Cost-Effective Compliance

Full CJIS compliance to be enforced by 2013

  • By Chris Jensen
  • Aug 01, 2012

The FBI established the Criminal Justice Information Services (CJIS) division in 1992, and it is now the bureau’s largest division. CJIS provides state, local and federal law enforcement and criminal justice agencies with access to all sorts of centralized information for investigations. Secure records of fingerprint identification, criminal histories and sex offender registrations are just some of the records stored at CJIS. Because this data is so critical for law enforcement, there are mandated enhanced security measures that tightly control access.

As of September 2010, these measures require any organization needing access to CJIS data to have unique IDs and strong passwords in place. Additionally, these organizations must be in full compliance with the rest of CJIS Advanced Authentication requirements by 2013.

There aren’t any shortcuts, but there are fast and cost-effective ways to achieve full CJIS compliance through advanced authentication strategies.

Simply put, advanced authentication means that organizations need security technology that’s more than a simple username and password. Any two-factor authentication solution will do, whether it’s a smartcard, biometrics, a USB token, a soft token or a cellphone-based authentication method. When law enforcement accesses information from a police vehicle or when an agency employee is connecting remotely through a virtual private network, they need a “what-you-have and what-you-know” way to securely connect to the system remotely. Without CJIS compliance, law enforcement agencies could lose access to CJIS systems, thereby losing an effective crime-fighting tool.

For the public sector, protecting access to sensitive data is imperative and also a requirement under the CJIS Advanced Authentication compliance. Two-factor authentication is a key element in a layered approach commonly deployed to mitigate risk and protect against fraud.

KBA

Knowledge-based authentication (KBA) comes in two varieties— lexical or graphical knowledge. Lexical knowledge employs passwords, PINs or answers to a challenge question; graphical knowledge uses a picture or pattern recognition for access. These solutions are very cost-efficient but are also low-assurance, weaker methods of authentication.

With KBA, the responsibility is on public employees to maintain strong passwords, remember answers to questions they made up weeks or months before or recognize patterns in what could be critical situations. Oftentimes, employees write down their password on a note and keep it under their keyboard. This defeats the purpose of this type of security. Frequent calls to the help desk regarding forgotten strong passwords also add to the cost of this “low-cost” solution.

Tokens

Tokens come in a variety of forms that range from high assurance to medium assurance, and their cost can vary just as dramatically. Tokens provide excellent end-point independence but also can be costly and offer a poor user experience because users have to carry another piece of hardware for system access. High-assurance tokens such as X.509 tokens are available, but they may require a middleware reader. High-assurance tokens can be the right solution if the user base adopts them and if the highest assurance is more important than the cost of provisioning, installation and maintenance.

Biometrics

Biometric two-factor authentication typically includes fingerprints, vein structure, facial recognition or retinal scan. There are even behavioral biometrics that use voice and typing rhythm recognition. True biometric authentication can be high assurance but comes with a price tag to match. Behavioral biometrics are promising but are still in the more experimental phase, and industry analysts warn that they are not yet proven. They offer medium to high assurance but need specialized capture devices to work correctly.

Phone-based Authentication

Phone-based authentication is an emerging technology that is fast becoming a favorite option for banks, enterprises and globally distributed online services. A number of vendors offering phone-based authentication solutions have emerged in the past few years.

These solutions provide medium- to high-assurance authentication and are low-cost options because users are already provisioned with a phone. Instead of carrying a token, users receive onetime PIN codes to their phone via SMS or voice call. Typically, the only cost associated with phone-based authentication is a per-transaction fee or a per-user fee to cover the cost of placing the call.

For those who lose their phone, many of these authentication schemes can centrally manage the device to find it or easily replace their authentication credentials for a new phone.

Choosing the Right Solution

For fast and cost-effective CJIS compliance, organizations need five things:

  • a good authentication solution;
  • risk-appropriate strength;
  • low total cost of ownership;
  • good user experience; and
  • end-point independence. When choosing the type of authentication, remember:
  • All solutions are not created equal. What two-factor authentication solution is the right one for your workforce?
  • Which solution is best used in the field, and what implementation challenges exist?
  • What might change on your network in the next few years, and can your authentication solution scale for security, ease of use and functionality as your company grows?

Balance of Security and Ease of Use

As more employees in your organization interact with CJIS data, the importance of choosing an efficient authentication solution increases. Phone authentication lets users take advantage of a technology that is already part of their everyday life: the cellphone.

With no extra devices to carry, phone authentication is quick and seamless. Consider the effort it takes to install and maintain a token-based solution. Phone authentication can often help organizations keep costs low and security compliance high because it is easy to deploy and maintain.

This article originally appeared in the August 2012 issue of Security Today.

Featured

  • The Future of Access Control: Cloud-Based Solutions for Safer Workplaces

    Access controls have revolutionized the way we protect our people, assets and operations. Gone are the days of cumbersome keychains and the security liabilities they introduced, but it’s a mistake to think that their evolution has reached its peak. Read Now

  • A Look at AI

    Large language models (LLMs) have taken the world by storm. Within months of OpenAI launching its AI chatbot, ChatGPT, it amassed more than 100 million users, making it the fastest-growing consumer application in history. Read Now

  • First, Do No Harm: Responsibly Applying Artificial Intelligence

    It was 2022 when early LLMs (Large Language Models) brought the term “AI” into mainstream public consciousness and since then, we’ve seen security corporations and integrators attempt to develop their solutions and sales pitches around the biggest tech boom of the 21st century. However, not all “artificial intelligence” is equally suitable for security applications, and it’s essential for end users to remain vigilant in understanding how their solutions are utilizing AI. Read Now

  • Improve Incident Response With Intelligent Cloud Video Surveillance

    Video surveillance is a vital part of business security, helping institutions protect against everyday threats for increased employee, customer, and student safety. However, many outdated surveillance solutions lack the ability to offer immediate insights into critical incidents. This slows down investigations and limits how effectively teams can respond to situations, creating greater risks for the organization. Read Now

  • Security Today Announces 2025 CyberSecured Award Winners

    Security Today is pleased to announce the 2025 CyberSecured Awards winners. Sixteen companies are being recognized this year for their network products and other cybersecurity initiatives that secure our world today. Read Now

Most   Popular

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”