Got acronyms? Of course you do. No doubt we find ourselves amidst a convergence of many technical and law enforcement acronyms, whether in journals, text messages, laws, operating procedures, you name it,
Ah! More acronyms! CJIS is Criminal Justice Information Systems, a division of the FBI (Federal Bureau of Investigation – of course, you knew that one). In the fourth quarter of 2015, the FBI CJIS division updated the CJIS Security Policy, and several sections deal specifically with this important topic, BYOD.
CSI feels it is worth pointing out a few of the key references, requirements, and warnings regarding staff bringing their own devices to the agency. Of course, as it is the authoritative source, please do refer to the complete document for all the details (find it at https://www.fbi.gov/about-us/cjis/
Many law enforcement agencies
On one hand, the value, in terms of communications and convenience, is obvious. For the past several versions of the policy, CJIS has recognized the availability of, and thus the growing need for addressing, mobile devices. But, as their policy points out, there are challenges in using these devices for accessing CJI (Criminal Justice Information), and especially so if they are personally owned. The policy states: “If personally owned devices are utilized within the environment (BYOD scenario), specialized and costly access control methods may be required to reach compliance with CJIS Security Policy.”
So, they go on to say: “BYOD environments pose significant challenges to the management of secure device configurations. In many cases it may be impossible to apply effective security that is acceptable to the device owner or it may require extremely costly compensating controls to allow access to CJI on personally owned devices.
While allowed by the CJIS Security Policy, agencies are advised to conduct a detailed cost analysis of the ancillary costs of compliance with
” MDM and EMM systems and applications, coupled with a device-specific technical policy, can provide a robust method for device configuration management, if properly implemented. MDM capabilities include the application of mandatory policy settings on the device, detection of unauthorized configurations or software/applications, detection of rooting/
"A written and approved policy for your agency’s use of mobile devices is the cornerstone for compliance,” advises Rein. “And it is essential to distinguish whether you are implementing, or even allowing, personally owned devices or agency-issues ones." He recommends the following essential considerations for your agency if considering a BYOD environment:
● Solid understanding of Advanced Authentication
● Understanding when Compensating Controls are applicable
● Loss of Device (how to address & plan for)
● Remote Data Erasure
● Protecting against “Rooting” or “Jailbreaking”
● Use of Mobile Device Management (MDM)
● Use of Enterprise Mobility Management (EMM)
CSI serves a wide range of agencies that use, consume, store, and share CJI. These agencies also employ a variety of operational and technological policies and procedures that relate to their use of technology and communications. We encourage all of our customers to familiarize themselves with and understand this important FBI CJIS policy and the need for proper conformance.