How Cerium works with Law Enforcement Agencies to Protect Criminal Justice Information
The FBI’s Criminal Justice Information Services Division (CJIS) Security Policy is a set of standards for organizations that access criminal justice information (CJI). The CJIS Security Policy was developed to ensure appropriate controls are in place to protect the full lifecycle of CJI, whether at rest or in transit. As a managed service provider (MSP), Cerium Networks understands the security precautions that must be taken to protect CJI and comply with the CJIS Security Policy.
Security and Compliance are Shared Responsibilities
While Cerium Networks does not process, store, or transport client data, we believe that security and compliance are shared responsibilities between Cerium and our clients. Shared responsibility means that our clients remain responsible for managing their client-side environment(s) and their data, including but not limited to:
- User identity and access management
- Access control for Cerium Managed Services solutions
- Security management and control of hardware, software, applications, and device rights
- Digital and physical security for data both in transit and at rest.
ISO 27001 Attestation
Cerium has adopted the ISO 27001:2013 Information Security Management System (ISMS) and is working towards formal attestation by an independent auditor. We continuously evaluate our security processes, procedures, and methodologies and we remediate gaps promptly if/when they are identified. ISO 27001 Attestation represents the highest form of independent assurance available with respect to internal control, data protection, and regulatory compliance (i.e., CJIS, HIPAA, and PCI).
Security Policies, Protocols, and Best Practices
Cerium security policies, protocols, and best practices for accessing client systems include:
- An agreed-upon limit of unsuccessful login attempts
- Event logging of various login activities, including password changes
- Monthly audit reviews
- Active account management moderation
- Session lock after 30 minutes of inactivity
- Access restrictions based on physical location, job assignment, time of day, and network address
Information Exchange Agreements
Cerium is committed to maintaining world-class security and compliance programs in support of our clients’ needs. Cerium will sign and adhere to Information Exchange Agreements that contain clear specifications of all client services and systems we will have access to. They also detail the extent of our interaction and the relevant security policies and procedures in place between Cerium and the client to ensure appropriate safeguards. Our agreements include audit, dissemination, quality assurance (QA), security, and validation provisions, among others.
Cerium personnel, including employees and contractors, are subject to security screenings and national fingerprint-based background checks. Cerium maintains thorough records of the results of those tests.
All Cerium personnel working for Cerium Networks Philippines are subject to extensive employment checks through the Philippine National Bureau of Investigation (the Philippine equivalent of the FBI). These screenings include a comprehensive National Criminal Record fingerprint search.
Security Awareness Training
Cerium employees (US and Philippines) are required to undertake security training within the first six months of joining Cerium and are required to complete refreshers every year. We maintain records on all individual security awareness training and specific information system security training.
Remote Monitoring and Management
Cerium remote monitoring applications and services align with CJIS requirements:
- Auditing and Accountability: Cerium’s remote management and monitoring tools provide the ability to generate audit records of client systems for defined events, incidents, and requests.
- Incident Response: Cerium remote monitoring solutions can detect and contain data breaches. Cerium has data recovery measures in place and all data breaches are reported to the appropriate authorities. It is important to note that Cerium Networks clients must also have their own incident response policies and procedures in place.
- Access Control: Cerium employs multiple mechanisms for managing logins for remote access to client systems, including access restriction based on physical location, job assignment, time of day, and network address, as well as session lock after a period of inactivity.
- Authentication: Access to Cerium remote monitoring applications supports CJIS login credential standards, meets password requirements, and uses advanced authentication methods as previously discussed.
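The access controls listed under Security Policies, Protocols, and Best Practices and again under Access Control above (a limit on unsuccessful login attempts, event logging of login activity and password changes, session lock after 30 minutes of inactivity, and restrictions by time of day and network address) are policy statements; the following is an added example, not Cerium's own code, of how such a policy can be enforced and audited in software. The attempt limit, permitted hours, address allowlist, and the replayed events are constructed values; only the 30-minute session lock comes from the page.

```python
"""Access-policy evaluator for remote-access sessions (illustrative example).

Enforces four controls and writes an audit record for each decision:
  * lockout after an agreed number of failed logins   (limit assumed: 5)
  * session lock after 30 minutes of inactivity        (from the page)
  * access only during a permitted time-of-day window  (window assumed)
  * access only from approved network addresses        (allowlist constructed)
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                          # assumed agreed-upon limit
SESSION_LOCK_AFTER = timedelta(minutes=30)       # 30 minutes, as stated on the page
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16")]  # constructed allowlist
WORK_HOURS = (8, 18)                             # assumed window: 08:00 to 18:00


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None
    audit_log: list = field(default_factory=list)


def log_event(state, when, event, **details):
    """Append one audit record; every allow/deny decision is recorded."""
    state.audit_log.append({"time": when.isoformat(), "event": event, **details})


def check_access(state, when, source_ip):
    """Policy gate evaluated before credentials are considered. Returns (allowed, reason)."""
    if state.locked:
        return False, "account locked"
    if not any(ip_address(source_ip) in net for net in ALLOWED_NETWORKS):
        return False, "source address not permitted"
    if not (WORK_HOURS[0] <= when.hour < WORK_HOURS[1]):
        return False, "outside permitted hours"
    return True, "ok"


def record_login(state, when, source_ip, success):
    """Apply the policy gate, then count failures toward lockout."""
    allowed, reason = check_access(state, when, source_ip)
    if not allowed:
        # Denied by policy: logged, but not counted as a credential failure.
        log_event(state, when, "login_denied", ip=source_ip, reason=reason)
        return False, reason
    if success:
        state.failed_attempts = 0
        state.last_activity = when
        log_event(state, when, "login_success", ip=source_ip)
        return True, "ok"
    state.failed_attempts += 1
    log_event(state, when, "login_failure", ip=source_ip, count=state.failed_attempts)
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked = True
        log_event(state, when, "account_locked", ip=source_ip)
        return False, "account locked"
    return False, "bad credentials"


def session_active(state, now):
    """True while the session has seen activity within the lock window; locks it otherwise."""
    if state.last_activity is None:
        return False
    idle = now - state.last_activity
    if idle >= SESSION_LOCK_AFTER:
        log_event(state, now, "session_locked", idle_minutes=int(idle.total_seconds() // 60))
        state.last_activity = None
        return False
    return True


def record_password_change(state, when, source_ip):
    """Password changes are among the login activities the page says are logged."""
    log_event(state, when, "password_changed", ip=source_ip)


def run_demo():
    """Replay constructed events; returns the state and each decision for inspection."""
    state = AccountState()
    t0 = datetime(2024, 3, 4, 9, 0)  # constructed timestamp, inside work hours
    results = [
        record_login(state, t0, "203.0.113.9", True),                 # outside allowlist
        record_login(state, t0.replace(hour=22), "10.20.5.7", True),  # after hours
        record_login(state, t0, "10.20.5.7", True),                   # permitted login
    ]
    active_early = session_active(state, t0 + timedelta(minutes=29))  # still active
    active_late = session_active(state, t0 + timedelta(minutes=30))   # locked
    for i in range(MAX_FAILED_ATTEMPTS):                              # five bad passwords
        results.append(record_login(state, t0 + timedelta(minutes=31 + i), "10.20.5.7", False))
    results.append(record_login(state, t0 + timedelta(minutes=40), "10.20.5.7", True))  # now locked
    return state, results, active_early, active_late


if __name__ == "__main__":
    final_state, decisions, _, _ = run_demo()
    for entry in final_state.audit_log:
        print(entry)
```

The gate order matters: policy checks (lockout state, network, hours) run before the password is even considered, so a denied attempt from a disallowed address is logged but does not consume the failure budget, and a locked account stays locked regardless of whether the credential presented is correct. The audit log produced here is the raw material for the monthly audit reviews the page mentions.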
At Cerium Networks, we take our data security and compliance responsibilities seriously. We continuously work to enhance and refine our security and compliance programs to keep pace with constantly evolving requirements. This document provides a high-level summary of how Cerium Networks Managed Services works with our clients to address CJIS compliance concerns; contact a Cerium Networks expert to learn more.
Disclaimer: This blog post is provided for informational purposes only, and it is provided “as is,” without warranties of any kind, whether express or implied. In addition, this blog post does not create any representations, contractual commitments, conditions or assurances from Cerium Networks or any of its related entities. Cerium Networks’ Managed Services responsibilities to its clients are set forth in the contract(s) it has signed with those clients, and this blog post is not a part of and does not modify any such contract. The post reflects our current CJIS compliance practices, which may be updated from time to time.