CIB audits are an extension of the training process and intended to assess agency compliance with state, National Crime Information Center (NCIC) and The International Justice and Public Safety Network (Nlets) policies and regulations.
The purpose of the audit is to review technical security of terminals; accuracy, completeness, timeliness and validity of record entries; local policy and procedures relating to Transaction Information for the Management of Enforcement (TIME), NCIC and Nlets applications; the TIME System training status of members of your department; and agency's use of Criminal History Record Information (CHRI).
Audit Tips & Tricks
CJIS Security Policy>>
Entry Agency Record Reviews (Entry agencies only)
- As you review your selected records, you can update them as needed prior to completion of the record review section of the audit questionnaire. This means if you find additional information or incorrect information you are able to modify or supplement your records prior to CIB’s review of those records.
- A few of the areas we often find additional information are Department of Correction (DOC) records (e.g. Probation/Parole or Sex Offender records), Department of Natural Resources (DNR) files, out-of-state driver’s records, and out-of-state criminal history records (e.g. a Minnesota, Texas, or other state criminal history responses – not simply the III response).
- If you find another state identification number, remember to query that record for that state’s information as well. A potential tip here is that if someone has a record showing they were born in another state, it would be a good idea to query that state for any driver’s record or criminal history.
- Also, if you see a notation on the WI driver’s record that a person moved to WI from another state or has moved from WI to another state, you would want to query that other state for the possibility of additional information.
FIPS 140-2 Certificates (sample below)
- Many of these can be obtained from your hardware/software vendors, white papers, or occasionally a simple web search. Another search option is using the NIST search page here. Oftentimes, you may need to do the Advanced search and check the various Validation Status’ (e.g. Active, Historical, Revoked).
- Occasionally you may not find the certificate on the search page because the hardware/software may be listed under a different company or other name.
- Also ensure the FIPS 140-2 features are activated on the appropriate hardware/software as many systems have this as an added feature which must be activated at the agency/organization level.
Network Diagrams (samples below)
- When completing the network diagrams, ensure the diagram(s) meet the requirements of the CJIS Security Policy.
- Add the physical boundaries of the physically secure location on the diagram.
- Please use a color-coded diagram to identify various encryption data paths (e.g. Red = encrypted at FIPS 140-2; Blue = encrypted to another level/identify encryption level; Black = non-encrypted data; or a similar color code). Add a legend to identify any color-coding.
- Add the FIPS 140-2 certificate numbers along the appropriate data paths. If you don’t indicate the certificate numbers along their appropriate data path, you will need to forward the actual FIPS 140-2 certificate to your auditor.
- If your agency uses a virtual environment, ensure this is represented on the diagram.
Training Certifications
- Ensure your staff are current in the necessary trainings/certifications for the TIME System. As you review your certification report, you can check for the following certifications based on your staff’s access level. This is not all the certification levels, just the most common. Most of the below trainings/certifications are good for two years. The exceptions are eTIME Online Operator Agreement (good for as long as you work for the agency that assigned it to you) and Local Agency Security Officer (must be taken annually).
- Individuals who have unescorted access to your facility and/or systems/network
- Security Awareness certification (a signed paper version is also acceptable – available on WILENET)
- eTIME certifications
- eTIME Online Operator Agreement
- TIME Intro Certification (Module 1)
- Person & Vehicle Query Certification (Module 2)
- Criminal History Query Certification (Module 3)
- NCIC Property Files Certification (Module 5)
- MDC/MDT certifications
- TIME Intro Certification (Module 1)
- Person & Vehicle Query Certification (Module 2)
- Criminal History Query Certification (Module 3)
- Hit Confirmation Certification (Module 4)
- NCIC Property Files Certification (Module 5)
- Administrative Messages Certification (Module 6)
- Basic certifications
- TIME Intro Certification (Module 1)
- Person & Vehicle Query Certification (Module 2)
- Criminal History Query Certification (Module 3)
- Hit Confirmation Certification (Module 4)
- NCIC Property Files Certification (Module 5)
- Administrative Messages Certification (Module 6)
- Advisory Messages Certification (Module 7)
- Additional NCIC & Nlets Files Certification (Module 8)
- Advanced certifications
- TIME Intro Certification (Module 1)
- Person & Vehicle Query Certification (Module 2)
- Criminal History Query Certification (Module 3)
- Hit Confirmation Certification (Module 4)
- NCIC Property Files Certification (Module 5)
- Administrative Messages Certification (Module 6)
- Advisory Messages Certification (Module 7)
- Additional NCIC & Nlets Files Certification (Module 8)
- Person Entry Certification (Person Entry module)
- Vehicle Entry Certification (Vehicle Entry module)
- Other Property Entry Certification (Other Property Entry module)
- Note: In order to obtain the Person Entry, Vehicle Entry, and Other Property Entry certifications, the individual must complete all the above modules and successfully complete the Advanced Project (evaluated by CIB training staff after submission/mailing)
- Local Agency Security Officer (LASO)
- Local Agency Security Officer (LASO) certification
- Individuals who have unescorted access to your facility and/or systems/network