Section 3 of the FBI-CJIS Security Policy defines Roles and Responsibilities for an agency. With regard to this specific question, the answer is that the responsibility for this can be in either department. There are a few more roles outlined in this section that indicate a staff role assignment within an agency, etc., however, the role of CJIS Systems Agency Information Security Officer (CSA ISO) noted in Section 3.2.8 does not prohibit the role from going to an IT security person as you describe. The same can be said for the role you inquire about, the Local Agency Security Officer (LASO) in Section 3.2.9. Each of these roles has differences in responsibility and may be held by the same person.

The role is best filled with the person who has the high level working knowledge of the networks, systems application and appropriate use requirement with the authority to impact carrying out the policy over the users, application development, networks, etc. This is best determined through discussion with the agency head who has been given responsibility and access privileges to FBI-CJIS Systems and FBI CJI Criminal Justice Information and the IT department, to determine who can carry out the responsibilities effectively with the expectations for compliance. As IT has gotten more complex this often requires a collaborative effort between IT and the persons responsible for the user community. The CJIS Information Security Officer role is an administrative position that ensures policy compliance across business lines that encompass the users and IT assets. Cybersecurity requires is a specific skill set requiring much more day-to-day technical expertise.