Security Awareness Training

CJIS SECURITY POLICY V5.5

POLICY AREA 5.2

What

• The protection of Criminal Justice Information (CJI) originating from the Department of Justice (FBI CJIS data).

When

• Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.

Who

• All authorized personnel with access to (physical or logical) CJI. This includes vendors and anyone who works on and or maintains a technical component that is used to send, receive, process or route a transaction to or from systems that process or maintains FBI CJIS data.

Why

• Not only is it required per CJIS Security Policy, it is each individual’s responsibility to protect CJI with all due diligence. Even the most technically and physically secure environments are subject to threats due to lack of due diligence and or inappropriate conduct from the insider.

Level 1

BASELINE SECURITY AWARENESS TRAINING FOR ALL PERSONNEL WHO HAVE UNESCORTED ACCESS TO A PHYSICALLY SECURE LOCATION.

​

Level 1 Key Points

• Rules that describe responsibilities and expected behavior with regard to CJI usage.
• Implications of noncompliance.
• Incident response (Points of contact; Individual actions).
• Visitor control and physical access to spaces—discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity.

​

​

​

• FBI CJIS data is any data derived from the national CJIS Division systems.
• Many state CJIS systems (they include state hot file and criminal history data) contain FBI CJIS data and must be afforded the same security as national systems. 
• Criminal History Record Information (CHRI) is arrest-based data and any derivative information from that record.
• Descriptive Data
• Sentencing Data
• FBI Number
• Conviction Status
• Incarceration
• Probation & Parole Information

​

What are we protecting?

​

Rules that describe responsibilities and expected behavior with regard to CJI usage.

The Interstate Identification Index (III) is also, known as “Triple I” provides for the decentralized interstate III provides for the decentralized interstate exchange of Criminal History Record Information (CHRI) and functions as part of the FBI’s CJIS Division’s Integrated Automated Fingerprint Identification System (IAFIS). All 50 states return automated CCH information to users based on an inquiry and each state may format their record response differently.

What are we protecting?

​

Rules that describe responsibilities and expected behavior with regard to CJI usage. (continued)

Under the III, the FBI maintains an index of persons

arrested for felonies or serious misdemeanors

under state or federal law.

​

III includes identification data such as the name, birth date, race, sex and FBI/State identification numbers (SIDS) from each state that has information about an individual.

​

Information obtained from the III is considered CHRI and sensitive data and should be treated as such.

​

III may only be accessed for an authorized purpose, and may only be used for the purpose for which it was originally accessed.

​

All users are required to provide a reason for all III inquiries.

​

A criminal justice agency is defined as the courts, State & federal Inspector General Offices, and a governmental agency or any subunit thereof that performs the administration of criminal justice pursuant to a statute or executive order and that allocates a substantial part of its annual budget to the administration of criminal justice.

​

What are we protecting?

​

Rules that describe responsibilities and expected behavior with regard to CJI usage. (continued)

Voice transmission of a criminal history should be limited, and details of a criminal history should only be given over a radio or cell phone when an officer’s safety is in danger or the officer determines that there is a danger to the public.

​

Most of the files/data obtained from the National Crime Information Center (NCIC) system are considered restricted files.

​

There are several files that contain CHRI/CCH information and the dissemination of information should be protected as such:

• Gang File
• Known or Appropriately Suspected Terrorist (KST) File
• Convicted Persons on Supervised Release File
• Immigration Violator File
• National Sex Offender Registry File
• Historical Protection Order File
• Identity Theft File

​

�What are we protecting?�Rules that describe responsibilities and expected behavior with regard to CJI usage. (continued)�

Criminal history record information acquired via CJI Systems is for use by law enforcement and criminal justice agencies for official criminal justice purposes, consistent with purpose for which the information was requested. Each agency is responsible for maintaining a set of current written policies and procedures that include how the misuse of the NCIC and CCH information will be handled. <local agency note these here>

​

Administration of criminal justice means performing functions of detection, apprehension, detention, pretrial release, post trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders by governmental agencies. The administration of criminal justice includes criminal identification activities and the collection, processing, storage, and dissemination of criminal justice information by governmental agencies.”

​

An agency may use a facsimile machine to send a criminal history providing both the sending and receiving agencies have an ORI and are authorized to receive criminal history information.

​

Unauthorized requests, receipt, release, interception, dissemination or discussion of FBI CJIS Data/CHRI could result in criminal prosecution and/or termination of employment.

​

• Any access of these systems and or dissemination of information obtained for non-criminal justice purposes are considered a misuse of the system.
• Of the misuse cases that are investigated, most will stem from one of the following categories: affairs of the heart, political motivations, monetary gain, or idle curiosity. Many past cases involved an operator trying to “help out a friend”.
• Unauthorized request, receipt or release of CJI material can and has resulted in criminal proceedings.
• Improper use of information obtained from any CJI System and/or related applications and devices may be unlawful, violate federal, state and local policies and may result in prosecution.
• <Placeholder for State/Agency input>

​

​

Implications of Noncompliance

​

Incident Response

• A security incident is a violation or possible violation of the technical aspects of the CJIS Security Policy that threatens the confidentiality, integrity or availability of state/FBI CJIS data.
• Discuss Agency Policy/Procedures here:
• How, who and when to contact.
• What is applicable to the local agency for level 1 training?

Unsecured areas that are designated controlled areas

(areas that CJI resides to include communications closets).

​

Visitor Control and Physical Access

• All employees are subject to the agency physical protection policy to ensure that the security of CJI is maintained.
• All employees need to remain cognizant of the designated physically secure areas and ensure that all personnel abide by access control points, entrance and exit procedures, visitor control and handling procedures. Employees must ensure that CJI, whether in physical or electronic form, remain in the secured areas unless they have specific authorization and procedures for taking that information out of the physically secure area.
• Employees are obligated to report violations and/or suspected violations. Furthermore, employees should report areas of sensitive access that may be unsecure such as emergency exit doors which may have been left propped open. Employees need to maintain vigilance in recognizing individuals who may not have appropriate access and may have been left unescorted.
• <Placeholder for State/Agency input>

​