Dogfooding: How PowerDMS Used PowerDMS for CJIS Compliance
- Written by Heath Hensley - CTO
- May 26 2015
Have you ever heard the term dogfooding? It’s a slang term that has been used in the software industry for decades and basically means using your own product. PC Mag Encyclopedia says the expression comes from a 1970s television ad campaign for dog food, in which actor Lorne Greene told consumers, “When it comes to feeding my own dog, I know there isn’t a better dog food than Alpo.” The message to the consumer was that the product spokesman thought Alpo was so good he used it himself.
We’ve been doing a lot of “dogfooding” around PowerDMS these days. Our most recent dogfooding endeavor was the process of assessing ourselves against the Criminal Justice Information Services (CJIS) Security Policy.
The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy is the baseline set of standards developed and approved by the FBI CJIS Advisory Policy Board (APB) for securing criminal justice information (CJI). Wow, four acronyms in one sentence, let me take it down a notch. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination—whether at rest or in transit.
Why does a software company like PowerDMS care about a set of standards designed to protect criminal justice information? One of the primary industries we serve is law enforcement, and protecting criminal justice information is important to this industry. With that said, it is also important to us, especially if an agency intends to store, view and disseminate CJI with PowerDMS. With this in mind, the team at PowerDMS set out to ensure all of our systems, processes, procedures, and people were up to par with the FBI’s standards. Here is where the dogfooding came in.
PowerDMS is a cloud-based software solution developed to simplify risk and compliance related content management. Our product has a unique set of tools to help an organization assess, or audit, themselves against industry best practices and governing standards. PowerDMS also ensures the appropriate people approve, review, understand and sign-off on the right information, at the right time. In this situation, we needed to ensure the way we operate our business, and specifically how we protect our customers’ data, is compliant with the CJIS Security Policy. And that is what we did.
In our own internal PowerDMS site we subscribed to the CJIS Security Policy, started an assessment, and proceeded to go through the manual standard by standard, aligning our own policies, procedures and proof of compliance to each one to ensure there were no gaps.
Screen shot of our own encryption policy aligned with the CJIS encryption standard in PowerDMS.
Any security officer or compliance manager will tell you this is no small task, even with help from an awesome tool like PowerDMS. Luckily for us, we have an incredible GRC team and great partners that helped along the way. Sienna Group, our security partner, played a vital role as an unbiased second set of eyes on everything and aided in developing the new policies, procedures and/or training needed to fill in the gaps. Another helpful partner was Rackspace, our hosting provider. The technical and compliance teams at Rackspace ensured all of the physical and logical infrastructure for PowerDMS.com was up to par with the CJIS Security Policy. In addition to these partners, there were several members of the law enforcement community who were extremely helpful when we needed a better understanding of a particular standard. Ted DeRosa with the Colorado Bureau of Investigation, Larry Coffee with the Florida Department of Law Enforcement, and Robert Jordan with the Highlands County Sheriff’s Office, along with several others, were always willing to take our call and share their experience and understanding of the FBI standards.
After reviewing the 138 standards, attaching 346 proofs of compliance, making some adjustments and additions to our policies and procedures, tweaking a few things in our infrastructure, and spending countless hours in GRC team discussions, we are proud to say PowerDMS is compliant with the CJIS Security Policy.
Screen shot of a summary of our assessment in PowerDMS of the CJIS Security Policy.
The ongoing process of complying with the CJIS Security Policy has held us to a high standard for how we operate and how we ensure the availability, integrity and security of our customers’ data. I use the word “ongoing” very intentionally here because we know compliance and risk mitigation are ever-changing. The world is always changing, and the standards that attempt to govern it change as well. Organizations also change rapidly; therefore, we believe risk mitigation and compliance efforts need to be living and agile. These facts influence how we build our product. We obsess over the unique needs our customers have for their living and relational content. We consider the content “living” because it is expected to change and remain relevant. We consider it “relational” because it affects other content and, more importantly, many people in an organization. Building and supporting tools to manage an organization’s living and relational content is our passion.
We hope that by “dogfooding” here at PowerDMS we will create better products and services for our customers. We have learned a tremendous amount through using our own product for CJIS compliance. All in all, we think our dog food tastes pretty good. Can it be better? Always. With that being said, I am going to get back to work…
Thanks for reading!
To learn more about the topics discussed in this blog post check out the links below:
About the Author:
Heath Hensley is the Chief Technology Officer at PowerDMS. In 2004, while pursuing his degree in computer engineering from the University of Central Florida, Heath joined the PowerDMS team. He was the third employee. As co-creator of the software, Heath is credited with the early design and development of fundamental features essential to the current application. As the company has grown throughout the years, so has the scope of Heath’s responsibilities. In his current role as CTO, he is an integral member of the PowerDMS leadership team—leading multiple departments; guiding new SaaS product development; and overseeing the company’s internal technology infrastructure.