Sample Audit Checklist for CJIS Security Policy (CJISSECPOL) Area 2
Columns: # | QUESTION | YES | NO | N/A | STANDARD | COMMENT
Page 1 of 8
5.2 Awareness Training (AT) [1]

1. Has the Tribe or TGRA developed an organizational-level awareness and training policy to ensure all personnel with physical or logical access [2] to CJI [3]/CHRI [4] are aware of their specific individual responsibilities and expected behavior when they access it or systems that contain or process it?
   Does the training policy convey the impact those individual positions have on the overall security of information systems?
   For the questions above, simply restating controls does not constitute an organizational policy or procedure.
   Standard: AT          Yes ____  No ____  N/A ____  Comment: ____
   Standard: AT          Yes ____  No ____  N/A ____  Comment: ____

2. Does the Tribe or TGRA disseminate its organization-level awareness and training policy to all personnel when their unescorted logical or physical access to any information system results in the ability, right, or privilege to view, modify, or make use of unencrypted CHRI?
   Does the Tribe or TGRA document its dissemination of the policy?
   Standard: AT-1, a.1   Yes ____  No ____  N/A ____  Comment: ____
   Standard: AT-1, a.1   Yes ____  No ____  N/A ____  Comment: ____

Footnotes:
[1] These requirements are sanctionable for audit beginning October 1, 2023.
[2] The physical or logical (electronic) ability, right or privilege to view, modify or make use of CJI.
[3] Criminal Justice Information (CJI) is the abstract term used to refer to all of the FBI CJIS-provided data necessary for law enforcement agencies to perform their mission and enforce the laws, including but not limited to: biometric, identity history, person, organization, property (when accompanied by any personally identifiable information), and case/incident history data. In addition, CJI refers to the FBI CJIS-provided data necessary for civil agencies to perform their mission, including, but not limited to, data used to make hiring decisions. The following types of data are exempt from the protection levels required for CJI: transaction control type numbers (e.g., ORI, NIC, UCN, etc.) when not accompanied by information that reveals CJI or PII.
[4] Criminal History Record Information (CHRI) is a subset of CJI: any notations or other written or electronic evidence of an arrest, detention, complaint, indictment, information or other formal criminal charge relating to an identifiable person that includes identifying information regarding the individual as well as the disposition of any charges.
3. Does the Tribe or TGRA’s organization-level awareness and training policy address its purpose [5], scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance?
   Is the policy consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines?
   Has the Tribe or TGRA developed procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls?
   Standard: AT-1, a.1(a)   Yes ____  No ____  N/A ____  Comment: ____
   Standard: AT-1, a.1(b)   Yes ____  No ____  N/A ____  Comment: ____
   Standard: AT-1, a.2      Yes ____  No ____  N/A ____  Comment: ____

4. Based on inquiry and record examination, has the Tribe or TGRA designated organizational personnel with information security awareness and training responsibilities to manage the development, documentation, and dissemination of the awareness and training policy and procedures?
   Standard: AT-1, b        Yes ____  No ____  N/A ____  Comment: ____

5. Based on inquiry and record examination, does the Tribe or TGRA review and update the current awareness and training policy annually and following changes in the information system operating environment, when security incidents occur, or when changes to the CJIS Security Policy are made?
   Standard: AT-1, c.1      Yes ____  No ____  N/A ____  Comment: ____

6. Based on inquiry and record examination, does the Tribe or TGRA review and update its procedures annually and following changes in the information system operating environment, when security incidents occur, or when changes in the CJIS Security Policy are made?
   Standard: AT-1, c.2      Yes ____  No ____  N/A ____  Comment: ____

7. Based on inquiry and record examination, does the Tribe or TGRA provide security and privacy literacy training to system users (including managers, senior executives, and contractors) as part of initial training for new users prior to the users accessing CJI, and annually thereafter?
   Standard: AT-2, a.1      Yes ____  No ____  N/A ____  Comment: ____

Footnotes:
[5] See Question 1.
8. Based on inquiry and record examination, does the Tribe or TGRA provide security and privacy literacy training to system users (including managers, senior executives, and contractors) when required by system changes or within 30 days of any security event for individuals involved in the event?
   Standard: AT-2, a.2      Yes ____  No ____  N/A ____  Comment: ____

9. Based on record examination, does the Tribe or TGRA employ one or more of the following techniques to increase the security and privacy awareness of system users?
   1. Displaying posters
      Standard: AT-2, b.1   Yes ____  No ____  N/A ____  Comment: ____
   2. Offering supplies inscribed with security and privacy reminders
      Standard: AT-2, b.2   Yes ____  No ____  N/A ____  Comment: ____
   3. Displaying logon screen messages
      Standard: AT-2, b.3   Yes ____  No ____  N/A ____  Comment: ____
   4. Generating email advisories or notices from organizational officials
      Standard: AT-2, b.4   Yes ____  No ____  N/A ____  Comment: ____
   5. Conducting awareness events
      Standard: AT-2, b.5   Yes ____  No ____  N/A ____  Comment: ____

10. Does the Tribe or TGRA update literacy training and awareness content annually and following changes in the information system operating environment, when security incidents occur, or when changes are made in the CJIS Security Policy?
    Standard: AT-2, c       Yes ____  No ____  N/A ____  Comment: ____

11. Does the Tribe or TGRA incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques?
    Standard: AT-2, d       Yes ____  No ____  N/A ____  Comment: ____

12. Does the Tribe or TGRA provide literacy training on recognizing and reporting potential indicators of insider threats?
    Standard: AT-2, (2)     Yes ____  No ____  N/A ____  Comment: ____

13. Does the Tribe or TGRA provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining?
    Standard: AT-2, (3)     Yes ____  No ____  N/A ____  Comment: ____
14. Based on record examination, does the Tribe or TGRA provide role-based security and privacy training to personnel with the following roles and responsibilities?
    All individuals with unescorted access to a physically secure location.
      Standard: AT-3, a     Yes ____  No ____  N/A ____  Comment: ____
    General User: A user, but not a process, who is authorized to use an information system.
      Standard: AT-3, a     Yes ____  No ____  N/A ____  Comment: ____
    Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that general users are not authorized to perform.
      Standard: AT-3, a     Yes ____  No ____  N/A ____  Comment: ____
    Organizational Personnel with Security Responsibilities: Personnel with the responsibility to ensure the confidentiality, integrity, and availability of CJI and the implementation of technology in a manner compliant with the CJIS Security Policy.
      Standard: AT-3, a     Yes ____  No ____  N/A ____  Comment: ____

15. Based on inquiry and record examination, does the Tribe or TGRA provide role-based security and privacy training to personnel before authorizing access to the system or information, or before they perform assigned duties, and annually thereafter?
    Standard: AT-3, a.1     Yes ____  No ____  N/A ____  Comment: ____

16. Based on inquiry and record examination, does the Tribe or TGRA provide role-based security and privacy training to personnel when required by system changes?
    Standard: AT-3, a.2     Yes ____  No ____  N/A ____  Comment: ____

17. Does the Tribe or TGRA update role-based training content annually and following audits; changes in the information system operating environment; security incidents; or when changes are made to the CJIS Security Policy?
    Standard: AT-3, b       Yes ____  No ____  N/A ____  Comment: ____

18. Does the Tribe or TGRA incorporate lessons learned from internal or external security incidents or breaches into role-based training?
    Standard: AT-3, c       Yes ____  No ____  N/A ____  Comment: ____
19. Based on record examination, does the Tribe or TGRA incorporate, at a minimum, the following topics into appropriate role-based training content for all individuals with unescorted access to a physically secure location?
    a. Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted Files Information Penalties
       Standard: AT-3, d.1.a   Yes ____  No ____  N/A ____  Comment: ____
    b. Reporting Security Events
       Standard: AT-3, d.1.b   Yes ____  No ____  N/A ____  Comment: ____
    c. Incident Response Training
       Standard: AT-3, d.1.c   Yes ____  No ____  N/A ____  Comment: ____
    d. System Use Notification
       Standard: AT-3, d.1.d   Yes ____  No ____  N/A ____  Comment: ____
    e. Physical Access Authorizations
       Standard: AT-3, d.1.e   Yes ____  No ____  N/A ____  Comment: ____
    f. Physical Access Control
       Standard: AT-3, d.1.f   Yes ____  No ____  N/A ____  Comment: ____
    g. Monitoring Physical Access
       Standard: AT-3, d.1.g   Yes ____  No ____  N/A ____  Comment: ____
    h. Visitor Control
       Standard: AT-3, d.1.h   Yes ____  No ____  N/A ____  Comment: ____
    i. Personnel Sanctions
       Standard: AT-3, d.1.i   Yes ____  No ____  N/A ____  Comment: ____
20. Based on record examination, does the Tribe or TGRA include the following topics in appropriate role-based training content for a General User [6], in addition to AT-3 d.1?
    a. Criminal Justice Information
       Standard: AT-3, d.2.a   Yes ____  No ____  N/A ____  Comment: ____
    b. Proper Access, Use, and Dissemination of NCIC Non-Restricted Files Information
       Standard: AT-3, d.2.b   Yes ____  No ____  N/A ____  Comment: ____
    c. Personally Identifiable Information
       Standard: AT-3, d.2.c   Yes ____  No ____  N/A ____  Comment: ____
    d. Information Handling
       Standard: AT-3, d.2.d   Yes ____  No ____  N/A ____  Comment: ____
    e. Media Storage
       Standard: AT-3, d.2.e   Yes ____  No ____  N/A ____  Comment: ____
    f. Media Access
       Standard: AT-3, d.2.f   Yes ____  No ____  N/A ____  Comment: ____
    g. Audit Monitoring, Analysis, and Reporting
       Standard: AT-3, d.2.g   Yes ____  No ____  N/A ____  Comment: ____
    h. Access Enforcement
       Standard: AT-3, d.2.h   Yes ____  No ____  N/A ____  Comment: ____
    i. Least Privilege
       Standard: AT-3, d.2.i   Yes ____  No ____  N/A ____  Comment: ____
    j. System Access Control
       Standard: AT-3, d.2.j   Yes ____  No ____  N/A ____  Comment: ____
    k. Access Control Criteria
       Standard: AT-3, d.2.k   Yes ____  No ____  N/A ____  Comment: ____
    l. System Use Notification
       Standard: AT-3, d.2.l   Yes ____  No ____  N/A ____  Comment: ____
    m. Session Lock
       Standard: AT-3, d.2.m   Yes ____  No ____  N/A ____  Comment: ____
    n. Personally Owned Information Systems
       Standard: AT-3, d.2.n   Yes ____  No ____  N/A ____  Comment: ____
    o. Password
       Standard: AT-3, d.2.o   Yes ____  No ____  N/A ____  Comment: ____
    p. Access Control for Display Medium
       Standard: AT-3, d.2.p   Yes ____  No ____  N/A ____  Comment: ____
    q. Encryption
       Standard: AT-3, d.2.q   Yes ____  No ____  N/A ____  Comment: ____
    r. Malicious Code Protection
       Standard: AT-3, d.2.r   Yes ____  No ____  N/A ____  Comment: ____
    s. Spam and Spyware Protection
       Standard: AT-3, d.2.s   Yes ____  No ____  N/A ____  Comment: ____
    t. Cellular Devices
       Standard: AT-3, d.2.t   Yes ____  No ____  N/A ____  Comment: ____
    u. Mobile Device Management
       Standard: AT-3, d.2.u   Yes ____  No ____  N/A ____  Comment: ____
    v. Wireless Device Risk Mitigations
       Standard: AT-3, d.2.v   Yes ____  No ____  N/A ____  Comment: ____
    w. Wireless Device Malicious Code Protection
       Standard: AT-3, d.2.w   Yes ____  No ____  N/A ____  Comment: ____
    x. Literacy Training and Awareness/Social Engineering and Mining
       Standard: AT-3, d.2.x   Yes ____  No ____  N/A ____  Comment: ____
    y. Identification and Authentication (Organizational Users)
       Standard: AT-3, d.2.y   Yes ____  No ____  N/A ____  Comment: ____
    z. Media Protection
       Standard: AT-3, d.2.z   Yes ____  No ____  N/A ____  Comment: ____

Footnotes:
[6] A user, but not a process, who is authorized to use an information system.
21. Based on record examination, does the Tribe or TGRA include the following topics in appropriate role-based training content for a Privileged User [7], in addition to AT-3 d.1 and 2?
    a. Access Control
       Standard: AT-3, d.3.a   Yes ____  No ____  N/A ____  Comment: ____
    b. System and Communications Protection and Information Integrity
       Standard: AT-3, d.3.b   Yes ____  No ____  N/A ____  Comment: ____
    c. Patch Management
       Standard: AT-3, d.3.c   Yes ____  No ____  N/A ____  Comment: ____
    d. Data backup and storage—centralized or decentralized approach
       Standard: AT-3, d.3.d   Yes ____  No ____  N/A ____  Comment: ____
    e. Most recent changes to the CJIS Security Policy
       Standard: AT-3, d.3.e   Yes ____  No ____  N/A ____  Comment: ____

22. Based on record examination, does the Tribe or TGRA include the following topics in appropriate role-based training content for Organizational Personnel with Security Responsibilities [8], in addition to AT-3 d.1, 2 and 3?
    a. Local Agency Security Officer Role
       Standard: AT-3, d.4.a   Yes ____  No ____  N/A ____  Comment: ____
    b. Authorized Recipient Security Officer Role
       Standard: AT-3, d.4.b   Yes ____  No ____  N/A ____  Comment: ____
    c. Additional state/local/tribal/territorial or federal agency roles and responsibilities
       Standard: AT-3, d.4.c   Yes ____  No ____  N/A ____  Comment: ____
    d. Summary of audit findings from previous NIGC audits of local agencies
       Standard: AT-3, d.4.d   Yes ____  No ____  N/A ____  Comment: ____
    e. Findings from the last FBI CJIS Division audit
       Standard: AT-3, d.4.e   Yes ____  No ____  N/A ____  Comment: ____

23. Does the Tribe or TGRA provide all personnel with initial and annual training in the employment and operation of personally identifiable information processing and transparency controls when their unescorted logical or physical access to any information system results in the ability, right, or privilege to view, modify, or make use of unencrypted CJI?
    Standard: AT-3, (5)     Yes ____  No ____  N/A ____  Comment: ____

Footnotes:
[7] A user that is authorized (and, therefore, trusted) to perform security-relevant functions that general users are not authorized to perform.
[8] Personnel with the responsibility to ensure the confidentiality, integrity, and availability of CJI and the implementation of technology in a manner compliant with the CJISSECPOL.
24. Does the Tribe or TGRA document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training?
    Standard: AT-4, a       Yes ____  No ____  N/A ____  Comment: ____

25. Does the Tribe or TGRA retain individual training records for a minimum of three years?
    Standard: AT-4, b       Yes ____  No ____  N/A ____  Comment: ____