Comprehensive & Iron-clad
PDQ Vision customers have varying risk profiles and different security needs. Many of the access control features can be enabled or disabled by customers as needed, or can be changed to meet a specific level of risk. The default settings for these security features were chosen to provide a strong level of security, while still maintaining flexibility and convenience. Customers are encouraged to evaluate these features and align them with their unique needs.
- Customized password length and complex password requirements
- Customized failed login limit and lockout duration
- Enforced session timeout settings
- Mandatory challenge questions when authenticating from new locations
- Multi-factor authentication options for user login and prior to administrative actions (one time code via SMS or phone call-back)
- Restrict access to defined IP ranges (limit access to approved office locations)
Authorization & Permissions
- Granular role-based permission management
- Device-level permission management (for example, allow specific users to use the web-based interface, but not the mobile application)
- Integration with directory services for streamlined and secure user management
Auditing and User Reporting & Management
- Detailed, tamper-proof administrator and user activity logging
- Intuitive administration web portal to manage users, permissions and roles
- Intra-agency, inter-agency and external evidence sharing without data transfer, data duplication, physical media or email attachments
- Detailed chain-of-custody logging when sharing
- Revoke access to previously shared content
- Prevent a recipient of shared content from downloading or re-sharing evidence
PDQ Vision includes features to ensure the integrity and authenticity of digital evidence. These features ensure the evidence meets chain-of-custody requirements and can be proven to be authentic and free from tampering.
- Forensic fingerprint of each evidence file using an industry-standard SHA hash function. Integrity is validated before and after upload to ensure no changes occurred during transmission.
- Full tamper-proof evidence audit records. Logs the when, who, and what for each evidence file. These records cannot be edited or changed, even by account administrators.
- Original evidence files are never altered, even when derivative works (video segments) are created.
- Deletion protection, including deletion approval workflows, deletion notification emails, and a deletion remorse period to recover accidentally deleted evidence files.
PDQ Vision Platform Security
Evidence data is encrypted in transit and while at rest in storage. FIPS 140-2 approved encryption ciphers (or stronger) are utilized. PDQ Vision maintains mature, audited encryption key management procedures.
Data Encryption in Transit:
- Robust TLS 1.2 implementation with 256 bit connection
- RSA 2048 bit key
- Perfect Forward Secrecy
Evidence Data Encryption at Rest:
- 256 bit AES encryption
Vulnerability Identification and Remediation
Regular vulnerability assessments are conducted to assess PDQ Vision security controls and processes. Identification programs include frequent vulnerability scans and at least quarterly penetration tests performed by highly specialized and vetted 3rd party security firms. All identified vulnerabilities are evaluated by the PDQ Information Security team, assigned risk and remediation time frames, and tracked through remediation.
Security Monitoring and Response
PDQ Signature Systems employs a dedicated Security Operations team to monitor the security of the PDQ Vision platform. The team is highly skilled and able to respond immediately to threats and malicious actors.
Hackers and other malicious actors move fast, and they take advantage of entities that can’t keep their systems up to date and secure. PDQ Vision is delivered as Software as a Service (SaaS). Security patches are applied well within vendor recommendations, and the platform itself receives security upgrades. These frequent security updates and upgrades come out of the box with the PDQ Vision service and do not require your interaction.
By having a laser focus on security and aggressively investing to maintain such security, we are able to deploy and appropriately manage advanced security tools and threat prevention solutions that are cost- or resource-prohibitive to individual agencies. Unlike off-the-shelf anti-virus software that you install yourself, we offer advanced protections that deter even the most sophisticated attackers. We have finely tuned web application firewalls, leverage security intelligence tools for continuous monitoring, and deploy layers of defense to detect and react to malicious activity.
Shared Security Responsibility
It is important for customers to understand the measures that PDQ Signature Systems has taken to secure the PDQ Vision platform, as customers inherit our advanced security capabilities, controls and programs. This security inheritance enables customers to achieve levels of data security that far exceed what is feasible in on-premise or hybrid solutions. However, it is also critically important for customers to understand and implement the security practices that are within their responsibility and control.
Fortunately, we are here to help. In addition to the customizable security features, we have developed numerous resources to provide guidance and instruction on ensuring the security of data retained in PDQ Vision.
What You Need to Know
Each day, criminal justice and law enforcement agencies on the local, state and federal levels access the Criminal Justice Information Services (CJIS) databases for information necessary to catch lawbreakers, perform background checks and track criminal activity. Obviously, it’s vitally important that this data not fall into the wrong hands. While the loss of business intelligence can mean a major financial hit, the security of CJIS data could mean the difference between thwarting a criminal operation and allowing another to occur.
CJIS compliance keeps networks on the same page when it comes to data security and encryption and ensures that sensitive criminal justice intelligence is locked down. But before we dig into the checklist of rules to follow to become CJIS compliant, let’s take a closer look at the CJIS.
CJIS: What It Is and How to Stay CJIS Compliant
Established in 1992, CJIS is the largest division of the FBI, and comprises several departments, including the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS) and the National Instant Criminal Background Check System (NICS). CJIS monitors criminal activities in local and international communities using analytics and statistics provided by law enforcement, and their databases provide a centralized source of criminal justice information (CJI) to agencies around the country.
The world has changed a lot since 1992, and the proliferation of the Internet and the cloud, combined with the growing rate and sophistication of cyber security threats, has made protecting CJIS data more complicated than ever. Because of this growing concern, CJIS came up with a set of security standards for organizations, cloud vendors, local agencies and corporate networks.
The policies set forth by CJIS cover best practices in wireless networking, remote access, data encryption and multiple authentication. Some basic rules include:
- A limit of 5 unsuccessful login attempts by a user accessing CJIS
- Event logging of various login activities, including password changes
- Weekly audit reviews
- Active account management moderation
- Session lock after 30 minutes of inactivity
- Access restriction based on physical location, job assignment, time of day, and network address
The CJIS Advanced Authentication Requirement
FBI Security Policy section 5.6.2.2.1, or the Advanced Authentication Requirement, compels agencies to use multi-factor authentication when accessing CJI. A quick example of multi-factor authentication is your debit card. While shopping with your credit card (in the U.S., at least) requires only what you have (the number on your credit card), your debit card also requires something you know (your PIN). If a thief steals your debit card, they can’t use it until they also get your PIN.
One common type of multi-factor authentication involves a software application or physical device that generates a unique, one-time password at timed intervals. This wildcard password (what you have) adds a second level of complexity to your password (what you know), providing multiple barriers of entry to potential data thieves.
CJIS Compliance and Data Encryption
The CJIS has also established requirements for the use of data encryption when storing and using sensitive data, as well as when including CJI in communications. A minimum of 128-bit encryption is required, and keys used to decrypt data must be adequately complex (at least 10 characters long, a mix of upper and lowercase letters, numbers and special characters) and changed as soon as authorized personnel no longer need access.
Like multi-factor authentication, data encryption adds an extra layer of security to your data — if a criminal gains access to an encrypted file or communication, that information is useless without the key to decrypt it.
Email presents its own CJIS compliance challenges. A tremendous amount of criminal justice information is exchanged via email and standard email services do not offer the encryption required by CJIS. Most third-party encryption services are either difficult to use, expensive, or both. Many also require senders or receivers to establish new accounts to view CJIS-compliant emails. Signature Systems offers an alternative: cost effective, easy-to-use email encryption that works with existing email services.
Personnel and Training Considerations
Knowing what your agency needs to maintain CJIS compliance is one thing, but putting it into practice is another. It’s critical that you provide frequent staff training on CJIS best practices, make sure there’s ample documentation and knowledge sharing and implement agency-wide security protocols and password requirements.
Organizations can hire IT consultants, devote a department strictly to CJIS compliance and build the necessary infrastructure required to support the official policies. Alternatively, they can outsource their data protection services to companies that specialize in CJIS compliance. This is a great long-term solution for agencies and contractors that want to streamline their CJIS compliance efforts without making huge investments in staffing and infrastructure.
Loss of access to CJI can cripple an agency’s ability to do its job — not to mention jeopardize public safety. If CJI access is part of your agency’s operations, always err on the side of caution when it comes to data security, and stay on top of your compliance audits. Security investment, however hard on your budget, is always preferable to a leak or loss of critical criminal justice intelligence.
For secure email communications, Signature Systems offers a robust data encryption service that helps organizations comply with CJIS, HIPAA and FERPA regulatory requirements for encrypted email.
Secure, Scalable and Cost-effective
Every day, new technology merges with old systems. More data flows in. And agencies (and their servers) are overwhelmed. PDQ Vision was built to answer the data challenges of today’s law enforcement environment. Feel confident with this simplified, comprehensive evidence management system.
- Collect: Upload content in any file format, from any device
- Transfer: Automatically upload content from devices and hard drives
- Manage: Keep information organized and tag it with the correct metadata
- Retrieve: Find evidence quickly with simple search features
- Share: Grant access to people, like prosecutors, or share content with a secure link
- Increase: Scale storage space instantly and cost-effectively as needed
How We Stack Up
This is how our solution stacks up against those of other providers.
| Security Features | PDQ Vision | Hybrid Solutions with “Cloud Hosting”* | On-Premise Solutions* |
|---|---|---|---|
| Digital fingerprints to prove chain of custody | ✓ | ✓ | ✓ |
| 3rd party security assurances for data storage including ISO 27001, FedRAMP, SOC 2, PCI Level 1 | ✓ | ✓ | |
| Massive storage capability and reliability | ✓ | ✓ | |
| Evidence deletion protection (through workflows, notification emails, pending deletion period) | ✓ | | |
| Evidence audit records that cannot be altered, even by IT staff or system administrators | ✓ | | |
| Multi-factor authentication and IP whitelisting capable | ✓ | | |
| Data encryption at rest and in transit | ✓ | | |
| Auto installation of application security patches and feature upgrades | ✓ | | |
| Real-time threat detection and periodic penetration testing of application and data | ✓ | | |
* The information in this table represents the “average” offering within each evidence management solution type, based on our aggregated knowledge of competitor information.