310 – Criminal Justice Information System (CJIS) Data Access Usage
I. Purpose
This policy establishes guidelines for the use and security of the department-issued TLETS terminal, mobile data terminal (MDT) equipment, and related CJIS information. Failure to comply with this policy can result in disciplinary action or termination as well as be subject to criminal and/or civil sanctions.
II. Policy
The Harris County Sheriff’s Office (HCSO) shall protect the integrity of the CJIS database and all data and information obtained through the use of mobile data terminals and hard-wired TLETS terminals by strictly following the procedures outlined in this order.
A. HCSO employees who have been properly trained in the use of the Criminal Justice Information System data access usage are authorized to make inquiries and to have access to sensitive information.
B. Access to any information available on JIMS shall only be for conducting official business on behalf of the HCSO. Each employee shall be held accountable for accessing the information on a need-to-know basis, and no information, whether criminal or civil in nature, may be disseminated outside the HCSO without authorization of the employee’s supervisor.
III. Definitions
Mobile data terminal (MDT): Includes all computers that have access via wireless or hard-wired network to TLETS, TCIC, NCIC, or any law enforcement database.
Non-secure location: Includes all locations not defined as “secure” below.
Secure location: Includes the HCSO areas that are not open to the public and accessible only by authorized personnel. This term also includes official police vehicles that are locked or attended by authorized sworn police personnel.
Storage Media: Includes, but is not limited to: DAT tapes, DVDs, CDs, floppy discs, flash drives, computers, tablets, and any PED as defined in HCSO Department Policy #309 – Electronic Media Technology Usage.
TLETS Terminal: Includes all computers (normally desktops) that have access via wireless or hard-wired network to TLETS, TCIC, NCIC, or any law enforcement database.
IV. Procedure
A. CJIS, TLETS, TCIC, and NCIC data shall be accessed ONLY from secure locations as defined.
B. The department shall maintain a roster or agency-issued credentials (officer badge, access card, etc.) of authorized personnel with unescorted access into physically secure areas.
C. When transporting non-law-enforcement personnel in police vehicles, officers will close the MDT screen or position it in a manner that will prevent unauthorized viewing of MDT data. TLETS terminal screens shall be positioned to prevent unauthorized viewing.
D. The terminal agency coordinator or his or her designee shall review the user or operator list annually or as needed and document when this was performed. The Human Resources Division shall provide the terminal agency coordinator with a list of personnel terminating their employment monthly and with a comprehensive list of personnel upon request to facilitate this review.
E. All printouts of CJIS data shall be promptly filed with the corresponding incident records. Otherwise, the printouts should be promptly shredded. If not shredded, then they should be incinerated. Disposal or destruction is witnessed and carried out by authorized personnel.
F. All storage media containing CJIS data that is no longer viable shall be overwritten using secure-format methodology that overwrites all data in three iterations or degaussed prior to disposal or release of the storage media for reuse by other personnel.
1. If no longer needed, storage media will be destroyed.
2. Inoperable electronic media shall be physically destroyed.
NOTE: Sanitation and destruction shall only be witnessed and carried out by authorized personnel.
G. The department shall keep a list of all MDT IDs and contacts so that devices can be promptly disabled if the need arises.
H. The local CJIS network equipment shall be located in a physically secure location.
I. All law enforcement vehicles containing MDTs shall be securely locked when not in use.
J. All computers used for processing CJIS data shall have anti-virus software installed. All will have the latest available updates for the operating system and anti-virus software. MDTs shall have a personal firewall enabled.
K. The department shall employ a formal incident response plan. Each authorized user shall report any violations of this security policy up the chain of command or to proper authorities.
L. No personal hardware (PC, laptop, etc.) or software shall be allowed on the agency’s TLETS network.
M. No publicly accessible computers shall be allowed on the agency’s TLETS network.
N. The department shall authorize and control information-system-related items entering and exiting the physically secure location.
O. The department shall establish a security alert and advisories process.
V. Training Required
A. Each person authorized unescorted access to secure Sheriff’s Office facilities shall receive security awareness training within six months of appointment or employment and thereafter at least every two years in accordance with CJIS policy. This training will be documented.
B. All requests for scheduling for JIMS user training classes must be submitted to the Systems Division using the “JIMS Training Request Form” (90-SYSFORM-6). This form can either be submitted by mail or by placing it in the mailbox marked “Systems” located in the HCSO mail room.
C. The Systems Division will notify the personnel who requested the training class of the date and time they are scheduled. If the time chosen is not applicable to the requester, the Systems Division will reschedule the person for another date and time.
D. A supervisor of the rank of sergeant or above must approve scheduling the requester for class. If the approval is not signified by the supervisor’s signature on the 90-SYSFORM-6 form, the form will be returned to the requester unprocessed. A supervisor of the rank of captain or above must approve class scheduling for the TCIC / NCIC class.
E. In the event that the requester is unable to attend the scheduled class, the requester should notify Systems as soon as possible to determine a reschedule date. If the requester contacts Systems prior to the date or time of the class, the class will be removed from the training record located within JIMS.
F. If the requester has failed to meet two settings for training, that person will not be rescheduled except with written confirmation from his or her division commander.
G. Personnel requiring TCIC/NCIC Training will register for a Less Than Full Access or a Full Access class using the Academy website. TCIC/NCIC codes will not be issued or reactivated until the requestor has satisfactorily completed the applicable class. The requestor is responsible for securing permission for training time off with their respective divisions.
VI. User Record Verification and Best Practices
A. The Systems Division shall conduct a monthly security code verification of the HCSO employees with access to JIMS. This audit will be accomplished to verify passwords, access codes, or access violations.
B. JIMS and TCIC/NCIC will automatically prompt all authorized users to change their password every sixty days. Any employee denied access or experiencing difficulty with their access codes should contact the Systems Division for JIMS or the Terminal Agency Coordinator for TCIC/NCIC.
C. Central Technology Services shall periodically check to confirm servers, terminals, and MDTs connected to the CJIS network are receiving the latest updates in regards to the operating system and anti-virus software and ensure:
1. Personal firewalls are enabled on MDTs, and
2. Sessions are locked within thirty (30) minutes on non-dispatch terminals.
Take appropriate action if required.
D. The terminal agency coordinator shall periodically check physically secure locations to ensure:
1. Safeguards such as locks are in working order,
2. Doors are closed and properly secured, and
3. Terminals are not viewable by unauthorized personnel.
Take appropriate action if required.
E. Central Technology Services shall periodically check to ensure that all network components (routers, firewalls, switches, etc.) that process CJIS information are still supported by the manufacturer. If warranties or contracts are in place, ensure they are valid and not out of date, and take appropriate action if required.
F. The terminal agency coordinator shall periodically check pertinent documents to ensure they are up to date and take appropriate action such as making editing changes or replacement if required.
Revision
This policy has been revised on the below listed dates:
April 21, 2009 April 20, 2016 September 20, 2018