“I have worked with hundreds of vendors in my twelve years as CJIS ISO in Texas, and never have I found any vendor more committed to law enforcement.” Alan Ferretti, Former CJIS ISO in Texas
Alan Ferretti, former Texas CJIS Information Security Officer (ISO), and I have been working together for nearly five years. He recently retired and wanted to provide his perspective on being a former CJIS ISO and working with Microsoft.
As a State CJIS ISO, you never know what you’ll be dealing with when the phone rings. Sometimes it might be an auditor with a disabled vehicle up in the Panhandle, or it may be a county judge asking for a reason law enforcement personal computers need antivirus software when others in the county don’t, or even a city manager wanting to know why they can’t have full run of the police department. It’s always something!
So, the phone call I got in the summer of 2012 wasn’t unusual. It was the Chief Information Security Officer (CISO) from the state of Texas. He explained there was an upcoming meeting with many state agencies and Microsoft to talk about this thing called “cloud computing.” He said he would review it for compliance with the Texas Administrative Code (TAC) and would like me to look at it from a CJIS compliance perspective. The plan was to make the Microsoft government cloud services available to all state and local governments in Texas through the state's preapproved procurement process.
I drove over to the Microsoft building at the scheduled time. The room was filled with a lot of state and Microsoft people. We listened to the presentations and then moved into the Q&A session. The state CISO asked a couple of clarification questions before pronouncing that it met all the requirements found in the TAC. That’s when I introduced Microsoft to the CJIS Security Policy. I explained what it was and why it exists. We made a small start in looking at the Policy and then the Microsoft team took it with them and we agreed to meet again after their review.
Follow up meetings were held. We did in-person meetings, video conferences, and corresponded about the Policy via email. When finished, we had made it through the entire Policy, section by section. All issues were sorted out and any confusion about what a policy section meant was well understood by Microsoft. Their folks became experts on not just the Policy, but the reason behind each requirement.
We then took the Security Addendum from the policy and added it to the contract available to all state and local agencies. This sounds easy, but keep in mind that this addition triggered state agency lawyer involvement. It is never a quick process. We also had to set up a way to receive, process, and inform Microsoft of the fingerprint screening results of their employees along with getting the signed CJIS Security Addendums on file. Not one problem was encountered. The Microsoft folks and the Texas Department of Public Safety folks were both professional and got the job done.
I must say, I have worked with hundreds of vendors in my twelve years as CJIS ISO in Texas, and never have I found any vendor more committed to law enforcement, more knowledgeable about the Policy requirements, and more compliance-aware than all the folks at Microsoft. It starts at the top and flows through their entire organization. The early efforts were well worth it and are paying dividends now for all law enforcement across the country. If you are looking for a vendor partner to support your usage of Cloud Computing, you’ll do no better than Microsoft.