Jail Management System - Maricopa County

Issue 6 IT Policies and Procedures
Summary
MCSO does not have formal JMS security policies and procedures that should address Criminal
Justice Information Services Security Policy requirements. Formalized IT procedures can help
MCSO implement security and other control activities during personnel absences and turnover.
MCSO should develop formalized JMS IT policies and procedures.
Criteria
The Federal Criminal Justice Information System (CJIS) Security Policy requires that MCSO
develop formal, documented procedures to facilitate the implementation of both federal and local
security policies.
COBIT recommends that IT organizations develop and communicate IT policies throughout the
organization.
Condition
MCSO’s policies and procedures do not include formalized information security policies and
procedures over the following key IT processes:
Effect
JMS and remote user account management
JMS security log reviews
Change management and program development
Patch management
Disaster recovery
Without formalized IT policies and procedures, MCSO may not be able to perform security and
control activities during employee absences and staffing changes. Also, ACJIS (Arizona
Criminal Justice Information System) and NCIC (National Crime Information Center) may
remove MCSO from their networks because of incomplete security guideline compliance.
Cause
MCSO IT personnel rely on their extensive hands-on experience in operating JMS in lieu of
formal policies and procedures and have focused their limited resources on day-to-day operations
rather than documenting IT operations.
Recommendation
MCSO should develop formalized JMS IT policies and procedures.
Maricopa County Internal Audit 15 Jail Management System–May 2012