Criminal Justice Information Protection Policy

Questions and Answers

What is the main purpose of the Media Protection Policy?

To ensure that all media is available for public dissemination

To promote the use of personal information systems

To ensure Criminal Justice Information is protected until it is appropriately handled (correct)

To allow broad public access to Criminal Justice Information

How often should user accounts with access to Criminal Justice Information be reviewed?

Only when a security incident occurs

Annually at a minimum (correct)

At the end of each fiscal year

Every six months

Which of the following is NOT a recommended storage practice for Criminal Justice Information?

Using a locked drawer or cabinet for physical media

Storing hardcopy documents in a secure area

Allowing any employee access to CJI documents (correct)

Restricting electronic media access to authorized individuals

What must be done with Criminal Justice Information at the end of its media life?

Destroy or sanitize it using approved methods

What action is recommended if Criminal Justice Information is stored outside a secure location?

Ensure the data is encrypted

Which of the following locations is considered publicly accessible and should not be used for processing Criminal Justice Information?

A hotel business center computer

What should be done if a user has inappropriate access to Criminal Justice Information?

Immediate action should be taken to rectify access levels

Which of the following is a requirement regarding the use of personal information systems?

They cannot be used to access or store Criminal Justice Information

What certification must be met by the cryptographic module when encryption is used?

FIPS 140-2 standards

Which of the following is NOT a recommended practice for protecting CJI during transport?

Allow all personnel to access CJI

What action should be taken when disposing of CJI documents?

Shred the documents

Which role is responsible for notifying about the loss or disclosure of CJI records?

Local Agency Security Officer (LASO)

Which security measure is advised for controlling access to CJI?

Implementing role-based rules

What should be done if an incident involving CJI is discovered?

Notify the Chief of Police and complete a report within 24 hours

Which of the following actions is NOT acceptable when handling CJI?

Mailing hard copies of CJI information

What is the appropriate safeguard for electronic and physical media during transport?

Only allow transfer by authorized personnel

Study Notes

Media Protection Policy

• Purpose: To ensure the protection of Criminal Justice Information (CJI) until it is either released to the public via authorized channels or purged/destroyed according to record retention rules.
• Scope: This policy applies to all SGSC Police Department employees who have access to CJI.

User Accounts/Access Validation

• Regular Review: All account systems containing CJI should be periodically reviewed, at least annually to ensure access and privileges align with job functions, need-to-know, and current employment status.

Commercial Dissemination

• Authorized Release: CJI can only be released to the public via authorized channels.

Media Storage and Access

• Secure Storage: Electronic and physical media containing CJI must be stored in a secure area (locked drawer, cabinet, or room).
• Restricted Access: Only authorized personnel are allowed to access electronic and physical media containing CJI.
• Printout Management: CJI printouts must be stored in a secure area accessible only to employees whose job requires it.
• Encryption: When CJI is stored electronically outside a physically secure location, it must be protected by encryption that meets FIPS 140-2 standards.
• Log Out: All computer users must lock or log off their computers when not in immediate vicinity to protect CJI.

Media Transport

• Authorized Recipients: Electronic and physical media containing CJI can only be transported to agencies that are authorized recipients of the information and are being serviced by the accessing agency.
• Control and Protection: Transport of CJI outside of secure areas must be restricted to authorized personnel.
• Secure Delivery: Confidential electronic and paper documents containing CJI must be securely delivered by:
  • Authorized personnel viewing or accessing the data in a secure location.
  • No mailing hard copies and no personal transportation of CJI unless specifically authorized.
  • Use of a shredder when disposing of CJI documents.

Electronic Media Sanitization and Disposal

• Proper Sanitization: All electronic media containing CJI must be sanitized and disposed of using approved equipment, techniques, and procedures.

Breach Notification and Incident Reporting

• Reporting: In case of a breach, the SGSC Police Department personnel must notify the Chief of Police, TAC, and LASO within 24 hours. A detailed incident report must be submitted.
• Supervisory Action: The supervisor must communicate the situation to the LASO to notify them of the loss or disclosure of CJI records.

Roles and Responsibilities

• Personnel Responsibility: All SGSC Police Department personnel are responsible for complying with the Media Protection Policy.
• Supervisory Responsibility: Supervisors are responsible for ensuring their team members adhere to policy and reporting breaches.

Description

This quiz covers the essential aspects of the Media Protection Policy concerning Criminal Justice Information (CJI). It evaluates your understanding of user account validation, secure media storage practices, and authorized release channels. Test your knowledge on best practices for protecting sensitive information within the SGSC Police Department.