There are no shortcuts in compliance

At RPR Wyatt, we understand the importance of compliance.

We’ve been through the process. Our policies for mobile devices, personnel sanctions, configuration management, media protection, SQL database encryption (using FIPS 140-2 validated cryptographic modules), secure media transport and disposal, and related areas have all been reviewed and approved.

Sample Policy Statements

Our full set of policies is available for review and will be provided when appropriate. The excerpts below, taken from our CJIS Policy document, are a small sample intended to give a sense of their depth.

Guidelines for the Incident Response Process

Responding to an incident raises many questions and problems, and these may differ from one incident to the next. This section provides guidelines for addressing the common ones. For questions and incident types not covered by these guidelines, consult the Incident Response Coordinator, the Chief Information Security Officer and the Office of General Counsel.


Insider Threats

If a particular Incident Response Handler is a person of interest in an incident, the Incident Response Coordinator will assign other Incident Response Handlers to that incident.

Interactions with Law Enforcement

All communications with external law enforcement authorities are made only after consulting the designated corporate attorney. The ISO works with police to determine their information requirements and shares only the minimum information necessary for incident response.

Communications Plan

All public communications about an incident, or about the response to it, to parties outside RPR Wyatt and Hoozin are made in consultation with senior management. Private communications with other affected or interested parties contain only the minimum information necessary. What constitutes the minimum information necessary for a particular incident is determined by the Incident Response Coordinator.

Privacy

The Computing Policy provides specific requirements for maintaining the privacy of all employees and contractors (if any). All incident response procedures will follow the current privacy requirements as set out in the Computing Policy. Exceptions must be approved by senior management.

Documentation, Tracking and Reporting

All incident response activities will be documented, including any artifacts obtained, using methods consistent with chain-of-custody and confidentiality requirements. Incidents will be prioritized and ranked according to their potential risk. As an investigation progresses, that ranking may change, resulting in a greater or lesser allocation of ISO resources.

Each incident will be reviewed post-mortem to assess whether the investigative process was successful and effective. The ISO and other participants may then adjust their methods and procedures to improve the incident response process.

Artifacts obtained during the course of an investigation may be deleted after the conclusion of the investigation and post-mortem analysis unless otherwise directed by senior management.

Escalation

At any time during the incident response process, the Incident Response Coordinator and the Chief Information Security Officer may be called upon to escalate any issue concerning the process or the incident. The Incident Response Coordinator and the Chief Information Security Officer, in consultation with senior management, will determine if and when an incident should be escalated to external authorities.


Physical protection policy for CJI data

It is the policy of RPR Wyatt and Hoozin that physical custody of CJI data is not permitted. Under no circumstances shall any CJI data be transferred from a client computer onto a company or personal computer. Violation of this policy may result in termination of employment.


Security Awareness Training Policy

It is the policy of RPR Wyatt and Hoozin that all employees with incidental access to CJI data keep their security awareness training current by completing training at least every 18 months at www.cjisonline.com, or an equivalent, as may be required by specific client agencies.