Skip to Content
Last modified by Spencer Dobson on 2022/12/19 18:49
Hide last authors
Ryan Larkin 1.1 1 **Washington County Sheriff's Office
Spencer Dobson 4.1 2 SUPPORT DIVISION**
Ryan Larkin 1.1 3 Policy Manual
4
5
Spencer Dobson 4.1 6 Volume: AH Administrative Procedures
7 Chapter: 01 Technology Use and Protection
Ryan Larkin 1.1 8
Spencer Dobson 4.1 9 Replaces and/or Supersedes: AH 01 04/27/2021
10 \\Review Date: 12/19/2022
Ryan Larkin 1.1 11
12
13 **__TABLE OF CONTENTS__**
14 AH 01_101 Definitions
15 AH 01_102 General
16 AH 01_103 Criminal Justice Information System
17 AH 01_104 CJIS Security Training for Users with Access
18 AH 01_105 CJIS Security Training for All Personnel
19 AH 01_106 User Testing and Training
20 AH 01_107 Password Attributes
21 AH 01_108 Login Management
22 AH 01_109 Login Security
23 AH 01_110 IT Security Incident Management Plan
24 AH 01_111 System Inspection or Review
25 AH 01_112 Agency Property
26 AH 01_113 Unauthorized use of Software
27 AH 01_114 Physical and Electronic Media Protection
28 AH 01_115 Transportation of Media and CJI
29 AH 01_116 Prohibited and Inappropriate Use
30 AH 01_117 Sanctions for Misuse
31 AH 01_118 Protection of Agency Systems and Files
32 AH 01_119 Physical Security
33
34
35 **AH 01_101 __DEFINITIONS__**
36
Spencer Dobson 4.1 37 1. Access to Criminal Justice Information: The physical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.
38 1. Administration of Criminal Justice: The detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. It also includes criminal identification activities; the collection, storage, and dissemination of criminal history record information; and criminal justice employment.
Ryan Larkin 1.1 39 1. Agency Controlled Mobile Device: A mobile device that is centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device can be agency issued or BYOD (personally owned).
40 1. Authorized User/Personnel: An individual, or group of individuals, who have been appropriately vetted through a national fingerprint-based record check and have been granted access to CJI data.
Ryan Larkin 3.1 41 1. BCI: Bureau of Criminal Identification (Utah)
Ryan Larkin 1.1 42 1. CJI: Criminal justice information.
43 1. CJIS: The Criminal Justice Information System administered by the FBI.
44 1. Computer System: Shall mean all computers (on-site and portable), hardware, software and resources owned, leased, rented or licensed by the Washington County Sheriff's Office , which are provided for official use by agency employees. This shall include all access to, and use of, Internet Service Providers (ISP) or other service providers provided by or through the agency or agency funding.
45 1. Electronic media: Electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.
46 1. Entity: An entity qualified to access criminal history information under state or federal law.
47 1. Escort: Authorized personnel who accompany a visitor at all times while within a physically secure location to ensure the protection and integrity of the physically secure location and any Criminal Justice Information therein. The use of cameras or other electronic means used to monitor a physically secure location does not constitute an escort.
48 1. Hardware: Shall include, but is not limited to, computers, computer terminals, network equipment, modems or any other tangible computer device generally understood to comprise hardware.
49 1. Login ID: A unique identifier in UCJIS for a user or non-user.
50 1. Misuse: The access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity.
51 1. Mobile Device: Any portable device used to access CJI via a wireless connection (e.g. cellular, WiFi, Bluetooth, etc.).
52 1. Mobile Device Management (MDM): Centralized administration and control of mobile devices specifically including, but not limited to, cellular phones, smart phones, and tablets. Management typically includes the ability to configure device settings and prevent a user from changing them, remotely locating a device in the event of theft or loss, and remotely locking or wiping a device. Management can also include over-the-air distribution of applications and updating installed applications.
53 1. NCIC: National Crime Information Center
54 1. Non-user: A person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may access computer systems or programs used to access UCJIS files or have unrestricted access to a location containing UCJIS records or a computer with UCJIS access.
55 1. Right of access: A program established in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record.
56 1. Secure Area: A building or area within a building that requires a greater level of security because it is subject to provisions of the Federal Bureau of Investigation Criminal Justice Information System (CJIS) security policy, or because the nature of the business operations within that building or area requires a heightened level of security.
57 1. Software: Shall include, but is not limited to, all computer programs and applications including shareware. This does not include files created by the individual user.
58 1. TAC: An agency's terminal agency coordinator.
59 1. Temporary File or Permanent File or File: Shall mean any electronic document, information or data residing or located, in whole or in part, whether temporarily or permanently, on the system, including but not limited to spreadsheets, calendar entries, appointments, tasks, notes, letters, reports or messages.
60 1. UCH: Utah Computerized Criminal History;
61 1. UCJIS: Utah Criminal Justice Information System, which includes the Criminal Justice Information System
62 1. User: A person who has direct access to UCJIS or who may obtain UCJIS records from a person who has direct access.
63
64 **AH 01_102 __GENERAL__**
65
66 1. POLICY:
67 11. This policy describes the use of WCSO computers, software programs, and criminal information systems. It provides guidance for the creation, viewing, modification, transmission, dissemination, storage, security and destruction of criminal justice information.
68 11. Any employee utilizing any computer, electronic storage device or media, Internet service, phone service, information conduit, system or other wireless service provided by or funded by the WCSO expressly acknowledges and agrees that the use of such service, whether for business or personal use, shall remove any expectation of privacy the employee, sender and recipient of any communication utilizing such service might otherwise have, including as to the content of any such communication. The WCSO also expressly reserves the right to access and audit any and all communications (including content) sent, received and/or stored through the use of such service.
69
70 **AH 01_103 __CRIMINAL JUSTICE INFORMATION SYSTEM__**
71
72 1. POLICY:
73 11. All information from the Utah Criminal Justice Information System (UCJIS) shall be used solely for the purpose of administration of criminal justice and for employment screening by criminal justice agencies. All WCSO users with direct or indirect access to UCJIS information shall ensure the security and confidentiality of the data. Any misuse or compromise of the physical or logical security of the CJI system shall be reported to a TAC, an alternate TAC or a supervisor. To ensure the integrity and confidentiality of CJI, it is the responsibility and duty of all WCSO employees to, but not limited to:
74 111. Criminal history information should not be transmitted over radios or other non-secure media;
75 111. Files containing CJI must remain locked;
76 111. Computer monitors shall be positioned so they can not be viewed by unauthorized persons;
77 11. WCSO employees shall not disseminate CJI to other agencies or unauthorized persons.
78 11. Only trained and authorized personnel may disseminate CHRI to the person of record under authority of Right of Access;
79 11. WCSO users shall not access CJI from publicly accessed computers or publicly accessed wireless networks;
Ryan Larkin 1.2 80 11. UCJIS use will be governed by [[Utah Code Annotated 53-10-108>>https://le.utah.gov/xcode/Title53/Chapter10/53-10-S108.html]].
Ryan Larkin 3.1 81 11. The BCI Director and the Commissioner of Public Safety will be notified immediately of any suspected misuse of UCJIS files or the data obtained through UCJIS as stated in UCA 53-10-108.
Ryan Larkin 1.1 82
83 **AH 01_104 __CJIS SECURITY TRAINING FOR USERS WITH ACCESS__**
84
85 1. POLICY:
86 11. At a minimum, the UCJIS Terminal Access Coordinators (TACS) shall address a baseline security awareness training for all authorized personnel with access to Criminal Justice Information (CJI) to include:
87 111. Rules that describe responsibilities and expected behavior with regard to CJI usage;
88 111. Implications of noncompliance;
89 111. Incident response (Points of contact; Individual actions);
90 111. Media protection;
91 111. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, (e.g., challenge strangers, report unusual activity);
92 111. Protect information subject to confidentiality concerns and hardcopy destruction;
93 111. Proper handling and marking of CJI;
94 111. Threats, vulnerabilities, and risks associated with handling of CJI;
95 111. Social engineering or psychological manipulation of people into performing divulging confidential information, ie, phishing, baiting, diversion, etc.;
96 111. Dissemination and destruction.
97
98 **AH 01_105 __CJIS SECURITY TRAINING FOR ALL PERSONNEL__**
99
100 1. POLICY:
101 11. The following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:
102 11. Responsibilities and expected behavior with regard to information system usage;
103 11. Password usage and management, including creation, frequency of changes, and protection;
104 11. Protection from viruses, worms, Trojan horses, and other malicious code;
105 11. Unknown e-mail/attachments;
106 11. Web usage, including allowed versus prohibited and monitoring of user activity;
107 11. Spam;
108 11. Physical Security;
109 11. Handheld device security issues, both physical and wireless security issues;
110 11. Encryption and the transmission of sensitive/confidential information over the Internet, agency policy, procedures, and technical contact for assistance;
111 11. Laptop security, both physical and information security issues;
112 11. Personally owned equipment and software installation;
113 11. Access control;
114 11. Individual accountability;
115 11. Use of acknowledgement statements, passwords, access to systems and data, personal use and gain;
116 11. Desktop security, including the use of screensavers, restricting visitors’ view of information on screen (mitigating “shoulder surfing”), battery backup devices, allowed access to systems;
117 11. Protect information subject to confidentiality concerns, in systems, archived, on backup media,and until destroyed;
118 11. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.
119
120 **AH 01_106 __USER TESTING AND TRAINING__**
121
122 1. POLICY:
123 11. Coordination and implementation of training and testing shall be the responsibility of the WCSO TAC with support from BCI.
124 11. TAC and alternate TACs are required to be tested in accordance with BCI policy.
125 11. Users must receive training and testing within six months of login assignment.
126 11. TAC will provide re-testing every two years to users and alternate TACs to reaffirm proficiency.
127 11. User training requirements include knowledge of:
128 111. BCI Operations Manual;
129 111. NCIC Operations Manual;
130 111. NCIC Code Manual;
131 111. User Security Statement and Agreement;
132 111. All other policies and procedures by NCIC and BCI.
Spencer Dobson 4.1 133 11. The privacy and security of UCJIS and NCIC files will be emphasized in all training sessions.
Ryan Larkin 1.1 134 11. The WCSO TAC and alternate TACs should attend the mandatory annual BCI TAC Conference. Other WCSO representatives may attend as directed. Information from the conference will be forwarded to all other WCSO staff by the TAC; in compliance with BCI policy.
135
136 **AH 01_107 __PASSWORD ATTRIBUTES__**
137
138 1. POLICY:
139 11. Secure password attributes authenticate an individual’s unique ID. Passwords for systems that access CJIS shall:
140 111. Be a minimum length of eight (8) characters on all systems;
141 111. Not be a dictionary word or proper name;
Spencer Dobson 4.1 142 111. Not be the same as the User ID;
Ryan Larkin 1.1 143 111. Expire within a maximum of 90 calendar days;
144 111. Not be identical to the previous ten (10) passwords;
145 111. Not be transmitted in the clear outside the secure location;
146 111. Not be displayed when entered.
147
148 **AH 01_108 __LOGIN MANAGEMENT__**
149
150 1. POLICY:
151 11. All new employees will receive training and testing in UCJIS security during orientation. The TAC or an Alternate TAC shall add the new employee as a user, in compliance with Utah BCI policy and procedures. When an employee's assignment requires a UCJIS login, the following steps will be taken:
152 111. The employee's supervisor shall notifiy the TAC or an Alternate TAC, provide the employee's name and request access for the employee;
153 111. The TAC or an Alternate TAC will create the login in compliance with the policy and procedures of Utah BCI, then provide training and testing material to the employee;
154 111. TAC or an Alternate TAC will review the training and testing, then certify the training in UCJIS.
155 111. When an employee no longer requires access to UCJIS or leaves employment with the Sheriff's Office, the TAC or an Alternate TAC shall immediately be notified and the TAC or an Alternate TAC shall remove the employee's access to UCJIS. The TAC or an Alternate TAC shall audit the active UCJIS users against the employee roster annually.
156
157 **AH 01_109 __LOGIN SECURITY__**
158
159 1. POLICY:
160 11. The TAC and alternate TACs shall be responsible for all WCSO login management with the authority to add, suspend, restrict, and delete any User.
161 11. Users shall only access UCJIS files from WCSO computers or terminals, WCSO laptop computers, or other law agency owned computers.
162 11. Users shall not access UCJIS files from personal computers or hand-held sized computers and phones.
163 11. Users may not share logins or passwords.
164 11. Users are responsible for all CJI access using their login.
165 11. Users shall log out or lock computer screen when leaving their computer to prevent unauthorized access or viewing of CJI.
166
167 **AH 01_110 __IT SECURITY INCIDENT RESPONSE PLAN__**
168
169 1. POLICY
170 11. An IT Incident is defined as an act in violation of legal statute, or in violation of the explicit or implied security policies of the organization, with or without intent to do harm. These activities include but are not limited to:
171 111. A system resource is exposed or is potentially exposed to unauthorized access;
172 111. Legitimate and authorized access to an information system or service is interrupted or denied;
173 111. Any adverse event compromising the authentication and access to a software application, computer system, or network;
174 111. The unauthorized use of a system for the processing or storage of data;
175 111. The unauthorized alteration of data transferred and stored electronically;
176 111. Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.
177 11. Any suspected incident detected by an agency member should be immediately reported to the IT Manager through the helpdesk application if possible. Potentially critical incidents, as outlined below, shall be immediately escalated by contacting the IT Manager by telephone. Escalation if the IT Manager is not immediately available is:
178 111. Administrative Lieutenant;
179 111. Undersheriff;
180 111. Sheriff;
181 111. County IT Director.
182 11. Incident Types and Severity based upon affect to operations.
183 111. Non-critical incidents
184 1111. Type 1 – Isolated incidents of computer viruses and spyware generally handled by antivirus software. Minor system slowdowns or intersystem communication errors.
Spencer Dobson 4.1 185 111. Potentially Critical Incidents
Ryan Larkin 1.1 186 1111. Type 2 – Significant system slowdowns or service interruptions. Unusual system behavior that may impact the integrity or continued operation of IT Systems.
187 1111. Type 3 – Obvious signs of system penetration, denial of service or damage to physical infrastructure.
188 11. Incident reporting
Spencer Dobson 4.1 189 111. All suspected incidents shall be reported by agency members to the IT Manager either through the helpdesk system or directly by phone in the event of potentially critical incidents. Reporting members are expected to provide the following information:
Ryan Larkin 1.1 190 1111. Name and contact information;
191 1111. Time of the report;
192 1111. Observed nature of the incident;
193 1111. What was observed;
194 1111. When was it observed;
195 1111. What equipment was involved;
196 1111. How was the incident detected; and
197 1111. What was first noticed that supported the idea that an incident had occurred?
198 11. Incident Response
199 111. Non-critical incidents shall be handled by the IT Manager during the normal course of business according to best practices.
200 111. Incidents shall be logged into the helpdesk system.
201 111. Reporting parties shall be notified of trouble ticket progress and resolution.
202 111. Potentially critical incidents shall be handled immediately by the IT Manager or other qualified members of the Incident Response Team (IRT).
203 111. Incidents shall be logged into the helpdesk system.
204 111. Incident severity shall be evaluated based on the following documented criteria:
205 1111. Whether the incident is real or perceived;
206 1111. The type of incident ;
207 11111. Virus;
208 11111. Worm;
209 11111. Intrusion;
210 11111. Abuse;
211 11111. Damage;
212 11111. Denial of service;
213 1111. If the incident is still in progress;
214 1111. If the affected equipment and/or data business is critical;
215 1111. The severity of the potential impact;
216 1111. If the incident is inside the trusted network; and
217 1111. If incident can be quickly contained.
218 11. Methods of containment vs. business disruption and data loss.
219 111. A Response Plan shall be implemented addressing these major areas of incident response:
220 1111. Triage
221 1111. Determine the scope and severity of the incident and determine whether to “protect” or “Pursue”.
222 1111. Develop a response plan based on the known situation.
223 1111. Allocate resources to protect other systems and isolate those affected.
224 1111. Assign responsibilities to team members.
225 11. Response
226 111. Initiate a plan and document actions taken as well as evidence/damage discovered.
227 111. If “pursuit” was chosen utilize forensically sound methods including the preservation of as much evidence as possible. Only qualified and authorized personnel shall perform interviews or system examinations.
228 111. Document all activates.
229 111. Review evidence to determine the full scope of damage.
230 11. Recovery
231 111. Document the number of systems damaged and the extent of the damage.
232 111. Re-install the affected system(s) from scratch and restore data from backups if necessary.
233 111. Re-set all passwords for all users on all systems.
234 11. Maintenance/Lessons Learned
235 111. Formally document the following:
236 1111. How the incident occurred
237 1111. Which systems were affected, and why (lack of patches, poor passwords, etc).
238 1111. Where the attack originated and other possible information related to the attacker.
239 1111. What the response plan was.
240 1111. Whether the response plan was effective.
241 111. Review current policy and practice and security equipment, implement changes as necessary.
242 11. Incident Response Team (IRT)
243 111. The IRT shall consists of at least three qualified members. It may be enlarged based on the nature of the incident.
244 1111. Currently assigned members are:
245 11111. IT Manager
246 11111. IT Assistant
247 11111. Former IT Sergeant/IT Manager
248 11111. Undersheriff
249 1111. Additional qualified members may be added as necessary from the following resources:
250 11111. Washington County IT
251 11111. St. George City IT
252 11111. Washington City IT
253 11111. State of Utah DTS
254 111. The IRT is generally supervised by the IT Manager, however based upon the nature of the incident supervision will fall to the most qualified team member as determined by the ranking responder.
255
256 **AH 01_111 __SYSTEM INSPECTION OR REVIEW__**
257
258 1. POLICY:
259 11. An employee's supervisor has the express authority to inspect or review the system, any and all temporary or permanent files and related electronic systems or devices, and any contents thereof when such inspection or review is in the ordinary course of his/her supervisory duties, or based on cause.
260 11. When requested by an employee's supervisor, or during the course of regular duties requiring such information, employees of the agency's information systems staff may extract, download or otherwise obtain any and all temporary or permanent files residing in or located in or on the system.
261 11. Reasons for inspection or review may include, but are not limited to:
262 111. system malfunctions;
263 111. problems or general system failure;
264 111. a lawsuit against the agency involving the employee or related to the employee's duties;
265 111. an alleged or suspected violation of a WCSO policy; or
266 111. a need to perform or provide a service or information when the employee is unavailable.
267
268 **AH 01_112 __AGENCY PROPERTY__**
269
270 1. POLICY:
271 11. All information, data, documents, communications, and other entries initiated on, sent to or from, or accessed on any WCSO computer, or through the WCSO computer system on any other computer, whether downloaded or transferred from the original WCSO computer, shall remain the exclusive property of the WCSO and shall not be available for personal or non-WCSO use without the expressed authorization of an employee's supervisor.
272
273 **AH 01_113 __UNAUTHORIZED USE OF SOFTWARE__**
274
275 1. POLICY:
276 11. Employees shall not copy or duplicate any copyrighted or licensed software except for a single copy for backup purposes in accordance with the software company's copyright and license agreement. To reduce the risk of computer virus or malicious software infection, employees shall not install any unlicensed or unauthorized software on any WCSO computer. Employees shall not install personal copies of any software onto any WCSO computer. Any files or software that an employee finds necessary to upload onto a WCSO computer or network shall be done so only with the approval of the WCSO IT specialist and only after being properly scanned for malicious attachments.
277 11. No employee shall knowingly make, acquire or use unauthorized copies of computer software not licensed to the agency while on agency premises or on an agency computer system. Such unauthorized use of software exposes the agency and involved employees to severe civil and criminal penalties.
278
279 **AH 01_114 __PHYSICAL AND ELECTRONIC MEDIA PROTECTION__**
280
281 1. POLICY:
282 11. All electronic information and licensed software must be properly removed when disposing of computers and other office electronics with hard drives and other storage media devices. Unauthorized disclosure of certain information could subject the WCSO to legal liability. This procedure is designed to ensure that information technology (IT) resources do not contain confidential data or licensed software before they are transferred for reuse, donation, recycling, or destruction. The primary responsibility for sanitizing and physical destruction rests with the Information Technology branch of WCSO or their designees. This procedure applies not only to hard drives but to all other electronic storage media including, but not limited to:
283 111. Compact discs (CDs);
284 111. Digital versatile discs (DVDs);
285 111. Universal Serial Bus (USB drives); and
286 111. Other diskettes and tapes.
287 11. Studies of disk sanitization indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered. These studies generally recommend two methods for disk sanitation:
Spencer Dobson 4.1 288 111. Destruction of the media either by physical force or by electromagnetic degaussing. Physical destruction should be conducted under dual control, and documented.
Ryan Larkin 1.1 289 111. Disk sanitization, overwriting of all previously stored data in compliance with NIST standards.
290
291 **AH 01_115 __TRANSPORTATION OF MEDIA AND CJI__**
292
293 1. POLICY:
294 11. Controls shall be in place to protect electronic and physical media containing CJI while in transport or physically moved from one location to another, to prevent inadvertent or inappropriate disclosure and use. Dissemination from another agency is authorized if the other agency is an authorized to disseminate such information and is being serviced by the receiving agency. WCSO personnel shall:
295 111. Protect and control electronic and physical media during transport outside of controlled areas;
296 111. Restrict the pickup, receipt, transfer and delivery of such media to authorized personnel.
297 11. WCSO personnel will control, protect, and secure electronic and physical media during transport from public disclosure by:
298 111. Use of privacy statements in electronic and paper documents;
299 111. Limiting the collection, disclosure, sharing and use of CJI;
300 111. Following the least privilege and role based rules for allowing access. Limit access to CJI to only those people or roles that require access;
301 111. Securing hand carried confidential electronic and paper documents by storing CJI in a locked briefcase or lockbox.
302
303 **AH 01_116 __PROHIBITED AND INAPPROPRIATE USE__**
304
305 1. POLICY:
306 11. CJI and/or other law enforcement records management systems shall only be accessed by authorized employees who are engaged in an active investigation, assisting in an active investigation, or who otherwise have a legitimate law enforcement or WCSO business related purpose to access such data.
307 11. Internet sites containing information that is not appropriate or applicable to WCSO use and which shall not be intentionally accessed include, but are not limited to:
308 111. adult forums;
309 111. pornography;
Spencer Dobson 4.1 310 111. chat rooms;
311 111. Tik Tok; and
Ryan Larkin 1.1 312 111. similar or related web sites.
313 11. Certain exceptions may be permitted with the prior approval of a supervisor as a function of an assignment. Downloaded information shall be limited to messages, mail and data files which shall be subject to audit and review by the WCSO without notice. No copyrighted and/or unlicensed software program files may be downloaded.
314 11. Employees shall report any unauthorized access to the system or suspected intrusion from outside sources (including the Internet) to a supervisor and follow the Security Incident Response Plan
315
316 **AH 01_117 __SANCTIONS FOR MISUSE__**
317
318 1. POLICY:
319 11. Consequences for improper use or abuse of access to UCJIS may include; but are not limited to:
320 111. Suspension of login;
321 111. Permanent loss of login;
322 111. Criminal charges for violation of Utah State Statute 53-10-108, (in part);
323 1111. (11) (a) It is a class B misdemeanor for a person to knowingly or intentionally access, use, disclose, or disseminate a record created, maintained, or to which access is granted by the division or any information contained in a record created, maintained, or to which access is granted by the division for a purpose prohibited or not permitted by statute, rule, regulation, or policy of agovernmental entity. A person who discovers or becomes aware of any unauthorized use of records created or maintained, or to which access is granted by the division shall inform the commissioner and the director of the Utah Bureau of Criminal Identification of the unauthorized use.
324 111. Personal civil liability to the user;
325 111. Disciplinary action by the WCSO, up to and including termination.
326
327 **AH 01_118 __PROTECTION OF AGENCY SYSTEMS AND FILES__**
328
329 1. POLICY:
330 11. All employees have a duty to protect the system and related systems and devices from physical and environmental damage and are responsible for the correct use, operation, care and maintenance of the system. It is expressly prohibited for an employee to allow an unauthorized user to access the system at any time or for any reason.
331
332 **AH 01_119 __PHYSICAL SECURITY__**
333
334 1. POLICY:
335 11. The WCSO shall establish organizational guidelines for protecting the property, privacy and security of CJIS, employees, volunteers and members of the public by regulating access to buildings.
336 11. Vendors and guests of staff shall be escorted at all times when entering the secure areas of the WCSO patrol and corrections buildings;
337 11. Employees shall routinely use issued keys and keycards when entering the secure areas of the WCSO patrol and corrections buildings. Employees in good standing may be granted access by other staff if keys and keycards are not readily available;
338 11. Key and keycard holders shall immediately notify their supervisor if a key or keycard is misplaced, lost or stolen;
339 11. Failure to immediately report a lost or stolen key or keycard may result in disciplinary action.
340 11. Persons not employed by WCSO whose positions require unescorted access into high security areas or buildings shall comply with the provisions of the CJIS security policy, including a fingerprint-based national records check and training. Individuals who do not receive CJIS clearance shall not be granted access to high security areas or high security buildings. Unescorted access to high security areas shall not be granted prior to CJIS clearance.
341 11. Office staff shall monitor and log all visitors entering secure areas of the WCSO patrol and corrections buildings. The log shall contain the date, printed name, signature, and time of entry and exit.
342 11. Exceptions to the requirement to log visitors;
343 111. Special events held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event.
344 111. Other law enforcement personnel known to WCSO staff.
345 111. Attendees of a training held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event and a copy of the training roster is maintained with the visitor log.
346 111. Inmate visitation, which is regulated by WCSO jail policy and procedures.