Criminal Justice Information Services Cyber Security Program Deployment Guide
Updated version 5.9.2 as of May 2023
This guide describes how to implement the LogRhythm CJIS Compliance Automation Suite. This suite provides pre-bundled content such as Correlation Rules, Alarms, Investigations, Lists, and Reports that help organizations pursue compliance around CJIS data security objectives. In addition, this guide provides control mapping between LogRhythm SIEM and control objectives contained within CJIS.
The CJIS Compliance Automation Suite provides pre-bundled Investigations, Correlation Rules, Alarms, and Reports that are designed to support the minimum set of security requirements for access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information. It is also designed to help protect and safeguard Criminal Justice Information (CJI) as outlined in the FBI's CJIS Security Policy. This minimum standard of security requirements ensures continuity of information protection across an organization's operations. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI from creation through dissemination, whether at rest or in transit. This pre-bundled content is automatically associated with the CJIS control objectives that LogRhythm Enterprise supports. Various Lists are also available, some of which are preconfigured and others that can be tailored to your environment, processes, and system classifications.
Of the 130 substantive and auditable controls in the CJIS Security Policy, LogRhythm SIEM supports 58 (45%), either as a mitigating control, as a compensating control, or through general SIEM functionality. Our team's interpretation of each supported control can be found in the control-mapping matrices of this module. LogRhythm's core set of content offered through the Consolidated Compliance Framework (CCF) is mapped to CJIS controls, offering a streamlined approach to compliance through SIEM technology. LogRhythm SIEM technology and content align with the CJIS core objective of protecting CJI through many common control objectives, including user access management, privileged access management, log retention, business continuity, and incident response, and serve overall as a safeguarding mechanism that strengthens the organization's security posture.
After you configure the automation suite, the LogRhythm Platform Manager includes the components needed for CJIS compliance. Correlation Rules, Alarms, Investigations, and Reports are automatically associated with the correct CJIS objectives. You can then schedule Reports for periodic generation and delivery or generate them on demand for various audiences. To identify areas of non-compliance in real time, you can use Investigations and Alarms for immediate analysis of activity that affects the systems in your organization that store, process, or transmit CJI.
LogRhythm content is mapped to control objectives across the CJIS Security Policy and is designed to be used by various audiences, including internal and external audit, executive management, control owners, program developers, IT security, IT operations, and other individuals or groups involved in the audit cycle.
Intended Audience
This guide is intended for LogRhythm Enterprise administrators and analysts who are responsible for maintaining compliance with CJIS requirements. In addition, weekly and monthly Reporting Packages can be established to provide forensic evidence and audit data for distribution to the appropriate audiences. These audiences include Security Operations, Security Management, IT Operations, Audit, and Executive Management. The reporting packages, the content they include, and their frequency can be adjusted according to the needs of each audience.
This guide details the installation, configuration, and verification of the objects used in the CJIS Compliance Automation Suite. When these steps are complete, the LogRhythm Platform Manager (Event Manager) has all the components needed for CJIS compliance. The process involves the following steps: