Audit of the Department of Criminal Justice Information Services

Our office conducted a performance audit of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021.

Organization: Office of the State Auditor
Date published: April 13, 2023

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Criminal Justice Information Services (DCJIS) for the period July 1, 2020 through June 30, 2021. The purpose of our audit was to determine whether DCJIS does the following:

  • maintains its Criminal Offender Record Information (CORI) database, iCORI,[1] in accordance with Section 167A(f) of Chapter 6 of the General Laws
  • performs audits of non–law enforcement CORI requestors to confirm that each requestor has security protection over the information obtained through the iCORI database in accordance with Section 2.21(4)(d) of Title 803 of the Code of Massachusetts Regulations, which was effective during the audit period
  • ensures that all authorized law enforcement personnel who have access to criminal justice information complete cybersecurity awareness training in accordance with Sections 5.2.1 through 5.2.3 of the United States Department of Justice Federal Bureau of Investigation’s “Criminal Justice Information Services (CJIS) Security Policy,” dated June 1, 2020
  • reconciles funds received for CORI requests to the Massachusetts Management Accounting and Reporting System (MMARS) in accordance with the Office of the Comptroller of the Commonwealth’s “Cash Recognition and Reconciliation Policy,” dated July 1, 2004.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1

DCJIS does not perform audits of non–law enforcement CORI requestors to ensure that this information is properly stored and safeguarded.

Recommendations

  1. DCJIS should require its audit team to perform audits to assess whether non–law enforcement requestors properly store and safeguard the CORI they obtain from DCJIS.
  2. DCJIS should develop and implement policies and procedures that require its audit team to perform audits to assess whether non–law enforcement requestors have properly stored and safeguarded CORI.

Finding 2

DCJIS did not ensure that Criminal Justice Information System Single Sign On Application (CSSOA) users completed cybersecurity awareness training.

Recommendations

  1. DCJIS should ensure that CSSOA users complete initial cybersecurity awareness training within six months of their initial access to CSSOA and biennially thereafter.
  2. DCJIS should continually monitor that both new and existing CSSOA users have completed the required cybersecurity awareness training.

Finding 3

DCJIS does not reconcile all revenue recorded in the iCORI database.

Recommendations

  1. DCJIS should investigate and resolve the $22,343 variance.
  2. DCJIS should develop policies and procedures that require its employees to perform regular reconciliations of the revenue recorded in its iCORI database to revenue recorded in MMARS.

 

1. This database contains Massachusetts-only criminal activity and personally identifiable information such as names, birthdates, addresses, and social security numbers.
