AH 01 Technology Use and Protection (Policy.Administrative.AH 01 Technology Use and Protection.WebHome)

1. Access to Criminal Justice Information: The physical or logical (electronic) ability, right or privilege to view, modify or make use of Criminal Justice Information.

38

1. Administration of Criminal Justice: The detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. It also includes criminal identification activities; the collection, storage, and dissemination of criminal history record information; and criminal justice employment.

39

1. Agency Controlled Mobile Device: A mobile device that is centrally managed by an agency for the purpose of securing the device for potential access to CJI. The device can be agency issued or BYOD (personally owned).

40

1. Authorized User/Personnel: An individual, or group of individuals, who have been appropriately vetted through a national fingerprint-based record check and have been granted access to CJI data.

41

1. BCI: Bureau of Criminal Identification (Utah)

42

1. CJI: Criminal justice information.

43

1. CJIS: The Criminal Justice Information System administered by the FBI.

44

1. Computer System: Shall mean all computers (on-site and portable), hardware, software and resources owned, leased, rented or licensed by the Washington County Sheriff's Office , which are provided for official use by agency employees. This shall include all access to, and use of, Internet Service Providers (ISP) or other service providers provided by or through the agency or agency funding.

45

1. Electronic media: Electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.

46

1. Entity: An entity qualified to access criminal history information under state or federal law.

47

1. Escort: Authorized personnel who accompany a visitor at all times while within a physically secure location to ensure the protection and integrity of the physically secure location and any Criminal Justice Information therein. The use of cameras or other electronic means used to monitor a physically secure location does not constitute an escort.

48

1. Hardware: Shall include, but is not limited to, computers, computer terminals, network equipment, modems or any other tangible computer device generally understood to comprise hardware.

49

1. Login ID: A unique identifier in UCJIS for a user or non-user.

50

1. Misuse: The access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity.

51

1. Mobile Device: Any portable device used to access CJI via a wireless connection (e.g. cellular, WiFi, Bluetooth, etc.).

52

1. Mobile Device Management (MDM): Centralized administration and control of mobile devices specifically including, but not limited to, cellular phones, smart phones, and tablets. Management typically includes the ability to configure device settings and prevent a user from changing them, remotely locating a device in the event of theft or loss, and remotely locking or wiping a device. Management can also include over-the-air distribution of applications and updating installed applications.

53

1. NCIC: National Crime Information Center

54

1. Non-user: A person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may access computer systems or programs used to access UCJIS files or have unrestricted access to a location containing UCJIS records or a computer with UCJIS access.

55

1. Right of access: A program established in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record.

56

1. Secure Area: A building or area within a building that requires a greater level of security because it is subject to provisions of the Federal Bureau of Investigation Criminal Justice Information System (CJIS) security policy, or because the nature of the business operations within that building or area requires a heightened level of security.

57

1. Software: Shall include, but is not limited to, all computer programs and applications including shareware. This does not include files created by the individual user.

58

1. TAC: An agency's terminal agency coordinator.

59

1. Temporary File or Permanent File or File: Shall mean any electronic document, information or data residing or located, in whole or in part, whether temporarily or permanently, on the system, including but not limited to spreadsheets, calendar entries, appointments, tasks, notes, letters, reports or messages.

60

1. UCH: Utah Computerized Criminal History;

61

1. UCJIS: Utah Criminal Justice Information System, which includes the Criminal Justice Information System

62

1. User: A person who has direct access to UCJIS or who may obtain UCJIS records from a person who has direct access.

63

64

**AH 01_102 __GENERAL__**

65

66

1. POLICY:

67

11. This policy describes the use of WCSO computers, software programs, and criminal information systems. It provides guidance for the creation, viewing, modification, transmission, dissemination, storage, security and destruction of criminal justice information.

68

11. Any employee utilizing any computer, electronic storage device or media, Internet service, phone service, information conduit, system or other wireless service provided by or funded by the WCSO expressly acknowledges and agrees that the use of such service, whether for business or personal use, shall remove any expectation of privacy the employee, sender and recipient of any communication utilizing such service might otherwise have, including as to the content of any such communication. The WCSO also expressly reserves the right to access and audit any and all communications (including content) sent, received and/or stored through the use of such service.

69

70

**AH 01_103 __CRIMINAL JUSTICE INFORMATION SYSTEM__**

71

72

1. POLICY:

73

11. All information from the Utah Criminal Justice Information System (UCJIS) shall be used solely for the purpose of administration of criminal justice and for employment screening by criminal justice agencies. All WCSO users with direct or indirect access to UCJIS information shall ensure the security and confidentiality of the data. Any misuse or compromise of the physical or logical security of the CJI system shall be reported to a TAC, an alternate TAC or a supervisor. To ensure the integrity and confidentiality of CJI, it is the responsibility and duty of all WCSO employees to, but not limited to:

74

111. Criminal history information should not be transmitted over radios or other non-secure media;

75

111. Files containing CJI must remain locked;

76

111. Computer monitors shall be positioned so they can not be viewed by unauthorized persons;

77

11. WCSO employees shall not disseminate CJI to other agencies or unauthorized persons.

78

11. Only trained and authorized personnel may disseminate CHRI to the person of record under authority of Right of Access;

79

11. WCSO users shall not access CJI from publicly accessed computers or publicly accessed wireless networks;

80

11. UCJIS use will be governed by [[Utah Code Annotated 53-10-108>>https://le.utah.gov/xcode/Title53/Chapter10/53-10-S108.html]].

81

11. The BCI Director and the Commissioner of Public Safety will be notified immediately of any suspected misuse of UCJIS files or the data obtained through UCJIS as stated in UCA 53-10-108.

82

83

**AH 01_104 __CJIS SECURITY TRAINING FOR USERS WITH ACCESS__**

84

85

1. POLICY:

86

11. At a minimum, the UCJIS Terminal Access Coordinators (TACS) shall address a baseline security awareness training for all authorized personnel with access to Criminal Justice Information (CJI) to include:

87

111. Rules that describe responsibilities and expected behavior with regard to CJI usage;

88

111. Implications of noncompliance;

89

111. Incident response (Points of contact; Individual actions);

90

111. Media protection;

91

111. Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, (e.g., challenge strangers, report unusual activity);

92

111. Protect information subject to confidentiality concerns and hardcopy destruction;

93

111. Proper handling and marking of CJI;

94

111. Threats, vulnerabilities, and risks associated with handling of CJI;

95

111. Social engineering or psychological manipulation of people into performing divulging confidential information, ie, phishing, baiting, diversion, etc.;

96

111. Dissemination and destruction.

97

98

**AH 01_105 __CJIS SECURITY TRAINING FOR ALL PERSONNEL__**

99

100

1. POLICY:

101

11. The following topics, at a minimum, shall be addressed as baseline security awareness training for all authorized personnel with both physical and logical access to CJI:

102

11. Responsibilities and expected behavior with regard to information system usage;

103

11. Password usage and management, including creation, frequency of changes, and protection;

104

11. Protection from viruses, worms, Trojan horses, and other malicious code;

105

11. Unknown e-mail/attachments;

106

11. Web usage, including allowed versus prohibited and monitoring of user activity;

107

11. Spam;

108

11. Physical Security;

109

11. Handheld device security issues, both physical and wireless security issues;

110

11. Encryption and the transmission of sensitive/confidential information over the Internet, agency policy, procedures, and technical contact for assistance;

111

11. Laptop security, both physical and information security issues;

112

11. Personally owned equipment and software installation;

113

11. Access control;

114

11. Individual accountability;

115

11. Use of acknowledgement statements, passwords, access to systems and data, personal use and gain;

116

11. Desktop security, including the use of screensavers, restricting visitors’ view of information on screen (mitigating “shoulder surfing”), battery backup devices, allowed access to systems;

117

11. Protect information subject to confidentiality concerns, in systems, archived, on backup media,and until destroyed;

118

11. Threats, vulnerabilities, and risks associated with accessing CJIS Service systems and services.

119

120

**AH 01_106 __USER TESTING AND TRAINING__**

121

122

1. POLICY:

123

11. Coordination and implementation of training and testing shall be the responsibility of the WCSO TAC with support from BCI.

124

11. TAC and alternate TACs are required to be tested in accordance with BCI policy.

125

11. Users must receive training and testing within six months of login assignment.

126

11. TAC will provide re-testing every two years to users and alternate TACs to reaffirm proficiency.

127

11. User training requirements include knowledge of:

128

111. BCI Operations Manual;

129

111. NCIC Operations Manual;

130

111. NCIC Code Manual;

131

111. User Security Statement and Agreement;

132

111. All other policies and procedures by NCIC and BCI.

133

11. The privacy and security of UCJIS and NCIC files will be emphasized in all training sessions.

134

11. The WCSO TAC and alternate TACs should attend the mandatory annual BCI TAC Conference. Other WCSO representatives may attend as directed. Information from the conference will be forwarded to all other WCSO staff by the TAC; in compliance with BCI policy.

135

136

**AH 01_107 __PASSWORD ATTRIBUTES__**

137

138

1. POLICY:

139

11. Secure password attributes authenticate an individual’s unique ID. Passwords for systems that access CJIS shall:

140

111. Be a minimum length of eight (8) characters on all systems;

141

111. Not be a dictionary word or proper name;

142

111. Not be the same as the User ID;

143

111. Expire within a maximum of 90 calendar days;

144

111. Not be identical to the previous ten (10) passwords;

145

111. Not be transmitted in the clear outside the secure location;

146

111. Not be displayed when entered.

147

148

**AH 01_108 __LOGIN MANAGEMENT__**

149

150

1. POLICY:

151

11. All new employees will receive training and testing in UCJIS security during orientation. The TAC or an Alternate TAC shall add the new employee as a user, in compliance with Utah BCI policy and procedures. When an employee's assignment requires a UCJIS login, the following steps will be taken:

152

111. The employee's supervisor shall notifiy the TAC or an Alternate TAC, provide the employee's name and request access for the employee;

153

111. The TAC or an Alternate TAC will create the login in compliance with the policy and procedures of Utah BCI, then provide training and testing material to the employee;

154

111. TAC or an Alternate TAC will review the training and testing, then certify the training in UCJIS.

155

111. When an employee no longer requires access to UCJIS or leaves employment with the Sheriff's Office, the TAC or an Alternate TAC shall immediately be notified and the TAC or an Alternate TAC shall remove the employee's access to UCJIS. The TAC or an Alternate TAC shall audit the active UCJIS users against the employee roster annually.

156

157

**AH 01_109 __LOGIN SECURITY__**

158

159

1. POLICY:

160

11. The TAC and alternate TACs shall be responsible for all WCSO login management with the authority to add, suspend, restrict, and delete any User.

161

11. Users shall only access UCJIS files from WCSO computers or terminals, WCSO laptop computers, or other law agency owned computers.

162

11. Users shall not access UCJIS files from personal computers or hand-held sized computers and phones.

163

11. Users may not share logins or passwords.

164

11. Users are responsible for all CJI access using their login.

165

11. Users shall log out or lock computer screen when leaving their computer to prevent unauthorized access or viewing of CJI.

166

167

**AH 01_110 __IT SECURITY INCIDENT RESPONSE PLAN__**

168

169

1. POLICY

170

11. An IT Incident is defined as an act in violation of legal statute, or in violation of the explicit or implied security policies of the organization, with or without intent to do harm. These activities include but are not limited to:

171

111. A system resource is exposed or is potentially exposed to unauthorized access;

172

111. Legitimate and authorized access to an information system or service is interrupted or denied;

173

111. Any adverse event compromising the authentication and access to a software application, computer system, or network;

174

111. The unauthorized use of a system for the processing or storage of data;

175

111. The unauthorized alteration of data transferred and stored electronically;

176

111. Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction or consent.

177

11. Any suspected incident detected by an agency member should be immediately reported to the IT Manager through the helpdesk application if possible. Potentially critical incidents, as outlined below, shall be immediately escalated by contacting the IT Manager by telephone. Escalation if the IT Manager is not immediately available is:

178

111. Administrative Lieutenant;

179

111. Undersheriff;

180

111. Sheriff;

181

111. County IT Director.

182

11. Incident Types and Severity based upon affect to operations.

183

111. Non-critical incidents

184

1111. Type 1 – Isolated incidents of computer viruses and spyware generally handled by antivirus software. Minor system slowdowns or intersystem communication errors.

185

111. Potentially Critical Incidents

186

1111. Type 2 – Significant system slowdowns or service interruptions. Unusual system behavior that may impact the integrity or continued operation of IT Systems.

187

1111. Type 3 – Obvious signs of system penetration, denial of service or damage to physical infrastructure.

188

11. Incident reporting

189

111. All suspected incidents shall be reported by agency members to the IT Manager either through the helpdesk system or directly by phone in the event of potentially critical incidents. Reporting members are expected to provide the following information:

190

1111. Name and contact information;

191

1111. Time of the report;

192

1111. Observed nature of the incident;

193

1111. What was observed;

194

1111. When was it observed;

195

1111. What equipment was involved;

196

1111. How was the incident detected; and

197

1111. What was first noticed that supported the idea that an incident had occurred?

198

11. Incident Response

199

111. Non-critical incidents shall be handled by the IT Manager during the normal course of business according to best practices.

200

111. Incidents shall be logged into the helpdesk system.

201

111. Reporting parties shall be notified of trouble ticket progress and resolution.

202

111. Potentially critical incidents shall be handled immediately by the IT Manager or other qualified members of the Incident Response Team (IRT).

203

111. Incidents shall be logged into the helpdesk system.

204

111. Incident severity shall be evaluated based on the following documented criteria:

205

1111. Whether the incident is real or perceived;

206

1111. The type of incident ;

11111. Virus;

11111. Worm;

11111. Intrusion;

11111. Abuse;

11111. Damage;

11111. Denial of service;

213

1111. If the incident is still in progress;

214

1111. If the affected equipment and/or data business is critical;

215

1111. The severity of the potential impact;

216

1111. If the incident is inside the trusted network; and

217

1111. If incident can be quickly contained.

218

11. Methods of containment vs. business disruption and data loss.

219

111. A Response Plan shall be implemented addressing these major areas of incident response:

220

1111. Triage

221

1111. Determine the scope and severity of the incident and determine whether to “protect” or “Pursue”.

222

1111. Develop a response plan based on the known situation.

223

1111. Allocate resources to protect other systems and isolate those affected.

224

1111. Assign responsibilities to team members.

225

11. Response

226

111. Initiate a plan and document actions taken as well as evidence/damage discovered.

227

111. If “pursuit” was chosen utilize forensically sound methods including the preservation of as much evidence as possible. Only qualified and authorized personnel shall perform interviews or system examinations.

228

111. Document all activates.

229

111. Review evidence to determine the full scope of damage.

230

11. Recovery

231

111. Document the number of systems damaged and the extent of the damage.

232

111. Re-install the affected system(s) from scratch and restore data from backups if necessary.

233

111. Re-set all passwords for all users on all systems.

234

11. Maintenance/Lessons Learned

235

111. Formally document the following:

236

1111. How the incident occurred

237

1111. Which systems were affected, and why (lack of patches, poor passwords, etc).

238

1111. Where the attack originated and other possible information related to the attacker.

239

1111. What the response plan was.

240

1111. Whether the response plan was effective.

241

111. Review current policy and practice and security equipment, implement changes as necessary.

242

11. Incident Response Team (IRT)

243

111. The IRT shall consists of at least three qualified members. It may be enlarged based on the nature of the incident.

244

1111. Currently assigned members are:

245

11111. IT Manager

246

11111. IT Assistant

247

11111. Former IT Sergeant/IT Manager

248

11111. Undersheriff

249

1111. Additional qualified members may be added as necessary from the following resources:

250

11111. Washington County IT

251

11111. St. George City IT

252

11111. Washington City IT

253

11111. State of Utah DTS

254

111. The IRT is generally supervised by the IT Manager, however based upon the nature of the incident supervision will fall to the most qualified team member as determined by the ranking responder.

255

256

**AH 01_111 __SYSTEM INSPECTION OR REVIEW__**

257

258

1. POLICY:

259

11. An employee's supervisor has the express authority to inspect or review the system, any and all temporary or permanent files and related electronic systems or devices, and any contents thereof when such inspection or review is in the ordinary course of his/her supervisory duties, or based on cause.

260

11. When requested by an employee's supervisor, or during the course of regular duties requiring such information, employees of the agency's information systems staff may extract, download or otherwise obtain any and all temporary or permanent files residing in or located in or on the system.

261

11. Reasons for inspection or review may include, but are not limited to:

262

111. system malfunctions;

263

111. problems or general system failure;

264

111. a lawsuit against the agency involving the employee or related to the employee's duties;

265

111. an alleged or suspected violation of a WCSO policy; or

266

111. a need to perform or provide a service or information when the employee is unavailable.

267

268

**AH 01_112 __AGENCY PROPERTY__**

269

270

1. POLICY:

271

11. All information, data, documents, communications, and other entries initiated on, sent to or from, or accessed on any WCSO computer, or through the WCSO computer system on any other computer, whether downloaded or transferred from the original WCSO computer, shall remain the exclusive property of the WCSO and shall not be available for personal or non-WCSO use without the expressed authorization of an employee's supervisor.

272

273

**AH 01_113 __UNAUTHORIZED USE OF SOFTWARE__**

274

275

1. POLICY:

276

11. Employees shall not copy or duplicate any copyrighted or licensed software except for a single copy for backup purposes in accordance with the software company's copyright and license agreement. To reduce the risk of computer virus or malicious software infection, employees shall not install any unlicensed or unauthorized software on any WCSO computer. Employees shall not install personal copies of any software onto any WCSO computer. Any files or software that an employee finds necessary to upload onto a WCSO computer or network shall be done so only with the approval of the WCSO IT specialist and only after being properly scanned for malicious attachments.

277

11. No employee shall knowingly make, acquire or use unauthorized copies of computer software not licensed to the agency while on agency premises or on an agency computer system. Such unauthorized use of software exposes the agency and involved employees to severe civil and criminal penalties.

278

279

**AH 01_114 __PHYSICAL AND ELECTRONIC MEDIA PROTECTION__**

280

281

1. POLICY:

282

11. All electronic information and licensed software must be properly removed when disposing of computers and other office electronics with hard drives and other storage media devices. Unauthorized disclosure of certain information could subject the WCSO to legal liability. This procedure is designed to ensure that information technology (IT) resources do not contain confidential data or licensed software before they are transferred for reuse, donation, recycling, or destruction. The primary responsibility for sanitizing and physical destruction rests with the Information Technology branch of WCSO or their designees. This procedure applies not only to hard drives but to all other electronic storage media including, but not limited to:

283

111. Compact discs (CDs);

284

111. Digital versatile discs (DVDs);

285

111. Universal Serial Bus (USB drives); and

286

111. Other diskettes and tapes.

287

11. Studies of disk sanitization indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered. These studies generally recommend two methods for disk sanitation:

288

111. Destruction of the media either by physical force or by electromagnetic degaussing. Physical destruction should be conducted under dual control, and documented.

289

111. Disk sanitization, overwriting of all previously stored data in compliance with NIST standards.

290

291

**AH 01_115 __TRANSPORTATION OF MEDIA AND CJI__**

292

293

1. POLICY:

294

11. Controls shall be in place to protect electronic and physical media containing CJI while in transport or physically moved from one location to another, to prevent inadvertent or inappropriate disclosure and use. Dissemination from another agency is authorized if the other agency is an authorized to disseminate such information and is being serviced by the receiving agency. WCSO personnel shall:

295

111. Protect and control electronic and physical media during transport outside of controlled areas;

296

111. Restrict the pickup, receipt, transfer and delivery of such media to authorized personnel.

297

11. WCSO personnel will control, protect, and secure electronic and physical media during transport from public disclosure by:

298

111. Use of privacy statements in electronic and paper documents;

299

111. Limiting the collection, disclosure, sharing and use of CJI;

300

111. Following the least privilege and role based rules for allowing access. Limit access to CJI to only those people or roles that require access;

301

111. Securing hand carried confidential electronic and paper documents by storing CJI in a locked briefcase or lockbox.

302

303

**AH 01_116 __PROHIBITED AND INAPPROPRIATE USE__**

304

305

1. POLICY:

306

11. CJI and/or other law enforcement records management systems shall only be accessed by authorized employees who are engaged in an active investigation, assisting in an active investigation, or who otherwise have a legitimate law enforcement or WCSO business related purpose to access such data.

307

11. Internet sites containing information that is not appropriate or applicable to WCSO use and which shall not be intentionally accessed include, but are not limited to:

111. adult forums;

111. pornography;

111. chat rooms;

111. Tik Tok; and

111. similar or related web sites.

313

11. Certain exceptions may be permitted with the prior approval of a supervisor as a function of an assignment. Downloaded information shall be limited to messages, mail and data files which shall be subject to audit and review by the WCSO without notice. No copyrighted and/or unlicensed software program files may be downloaded.

314

11. Employees shall report any unauthorized access to the system or suspected intrusion from outside sources (including the Internet) to a supervisor and follow the Security Incident Response Plan

315

316

**AH 01_117 __SANCTIONS FOR MISUSE__**

317

318

1. POLICY:

319

11. Consequences for improper use or abuse of access to UCJIS may include; but are not limited to:

320

111. Suspension of login;

321

111. Permanent loss of login;

322

111. Criminal charges for violation of Utah State Statute 53-10-108, (in part);

323

1111. (11) (a) It is a class B misdemeanor for a person to knowingly or intentionally access, use, disclose, or disseminate a record created, maintained, or to which access is granted by the division or any information contained in a record created, maintained, or to which access is granted by the division for a purpose prohibited or not permitted by statute, rule, regulation, or policy of agovernmental entity. A person who discovers or becomes aware of any unauthorized use of records created or maintained, or to which access is granted by the division shall inform the commissioner and the director of the Utah Bureau of Criminal Identification of the unauthorized use.

324

111. Personal civil liability to the user;

325

111. Disciplinary action by the WCSO, up to and including termination.

326

327

**AH 01_118 __PROTECTION OF AGENCY SYSTEMS AND FILES__**

328

329

1. POLICY:

330

11. All employees have a duty to protect the system and related systems and devices from physical and environmental damage and are responsible for the correct use, operation, care and maintenance of the system. It is expressly prohibited for an employee to allow an unauthorized user to access the system at any time or for any reason.

331

332

**AH 01_119 __PHYSICAL SECURITY__**

333

334

1. POLICY:

335

11. The WCSO shall establish organizational guidelines for protecting the property, privacy and security of CJIS, employees, volunteers and members of the public by regulating access to buildings.

336

11. Vendors and guests of staff shall be escorted at all times when entering the secure areas of the WCSO patrol and corrections buildings;

337

11. Employees shall routinely use issued keys and keycards when entering the secure areas of the WCSO patrol and corrections buildings. Employees in good standing may be granted access by other staff if keys and keycards are not readily available;

338

11. Key and keycard holders shall immediately notify their supervisor if a key or keycard is misplaced, lost or stolen;

339

11. Failure to immediately report a lost or stolen key or keycard may result in disciplinary action.

340

11. Persons not employed by WCSO whose positions require unescorted access into high security areas or buildings shall comply with the provisions of the CJIS security policy, including a fingerprint-based national records check and training. Individuals who do not receive CJIS clearance shall not be granted access to high security areas or high security buildings. Unescorted access to high security areas shall not be granted prior to CJIS clearance.

341

11. Office staff shall monitor and log all visitors entering secure areas of the WCSO patrol and corrections buildings. The log shall contain the date, printed name, signature, and time of entry and exit.

342

11. Exceptions to the requirement to log visitors;

343

111. Special events held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event.

344

111. Other law enforcement personnel known to WCSO staff.

345

111. Attendees of a training held in the group meeting rooms located inside secure areas, provided that doors to all unoccupied rooms are kept locked during the event and a copy of the training roster is maintained with the visitor log.

346

111. Inmate visitation, which is regulated by WCSO jail policy and procedures.

Wiki source code of AH 01 Technology Use and Protection