Introduction 

VIDIZMO is a digital evidence management platform responsible for securing sensitive information and upholding stringent security protocols. To meet this responsibility, VIDIZMO aligns its operations with the Criminal Justice Information Services (CJIS) Security Policy, a comprehensive set of mandatory guidelines established by the FBI to safeguard Criminal Justice Information (CJI). 

The CJIS Security Policy serves as a framework to prevent unauthorized access, modification, or disclosure of CJI. Agencies handling CJI data must adhere to these policies to guarantee the integrity and confidentiality of the information.  

This article explains how VIDIZMO's features map to the controls of the CJIS Security Policy (the policy and its supporting documents are published on the FBI's CJIS Security Policy Resource Center), so that agencies can adopt video technology without weakening the protections CJI requires. One point worth keeping in mind while reading: the FBI does not certify vendors or products as "CJIS compliant"; an agency establishes compliance through its own assessment, the CJIS Security Addendum signed by the vendor, and audits by its state CJIS Systems Agency. The mappings below are intended to support that assessment.

CJIS Security Policy Overview 

The Criminal Justice Information Services (CJIS) Division within the US Federal Bureau of Investigation (FBI) provides access to criminal justice information (CJI) for state, local, and federal law enforcement and criminal justice agencies. This includes sensitive data like criminal histories. To ensure the secure transmission, storage, and processing of CJI, law enforcement and government agencies in the United States must comply with the CJIS Security Policy. 

The CJIS Security Policy, mandated by the FBI, outlines the minimum security requirements and controls to protect CJI at every stage of its lifecycle. For agencies using cloud services, it is imperative to ensure that their chosen cloud service provider adheres to these CJIS Security Policy requirements. This ensures the robust security of Criminal Justice Information, maintaining the integrity and confidentiality of sensitive data. 

The CJIS Security Policy is organized into 13 policy areas that private contractors, including cloud service providers, must assess to show that their use of cloud services meets CJIS requirements. These areas correspond closely to the control families of NIST SP 800-53, which is also the control baseline for the Federal Risk and Authorization Management Program (FedRAMP). Microsoft's Government Cloud offerings hold FedRAMP authorizations, and VIDIZMO, when deployed on Azure, inherits Microsoft Azure's CJIS-aligned infrastructure controls. Inheritance has a limit, however: the provider's authorization covers the physical facilities, hypervisor, network and storage layers, while application-layer controls (account management, access enforcement within the platform, audit logging of user actions, retention and disposal of evidence) remain the responsibility of VIDIZMO and, for configuration choices, of the agency. Agencies should treat the shared-responsibility boundary as part of their assessment rather than assume every control is met by the cloud provider.

When VIDIZMO is deployed on AWS, the same model applies: VIDIZMO aligns with CJIS requirements by building on AWS's security services and practices for the infrastructure layer, with the application-layer controls described below implemented in the platform itself.

VIDIZMO and CJIS Security Policy 

The CJIS Security Policy outlines a set of mandatory controls for safeguarding CJI. These controls encompass various aspects of data security, including access control, encryption, audit logging, and incident response. 

1. Access Control 

Limiting Access to Authorized Personnel

  • Role-Based Access Control (RBAC): Assigns permissions based on user roles, so that only authorized individuals can reach the data relevant to their duties. This aligns with the NIST SP 800-53 Rev. 5 controls AC-2 (Account Management) and AC-3 (Access Enforcement), which the CJIS Security Policy incorporates.

  • Granular Permission Settings: Fine-tunes access further, controlling viewing, editing, sharing, and other actions for individual users or groups. 

  • Multi-Factor Authentication (MFA): Requires a second verification factor beyond the password before a session is granted. This supports the CJIS Security Policy's advanced authentication requirement, which corresponds to NIST SP 800-53 Rev. 5 IA-2 (Identification and Authentication). 

  • Least privilege: Users receive only the access their role requires, so that access to CJI is bounded by role and explicit permission rather than by default.


Strong Authentication Mechanisms

  • Secure Password Protocols: Enforces complexity and length requirements, and supports password aging and forced resets where an agency's policy requires them. Note that NIST SP 800-63B, which the CJIS Security Policy follows for authenticator management, recommends against arbitrary periodic password changes and instead favours screening passwords against known-compromised lists and forcing a change only on evidence of compromise; agencies should set the aging policy to match their own CJIS interpretation.

  • Single Sign-On (SSO Integration): Leverages existing organizational authentication systems for centralized control and improved user experience. 

 

Implementing Role-Based Access Controls: 

  • Predefined Roles: Offers pre-configured roles with specific permissions for common user types (e.g., investigators, evidence custodians). 

  • Customizable Roles: Allows customization of roles and permissions to match specific organizational needs and security protocols. 

  • Auditing and Reporting: Tracks user activity and access attempts, providing detailed records for accountability and compliance reporting. 

2. Encryption 

Data at rest within VIDIZMO is encrypted with AES-256, and data in transit is protected with TLS, so that CJI is not exposed in storage or on the network. This addresses NIST SP 800-53 Rev. 5 SC-28 (Protection of Information at Rest) and SC-8 (Transmission Confidentiality and Integrity). The CJIS Security Policy also requires that the cryptography come from FIPS 140-validated modules, so agencies should confirm that the deployment's storage encryption and TLS termination use validated modules rather than rely on the algorithm name alone. Microsoft Azure and Amazon Web Services (AWS) apply their own platform-level encryption to storage and network paths, adding a further layer beneath the application's encryption.

 

3. Auditing and Monitoring 

VIDIZMO maintains audit logs that record user activity on CJI, including access attempts, modifications, and data transfers. These records support forensic analysis, accountability, and audit requirements. Generating and populating the records addresses NIST SP 800-53 Rev. 5 AU-2 (Event Logging) and AU-3 (Content of Audit Records); protecting the stored records from unauthorized modification or deletion is what AU-9 (Protection of Audit Information) requires, and agencies should verify that log storage enforces it.

  • Audits Logs: VIDIZMO maintains comprehensive audit logs that capture critical events, including user actions, system modifications, and access attempts. 

  • Automatic Audit Log Reporting: VIDIZMO generates audit log reports, providing a detailed overview of system activities. 

  • Chain of Custody Tracking: VIDIZMO's digital evidence management system (DEMS) records who handled each item of evidence, when, and what was done, so that its authenticity can be demonstrated and its admissibility in court supported.
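The auditing bullets above hinge on one property: a custody record is only useful if it can be shown not to have been altered after the fact (AU-9). The following is an added illustration of the usual way to obtain that property, a hash-chained audit log with an HMAC over each record, and is not VIDIZMO's own code; the key, field names and sample events are constructed for the example.

```python
"""Tamper-evident audit log (added illustration, not VIDIZMO's implementation).

Each record carries the hash of the previous record and an HMAC over its own
content, so editing, reordering or deleting an interior record breaks the chain.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: the HMAC key is held by the verifier, outside the log store, so
# an attacker who can rewrite log rows cannot also recompute valid hashes.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_HASH = "0" * 64


def _record_digest(prev_hash: str, body: dict) -> str:
    """HMAC-SHA256 over the previous hash and a canonical encoding of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def append_event(log: List[dict], actor: str, action: str,
                 evidence_id: str, ts: Optional[str] = None) -> dict:
    """Append one custody event, chained to the current tail of the log."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_id": evidence_id,
        "prev_hash": prev_hash,
    }
    record = dict(body)
    record["hash"] = _record_digest(prev_hash, body)
    log.append(record)
    return record


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the log; return (True, None) or (False, index of first bad record)."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev_hash") != expected_prev:
            return False, i                     # reordered or deleted record
        if not hmac.compare_digest(_record_digest(expected_prev, body), rec["hash"]):
            return False, i                     # content edited after the fact
        expected_prev = rec["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed sample custody trail for one evidence item."""
    log: List[dict] = []
    append_event(log, "inv.smith", "view", "EV-1001", "2024-01-01T10:00:00+00:00")
    append_event(log, "cust.jones", "export", "EV-1001", "2024-01-01T10:05:00+00:00")
    append_event(log, "admin.lee", "delete", "EV-1001", "2024-01-02T09:00:00+00:00")
    return log


def tampered_actor() -> Tuple[bool, Optional[int]]:
    """An insider rewrites who performed the export; verification pinpoints seq 1."""
    log = build_sample_log()
    log[1]["actor"] = "someone.else"
    return verify_chain(log)


def deleted_middle() -> Tuple[bool, Optional[int]]:
    """Removing the export record entirely is caught at the gap it leaves."""
    log = build_sample_log()
    del log[1]
    return verify_chain(log)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))   # (True, None)
    print("edited:", tampered_actor())                   # (False, 1)
    print("deleted:", deleted_middle())                  # (False, 1)
```

One limitation is worth knowing when assessing a product's AU-9 story: a chain like this cannot detect truncation at the tail, because a log missing its last records still verifies. Practical deployments anchor the latest hash somewhere the log writer cannot change (a separate store, a periodic signed checkpoint, or the cloud provider's write-once log storage) and compare against that anchor during verification.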

4. Incident Response  

  • VIDIZMO maintains a defined incident response plan for identifying, containing, and remediating security incidents involving CJI, which limits the window in which data integrity or confidentiality can be affected. This addresses NIST SP 800-53 Rev. 5 IR-4 (Incident Handling) and IR-6 (Incident Reporting), the controls behind the CJIS Security Policy's incident response requirements.

  • VIDIZMO collaborates with Azure and AWS for incident response, relying on their robust procedures for infrastructure security, prompt notification of data breaches, and joint communication to ensure coordinated response and minimize incident impact. 

  • VIDIZMO reports security incidents promptly to its internal response team and notifies affected customers according to its established procedures, so that agencies can in turn meet their own reporting obligations to their CJIS Systems Agency. After containment, VIDIZMO performs a root-cause analysis to prevent recurrence and documents the lessons learned from each incident to improve its security posture.

5. Physical Security 

As a software-as-a-service (SaaS) platform, VIDIZMO operates within the secure facilities of its underlying infrastructure providers, Microsoft Azure and Amazon Web Services (AWS). These providers carry primary responsibility for physical security, with the remaining aspects shared with VIDIZMO.  

  • Azure and AWS operate secure data centers featuring multi-layered access controls, biometric authentication, and security patrols. Advanced environmental controls safeguard against physical threats like fire and flooding. Video surveillance and intrusion detection systems ensure real-time monitoring. Regular security audits and penetration testing are conducted to identify and address vulnerabilities, ensuring a high level of physical security in their state-of-the-art facilities.
  • Data Encryption: While Azure and AWS encrypt data at rest and in transit, VIDIZMO's encryption features within the platform provide an additional layer of security for your CJI data. 

  • User Authentication: VIDIZMO's role-based access control and strong authentication mechanisms further restrict access to data within the platform, even if physical access to the underlying infrastructure were compromised. 

 

6. Personnel Security

  • Conduct background checks for employees: VIDIZMO emphasizes the importance of conducting thorough background checks for all employees who have access to data. 

  • Provide security awareness training: VIDIZMO places a strong emphasis on continuous security awareness training for its personnel. Regular training sessions are conducted to educate personnel on the latest threats, phishing techniques, and the importance of maintaining a security-conscious mindset. 

 

7. Secure Disposal

CJIS Control 18 requires the secure disposal of sensitive data (the corresponding NIST SP 800-53 control is MP-6, Media Sanitization). VIDIZMO provides data destruction features and practices that support this requirement.

  • Scheduled Deletion: Set automated deletion schedules for specific data types or retention periods, ensuring timely and secure disposal. 

  • Manual Deletion: Securely delete individual data items through user-initiated actions with confirmation steps. 

  • Azure and AWS: Both providers offer secure data deletion methods for data stored within their infrastructure, adhering to relevant regulations. 

 

8. Vulnerability Management 

VIDIZMO follows best practices for secure configuration, and timely patches are applied to address potential vulnerabilities. The platform supports organizations in maintaining a secure environment in line with CJIS guidelines. 

  • Infrastructure Security: AWS and Azure cloud providers have robust vulnerability management programs for their underlying infrastructure, including regular assessments, patching, and proactive measures to identify and address potential security weaknesses. 

  • Regular Assessments: VIDIZMO conducts regular vulnerability assessments of its platform using industry-standard tools and methodologies. 

  • Prioritization and Remediation: Identified vulnerabilities are prioritized based on severity and potential impact, with timely remediation plans implemented. 

  • Secure Coding Practices: VIDIZMO follows secure coding practices and development methodologies to minimize the introduction of vulnerabilities in the platform. 

  • Security Patch Management: VIDIZMO promptly applies security patches for any identified vulnerabilities within its software components. 

 

9. Risk Assessment 

CJIS Control 24 demands a proactive approach to risk management. VIDIZMO understands this critical responsibility and employs a comprehensive risk assessment strategy, coupled with effective mitigation measures, to protect your data. 

  • Regular Assessments: VIDIZMO conducts periodic risk assessments using industry-standard frameworks and methodologies, systematically evaluating potential threats and vulnerabilities across its platform and infrastructure. 

  • Shared Responsibility: Both VIDIZMO and its cloud providers, Microsoft Azure and Amazon Web Services (AWS), contribute to risk assessment by sharing threat intelligence and vulnerabilities identified within their respective domains. 


10. Policy and Procedure Development 

VIDIZMO addresses CJIS Control 25 by emphasizing the establishment and enforcement of security policies and procedures.

  • Documentation: VIDIZMO provides easily accessible documentation detailing its internal security policies and procedures, serving as a valuable reference for users to understand best practices.
  • Transparency: VIDIZMO ensures transparency by keeping users informed about any changes to security policies and procedures through regular communication channels. This commitment to documentation and transparent communication aligns with CJIS Control 25, fostering a secure and well-informed user environment within VIDIZMO.

 

11. Information Exchange

VIDIZMO supports the safe and controlled sharing of sensitive information in line with CJIS Control 38.

  • Secure Collaboration Framework: VIDIZMO provides a controlled environment for collaboration on CJI, combining granular access controls, encryption, and secure communication channels.
    • Granular Access Controls: Users with administrator roles define the permissions available to each role, so that what a collaborator can view, edit, or share is decided explicitly rather than by default.
    • Encryption: Data at rest is encrypted with AES-256 and data in transit with TLS, preserving confidentiality and integrity. All communication with the platform, including login credentials, content uploads, internal data transfers, and API calls, takes place over HTTPS (TLS).
  • Compliance Alignment: These sharing features correspond to NIST SP 800-53 Rev. 5 CA-3 (Information Exchange) and AC-21 (Information Sharing), the controls that govern how and with whom information may be exchanged. Agencies should check that external sharing targets are themselves authorized to receive CJI, since the platform's controls govern the mechanism of sharing but not the recipient's authorization.

Conclusion  

VIDIZMO is dedicated to giving law enforcement and criminal justice agencies a secure, CJIS-aligned platform for managing video evidence. Its controls map to the requirements of the CJIS Security Policy and support agencies in protecting Criminal Justice Information (CJI), within the shared-responsibility model described above. 

CJIS Security Policy, based on NIST standards, outlines security requirements for protecting Criminal Justice Information (CJI) in the US. Many CJIS Security Policy controls directly map to NIST SP 800-53 controls, making it easier for organizations to comply with both, so refer to our article "VIDIZMO COMPLIANCE WITH NIST SP 800-53" to learn about NIST SP 800-53 compliance with VIDIZMO.