS Services. The FBI CJIS Division shall authenticate the ORI of all message-based sessions between the FBI CJIS Division and its customer agencies but will not further authenticate the user nor capture the unique identifier for the originating operator because this function is performed at the local agency, CSA, SIB or Channeler level.

Agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall:

  • Be a minimum length of eight (8) characters on all systems
  • Not be a dictionary word or proper name
  • Not be the same as the Userid
  • Expire within a maximum of 90 calendar days
  • Not be identical to the previous ten (10) passwords
  • Not be transmitted in the clear outside the secure location
  • Not be displayed when entered

The CJIS Security Policy mandates that Advanced Authentication be used to verify user access in certain conditions. Methods cited in the policy include biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions.

ScreenConnect solution:

  • Forms authentication: most of the password attributes can be met by configuring a regular expression for password complexity (the regex can enforce minimum length and character composition, but not the dictionary-word or user-ID rules). Password reuse and expiration are currently not supported, so those two attributes must be enforced by agency procedure.
  • Active Directory/LDAP: the password policy, including history and expiration, is controlled by the domain administrator.
  • Install a TLS (SSL) certificate on ScreenConnect On-Premise so that credentials are not transmitted in the clear.
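The page notes that Forms authentication can satisfy most of the password attributes with a complexity regular expression but not reuse or expiration. The added example below (not ConnectWise code) separates the attributes a regular expression can express from those that need logic outside the membership provider, such as a password-change workflow or a directory policy. The regex, the small word list and the test passwords are constructed here; requiring at least one letter and one digit is a strength choice made for the example, not an attribute from the policy text.

```python
"""Which CJIS password attributes a provider regex can enforce, and which it cannot."""
import re

# Candidate value for the ASP.NET membership attribute passwordStrengthRegularExpression:
# at least eight characters (the CJIS minimum) with at least one letter and one digit
# (a strength choice made for this example, not an attribute from the policy text).
PASSWORD_REGEX = re.compile(r"^(?=.*[A-Za-z])(?=.*\d).{8,}$")

# Constructed stand-in for a dictionary / proper-name list.
DICTIONARY = {"password", "summer", "welcome", "michael", "spring"}

HISTORY_DEPTH = 10  # CJIS: not identical to the previous ten passwords


def provider_would_accept(password):
    """What the membership provider alone can decide: the regex match."""
    return PASSWORD_REGEX.match(password) is not None


def password_findings(password, userid, history=(), dictionary=DICTIONARY):
    """Return the names of every CJIS attribute the password fails.

    'regex' is the only rule the provider enforces; the others need logic in
    front of it, because a regular expression cannot see the user ID, a word
    list, or previous passwords.
    """
    failed = []
    if not provider_would_accept(password):
        failed.append("regex")
    if password.lower() == userid.lower():       # case-insensitive comparison is a choice made here
        failed.append("same_as_userid")
    stem = re.sub(r"\d+$", "", password).lower()  # so "summer2024" still counts as "summer"
    if stem in dictionary:
        failed.append("dictionary_word")
    if password in list(history)[-HISTORY_DEPTH:]:  # only the last ten matter
        failed.append("reused")
    return failed


if __name__ == "__main__":
    cases = [
        ("summer2024", "jdoe", []),
        ("JDOE", "jdoe", []),
        ("Tr0ub4dor&3x", "jdoe", ["Tr0ub4dor&3x"]),
    ]
    for pw, uid, hist in cases:
        print(f"{pw!r}: provider accepts={provider_would_accept(pw)}, "
              f"failures={password_findings(pw, uid, hist)}")
```

The first case is the one to watch: "summer2024" passes the regex, so the provider would accept it, yet it fails the dictionary-word attribute. That gap is why the solution column says "most" rather than "all", and why the reuse check keeps only the last ten entries of the history it is given.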
5.7.1 Access Restrictions for Changes

Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. The goal is to allow only qualified and authorized individuals access to information system components for purposes of initiating changes, including upgrades, and modifications.

ScreenConnect solution:

  • Access to systems can be controlled by role-based security, so that only the roles authorized to make changes can reach the machines and pages where changes are made.
  • Extended auditing records all session activity, providing a reviewable record of the session in which a change was made.