CJIS Security Policy Requirements - Local Agency Concerns...

1

1/3/2014

CJIS Security Policy Requirements ‐ Local Agency Concerns & Issues

2

1/3/2014


3

1/3/2014


The CJIS Security Policy provides Criminal Justice Agencies and Noncriminal Justice Agencies with a minimum set of security requirements for access to FBI CJIS Division systems and information, and to protect and safeguard CJI. The essential premise of the CJIS Security Policy is to provide the appropriate controls to protect CJI, from creation through dissemination; whether at rest or in transit.

The CJIS Security Policy may be used as the sole security policy for the agency. The local agency may complement the CJIS Security Policy with a local policy, or the agency may develop their own stand‐alone security policy; however, the CJIS Security Policy shall always be the minimum standard and local policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards.

The agency shall develop, disseminate, and maintain formal, documented procedures to facilitate the implementation of the CJIS Security Policy and, where applicable, the local security policy. The policies and procedures shall be consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidance.

Every “shall” statement contained in the CJIS Security Policy has been scrutinized for risk vs. the reality of resource restraints and real‐world application. Individual agencies are encouraged to implement additional controls to address agency specific risks.

Distribution of the CJIS Security Policy: The CJIS Security Policy, version 5.2 and later, is a publically available document and may be posted and shared without restrictions.

4

1/3/2014


CJA is defined as a court, a governmental agency, or any subunit of a governmental agency which performs the administration of criminal justice pursuant to a statute or executive order and which allocates a substantial part of its annual budget to the administration of criminal justice.

NCJA is defined (for the purposes of access to CJI) as an entity or any subunit thereof that provides services primarily for purposes other than the administration of criminal justice. An example of a governmental NCJA is a City or County IT Department.

CGA is a governmental agency, whether a CJA or a NCJA, that enters into an agreement with a private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement with a contractor shall appoint an Agency Coordinator.

• Agency Coordinator will be a staff member of the CGA who manages the agreement between the contractor and the agency.

5

1/3/2014


This could be an individual employed by the agency, or an employee of the IT Department for the City or County government as long as the responsibilities are met.

6

1/3/2014


CJIS Security Policy, Version 5.2, Section 4.1

The following categories of CJI describe the various data sets housed by FBI CJIS architecture:

Biometric Data – Data derived from one or more intrinsic physical or behavioral traits of humans, typically for the purpose of uniquely identifying individuals from within a population. Used to identify individuals, to include: fingerprints, palm prints, iris scans, DNA, and facial recognition.

Identity History Data – Textual data that corresponds with an individual’s biometric data, providing a history of criminal and/or civil events for the identified individual.

Biographic Data – Information about individuals associated with a unique case, and not necessarily connected to identity data. Biographic data does not provide a history of an individual, only information related to a unique case.

Property Data – Information about vehicles and property associated with crime when accompanied by any personally identifiable information (PII).

Case/Incident History – Information about the history of criminal incidents.

7

1/3/2014


Types of PII include: Name, SSN, or biometric records, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date of birth, or mother’s maiden name.

Any FBI CJIS provided data maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history may include PII.

A criminal history record, for example contains PII as would a Law Enforcement National Data Exchange (N‐DEx) case file.

Agencies shall develop policies, based on state and local privacy rules, to ensure appropriate controls are applied when handling PII extracted from CJI.

8

1/3/2014


III and NCIC access, use and dissemination will be covered in greater detail for the March/April 2014 TAC Meetings.

Rules governing the access, use and dissemination of CHRI may also be found in Title 28, Part 20 of the Code of Federal Regulations.

A pdf is available from the GPO (Government Printing Office):http://www.gpo.gov/fdsys/pkg/CFR‐2006‐title28‐vol1/pdf/CFR‐2006‐title28‐vol1‐part20.pdf

CJIS Security Policy, Version 5.2, Section 4.2 – Access, Use and Dissemination of Criminal History Record Information (CHRI), NCIC Restricted Files Information, and NCIC Non‐Restricted Files Information.

Penalties, Section 4.2.5.2:Improper access, use or dissemination of CHRI and NCIC Non‐Restricted Files Information is serious and may result in in administrative sanctions including, but not limited to, termination of services and state and federal criminal penalties. Proper access to, use, and dissemination of data from NCIC Restricted Files shall be consistent with access, use and dissemination policies concerning the III described in Title 28, Part 20, CFR, and the NCIC Operating Manual.

**Also see Section 5.9 – Policy Area 9 ‐ Physical Protection

9

1/3/2014


The Restricted Files, which shall be protected as CHRI, are as follows:

1. Gang Files2. Known or Appropriately Suspected Terrorist Files3. Supervised Release Files4. Immigration Violator File 5. National Sex Offender Registry Files6. Historical Protection Order Files of NCIC7. Identity Theft Files8. Protective Interest Files9. Person With Information (PWI) data in the Missing Person Files**

**The PWI field may be present in a MP record if there is a “substantial likelihood” that the PWI has relevant information about the missing person that could result in the recovery of the missing person. This could be a non‐custodial parent, guardian, etc. There may also be a warrant entered in NCIC for the ‘Person With Information’ if conditions exist for the entering agency to obtain a warrant. These records may be linked together.

The remaining NCIC files are considered Non‐Restricted Files. Non‐Restricted NCIC Files may be accessed and used for any authorized purpose consistent with the inquiring agency’s responsibility.

10

1/3/2014


The next few slides will cover each policy area listed. Some are covered in more detail than others.

We will be discussing those areas where agencies were found Non‐Compliant in the FBI audits, and those where the SBI has received questions about.

11

1/3/2014


While the major theme of the policy areas is concerned with electronic exchange directly with the FBI, it is understood that further dissemination of CJI to authorized recipients by various means (hard copy, e‐mail, web posting, etc.) constitutes a significant portion of CJI exchanges. Regardless of its form, use or method of dissemination, CJI requires protection throughout its life.

Circumstances of applicability are based on individual agency/entity configurations and usage.

12

1/3/2014


When deciding who should complete the security awareness training, agencies should evaluate who currently has access to CJI and not just those individuals who are DCI certified, or those individuals that work on DCI systems (IT personnel).

Keep in mind that individuals who have access to CJI may not be DCI certified, but may still have an operational need for access to the information, or may be exposed to CJI due to their role with the agency.

The below list is not all inclusive, but may assist you in determining which personnel are required to take the security awareness training:• DCI certified operators• IT personnel• Non‐DCI certified law enforcement officers• Non‐DCI certified records clerks/receptionists• Cleaning personnel (possibly, if they have unescorted access to areas where CJI is accessed or

stored)• Non‐IT vendors that provide data destruction (shredding) or hardware disposal services• Non‐IT vendors that provide a non‐criminal justice service to the agency• Non‐DCI certified law enforcement officers to whom your agency provides DCI service, and• Non‐DCI device agency personnel to whom your agency provides service who have access to CJI

These personnel may need to take the Security Awareness Training if they have access to CJI. You will need to make a determination on who needs or is required to view the Security Awareness Training Video and sign the log, based on their access to CJI, if any. For example, the snack or drink vendor will not be required to view this as long as they are not going into areas where CJI is accessed or stored, or if they are escorted while in those secure areas.

13

1/3/2014


There has been an increase in the number of accidental and malicious computer attacks against both government and private agencies, regardless of whether the system is high or low profile.

The ISO (Information Security Officer) for NC is Brian Dickerson with the Department of Justice IT Division. Email: [email protected]

14

1/3/2014


Handout 1: F.1 IT Security Incident Response Form

This is an example of the Security Incident Response Form from the CJIS Security Policy and can be found in Appendix F. This form may be used to notify our ISO of your agency’s Security Incident.

The agency shall promptly report incident information to appropriate authorities. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken.

Formal event reporting and escalation procedures shall be in place.

Wherever feasible, the agency shall employ automated mechanisms to assist in the reporting of security incidents.

All employees, contractors and third party users shall be made aware of the procedures for reporting different types of event and weakness that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

The designated POC for NC is Brian Dickerson, DOJ/ITD, ISO. Email: [email protected]

15

1/3/2014


To increase the probability of authorized users conforming to a ‘prescribed pattern of behavior’: To increase the chances that your authorized users are doing what they are supposed to be doing and only that which is allowed, based on their job and/or responsibilities within your agency. The ‘prescribed pattern of behavior’ is what your agency, the SBI and FBI allows based on their certifications, responsibilities, etc. and may be documented in your agency’s policy and procedures.

This is not just the DCIN log in, but for your agency’s network, RMS, CAD, etc. The SBI and DOJ/IT maintains audit logs for VPN and DCIN access.

Before a user can log into DCIN, they must log into an agency’s computer, laptop, mobile device, etc. It is the agency maintained network (system) that is required to maintain audit logs.

Auditable EventsThe following events shall be logged and contain the date and time of the event, the software or hardware component used or accessed, type of event, user identity, and the outcome of the event:1. Successful and unsuccessful log in attempts2. Successful and unsuccessful attempts to access, create, write, delete, or change

permissions on a user account, file directory or other system resource3. Successful and unsuccessful attempts to change account passwords (not DCIN

passwords)4. Successful and unsuccessful actions by privileged accounts5. Successful and unsuccessful attempts for users to modify or destroy the audit log file

16

1/3/2014


Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing and transmission of CJIS information and the modification of information systems, applications, services and communications configurations allowing access to CJIS information.

Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The agency shall identify authorized users for the information system and specify access rights/privileges.

The agency shall grant access to the information system based on:1. Valid need‐to‐know/need‐to‐share that is determined by assigned official duties.2. Satisfaction of all personnel security criteria.

The agency responsible for account creation shall be notified when:1. A user’s information system usage or need‐to‐know or need‐to‐share changes.2. A user is terminated or transferred or associated accounts are removed, disabled, or

otherwise secured.

The validation process should include validating the users of the system to ensure they are still employed, still require the same access, etc.

17

1/3/2014


A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage. (Your personal laptops, PDAs, tablets, etc.)

Publicly accessible computers (public library computers, hotel business center computers, convention center computers, public kiosk computers, etc.) shall not be used to access, store, or transmit CJI. This may also include accessing your agency’s email from a public computer system, if CJI is included in the email.

Job assignment – you would not give or allow access for the janitor or cleaning crew. Only authorized personnel that have been backgrounded with a state and national FP check, and according to their specific job assignment and the ‘need to know’ this information should be allowed.

Physical location – Access is granted to personnel inside a physically secure location or area of your agency, but may not be granted on a public WiFi unless Advanced Authentication (AA) is in place for those devices and systems you are using to access CJI.

18

1/3/2014


Each person allowed to store, process and/or transmit CJI shall be uniquely identified. This includes all personnel that administer and maintain systems that access CJI or networks leveraged for transfer of CJI. The unique identification can take the form of full name, badge number, serial number, or other unique alphanumeric identifier. Agencies shall ensure all user IDs belong to currently authorized users. This information must be kept current by adding new users and disabling and/or deleting former users.

Agencies shall follow the secure password attributes to authenticate an individual’s unique ID. This must be done for all systems the user will access for CJI, including RMS, agency network, LiveScan devices, email, etc.

Passwords shall:1. Be a minimum length of 8 characters on ALL systems. (This includes all systems or

applications used to access, store and process CJI and not just DCI, e.g. RMS, CAD, local networks, AFIS system, etc.).

2. Not be a dictionary word or proper name.3. Not be the same as the user ID.4. Expire within a maximum of 90 calendar days.5. Not be identical to the previous 10 passwords.6. Not be transmitted in the clear outside the secure location.7. Not be displayed when entered.

Section 5.6.2.1.1 of the CJIS Security Policy

19

1/3/2014


Handout 2: Notice 2013‐00001 Extension for Advanced Authentication Requirement

Authenticators are ‘something you know’ (password), ‘something you are’ (biometric), or ‘something you have’ (e.g. hard token) and is part of the identification and authentication process.• Examples of standard authenticators include: Passwords, tokens, biometrics, and

personal identification numbers (PIN)

Advanced Authentication provides for additional security to the typical user identification and authentication log‐in ID and password, such as biometric systems, user‐based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk‐based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification, user profiling, and high‐risk challenge/response questions.

The requirement to use or not use AA is dependent upon the physical, personnel, and technical security controls associated with the user location. AA shall not be required for users requesting access to CJI from within the perimeter of a physically secure location, when the technical security controls have been met. (Sections 5.5 and 5.10, CJIS Security Policy)

20

1/3/2014


The network topological drawing shall include the following:1. All communications paths, circuits, and other components used for the interconnection

beginning with the agency‐owned system(s) and traversing through all interconnected systems to the agency end‐point.

2. The logical location of all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations). Individual workstations (clients) do not have to be shown; the number of clients is sufficient.

3. “For Official Use Only” markings.4. The agency name and date (day, month, year) drawing was created or updated.

21

1/3/2014


Handout 3: Notice 2013‐00010 Technical Security Audits – Policy Documentation and Requirements

The agency shall securely store electronic and physical media within physically secure locations or controlled areas. The agency shall restrict access to electronic and physical media to authorized individuals. If physical and personnel restrictions are not feasible, then the data shall be encrypted to a minimum of 128 bit per requirements outlined in section 5.10.1.2 of the CJIS Security Policy.

Electronic media: Controls shall be in place to protect electronic media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption as described above is the optimal control during transport; however, if encryption of the data isn’t possible then the agency shall institute other controls to ensure the security of the data. CJIS Security Policy, Version 5.2, Section 5.8.2.1

Electronic media means electronic storage media including memory devices in laptops and computers (hard drives), and any removable, transportable digital memory media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, or digital memory card.

Physical media: The controls and security measures in the CJIS Security Policy, as listed above for electronic media, also apply to CJI in physical (printed documents, printed imagery, etc.) form. Physical media shall be protected at the same level as the information would be protected in electronic form. CJIS Security Policy, Version 5.2, Section 5.8.2.2

22

1/3/2014


Destruction before disposal of both electronic and physical media is required.

The procedures to dispose of both electronic and physical media must be documented in a written policy.

Degauss – To neutralize, cancel or destroy the magnetic field.

23

1/3/2014


Destruction before disposal of both electronic and physical media is required.

Formal procedures means a written policy outlining the procedures for destruction of your physical media.

24

1/3/2014


25

1/3/2014


A physically secure location is a facility or an area, a room, or a group of rooms within a facility with both physical and personnel security controls sufficient to protect CJI and associated information systems.

For a mobile terminal to be in compliance with a “physically secure location”, the device must remain inside the vehicle while in operation unless the agency has obtained Advanced Authentication for the wireless devices.

Sections 5.9.1.1 – 5.9.1.8 of the CJIS Security Policy describes the physical controls required in order to be considered a physically secure location. The next few slides will be discussing those.

26

1/3/2014


The NC Administrative Code, Title 12, Chapter 04F covers the access and use of and security of DCI, however this document is in the process of being revised with more current information.

This section of the Administrative Code was added when DCI was created, to cover the state owned property (i.e., computers, modems, printers, etc.), but it is still in effect, even though the hardware belongs to the local agencies, the software (Omnixx) is where you have access to information that must be protected.

Currently, the NC Administrative Code indicates:Agency heads who have management control over the DCI terminals shall institute controls for maintaining the sensitivity and confidentiality of all information provided by or through DCI. These controls will include, but are not limited to the following: 1. The DCI terminal and printer shall be located in a secure area accessible only to authorized personnel.2. The DCI terminal operator’s manual and changes thereto shall be located in a secure area accessible only by

authorized personnel.

Failure to maintain a secure site will be a violation of this Rule and subject to provisions of Subchapter 4G Rule .0102 (a) of this Chapter:Insecure location of DCI terminal pursuant to 12 NCAC 4F .0101 shall result in the following penalties:1. First Offense – Agency Penalty (Warning) with conditions that the terminal be secured within 48 hours2. Second Offense‐Agency Penalty (Reprimand) with conditions that the SBI Assistant Director for DCI and the

agency head must establish an agreed time period within which the terminal can be secured, and;3. Third Offense‐Agency Penalty (Suspension) resulting in suspended access to CCH and driver’s history data

until the terminal is secured.

A copy of the NC Administrative Code is located in Omnixx Force , Links menu, under the Compliance tab, thenNCAC Reference. The CJIS Security Policy is also located in Omnixx Force , Links menu, IT Assistance, then CJIS Security Policy .

27

1/3/2014


Most agencies have identification cards and/or other agency issued credentials for their authorized personnel.

Agencies may also keep a current list if desired, but not needed if the ID or credentials have been issued and are being used to identify the employees.

28

1/3/2014


29

1/3/2014


All DCI devices should be positioned in a way as to prevent unauthorized individuals from accessing or viewing CJI. This means, at a minimum, the computers with DCI access should be turned away from windows where the public may have access, such as the lobby area of the agency. There may be instances where unauthorized personnel or escorted visitors are present within the secure area and may have access to viewing the computer monitor. The operator must log off DCI, preferably log off the computer, if they step away from the computer when visitors or unauthorized personnel are present.

There are safeguards available to install on a monitor to minimize the risk of unauthorized viewing – privacy filters ‐ use an advanced technology that simulates tiny Venetian blinds shielding your screen from curious glances. The result? You get a straight‐on, clear view of your information, while the people on all sides of you see a darkened screen. The privacy filter is just a suggestion for your agency and not a requirement.

30

1/3/2014


31

1/3/2014


The agency shall control physical access to information system distribution and transmission lines within the physically secure location.The agency shall also authorize and control information system related items entering and exiting the physically secure location.

How do you authenticate a visitor before granting access to be escorted into a physically secure area within your department?1. Some require the visitor to sign in on a visitor log, but this is not required by CJIS

Security Policy or the SBI. It is a good practice though.2. Asking for their name and the name of the person they are visiting, and/or the purpose

of their visit.3. Asking for identification – picture ID.4. Contacting the person or section they are visiting to confirm their visit.

Depending on your type of agency and your policy, these steps may vary and may include some additional steps to authenticate your visitor.

32

1/3/2014


Privacy filters may also be used as an additional safeguard to protect CJI but should not be used as the sole means of security. Operators must log off DCI, at a minimum, when the computer is left unattended. Physical media (printed CJI data) must never be left unattended on a desk or area. This must be secured or destroyed before leaving an area unattended.

33

1/3/2014


Specific examples of flow control enforcement can be found in boundary protection devices, (e.g. proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability.

This was one area that most agencies were found Non‐Compliant if they could access DCI, RMS, email, etc. from outside the physically secure location of their agency, and the information they were accessing contained CJI. This would also include the location of the server for your agency’s network. Most of the time, servers are located in different buildings or locations.

If your agency’s fiber optic cable is not encrypted and CJI is being transmitted across the fiber optic cable through RMS, CAD, etc., your agency is Non‐Compliant with the CJIS Security Policy.

34

1/3/2014


Boundary protection devices would include: proxies, gateways, guards, encryption tunnels, firewalls, and routers.These devices would employ rule sets or establish configuration settings that restrict information system services or provide packet filtering capability.

Encryption: For agencies using public key infrastructure (PKI) technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of the public key certificates used in the information system. Registration to receive a public key certificate shall:1. Include authorization by a supervisor or a responsible official.2. Be accomplished by a secure process that verifies the identity of the certificate holder.3. Ensure the certificate is issued to the intended party.

When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected by encryption. CJI may be found in: (RMS) records management systems, emails, electronic media (thumb drives, disks, etc.). This list is not all‐inclusive.

Example: A local agency has several offices and buildings used as sub‐stations outside the main building for the agency. All of these locations are connected via an underground fiber optic cable and have access to the agency’s RMS, CAD, etc. The public does not have access and this is not a public WiFi, but since the information is traveling outside the boundary of a physically secure location, the information must be encrypted.

35

1/3/2014


CJIS Security Policy, Version 5.2, Section 5.10.1.3

Intrusion Detection Tools and Techniques

The agency shall implement network‐based and/or host‐based intrusion detection tools.

The SBI/CSA shall, in addition:1. Monitor inbound and outbound communications for unusual or unauthorized activities.2. Send individual intrusion detection logs to a central logging facility where correlation

and analysis will be accomplished as a system wide intrusion detection effort.3. Employ automated tools to support near‐real‐time analysis of events in support of

detecting system‐level attacks.

36

1/3/2014


1. Issue alerts/advisories to appropriate personnel.2. Agencies must document the types of actions to be taken in response to security

alerts/advisories.3. Take appropriate actions in response.

37

1/3/2014


The agency (or software developer/vendor) shall develop and implement a local policy that ensures prompt installation of newly released security relevant patches, service packs, and hot fixes.

Local policies should include items such as:1. Testing of appropriate patches before installation.2. Rollback capabilities when installing patches, updates, etc.3. Automatic updates without individual user intervention.4. Centralized patch management.

38

1/3/2014


FBI has the authority under the CJIS Security Policy and the Code of Federal Regulations.

SBI has the authority under the CJIS Security Policy and the NC Administrative Code. The CJIS Security Policy states that we may conduct audits at a minimum, triennially (every 3 years) just as the FBI but the NC Administrative Code states we will conduct audits biennially (every 2 years).

All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations.

Triennial Security Audits by the FBI CJIS Division are authorized and conducted on all CSAs and will include a sample of Criminal Justice Agencies and Non‐Criminal Justice Agencies. Audits may be conducted on a more frequent basis if the audit reveals that an agency has not complied with the CJIS Security Policy.

39

1/3/2014


This section’s security terms and requirements apply to all personnel who have access to unencrypted CJI including those individuals with only physical or logical access to devices that store, process or transmit unencrypted CJI.

All requests for access shall be made as specified by the CSO. The CSO, or their designee, is authorized to approve access to CJI. All CSO designees shall be from an authorized criminal justice agency.

40

1/3/2014


1. If a FELONY conviction of any kind exists, the hiring authority (agency) shall DENY access to CJI. However, the hiring authority may ask for a review by the CSO (Control Systems Officer with SBI) in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance.

2. If a record of any other kind exists, access to CJI shall not be granted until the CSO or their designee reviews the matter to determine if access is appropriate.

3. If the person appears to be a fugitive or has an arrest history without conviction, the CSO or their designee shall review the matter to determine if access to CJI is appropriate.

4. If the person is employed by a Non‐Criminal Justice Agency (NCJA), the CSO or their designee shall review the matter to determine if access to CJI is appropriate.

5. If the person already has access to CJI and is subsequently arrested and/or convicted, continued access to CJI shall be determined by the CSO. This does not implicitly grant hiring/firing authority with the CSA, only the authority to grant access to CJI.

6. If the CSO or their designee determines that access to CJI by the person would not be in the public interest, access shall be denied and the person’s appointing authority shall be notified in writing of the access denial.

7. Support personnel, contractors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint‐based record check unless these individuals are escorted by authorized personnel at all times.

41

1/3/2014


If the CGA (IT Department possibly) does not have the authority to view CHRI, the CJA shall review the record to determine if access is allowed. If a record exists and the agency has questions on whether it is a disqualifier, contact the SBI Compliance Unit for guidance.

Applicants with a record of misdemeanor offense(s) may be granted access if the CSOdetermines the nature or severity of the misdemeanor offense(s) do not warrant disqualification.

The CGA may request the CSO to review a denial of access determination.

42

1/3/2014


Personnel Transfer:The agency shall review CJI access authorizations when personnel are reassigned or transferred to other positions within the agency, and initiate appropriate actions such as closing and establishing accounts and changing system access authorizations if needed.

Personnel Termination:The agency, upon termination of individual employment, shall immediately terminate access to CJI. NC Administrative Code requires the agency to notify the SBI within 24 hrswhen a certified user leaves the agency’s employment. This will allow us to move the user from your User List to the Inactive File until such time they are employed by another authorized agency.

Personnel Sanctions:The agency shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures.Formal sanctions process would be a written policy that is required by the CJIS Security Policy. This could be incorporated into existing Policy and Procedures established by your agency.

43

1/3/2014


Handout 4: Notice 2013‐00009 Technical Security Agreements and Their Uses

The exchange of information may take several forms including email, instant messages, web services, facsimile, hard copy, and information system sending, receiving, and storing CJI.The exchange agreements shall specify the security controls and conditions described in this document.

The information exchange agreement that most are familiar with is the Service Agreement signed by the head of the servicing agency and the head of the recipient agency. There may be instances where CJI is authorized for further dissemination to an authorized recipient not covered under a ‘Servicing Agreement’. In these instances the dissemination of CJI is considered to be ‘Secondary Dissemination’. Agencies shall have a policy to validate a requestor of CJI as an authorized recipient before disseminating CJI.

Example of when this might occur: A State Trooper has arrested an individual for DWI and has requested the local Sheriff’s Office for a driver’s history and a criminal record check on the driver. The Trooper is an authorized recipient as long as the request is for a legitimate law enforcement/criminal justice purpose. This would be ‘Secondary Dissemination’ and would be logged as such when the inquiry is performed.

The User Agreement will not be discussed during this meeting but more information may be found in the CJIS Security Policy, version 5.2, Section 5.1.

44

1/3/2014


Handout 4: Notice 2013‐00009 Technical Security Agreements and Their Uses

The MCA may be a separate document or included in the language of an inter‐agency agreement.

An example of a NCJA would be a city or county IT Department.

There are examples of Management Control Agreements in the CJIS Security Policy. You may use these to create your own agreements.

If your IT person or persons are employed by the CJA, no agreement is required, but they must go through the same background checks that are required by the CJIS Security Policy.

45

1/3/2014


The Private Contractor User Agreement is like the MCA in that it should specify that management control of the criminal justice function remains with the criminal justice agency and would include the scope of providing service for the administration of criminal justice for the agency. This agreement is signed by both agency heads and a copy should be kept on file for audit purposes.

If you currently have a MCA signed between your agency and a private contractor, you will not need to have a PCUA (Private Contractor User Agreement) signed if there has been no changes in the agency head for both the CJA and the private contractor or vendor.

The FBI CJIS Division advised:A contractual agreement must exist between a private contractor and a criminal justice agency but also the security addendum must be signed by all private contractor personnel with access to CJI. The FBI and CJIS Security Policy does not specify or say that the agreement be called this or that but that there is some type of contractual agreement between the two parties.

46

1/3/2014


The CJIS Security Addendum is a uniform addendum to an agreement between the CJA or NCJA and a private contractor, approved by the Attorney General of the United States, which specifically authorizes access the CHRI, limits the use of information to the purposes for which it is provided, ensures the security and confidentiality of the information is consistent with existing regulations and the CJIS Security Policy, provides for sanctions, and contains such other provisions as the Attorney General may require. The wording for the CJIS Security Addendum may not be changed in any way.

City and County IT personnel are not required to sign the CJIS Security Addendum, but you must have a MCA with the City or County IT Department.

47

1/3/2014


48

1/3/2014


CJIS Security Policy Requirements - Local Agency Concerns...

Documents

Transcript of CJIS Security Policy Requirements - Local Agency Concerns...