CJIS Compliance Matrix And Responsibilities - Evertel


CJIS Compliance Matrix and Responsibilities

CJIS SECURITY POLICY V5.8: Evertel Compliance Details

The Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS) Security Policy sets the minimum security requirements to provide an acceptable level of assurance to protect the full lifecycle of Criminal Justice Information. Agencies using cloud based services are required to make informed decisions on whether or not the cloud provider can offer services that maintain compliance with the requirements of the CJIS Security Policy.

This document outlines the specific security policies and practices for Evertel and their compliance with the CJIS Security Policy, Version 5.8. Evertel has leveraged CJIS’s Requirements Companion Document to provide details on control responsibilities when agencies use Evertel. The Requirements Companion Document is provided as an additional resource within the CJIS Security Policy Resource Center olicy-resource-center) and describes which party has responsibility to perform the actions necessary to ensure a particular CJIS Security Policy requirement is being met.

Prepared by Evertel Technologies, LLC
Send Inquiries to: Evertel Information Security Team at Support@GetEvertel.com

Control number | Topic | Shall Statement | Responsibility (SaaS Model) | Agency Details | Evertel Details

CJIS Security Policy Area 1 - Information Exchange Agreements

5.1 Policy Area hange
The information shared through communication mediums shall be protected with appropriate security safeguards.
Before exchanging CJI, agencies shall put formal agreements in place that specify security controls.
Information exchange agreements for agencies sharing CJI data that is sent to and/or received from the FBI CJIS shall specify the security controls and conditions described in this document.
Information exchange agreements shall be supported by documentation committing both parties to the terms of information exchange.
Law Enforcement and civil agencies shall have a local policy to validate a requestor of CJI as an authorized recipient before disseminating CJI.
Agencies are responsible for establishing information exchange agreements with parties with whom they share data through Evertel.
Evertel’s TOS and Data Security Policies outline the data protection roles, responsibilities and data ownership

5.1.1.1 Information Handling
Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration or misuse.
Using the requirements in this policy as a starting point, the procedures shall apply to the handling, processing, storing, and communication of CJI.
Agencies must establish policies related to the access and usage of data stored within Evertel.
Evertel maintains policies and practices for securely handling information.

5.1.1.2 State and Federal Agency User Agreements
Each CSA head or SIB Chief shall execute a signed written user agreement with the FBI CJIS Division stating their willingness to demonstrate conformity with this policy before accessing and
CSA heads or SIB Chiefs are responsible for maintaining this written agreement.
N/A

Responsibility (SaaS Model): Agency, Agency, Agency, Agency, Agency, Agency, Agency, Agency

participating in CJIS records information programs.
This agreement shall include the standards and sanctions governing utilization of CJIS systems.
As coordinated through the particular CSA or SIB Chief, each Interface Agency shall also allow the FBI to periodically test the ability to penetrate the FBI’s network through the external network connection or system per authorization of Department of Justice (DOJ) Order 2640.2F.
All user agreements with the FBI CJIS Division shall be coordinated with the CSA head.

5.2 Policy Area 2: Basic Security Awareness Training
Basic security awareness training shall be required within six months of initial assignment and biennially thereafter, for all personnel who have access to CJI to include all personnel who have unescorted access to a physically secure location.
Agencies are responsible for ensuring personnel who access Evertel undergo appropriate security awareness training.
Evertel maintains a comprehensive security awareness program which includes annual training. Authorized Evertel personnel with access to CJI are required to complete Level 4 CJIS Security Training upon assignment and biennially thereafter.

5.2.1.1 Level One Security Awareness Training
At a minimum, the following topics shall be addressed as baseline security awareness training for all personnel who have access to a physically secure location:
1. Individual responsibilities and expected behavior with regard to being in the vicinity of CJI usage and/or terminals.
2. Implications of noncompliance.
3. Incident response (Identify points of contact and individual actions).
4. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity, etc.
Agencies are responsible for ensuring personnel who access Evertel undergo appropriate security awareness training.
See 5.2

Responsibility (SaaS Model): Agency, Agency, Agency, Both, Both, Both, Both, Both

5.2.1.2 Level Two Security Awareness Training
In addition to 5.2.1.1 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with access to CJI:
1. Media Protection.
2. Protect information subject to confidentiality concerns — hardcopy through destruction.
3. Proper handling and marking of CJI.
4. Threats, vulnerabilities, and risks associated with handling of CJI.
5. Social engineering.
6. Dissemination and destruction.
Agencies are responsible for ensuring personnel who access Evertel undergo appropriate security awareness training.
See 5.2

5.2.1.3 Level ity (SaaS Model)
In addition to 5.2.1.1 and 5.2.1.2 above, the following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
1. Rules that describe responsibilities and expected behavior with regard to information system usage.
2. Password usage and management—including creation, frequency of changes, and protection.
3. Protection from viruses, worms, Trojan horses, and other malicious code.
4. Unknown e-mail/attachments.
5. Web usage—allowed versus prohibited; monitoring of user activity.
6. Spam.
7. Physical Security—increases in risks to systems and data.
8. Handheld device security issues—address both physical and wireless security issues.
9. Use of encryption and the transmission of sensitive/confidential information over the Internet—address agency policy, procedures, and
Agencies are responsible for ensuring personnel who access Evertel undergo appropriate security awareness training.
See h

Responsibility (SaaS Model): Both, Both, Both

technical contact for assistance.
10. Laptop security—address both physical and information security issues.
11. Personally owned equipment and software—state whether allowed or not (e.g., copyrights).
12. Access control issues—address least privilege and separation of duties.
13. Individual accountability—explain what this means in the agency.
14. Use of acknowledgement statements—passwords, access to systems and data, personal use and gain.
15. Desktop security—discuss use of screensavers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems.
16. Protect information subject to confidentiality concerns—in systems, archived, on backup media, and until destroyed.
17. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

5.2.1.4 Level Four Security Awareness Training
In addition to 5.2.1.1, 5.2.1.2 and 5.2.1.3 above, the following topics at a minimum shall be addressed as baseline security awareness training for all Information Technology personnel (system administrators, security administrators, network administrators, etc.):
1. Protection from viruses, worms, Trojan horses, and other malicious code—scanning, updating definitions.
2. Data backup and storage—centralized or decentralized approach.
Agencies are responsible for ensuring personnel who access Evertel undergo appropriate security awareness training.
Evertel maintains a comprehensive security awareness program. Training is provided for all employees and is required at least annually and within six months of employment. In addition to annual training, employees supporting Evertel are required to complete CJIS Online training at Level 4

Responsibility (SaaS Model): Both, Both, Both, Both, Both, Both, Both, Both, Both, Both

biennially.
3. Timely application of system patches—part of configuration management.
4. Access control measures.
5. Network infrastructure protection measures.

5.2.2 LASO Training
LASO training shall be required prior to assuming duties but no later than six months after initial assignment and annually thereafter.
At a minimum, the following topics shall be addressed as enhanced security awareness training for a LASO:
1. The roles and responsibilities listed in CJIS Security Policy Section 3.2.9.
2. Additional state/local/tribal/federal agency LASO roles and responsibilities
3. Summary of audit findings from previous state audits of local agencies.
4. Findings from the last FBI CJIS Division audit of the CSA.
5. Most recent changes to the CJIS Security Policy
Agencies are responsible for training LASO
N/A

5.2.3 Security Training Records
Records of individual basic security awareness training and specific information system security training shall be:
- documented
- kept current
- maintained by the CSO/SIB/Compact Officer
Agencies are responsible for maintaining records of security awareness training for personnel who access Evertel.
Evertel maintains a comprehensive security awareness program. Training is provided for all employees and is required at least annually and within six months of employment. In addition to annual training, employees supporting Evertel are required to

Responsibility (SaaS Model): Both, Both, Both, Both, Both, Both, Both, Both, Both

complete CJIS Online training at Level 4 biennially. Records of training can be provided to customers.

CJIS Security Policy Area 3 - Incident Response

5.3 Policy Area 3: Incident Response
To ensure protection of CJI, agencies shall: (i) establish operational incident handling procedures that include adequate preparation, detection, analysis, containment, recovery, and user response activities. (ii) track, document, and report incidents to appropriate agency officials and/or authorities.
ISOs have been identified as the POC on security-related issues for their respective agencies and shall ensure LASOs institute the CSA incident response reporting procedures at the local level.
Agencies are responsible for establishing incident response capabilities and must report to Evertel if they believe an unauthorized third party may be using their account or their content, or if their account information is lost or stolen.

5.3.1 Reporting Security Events
The agency shall promptly report incident information to appropriate authorities.
Security events, including identified weaknesses associated with the event, shall be communicated in a manner allowing timely corrective action to be taken.
Formal event reporting and escalation procedures shall be in place.
Wherever feasible, the agency shall employ automated mechanisms to assist in the reporting of security incidents.
Agencies are responsible for establishing incident response capabilities and must report to Evertel if they believe an unauthorized third party may be using their account or their content, or if their account information is lost or stolen.

Incident management and response processes are documented, maintained, and communicated to appropriate management and Evertel personnel.
Incident response plans and procedures are implemented and include detail surrounding the handling of forensic and evidentiary data.
Evertel will notify Agency within 72 hours of a confirmed incident. Authorities will be notified through Evertel's established channels and timelines. Evertel employees are trained on and made aware of procedures to inform the Evertel Information Security Team in the event of an identified security event or weakness.

Responsibility (SaaS Model): Both, Both, Both, Both, Both, Both, Both

All employees, contractors and third party users shall be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of agency assets and are required to report any security events and weaknesses as quickly as possible to the designated point of contact.
Responsibility (SaaS Model): Both

5.3.1.1.1 FBI CJIS Division Responsibilities
The FBI CJIS Division shall:
1. Manage and maintain the CJIS Division's Computer Security Incident Response Capability (CSIRC).
2. Serve as a central clearinghouse for all reported intrusion incidents, security alerts, bulletins, and other security-related material.
3. Ensure additional resources for all incidents affecting FBI CJIS Division controlled systems as needed.
4. Disseminate prompt advisories of system threats and operating system vulnerabilities via the security policy resource center on FBI.gov, to include but not limited to: Product Security Bulletins, Virus Bulletins, and Security Clips.
5. Track all reported incidents and/or trends.
6. Monitor the resolution of all incidents.
Applicable to FBI CJIS Division only.
Applicable to FBI CJIS Division only.

5.3.1.1.2 CSA ISO Responsibilities
The CSA ISO shall:
1. Assign individuals in each state, federal, and international law enforcement organization to be the primary point of contact for interfacing with the FBI CJIS Division concerning incident handling and response.
Applicable to CSA ISO responsibilities only.
Applicable to CSA ISO responsibilities
Responsibility (SaaS Model): CJIS/CSO, CJIS/CSO

2. Identify individuals who are responsible for reporting incidents within their area of responsibility.
3. Collect incident information from those individuals for coordination and sharing among other organizations that may or may not be affected by the incident.
4. Develop, implement, and maintain internal incident response procedures and coordinate those procedures with other organizations that may or may not be affected.
5. Collect and disseminate all incident-related information received from the Department of Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law enforcement POCs within their area.
6. Act as a single POC for their jurisdictional area for requesting incident response assistance.
Responsibility (SaaS Model): CJIS/CSO, CJIS/CSO, CJIS/CSO, CJIS/CSO, CJIS/CSO

ment of Security Incidents
A consistent and effective approach shall be applied to the management of security incidents.
Responsibilities and procedures shall be in place to handle security events and weaknesses effectively once they have been reported.
Agencies are responsible for establishing incident response capabilities and must report to Evertel if they believe an unauthorized third party may be using their account or their content, or if their account information is lost or stolen.
Evertel maintains security incident response procedures and capabilities for Evertel.

5.3.2.1 Incident Handling
The agency shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Evertel maintains security incident response procedures and capabilities for Evertel.
Agencies are responsible for establishing incident response capabilities and must report to Evertel if they

Responsibility (SaaS Model): Both, Both, Both

believe an unauthorized third party may be using their account or their content, or if their account information is lost or stolen.
Wherever feasible, the agency shall employ automated mechanisms to support the incident handling process.
Responsibility (SaaS Model): Both

5.3.2.2 Collection of Evidence
Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
Responsibility (SaaS Model): Both
Agencies are responsible for establishing incident response capabilities and must report to Evertel if they believe an unauthorized third party may be using their account or their content, or if their account information is lost or stolen.
Evertel maintains security incident response procedures and capabilities for Evertel, which include requirements to collect and maintain appropriate evidence, when necessary.

5.3.3 Incident Response Training
The agency shall ensure general incident response roles responsibilities are included as part of required security awareness training.
Responsibility (SaaS Model): Both
Agencies are responsible for establishing incident response capabilities and including general incident response roles and responsibilities in security awareness training.
The Evertel security awareness training includes security incident response roles and responsibilities, including reporting expectations.

5.3.4 Incident Monitoring
The agency shall track and document security incidents on an ongoing basis.
Responsibility (SaaS Model): Both
Agencies are responsible for establishing incident response capabilities and tracking and documenting incidents. Agencies must report to Evertel if they believe an unauthorized third party may be using their account or their content, or if their account information is lost or stolen.
Evertel maintains security incident response procedures and capabilities for Evertel. Evertel internally tracks and documents all security incidents to ensure proper remediation.

The CSA ISO shall maintain completed security incident reporting forms until the subsequent FBI triennial audit or until legal action (if warranted) is complete (whichever time-frame is greater).
Applicable to CSA ISO responsibilities only.
Applicable to CSA ISO responsibilities only.

CJIS Security Policy Area 4 - Auditing and Accountability

5.4 Policy Area 4: Auditing and Accountability
Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior.
Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are applicable to the various components.
Agencies must document and execute their implementation of audit monitoring, analysis, and reporting. Within Evertel, detailed usage and access reports are available for agencies to monitor their accounts.
Within the Evertel application, logs are generated and secured that detail all access to evidence data and evidence audit reports are available to customers.

5.4.1 Auditable Events and Content (Information Systems)
The agency’s information system shall generate audit records for defined events.
The agency shall specify which information system components carry out auditing activities.
The agency’s information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
The agency shall periodically review and update the list of agency-defined auditable events.
In the event an agency does not use an automated system, manual recording of activities shall still take place.
N/A
Evertel systems are configured to log all required events to a central logging system. Additionally, within the Evertel application, logs are generated and secured that detail all access to evidence data and evidence audit reports are available to customers.

5.4.1.1 Events
The following events shall be logged:
1. Successful and unsuccessful system
Within the Evertel, detailed usage and access reports are available for agencies to
Evertel systems are configured to log all required events and more to a central logging

Responsibility (SaaS Model): Service Provider, er, Service Provider, Service Provider

2. Successful and unsuccessful attempts to access, create, write, delete or change permission on a user account, file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to access, modify, or destroy the audit log file.
monitor their
Additionally, within the Evertel application, logs are generated and secured that detail all access to evidence data, and robust evidence audit reports are available to customers.

.1 Content
The following content shall be included with every audited event:
1. Date and time of the event.
2. The component of the information system (e.g., software component, hardware component) where the event occurred.
3. Type of event.
4. User/subject identity.
5. Outcome (success or failure) of the event.
N/A
Evertel systems are configured to log all required events and more to a central logging system. This includes date and time of the event, user identity, outcome of the event, and type of event.

5.4.2 Response to Audit Processing Failures
The agency’s information system shall provide alerts to appropriate agency officials in the event of an audit processing failure.
Within the Evertel application, detailed usage and access reports are available for agencies to monitor their accounts.
Controls are established to alert Evertel of any log collection or processing failures.

5.4.3 Audit Monitoring, Analysis, and Reporting
The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions.
Agencies must document and execute their implementation of audit monitoring, analysis, and reporting. Within the Evertel application, detailed usage and access reports are available for agencies to
Evertel employs advanced detection and analysis capabilities of system events. This includes automated detection and alerts for unusual activity or attacks.

Responsibility (SaaS Model): Service Provider, ider, Service Provider, ovider, Service Provider, Both, Both

monitor their accounts.
Audit review/analysis shall be conducted at a minimum once a week.
The agency shall increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to agency operations, agency assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

5.4.4 Time Stamps
The agency’s information system shall provide time stamps for use in audit record generation.
The time stamps shall include the date and time values generated by the internal system clocks in the audit records.
The agency shall synchronize internal information system clocks on an annual basis.
N/A
The Evertel central logging system collects event generation time and event received time. All systems are synchronized to an internal clock. Customer logs within Evertel also include timestamps synchronized to an internal clock.

5.4.5 Protection of Audit Information
The agency’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.
N/A
Evertel systems are configured to log all required events and more to a central logging system. The central logging system protects logs from unauthorized access, modification, and deletion.
Evertel platform creates and maintains audit records including the when, who, and what for each evidence file. These records cannot be edited or changed, even by account administrators.

Responsibility (SaaS Model): Both, Both, Service Provider, Service Provider, Service Provider, Service Provider

5.4.6 Audit Record Retention
The agency shall retain audit records for at least one (1) year.
Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes.
N/A
Evertel system central log data is maintained for at least one (1).

5.4.7 Logging NCIC and III Transactions
A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions.
The III portion of the log shall clearly identify both the operator and the authorized receiving agency.
III logs shall also clearly identify the requester and the secondary recipient.
The identification on the log shall take the form of a unique identifier that shall remain unique to the individual requester and to the secondary recipient throughout the minimum one year retention period.
Not applicable to Evertel as Evertel does not conduct NCIC and III transactions.
N/A

CJIS Security Policy Area 5 - Access Control

5.5.1 Account Management
The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
The agency shall validate information system accounts at least annually and shall document the validation process.
The agency shall identify authorized users of the information system and specify access rights/privileges.
The agency shall grant access to the information system based on:
1. Valid need-to-know/need-to-share that is determined by assigned official duties.
2. Satisfaction of all personnel security criteria.
Agencies are responsible for implementing this control for their user access of Evertel. Evertel allows for customers to directly administer user accounts.
Evertel provides agency with the tools to manage Access Control.

Responsibility (SaaS Model): Service Provider, Service Provider, Agency, Service Provider, Agency, Agency, Both, Both, Both, Both, Both, Both

5.5.2.1 Least Privilege
The agency responsible for account creation shall be notified when:
1. A user’s information system usage or need-to-know or need-to-share changes.
2. A user is terminated or transferred or associated accounts are removed, disabled, or otherwise secured.
The information system shall enforce assigned authorizations for controlling access to the system and contained information.
The information system controls shall restrict access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to expli
