Cost-Effective Compliance -- Security Today

Cost-Effective Compliance

Full CJIS compliance to be enforced by 2013

By Chris Jensen
Aug 01, 2012

The FBI established the Criminal Justice Information Services (CJIS) division in 1992, and it is now the bureau’s largest division. CJIS provides state, local and federal law enforcement and criminal justice agencies with access to all sorts of centralized information for investigations. Secure records of fingerprint identification, criminal histories and sex offender registrations are just some of the records stored at CJIS. Because this data is so critical for law enforcement, there are mandated enhanced security measures that tightly control access.

As of September 2010, these measures require any organization needing access to CJIS data to have unique IDs and strong passwords in place. Additionally, these organizations must be in full compliance with the rest of CJIS Advanced Authentication requirements by 2013.

There aren’t any shortcuts, but there are fast and cost-effective ways to achieve full CJIS compliance through advanced authentication strategies.

Simply put, advanced authentication means that organizations need security technology that’s more than a simple username and password. Any two-factor authentication solution will do, whether it’s a smartcard, biometrics, a USB token, a soft token or a cellphone-based authentication method. When law enforcement accesses information from a police vehicle or when an agency employee is connecting remotely through a virtual private network, they need a “what-you-have and what-you-know” way to securely connect to the system remotely. Without CJIS compliance, law enforcement agencies could lose access to CJIS systems, thereby losing an effective crime-fighting tool.

For the public sector, protecting access to sensitive data is imperative and also a requirement under the CJIS Advanced Authentication compliance. Two-factor authentication is a key element in a layered approach commonly deployed to mitigate risk and protect against fraud.

KBA

Knowledge-based authentication (KBA) comes in two varieties— lexical or graphical knowledge. Lexical knowledge employs passwords, PINs or answers to a challenge question; graphical knowledge uses a picture or pattern recognition for access. These solutions are very cost-efficient but are also low-assurance, weaker methods of authentication.

With KBA, the responsibility is on public employees to maintain strong passwords, remember answers to questions they made up weeks or months before or recognize patterns in what could be critical situations. Oftentimes, employees write down their password on a note and keep it under their keyboard. This defeats the purpose of this type of security. Frequent calls to the help desk regarding forgotten strong passwords also add to the cost of this “low-cost” solution.

Tokens

Tokens come in a variety of forms that range from high assurance to medium assurance, and their cost can vary just as dramatically. Tokens provide excellent end-point independence but also can be costly and offer a poor user experience because users have to carry another piece of hardware for system access. High-assurance tokens such as X.509 tokens are available, but they may require a middleware reader. High-assurance tokens can be the right solution if the user base adopts them and if the highest assurance is more important than the cost of provisioning, installation and maintenance.

Biometrics

Biometric two-factor authentication typically includes fingerprints, vein structure, facial recognition or retinal scan. There are even behavioral biometrics that use voice and typing rhythm recognition. True biometric authentication can be high assurance but comes with a price tag to match. Behavioral biometrics are promising but are still in the more experimental phase, and industry analysts warn that they are not yet proven. They offer medium to high assurance but need specialized capture devices to work correctly.

Phone-based Authentication

Phone-based authentication is an emerging technology that is fast becoming a favorite option for banks, enterprises and globally distributed online services. A number of vendors offering phone-based authentication solutions have emerged in the past few years.

These solutions provide medium- to high-assurance authentication and are low-cost options because users are already provisioned with a phone. Instead of carrying a token, users receive onetime PIN codes to their phone via SMS or voice call. Typically, the only cost associated with phone-based authentication is a per-transaction fee or a per-user fee to cover the cost of placing the call.

For those who lose their phone, many of these authentication schemes can centrally manage the device to find it or easily replace their authentication credentials for a new phone.

Choosing the Right Solution

For fast and cost-effective CJIS compliance, organizations need five things:

a good authentication solution;
risk-appropriate strength;
low total cost of ownership;
good user experience; and
end-point independence. When choosing the type of authentication, remember:
All solutions are not created equal. What two-factor authentication solution is the right one for your workforce?
Which solution is best used in the field, and what implementation challenges exist?
What might change on your network in the next few years, and can your authentication solution scale for security, ease of use and functionality as your company grows?

Balance of Security and Ease of Use

As more employees in your organization interact with CJIS data, the importance of choosing an efficient authentication solution increases. Phone authentication lets users take advantage of a technology that is already part of their everyday life: the cellphone.

With no extra devices to carry, phone authentication is quick and seamless. Consider the effort it takes to install and maintain a token-based solution. Phone authentication can often help organizations keep costs low and security compliance high because it is easy to deploy and maintain.

This article originally appeared in the August 2012 issue of Security Today.

Featured

Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now
- Cybersecurity
ASIS International Introduces New ANSI-Approved Investigations Standard
- Guard Services
Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now
- Cybersecurity
Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now
- Cybersecurity
AI Is Now the Leading Cybersecurity Concern for Security, IT Leaders

Arctic Wolf recently published findings from its State of Cybersecurity: 2025 Trends Report, offering insights from a global survey of more than 1,200 senior IT and cybersecurity decision-makers across 15 countries. Conducted by Sapio Research, the report captures the realities, risks, and readiness strategies shaping the modern security landscape. Read Now
- Cybersecurity

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.
Connect ONE®

Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.
FEP GameChanger

Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.