August 30, 2017
Secure and Uncompromised Criminal Justice Information with Help from the CJIS Audit Unit
Your agency submits it. Your agency gets it. Criminal justice information is an integral part of the business of fighting bad guys. But what if the very systems we rely upon become compromised or the information gets corrupted? Not only would that impede our progress in combating crime, but it could potentially put lives at risk. This is where the Audit Unit of the FBI’s Criminal Justice Information Services (CJIS) Division comes in.
There’s no need for trepidation.
The mission of the CJIS Audit Unit (CAU) is to evaluate, report, and improve policy compliance in order to increase the integrity and security of CJIS systems and programs and the use of criminal justice information. We’re on your side.
What’s being audited?
Criminal justice information is the term used to refer to all of the provided biometric, identity history, biographic, property, and case/incident history data necessary for law enforcement and civil agencies to perform their missions. Because a variety of entities contribute to the information, the CJIS Division employs a shared management philosophy. This means that the CJIS Division and you—the local, state, tribal, and federal agencies—share responsibility for the operation and management of the information systems. These systems include:
Interstate Identification Index
National Crime Information Center
National Sex Offender Registry
National Instant Criminal Background Check System
National Data Exchange
Next Generation Identification
Uniform Crime Reporting (UCR)
Who regulates the use of criminal justice information?
The CJIS Advisory Policy Board (APB) governs policy and sharing of information obtained by criminal justice agencies for criminal justice purposes. On the other hand, the National Crime Prevention and Privacy Compact Council (Council) governs criminal justice information obtained by all agencies for noncriminal justice purposes. Within each state, a CJIS Systems Agency (CSA), a CJIS Systems Officer (CSO), and/or a State Compact Officer oversee the use of the data; these entities and their representatives also work with the CAU to evaluate the integrity and security of information in CJIS systems.
Are there benefits to being audited?
Audits provide many benefits to the user community, including the improvement of the overall integrity of system data, verification of the adherence to minimum standards, compliancy assistance (which, in turn, limits the user community’s liability), protection and safeguarding of criminal justice information, and improvement of officer and public safety. The CAU strives to positively impact the criminal justice and noncriminal justice information user community by providing guidance and support to the FBI’s partners.
How does an audit work?
The CAU’s audit process adheres to a triennial audit schedule. To begin the process, an auditor reviews the CSA’s criminal justice information policies, procedures, practices, and data. Along with this review, the auditor selects a sample of local agencies as a reflection of how the CSA assures compliance within their jurisdictions. To assist in preparing for the audit, the auditor also provides the CSO and local agencies with preaudit documentation to include discussion points and a list of reports that will be requested. Once on-site, the auditor conducts an interview to gather information about specific processes, performs a data quality review, and participates in a tour of the facility to ensure physical security.
Upon completion of an audit, the CAU prepares a report including recommendations to the CSA and appropriate oversight bodies for any necessary corrective actions. The CAU then presents the audit findings to the CJIS APB’s Compliance Evaluation Subcommittee and/or the Council’s Sanctions Committee. The CAU also tracks its recommendations through completion to help ensure the use of CJIS systems data is appropriate and secure.
Will my agency be audited?
You may be wondering if participation in the CJIS audit process is required. The short answer is: most likely. Your agency is subject to the CJIS audit process if it is one of the following types:
State CSA and repository
State UCR Program office
Federally regulated agency
Agency within a U.S. territory with a Wide Area Network connection
Royal Canadian Mounted Police
FBI-approved channeling agency
Authorized recipient of criminal history record information
Sex offender registrar
Law Enforcement Enterprise Portal identity provider
Any FBI component