Police Chiefs Issue Guidance for Cloud Computing
The WasteWatcher
On February 21, 2012, a Swineline blog post proposed that cloud computing is a viable option for law enforcement. This followed the Federal Bureau of Investigation’s announcement on February 7, 2012 that cloud vendors must comply with the Department of Justice’s Criminal Justice Information Services (CJIS) security policy after city officials in Los Angeles claimed that cloud computing was incompatible with CJIS.
The International Association of Chiefs of Police (IACP) issued Guiding Principles on Cloud Computing in Law Enforcement during a symposium held on January 31, 2013. This guidance is aimed at helping police departments throughout the country attain the potential benefits of cloud computing, while ensuring that the information they are responsible for maintaining is safe and secure. Among the principles cited by IACP are compliance by cloud providers with CJIS security policies; data ownership retention by law enforcement agencies; prohibitions on data mining or analytics by cloud providers; regularly scheduled audits of cloud providers’ performance, use, access, and compliance with terms of agreement; interoperability and portability of law enforcement data; maintenance of physical or logical integrity of law enforcement data; provisioning for potential changes in the business structure, operations or organization of the cloud services provider and continuity of operations and security of data; confidentiality of law enforcement data; availability of data to law enforcement when required; and a focus on the total cost of ownership model for cloud computing.
A January 2013 survey released by IACP and the Ponemon Institute at the January 31 symposium indicated that 74 percent of law enforcement officials believe that cloud provider employees should pass background checks, and 43 percent believe that the greatest cloud security risk comes from cloud provider employees. The survey further showed that 89 percent of the respondents believed cloud providers must abstain from data mining and 71 percent felt that CJIS compliance is make-or-break for cloud.
The guidelines combine privacy, security, portability, and governance with total cost of ownership, and many of these recommendations coincide with CAGW’s own guidance found in Cloud Computing 201: Guidelines for Successful Cloud Investments.