The previous blog on formal audits shed light on the various audits that need to take place to ensure compliance with all the rules and regulations. In this blog, we will look at the importance of CJIS Compliance Personnel Security and the various guidelines for protecting Criminal Justice Information (CJI) against insider threats. The following security requirements and terms apply to all personnel who have access to unencrypted CJI, including those who have access to devices that store, transmit and process unencrypted CJI.
CJIS Compliance Personnel Security Policy and Procedures
Minimum Screening Requirements for Personnel Needing Access to CJI:
- For all personnel with access to Criminal Justice Information (CJI), the individual's identification, state of residence and fingerprint-based record need to be verified. This applies to those personnel who have direct responsibility for the configuration and maintenance of computer networks and systems that have direct access to CJI. However, if the individual resides in a state other than that of the assigned agency, the agency should conduct fingerprint-based checks and should also execute an NLETS CHRI IQ/FQ/AQ query using purpose code C, E or J, based on the circumstances.
- All requests for access shall be made as specified by the CJIS Systems Officer (CSO). The CSO or a designated person is authorized to approve access to Criminal Justice Information. All such designees must be from an authorized Criminal Justice agency.
- The hiring authority in the Interface Agency should deny access to Criminal Justice Information if a felony conviction of any kind exists. However, the authority may ask for a review by the CSO in extenuating circumstances where considerable time has passed or the severity of the offense is mitigated.
- If the individual appears to be a fugitive or has a record of arrest without a conviction, the CSO or their designee shall review the matter before granting access.
- Access may be denied if a record of any kind exists that may hamper the security of Criminal Justice Information; the CSO or their designee should review the matter and take appropriate action.
- A review needs to be done by a board maintaining management control to ascertain whether an individual who is employed by a CSO, NCJA can be given access to CJI.
- If any individual who already has access to CJI is convicted or arrested, the CSO needs to determine whether or not the individual should be given access to Criminal Justice Information. The authority to hire or fire, however, does not lie with the CSA; it holds only the authority to grant access to CJI.
- If the CSO or their designee determines that access to CJI by a person would not be in the public interest, access shall be denied and a formal letter stating the denial shall be sent to the appointing authority.
- All custodial workers, contractors and support personnel with access to physically secure locations and controlled areas should also be subject to state and national fingerprint-based record checks.
- It is also recommended that re-investigations be conducted once every five years unless Rap Back is enforced.
Personnel Screening for Contractors and Vendors
Apart from meeting the above-mentioned requirements, vendors and contractors should meet additional requirements to ensure personnel security. These include a thorough background check on behalf of the contractor; informing the Contracting Government Agency (CGA) if a record of any kind is found; and disqualifying a contractor employee with a criminal history. The CGA should maintain a list of all personnel with access to Criminal Justice Information and provide the latest copy to the CSO.
As soon as the employment of an individual is terminated, the agency shall revoke that individual's access to CJI.
In the event of authorized personnel being transferred or reassigned to another position within the agency, the agency should initiate the necessary actions, such as changing system access authorizations and closing and establishing accounts.
If personnel fail to comply with the established information security procedures and policies, the agency should take appropriate action and impose formal sanctions on such personnel.
That brings us to the close of this topic on CJIS Compliance Personnel Security.
DoubleHorn is one of the leading Cloud Solutions Providers, founded in January 2005 and based in Austin, Texas. DoubleHorn is capable of offering CJIS Compliant Cloud Solutions. Contact us at firstname.lastname@example.org to learn more.