VoIP and Law Enforcement Compliance/Complications

VoIP has made inroads into various industries within a short period. Different types of organizations – from national retail chains to local small businesses – are discovering that VoIP has something for them. It is hard to find an organization that does not have plans for VoIP in the near future. Part of the decision is fueled by fears that the PSTN will be shut down in a few years. But for the most part, lower costs and sophisticated features are sufficient enticements for organizations to upgrade.

However not all industry sectors have adopted VoIP to the same extent. Some businesses have to comply with specific security and privacy legislation. Not all vendors are able to offer certified solutions, which limits the choice for clients. Others might operate in areas with poor Internet access which restricts the use of VoIP. Law enforcement agencies and related bodies are among those that have to be careful when upgrading to new solutions.

Criminal Justice Information Systems (CJIS) Security Policy – FBI

One of the benefits of switching to VoIP is that organizations don’t have to maintain two separate networks for voice and data. While it reduces upfront and maintenance costs, it also means that voice and data share the same network infrastructure. This can be a problem for law enforcement agencies that need to comply with the CJIS security policy.

The CJIS security policy protects and governs all CJIS databases. These databases contain extremely sensitive information such as fingerprint data, arrest records, license plate numbers and so on. Agencies and users that access the data have to comply with strict security requirements as laid out in the CJIS security policy. The reason for this is readily understood – security breaches related to this type of data can have severely damaging consequences.

Generally speaking, phone calls and voice infrastructure are not secured to the same extent as the servers that hold sensitive data. When police departments used PSTN systems, there was a clear separation between voice calls and databases. However if they want to upgrade to VoIP, the security requirements complicate the process. While hosted VoIP services are the most popular alternative for businesses, they don’t meet the security requirements necessary for law enforcement agencies.

There are restrictions related to on premise SIP deployments as well. For instance, physical security is very important under the CJIS policy. Agencies have to lock network equipment such as LAN racks inside cabinets and only certified technicians should be able to access them. Similarly many companies use softphones – applications installed on computers that can make calls – to reduce costs. However this exposes the VoIP network to external security threats. So law enforcement agencies cannot use them.

Who Has to Comply with CJIS Security Policy?

Any agency or organization that has access to the CJIS databases, has to comply with the security policy. Some organizations may have access to all the data while others have restricted access under specific circumstances. City or county police departments typically have full access. It means that the entire IT infrastructure as well as all employees fall under the policy.

On the other hand there are government contractors whose HR department may access these databases now and then for a specific purpose (background checks, vetting prospective job candidates etc.). In these cases, only a few computers and users fall under the CJIS policy. Thus navigating the security landscape and designing appropriate solutions is a much more complicated process than for other companies.

Issues Related to CJIS Compliance

Organizations that fall under CJIS policy need to adhere to specific requirements. Some of them are:

• Manage all types of risks to data and information systems when deploying VoIP
• Ensure access to E-911 emergency communications
• Physical controls are very important and equipment must be monitored at all times
• Adequate protection systems must be implemented. These should be enabled at all times and tested for effectiveness
• Emphasis on passwords and access controls, especially for mobile units
• Need to follow all relevant privacy and security statutory requirements

There are different issues depending on whether the law enforcement agency is considering hosted VoIP or on premise SIP deployments. One of the main difficulties is separating access to data from voice calls. Since VoIP utilizes the same network infrastructure for both these functions, creating such a separation increases costs.

In many cases, police agencies opt to deploy a separate LAN for VoIP. It means that the VoIP infrastructure does not have to comply with CJIS requirements that govern data. It negates much of the cost savings associated with VoIP deployment. In the end, law enforcement agencies may have to spend twice as much on VoIP as other organizations of similar size. Fortunately quite a few vendors are developing CJIS compliant solutions that cater to law enforcement and city organizations. After all, organizations will have no choice but to upgrade to VoIP when the PSTN is finally shut down.