By Doug Boude, Software Development Manager, equivant
The safeguarding of sensitive information is a paramount concern as technology continues to play a pivotal role in the criminal justice realm. Criminal justice software companies like equivant Supervision + Pretrial, at the intersection of law and technology, navigate a landscape that demands not only efficiency but also the utmost security. Aside from the fact that a customer’s data is proprietary to them, when it comes to information within Case and Pretrial Management systems, a whole other level of reasons exists to ensure data security.
First, Case and Pretrial Management systems contain data that is classified by the federal government as CJIS, or Criminal Justice Information Services data. That data represents the information that is absolutely essential to the organization performing case or pretrial management in order to achieve their mission and goals. At the same time, it is of the utmost importance that the organization preserve the civil liberties of those to whom the information directly pertains. Because of this duality of priorities, the CJIS department of the FBI was formed in 1992 to ensure a standardized way of doing this across all entities that collect, use, and store CJIS data. These rules, or security framework, must be adhered to by both the agency utilizing the data and the various software system vendors whose tools manage and serve that same information. Below are ways in which equivant Supervision + Pretrial fulfills your organization’s data security needs.
We safeguard your data on multiple fronts, including:
- Protecting customers from unauthorized access to their data, data exposure, and the potential exploitation of their sensitive information.
- Applying rigorous standards and practices to our software development and the environments in which it runs, ensuring not only the data’s availability, but also its integrity.
- Systematically and faithfully applying and adhering to the explicit standards and requirements placed upon us by the CJIS Security Policy—in a way that is recurrent and auditable.
Any software company that is charged with the responsibility of caring for a customer’s most important data should be held to the highest standards and be able to provide evidence of their compliance with them. In fact, as the customer, you have the right and obligation to require it.
Questions You Should Ask Your Software Vendor to Ensure Compliance
- Written Policies: Do you have written policies and procedures that define and guide your company’s security practices?
- Access Control: What are your policies around which employees can access which data, and when?
- Encryption: Will my data be encrypted so that even if someone obtained it, they could not read it?
- Employee Training: Are all of your employees security-aware at all times?
- Incident Response Plans: How will we know if a data incident occurs, and what will you do about it?
Any software vendor handling Case or Pretrial Management data should be able to readily produce answers to these questions on demand. Additionally, since these policies and procedures will dictate that “paper trails” be established for all of these, one should also be able to see the proof that, for instance, access given to an employee to your data was granted in a formal, written manner with approvals from the appropriate managers.
Certificate of Compliance
Auditing a company in the manner described previously takes weeks. Once such a formal audit is performed, however, if the subject company has satisfied the auditor with the results, they are presented with something that you will want to see: a certificate of compliance.
A certificate of compliance, sometimes referred to as an attestation, is proof that a vendor will handle your data with the utmost care and remain compliant with best security practices. This certificate provides peace of mind that this vendor, and the software they are offering you, can indeed be safely trusted to secure your data.
There are many different certifications and attestations that are recognized in the data security industry, but a few are far more common than others. You should ask for either of the following: ISO 27001 or SOC2 Type 2. Either of those, if a company possesses it, signifies to you that they not only have comprehensive written standards, policies, and procedures which guide their information security practices, but that they have been actively and accurately practicing them for some significant period of time. On top of requiring the SOC2 Type 2 or ISO 27001 certifications, ensure that your potential software vendor administers CJIS Level 2 training for all of its employees.
Fulfilling your mission as a Case Manager in the Justice System means that, in order to provide proper continuity of treatment for offenders transitioning into society, you need full access to all of the data relevant to the individual. Since the individual’s civil liberties are also of paramount importance, the software system you use has to provide full and comprehensive data security while enabling you to efficiently perform your tasks. Doing your due diligence and requiring your vendor to provide you with proof of their compliance in the form of a SOC2 Type 2 or ISO 27001 certification will give you full assurance that you have chosen a vendor committed to mitigating your liability. If you would like more information about equivant’s security commitment or have questions about security and compliance, please contact us.