Data Exchange Solutions
CJIS Policies Related to GovTransfer
Adopted by Data Exchange Solutions 8/1/2022
Criminal Justice Information (CJI) Handling
(1.3, 5.1.1.1)
Purpose
All Data Exchange Solutions (hereafter referred to as “DES”) personnel will follow all applicable laws and procedures to maintain the integrity and security of state and national criminal justice information systems as mandated by the Criminal Justice Information Services (CJIS) Systems Agency (CSA) and the Federal Bureau of Investigation (FBI). All handling of Criminal Justice Information (CJI) shall be in conformance with CJIS Security Policy and applicable state statutes. No policy shall be construed to be inconsistent with any aspect of CJIS Security Policy (CSP). This policy applies to all CJI information regardless of form, including its handling, storage, archival, and transmission via electronic, physical, or other media. This policy applies to the proper use CJI for criminal justice purposes.
DES is a private entity contracted by a governmental entity to perform the administration of criminal justice (28 CFR 20.3(b)), including access to CJI. DES is authorized access to CJI via the CJIS Security Addendum process.
Scope
This policy shall apply to all DES personnel, including contractors and subcontractors, or as otherwise specified, for access, processing, storage, dissemination, and destruction of criminal justice information.
Discussion
The goal of this policy is to protect CJI and CJI systems from unauthorized disclosure, alteration, or misuse. It is meant to ensure that all DES personnel authorized to collect, store, maintain, disseminate, or otherwise access CJI data conform to all rules and regulations set forth by CJIS Security Policy and applicable state Statutes and policies.
Definitions
A. Administration of Criminal Justice – as per 28 CFR (Code of Federal Regulations) 20.3(b), the performance of any of the following activities: detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. The administration of criminal justice shall include criminal identification activities and the collection, storage, and dissemination of criminal history record information.
B. Authorized Personnel – Personnel who has been properly vetted for access to CJI, including 1) passing a national criminal justice fingerprint-based background check, 2) completion of the appropriate level of security awareness training, and 3) signing the Security Addendum Certification Page.
C. Criminal History Record Information (CHRI) — A subset of CJI. Any notations or other written or electronic evidence of an arrest, detention, complaint, indictment, information, or other formal criminal charge relating to an identifiable person that incluDES identifying information regarding the individual as well as the disposition of any charges.
D. Criminal Justice Information (CJI) – In general, it is any information obtained from an FBI or CSA CJIS system, including, but not limited to, biometric, identity history, biographic, property, and case/incident history that has not been officially released to the public or otherwise authorized for release by court order.
E. CJIS Systems Agency (CSA) – A duly authorized state, federal, international, tribal, or territorial criminal justice agency on the CJIS network providing statewide (or equivalent) service to its criminal justice users with respect to the CJIS data from various systems managed by the FBI CJIS Division. There shall be only one CSA per state or territory on connecting to the FBI CJIS systems.
F. Criminal Justice Agency (CJA) – As per 28 CFR 20.3(g), Criminal justice agency means:
(1) Courts; and
(2) A governmental agency or any subunit thereof that performs the administration of criminal justice pursuant to a statute or executive order, and that allocates a substantial part of its annual budget (more than 50%) to the administration of criminal justice. State and Federal Inspector General Offices are included.
G. Dissemination – The transmission/distribution of CJI/CHRI to Authorized Recipients within an agency.
H. NCIC – National Crime Information Center. An information system which stores CJI which can be queried by appropriate Federal, state, and local law enforcement and other criminal justice agencies.
I. Non-criminal Justice Agency (NCJA) – A governmental agency or any subunit thereof that provides services primarily for purposes other than the administration of criminal justice.
J. ORI (Originating Agency Identifier) – An FBI assigned number used to identify criminal justice and noncriminal justice agencies. ORIs are nine characters in length. The first two characters denote the state where the agency is located, e.g., the ORI for the Travis County Sheriff’s Office in Austin, TX is TX2270000.
K. Personally Identifiable Information (PII) – Defined as information about a person that contains some unique identifiers, including but not limited to name or Social Security Number, from which the identity of the person can be determined.
L. Secondary Dissemination — The transmission/distribution of CJI/CHRI from an agency to another authorized recipient agency when the recipient agency has not been previously identified in a formal information exchange agreement.
Procedures
A. CJI Information Security
All DES employees, including contractors and subcontractors, shall adhere to all requirements set forth in the Information Security Policy.
B. Agreements
All access to CJI is predicated on appropriate agreements. DES alone has no right to access, process or store CJI. Access is permitted pursuant to an agreement which specifically identifies DES’s purpose and scope of providing services for the administration of criminal justice. The agreement between the CJA and DES incorporates the CJIS Security Addendum approved by the Director of the FBI, acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 (a)(7).
C. Physical security
Users shall adhere to all requirements of the DES CJI Related Physical Protection Policy.
D. Technical Security
Users shall adhere to all technical security related requirements of this policy. Any questions should be forwarded to the DES Compliance Officer for clarification.
E. Training
Access to CJI shall be limited to those authorized personnel who have met the training requirements specified in CJIS Security Policy for access to CJI. All training records shall be maintained by DES utilizing CJIS Online.
1. Persons with unescorted access in CSP defined physically secure locations shall complete basic security awareness training. These personnel do not perform the administration of criminal justice. This training is currently referred to as “Level 1” training.
2. All persons with access to CJI: security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all employees who have access to CJI. This training is currently referred to as “Level 2” training.
3. Persons with logical access to CJIS applications: Users whose responsibilities include query or entry of CJI via CJIS systems shall successfully complete CJIS certification training. Training must be renewed biennially. This training is currently referred to as “Level 3” training.
4. Information Technology employees: In addition to training specified in 1), 2), and 3) above, IT employees shall complete CJIS Security & Awareness Training. Training must be renewed biennially. This training is currently referred to as “Level 4” training.
F. Audit Logs
1. DES shall maintain audit records and accountability controls of all CJIS system activities as required by the CJIS Security Policy. Auditing will be applied at the server level to obtain sufficient information to establish the types of events, the sources of the events, required content, and the outcome of the events.
2. DES IT will review the audit logs on a weekly basis as per the CSP for anomalies or potential security incidents. Additionally, Customers who have a valid, signed Master Services Agreement with DES will have online access to the audit logs.
3. DES shall increase the frequency of audit log review based on credible IT threats to DES, the application, and/or the Customer(s).
4. DES shall maintain audit logs on-line for the duration of the Master Services Agreement between DES and the Customer. Audit logs will be maintained for 60 days after the Services Agreement is terminated and the logs will be made available upon written request.
G. NCIC Data
In accordance with the NCIC Operations Manual users and systems must meet the requirements of the CJIS Security Policy prior to cutting or copying and pasting from an NCIC response into a local system. Local systems include e-mail, records management system, jail management system, or any other computer application or storage medium.
H. CJI Information E-Mailed
DES email system does not currently encrypt email to Customers, and is not used for any transmission of CJI.
I. Personally Identifiable Information (PII)
DES personnel shall protect Personally Identifiable Information (PII) using the security policies mandated for CJI.
J. CJIS Compliance Officer
1. In accordance with CJIS Security Policy, DES shall designate a CJIS Compliance Officer. The CJIS Compliance Officer will ensure the following duties are completed:
a. Identify who is using the CJIS approved hardware, software, and firmware and ensure no unauthorized DES employees or processes have access to the same.
b. Identify and document how the equipment is connected to the state system if any connection to the State System exists.
c. Ensure that employee security screening procedures are being followed as stated in this policy.
d. Ensure the approved and appropriate security measures are in place and working as expected.
e. Support policy compliance and ensure the client(s) CJIS Compliance Officer is promptly informed of security incidents.
K. Information Exchange/Secondary Dissemination (5.1.1)
1. Dissemination of CJI/CHRI is restricted to authorized Customer agencies and personnel, only as determined by the Customer.
2. DES will not share, disseminate, or forwarding CJI to another entity.
3. If the person or agency is unknown to the Customer personnel, Customer is require to:
● Ask to see the requestor’s credentials
● Ask the requestor’s supervisor’s name and phone number
● Ask the requestors to identify their agency and the agency’s ORI
● Contact the agency using a number found on the internet for the agency (do not use the number provided by the individual).
● Ask for the supervisor, and confirm the requestor works for the agency and that the requestor is authorized to receive CJI
● Log the dissemination in a secondary dissemination log
Q. Patch Management (5.10.4.1)
1. DES will develop and maintain a list of all services, including but not limited to, operating systems, applications, databases, firmware, used by DES where the developer issues security patches. (The list is named CJIS Related Systems and is located on a DES shared drive.)
2. DES will test the patch before applying it to the identified system.
3. As part of patch implementation, a rollback procedure will be identified prior to the install.
4. If possible, identified updates will be automated. Those services not eligible for auto-update will be identified below along with their typical projected implementation schedule.
5. Patch management will be controlled by DES IT.
S. Security Alerts and Advisories (5.10.4.4 (3))
1. DES subscribes to multiple security alerts/advisories, including:
● US-CERT Alerts
(https://www.us-cert.gov/ncas/alerts/index): Information about current security issues, vulnerabilities, and exploits. Alerts are released when there is an issue that affects the general public and outline the steps and actions users can take to protect themselves from attack.
● US-CERT Current Incident List
(https://www.us-cert.gov/ncas/current-activity): Summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT
● SANS Newsbites:
(https://www.sans.org/newsletters/): Executive summary of important security news
● ISS/X-Force Alerts & Advisories
(https://exchange.xforce.ibmcloud.com/new): Information on Internet threats and vulnerabilities
● Internet Storm Center
(https://isc.sans.edu//): Distributed Intrusion Detection Report
2. DES IT will review security alerts and advisories for applicability to DES operations and IT assets (including updates associated with mobile devices and systems).
3 DES IT will take appropriate actions based on security alerts and advisories to protect DES IT assets.
3. DES IT will notify applicable personnel via email or other communications regarding any relevant security alerts. The notification will include actions to be taken by DES personnel to protect DES assets and CJI data and systems.
T. Use of Bluetooth Devices (5.13.1.3)
1. DES personnel will only use DES approved Bluetooth devices in association IT hardware that accesses, process, or stores CJI. Any questions regarding what is or is not approved shall be directed to DES IT.
2. DES personnel may request conditional approval of other Bluetooth device (e.g., headphones, speakers, etc.) by DES IT. The request should be submitted via email through the employee’s supervisor to DES IT.
3. DES IT will evaluate the device for potential risk and compliance with the CSP, and will respond back to the requestor via email regarding approval/ disapproval.
U. Remote Access (5.5.6)
1. Remote access may be authorized for DES personnel based on employee roles.
2. Only DES devices are authorized for remote access.
3. A VPN User Request form shall be submitted for processing, including executives.
4. The VPN Request form will be approved by the requestor’s supervisor.
5. DES IT will process the request and assign access, including the access based on the requestor’s role.
6. DES IT will monitor established processes for remote access.
7. DES IT shall be notified immediately when the user no longer requires access to perform their duties.
V. Wireless Access Restrictions (5.13)
1. DES wireless devices (e.g., laptops, smartphones, tablets) will only be used for approved purposes and business requirements.
2. Access to DES related CJI resources via wireless devices will based on the user’s role and need to access CJI for the administration of criminal justice.
3. DES IT will provide remote access to CJI related systems and monitor access to ensure compliance with the CSP.
4. DES IT will implement and maintain a mobile device management (MDM) solution for wireless devices with access to CJI.
5. DES’s MDM solution shall comply with the requirements of the CSP, including but not limited to malicious code protection, remote wiping, and setting and locking of device configuration.
6. Questions regarding approved use of wireless devices shall be submitted to DES IT for review and comment.
W. Authentication Strategy & Authenticator Management (5.6.2 & 5.6.3.2 {2} )
1. All users will comply with DES computer use policies regarding the access to and use of DES computer hardware, software, network, and technology systems. Access to GovTransfer (Application) is controlled using a unique username and password. All passwords must comply with the CJIS Security Policy, and will be enforced by Application.
2. Application uses usernames and passwords for identification and authentication. New users are assigned usernames as part of their on-boarding as a DES employee in roles requiring Application access. Application users will establish their username and initial password, compliant with the CJIS Security Policy.
3. When a user no longer requires access to Application, DES IT will be notified by the user’s supervisor via email. DES IT will deactivate or, if needed, change the user’s access level as appropriate.
4. Users will not share passwords with other DES personnel. Users will not post their passwords anywhere near their monitors, or hide them in or around their desks. If needed, it is suggested a user keep private log (not stored around their work area) or use a password “vault” on their smartphone or computer.
5. In the event a user’s password is compromised or suspected that it might be compromised, the user will take appropriate measures to change their password, and notify their supervisor.
6. DES uses SMS as an advanced authentication/two factor authentication solution for remote access.
7. When a user remotely logs into Application, they will receive an SMS containing a 6 character one-time-password (OTP), that will expire after five minutes. The user enters the OTP to gain access to Application.
X. Voice over IP (VOIP) (5.10.1.4)
1. Only DES approved hardware is authorized for voice telecommunications (voice over IP). DES personnel shall not use any personal or other device not authorized and approved by proper DES IT personnel for VOIP related telecom services.
2. DES provided Voice over IP shall only be used for official business purposes, or other approved purposes include, but are not limited to:
● Emergency communications, including communication with family members
● Health related issues
● Home repair related emergencies
Y. CJI Media Protection (5.8, 5.8.3 & 5.8.4)
1. Any electronic or physical media containing CJI shall be protected against unauthorized disclosure or release while being stored, accessed, or physically moved from a secure location to another approved location. Transporting CJI outside DES’s assigned physically secure area shall be continually monitored and controlled by authorized DES personnel.
● “Electronic media” includes memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.
● “Physical media” includes printed documents and/or printed imagery that contain CJI.
2. Authorized DES personnel shall protect and control electronic and physical CJI while at rest and in transit. DES will follow appropriate safeguards for protecting CJI to limit potential mishandling or loss while being stored, accessed, or transported. Any inadvertent or inappropriate CJI disclosure and/or use will be immediately reported to the DES CJIS Compliance Officer.
STORAGE & ACCESS
1. Controls shall be in place to protect electronic and physical media containing CJI while at rest, stored, or accessed.
2. To protect CJI, DES personnel shall:
a. Securely store electronic and physical media in an appropriate container. An appropriate container includes a locked 1) box, 2) drawer, 3) cabinet, 4) room, or 5) facility.
b. Safeguard all CJI against unauthorized access or possible misuse. Restrict access to electronic and physical media to CJI authorized personnel only.
c. Physically protect CJI until media end of life. At end of life, CJI is destroyed or sanitized using approved equipment, techniques, and procedures.
d. Not use personally owned information system to access, process, store, or transmit CJI unless DES has established and documented the specific terms and conditions for personally owned information system usage. (5.5.6.1)
e. Not utilize publicly accessible computers to access, process, store, or transmit CJI. Publicly accessible computers include but are not limited to hotel business center computers, convention center computers, public library computers, public kiosk computers, etc. (5.5.6.2)
f. Store all hardcopy CJI printouts in a locked/secure area/room, or locked box, cabinet, or desk accessible to only CJI authorized personnel.
g. Take appropriate action when in possession of or accessing CJI while not in a physically secure area:
i. CJI must not leave the authorized employee’s immediate control. CJI printouts shall not be left unsupervised while physical controls are not in place.
ii. Precautions shall be taken to obscure physical CJI from public view, such as by means of an opaque file folder or envelope for hard copy printouts. For electronic devices like laptops, use session lock use and/or privacy screens. CJI shall not be left in plain public view.
iii. When accessing CJI system remotely outside the boundary of the physically secure location, the connection shall be protected using encryption. DES IT will ensure all remote connections meet CJIS Security Policy standards.
iv. DES personnel will only use electronic storage devices that are approved by DES IT. Storage devices include, but is not limited to, thumb drives, flash drives, backup tapes, mobile devices, laptops, and external hard drives from computers.
v. DES IT will ensure all external storage devices meet CJIS Security Policy standards. When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards
h. Lock or log-off computer when not in the immediate vicinity of the work area to protect CJI. Not all DES personnel have the same CJI access permissions and need to keep CJI protected on a need-to-know basis.
i. Ensure appropriate administrative, technical, and physical safeguards are in place to protect CJI. (See Physical Protection Policy)
TRANSPORTATION
1. DES shall control electronic and physical media containing CJI while in transport (physically moved from one location to another) to prevent inadvertent or inappropriate disclosure and use.
2. DES personnel shall:
a. Protect and control electronic and physical media during transport outside of controlled areas.
b. Restrict the pickup, receipt, transfer, and delivery of such media to authorized personnel.
3. DES personnel shall control, protect, and secure electronic and physical media during transport from public disclosure:
a. Use privacy statements in electronic and on paper documents.
b. Limit the collection, disclosure, sharing and use of CJI to authorized purposes only.
c. Follow the least privilege and role-based rules for allowing access.
d. Limit access to CJI to only those people or roles that require access.
e. Securely hand carry CJI electronic and paper documents:
i. Store CJI in a locked briefcase or lockbox.
ii. View or access the CJI electronically or document printouts in an appropriately secure location by authorized personnel.
iii. For hard copy printouts or CJI documents:
1. Package hard copy printouts in such a way as to not have any CJI information viewable.
2. For documents that are mailed or shipped, DES personnel must only release “unsealed” CJI to authorized individuals. DO NOT MARK THE PACKAGE CONFIDENTIAL or CONTAINS CJI. Packages containing CJI material are to be sent by method(s) that provide for complete shipment tracking and history, and signature confirmation of delivery. (DES Discretion)
f. Do not remove CJI from DES facility unless for authorized official purposes.
DESTRUCTION
1. DES personnel shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals (e.g., school.) Inoperable electronic media shall be destroyed (drilled at least 4 times, cut up, shredded, etc.).
2. DES personnel shall document destruction of electronic media in the destruction log, including the name of the media, date, authorized person completing the task, and method of destruction.
3. DES personnel shall ensure the electronic sanitization or destruction is witnessed or carried out by authorized personnel.
4. Physical media shall be securely disposed of when no longer required, using documented, formal procedures. The approved method of destruction of CJI is via cross-cut shredding. The required steps for the Destruction of physical media are as follows:
● Each unit is responsible for placing physical media (paper documents) into the designated shred containers.
● CJIS authorized DES personnel will take the shred containers to the designated on-site location and observe the entire shredding process performed by Rapid Shred of Grand Rapids, Michigan.
● Rapid Shred of Grand Rapids, Michigan will issue a certificate of Destruction upon completion of the on-site shredding operations.
● The certificate will be maintained for three years for audit inspection.
CJI Related Incident Response Plan
(5.3 & 5.13.5)
The following establishes an operational incident handling procedure for DES CJI and CJI systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; track, document, and report incidents to appropriate DES personnel and/or authorities.
Joe Puuri is the DES Compliance Officer for CJI security-related issues, and will ensure the incident response reporting procedures are initiated at the local level.
Reporting Information Security Events – DES will promptly report incident information to appropriate authorities. CJI related security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken. DES personnel shall be aware of the procedures for reporting the different types of event(s) and weakness that might have an impact on the security of DES assets. DES personnel are required to report any information security events and weaknesses as quickly as possible to the security point-of-contact identified above.
Reporting Procedures for Suspected and Actual Security Breaches for all DES personnel:
DES personnel:
● Personnel who
1) suspect a potential security breach or issue,
2) become aware of any CJIS related policy violation or potential violation, or
3) realize that “something isn’t right” with computers, any application, or systems used for DES business purposes
Shall notify their supervisor – tell them the issue; if they are unavailable, notify the next appropriate member in their chain-of-command.
DES Supervisors, upon notification by DES personnel:
● Notify DES Local Agency Security Officer (LASO).
● Notify DES IT and others, as needed.
The Designated LASO will:
● Compile information for completing an IT Security Incident Response Form (also attached in word & pdf).
● Identify the suspected cause for incident (Name, virus, etc.)
● Determine and note if Antivirus software was running and up to date at the time of infection (if applicable.)
● Determine how and when the problem was first identified
● Notify local IT staff been notified / determine if they are involved
● Determine number of workstations infected/affected
● Determine if any other equipment or network infected
● Determine proposal for action plan for removal.
● Will infected workstations be re-imaged before reconnection?
● When was the last update of signature files?
● When was the last operating system update?
● Was any CJIS data or personal identification information compromised?
● The system component will remain disconnected from the CJI network(s) until DES IT is certain DES systems are free from virus infection.
● Once free from infection and given clearance by DES IT, the system can be re-connected to the state/national CJI system(s).
Additional Considerations that shall be placed in the Incident Response Process – For FBI CJIS Security Policy, section 3.29: LASO must make notification to the State CSA ISO and gather enough information to complete the IT Incident Response Form located in Appendix F (page F-2) in the FBI CJIS Security Policy for notification to the FBI ISO (completed by the CSA ISO).
Additional incident reporting procedures for mobile devices that are authorized to access, process or store criminal justice information.
Definitions
Loss of control – device is unattended in a public area or unknown location.
Minimal duration – less than 15 minutes
Extended duration – longer than 15 minutes
Mobile device – smart phone, tablet, or laptop used to process or store criminal justice information (CJI)
DES personnel with mobile devices that are authorized for access to CJI (DES issued or personal) shall report to all LASO personnel and DES IT in the event of any of the following circumstances:
1. Loss of device control. For example:
● Device known to be locked, minimal duration of loss
● Device lock state unknown, minimal duration of loss
● Device lock state unknown, extended duration of loss
● Device known to be unlocked, more than momentary duration of loss
2. Total loss of device
3. Device compromise
4. Device loss or compromise outside the United States
DES personnel shall report the incident to DES Supervisor who shall report the incident to all LASO personnel and DES IT via email. The DES personnel shall include 1) the device; 2) date and time of the event; 3) a brief description of the situation (listed above); 4) the location of the event.
CJI Related Physical Protection Policy
(5.9)
Purpose:
The purpose of this policy is to provide guidance for DES personnel, support personnel, and private contractors/vendors for the physical, logical, and electronic protection of Criminal Justice Information (CJI). All physical, logical, and electronic access must be properly documented, authorized, and controlled on devices that store, process, or transmit unencrypted CJI. This Physical Protection Policy focuses on the appropriate access control DES needs to protect the full lifecycle of CJI from potential threats.
This CJI Related Physical Protection Policy was developed using the CJIS Security Policy (CSP). This policy applies to DES personnel, support personnel, and subcontractors/vendors with access, physical or logical, to CJI.
Authorized personnel are those who have been properly vetted (a minimum of a fingerprint-based background check by a criminal justice agency), completed the appropriate security awareness training, and signed the CSP Security Addendum.
Physically Secure Location:
A CSP physically secure location is a facility or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect the FBI CJI and associated information systems. The perimeter of the physically secure location shall be prominently posted and separated from non-secure locations by physical controls. Security perimeters shall be defined, posted, controlled, and secured. All Server rooms shall be considered CSP defined physically secure.
A list of physically secure facilities will be kept in the IT folder of the DES shared drive.
Controlled Area:
Areas that do not meet the requirements of a physically secure location can be designated controlled areas. Areas that cannot meet all the controls required for establishing a physically secure location, but there is an operational need to access or store CJI, the DES shall designate an area, a room, or a storage container, as a controlled area for the purpose of day-to-day CJI access or storage. In controlled areas:
1. Access shall be limited into the controlled area during CJI processing times to only those personnel authorized by DES to access or view CJI.
2. The area, room, or storage container must be locked when unattended by authorized DES personnel.
3. Information system devices and documents containing CJI shall be positioned in such a way as to prevent unauthorized individuals from accessing or viewing CJI.
4. Any CJI stored electronically in the controlled must be encrypted.
Except for those areas designated as CSP defined physically secure locations (see Physically Secure Area, within this policy), areas in DES facilities where CJI is accessed or processed will be designated as controlled areas.
Public Areas:
Those areas where CJI is not accessed, processed, or stored. Areas that generally open to the public and/or personnel who have not been vetted for access to CJI.
Visitors Access:
A visitor is defined as a person who 1) visits the facility on a temporary basis, 2) who is not employed by DES or the contracting governmental agency (CGA), and 3) is not authorized unescorted access to the physically secure location within the DES facility where CJI and CJI systems are located.
Visitors shall:
1. Check in before entering a physically secure location by:
a. Completing the visitor access log, which includes: name and visitor’s agency, purpose for the visit, date of visit, time of arrival and departure, name and agency of person visited, and form of identification used to authenticate visitor.
b. Document badge number on visitor log if visitor badge issued. The visitor badge shall be worn on approved visitor’s outer clothing and collected by DES at the end of the visit.
c. Planning to check or sign-in multiple times if visiting multiple physically secured locations and/or building facilities that are not adjacent or bordering each other that each has their own individual perimeter security to protect CJI.
2. Be always accompanied by a DES escort to include delivery or service personnel. An escort is DES personnel who is authorized access to CJI, and always accompanies a visitor while within a physically secure location to ensure the protection and integrity of any CJI therein. The use of cameras or other electronic means used to monitor a physically secure location does not constitute an escort.
3. Show DES personnel a valid form of photo identification.
4. Follow DES policy for authorized unescorted access.
a. Private subcontractors/vendors who require frequent unescorted access to CSP defined physically secure locations will be required to establish a Security Addendum between the DES and each private contractor personnel. Each private contractor personnel will appropriately have state and national fingerprint-based record background check prior to this restricted area access being granted.
5. Not be allowed to view screen information mitigating shoulder surfing.
6. Individuals not having any legitimate business in a CJI related restricted area shall be courteously escorted to a public area of the facility. Strangers in CJI related restricted areas without an escort should be challenged. If resistance or behavior of a threatening or suspicious nature is encountered, sworn personnel shall be notified.
7. Not be allowed to “sponsor” another visitor.
8. Not enter a secure area with electronic devices unless approved by the DES CJIS Compliance Officer to include cameras and mobile devices. Photographs are not allowed without permission of DES assigned personnel.
9. All requests by groups for tours of DES facility will be referred to the proper DES point of contact for scheduling. In most cases, these groups will be handled by a single form, to be signed by a designated group leader or representative. Remaining visitor rules apply for each visitor within the group. The group leader will provide a list of names to front desk personnel for instances of emergency evacuation and accountability of each visitor while on DES premises.
10. Prior to visitor gaining access to the secure area:
a. The visitor will be screened by the appropriate DES personnel for weapons. No weapons are allowed in the facility except by authorized personnel for authorized purposes.
b. The visitor will be screened for electronic devices. No personal electronic devices are allowed in any DES facility except when carried by authorized personnel for authorized purposes.
11. Escort personnel will acknowledge being responsible for properly evacuating visitor in cases of emergency. Escort personnel will know appropriate evacuation routes and procedures.
12. Escort personnel will validate visitor is not leaving DES with any DES owned equipment or sensitive data prior to visitor departure.
Authorized Physical Access:
Only authorized personnel will have access to CSP physically secure locations. DES will maintain and keep current a list of authorized personnel. All physical access points into the facility’s CJIS related secure areas will be authorized before granting access. DES will implement access controls and monitoring of physically secure areas for protecting all transmission and display mediums of CJI. Authorized personnel will take necessary steps to prevent and protect DES and its facilities from physical, logical and electronic breaches.
All personnel with CJI physical and logical access must:
1. Meet the minimum personnel screening requirements as required by the CJIS Security Policy prior to CJI access.
2. Complete security awareness training through CJIS Online.
a. All authorized DES, Noncriminal Justice Agencies (NCJA) like city or county IT and private contractor/vendor personnel will receive security awareness training within six months of being granted duties that require CJI access and every two years thereafter.
b. Security awareness training will cover areas specified in the CJIS Security Policy at a minimum.
3. Be aware of who is in their secure area before accessing confidential data.
a. Take appropriate action to protect all confidential data.
b. Protect all terminal monitors with viewable CJI displayed on monitor and not allow viewing by the public or escorted visitors.
4. Properly protect and not share any individually issued keys, proximity cards, computer account passwords, etc.
a. Report loss of issued keys, proximity cards, etc to supervisor, immediately.
b. If the loss occurs after normal business hours, or on weekends or holidays, personnel are to contact the DES Security Compliance Officer to have authorized credentials like a proximity card deactivated and/or door locks possibly rekeyed.
c. Safeguard and do not share passwords, Personal Identification Numbers (PIN), or any other facility and computer systems authenticators. See Sanctions Related to CJI Policy.
5. Properly protect from viruses, worms, Trojan horses, and other malicious code.
6. Access the internet for approved purposes only.
7. Do not use personally owned devices on DES computers with CJI access. (5.5.6.1)
8. Use of electronic media is allowed only by authorized DES personnel. Controls shall be in place to protect electronic media and printouts containing CJI while in transport. When CJI is physically moved from a secure location to a non-secure location, appropriate controls will prevent data compromise and/or unauthorized access.
9. Not use email for transmitting CJI.
10. Report any physical security incidents to Joe Puuri (the LASO) to include facility access violations, loss of CJI, loss of laptops, smartphones, tablets, thumb drives, CDs/DVDs and printouts containing CJI.
11. Properly release hard copy printouts of CJI only to authorized vetted and authorized personnel in a secure envelope and shred or burn hard copy printouts when no longer needed. Information should be shared on a “need to know” basis. Ensure data centers with CJI are physically and logically secure.
12. Keep DES IT personnel informed when CJI access is no longer needed. In the event of employment termination, the individual shall surrender all property and CJI system access managed by the DES facility, state and/or federal agencies.
13. Know which door to use for proper entry and exit of the facility and only use marked alarmed fire exits in emergency situations.
14. Ensure the perimeter security door securely locks after entry or departure. Do not leave any perimeter door propped opened and take measures to prevent piggybacking entries.
Sanctions Related to Misuse of Criminal Justice Information
(5.12.4)
PURPOSE:
DES personnel, with access to Criminal Justice Information (CJI) or any system containing CJI, are required to protect the system and related systems from physical and environmental damage, and are responsible for correct use, operation, care, and maintenance of the information system(s). All technology equipment: computers, laptops, software, copiers, printers, terminals, live scan devices, fingerprint scanners, software to include RMS/CAD, operating systems, etc., used to process, store, and/or transmit CJI is a privilege allowed by DES , state CSO, and the FBI.
To maintain the integrity and security of DES‘s and state and national CJIS systems and data, CJI related computer use privilege requires adherence of relevant federal, state, and local laws, regulations, and contractual obligations.
SCOPE:
All existing laws, DES regulations and policies apply, including but not limited to those laws and regulations that are specific to computers and networks, and those that apply to personal conduct.
POLICY:
Misuse of computing, networking or information resources may result in temporary or permanent restriction of computing privileges up to employment termination. In some misuse situations, account privileges will be suspended during any investigation. Additionally, misuse may be prosecuted under applicable federal and state statutes. All data files are subject for search.
When follow-up actions after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). Complaints alleging misuse of DES‘s computing and network resources, and state and national CJIS systems and/or data will be directed to DES Compliance Officer for taking appropriate disciplinary action.
Any suspected misuse of CJI data will be immediately investigated to ascertain the type, degree, intent, and consequence of the misuse. A sustained violation of the NCIC or CHRI shall result in such sanctions as specified in policy or deemed appropriate by the DES facility authority. Additional penalties for violation of this policy may include immediate removal from access to CJIS system and data. Subsequent violations of this policy may result in disciplinary action up to and including termination.
Substantiated misuse of the system must be reported to the customer’s LASO(s).
Any misuse that constitutes a violation of a CJI related security policy must be reported in accordance with the procedures in DES’s CJI Related Incident Response Plan.
Some Examples of Misuse include, but is not limited to:
1. Using someone else’s login that you are not the owner.
2. Leaving a computer logged in with your login credentials unlocked in a physically unsecure location allowing anyone to access DES systems and/or CJIS systems and data in your name.
3. Allowing an unauthorized person to access FBI CJI at any time for any reason. Note: Unauthorized use of the CJIS systems is prohibited and may be subject to criminal and/or civil penalties.
4. Allowing remote access of DES issued computer equipment to CJIS systems and/or data without prior authorization by DES .
5. Obtaining a computer account that you are not authorized to use.
6. Obtaining a password for a computer account of another account owner.
7. Using the DES‘s network to gain unauthorized access to CJI.
8. Knowingly performing an act which will interfere with the normal operation of CJIS systems.
9. Knowingly propagating a computer virus, Trojan horse, worm, and malware to circumvent data protection or compromising existing security holes to CJIS systems.
10. Violating terms of software and / or operating system licensing agreements or copyright laws.
11. Duplication of licensed software, except for backup and archival purposes that circumvent copyright laws for use in DES, for home use or for any customer or contractor.
12. Deliberately wasting computing resources to include streaming audio, videos for personal use that interferes with DES network performance.
13. Using electronic mail or instant messaging to harass others.
14. Masking the identity of an account or machine.
15. Posting materials publicly that violate existing laws or DES‘s codes of conduct.
16. Attempting to monitor or tamper with another user’s electronic mail or files by reading, copying, changing, or deleting without explicit agreement of the owner.
17. Using DES‘s technology resources to advance unwelcome solicitation of a personal or sexual relationship while on duty or using official capacity.
18. Unauthorized possession of, loss of, or damage to DES‘s technology equipment with access to CJI through unreasonable carelessness or maliciousness.
19. Maintaining CJI or duplicate copies of official DES files in either manual or electronic formats at his or her place of residence or in other physically non-secure locations without express permission.
20. Using DES‘s technology resources and/or CJIS systems for personal or financial gain.
21. Deliberately failing to report promptly any known technology-related misuse by another employee that may result in criminal prosecution or discipline under this policy.
22. Using personally owned devices on DES‘s network to include personally- owned thumb drives, CDs, mobile devices, tablets on Wi-Fi, etc. Personally owned devices should not store DES data, State data, or FBI CJI.
23. Any unauthorized access, disclosure, modification, destruction, handling, transmission, or deletion of CJI, whether by malice or mistake.
24. Any attempt to intercept or otherwise obtain CJI by means other than those authorized by governing authority.
25. Any use of CJI for personal reasons, especially involving personal relationships.
26. Any use of CJI for political purposes.
27. Any use of CJI for monetary gain.
28. Any use of CJI to satisfy one’s curiosity.
29. Performing or assisting in the performance of any act that will interfere with the authorized use of CJI.
30. Any violation of CJI related policies may constitute CJI misuse.
The above listing is not all-inclusive and any suspected technology resource or CJIS system or CJI misuse will be handled by DES on a case-by-case basis. Activities will not be considered misuse when authorized by appropriate DES officials for security or performance testing.
PERSONALLY IDENTIFIABLE INFORMATION POLICY
(4.3)
Purpose
The purpose of this policy is to define standards and procedures for ensuring appropriate controls are applied when handling Personally Identifiable Information (PII) extracted from CJI.
Scope
This procedure shall apply to all DES personnel. It addresses Personally Identifiable Information (PII) extracted from CJI and any PII extracted from other entities (i.e. driver’s license information, vehicle registration information, etc.).
Discussion
The goal of this policy is to ensure DES compliance with state and federal PII regulations and best practices for information security in law enforcement.
Definitions
A. Administration of Criminal Justice – as per 28 CFR (Code of Federal Regulations) 20.3(b), the performance of any of the following activities: detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. The administration of criminal justice shall include criminal identification activities and the collection, storage, and dissemination of criminal history record information.
B. Authorized personnel – A person who works for DES or another recognized criminal justice entity, and has been properly vetted and trained for access to CJI, and is performing the administration of criminal justice.
C. Criminal Justice Information (CJI) – As defined in Policy 4.1 of the CJIS Security Policy (CSP). In general, it is any information including, but not limited to, biometric, identity history, biographic, property, and case/incident history that has not been officially released to the public or otherwise authorized for release by court order.
D. CSA – The criminal justice agency responsible for establishing and administering an information technology security program throughout the CSA’s user community, to include the local levels.
E. Personally Identifiable Information (PII) – Defined as information about a person that contains some unique identifier, including but not limited to name or Social Security Number, from which the identity of the person can be determined.
Procedures
Policy and Appropriate Use
A. Collection
PII shall be collected only when DES has the legal authority to do so and the information is necessary to conduct of official duties.
B. Limit Use
DES personnel and processes should only access PII when the information is needed to complete official contracted duties. PII is to be used for authorized purposes only. PII shall not be accessed or used for personal reasons.
C. Limit duplication
Do not create unnecessary or duplicative collections of PII. Only copy or duplicate PII as needed to perform authorized duties or functions. Unauthorized replication, especially for personal use, constitutes misuse (See Sanctions Related to Misuse of Criminal Justice Information.) Only print, copy, or extract PII from documents that is required for the authorized purpose.
D. Retention
The retention of PII extracted from any CJI system shall not extend beyond the State(s) retention policies.
E. Security
1. The following measures shall be taken to ensure the protection of PII:
a. Any mobile computer, mobile computing device or removable storage media that processes, stores, or transmits electronic records containing PII shall store and transmit that data encrypted. Encryption shall conform to standards specified in the CSP. Storage of PII shall be restricted to DES owned devices. PII shall not be stored or transmitted via personally owned devices, including but not limited to computers, tablets, smartphones, flash drives, or any other electronic storage media.
b. PII, in hard copy or electronic form, shall not be removed from DES facilities except for authorized purposes. When removed from DES facilities, PII in electronic form must be encrypted as specified above, and hard copy will be kept enclosed in an envelope.
c. DES personnel will use designated encryption processes to email PII only to an authorized recipient.
d. PII shall not be left unattended in any area or office where it might be accessed by unauthorized persons.
e. Store PII in shared access computer drives (“shared folders”) only if access to those folders is restricted to authorized personnel.
f. Physically secure PII when in transit. Do not mail or courier PII on media unless the data is encrypted.
g. Protect PII data during all stages of life cycle. Do not discard, or provide any vendor for maintenance media holding PII. Do not place laptops or removable media in checked baggage when travelling. Do not leave laptops or mobile devices that contain PII in a car overnight or unattended in public places.
h. If you are sent unsecured PII you still must secure it once you receive it.
i. Adhere to all provisions of Information Security Policy.
F. Misuse
Any suspected violation of the Personally Identifiable Information (PII) section will immediately be investigated. Misuse of PII information involving violation of CJIS Security Policy must be reported to the CSA.
G. Incident Response
All information security events including those involving personally identifiable information shall be promptly reported in accordance with the Information Security Incident Response Policy. The report shall include date and time of occurrence, PII data compromised, known and suspected unauthorized recipients, and whether the data was encrypted as required above. When possible an Incident Response Form should be completed and sent to the DES IT.
H. All requirements of FBI Security Policy relevant to PII shall be included by reference.
I. All requirements of DES’s CJI Handling Policy are included by reference.
Policy Noncompliance
Failure to comply with the Personally Identifiable Information Policy may, at the full direction of the DES authority, result in the suspension of any or all technology use and connectivity privileges, disciplinary action, and possibly termination of employment.
