CJIS Protocol: GO # CO-3

Questions and Answers

What primary goal did the FBI have in mind when they established the Criminal Justice Information Services (CJIS) Division in 1992?

• To create a central repository for biometric data such as fingerprints and iris scans.
• To standardize the process of multi-factor authentication across all law enforcement agencies.
• To equip law enforcement, national security, and the intelligence community with criminal justice information. (correct)
• To regulate the use of wireless networking in law enforcement agencies.

According to the CJIS Security Policy, what is the minimum-security requirement for organizations that access criminal justice information?

• Adherence to local law enforcement policies only.
• Meeting the minimum-security requirements established by the CJIS Security Policy. (correct)
• Compliance with the security standards set forth by individual state laws.
• Use of only FBI-approved hardware and software for data transmission.

What role does the Terminal Agency Coordinator (TAC) serve within the Salem Police Department regarding CJIS information?

• They act as the primary contact for media inquiries related to CJIS data breaches.
• They are responsible for conducting internal audits of hardware and software used for CJIS data.
• They serve as a liaison with local, state, and federal partners ensuring CJIS compliance. (correct)
• They oversee the training and certification of all department personnel accessing SPOTS terminal.

If a police officer is uncertain about the policies regarding CJIS data, what is their immediate responsibility?

To contact the TAC, their immediate supervisor, or the LASO for clarification. (D)

What type of data is classified as 'CJIS Data'?

Biometric data, identity history data, and property data accompanied by personally identifiable information. (D)

What is the key distinction between 'Identity History Data' and 'Biographic data' within the context of CJIS data?

'Identity History Data' provides a history of criminal and/or civil events linked to an individual's biometrics, while 'Biographic data' relates only to information about a specific case. (C)

For the purposes of the Salem Police Department, which agencies are considered Criminal Justice Agencies (CJAs)?

Law enforcement, courts, corrections, DCYF, and various probation and attorney offices. (B)

What is the role of the Local Agency Security Officer (LASO) in relation to CJIS and the Salem Police Department?

To serve as the primary liaison between the local law enforcement agency and state or FBI CJIS on matters of information security. (A)

Through the SPOTS terminal, what types of items can the Salem Police Department enter or check in NCIC?

Wanted and missing persons, stolen vehicles, weapons, and boats. (B)

What capability does the National Law Enforcement Teletype System (NLETS) provide to law enforcement agencies?

A secure network for exchanging criminal justice and public safety-related information among agencies. (C)

What is the primary function of the State Police Online Telecommunications System (SPOTS)?

Providing a secure computer system for law enforcement to perform various checks and inquiries. (C)

According to the policy, what types of technology are considered SPOTS terminals?

Mobile Data Terminals (MDTs), in-house LAN/NCIC screens, and any mobile application with NCIC query capabilities. (B)

What is the Salem Police Department's responsibility as a participating Control Terminal Agency (CTA) for SPOTS?

To ensure system security and restrict access to authorized agencies and users. (C)

What should happen if a confirmed breach has compromised CJIS information?

The breach must be reported to the Dispatch Supervisor/TAC and Chief of Police as soon as possible. (B)

Where should hard copy printouts of information attained through SPOTS be stored?

In designated locations such as the dispatch center and Shift Commander's Office, and prosecution reports in file cabinets. (D)

According to the policy, how should discovery requests be handled?

They should be sent via email to defense counsel or defendant, and defendant information can be sent without redaction. (B)

What training is required for dispatchers and other users to properly use the SPOTS terminal?

Dispatchers require a 4-day training, while other users need a 1-day SPOTS user class. (D)

What constitutes misuse of the SPOTS system?

Accessing SPOTS information for personal use or disclosing sensitive information to unauthorized individuals, or activity that results in data modification or loss. (B)

Under what conditions can un-redacted CJIS data be released to another Criminal Justice Agency?

Only if transmitted via a secure method like a CJIS-compliant portal or encrypted email. (A)

What is required of all outside vendors who have access to secure areas of the Salem Police Department?

A signed Contractor User Agreement detailing confidentiality and penalties for unauthorized dissemination of CJIS materials. (C)

Flashcards

Criminal Justice Information Services Division (CJIS)

Division created by the FBI in 1992 to equip law enforcement, national security, and the intelligence community with criminal justice information.

CJIS Security Policy

Minimum security requirements for any organization accessing criminal justice data.

CJIS standards

Standards including data encryption, wireless networking, multi-factor authentication, and physical security.

Salem Police Department's Responsibility

Ensuring the protection of Criminal Justice Information (CJI). Designates a Terminal Agency Coordinator (TAC).

Terminal Agency Coordinator (TAC)

Works as a liaison to oversee security, storage and compliance with CJIS protocol.

Criminal Justice Information Services (CJIS)

Systems and information to protect and safeguard CJIS Data.

CJIS Biometric Data

Fingerprints, palm prints, iris scans, and facial recognition data.

Identity History Data

Textual data that corresponds with an individual's biometric data.

Criminal Justice Agency (CJA)

Agency within the criminal justice system including law enforcement, courts, and corrections.

Local Agency Security Officer (LASO)

The primary Information Security Officer between a local law enforcement agency and the State or FBI CJIS.

National Law Enforcement Teletype System (NLETS)

Secure network linking agencies to exchange criminal justice and public safety related information.

State Police Online Telecommunications System (SPOTS)

State-wide computer system controlled by the New Hampshire State Police under the direction of the FBI through CJIS.

Terminal Agency Coordinator (TAC)

Serves as point of contact for the agency in all matters related to CJIS information access.

Misuse of SPOTS system

Unauthorized modification or destruction of system data.

Sanitize Digital Media

Overwrite at least three times or degauss digital media prior to disposal or release for reuse by unauthorized individuals.

Study Notes

• Salem Police Department General Order covers CJIS Protocol, GO # CO-3, and was issued on 02.05.2024, rescinding G.O. # 80-5, with the chapter focusing on communications.

Purpose

• The FBI created the Criminal Justice Information Services Division (CJIS) in 1992.
• CJIS was made to equip law enforcement, national security, and the intelligence community with criminal justice information.
• The CJIS Security Policy sets minimum security requirements for any organization accessing data.
• It also provides guidelines to protect the transmission, storage, and creation of criminal justice information like fingerprints and case/incident histories.
• CJIS standards include data encryption, wireless networking, remote access, multi-factor authentication, and physical security.
• All entities accessing FBI's CJI data, whether law enforcement or non-criminal justice agencies, must adhere to CJIS security standards.

Policy

• The Salem Police Department is responsible for ensuring the protection of CJIS information.
• The department will designate a Terminal Agency Coordinator (TAC) to liaise with local, state, and federal partners to oversee security, storage, and compliance.
• All department personnel must follow the requirements, policies, and procedures set forth in the NCIC Operating Manual, State Police SPOTS Manual, and FBI's CJIS Security Policy, Version 5.9.
• Manuals and policies are available through the SPOTS Terminal.
• This policy outlines the everyday requirements, use, and dissemination of CJIS data.
• If an operator or user is unclear on CJIS data policies, they must contact the TAC, immediate supervisor, or LASO for clarification before any action.

Definitions

• Criminal Justice Information Services (CJIS) are systems and information used to protect CJIS Data.
• CJIS Data includes biometric data like fingerprints, palm prints, iris scans, and facial recognition data
• Identity History Data is textual data corresponding with individual's biometric data, giving a history of criminal and/or civil events.
• Includes information on a criminal history (III).
• Identity History Data applies to individuals associated with a unique case, but not necessarily to identity data.
• Biographic data provides information related to a unique case, not an individual's history; for this agency, it includes local or Master Name records.
• Property Data is information about vehicles/property linked to a crime including personally identifiable information (PII) with license plate.
• Case/Incident History includes information about the history of criminal incidents, such as arrest, criminal offense, and warrant reports, and Master Name records.
• Criminal Justice Agency (CJA) includes Law enforcement, Courts, and Corrections, the DCYF, Juvenile/Adult Probation and Parole Officers, County Attorney's Office, and the Attorney General's office in other states and in the federal government.
• Local Agency Security Officer (LASO) is the Operations Support Bureau Commander being the primary Information Security Officer between a local law enforcement agency and the State or FBI CJIS, who Handles matters related to Information Security and assists with audits of hardware and procedures.
• National Crime Information Center (NCIC) allows the Salem Police Department to enter or check items via the SPOTs terminal, including wanted/missing persons, stolen vehicles/plates/weapons/boats, and stolen articles.
• Only the originating agency can cancel items from NCIC through the SPOTS terminal if recovered.
• Noncriminal Justice Agencies (NCJA) includes federal, state, or local agencies lacking law enforcement, judicial, or Corrections authority.
• National Law Enforcement Teletype System (NLETS) is a secure network linking agencies to exchange criminal justice and public safety information via an international standardized format.
• NLETS supports inquiries into motor vehicle, driver's license, criminal history, and other databases, and shares goals, processes, and policies with the FBI CJIS, though they are separate.
• State Police Online Telecommunications System (SPOTS) is a statewide computer system controlled by the New Hampshire State Police under the direction of the FBI through CJIS and helps law enforcement professionals.
• SPOTS provides nationwide broadcasts, motor vehicle/records checks, criminal history checks, NCIC entries/cancellations, ICE inquiries, in-state misdemeanor warrants, electronic bench warrants, domestic violence protective orders, wanted person detainers, AMBER alerts, violent gang/terrorist organization inquiries, and administrative messages.
• Mobile Data Terminals (MDT's), LAN/NCIC screens, mobile apps for NCIC queries, and ALPR responses are considered SPOTS terminals.
• Terminal Agency Coordinator (TAC) is the Dispatch Supervisor and the point of contact for CJIS information access, administers CJIS systems programs (SPOTS Terminal) and ensures compliance with CJIS systems policies.

System Security

• As a Control Terminal Agency (CTA) for SPOTS, including Mobile Data Terminals (MDTs) or other electronic access, the Salem Police Department must assume and enforce system security.
• The FBI uses hardware/software controls to help ensure the system's integrity, but individual agencies and certified users have the final responsibility.
• Criminal justice information stored and disseminated via SPOTS is sensitive, confidential, and legally protected, with access restricted to authorized agencies for official business only.
• Data in SPOTS must be protected to ensure correct, legal, and efficient dissemination which failure may warrant removal of terminal and suspension of use, and intentional or negligent dissemination is subject to disciplinary action.

Security Breaches/Issues

• Any confirmed or suspected breach compromising CJIS information must be reported to the Dispatch Supervisor/TAC and Chief of Police ASAP.
• All details will be forwarded to the State of New Hampshire Information Security Officer and State Police NCIC unit.

Media Protection

• Hard copies from SPOTS shall be stored in dispatch center, shift commander's office or prosecution reports.
• Dispatch center NCIC entries and cancellation files will be kept in file cabinet.
• Shift Commander's Office reports pending approval containing criminal history and motor vehicle reports.
• Prosecution reports for pending court cases will be kept in file cabinets.
• Discovery requests will be sent via email to defense counsel or defendant.
• Defendant information can be sent without information redaction.
• Defense counsel can be notified of criminal history related to victim/witnesses, but CJIS documents will not be sent.
• Records-closed case files will be kept until they are allowed to be destroyed or moved to permanent storage.
• Hard drives from every PC and any printer/scanner/copier in the department shall be removed and destroyed by the Town of Salem Information Technology contractor.
• All hardware will be physically destroyed and rendered unusable/unreadable.

System Users

• The Dispatch Supervisor/TAC will ensure all Dispatchers attend a 4-day training in the proper use of the SPOTS terminal and additional users have a one-day SPOTS user class.
• The Dispatch Supervisor/TAC ensures all sworn personnel are certified to operate Mobile Data Terminals (MDT) through a 4-hour class held at the Police Standards & Training facility.
• The Dispatch Supervisor/TAC ensures all personnel are up to date on CJIS training and recertifications required every two years.
• The Dispatch Supervisor/TAC will notify the New Hampshire State Police of all user additions and removals.

System Discipline

• Unauthorized NCIC requests may lead to criminal proceedings against the agency and individuals, violating policies and regulations.
• System misuse includes computer security violations leading to unauthorized disclosure or accessing SPOTS information inappropriately, any media format use, and activity causing unauthorized data modification, system processing loss, or theft of computer media.

Release of CJIS Data

• Un-redacted department reports with CJIS data cannot be transmitted without specific guidelines.
• CJIS data may be faxed from an agency machine to a known user like faxing to DCYF or dropped into a CJIS compliant portal/FTP like Rockingham County Attorney's Office or NH US Attorney's Office FTP, or mailed via US Mail with unrelated parties redacted
• CJIS data can also be sent via CJIS-compliant encrypted email, hand-given to a CJA employee authorized to access CJIS Data, or normally transmitted via CJIS compliant software (MDT / SPOTS / J-ONE).

Outside Vendors

• Outside vendors with access to secure areas of the Salem Police Department must sign a Contractor User Agreement detailing confidentiality and penalties for unauthorized dissemination of CJIS materials referencing Admin Forms 7 & 8.

Operations Directive

• To take precautions and establish the requirements and responsibilities for use of the SPOTS, NCIC and NLETS Systems.
• To ensure that all officers and employees of the Salem Police Department comply with all state, federal and CJIS regulations regarding the use of these systems, the requirements set forth in Attachment-A shall specify specific requirements for the use of these systems

Sanitization and Disposal to Protect Media

• Digital Media includes any electronic or digital device capable of storing CJIS data and Physical Media means any paper or document containing CJIS data or other sensitive data.
• The agency will sanitize digital media by overwriting at least three times or degaussing before disposal or reuse by unauthorized individuals and inoperable digital media shall be destroyed (cut up, shredded, etc.).
• Written documentation of sanitization/destruction steps must be maintained and carried out by authorized personnel.
• The agency shall securely dispose of physical media through shredding or incineration, using secured boxes throughout the agency, with destruction carried out by authorized personnel.