AH 01 Technology Use and Protection (Policy.Administrative.AH 01 Technology Use and Protection.WebHome)

1. Access to Criminal Justice Information: The physical or logical (electronic) ability, right orprivilege to view, modify or make use of Criminal Justice Information.

49

1. Administration of Criminal Justice: The detection, apprehension, detention, pretrial release,post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. It also includes criminal identification activities; the collection, storage, and dissemination of criminal history record information; and criminal justice employment.

50

1. Agency Controlled Mobile Device: A mobile device that is centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device can be agency issued or BYOD (personally owned).

51

1. Authorized User/Personnel: An individual, or group of individuals, who have been appropriately vetted through a national fingerprint-based record check and have been granted access to CJI data.

52

1. BCI: Bureau of Criminial Indification (Utah)

53

1. CJI: Criminal justice information.

54

1. CJIS: The Criminal Justice Information System administered by the FBI.

55

1. Computer System: Shall mean all computers (on-site and portable), hardware, software and resources owned, leased, rented or licensed by the Washington County Sheriff's Office , which are provided for official use by agency employees. This shall include all access to, and use of, Internet Service Providers (ISP) or other service providers provided by or through the agency or agency funding.

56

1. Electronic media: Electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.

57

1. Entity: An entity qualified to access criminal history information under state or federal law.

58

1. Escort: Authorized personnel who accompany a visitor at all times while within a physically secure location to ensure the protection and integrity of the physically secure location and any Criminal Justice Information therein. The use of cameras or other electronic means used to monitor a physically secure location does not constitute an escort.

59

1. Hardware: Shall include, but is not limited to, computers, computer terminals, network equipment, modems or any other tangible computer device generally understood to comprise hardware.

60

1. Login ID: A unique identifier in UCJIS for a user or non-user.

61

1. Misuse: The access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity.

62

1. Mobile Device: Any portable device used to access CJI via a wireless connection (e.g. cellular, WiFi, Bluetooth, etc.).

63

1. Mobile Device Management (MDM): Centralized administration and control of mobile devices specifically including, but not limited to, cellular phones, smart phones, and tablets. Management typically includes the ability to configure device settings and prevent a user from changing them, remotely locating a device in the event of theft or loss, and remotely locking or wiping a device. Management can also include over-the-air distribution of applications and updating installed applications.

64

1. NCIC: National Crime Information Center

65

1. Non-user: A person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may access computer systems or programs used to access UCJIS files or have unrestricted access to a location containing UCJIS records or a computer with UCJIS access.

66

1. Right of access: A program established in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record.

67

1. Secure Area: A building or area within a building that requires a greater level of security because it is subject to provisions of the Federal Bureau of Investigation Criminal Justice Information System (CJIS) security policy, or because the nature of the business operations within that building or area requires a heightened level of security.

68

1. Software: Shall include, but is not limited to, all computer programs and applications including shareware. This does not include files created by the individual user.

69

1. TAC: An agency's terminal agency coordinator.

70

1. Temporary File or Permanent File or File: Shall mean any electronic document, information or data residing or located, in whole or in part, whether temporarily or permanently, on the system, including but not limited to spreadsheets, calendar entries, appointments, tasks, notes, letters, reports or messages.

71

1. UCH: Utah Computerized Criminal History;

72

1. UCJIS: Utah Criminal Justice Information System, which includes the Criminal Justice Information System

73

1. User: A person who has direct access to UCJIS or who may obtain UCJIS records from a person who has direct access.

74

75

**AH 01_102 __GENERAL__**

76

77

1. POLICY:

78

11. This policy describes the use of WCSO computers, software programs, and criminal information systems. It provides guidance for the creation, viewing, modification, transmission, dissemination, storage, security and destruction of criminal justice information.

79

11. Any employee utilizing any computer, electronic storage device or media, Internet service, phone service, information conduit, system or other wireless service provided by or funded by the WCSO expressly acknowledges and agrees that the use of such service, whether for business or personal use, shall remove any expectation of privacy the employee, sender and recipient of any communication utilizing such service might otherwise have, including as to the content of any such communication. The WCSO also expressly reserves the right to access and audit any and all communications (including content) sent, received and/or stored through the use of such service.

80

81

**AH 01_103 __CRIMINAL JUSTICE INFORMATION SYSTEM__**

82

83

1. POLICY:

84

11. All information from the Utah Criminal Justice Information System (UCJIS) shall be used solely for the purpose of administration of criminal justice and for employment screening by criminal justice agencies. All WCSO users with direct or indirect access to UCJIS information shall ensure the security and confidentiality of the data. Any misuse or compromise of the physical or logical security of the CJI system shall be reported to a TAC, an alternate TAC or a supervisor. To ensure the integrity and confidentiality of CJI, it is the responsibility and duty of all WCSO employees to, but not limited to:

85

111. Criminal history information should not be transmitted over radios or other non-secure media;

86

111. Files containing CJI must remain locked;

87

111. Computer monitors shall be positioned so they can not be viewed by unauthorized persons;

88

11. WCSO employees shall not disseminate CJI to other agencies or unauthorized persons.

89

11. Only trained and authorized personnel may disseminate CHRI to the person of record under authority of Right of Access;

90

11. WCSO users shall not access CJI from publicly accessed computers or publicly accessed wireless networks;

91

92

**AH 01_104 __CJIS SECURITY TRAINING FOR USERS WITH ACCESS__**

93

94

1. POLICY:

95

11. At a minimum, the UCJIS Terminal Access Coordinators (TACS) shall address a baseline security awareness training for all authorized personnel with access to Criminal Justice Information (CJI) to include:

96

111. Rules that describe responsibilities and expected behavior with regard to CJI usage;

97

111. Implications of noncompliance;

98

111. Incident response (Points of contact; Individual actions);

99

111. Media protection;

100

111. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, (e.g., challenge strangers, report unusual activity);

101

111. Protect information subject to confidentiality concerns and hardcopy destruction;

102

111. Proper handling and marking of CJI;

103

111. Threats, vulnerabilities, and risks associated with handling of CJI;

104

111. Social engineering or psychological manipulation of people into performing divulging confidential information, ie, phishing, baiting, diversion, etc.;

105

111. Dissemination and destruction.

106

107

**AH 01_105 __CJIS SECURITY TRAINING FOR ALL PERSONNEL__**

108

109

1. POLICY:

110

11. The following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

111

11. Responsibilities and expected behavior with regard to information system usage;

112

11. Password usage and management, including creation, frequency of changes, and protection;

113

11. Protection from viruses, worms, Trojan horses, and other malicious code;

114

11. Unknown e-mail/attachments;

115

11. Web usage, including allowed versus prohibited and monitoring of user activity;

116

11. Spam;

117

11. Physical Security;

118

11. Handheld device security issues, both physical and wireless security issues;

119

11. Encryption and the transmission of sensitive/confidential information over the Internet, agency policy, procedures, and technical contact for assistance;

120

11. Laptop security, both physical and information security issues;

121

11. Personally owned equipment and software installation;

122

11. Access control;

123

11. Individual accountability;

124

11. Use of acknowledgement statements, passwords, access to systems and data, personal use and gain;

125

11. Desktop security, including the use of screensavers, restricting visitors’ view of information on screen (mitigating “shoulder surfing”), battery backup devices, allowed access to systems;

126

11. Protect information subject to confidentiality concerns, in systems, archived, on backup media,and until destroyed;

127

11. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

128

129

**AH 01_106 __USER TESTING AND TRAINING__**

130

131

1. POLICY:

132

11. Coordination and implementation of training and testing shall be the responsibility of the WCSO TAC with support from BCI.

133

11. TAC and alternate TACs are required to be tested in accordance with BCI policy.

134

11. Users must receive training and testing within six months of login assignment.

135

11. TAC will provide re-testing every two years to users and alternate TACs to reaffirm proficiency.

136

11. User training requirements include knowledge of:

137

111. BCI Operations Manual;

138

111. NCIC Operations Manual;

139

111. NCIC Code Manual;

140

111. User Security Statement and Agreement;

141

111. All other policies and procedures by NCIC and BCI.

142

11. The privacy and security of UCJIS and NCIC files will be emphasized in all training sessions.T

143

11. The WCSO TAC and alternate TACs should attend the mandatory annual BCI TAC Conference. Other WCSO representatives may attend as directed. Information from the conference will be forwarded to all other WCSO staff by the TAC; in compliance with BCI policy.

144

145

**AH 01_107 __PASSWORD ATTRIBUTES__**

146

147

1. POLICY:

148

11. Secure password attributes authenticate an individual’s unique ID. Passwords for systems that access CJIS shall:

149

111. Be a minimum length of eight (8) characters on all systems;

150

111. Not be a dictionary word or proper name;

151

111. Not be the same as the Userid;

152

111. Expire within a maximum of 90 calendar days;

153

111. Not be identical to the previous ten (10) passwords;

154

111. Not be transmitted in the clear outside the secure location;

155

111. Not be displayed when entered.

156

157

**AH 01_108 __LOGIN MANAGEMENT__**

158

159

1. POLICY:

160

11. All new employees will receive training and testing in UCJIS security during orientation. The TAC or an Alternate TAC shall add the new employee as a user, in compliance with Utah BCI policy and procedures. When an employee's assignment requires a UCJIS login, the following steps will be taken:

161

111. The employee's supervisor shall notifiy the TAC or an Alternate TAC, provide the employee's name and request access for the employee;

162

111. The TAC or an Alternate TAC will create the login in compliance with the policy and procedures of Utah BCI, then provide training and testing material to the employee;

163

111. TAC or an Alternate TAC will review the training and testing, then certify the training in UCJIS.

164

111. When an employee no longer requires access to UCJIS or leaves employment with the Sheriff's Office, the TAC or an Alternate TAC shall immediately be notified and the TAC or an Alternate TAC shall remove the employee's access to UCJIS. The TAC or an Alternate TAC shall audit the active UCJIS users against the employee roster annually.

165

166

**AH 01_109 __LOGIN SECURITY__**

167

168

1. POLICY:

169

11. The TAC and alternate TACs shall be responsible for all WCSO login management with the authority to add, suspend, restrict, and delete any User.

170

11. Users shall only access UCJIS files from WCSO computers or terminals, WCSO laptop computers, or other law agency owned computers.

171

11. Users shall not access UCJIS files from personal computers or hand-held sized computers and phones.

172

11. Users may not share logins or passwords.

173

11. Users are responsible for all CJI access using their login.

174

11. Users shall log out or lock computer screen when leaving their computer to prevent unauthorized access or viewing of CJI.

175

176

**AH 01_110 __IT SECURITY INCIDENT RESPONSE PLAN__**

177

178

1. POLICY

179

11. An IT Incident is defined as an act in violation of legal statute, or in violation of the explicit or implied security policies of the organization, with or without intent to do harm. These activities include but are not limited to:

180

111. A system resource is exposed or is potentially exposed to unauthorized access;

181

111. Legitimate and authorized access to an information system or service is interrupted or denied;

182

111. Any adverse event compromising the authentication and access to a software application, computer system, or network;

183

111. The unauthorized use of a system for the processing or storage of data;

184

111. The unauthorized alteration of data transferred and stored electronically;

185

111. Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.

186

11. Any suspected incident detected by an agency member should be immediately reported to the IT Manager through the helpdesk application if possible. Potentially critical incidents, as outlined below, shall be immediately escalated by contacting the IT Manager by telephone. Escalation if the IT Manager is not immediately available is:

187

111. Administrative Lieutenant;

188

111. Undersheriff;

189

111. Sheriff;

190

111. County IT Director.

191

11. Incident Types and Severity based upon affect to operations.

192

111. Non-critical incidents

193

1111. Type 1 – Isolated incidents of computer viruses and spyware generally handled by antivirus software. Minor system slowdowns or intersystem communication errors.

194

111. Potentially Critical Incidentsi

195

1111. Type 2 – Significant system slowdowns or service interruptions. Unusual system behavior that may impact the integrity or continued operation of IT Systems.

196

1111. Type 3 – Obvious signs of system penetration, denial of service or damage to physical infrastructure.

197

11. Incident reporting

198

111. All suspected incidents shall be reported by agency members to the IT Manager either throughthe helpdesk system or directly by phone in the event of potentially critical incidents. Reporting members are expected to provide the following information:

199

1111. Name and contact information;

200

1111. Time of the report;

201

1111. Observed nature of the incident;

202

1111. What was observed;

203

1111. When was it observed;

204

1111. What equipment was involved;

205

1111. How was the incident detected; and

206

1111. What was first noticed that supported the idea that an incident had occurred?

207

11. Incident Response

208

111. Non-critical incidents shall be handled by the IT Manager during the normal course of business according to best practices.

209

111. Incidents shall be logged into the helpdesk system.

210

111. Reporting parties shall be notified of trouble ticket progress and resolution.

211

111. Potentially critical incidents shall be handled immediately by the IT Manager or other qualified members of the Incident Response Team (IRT).

212

111. Incidents shall be logged into the helpdesk system.

213

111. Incident severity shall be evaluated based on the following documented criteria:

214

1111. Whether the incident is real or perceived;

215

1111. The type of incident ;

11111. Virus;

11111. Worm;

11111. Intrusion;

11111. Abuse;

11111. Damage;

11111. Denial of service;

222

1111. If the incident is still in progress;

223

1111. If the affected equipment and/or data business is critical;

224

1111. The severity of the potential impact;

225

1111. If the incident is inside the trusted network; and

226

1111. If incident can be quickly contained.

227

11. Methods of containment vs. business disruption and data loss.

228

111. A Response Plan shall be implemented addressing these major areas of incident response:

229

1111. Triage

230

1111. Determine the scope and severity of the incident and determine whether to “protect” or “Pursue”.

231

1111. Develop a response plan based on the known situation.

232

1111. Allocate resources to protect other systems and isolate those affected.

233

1111. Assign responsibilities to team members.

234

11. Response

235

111. Initiate a plan and document actions taken as well as evidence/damage discovered.

236

111. If “pursuit” was chosen utilize forensically sound methods including the preservation of as much evidence as possible. Only qualified and authorized personnel shall perform interviews or system examinations.

237

111. Document all activates.

238

111. Review evidence to determine the full scope of damage.

239

11. Recovery

240

111. Document the number of systems damaged and the extent of the damage.

241

111. Re-install the affected system(s) from scratch and restore data from backups if necessary.

242

111. Re-set all passwords for all users on all systems.

243

11. Maintenance/Lessons Learned

244

111. Formally document the following:

245

1111. How the incident occurred

246

1111. Which systems were affected, and why (lack of patches, poor passwords, etc).

247

1111. Where the attack originated and other possible information related to the attacker.

248

1111. What the response plan was.

249

1111. Whether the response plan was effective.

250

111. Review current policy and practice and security equipment, implement changes as necessary.

251

11. Incident Response Team (IRT)

252

111. The IRT shall consists of at least three qualified members. It may be enlarged based on the nature of the incident.

253

1111. Currently assigned members are:

254

11111. IT Manager

255

11111. IT Assistant

256

11111. Former IT Sergeant/IT Manager

257

11111. Undersheriff

258

1111. Additional qualified members may be added as necessary from the following resources:

259

11111. Washington County IT

260

11111. St. George City IT

261

11111. Washington City IT

262

11111. State of Utah DTS

263

111. The IRT is generally supervised by the IT Manager, however based upon the nature of the incident supervision will fall to the most qualified team member as determined by the ranking responder.

264

265

**AH 01_111 __SYSTEM INSPECTION OR REVIEW__**

266

267

1. POLICY:

268

11. An employee's supervisor has the express authority to inspect or review the system, any and all temporary or permanent files and related electronic systems or devices, and any contents thereof when such inspection or review is in the ordinary course of his/her supervisory duties, or based on cause.

269

11. When requested by an employee's supervisor, or during the course of regular duties requiring such information, employees of the agency's information systems staff may extract, download or otherwise obtain any and all temporary or permanent files residing in or located in or on the system.

270

11. Reasons for inspection or review may include, but are not limited to:

271

111. system malfunctions;

272

111. problems or general system failure;

273

111. a lawsuit against the agency involving the employee or related to the employee's duties;

274

111. an alleged or suspected violation of a WCSO policy; or

275

111. a need to perform or provide a service or information when the employee is unavailable.

276

277

**AH 01_112 __AGENCY PROPERTY__**

278

279

1. POLICY:

280

11. All information, data, documents, communications, and other entries initiated on, sent to or from, or accessed on any WCSO computer, or through the WCSO computer system on any other computer, whether downloaded or transferred from the original WCSO computer, shall remain the exclusive property of the WCSO and shall not be available for personal or non-WCSO use without the expressed authorization of an employee's supervisor.

281

282

**AH 01_113 __UNAUTHORIZED USE OF SOFTWARE__**

283

284

1. POLICY:

285

11. Employees shall not copy or duplicate any copyrighted or licensed software except for a single copy for backup purposes in accordance with the software company's copyright and license agreement. To reduce the risk of computer virus or malicious software infection, employees shall not install any unlicensed or unauthorized software on any WCSO computer. Employees shall not install personal copies of any software onto any WCSO computer. Any files or software that an employee finds necessary to upload onto a WCSO computer or network shall be done so only with the approval of the WCSO IT specialist and only after being properly scanned for malicious attachments.

286

11. No employee shall knowingly make, acquire or use unauthorized copies of computer software not licensed to the agency while on agency premises or on an agency computer system. Such unauthorized use of software exposes the agency and involved employees to severe civil and criminal penalties.

287

288

**AH 01_114 __PHYSICAL AND ELECTRONIC MEDIA PROTECTION__**

289

290

1. POLICY:

291

11. All electronic information and licensed software must be properly removed when disposing of computers and other office electronics with hard drives and other storage media devices. Unauthorized disclosure of certain information could subject the WCSO to legal liability. This procedure is designed to ensure that information technology (IT) resources do not contain confidential data or licensed software before they are transferred for reuse, donation, recycling, or destruction. The primary responsibility for sanitizing and physical destruction rests with the Information Technology branch of WCSO or their designees. This procedure applies not only to hard drives but to all other electronic storage media including, but not limited to:

292

111. Compact discs (CDs);

293

111. Digital versatile discs (DVDs);

294

111. Universal Serial Bus (USB drives); and

295

111. Other diskettes and tapes.

296

11. Studies of disk sanitization indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered. These studies generally recommend two methods for disk sanitation:

297

111. Destruction of the media either by physical force or byelectromagnetic degaussing. Physicaldestruction should be conducted under dual control, and documented.

298

111. Disk sanitization, overwriting of all previously stored data in compliance with NIST standards.

299

300

**AH 01_115 __TRANSPORTATION OF MEDIA AND CJI__**

301

302

1. POLICY:

303

11. Controls shall be in place to protect electronic and physical media containing CJI while in transport or physically moved from one location to another, to prevent inadvertent or inappropriate disclosure and use. Dissemination from another agency is authorized if the other agency is an authorized to disseminate such information and is being serviced by the receiving agency. WCSO personnel shall:

304

111. Protect and control electronic and physical media during transport outside of controlled areas;

305

111. Restrict the pickup, receipt, transfer and delivery of such media to authorized personnel.

306

11. WCSO personnel will control, protect, and secure electronic and physical media during transport from public disclosure by:

307

111. Use of privacy statements in electronic and paper documents;

308

111. Limiting the collection, disclosure, sharing and use of CJI;

309

111. Following the least privilege and role based rules for allowing access. Limit access to CJI to only those people or roles that require access;

310

111. Securing hand carried confidential electronic and paper documents by storing CJI in a locked briefcase or lockbox.

311

312

**AH 01_116 __PROHIBITED AND INAPPROPRIATE USE__**

313

314

1. POLICY:

315

11. CJI and/or other law enforcement records management systems shall only be accessed by authorized employees who are engaged in an active investigation, assisting in an active investigation, or who otherwise have a legitimate law enforcement or WCSO business related purpose to access such data.

316

11. Internet sites containing information that is not appropriate or applicable to WCSO use and which shall not be intentionally accessed include, but are not limited to:

111. adult forums;

111. pornography;

111. chat rooms; and

111. similar or related web sites.

321

11. Certain exceptions may be permitted with the prior approval of a supervisor as a function of an assignment. Downloaded information shall be limited to messages, mail and data files which shall be subject to audit and review by the WCSO without notice. No copyrighted and/or unlicensed software program files may be downloaded.

322

11. Employees shall report any unauthorized access to the system or suspected intrusion from outside sources (including the Internet) to a supervisor and follow the Security Incident Response Plan

323

324

**AH 01_117 __SANCTIONS FOR MISUSE__**

325

326

1. POLICY:

327

11. Consequences for improper use or abuse of access to UCJIS may include; but are not limited to:

328

111. Suspension of login;

329

111. Permanent loss of login;

330

111. Criminal charges for violation of Utah State Statute 53-10-108, (in part);

331

1111. (11) (a) It is a class B misdemeanor for a person to knowingly or intentionally access, use, disclose, or disseminate a record created, maintained, or to which access is granted by the division or any information contained in a record created, maintained, or to which access is granted by the division for a purpose prohibited or not permitted by statute, rule, regulation, or policy of agovernmental entity. A person who discovers or becomes aware of any unauthorized use of records created or maintained, or to which access is granted by the division shall inform the commissioner and the director of the Utah Bureau of Criminal Identification of the unauthorized use.

332

111. Personal civil liability to the user;

333

111. Disciplinary action by the WCSO, up to and including termination.

334

335

**AH 01_118 __PROTECTION OF AGENCY SYSTEMS AND FILES__**

336

337

1. POLICY:

338

11. All employees have a duty to protect the system and related systems and devices from physical and environmental damage and are responsible for the correct use, operation, care and maintenance of the system. It is expressly prohibited for an employee to allow an unauthorized user to access the system at any time or for any reason.

339

340

**AH 01_119 __PHYSICAL SECURITY__**

341

342

1. POLICY:

343

11. The WCSO shall establish organizational guidelines for protecting the property, privacy and security of CJIS, employees, volunteers and members of the public by regulating access to buildings.

344

11. Vendors and guests of staff shall be escorted at all times when entering the secure areas of the WCSO patrol and corrections buildings;

345

11. Employees shall routinely use issued keys and keycards when entering the secure areas of the WCSO patrol and corrections buildings. Employees in good standing may be granted access by other staff if keys and keycards are not readily available;

346

11. Key and keycard holders shall immediately notify their supervisor if a key or keycard is misplaced, lost or stolen;

347

11. Failure to immediately report a lost or stolen key or keycard may result in disciplinary action.

348

11. Persons not employed by WCSO whose positions require unescorted access into high security areas or buildings shall comply with the provisions of the CJIS security policy, including a fingerprint-based national records check and training. Individuals who do not receive CJIS clearance shall not be granted access to high security areas or high security buildings. Unescorted access to high security areas shall not be granted prior to CJIS clearance.

349

11. Office staff shall monitor and log all visitors entering secure areas of the WCSO patrol and corrections buildings. The log shall contain the date, printed name, signature, and time of entry and exit.

350

11. Exceptions to the requirement to log visitors;

351

111. Special events held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event.

352

111. Other law enforcement personnel known to WCSO staff.

353

111. Attendees of a training held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event and a copy of the training roster is maintained with the visitor log.

354

111. Inmate visitation, which is regulated by WCSO jail policy and procedures.

Wiki source code of AH 01 Technology Use and Protection