How Does Cloud-Based File Sharing Fit CJIS Compliant Security?

Maintaining CJIS (Criminal Justice Information Services) compliance might seem like a heavy burden for some law enforcement organizations. But with the right tools in place – like  cloud-based file sharing – you can turn your attention from compliance back to your job.

While you may have some concerns about security related to the “cloud” aspect of cloud-based file sharing, there are a select few file sharing hosts that understand CJIS compliance requirements and design their solutions with those standards in mind. In this article, we’ll look at six different CJIS security policy areas and how they coincide with features offered by cloud-based secure file sharing solutions.

Policy Area 4 - Auditing and Accountability

Per CJIS security policy, agencies are required to preserve data logs showing who accessed files and when they were accessed. These logs, while being primarily useful in the event of an audit, are also beneficial if you ever need to track the source of a data breach.

With a top cloud file sharing solution, you have access to these logs going back to the minute you adopted the solution. When you partner with FTP Today, for example, your logs are organized by calendar month and date back to the beginning of your partnership. You have access to detailed information like logins, failed logins, user navigation, session timeouts, and of course files transferred.

These content retention capabilities are more than just best practice. They are required by CJIS security policy. That makes it essential that you find a way to track user activity, and adopting a cloud file sharing solution makes the process much easier.

Policy Area 5 - Access Control

Controlling who can access your data is mandated by CJIS security policy area 5. Access controls take a number of different forms, from controlling IP address access and country access to granular controls limiting the actions users can take when it comes to using files.

Let’s look at IP address and country access controls first. With FTP Today, you have the power to limit access based on the IP address of the device from which a user is trying to access your solution. This means only approved users on approved devices can access your data.

Country access control has a similar benefit. For organizations that don’t operate outside the United States, there would be no reason for someone from another country to access their file sharing solution, unless they have sinister motives. In that case, it’s best to stop international hackers in their tracks and block access by country. This covers a broad spectrum of potential hackers, and keeps you in alignment with CJIS policy.

Beyond access attempts from outside users, you also need to control how your internal users access files. Let’s look at the granular access controls FTP Today offers to your solution administrators restricting how individuals work with data. This cloud-based file sharing solution grants administrators the ability to restrict on a per folder basis who can upload, download, and delete files, in addition to viewing a directory listing. This protects your files on a whole new level, preventing those without these permissions to alter important data.

Policy Area 6 - Identification and Authentication

It’s always important that you’re sure the users logging into your cloud file sharing solution are really who they say they are. That’s why CJIS security policy area 6 covers identification and authentication.

Imagine if a detective is out in the field and loses their phone. While it’s a mistake that happens to a lot of people, not everyone has materials on their phone that could be valuable to a data thief. With CJIS-compliant authentication methods, you can be sure that even if a device falls into the wrong hands, the data will still be protected.

So, what authentication measures do you need to include in your CJIS policy to stay compliant? Multi-factor authentication is a good place to start. This verifies a user’s identify with the traditional method – username and password – but also sends a one-time code via email, text message or TOTP app. This means if someone other than yourself tries to log into your cloud file sharing solution account, they would need your login credentials and access to your mobile device or email account. It can also alert you if an intruder is trying to gain access, because you’ll receive a message with a one-time code that you didn’t request.

Another measure you need to adopt is verifying users with multiple authentication methods. Not to be confused with multi-factor authentication, multiple authentication methods uses your login credentials (username) in conjunction with another authentication method like a specific SSH key. And, on top of the added security, administrators can apply authentication requirements on an individual user basis, allowing them to use a password, an SSH key, or both.

Policy Area 7 - Configuration Management

While security measures might be top-of-mind when it comes to compliance, you also need to restrict who can configure your data management solution. This means you must determine who can upgrade systems or make modifications to your solution. As part of your CJIS security policy, you can outline who has the controls, but you also need systems in place to enforce your restrictions.

With FTP Today, you can rely on role-based access controls to help you again. Only those with a role of site administrator or team manager are authorized to configure your solution or create other user accounts.

Policy Area 10 - System and Communications Protection and Information Integrity

Maintaining the integrity of your data, even when you’re using a cloud-based file sharing solution doesn’t have to be a burden. Encryption is the best way to keep data protected, both in transit and at rest. When you share files in non-secure ways, like via email for example, it’s easy for a hacker to intercept the data while it’s in transit. Data is also at risk when you store data in a non-secure server, like Dropbox or Google Drive.

FTP Today has a file protection option that’s a good match for organizations that want to be CJIS compliant. It’s available in FIPS 140-2-certified and compliant configurations. FIPS 140-2 is a government security standard that set the bar for data protection, making it ideal for law enforcement agencies.

Policy Area 13 - Mobile Devices

Finally, let’s look at one of the newest updates to the CJIS security policy – mobile device regulations. BYOD (bring your own device) workplace policies are becoming more and more common in the era of smartphones and tablets. With a top cloud-based file sharing solution, you can ensure that only approved mobile devices can be used to log into accounts.

Another essential mobile device-related protection is remote data wipe capabilities. If a device with access to sensitive information is lost, you need to be able to immediately remove all data from the device. Using a cloud-file sharing solution, you can lock the account to make sure no one can gain access.

Mobile devices, through a liability, do come with major benefits for law enforcement agencies. Instead of being tied to a desk looking at sensitive materials, you can now view them in the field. Just be sure you choose a cloud file sharing solution that has protections for data accessed on mobile devices.

Adopting a cloud-based file sharing solution can help you align with each CJIS security policy. But it’s essential that you choose the right file sharing solution for your needs. Not every option will have the CJIS compliance capabilities to keep you in alignment with regulations, so consider your options carefully before you decide.

Want to learn more about secure file sharing and how it can help you stay compliant with each CJIS security policy? Explore these commonly asked questions about secure FTP solutions.