Take Our CJIS ACE Risk Assessment Quiz
Is there a designated individual responsible for the agency's information security (organizational personnel with security responsibilities/LASO)?
Yes
No
I’m not sure
Does the LASO know they are the LASO and what their responsibilities are?
Yes
No
I’m not sure
Is security awareness training, both literacy and role-based, conducted at least annually?
Yes
No
I’m not sure
Does your agency have a documented plan for responding to security incidents?
Yes
No
I’m not sure
Is the incident response plan tested or reviewed?
Yes
No
I’m not sure
Are audit logs reviewed weekly for suspicious activity?
Yes
No
I’m not sure
Is user access to CJI based on the principle of least privilege (only granted access to what is needed to complete duties)?
Yes
No
I’m not sure
Are access rights reviewed and updated when personnel change roles within the agency?
Yes
No
I’m not sure
When a user in your agency selects a password, does the application check to see if that proposed password is on a banned password list?
Yes
No
I’m not sure
Has your agency implemented multi-factor authentication for access to CJI systems/services?
Yes
No
I’m not sure
Are users required to log off their computers at the end of the workday/shift?
Yes
No
I’m not sure
Does your agency’s anti-malware (virus protection software) solution automatically update?
Yes
No
I’m not sure
Does your agency allow its personnel to use personally owned flash drives on agency computers?
Yes
No
I’m not sure
Are physical access controls in place to restrict unauthorized entry to areas where CJI is processed or stored?
Yes
No
I’m not sure
Are visitors escorted at all times within your physically secure location?
Yes
No
I’m not sure
Are security patches and updates applied in a timely manner?
Yes
No
I’m not sure
Does your agency have a process to detect if there is any unauthorized hardware or software on its network?
Yes
No
I’m not sure
Does your agency annually review its CJIS system to see if there are any unnecessary functions, ports, protocols, or services that are active?
Yes
No
I’m not sure
Does your agency have a documented plan for continuity of operations and/or disaster recovery for systems processing CJI in case of an unforeseen event?
Yes
No
I’m not sure
Are maintenance activities on systems processing CJI performed by authorized personnel?
Yes
No
I’m not sure
Does your agency have steps in place to make sure that the companies it works with (IT hardware and/or software) don't create security problems for your CJI (Criminal Justice Information) and your systems?
Yes
No
I’m not sure
Does your agency have processes in place to regularly check its computer systems and networks to make sure they are still secure and functioning appropriately?
Yes
No
I’m not sure
Does your agency have an up-to-date network/topological diagram and an up-to-date list/inventory of all IT-related components that make up your CJI system as required?
Yes
No
I’m not sure
Does your agency encrypt CJI that is transmitted or stored outside of a physically secure location using at least a FIPS 140-2 certified encryption module with a symmetric key strength of 128 bits?
Yes
No
I’m not sure