Understanding CJIS Compliance – Security Awareness Training
In the previous blog on information exchange agreements, we explored the various cases in which agencies need to sign agreements regarding the exchange of Criminal Justice Information (CJI). In this blog, we focus on the security awareness training required for personnel who access CJI.

Basic security awareness training must be given to everyone who has access to CJI. It must be completed within six months of a person's initial assignment and repeated at least once every two years thereafter. A CJIS Systems Officer (CSO), State Identification Bureau (SIB) Chief or Compact Officer may accept documentation of completed security awareness training from another agency. Accepting such documentation means that the accepting agency assumes the risk that the training may not meet all the requirements of the applicable federal, state or local laws.
Awareness Topics
An awareness campaign or session can cover many topics. To facilitate the development and implementation of individual agency security awareness programs, the guidelines below will be useful.
All Personnel
At a minimum, the topics listed below must be addressed in the basic security awareness program for all authorized personnel who have access to Criminal Justice Information.
1. General rules, responsibilities and required behavior with respect to the use of CJI
2. Whom to contact in case of an incident, and the actions that need to be taken
3. Protection of media
4. Implications of non-compliance with rules and regulations
5. Protection of information subject to confidentiality concerns
6. Physical access to spaces and visitor control, including the applicable security policies and the reporting required in case of unauthorized access
7. Social engineering
8. Threats, vulnerabilities and risks associated with handling CJI
9. Proper marking and handling of CJI
10. Dissemination and destruction of information
Personnel with logical and physical access
In addition to the basic topics above, personnel with both physical and logical access to CJI must understand and follow the guidelines below.
1. General rules outlining responsibilities and expected behavior with respect to the use of information systems
2. Creation, use and management of passwords
3. Web usage: monitoring of user activity and prohibited sites
4. Spam
5. Handling of unknown attachments and e-mails
6. Physical security: risks to systems and data
7. Protection against Trojans, viruses and other malicious code and malware
8. Use of encryption when transferring sensitive information over the Internet
9. Access control issues
10. Physical and information security with respect to laptops and their use
11. Issues associated with handheld devices and desktops
12. Individual accountability, including an explanation of what it means to the agency
13. Whether personally owned equipment is allowed by the agency or the state
14. Information security and the handling of confidential items: their use, backup, archiving and destruction once they are no longer needed
Personnel with Information Technology Roles
Personnel with information technology roles must additionally cover the topics below.
1. Measures taken to protect the network infrastructure
2. Access control measures
3. Backup and storage of data, including whether the approach is centralized or decentralized
4. Protection of systems and information from Trojans, worms and viruses, including scanning and updating of virus definitions
5. Application and system patching as part of configuration management
Security Training Records
Records of each individual's security awareness training, and of any specific information system security training, must be documented. These records are maintained by the CSO, SIB Chief or Compact Officer, who may delegate their maintenance to local agencies.
In the next blog, we will discuss the next policy area which is Incident Response.
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin,
Texas. Our solutions combine products from the leading Cloud providers and are carefully
crafted to meet your requirements. As a trusted advisor, we help you choose the right solution, implement it and maintain it, with our decade-old expertise as a Cloud Services provider.
If you are new to the cloud and not sure how to get started, contact us for a complimentary initial
assessment at solutions@doublehorn.com or (855) 618-6423.