By Doug Boude, Software Development Manager, equivant Supervision, Corrections, and Pretrial (SCP)
The ability to comprehensively safeguard a customer’s data is fundamental to the trust that is extended to any tech industry vendor. All customer data is important and must be regarded with the highest level of care. However, in the criminal justice software industry, there is an even higher authority with a vested interest in the protection of certain data. This category of information is referred to as CJIS, or Criminal Justice Information Services data. Regardless of what applications, vendors, or agencies are handling it, they are all subject to rules and regulations issued by the CJIS department of the FBI.
Formed in 1992, CJIS’s mission is to balance the criminal justice system’s need for information access, sharing, and transparency against protecting the civil liberties of the many people who interact with or appear in that data. This could include law enforcement officers, judges, court workers, defendants, inmates, victims, corrections workers, and even the family members of any of these people.
The CJIS data protection framework encompasses various subcategories of data, each having its own domain and accompanying risks. Criminal history, biometrics such as DNA and fingerprints, background checks, law enforcement strategies and tactics, and agency-specific data are all covered by CJIS policies and requirements.
equivant Supervision, Corrections, and Pretrial (SCP), provides software services to agencies at every level of the criminal justice system. As such, the management and storage of the CJIS data we handle is as important to our clients as the functionality of our software. Therefore, we invest heavily in our infrastructure, software development practices, and our people to provide our customers with the industry’s highest level of evidentiary trust possible.
Without evidence that information security is part of a vendor’s culture, behavior, and character, you should probably think twice before using them. Fortunately, there are ways to gain a high level of assurance that the software vendor with whom you are about to partner is trustworthy. You should insist upon one or more of the following certifications or statements of attestation:
- SOC2 Type 2
- ISO 27001
- FedRAMP
- StateRAMP
- GDPR (more common internationally)
All these certifications or statements of attestation are bestowed by third party companies whose job is to audit the vendor and validate the existence of (and compliance with) a comprehensive array of policies and procedures. These procedures and policies govern, at a high level, the full spectrum of what one should expect from their vendor: security, privacy, availability, processing integrity, and confidentiality. When a vendor can produce such a certification, it signifies that you can have a high level of confidence in the company’s ability to serve you in a trustworthy manner. Without such a certification or attestation, you’re simply taking them at their word, and thus taking on an unknown level of risk.
The discipline of Information Security, which plays a fundamental role in CJIS data protection, is broad and deep. Because of the sensitive nature of CJIS data and the fact that it’s handling and care is overseen by the CJIS department of the FBI, any software in the criminal justice system industry that handles this type of data must inherently and culturally practice sound and provable Information Security practices. Information Security should be not only a practiced discipline, but it should also be at the very heart of your criminal justice software company’s culture and mission. If you need guidance about what information security questions to ask when evaluating your software partners, please reach out. We’d love to tell you about equivant SCP’s superior commitment to the security of your data.
