AH 01 Technology Use and Protection (Policy.Administrative.AH 01 Technology Use and Protection.WebHome)

1. Access to Criminal Justice Information: The physical or logical (electronic) ability, right orprivilege to view, modify or make use of Criminal Justice Information.

49

1. Administration of Criminal Justice: The detection, apprehension, detention, pretrial release,post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. It also includes criminal identification activities; the collection, storage, and dissemination of criminal history record information; and criminal justice employment.

50

1. Agency Controlled Mobile Device: A mobile device that is centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device can be agency issued or BYOD (personally owned).

51

1. Authorized User/Personnel: An individual, or group of individuals, who have been appropriately vetted through a national fingerprint-based record check and have been granted access to CJI data.

52

1. BCI: Bureau of Criminial Indification (Utah)

53

1. CJI: Criminal justice information.

54

1. CJIS: The Criminal Justice Information System administered by the FBI.

55

1. Computer System: Shall mean all computers (on-site and portable), hardware, software and resources owned, leased, rented or licensed by the Washington County Sheriff's Office , which are provided for official use by agency employees. This shall include all access to, and use of, Internet Service Providers (ISP) or other service providers provided by or through the agency or agency funding.

56

1. Electronic media: Electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.

57

1. Entity: An entity qualified to access criminal history information under state or federal law.

58

1. Escort: Authorized personnel who accompany a visitor at all times while within a physically secure location to ensure the protection and integrity of the physically secure location and any Criminal Justice Information therein. The use of cameras or other electronic means used to monitor a physically secure location does not constitute an escort.

59

1. Hardware: Shall include, but is not limited to, computers, computer terminals, network equipment, modems or any other tangible computer device generally understood to comprise hardware.

60

1. Login ID: A unique identifier in UCJIS for a user or non-user.

61

1. Misuse: The access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity.

62

1. Mobile Device: Any portable device used to access CJI via a wireless connection (e.g. cellular, WiFi, Bluetooth, etc.).

63

1. Mobile Device Management (MDM): Centralized administration and control of mobile devices specifically including, but not limited to, cellular phones, smart phones, and tablets. Management typically includes the ability to configure device settings and prevent a user from changing them, remotely locating a device in the event of theft or loss, and remotely locking or wiping a device. Management can also include over-the-air distribution of applications and updating installed applications.

64

1. NCIC: National Crime Information Center

65

1. Non-user: A person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may access computer systems or programs used to access UCJIS files or have unrestricted access to a location containing UCJIS records or a computer with UCJIS access.

66

1. Right of access: A program established in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record.

67

1. Secure Area: A building or area within a building that requires a greater level of security because it is subject to provisions of the Federal Bureau of Investigation Criminal Justice Information System (CJIS) security policy, or because the nature of the business operations within that building or area requires a heightened level of security.

68

1. Software: Shall include, but is not limited to, all computer programs and applications including shareware. This does not include files created by the individual user.

69

1. TAC: An agency's terminal agency coordinator.

70

1. Temporary File or Permanent File or File: Shall mean any electronic document, information or data residing or located, in whole or in part, whether temporarily or permanently, on the system, including but not limited to spreadsheets, calendar entries, appointments, tasks, notes, letters, reports or messages.

71

1. UCH: Utah Computerized Criminal History;

72

1. UCJIS: Utah Criminal Justice Information System, which includes the Criminal Justice Information System

73

1. User: A person who has direct access to UCJIS or who may obtain UCJIS records from a person who has direct access.

74

75

**AH 01_102 __GENERAL__**

76

77

1. POLICY:

78

11. This policy describes the use of WCSO computers, software programs, and criminal information systems. It provides guidance for the creation, viewing, modification, transmission, dissemination, storage, security and destruction of criminal justice information.

79

11. Any employee utilizing any computer, electronic storage device or media, Internet service, phone service, information conduit, system or other wireless service provided by or funded by the WCSO expressly acknowledges and agrees that the use of such service, whether for business or personal use, shall remove any expectation of privacy the employee, sender and recipient of any communication utilizing such service might otherwise have, including as to the content of any such communication. The WCSO also expressly reserves the right to access and audit any and all communications (including content) sent, received and/or stored through the use of such service.

80

81

**AH 01_103 __CRIMINAL JUSTICE INFORMATION SYSTEM__**

82

83

1. POLICY:

84

11. All information from the Utah Criminal Justice Information System (UCJIS) shall be used solely for the purpose of administration of criminal justice and for employment screening by criminal justice agencies. All WCSO users with direct or indirect access to UCJIS information shall ensure the security and confidentiality of the data. Any misuse or compromise of the physical or logical security of the CJI system shall be reported to a TAC, an alternate TAC or a supervisor. To ensure the integrity and confidentiality of CJI, it is the responsibility and duty of all WCSO employees to, but not limited to:

85

111. Criminal history information should not be transmitted over radios or other non-secure media;

86

111. Files containing CJI must remain locked;

87

111. Computer monitors shall be positioned so they can not be viewed by unauthorized persons;

88

11. WCSO employees shall not disseminate CJI to other agencies or unauthorized persons.

89

11. Only trained and authorized personnel may disseminate CHRI to the person of record under authority of Right of Access;

90

11. WCSO users shall not access CJI from publicly accessed computers or publicly accessed wireless networks;

91

11. UCJIS use will be governed by [[Utah Code Annotated 53-10-108>>https://le.utah.gov/xcode/Title53/Chapter10/53-10-S108.html]].

92

93

**AH 01_104 __CJIS SECURITY TRAINING FOR USERS WITH ACCESS__**

94

95

1. POLICY:

96

11. At a minimum, the UCJIS Terminal Access Coordinators (TACS) shall address a baseline security awareness training for all authorized personnel with access to Criminal Justice Information (CJI) to include:

97

111. Rules that describe responsibilities and expected behavior with regard to CJI usage;

98

111. Implications of noncompliance;

99

111. Incident response (Points of contact; Individual actions);

100

111. Media protection;

101

111. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, (e.g., challenge strangers, report unusual activity);

102

111. Protect information subject to confidentiality concerns and hardcopy destruction;

103

111. Proper handling and marking of CJI;

104

111. Threats, vulnerabilities, and risks associated with handling of CJI;

105

111. Social engineering or psychological manipulation of people into performing divulging confidential information, ie, phishing, baiting, diversion, etc.;

106

111. Dissemination and destruction.

107

108

**AH 01_105 __CJIS SECURITY TRAINING FOR ALL PERSONNEL__**

109

110

1. POLICY:

111

11. The following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

112

11. Responsibilities and expected behavior with regard to information system usage;

113

11. Password usage and management, including creation, frequency of changes, and protection;

114

11. Protection from viruses, worms, Trojan horses, and other malicious code;

115

11. Unknown e-mail/attachments;

116

11. Web usage, including allowed versus prohibited and monitoring of user activity;

117

11. Spam;

118

11. Physical Security;

119

11. Handheld device security issues, both physical and wireless security issues;

120

11. Encryption and the transmission of sensitive/confidential information over the Internet, agency policy, procedures, and technical contact for assistance;

121

11. Laptop security, both physical and information security issues;

122

11. Personally owned equipment and software installation;

123

11. Access control;

124

11. Individual accountability;

125

11. Use of acknowledgement statements, passwords, access to systems and data, personal use and gain;

126

11. Desktop security, including the use of screensavers, restricting visitors’ view of information on screen (mitigating “shoulder surfing”), battery backup devices, allowed access to systems;

127

11. Protect information subject to confidentiality concerns, in systems, archived, on backup media,and until destroyed;

128

11. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

129

130

**AH 01_106 __USER TESTING AND TRAINING__**

131

132

1. POLICY:

133

11. Coordination and implementation of training and testing shall be the responsibility of the WCSO TAC with support from BCI.

134

11. TAC and alternate TACs are required to be tested in accordance with BCI policy.

135

11. Users must receive training and testing within six months of login assignment.

136

11. TAC will provide re-testing every two years to users and alternate TACs to reaffirm proficiency.

137

11. User training requirements include knowledge of:

138

111. BCI Operations Manual;

139

111. NCIC Operations Manual;

140

111. NCIC Code Manual;

141

111. User Security Statement and Agreement;

142

111. All other policies and procedures by NCIC and BCI.

143

11. The privacy and security of UCJIS and NCIC files will be emphasized in all training sessions.T

144

11. The WCSO TAC and alternate TACs should attend the mandatory annual BCI TAC Conference. Other WCSO representatives may attend as directed. Information from the conference will be forwarded to all other WCSO staff by the TAC; in compliance with BCI policy.

145

146

**AH 01_107 __PASSWORD ATTRIBUTES__**

147

148

1. POLICY:

149

11. Secure password attributes authenticate an individual’s unique ID. Passwords for systems that access CJIS shall:

150

111. Be a minimum length of eight (8) characters on all systems;

151

111. Not be a dictionary word or proper name;

152

111. Not be the same as the Userid;

153

111. Expire within a maximum of 90 calendar days;

154

111. Not be identical to the previous ten (10) passwords;

155

111. Not be transmitted in the clear outside the secure location;

156

111. Not be displayed when entered.

157

158

**AH 01_108 __LOGIN MANAGEMENT__**

159

160

1. POLICY:

161

11. All new employees will receive training and testing in UCJIS security during orientation. The TAC or an Alternate TAC shall add the new employee as a user, in compliance with Utah BCI policy and procedures. When an employee's assignment requires a UCJIS login, the following steps will be taken:

162

111. The employee's supervisor shall notifiy the TAC or an Alternate TAC, provide the employee's name and request access for the employee;

163

111. The TAC or an Alternate TAC will create the login in compliance with the policy and procedures of Utah BCI, then provide training and testing material to the employee;

164

111. TAC or an Alternate TAC will review the training and testing, then certify the training in UCJIS.

165

111. When an employee no longer requires access to UCJIS or leaves employment with the Sheriff's Office, the TAC or an Alternate TAC shall immediately be notified and the TAC or an Alternate TAC shall remove the employee's access to UCJIS. The TAC or an Alternate TAC shall audit the active UCJIS users against the employee roster annually.

166

167

**AH 01_109 __LOGIN SECURITY__**

168

169

1. POLICY:

170

11. The TAC and alternate TACs shall be responsible for all WCSO login management with the authority to add, suspend, restrict, and delete any User.

171

11. Users shall only access UCJIS files from WCSO computers or terminals, WCSO laptop computers, or other law agency owned computers.

172

11. Users shall not access UCJIS files from personal computers or hand-held sized computers and phones.

173

11. Users may not share logins or passwords.

174

11. Users are responsible for all CJI access using their login.

175

11. Users shall log out or lock computer screen when leaving their computer to prevent unauthorized access or viewing of CJI.

176

177

**AH 01_110 __IT SECURITY INCIDENT RESPONSE PLAN__**

178

179

1. POLICY

180

11. An IT Incident is defined as an act in violation of legal statute, or in violation of the explicit or implied security policies of the organization, with or without intent to do harm. These activities include but are not limited to:

181

111. A system resource is exposed or is potentially exposed to unauthorized access;

182

111. Legitimate and authorized access to an information system or service is interrupted or denied;

183

111. Any adverse event compromising the authentication and access to a software application, computer system, or network;

184

111. The unauthorized use of a system for the processing or storage of data;

185

111. The unauthorized alteration of data transferred and stored electronically;

186

111. Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.

187

11. Any suspected incident detected by an agency member should be immediately reported to the IT Manager through the helpdesk application if possible. Potentially critical incidents, as outlined below, shall be immediately escalated by contacting the IT Manager by telephone. Escalation if the IT Manager is not immediately available is:

188

111. Administrative Lieutenant;

189

111. Undersheriff;

190

111. Sheriff;

191

111. County IT Director.

192

11. Incident Types and Severity based upon affect to operations.

193

111. Non-critical incidents

194

1111. Type 1 – Isolated incidents of computer viruses and spyware generally handled by antivirus software. Minor system slowdowns or intersystem communication errors.

195

111. Potentially Critical Incidentsi

196

1111. Type 2 – Significant system slowdowns or service interruptions. Unusual system behavior that may impact the integrity or continued operation of IT Systems.

197

1111. Type 3 – Obvious signs of system penetration, denial of service or damage to physical infrastructure.

198

11. Incident reporting

199

111. All suspected incidents shall be reported by agency members to the IT Manager either throughthe helpdesk system or directly by phone in the event of potentially critical incidents. Reporting members are expected to provide the following information:

200

1111. Name and contact information;

201

1111. Time of the report;

202

1111. Observed nature of the incident;

203

1111. What was observed;

204

1111. When was it observed;

205

1111. What equipment was involved;

206

1111. How was the incident detected; and

207

1111. What was first noticed that supported the idea that an incident had occurred?

208

11. Incident Response

209

111. Non-critical incidents shall be handled by the IT Manager during the normal course of business according to best practices.

210

111. Incidents shall be logged into the helpdesk system.

211

111. Reporting parties shall be notified of trouble ticket progress and resolution.

212

111. Potentially critical incidents shall be handled immediately by the IT Manager or other qualified members of the Incident Response Team (IRT).

213

111. Incidents shall be logged into the helpdesk system.

214

111. Incident severity shall be evaluated based on the following documented criteria:

215

1111. Whether the incident is real or perceived;

216

1111. The type of incident ;

11111. Virus;

11111. Worm;

11111. Intrusion;

11111. Abuse;

11111. Damage;

11111. Denial of service;

223

1111. If the incident is still in progress;

224

1111. If the affected equipment and/or data business is critical;

225

1111. The severity of the potential impact;

226

1111. If the incident is inside the trusted network; and

227

1111. If incident can be quickly contained.

228

11. Methods of containment vs. business disruption and data loss.

229

111. A Response Plan shall be implemented addressing these major areas of incident response:

230

1111. Triage

231

1111. Determine the scope and severity of the incident and determine whether to “protect” or “Pursue”.

232

1111. Develop a response plan based on the known situation.

233

1111. Allocate resources to protect other systems and isolate those affected.

234

1111. Assign responsibilities to team members.

235

11. Response

236

111. Initiate a plan and document actions taken as well as evidence/damage discovered.

237

111. If “pursuit” was chosen utilize forensically sound methods including the preservation of as much evidence as possible. Only qualified and authorized personnel shall perform interviews or system examinations.

238

111. Document all activates.

239

111. Review evidence to determine the full scope of damage.

240

11. Recovery

241

111. Document the number of systems damaged and the extent of the damage.

242

111. Re-install the affected system(s) from scratch and restore data from backups if necessary.

243

111. Re-set all passwords for all users on all systems.

244

11. Maintenance/Lessons Learned

245

111. Formally document the following:

246

1111. How the incident occurred

247

1111. Which systems were affected, and why (lack of patches, poor passwords, etc).

248

1111. Where the attack originated and other possible information related to the attacker.

249

1111. What the response plan was.

250

1111. Whether the response plan was effective.

251

111. Review current policy and practice and security equipment, implement changes as necessary.

252

11. Incident Response Team (IRT)

253

111. The IRT shall consists of at least three qualified members. It may be enlarged based on the nature of the incident.

254

1111. Currently assigned members are:

255

11111. IT Manager

256

11111. IT Assistant

257

11111. Former IT Sergeant/IT Manager

258

11111. Undersheriff

259

1111. Additional qualified members may be added as necessary from the following resources:

260

11111. Washington County IT

261

11111. St. George City IT

262

11111. Washington City IT

263

11111. State of Utah DTS

264

111. The IRT is generally supervised by the IT Manager, however based upon the nature of the incident supervision will fall to the most qualified team member as determined by the ranking responder.

265

266

**AH 01_111 __SYSTEM INSPECTION OR REVIEW__**

267

268

1. POLICY:

269

11. An employee's supervisor has the express authority to inspect or review the system, any and all temporary or permanent files and related electronic systems or devices, and any contents thereof when such inspection or review is in the ordinary course of his/her supervisory duties, or based on cause.

270

11. When requested by an employee's supervisor, or during the course of regular duties requiring such information, employees of the agency's information systems staff may extract, download or otherwise obtain any and all temporary or permanent files residing in or located in or on the system.

271

11. Reasons for inspection or review may include, but are not limited to:

272

111. system malfunctions;

273

111. problems or general system failure;

274

111. a lawsuit against the agency involving the employee or related to the employee's duties;

275

111. an alleged or suspected violation of a WCSO policy; or

276

111. a need to perform or provide a service or information when the employee is unavailable.

277

278

**AH 01_112 __AGENCY PROPERTY__**

279

280

1. POLICY:

281

11. All information, data, documents, communications, and other entries initiated on, sent to or from, or accessed on any WCSO computer, or through the WCSO computer system on any other computer, whether downloaded or transferred from the original WCSO computer, shall remain the exclusive property of the WCSO and shall not be available for personal or non-WCSO use without the expressed authorization of an employee's supervisor.

282

283

**AH 01_113 __UNAUTHORIZED USE OF SOFTWARE__**

284

285

1. POLICY:

286

11. Employees shall not copy or duplicate any copyrighted or licensed software except for a single copy for backup purposes in accordance with the software company's copyright and license agreement. To reduce the risk of computer virus or malicious software infection, employees shall not install any unlicensed or unauthorized software on any WCSO computer. Employees shall not install personal copies of any software onto any WCSO computer. Any files or software that an employee finds necessary to upload onto a WCSO computer or network shall be done so only with the approval of the WCSO IT specialist and only after being properly scanned for malicious attachments.

287

11. No employee shall knowingly make, acquire or use unauthorized copies of computer software not licensed to the agency while on agency premises or on an agency computer system. Such unauthorized use of software exposes the agency and involved employees to severe civil and criminal penalties.

288

289

**AH 01_114 __PHYSICAL AND ELECTRONIC MEDIA PROTECTION__**

290

291

1. POLICY:

292

11. All electronic information and licensed software must be properly removed when disposing of computers and other office electronics with hard drives and other storage media devices. Unauthorized disclosure of certain information could subject the WCSO to legal liability. This procedure is designed to ensure that information technology (IT) resources do not contain confidential data or licensed software before they are transferred for reuse, donation, recycling, or destruction. The primary responsibility for sanitizing and physical destruction rests with the Information Technology branch of WCSO or their designees. This procedure applies not only to hard drives but to all other electronic storage media including, but not limited to:

293

111. Compact discs (CDs);

294

111. Digital versatile discs (DVDs);

295

111. Universal Serial Bus (USB drives); and

296

111. Other diskettes and tapes.

297

11. Studies of disk sanitization indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered. These studies generally recommend two methods for disk sanitation:

298

111. Destruction of the media either by physical force or byelectromagnetic degaussing. Physicaldestruction should be conducted under dual control, and documented.

299

111. Disk sanitization, overwriting of all previously stored data in compliance with NIST standards.

300

301

**AH 01_115 __TRANSPORTATION OF MEDIA AND CJI__**

302

303

1. POLICY:

304

11. Controls shall be in place to protect electronic and physical media containing CJI while in transport or physically moved from one location to another, to prevent inadvertent or inappropriate disclosure and use. Dissemination from another agency is authorized if the other agency is an authorized to disseminate such information and is being serviced by the receiving agency. WCSO personnel shall:

305

111. Protect and control electronic and physical media during transport outside of controlled areas;

306

111. Restrict the pickup, receipt, transfer and delivery of such media to authorized personnel.

307

11. WCSO personnel will control, protect, and secure electronic and physical media during transport from public disclosure by:

308

111. Use of privacy statements in electronic and paper documents;

309

111. Limiting the collection, disclosure, sharing and use of CJI;

310

111. Following the least privilege and role based rules for allowing access. Limit access to CJI to only those people or roles that require access;

311

111. Securing hand carried confidential electronic and paper documents by storing CJI in a locked briefcase or lockbox.

312

313

**AH 01_116 __PROHIBITED AND INAPPROPRIATE USE__**

314

315

1. POLICY:

316

11. CJI and/or other law enforcement records management systems shall only be accessed by authorized employees who are engaged in an active investigation, assisting in an active investigation, or who otherwise have a legitimate law enforcement or WCSO business related purpose to access such data.

317

11. Internet sites containing information that is not appropriate or applicable to WCSO use and which shall not be intentionally accessed include, but are not limited to:

111. adult forums;

111. pornography;

111. chat rooms; and

111. similar or related web sites.

322

11. Certain exceptions may be permitted with the prior approval of a supervisor as a function of an assignment. Downloaded information shall be limited to messages, mail and data files which shall be subject to audit and review by the WCSO without notice. No copyrighted and/or unlicensed software program files may be downloaded.

323

11. Employees shall report any unauthorized access to the system or suspected intrusion from outside sources (including the Internet) to a supervisor and follow the Security Incident Response Plan

324

325

**AH 01_117 __SANCTIONS FOR MISUSE__**

326

327

1. POLICY:

328

11. Consequences for improper use or abuse of access to UCJIS may include; but are not limited to:

329

111. Suspension of login;

330

111. Permanent loss of login;

331

111. Criminal charges for violation of Utah State Statute 53-10-108, (in part);

332

1111. (11) (a) It is a class B misdemeanor for a person to knowingly or intentionally access, use, disclose, or disseminate a record created, maintained, or to which access is granted by the division or any information contained in a record created, maintained, or to which access is granted by the division for a purpose prohibited or not permitted by statute, rule, regulation, or policy of agovernmental entity. A person who discovers or becomes aware of any unauthorized use of records created or maintained, or to which access is granted by the division shall inform the commissioner and the director of the Utah Bureau of Criminal Identification of the unauthorized use.

333

111. Personal civil liability to the user;

334

111. Disciplinary action by the WCSO, up to and including termination.

335

336

**AH 01_118 __PROTECTION OF AGENCY SYSTEMS AND FILES__**

337

338

1. POLICY:

339

11. All employees have a duty to protect the system and related systems and devices from physical and environmental damage and are responsible for the correct use, operation, care and maintenance of the system. It is expressly prohibited for an employee to allow an unauthorized user to access the system at any time or for any reason.

340

341

**AH 01_119 __PHYSICAL SECURITY__**

342

343

1. POLICY:

344

11. The WCSO shall establish organizational guidelines for protecting the property, privacy and security of CJIS, employees, volunteers and members of the public by regulating access to buildings.

345

11. Vendors and guests of staff shall be escorted at all times when entering the secure areas of the WCSO patrol and corrections buildings;

346

11. Employees shall routinely use issued keys and keycards when entering the secure areas of the WCSO patrol and corrections buildings. Employees in good standing may be granted access by other staff if keys and keycards are not readily available;

347

11. Key and keycard holders shall immediately notify their supervisor if a key or keycard is misplaced, lost or stolen;

348

11. Failure to immediately report a lost or stolen key or keycard may result in disciplinary action.

349

11. Persons not employed by WCSO whose positions require unescorted access into high security areas or buildings shall comply with the provisions of the CJIS security policy, including a fingerprint-based national records check and training. Individuals who do not receive CJIS clearance shall not be granted access to high security areas or high security buildings. Unescorted access to high security areas shall not be granted prior to CJIS clearance.

350

11. Office staff shall monitor and log all visitors entering secure areas of the WCSO patrol and corrections buildings. The log shall contain the date, printed name, signature, and time of entry and exit.

351

11. Exceptions to the requirement to log visitors;

352

111. Special events held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event.

353

111. Other law enforcement personnel known to WCSO staff.

354

111. Attendees of a training held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event and a copy of the training roster is maintained with the visitor log.

355

111. Inmate visitation, which is regulated by WCSO jail policy and procedures.

Wiki source code of AH 01 Technology Use and Protection