
Criminal Justice Information Systems Security.pdf

Full Transcript

BOCA RATON POLICE SERVICES DEPARTMENT
Departmental Standards Directive 81.205
CRIMINAL JUSTICE INFORMATION SYSTEMS SECURITY
Revised: September 18, 2019

I. PURPOSE:

The purpose of this departmental standards directive is to describe the guidelines regarding employees’ use of criminal justice information systems such as NCIC/FCIC, PALMS, DAVID, and any other systems that the Department or its employees subscribe to.

II. POLICY:

It shall be the policy of the Department to comply with all regulations regarding the use of criminal justice information systems. The Department shall utilize the Criminal Justice Information Services (CJIS) Security Policy as the minimum standards to govern the operation of all criminal justice information systems.

III. DEFINITIONS:

Local Agency Security Officer (LASO): A designated person who ensures compliance with the CJIS Security Policy (CSP) and acts as the security point of contact with the CJIS Systems Agency (CSA). FDLE is the CSA for Florida.

FCIC Agency Coordinator (FAC): An individual selected from within the Department who serves as the point-of-contact for matters relating to CJIS information access. The FAC administers CJIS systems programs within the local agency and oversees the agency’s compliance with CJIS systems policies.

IV. NATIONAL CRIME INFORMATION CENTER (NCIC) AND FLORIDA CRIME INFORMATION CENTER (FCIC):

A. BACKGROUND SCREENING:

   1. All City employees assigned to the Department or Information Technology who have direct access to criminal justice information (CJI) shall undergo background screening as prescribed in the CJIS Security Policy (CSP).
   2. All contractors or vendors who have remote unescorted access to computer systems which contain CJI shall undergo background screening as prescribed in the CSP.

Effective: May 20, 2016 Revised: September 18, 2019 Criminal Justice Information Systems Security Directive No. 81.205 Page 1 of 6

B. USER CERTIFICATION:

   1. Only Department employees who have completed NCIC/FCIC training shall be permitted to operate computers with NCIC/FCIC access.
   2. Employees using computers with NCIC/FCIC access shall receive training in accordance with CSP and become certified within six months of employment and recertified as required by CSP.
   3. Until certification is achieved, the following training techniques will be used under the direct supervision of a certified operator:
      a. Familiarization with the FCIC operating terminal
      b. On-the-job training
      c. Automated systems security, if applicable
      d. All CSPs shall be followed when using manual and automated systems.

C. AUTHORIZED USE:

   1. Pursuant to FSS 943.054, criminal history information, including personally identifiable information, derived from the NCIC/FCIC computer terminal is available to criminal justice agencies for criminal justice purposes only.
      a. Personally identifiable information that has been extracted from criminal justice information will be handled in the same manner as criminal justice information.
   2. Misuse of the NCIC/FCIC system will result in disciplinary action up to termination and/or prosecution.
   3. Only Department-issued computers shall be utilized to access NCIC/FCIC systems. Personal devices shall not be used to access, process, store, or transmit CJI.
   4. Questions regarding the access and use of NCIC/FCIC data shall be directed to the Department’s FAC.

D. USE OF COMPUTERS WITH ACCESS TO NCIC/FCIC:

   1. When using computers with access to NCIC/FCIC data, employees shall ensure that the following security measures are in place: 26.03
      a. The computer is being used in a physically secure location, to include the following:
         i. Non-public areas within Department facilities (including the Police Station, 6500 Building, and annexes)
         ii. Within a marked Department vehicle, provided no individuals could reasonably view the computer
      b. The employee logs in with his/her own unique username and password.
      c. The display screen is not visible to unauthorized persons.
      d. Any printers being used to print criminal justice information are not within view of unauthorized individuals.

E. USE OF VOICE OVER INTERNET PROTOCOL (VOIP) TELEPHONES:

   1. Employees shall not divulge personal information or CJI to unknown individuals over the telephone.
   2. Employees shall not discuss personal information or CJI on speakerphone or while unauthorized individuals are present.
   3. Employees shall not connect or install additional devices to the VOIP telephone (e.g. computers, Bluetooth recording devices) without the authorization of IT personnel.
   4. Employees shall not use mobile software applications to access the VOIP system.
   5. Employees shall not use VOIP telephones to place international calls outside the United States or its territories.
   6. Employees shall not store or save CJI on the VOIP system.
   7. Employees shall not connect FAX machines into the VOIP system to transmit or receive CJI.
   8. Employees shall contact IT personnel in the event of suspicious activity (e.g. no dial tone, incorrect extension, incorrect time) related to a VOIP telephone.

F. USER ACCOUNTS:

   1. A Network Authorization Form shall be completed for all new hires by Professional Standards Bureau employees. The form shall be approved by the chief of police or his/her designee and forwarded to IT personnel.
   2. Employees requesting access to NCIC/FCIC applications or modifications to their access shall obtain approval from their supervisor and send a request to IT personnel.
   3. All network and NCIC/FCIC user accounts shall be deactivated immediately upon an employee’s resignation, retirement, or termination.

G. AUTHENTICATION/LOGIN:

   1. All Department employees shall be assigned a unique user account by IT personnel for access to computers and applications with access to FCIC/NCIC.
      a. Employees shall only be permitted to have one active session using their unique user account when accessing applications with access to FCIC/NCIC.
      b. In the event an employee is terminated, resigns, transfers, or is reassigned, IT personnel, in conjunction with the Department LASO, shall review all user accounts to determine if access to the accounts should be terminated or if permissions need to be modified within seven (7) business days. 26.04
   2. Employees attempting to log into a Department-issued laptop shall supply their Department credentials as well as an alternate form of identification, such as a fingerprint or proximity card.

H. WIRELESS PROTOCOLS:

   1. Employees may only utilize the following wireless protocols with their Department-issued laptops:
      a. Department’s internal Wi-Fi network
      b. Department’s vehicle-based Wi-Fi connection
      c. Department-issued cellular data connection
      d. Bluetooth connections to Department-issued RapidID devices
   2. Employees shall not connect to Wi-Fi networks not administered by the Department.
   3. Employees shall only use Department-issued Bluetooth devices when connecting to any Department equipment.

I. REMOTE ACCESS:

   1. Only NCIC/FCIC certified users may utilize a remote connection to monitor or control a computer with access to NCIC/FCIC.
   2. Only Department-issued devices that have been approved by the IT Department may be utilized to establish a remote access connection by employees.
   3. Employees shall follow all policies and procedures regarding the use of NCIC/FCIC systems and the viewing of criminal justice information while using remote access connections.

J. VENDOR – REMOTE ACCESS:

   1. Vendor support is necessary to provide updates to software and troubleshoot system problems.
   2. Authorized IT or Department employees shall virtually escort all vendors who are granted remote access.
   3. Remote access is granted through specialized software built specifically for secure third-party remote access. This remote access shall provide authentication, encryption, access control, and audit capabilities.
   4. Remote access shall be requested through email. The request shall include the requested server and the reason for the request.
   5. Department IT personnel provide remote access by signing onto the server and enabling the VPN. The vendor shall be escorted until the work is complete, at which time the VPN shall be disabled.
   6. When not actively being used, vendor access shall remain disabled.

K. FACILITY SECURITY:

   1. All servers, access points, and other critical infrastructure containing or transmitting criminal history information (CHI) data shall be stored within secure locations accessible by key or access card.
   2. Department employees or approved IT personnel shall accompany all visitors to computer centers and/or workstations at all times.

L. MEDIA SECURITY:

   1. No CJI, in any form, will be removed from secured locations or Department equipment unless it is necessary to complete a specific assignment.
   2. All physical and electronic media containing CHI shall be kept in locked cabinets or offices when not in the physical control of the user.
   3. Data backup shall be kept in a secured location in electronic format.
   4. Physical media for archival purposes shall only be stored in secured locations.
   5. In the event that any electronic or physical CHI media needs to be transported outside of secured locations, the media must meet the security requirements as specified in current CJIS security policies and be transported by CJIS certified personnel.
      a. Paper and electronic media being transported outside of secured locations shall be placed in opaque sealed envelopes or folders during transport.
   6. Disposal procedures for electronic and print media shall be in accordance with Appendix A Security Documentation.

M. REPORTING SECURITY INCIDENTS:

   1. Employees shall document and forward any threat or perceived threat to the security of NCIC/FCIC data or any systems to the Department’s FAC or LASO.
   2. The LASO shall complete the IT Security Incident Response Form to document the incident and forward a copy to FDLE.
   3. IT personnel shall be responsible for maintaining documentation of any security incident.

N. UPDATES & PATCH MANAGEMENT:

   1. IT personnel shall be responsible for administering updates and patches to Department computers.
   2. Updates and patches shall be applied by Department employees if instructed by IT personnel upon notification from the software developer, or immediately upon discovery of a critical security risk.

Approved: Daniel C. Alexander, Chief of Police
Date:
