Security


The Security articles on our BMI Imaging Systems Blog provide you with useful information about the methods and processes you should consider when converting and accessing your sensitive records. How do you access your records? Who converts them for you? Where are they hosted? Understand security and protect your records!

CJIS Compliance And Document Management

What is CJIS? Does it apply to my records? Who can I talk to about this kind of thing?

These are all great questions, and potentially they’re the ones that you’re asking yourself if you’ve landed on this article. What we’ll do here is give you an overview of CJIS, why CJIS compliance is important, and who should be concerned about it. We’ll also talk a bit about how CJIS applies to scanning your records (such as microfilm, microfiche, and hard copy files) and accessing your documents through a hosted database.

What is CJIS?

CJIS stands for Criminal Justice Information Services and is a division of the FBI. The mission is “to equip our law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties.” Basically, CJIS provides a quick-access information database to local, state, and federal law enforcement agencies, which can then use that information to help them catch the bad guys more efficiently.

The FBI heads the overarching CJIS division, but individual states usually have their own organizations for handling CJIS protocols, such as the California Justice Information Services (“CJIS”) and the Arizona Criminal Justice Information System (“ACJIS”). At a high level, the FBI CJIS policy is the standard for local agency policies, and must be adhered to. However, local agencies can also complement the CJIS policies with their own protocols, but the CJIS Security Policy must be maintained at a minimum and must not be detracted from or reduced.

Why is CJIS Compliance Important?

One, because the FBI says it’s important. Two, because if you have CJI (Criminal Justice Information) then you’re required to adhere to the policies provided by the FBI (and potentially local agency policies) related to this type of information. Three, because if you are responsible for CJI, the FBI can “pop in” and perform a security audit at any time.

Who Should be Concerned About CJIS?

CJIS compliance applies to records that contain criminal information, such as police department records or court documents with criminal data. If your organization (hint: police departments, sheriff’s offices, courts) handles records that contain criminal information, you are likely supposed to be following the rules and guidelines of the CJIS Security Policy to ensure that your content is handled by the proper individuals and in the proper way.

How Does CJIS Apply to Scanning?

Here’s where we come in.
It’s all well and good to know CJIS policies and requirements, and that you have records that fall under the CJIS umbrella, but if you’re interested in scanning physical records like microfilm, microfiche, and paper files into digital format, or transferring electronic data with that same type of information, how does that work? Who’s allowed to handle this type of material?

The first thing you should do is to go to the CJIS portal (https://www.cjisonline.com/index.cgi) and do a search for companies that provide scanning and document management services. If they’re not on the list, they’re probably not the best pick to provide CJIS-compliant records handling. If you didn’t find what you were looking for on the CJIS portal, another way to determine which organizations can work with CJIS data is to search the web for scanning companies and when you get in contact with them, just ask if they’re a CJIS-listed vendor. If the response to that question is “who’s CJIS?” then you know you’re not talking to the right company.

BMI is a CJIS-listed vendor, meaning we’ve been given the green light to work with criminal data records. Our folks have been vetted and cleared for this type of work, and our physical and network security policies and procedures comply with the rules and guidelines for the sensitive nature of the material we’d be handling. To get an idea of the type of security we employ at BMI, take a look at our Security page for a brief overview.

CJIS Secure Cloud Hosting Environment

Let’s say you have an archive of 1,000 microfilm rolls containing criminal records. And let’s also say that you decided to scan your microfilm into a digital format. Finally, let’s say that you found a company that is a CJIS-listed vendor and worked with them to scan your microfilm. Good job!

But now what?

As with most choices in life, you have many. You could have your microfilm scanned into a standard format, such as multi-page PDFs or single-page TIFFs, and returned to you on an encrypted USB drive; you may have an existing content management database and choose to have the images formatted for import to that system; or, you may want to have the digital images and data imported into a hosted database provided by a document management company.

If you’re interested in a CJIS Cloud Hosting solution, that’s fantastic. We provide CJIS hosting to many clients from the law enforcement arena, and our network is structured to accommodate CJI. Aspects of the BMI CJIS Cloud Hosting Environment include:

  • The system will present a Community Cloud hosting model as defined by NIST SP 800-145.
  • Unique login credentials (username and password) with two-factor authentication (2FA).
  • IP Address Lock implementation to only allow system access to requests that originate from your network.
  • Data within the system encrypted at rest using FIPS 140-2 certified encryption technology.
  • Data in transmission encrypted using TLS encryption to conform with FIPS 140-2.
  • Automatic session timeout after 20 minutes of user inactivity.
  • All BMI personnel with access to the CJIS Hosted System or client data during the conversion process will have CJIS Level 4 certification and will have undergone and passed a criminal background investigation.

Next Steps

If you think it’s time to get serious about CJIS, we agree. As we mentioned in the section “How Does CJIS Apply to Scanning?”, you could check out the CJIS portal to get an idea of who may be a good fit to work with you on your project.

Another option is to give us a call (800-359-3456) or fill out a form (right side of this web page) and we’ll get one of our teammates to follow up with you and answer your questions.

2018-10-17T11:14:55+00:00 | October 1st, 2018 | Security

Moving to Cloud-Based Document Management

A Focus on Security

A number of reasons (both financial and strategic) are driving companies to online document management services from trusted vendors such as BMI Imaging. This shift away from traditional in-house approaches is well underway, with more than 70% of organizations actively planning or implementing cloud technologies today (according to an InformationWeek April 2015 survey).

In the first of our 3-part “Moving to the Cloud” blog series, we focus on document hosting solutions, the core of cloud-based document management, and its key underlying requirement – security.

Security: The Number One Concern when it comes to Cloud-Based Document Management

Whether you’re a new company or an established organization, your customers’ trust is your number one asset. That’s why your move to cloud-based document management requires a secure foundation that protects customer data and your business reputation.

In the InformationWeek survey mentioned above, almost 90% of respondents are very or moderately concerned about cloud-based security. Specifically, 45% of IT organizations are concerned about general security and 41% of IT organizations are worried about data loss / leakage.

5 Steps to a Secure, Cloud-Based Document Management Foundation

There are five steps that you should consider to minimize your risk when moving to cloud-based document management systems.

Step 1: Partner with a Trusted Cloud-Based Document Management Provider

Moving to cloud-based document management is not only about technology, but also about updating and integrating with key business processes already in place. BMI Imaging provides over 50 years of know-how, with more than 2,000 customers (commercial and government). We have developed over 400 unique image and data management tools and process control routines. In addition, we offer dedicated project management staff for personalized attention to your needs.

Step 2: Review Critical Vendor Infrastructure

It is important to review the vendor infrastructure. Example questions include: Is there 24/7/365 monitoring of all IT operations? What about redundancy protection? Is it N+2 (or better) for all critical systems? Is 2N+2 electrical power redundancy in place? Where are the local and remote (Disaster Recovery / Continuity) locations?

Step 3: Investigate Industry Certifications and Compliance

Does the cloud-based document management vendor undertake regular and rigorous SSAE-16 Type II/SAS 70 audits, with zero exceptions? Is PCI DSS compliance in place? Is there existing Federal FISMA compliance with NIST 800-53 moderate baseline controls?

Step 4: Ensure Offline Security

Don’t forget about security of the physical facilities. Is there any public access to the facilities? Do 100% of vetted personnel have to be securely signed in and escorted at all times? What about multi-factor identification, including biometric and multi-level security zones? Are there digital cameras installed to monitor secure areas 24/7? Is there a physically separate caged environment within the secure data center?

Step 5: Secure End-User and Administrative Access

Are administration, user selection, and access rights simple to manage? Are SSL encryption and IP lock security in place? Can you access the full audit trail and report on any document accessed?

The five steps above are a good foundation for ensuring that you minimize any risks associated with your cloud-based document management project. Contact a BMI specialist if you’d like to walk through any specific requirements.

 

2018-11-29T08:35:14+00:00 | June 3rd, 2015 | Document Management, Security