User agreement - SOM - State of Michigan



POLICY STATEMENT

Pursuant to [indicate state or federal authorizing law], [Agency Name] is considered a Noncriminal Justice Agency (NCJA) and is an Authorized Recipient (AR), wherein certain authorized personnel can request and receive fingerprint-based Criminal History Record Information (CHRI) checks. Authorization for ARs to receive CHRI is for the purpose of [employment, licensing, or volunteer (indicate all that apply)] determinations. Therefore, [Agency Name] is to ensure compliance with applicable state and federal laws, applicable rules and regulations, and the most current version of the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy (CJISSECPOL), in addition to [Agency Name] policies, procedures, and processes. This Information Security Policy provides the appropriate access, maintenance, security, confidentiality, dissemination, integrity, and audit requirements of CHRI in all its forms, whether at rest or in transit. This policy/procedure shall be reviewed and updated at least annually and following any security incidents involving CHRI.

The most stringent requirement shall prevail if conflicts are found between agency policies, state or federal laws, the most current version of the CJISSECPOL, and corresponding rules or regulations.

As used in this policy:

Authorized Recipients:
- A criminal justice agency or federal agency authorized to receive CHRI pursuant to federal statute or executive order, or
- A nongovernmental entity authorized by federal statute or executive order to receive CHRI for noncriminal justice purposes, or
- A government agency authorized by federal statute, executive order, or state statute which has been approved by the United States Attorney General to receive CHRI for noncriminal justice purposes.
Authorized User/Personnel: An individual, or group of individuals, who have been appropriately vetted through a national fingerprint-based background check, where required, and have been granted access to Criminal Justice Information (CJI) data, wherein access is only for the purpose of evaluating an individual's qualifications for employment or assignment.

POLICY EFFECTIVE DATE AND ANNUAL REVIEW DOCUMENTATION

Policy Effective Date: _________________

Policy Review Dates:

Review Date        Review Conducted By
_____________      ______________________
_____________      ______________________
_____________      ______________________

USER AGREEMENT (CJISSECPOL 5.1.1.6)

[Agency Name] shall complete and maintain a Noncriminal Justice Agency User Agreement (RI-087) provided by the Michigan State Police (MSP). Agreements are in place to provide for data ownership, individual roles, responsibilities, etc. [Agency Name] shall request a new user agreement in the event of a legal name change, a move to a new physical address, or a wish to add or remove fingerprint reason codes. The most current copy of this user agreement will be maintained on file at the agency indefinitely.

LOCAL AGENCY SECURITY OFFICER (LASO) (CJISSECPOL 3.2.9)

The [indicate agency authority, e.g., board of directors, agency commission, agency representative with authorizing authority, superintendent] will designate a LASO by completing and returning to MSP-CJIC-ATS@ a Noncriminal Justice Agency Appointment Notification (CJIS-015).
An individual designated as the LASO is:
- An "authorized user/personnel": an individual who has completed a fingerprint-based background check, where required, and has been found appropriate to have access to CHRI.
- If a school, an employee directly involved in evaluating an individual's qualifications for employment or assignment.

A LASO is responsible for the following:
- Identifying who is using or accessing CHRI and/or systems with access to CHRI.
- Identifying and documenting any equipment connected to the state system.
- Ensuring personnel security screening procedures are being followed as stated in this policy.
- Confirming the approved and appropriate security measures are in place and working as expected.
- Ensuring annual Awareness and Training is being completed by all personnel authorized access to CHRI.
- Supporting policy compliance and ensuring the MSP Information Security Officer (ISO) is promptly informed of security incidents.
- Reviewing and updating information security policy/procedures annually or after security incidents involving CHRI.
- Employing one or more of the following techniques to increase the security and privacy awareness of system users: displaying posters; offering supplies inscribed with security and privacy reminders; displaying logon screen messages; generating email advisories or notices from organizational officials; conducting awareness events.

When changes in the LASO/CHRISS Administrator occur, [Agency Name] shall complete and return a new NCJA appointment notification form (CJIS-015). The most current copy of the NCJA appointment notification form will be kept on file indefinitely by the agency.

AWARENESS AND TRAINING (AT) (CJISSECPOL 5.2)

All users with authorized access to CJI should be made aware of their individual responsibilities and expected behavior when accessing CJI and the systems which process CJI.
This training should be part of initial training for new users prior to accessing CJI and annually thereafter, when required by system changes, and within 30 days of any security event for individuals involved in the event. LASOs require enhanced training on the specific duties and responsibilities of those positions and the impact those positions have on the overall security of information systems. Training is role-based security and privacy training provided to personnel in the following roles:
- Basic Role: All individuals with unescorted access to a physically secure location (this is not typical for NCJAs).
- General Role: All personnel with access to CJI. This level is designed for people who have physical and logical access to CJI.
- Privileged Role: This level is designed for all information technology personnel, including system administrators, security administrators, network administrators, etc. Requires more access than a general user, but is not an assigned LASO (e.g., CHRISS Administrator).
- Security Role: This level is designed for personnel with the responsibility to ensure the confidentiality, integrity, and availability of CJI and the implementation of technology in a manner compliant with the CJISSECPOL (e.g., LASO).

Privacy Act Statement Disclosure

[Agency Name] shall ensure that the applicant receives the Federal Privacy Act Statement Disclosure by providing the applicant the most current version of the MSP RI-030 Live Scan consent form. The applicant will receive this information by hard copy or electronic copy.

PERSONNEL SECURITY (CJISSECPOL 5.12)

Personnel Termination / Transfer (CJISSECPOL 5.12.2 & 5.12.3)

The LASO or authorized designee shall terminate access to CHRI immediately, meaning within 24 hours of notification of an individual's termination of employment or transfer/reassignment.

[Insert Agency Procedures, the specific steps of how personnel termination / transfer will be addressed:
- Indicate how notification will occur or is initiated.
- Provide termination of access steps to be taken by the agency for individuals with access to physical CHRI media (the return of any keys or access cards to buildings, offices, and/or files).
- Provide termination of access steps to be taken by the agency for access to digital CHRI media (the disabling of access to the agency's digital CHRI system of records, inactivation of CHRISS account).]

Personnel Sanctions (CJISSECPOL 5.12.4)

Persons found noncompliant with state or federal laws, the current CJISSECPOL, rules or regulations, including the [Agency Name] Information Security Policy, will be formally disciplined. Discipline may include, but is not limited to, counseling, the reassignment of CHRI responsibilities, dismissal, or prosecution. Discipline will be based on the severity of the infraction and at the discretion of [Agency Name].

MEDIA PROTECTION (MP) (CJISSECPOL 5.8)

CHRI media is to be protected and secured at all times. The following is established and is to be implemented to ensure the appropriate security, handling, transporting, and storing of CHRI media in all its forms.

Media Storage & Access (MP 2, MP 4)

Digital and physical CHRI media shall be securely stored within physically secured locations or controlled areas, and within the agency's facility unless otherwise permitted. Access to such media is restricted to authorized personnel only, and media is secured at all times when not in use or under the supervision of an authorized individual.

Physical CHRI media:
- Is to be stored within individual records when feasible or by itself when necessary.
- Is to be maintained within a lockable filing cabinet, drawer, closet, office, safe, vault, etc.

Digital CHRI media:
- Is to be secured through encryption as specified in the most current version of the CJISSECPOL.
- Unless encrypted, digital storage media devices (such as discs, CDs, SDs, thumb drives, DVDs, etc.) are to be maintained within a lockable filing cabinet, drawer, closet, office, safe, vault, etc.

Media Transport (MP 5)

Should the need arise to move CHRI media outside of the secured location or controlled area, [Agency Name] shall establish and implement appropriate security controls to prevent compromise of the data while in transport. The transport of CHRI media will be performed by authorized personnel only.

CHRI media includes:
- Physical CHRI media such as paper/hard copies.
- Digital CHRI media such as laptops; computer hard drives; and any removable, transportable digital memory media, such as magnetic tape or disk, optical disk, flash drives, external hard drives, or digital memory card(s).

[Insert Agency Procedures, the specific steps of how agency transport will occur:
- Indicate who will handle and transport CHRI media. (Should be the LASO but can be another authorized employee.)
- Provide when transport is to occur. (Only upon justification and approved by?)
- Provide how transport of media will occur. (Such as by use of a locked container, sealed envelope, or encryption of certain digital devices when applicable.)
- Identify that media is to remain in the physical possession of the designated authorized employee until CHRI media is delivered to its intended destination.]

Digital Media Sanitization and Disposal (MP 6)

Without ensuring the proper disposal of installed and removable digital storage, information security risks can be created by reassigning, transferring, trading in, or disposing of computers, or by replacing digital storage media and computer software. Therefore, once digital CHRI media devices are determined no longer needed by the agency, devices shall be sanitized and disposed of according to the most current version of the CJISSECPOL. Due to the presence of temporary files (data remanence), devices where digital media was once stored, processed, and/or used for dissemination (fax machines, scanners, computers, laptops, etc.) shall be sanitized in a manner that gives assurance that the information cannot be recovered prior to the disposal, reassignment, or recycling of such devices. An "erase" feature (e.g., putting a document in a "trash can" icon) or deleting a file is not sufficient for sensitive information, because the information may still be recoverable. The agency will provide steps for the sanitization and disposal of devices where CHRI media was once stored, processed, and/or used.

[Insert Agency Procedures, the specific steps of how digital sanitization will occur:
- Indicate how the agency authorizes the sanitization of devices (formal documentation).
- Sanitization of digital media devices shall be conducted or witnessed by an authorized user.
- Indicate which method of sanitization will be used by the agency:
  - When clearing data (wiping), use three passes with a disk wiping utility using the DoD 5220.22-M (E) method:
    - Writes zero bytes (0x00)
    - Writes high bytes (0xFF)
    - Writes pseudo-random bytes
  - When purging the data, use a National Security Agency/Central Security Service (NSA/CSS) approved degausser, except for optical media such as CDs/DVDs, which must be physically destroyed.
  - Physical destruction includes shredding, disintegrating, cutting, drilling, or grinding.
- Indicate which method(s) will be used to physically destroy inoperable digital media (e.g., shredding, disintegrating, cutting, drilling, or grinding).]

Disposal of Physical Media (MP 6)

Once physical CHRI media (paper copies) is determined no longer needed by the agency, media shall be destroyed and disposed of according to the CJISSECPOL. Formal procedures for the secure disposal or destruction of physical media:

[Insert Agency Procedures, the specific steps of how disposal of physical media will occur:
- Retention Policy: CHRI will be held for _______ years/days, etc.
- Disposal or destruction of physical CHRI media shall be witnessed or carried out by an authorized user.
- Indicate which method(s) of destruction will be used by the agency (e.g., incineration, crosscut shredding, or pulverization).]

Media Use (MP 7)

[Agency Name] prohibits the use of personally owned digital media devices, and of digital media devices with no identifiable owner, on all agency-owned or controlled systems that store, process, or transmit criminal justice information.

PHYSICAL PROTECTION (CJISSECPOL 5.9)

[Agency Name] shall document and implement a physical protection policy and procedures to ensure CHRI and information system hardware, software, and media are physically protected through access control measures. Access is limited to the controlled area during CHRI processing times, and to authorized personnel approved by the agency to access or view CHRI. CHRI will be locked and secured to prevent unauthorized access when not in use. Information system devices and documents containing CHRI will be positioned in such a way as to prevent an unauthorized individual from accessing or viewing them. Encryption requirements will be implemented for digital storage (i.e., data "at rest") of CHRI.

[Insert Agency Procedures, describing all locations where CJI and information system hardware, software, and media are physically located and processed.]

INCIDENT RESPONSE (CJISSECPOL 5.3)

[Agency Name] shall establish operational incident handling procedures for instances of an information security breach. Information security incidents are major incidents that significantly endanger the security or integrity of CHRI. The agency will identify responsibilities for information security incidents and include how and to whom to report such incidents. The agency will ensure appropriate security incident capabilities exist and should incorporate the lessons learned from ongoing incident handling activities. The agency will ensure procedures exist and are implemented for follow-up action after a security breach and for the collection of evidence in cases of legal action.
All individuals with direct or indirect access to CHRI shall be trained on how to handle an information security incident, and such training will be included within the provided Awareness and Training. Procedures shall be in place to track and document information security incidents, whether physical or digital, on an ongoing basis. When an incident has been determined to be a breach involving CHRI, the agency will report the security breach to the MSP ISO by use of the "Information Security Officer (ISO) Computer Security Incident Response Capability Reporting" form (CJIS-016).

[Insert Agency Procedures, the specific steps of how incident response will occur:
- Provide specific contacts, by title, to whom an incident is to be reported. This should lead up to the LASO.
- Handling capabilities implemented by the agency. Capabilities shall be handled according to the following description, for both physical (hard copy) CHRI and digital (digitally accessed/saved) CHRI:

Preparation
- Physical: The CHRI container will be locked at all times in the business office, which will be locked when office staff are not present. (List name of video system if you have one.)
- Digital: Firewalls, virus protection, and malware/spyware protection will be maintained.

Detection
- Physical: Physical intrusions to the building will be monitored by means of: (Provide ways the building is monitored, such as the building alarm (list company name if you have an alarm system) or checking that doors are locked at night.)
- Digital: Electronic intrusions will be monitored by the virus and malware/spyware detection.

Analysis
- Physical: The LASO will work with police authorities to determine how the incident occurred and what data were affected.
- Digital: The IT department will determine what systems or data were compromised and affected.

Containment
- Physical: The LASO will lock uncompromised CHRI in a secure container or transport CHRI to a secure area.
- Digital: The IT department will stop the spread of any intrusion and prevent further damage.

Eradication
- Physical: The LASO will work with law enforcement (name of police department) to remove any threats that compromise CHRI data.
- Digital: The IT department will remove the intrusion before restoring the system. All steps necessary to prevent recurrence will be taken before restoring the system.

Recovery
- Physical: The law enforcement agency (name of police department) in charge will handle and oversee recovery of stolen CHRI media. The LASO may contact MSP for assistance in re-fingerprinting if necessary.
- Digital: The IT department will restore the agency information system and media to a safe environment.

Should the agency choose to take legal action, whether criminal or civil, the following organizations [what law enforcement agency would you call to take a report, or who would you contact for legal counsel in a civil matter] are contacted for evidence collection.]

[Reporting: An "Information Security Officer (ISO) Computer Security Incident Response Capability Reporting" form (CJIS-016) has been established and is the required method of reporting security incidents to the MSP. Therefore, it should be supported in agency policy. The CJIS-016 can be located at the SAS website: cjicats (Forms).]

The agency shall retain completed CJIS-016 forms on an ongoing basis to meet the policy requirement for tracking.

All personnel are to report suspected incidents to the LASO immediately, but not to exceed one (1) hour after discovery. If an incident is confirmed, the LASO shall then report the incident to the MSP ISO.

Incident response includes a process to determine if notification to individuals is needed, assessment to determine the extent of the harm, and identification of applicable privacy requirements when a breach has occurred.

Incident response testing will be conducted annually using the following tests: tabletop or walk-through exercises, simulations, or other agency-appropriate tests.

SECONDARY DISSEMINATION (CJISSECPOL 4.2)

When permitted by law, and [Agency Name] releases a CHRI response to another authorized recipient pursuant to authorized sharing provisions, a log of such releases shall be established, implemented, and kept current for all dissemination outside of the CHRISS system. The log will be maintained indefinitely and be made available upon request to the MSP representative for audit purposes. Fields required for the log are:
- The date the record was shared
- Record disseminated
- Requesting agency
- Requestor's name
- Method of sharing: by U.S. Mail or landline fax (no emailing unless encrypted)
- Agency personnel that shared the CHRI
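The three-pass clearing method in the Digital Media Sanitization and Disposal section above, as an added example that is not part of the MSP template or any MSP tool: a Python routine (the helper names are assumed) that overwrites a file with 0x00, then 0xFF, then pseudo-random bytes, reads each pass back to verify it reached the device, and only then unlinks the file.

```python
import os
import random
import secrets
import tempfile

# Passes per the policy's three-pass clearing method: 0x00, 0xFF, pseudo-random.
PASSES = ("zeros", "ones", "random")
CHUNK = 64 * 1024

def _pattern_stream(kind, seed):
    """Return a function giving the next n bytes of a pass pattern. The random
    pass is seeded so verification can regenerate the identical stream."""
    if kind == "zeros":
        return lambda n: b"\x00" * n
    if kind == "ones":
        return lambda n: b"\xff" * n
    return random.Random(seed).randbytes

def _run_pass(path, kind):
    """Overwrite the file in place with one pattern, fsync, then read it back."""
    size = os.path.getsize(path)
    seed = secrets.randbits(64)
    nxt = _pattern_stream(kind, seed)
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            f.write(nxt(n))
            done += n
        f.flush()
        os.fsync(f.fileno())  # force the pass to the device before verifying
    nxt = _pattern_stream(kind, seed)  # same seed -> same expected bytes
    with open(path, "rb") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            if f.read(n) != nxt(n):
                return False
            done += n
    return True

def sanitize_file(path, passes=PASSES):
    """Run every pass (each verified) and unlink the file only if all passed.
    Returns [(pass_name, verified), ...]. Overwriting in place only gives
    assurance on magnetic media; SSD wear levelling and copy-on-write or
    journaling filesystems can retain old copies (hence degaussing/destruction)."""
    results = [(kind, _run_pass(path, kind)) for kind in passes]
    if all(ok for _, ok in results):
        os.remove(path)
    return results

def demo():
    """Constructed sample: write a fake record file to a temp path and sanitize it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE RECORD\n" * 5000)  # ~130 KB, several chunks
    return {"passes": sanitize_file(path), "still_exists": os.path.exists(path)}
```

Overwriting in place cannot reach blocks that SSD wear levelling or a journaling/copy-on-write filesystem has already relocated, so for such devices the purge (degaussing) or physical destruction options in the same section apply.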