Boca Raton Police Services Department Criminal Justice Information Systems Security PDF

Summary

This document details the security policies for the use of criminal justice information systems by Boca Raton Police Services employees. It covers guidelines for access, use, and reporting of incidents. The document also includes procedures for background screening and user certification.

Full Transcript

BOCA RATON POLICE SERVICES DEPARTMENT Departmental Standards Directive 81.205 CRIMINAL JUSTICE INFORMATION SYSTEMS SECURITY Revised: September 18, 2019 I. PURPOSE: The purpose of this departmental standards directive is to describe the guidelines regarding employees’ use of criminal justice infor...

BOCA RATON POLICE SERVICES DEPARTMENT Departmental Standards Directive 81.205 CRIMINAL JUSTICE INFORMATION SYSTEMS SECURITY Revised: September 18, 2019 I. PURPOSE: The purpose of this departmental standards directive is to describe the guidelines regarding employees’ use of criminal justice information systems such as NCIC/FCIC, PALMS, DAVID, and any other systems that the Department or its employees subscribe to. II. POLICY: It shall be the policy of the Department to comply with all regulations regarding the use of criminal justice information systems. The Department shall utilize the Criminal Justice Information Services (CJIS) Security Policy as the minimum standards to govern the operation of all criminal justice information systems. III. DEFINITIONS: Local Agency Security Officer (LASO): A designated person to ensure compliance with the CJIS Security Policy (CSP) and acts as the security point of contact with the CJIS Systems Agency (CSA). FDLE is the CSA for Florida. FCIC Agency Coordinator (FAC): An individual selected from within the Department who serves as the point-of-contact for matters relating to CJIS information access. The FAC administers CJIS systems programs within the local agency and oversees the agency’s compliance with CJIS systems policies. IV. NATIONAL CRIME INFORMATION CENTER (NCIC) AND FLORIDA CRIME INFORMATION CENTER (FCIC): A. BACKGROUND SCREENING: 1. All City employees assigned to the Department or Information Technology who have direct access to criminal justice information (CJI) shall undergo background screening as prescribed in the CJIS Security Policy (CSP). 2. All contractors or vendors who have remote unescorted access to computer systems which contain CJI shall undergo background screening as prescribed in the CSP. Effective: May 20, 2016 Revised: September 18, 2019 Criminal Justice Information Systems Security Directive No. 81.205 Page 1 of 6 B. USER CERTIFICATION: 1. Only Department employees who have completed NCIC/FCIC training shall be permitted to operate computers with NCIC/FCIC access. 2. Employees using computers with NCIC/FCIC access shall receive training in accordance with CSP and become certified within six months of employment and recertified as required by CSP. 3. Until certification is achieved, the following training techniques will be used under the direct supervision of a certified operator: C. a. Familiarization with the FCIC operating terminal b. On-the-job training c. Automated systems security, if applicable d. All CSPs shall be followed when using manual and automated systems. AUTHORIZED USE: 1. Pursuant to FSS 943.054, criminal history information, including personally identifiable information, derived from the NCIC/FCIC computer terminal is available to criminal justice agencies for criminal justice purposes only. a. Personally identifiable information that has been extracted from criminal justice information will be handled in the same manner as criminal justice information. 2. Misuse of the NCIC/FCIC system will result in disciplinary action up to termination and/or prosecution. 3. Only Department-issued computers shall be utilized to access NCIC/FCIC systems. Personal devices shall not be used to access, process, store, or transmit CJI. 4. Questions regarding the access and use of NCIC/FCIC data shall be directed to the Department’s FAC. D. USE OF COMPUTERS WITH ACCESS TO NCIC/FCIC: 1. When using computers with access to NCIC/FCIC data, employees shall ensure that the following security measures are in place: 26.03 a. The computer is being used in a physically secure location, to include the following: i. Non-public areas within Department facilities (including the Police Station, 6500 Building, and annexes) Effective: May 20, 2016 Revised: September 18, 2019 Criminal Justice Information Systems Security Directive No. 81.205 Page 2 of 6 ii. Within a marked Department vehicle, provided no individuals could reasonably view the computer b. The employee logs in with his/her own unique username and password. c. The display screen is not visible to unauthorized persons. d. Any printers being used to print criminal justice information are not within view of unauthorized individuals. E. USE OF VOICE OVER INTERNET PROTOCOL (VOIP) TELEPHONES: 1. Employees shall not divulge personal information or CJI to unknown individuals over the telephone. 2. Employees shall not discuss personal information or CJI on speakerphone or while unauthorized individuals are present. 3. Employees shall not connect or install additional devices to the VOIP telephone (e.g. computers, Bluetooth recording devices) without the authorization of IT personnel. 4. Employees shall not use mobile software applications to access the VOIP system. 5. Employees shall not use VOIP telephones to place international calls outside the United States or its territories. 6. Employees shall not store or save CJI on the VOIP system. 7. Employees shall not connect FAX machines into the VOIP system to transmit or receive CJI. 8. Employees shall contact IT personnel in the event of suspicious activity (e.g. no dial tone, incorrect extension, incorrect time) related to a VOIP telephone. F. USER ACCOUNTS: 1. A Network Authorization Form shall be completed for all new hires by Professional Standards Bureau employees. The form shall be approved by the chief of police or his/her designee and forwarded to IT personnel. 2. Employees requesting access to NCIC/FCIC applications or modifications to their access shall obtain approval from their supervisor and send a request to IT personnel. 3. All network and NCIC/FCIC user accounts shall be deactivated immediately upon an employee’s resignation, retirement, or termination. Effective: May 20, 2016 Revised: September 18, 2019 Criminal Justice Information Systems Security Directive No. 81.205 Page 3 of 6 G. AUTHENTICATION/LOGIN: 1. All Department employees shall be assigned a unique user accounts by IT personnel for access to computers and applications with access to FCIC/NCIC. a. Employees shall only be permitted to have one active session using their unique user account when accessing applications with access to FCIC/NCIC. b. In the event an employee is terminated, resigns, transfers, or is reassigned, IT personnel, in conjunction with the Department LASO, shall review all user accounts to determine if access to the accounts should be terminated or if permissions need to be modified within seven (7) business days. 26.04 2. Employees attempting to log into a Department-issued laptop shall supply their Department credentials as well as an alternate form of identification, such as a fingerprint or proximity card. H. WIRELESS PROTOCOLS: 1. Employees may only utilize the following wireless protocols with their Department-issued laptops: a. Department’s internal Wi-Fi network b. Department’s vehicle-based Wi-Fi connection c. Department-issued cellular data connection d. Bluetooth connections to Department-issued RapidID devices 2. Employees shall not connect to Wi-Fi networks not administered by the Department. 3. Employees shall only use Department-issued Bluetooth devices when connecting to any Department equipment. I. REMOTE ACCESS: 1. Only NCIC/FCIC certified users may utilize a remote connection to monitor or control a computer with access to NCIC/FCIC. 2. Only Department-issued devices that have been approved by the IT Department may be utilized to establish a remote access connection by employees. 3. Employees shall follow all policies and procedures regarding the use of NCIC/FCIC systems and the viewing of criminal justice information while using remote access connections. Effective: May 20, 2016 Revised: September 18, 2019 Criminal Justice Information Systems Security Directive No. 81.205 Page 4 of 6 J. VENDOR – REMOTE ACCESS: 1. Vendor support is necessary to provide updates to software and troubleshoot system problems. 2. Authorized IT or Department employees shall virtually escort all vendors who are granted remote access. 3. Remote access is granted through specialized software built specifically for secure third-party remote access. This remote access shall provide authentication, encryption, access control, and audit capabilities. 4. Remote access shall be requested through email. The request shall include the requested server and the reason for the request. 5. Department IT personnel provide remote access by signing onto the server and enabling the VPN. The vendor shall be escorted until the work is complete, at which time the VPN shall be disabled 6. K. When not actively being used, vendor access shall remain disabled. FACILITY SECURITY: 1. All servers, access points, and other critical infrastructure containing or transmitting criminal history information (CHI) data shall be stored within secure locations accessible by key or access card. 2. Department employees or approved IT personnel shall accompany all visitors to computer centers and/or workstations at all times. L. MEDIA SECURITY: 1. No CJI, in any form, will be removed from secured locations or Department equipment unless it is necessary to complete a specific assignment. 2. All physical and electronic media containing CHI shall be kept in locked cabinets or offices when not in the physical control of the user. 3. Data backup shall be kept in a secured location in electronic format. 4. Physical media for archival purposes shall only be stored in secured locations. 5. In the event that any electronic or physical CHI media needs to be transported outside of secured locations, the media must meet the security requirements as specified in current CJIS security policies and be transported by CJIS certified personnel. a. Paper and electronic media being transported outside of secured locations shall be placed in opaque sealed envelopes or folders during transport. Effective: May 20, 2016 Revised: September 18, 2019 Criminal Justice Information Systems Security Directive No. 81.205 Page 5 of 6 6. Disposal procedures for electronic and print media shall be in accordance with Appendix A Security Documentation. M. REPORTING SECURITY INCIDENTS: 1. Employees shall document and forward any threat or perceived threat to the security of NCIC/FCIC data or any systems to the Department’s FAC or LASO. 2. The LASO shall complete the IT Security Incident Response Form to document the incident and forward a copy to FDLE. 3. IT personnel shall be responsible for maintaining documentation of any security incident. N. UPDATES & PATCH MANAGEMENT: 1. IT personnel shall be responsible for administering updates and patches to Department computers. 2. Updates and patches shall be applied by Department employees if instructed by IT personnel upon notification from the software developer, or immediately upon discovery of a critical security risk. Approved: Daniel C. Alexander Chief of Police Effective: May 20, 2016 Revised: September 18, 2019 Date: Criminal Justice Information Systems Security Directive No. 81.205 Page 6 of 6

Use Quizgecko on...
Browser
Browser