Cost-Effective Compliance

Full CJIS compliance to be enforced by 2013

The FBI established the Criminal Justice Information Services (CJIS) division in 1992, and it is now the bureau’s largest division. CJIS provides state, local and federal law enforcement and criminal justice agencies with access to all sorts of centralized information for investigations. Secure records of fingerprint identification, criminal histories and sex offender registrations are just some of the records stored at CJIS. Because this data is so critical for law enforcement, there are mandated enhanced security measures that tightly control access.

As of September 2010, these measures require any organization needing access to CJIS data to have unique IDs and strong passwords in place. Additionally, these organizations must be in full compliance with the rest of CJIS Advanced Authentication requirements by 2013.

There aren’t any shortcuts, but there are fast and cost-effective ways to achieve full CJIS compliance through advanced authentication strategies.

Simply put, advanced authentication means that organizations need security technology that’s more than a simple username and password. Any two-factor authentication solution will do, whether it’s a smartcard, biometrics, a USB token, a soft token or a cellphone-based authentication method. When law enforcement accesses information from a police vehicle or when an agency employee is connecting remotely through a virtual private network, they need a “what-you-have and what-you-know” way to securely connect to the system remotely. Without CJIS compliance, law enforcement agencies could lose access to CJIS systems, thereby losing an effective crime-fighting tool.

For the public sector, protecting access to sensitive data is imperative and also a requirement under the CJIS Advanced Authentication compliance. Two-factor authentication is a key element in a layered approach commonly deployed to mitigate risk and protect against fraud.

KBA

Knowledge-based authentication (KBA) comes in two varieties— lexical or graphical knowledge. Lexical knowledge employs passwords, PINs or answers to a challenge question; graphical knowledge uses a picture or pattern recognition for access. These solutions are very cost-efficient but are also low-assurance, weaker methods of authentication.

With KBA, the responsibility is on public employees to maintain strong passwords, remember answers to questions they made up weeks or months before or recognize patterns in what could be critical situations. Oftentimes, employees write down their password on a note and keep it under their keyboard. This defeats the purpose of this type of security. Frequent calls to the help desk regarding forgotten strong passwords also add to the cost of this “low-cost” solution.

Tokens

Tokens come in a variety of forms that range from high assurance to medium assurance, and their cost can vary just as dramatically. Tokens provide excellent end-point independence but also can be costly and offer a poor user experience because users have to carry another piece of hardware for system access. High-assurance tokens such as X.509 tokens are available, but they may require a middleware reader. High-assurance tokens can be the right solution if the user base adopts them and if the highest assurance is more important than the cost of provisioning, installation and maintenance.

Biometrics

Biometric two-factor authentication typically includes fingerprints, vein structure, facial recognition or retinal scan. There are even behavioral biometrics that use voice and typing rhythm recognition. True biometric authentication can be high assurance but comes with a price tag to match. Behavioral biometrics are promising but are still in the more experimental phase, and industry analysts warn that they are not yet proven. They offer medium to high assurance but need specialized capture devices to work correctly.

Phone-based Authentication

Phone-based authentication is an emerging technology that is fast becoming a favorite option for banks, enterprises and globally distributed online services. A number of vendors offering phone-based authentication solutions have emerged in the past few years.

These solutions provide medium- to high-assurance authentication and are low-cost options because users are already provisioned with a phone. Instead of carrying a token, users receive onetime PIN codes to their phone via SMS or voice call. Typically, the only cost associated with phone-based authentication is a per-transaction fee or a per-user fee to cover the cost of placing the call.

For those who lose their phone, many of these authentication schemes can centrally manage the device to find it or easily replace their authentication credentials for a new phone.

Choosing the Right Solution

For fast and cost-effective CJIS compliance, organizations need five things:

  • a good authentication solution;
  • risk-appropriate strength;
  • low total cost of ownership;
  • good user experience; and
  • end-point independence. When choosing the type of authentication, remember:
  • All solutions are not created equal. What two-factor authentication solution is the right one for your workforce?
  • Which solution is best used in the field, and what implementation challenges exist?
  • What might change on your network in the next few years, and can your authentication solution scale for security, ease of use and functionality as your company grows?

Balance of Security and Ease of Use

As more employees in your organization interact with CJIS data, the importance of choosing an efficient authentication solution increases. Phone authentication lets users take advantage of a technology that is already part of their everyday life: the cellphone.

With no extra devices to carry, phone authentication is quick and seamless. Consider the effort it takes to install and maintain a token-based solution. Phone authentication can often help organizations keep costs low and security compliance high because it is easy to deploy and maintain.

This article originally appeared in the August 2012 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3