AH 01 Technology Use and Protection (Policy.Administrative.AH 01 Technology Use and Protection.WebHome)

1. Access to Criminal Justice Information: The physical or logical (electronic) ability, right orprivilege to view, modify or make use of Criminal Justice Information.

49

1. Administration of Criminal Justice: The detection, apprehension, detention, pretrial release,post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. It also includes criminal identification activities; the collection, storage, and dissemination of criminal history record information; and criminal justice employment.

50

1. Agency Controlled Mobile Device: A mobile device that is centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device can be agency issued or BYOD (personally owned).

51

1. Authorized User/Personnel: An individual, or group of individuals, who have been appropriately vetted through a national fingerprint-based record check and have been granted access to CJI data.

52

1. BCI: Bureau of Criminal Identification (Utah)

53

1. CJI: Criminal justice information.

54

1. CJIS: The Criminal Justice Information System administered by the FBI.

55

1. Computer System: Shall mean all computers (on-site and portable), hardware, software and resources owned, leased, rented or licensed by the Washington County Sheriff's Office , which are provided for official use by agency employees. This shall include all access to, and use of, Internet Service Providers (ISP) or other service providers provided by or through the agency or agency funding.

56

1. Electronic media: Electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.

57

1. Entity: An entity qualified to access criminal history information under state or federal law.

58

1. Escort: Authorized personnel who accompany a visitor at all times while within a physically secure location to ensure the protection and integrity of the physically secure location and any Criminal Justice Information therein. The use of cameras or other electronic means used to monitor a physically secure location does not constitute an escort.

59

1. Hardware: Shall include, but is not limited to, computers, computer terminals, network equipment, modems or any other tangible computer device generally understood to comprise hardware.

60

1. Login ID: A unique identifier in UCJIS for a user or non-user.

61

1. Misuse: The access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity.

62

1. Mobile Device: Any portable device used to access CJI via a wireless connection (e.g. cellular, WiFi, Bluetooth, etc.).

63

1. Mobile Device Management (MDM): Centralized administration and control of mobile devices specifically including, but not limited to, cellular phones, smart phones, and tablets. Management typically includes the ability to configure device settings and prevent a user from changing them, remotely locating a device in the event of theft or loss, and remotely locking or wiping a device. Management can also include over-the-air distribution of applications and updating installed applications.

64

1. NCIC: National Crime Information Center

65

1. Non-user: A person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may access computer systems or programs used to access UCJIS files or have unrestricted access to a location containing UCJIS records or a computer with UCJIS access.

66

1. Right of access: A program established in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record.

67

1. Secure Area: A building or area within a building that requires a greater level of security because it is subject to provisions of the Federal Bureau of Investigation Criminal Justice Information System (CJIS) security policy, or because the nature of the business operations within that building or area requires a heightened level of security.

68

1. Software: Shall include, but is not limited to, all computer programs and applications including shareware. This does not include files created by the individual user.

69

1. TAC: An agency's terminal agency coordinator.

70

1. Temporary File or Permanent File or File: Shall mean any electronic document, information or data residing or located, in whole or in part, whether temporarily or permanently, on the system, including but not limited to spreadsheets, calendar entries, appointments, tasks, notes, letters, reports or messages.

71

1. UCH: Utah Computerized Criminal History;

72

1. UCJIS: Utah Criminal Justice Information System, which includes the Criminal Justice Information System

73

1. User: A person who has direct access to UCJIS or who may obtain UCJIS records from a person who has direct access.

74

75

**AH 01_102 __GENERAL__**

76

77

1. POLICY:

78

11. This policy describes the use of WCSO computers, software programs, and criminal information systems. It provides guidance for the creation, viewing, modification, transmission, dissemination, storage, security and destruction of criminal justice information.

79

11. Any employee utilizing any computer, electronic storage device or media, Internet service, phone service, information conduit, system or other wireless service provided by or funded by the WCSO expressly acknowledges and agrees that the use of such service, whether for business or personal use, shall remove any expectation of privacy the employee, sender and recipient of any communication utilizing such service might otherwise have, including as to the content of any such communication. The WCSO also expressly reserves the right to access and audit any and all communications (including content) sent, received and/or stored through the use of such service.

80

81

**AH 01_103 __CRIMINAL JUSTICE INFORMATION SYSTEM__**

82

83

1. POLICY:

84

11. All information from the Utah Criminal Justice Information System (UCJIS) shall be used solely for the purpose of administration of criminal justice and for employment screening by criminal justice agencies. All WCSO users with direct or indirect access to UCJIS information shall ensure the security and confidentiality of the data. Any misuse or compromise of the physical or logical security of the CJI system shall be reported to a TAC, an alternate TAC or a supervisor. To ensure the integrity and confidentiality of CJI, it is the responsibility and duty of all WCSO employees to, but not limited to:

85

111. Criminal history information should not be transmitted over radios or other non-secure media;

86

111. Files containing CJI must remain locked;

87

111. Computer monitors shall be positioned so they can not be viewed by unauthorized persons;

88

11. WCSO employees shall not disseminate CJI to other agencies or unauthorized persons.

89

11. Only trained and authorized personnel may disseminate CHRI to the person of record under authority of Right of Access;

90

11. WCSO users shall not access CJI from publicly accessed computers or publicly accessed wireless networks;

91

11. UCJIS use will be governed by [[Utah Code Annotated 53-10-108>>https://le.utah.gov/xcode/Title53/Chapter10/53-10-S108.html]].

92

11. The BCI Director and the Commissioner of Public Safety will be notified immediately of any suspected misuse of UCJIS files or the data obtained through UCJIS as stated in UCA 53-10-108.

93

94

**AH 01_104 __CJIS SECURITY TRAINING FOR USERS WITH ACCESS__**

95

96

1. POLICY:

97

11. At a minimum, the UCJIS Terminal Access Coordinators (TACS) shall address a baseline security awareness training for all authorized personnel with access to Criminal Justice Information (CJI) to include:

98

111. Rules that describe responsibilities and expected behavior with regard to CJI usage;

99

111. Implications of noncompliance;

100

111. Incident response (Points of contact; Individual actions);

101

111. Media protection;

102

111. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, (e.g., challenge strangers, report unusual activity);

103

111. Protect information subject to confidentiality concerns and hardcopy destruction;

104

111. Proper handling and marking of CJI;

105

111. Threats, vulnerabilities, and risks associated with handling of CJI;

106

111. Social engineering or psychological manipulation of people into performing divulging confidential information, ie, phishing, baiting, diversion, etc.;

107

111. Dissemination and destruction.

108

109

**AH 01_105 __CJIS SECURITY TRAINING FOR ALL PERSONNEL__**

110

111

1. POLICY:

112

11. The following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

113

11. Responsibilities and expected behavior with regard to information system usage;

114

11. Password usage and management, including creation, frequency of changes, and protection;

115

11. Protection from viruses, worms, Trojan horses, and other malicious code;

116

11. Unknown e-mail/attachments;

117

11. Web usage, including allowed versus prohibited and monitoring of user activity;

118

11. Spam;

119

11. Physical Security;

120

11. Handheld device security issues, both physical and wireless security issues;

121

11. Encryption and the transmission of sensitive/confidential information over the Internet, agency policy, procedures, and technical contact for assistance;

122

11. Laptop security, both physical and information security issues;

123

11. Personally owned equipment and software installation;

124

11. Access control;

125

11. Individual accountability;

126

11. Use of acknowledgement statements, passwords, access to systems and data, personal use and gain;

127

11. Desktop security, including the use of screensavers, restricting visitors’ view of information on screen (mitigating “shoulder surfing”), battery backup devices, allowed access to systems;

128

11. Protect information subject to confidentiality concerns, in systems, archived, on backup media,and until destroyed;

129

11. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

130

131

**AH 01_106 __USER TESTING AND TRAINING__**

132

133

1. POLICY:

134

11. Coordination and implementation of training and testing shall be the responsibility of the WCSO TAC with support from BCI.

135

11. TAC and alternate TACs are required to be tested in accordance with BCI policy.

136

11. Users must receive training and testing within six months of login assignment.

137

11. TAC will provide re-testing every two years to users and alternate TACs to reaffirm proficiency.

138

11. User training requirements include knowledge of:

139

111. BCI Operations Manual;

140

111. NCIC Operations Manual;

141

111. NCIC Code Manual;

142

111. User Security Statement and Agreement;

143

111. All other policies and procedures by NCIC and BCI.

144

11. The privacy and security of UCJIS and NCIC files will be emphasized in all training sessions.T

145

11. The WCSO TAC and alternate TACs should attend the mandatory annual BCI TAC Conference. Other WCSO representatives may attend as directed. Information from the conference will be forwarded to all other WCSO staff by the TAC; in compliance with BCI policy.

146

147

**AH 01_107 __PASSWORD ATTRIBUTES__**

148

149

1. POLICY:

150

11. Secure password attributes authenticate an individual’s unique ID. Passwords for systems that access CJIS shall:

151

111. Be a minimum length of eight (8) characters on all systems;

152

111. Not be a dictionary word or proper name;

153

111. Not be the same as the Userid;

154

111. Expire within a maximum of 90 calendar days;

155

111. Not be identical to the previous ten (10) passwords;

156

111. Not be transmitted in the clear outside the secure location;

157

111. Not be displayed when entered.

158

159

**AH 01_108 __LOGIN MANAGEMENT__**

160

161

1. POLICY:

162

11. All new employees will receive training and testing in UCJIS security during orientation. The TAC or an Alternate TAC shall add the new employee as a user, in compliance with Utah BCI policy and procedures. When an employee's assignment requires a UCJIS login, the following steps will be taken:

163

111. The employee's supervisor shall notifiy the TAC or an Alternate TAC, provide the employee's name and request access for the employee;

164

111. The TAC or an Alternate TAC will create the login in compliance with the policy and procedures of Utah BCI, then provide training and testing material to the employee;

165

111. TAC or an Alternate TAC will review the training and testing, then certify the training in UCJIS.

166

111. When an employee no longer requires access to UCJIS or leaves employment with the Sheriff's Office, the TAC or an Alternate TAC shall immediately be notified and the TAC or an Alternate TAC shall remove the employee's access to UCJIS. The TAC or an Alternate TAC shall audit the active UCJIS users against the employee roster annually.

167

168

**AH 01_109 __LOGIN SECURITY__**

169

170

1. POLICY:

171

11. The TAC and alternate TACs shall be responsible for all WCSO login management with the authority to add, suspend, restrict, and delete any User.

172

11. Users shall only access UCJIS files from WCSO computers or terminals, WCSO laptop computers, or other law agency owned computers.

173

11. Users shall not access UCJIS files from personal computers or hand-held sized computers and phones.

174

11. Users may not share logins or passwords.

175

11. Users are responsible for all CJI access using their login.

176

11. Users shall log out or lock computer screen when leaving their computer to prevent unauthorized access or viewing of CJI.

177

178

**AH 01_110 __IT SECURITY INCIDENT RESPONSE PLAN__**

179

180

1. POLICY

181

11. An IT Incident is defined as an act in violation of legal statute, or in violation of the explicit or implied security policies of the organization, with or without intent to do harm. These activities include but are not limited to:

182

111. A system resource is exposed or is potentially exposed to unauthorized access;

183

111. Legitimate and authorized access to an information system or service is interrupted or denied;

184

111. Any adverse event compromising the authentication and access to a software application, computer system, or network;

185

111. The unauthorized use of a system for the processing or storage of data;

186

111. The unauthorized alteration of data transferred and stored electronically;

187

111. Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.

188

11. Any suspected incident detected by an agency member should be immediately reported to the IT Manager through the helpdesk application if possible. Potentially critical incidents, as outlined below, shall be immediately escalated by contacting the IT Manager by telephone. Escalation if the IT Manager is not immediately available is:

189

111. Administrative Lieutenant;

190

111. Undersheriff;

191

111. Sheriff;

192

111. County IT Director.

193

11. Incident Types and Severity based upon affect to operations.

194

111. Non-critical incidents

195

1111. Type 1 – Isolated incidents of computer viruses and spyware generally handled by antivirus software. Minor system slowdowns or intersystem communication errors.

196

111. Potentially Critical Incidentsi

197

1111. Type 2 – Significant system slowdowns or service interruptions. Unusual system behavior that may impact the integrity or continued operation of IT Systems.

198

1111. Type 3 – Obvious signs of system penetration, denial of service or damage to physical infrastructure.

199

11. Incident reporting

200

111. All suspected incidents shall be reported by agency members to the IT Manager either throughthe helpdesk system or directly by phone in the event of potentially critical incidents. Reporting members are expected to provide the following information:

201

1111. Name and contact information;

202

1111. Time of the report;

203

1111. Observed nature of the incident;

204

1111. What was observed;

205

1111. When was it observed;

206

1111. What equipment was involved;

207

1111. How was the incident detected; and

208

1111. What was first noticed that supported the idea that an incident had occurred?

209

11. Incident Response

210

111. Non-critical incidents shall be handled by the IT Manager during the normal course of business according to best practices.

211

111. Incidents shall be logged into the helpdesk system.

212

111. Reporting parties shall be notified of trouble ticket progress and resolution.

213

111. Potentially critical incidents shall be handled immediately by the IT Manager or other qualified members of the Incident Response Team (IRT).

214

111. Incidents shall be logged into the helpdesk system.

215

111. Incident severity shall be evaluated based on the following documented criteria:

216

1111. Whether the incident is real or perceived;

217

1111. The type of incident ;

11111. Virus;

11111. Worm;

11111. Intrusion;

11111. Abuse;

11111. Damage;

11111. Denial of service;

224

1111. If the incident is still in progress;

225

1111. If the affected equipment and/or data business is critical;

226

1111. The severity of the potential impact;

227

1111. If the incident is inside the trusted network; and

228

1111. If incident can be quickly contained.

229

11. Methods of containment vs. business disruption and data loss.

230

111. A Response Plan shall be implemented addressing these major areas of incident response:

231

1111. Triage

232

1111. Determine the scope and severity of the incident and determine whether to “protect” or “Pursue”.

233

1111. Develop a response plan based on the known situation.

234

1111. Allocate resources to protect other systems and isolate those affected.

235

1111. Assign responsibilities to team members.

236

11. Response

237

111. Initiate a plan and document actions taken as well as evidence/damage discovered.

238

111. If “pursuit” was chosen utilize forensically sound methods including the preservation of as much evidence as possible. Only qualified and authorized personnel shall perform interviews or system examinations.

239

111. Document all activates.

240

111. Review evidence to determine the full scope of damage.

241

11. Recovery

242

111. Document the number of systems damaged and the extent of the damage.

243

111. Re-install the affected system(s) from scratch and restore data from backups if necessary.

244

111. Re-set all passwords for all users on all systems.

245

11. Maintenance/Lessons Learned

246

111. Formally document the following:

247

1111. How the incident occurred

248

1111. Which systems were affected, and why (lack of patches, poor passwords, etc).

249

1111. Where the attack originated and other possible information related to the attacker.

250

1111. What the response plan was.

251

1111. Whether the response plan was effective.

252

111. Review current policy and practice and security equipment, implement changes as necessary.

253

11. Incident Response Team (IRT)

254

111. The IRT shall consists of at least three qualified members. It may be enlarged based on the nature of the incident.

255

1111. Currently assigned members are:

256

11111. IT Manager

257

11111. IT Assistant

258

11111. Former IT Sergeant/IT Manager

259

11111. Undersheriff

260

1111. Additional qualified members may be added as necessary from the following resources:

261

11111. Washington County IT

262

11111. St. George City IT

263

11111. Washington City IT

264

11111. State of Utah DTS

265

111. The IRT is generally supervised by the IT Manager, however based upon the nature of the incident supervision will fall to the most qualified team member as determined by the ranking responder.

266

267

**AH 01_111 __SYSTEM INSPECTION OR REVIEW__**

268

269

1. POLICY:

270

11. An employee's supervisor has the express authority to inspect or review the system, any and all temporary or permanent files and related electronic systems or devices, and any contents thereof when such inspection or review is in the ordinary course of his/her supervisory duties, or based on cause.

271

11. When requested by an employee's supervisor, or during the course of regular duties requiring such information, employees of the agency's information systems staff may extract, download or otherwise obtain any and all temporary or permanent files residing in or located in or on the system.

272

11. Reasons for inspection or review may include, but are not limited to:

273

111. system malfunctions;

274

111. problems or general system failure;

275

111. a lawsuit against the agency involving the employee or related to the employee's duties;

276

111. an alleged or suspected violation of a WCSO policy; or

277

111. a need to perform or provide a service or information when the employee is unavailable.

278

279

**AH 01_112 __AGENCY PROPERTY__**

280

281

1. POLICY:

282

11. All information, data, documents, communications, and other entries initiated on, sent to or from, or accessed on any WCSO computer, or through the WCSO computer system on any other computer, whether downloaded or transferred from the original WCSO computer, shall remain the exclusive property of the WCSO and shall not be available for personal or non-WCSO use without the expressed authorization of an employee's supervisor.

283

284

**AH 01_113 __UNAUTHORIZED USE OF SOFTWARE__**

285

286

1. POLICY:

287

11. Employees shall not copy or duplicate any copyrighted or licensed software except for a single copy for backup purposes in accordance with the software company's copyright and license agreement. To reduce the risk of computer virus or malicious software infection, employees shall not install any unlicensed or unauthorized software on any WCSO computer. Employees shall not install personal copies of any software onto any WCSO computer. Any files or software that an employee finds necessary to upload onto a WCSO computer or network shall be done so only with the approval of the WCSO IT specialist and only after being properly scanned for malicious attachments.

288

11. No employee shall knowingly make, acquire or use unauthorized copies of computer software not licensed to the agency while on agency premises or on an agency computer system. Such unauthorized use of software exposes the agency and involved employees to severe civil and criminal penalties.

289

290

**AH 01_114 __PHYSICAL AND ELECTRONIC MEDIA PROTECTION__**

291

292

1. POLICY:

293

11. All electronic information and licensed software must be properly removed when disposing of computers and other office electronics with hard drives and other storage media devices. Unauthorized disclosure of certain information could subject the WCSO to legal liability. This procedure is designed to ensure that information technology (IT) resources do not contain confidential data or licensed software before they are transferred for reuse, donation, recycling, or destruction. The primary responsibility for sanitizing and physical destruction rests with the Information Technology branch of WCSO or their designees. This procedure applies not only to hard drives but to all other electronic storage media including, but not limited to:

294

111. Compact discs (CDs);

295

111. Digital versatile discs (DVDs);

296

111. Universal Serial Bus (USB drives); and

297

111. Other diskettes and tapes.

298

11. Studies of disk sanitization indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered. These studies generally recommend two methods for disk sanitation:

299

111. Destruction of the media either by physical force or byelectromagnetic degaussing. Physicaldestruction should be conducted under dual control, and documented.

300

111. Disk sanitization, overwriting of all previously stored data in compliance with NIST standards.

301

302

**AH 01_115 __TRANSPORTATION OF MEDIA AND CJI__**

303

304

1. POLICY:

305

11. Controls shall be in place to protect electronic and physical media containing CJI while in transport or physically moved from one location to another, to prevent inadvertent or inappropriate disclosure and use. Dissemination from another agency is authorized if the other agency is an authorized to disseminate such information and is being serviced by the receiving agency. WCSO personnel shall:

306

111. Protect and control electronic and physical media during transport outside of controlled areas;

307

111. Restrict the pickup, receipt, transfer and delivery of such media to authorized personnel.

308

11. WCSO personnel will control, protect, and secure electronic and physical media during transport from public disclosure by:

309

111. Use of privacy statements in electronic and paper documents;

310

111. Limiting the collection, disclosure, sharing and use of CJI;

311

111. Following the least privilege and role based rules for allowing access. Limit access to CJI to only those people or roles that require access;

312

111. Securing hand carried confidential electronic and paper documents by storing CJI in a locked briefcase or lockbox.

313

314

**AH 01_116 __PROHIBITED AND INAPPROPRIATE USE__**

315

316

1. POLICY:

317

11. CJI and/or other law enforcement records management systems shall only be accessed by authorized employees who are engaged in an active investigation, assisting in an active investigation, or who otherwise have a legitimate law enforcement or WCSO business related purpose to access such data.

318

11. Internet sites containing information that is not appropriate or applicable to WCSO use and which shall not be intentionally accessed include, but are not limited to:

111. adult forums;

111. pornography;

111. chat rooms; and

111. similar or related web sites.

323

11. Certain exceptions may be permitted with the prior approval of a supervisor as a function of an assignment. Downloaded information shall be limited to messages, mail and data files which shall be subject to audit and review by the WCSO without notice. No copyrighted and/or unlicensed software program files may be downloaded.

324

11. Employees shall report any unauthorized access to the system or suspected intrusion from outside sources (including the Internet) to a supervisor and follow the Security Incident Response Plan

325

326

**AH 01_117 __SANCTIONS FOR MISUSE__**

327

328

1. POLICY:

329

11. Consequences for improper use or abuse of access to UCJIS may include; but are not limited to:

330

111. Suspension of login;

331

111. Permanent loss of login;

332

111. Criminal charges for violation of Utah State Statute 53-10-108, (in part);

333

1111. (11) (a) It is a class B misdemeanor for a person to knowingly or intentionally access, use, disclose, or disseminate a record created, maintained, or to which access is granted by the division or any information contained in a record created, maintained, or to which access is granted by the division for a purpose prohibited or not permitted by statute, rule, regulation, or policy of agovernmental entity. A person who discovers or becomes aware of any unauthorized use of records created or maintained, or to which access is granted by the division shall inform the commissioner and the director of the Utah Bureau of Criminal Identification of the unauthorized use.

334

111. Personal civil liability to the user;

335

111. Disciplinary action by the WCSO, up to and including termination.

336

337

**AH 01_118 __PROTECTION OF AGENCY SYSTEMS AND FILES__**

338

339

1. POLICY:

340

11. All employees have a duty to protect the system and related systems and devices from physical and environmental damage and are responsible for the correct use, operation, care and maintenance of the system. It is expressly prohibited for an employee to allow an unauthorized user to access the system at any time or for any reason.

341

342

**AH 01_119 __PHYSICAL SECURITY__**

343

344

1. POLICY:

345

11. The WCSO shall establish organizational guidelines for protecting the property, privacy and security of CJIS, employees, volunteers and members of the public by regulating access to buildings.

346

11. Vendors and guests of staff shall be escorted at all times when entering the secure areas of the WCSO patrol and corrections buildings;

347

11. Employees shall routinely use issued keys and keycards when entering the secure areas of the WCSO patrol and corrections buildings. Employees in good standing may be granted access by other staff if keys and keycards are not readily available;

348

11. Key and keycard holders shall immediately notify their supervisor if a key or keycard is misplaced, lost or stolen;

349

11. Failure to immediately report a lost or stolen key or keycard may result in disciplinary action.

350

11. Persons not employed by WCSO whose positions require unescorted access into high security areas or buildings shall comply with the provisions of the CJIS security policy, including a fingerprint-based national records check and training. Individuals who do not receive CJIS clearance shall not be granted access to high security areas or high security buildings. Unescorted access to high security areas shall not be granted prior to CJIS clearance.

351

11. Office staff shall monitor and log all visitors entering secure areas of the WCSO patrol and corrections buildings. The log shall contain the date, printed name, signature, and time of entry and exit.

352

11. Exceptions to the requirement to log visitors;

353

111. Special events held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event.

354

111. Other law enforcement personnel known to WCSO staff.

355

111. Attendees of a training held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event and a copy of the training roster is maintained with the visitor log.

356

111. Inmate visitation, which is regulated by WCSO jail policy and procedures.

Wiki source code of AH 01 Technology Use and Protection