It is commonplace today to see one central interdisciplinary communications administration overseeing multiple agencies or multiple jurisdictions over a territory — statewide, county-wide or city-wide. In fact, the real beauty of such a setup is the ability to share the costs of a multi-million dollar communications infrastructure, to avoid duplicating IT staff and know-how, and to realize economies of scale with regard to procurement of associated software and hardware.
A crucial part of the overall communications technology has to do with the sharing and transmission of mobile data — text messaging, dispatch, NCIC queries, mug shots, vehicle location tracking, mapping, field reporting, image sharing, intranet and Internet connectivity and even video streaming.
Agencies sharing the mobile data communications infrastructure, whether they are law enforcement, fire, EMS, corrections or public works, are subject to various legal and regulatory security compliance rules with regard to their wireless access to data.
The most prominent example of security compliance rules is the FBI's CJIS (Criminal Justice Information Services) Security Policy, the latest iteration from December 2008. The policy applies to any agency that requires access to the FBI's criminal justice information database, whether at the international, federal, state or local level, and provides the minimum level of information technology (IT) security requirements determined acceptable for the transmission, processing and storage of criminal justice data.
In order to be compliant, agencies must put into place the following security mechanisms:
- VPN — VPN software, preferably a mobile VPN, is installed to secure any communication to and from a non-secure location;
- Encryption — All data must be sent over the air encrypted; the FBI mandates the usage of FIPS 140-2 compliant encryption, at a minimum level of 128 bits, either AES or 3DES;
- User authentication — Validates mobile users attempting to log onto the network;
- Advanced (strong) authentication — An additional two-factor security methodology also working toward validating user identity; biometrics or token keys are tools commonly used by law enforcement.
In addition to these general requirements, agencies must ensure that CJIS-related data is sent on a VLAN separate from the one used for other agencies' data. Similarly, administrators without the credentials to access CJIS information should not be able to manage these areas.
Multiple groups, diverse needs
Where things get complicated is when you consider that other types of agencies sharing the common system are potentially subject to other rules. Consider that the fire or EMS departments are subject to Health Insurance Portability & Accountability Act (HIPAA) regulations, which include stipulations on the transmission of individually identifiable health information over public networks.
The IT administrator of a multi-agency or multi-jurisdictional communications center therefore has the challenge of customizing security and access policies for multiple groups of end-users based on operational as well as regulatory rules. Moreover, security rights should be customized on the system administrator side as well, ensuring that IT staff who manage the fire department and lack CJIS credentials can only manage the users and devices for which they are responsible: those belonging to the fire department, and not those linked to CJIS, such as the police department's.
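The requirements listed above (VPN, FIPS 140-2 encryption at 128 bits or more, both authentication layers, VLAN separation and administrator scoping) can be checked mechanically against a deployment inventory. The following is an added example, not part of the original article; the record layout, agency names and admin names are constructed, and it assumes "other agencies" means those that do not handle CJIS data.

```python
from dataclasses import dataclass

ALLOWED_CIPHERS = {"AES", "3DES"}  # ciphers named in the article's summary
MIN_KEY_BITS = 128                 # minimum strength stated there

@dataclass
class Agency:  # hypothetical record layout
    name: str
    cjis: bool        # handles CJIS data
    vlan: int
    vpn: bool
    cipher: str
    key_bits: int
    fips_140_2: bool
    user_auth: bool
    advanced_auth: bool

def audit(agencies, admins):
    """Return (subject, finding) pairs. admins maps admin name ->
    (cjis_cleared, set of agency names managed)."""
    out, by_name = [], {a.name: a for a in agencies}
    for a in (x for x in agencies if x.cjis):
        if not a.vpn:
            out.append((a.name, "no VPN"))
        if a.cipher not in ALLOWED_CIPHERS or a.key_bits < MIN_KEY_BITS or not a.fips_140_2:
            out.append((a.name, "encryption below requirement"))
        if not a.user_auth:
            out.append((a.name, "no user authentication"))
        if not a.advanced_auth:
            out.append((a.name, "no advanced authentication"))
        # Assumption: "other agencies" means those not handling CJIS data.
        for b in agencies:
            if not b.cjis and b.vlan == a.vlan:
                out.append((a.name, f"shares VLAN {a.vlan} with {b.name}"))
    for admin, (cleared, managed) in admins.items():
        for n in sorted(managed):
            if by_name[n].cjis and not cleared:
                out.append((admin, f"uncleared admin manages {n}"))
    return out

# Constructed sample deployment (not from the article).
AGENCIES = [
    Agency("police", True, 10, True, "AES", 256, True, True, True),
    Agency("sheriff", True, 20, True, "AES", 128, True, True, False),
    Agency("fire", False, 20, True, "AES", 128, True, True, True),
]
ADMINS = {"pd_it": (True, {"police", "sheriff"}), "fire_it": (False, {"fire", "sheriff"})}

if __name__ == "__main__":
    for subject, finding in audit(AGENCIES, ADMINS):
        print(f"{subject}: {finding}")
```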
Consider the variables involved: