Published by 우성 위. Modified over 5 years ago.
1
Crime Records Service Access and Dissemination Bureau Audit Unit
2016 TRAINING SEMINAR
2
Terms you should know:
CHRI: Criminal History Record Information
Access: The ability to receive, view, or discuss CHRI.
ADB: Access and Dissemination Bureau
CJIS Security Policy: A policy regarding CHRI enforced by the FBI to which all states and authorized private entities must adhere.
Authorized: Only individuals approved by LES/CRS (DPS)
Name-based: Criminal history obtained by submitting a Name, Date of Birth, and at times other identifiers.
Fingerprint-based: Criminal history obtained by submitting fingerprints and identifiers.
3
Terms you should know cont.
OS: Outsourcing Standard (Security and Management Control Outsourcing Standard for Non-Channelers).
AR: Authorized Recipient means (1) nongovernmental entity, (2) a governmental agency.
Contractor: A governmental agency, a private business, non-profit organization or individuals, that is not itself an AR, who has entered into a contract with the AR to perform noncriminal justice admin. functions requiring access to CHRI.
4
ListServ ListServ is a notification system that DPS uses for updates or mass information mail outs. All users of the accounts may sign up to get updates. To subscribe to our Listserv list please visit and enter your name, address, and select the “CRSADB” list. Leave the Subscription Type as “Regular” and then click “Subscribe (CRSADB)”.
5
SYSTEM SECURITY The data stored in the Secure Site is documented criminal justice information and must be protected to ensure correct, legal, and efficient dissemination and use. Security of the server and terminal site, and proper handling of information received is the responsibility of the agency. Audit Question!
6
SYSTEM SECURITY All systems should have firewall protection, virus protection, and have the appropriate Operating system with current service packs in place. ‘Session Locks’ should be in place on all terminals with a maximum of 30 minutes of inactivity. Public Accessible Computers shall not be used to access, store, or transmit CHRI. Audit Question!
7
THINGS YOU SHOULDN’T DO
7/29/2015
Users may only access this site with an assigned User ID. No person is permitted to use this site using another person's User ID & Password. For Assistance:
8
PHYSICAL SECURITY The local agency is responsible for the security of the computer terminals used to access CHRI. This includes Laptops that may be used at off site locations. The person receiving a request for CHRI must ensure the requestor is authorized to receive it. Unauthorized retrieval and dissemination of CHRI material could result in administrative or criminal sanctions. (TXGC ) Audit Questions!
9
PHYSICAL SECURITY Agency should have a procedure in place on how to select individuals to have access to CJI. Restrict access to the minimum number of persons needed to do the job. Validation Visitors to the terminal site and storage site must be accompanied by an ‘approved’ person. Audit Question!
10
THINGS YOU SHOULDN’T DO
Did you know Lulu’s nephew applied for a position and his Criminal History is as long as his arm?!
11
PHYSICAL SECURITY The location of all CHRI from the DPS or FBI databases must have adequate physical security to protect against unauthorized viewing or access to displayed, stored, or printed CHRI at all times. Audit question!
12
PERSONNEL SECURITY
Statewide Criminal History checks will be conducted on all personnel applying for access to CHRI. Qualifications for denial include, but are not limited to:
The applicant has ever been convicted of a felony
The applicant has ever been convicted of a Class A Misdemeanor
The applicant has been convicted of a Class B Misdemeanor in the last 10 years
The applicant has ever been convicted of a family violence offense
DPS will send a letter to the individual when an application gets denied!
13
DISABLING USERS
Account supervisors must suspend a user's account when a person no longer needs access to the secure site. Liability for the agency is potentially high if not done. Individual can still access CHRI from another location, which would be a potential Class B misdemeanor for unauthorized retrieval and purpose. Agency will be held liable for not disabling an individual’s access and all CHRI retrieved by that individual. DPS Secure Site will require supervisors and users to better maintain their account and keep their information current. Coming Fall of 2016. CJIS Security Policy Audit question!
14
Training (2)
DPS Secure Site Training mandatory to retrieve and run CCH.
Secure Site Training may be retaken at any time.
CJIS Online mandatory for everyone that may have access to CHRI (verbally, electronically or by any media, un-escorted access to facility).
CJIS Online due within six months of initial assignment and biennially thereafter!!!
KEEP INSTRUCTIONS
Audit question!
16
CJIS Online DPS will assign a TAC/ADMIN!
ADB will send with instruction. TAC/ADMIN will get notification of expiration 90 days prior to expiration, and the individual will receive notification 90 days before expiration.
17
CJIS ONLINE TRAINING
Below are the FBI security training requirements for individuals who have access to Criminal Justice Information (CJI).
All Personnel (Level I) – Anyone with unescorted access to facility where CHRI is accessed. Spanish Version/No Test
Personnel with CHRI Access (Level II) – Anyone with access to CHRI, physically or verbally.
Personnel with logical CHRI access (Level III) – Anyone with the ability to run CHRI searches.
IT Personnel with logical CHRI access (Level IV) – Anyone designated as IT that has the potential to access CHRI via a network or other methods.
18
Offline MGMT
Includes SID #, DOB and Name of individual.
Should be kept secured.
May be kept on desktop encrypted with passphrase or in an encrypted folder.
19
TRANSFER OF CHRI VIA EMAIL
Transfer of CHRI via email is allowed under the CJIS Security Policy. If CHRI is in the text of an email, the email must be sent encrypted. If CHRI is sent as an attachment, the attachment must also be encrypted. Encryption standards and requirements are available in the CJIS Security Policy (current version is 5.5). Audit question!
20
STORAGE AND DESTRUCTION OF CHRI
CHRI must be kept secure at all times.
CHRI being stored must be kept in a locked drawer with only authorized users having access to both the drawer AND the key.
CHRI may only be kept until it is used for its authorized purpose.
Destruction of CHRI
CHRI must be destroyed by, or under the supervision of, authorized users.
CHRI must be destroyed by shredding or burning.
Audit Question!
21
ELECTRONIC STORAGE Electronic storage of CHRI is allowed, unless retention of such information is not permitted by statute. All CHRI retained electronically in file storage systems must strictly follow FBI CJIS Security Policy 5.5 and policies have to be in place. All CHRI must be contained in separate file folders within the system to prevent unauthorized access, use and dissemination of CHRI. Audit question!
22
Information Technology (IT)
IT may be in audits or be available to answer questions…
Policies written and unwritten!
-Policy about sanitation (written)
-Protection and Procedure Policy (digital & physical Media) (written)
-Deleting log-on users
-Corrective action policy (written)
-Physical protection policy (system hardware, software and media) (written)
Dissemination
23
IT Back ups/electronic archiving Cloud computing?
Network Printers Password protected? System Notification upon start up? Usage restrictions? Mobile wireless devices… Audit Question!
24
Outsourcing “Noncriminal Justice Administrative Functions”,
which means the routine functions relating to the processing of CHRI, to include but not limited to the following: Making Fitness determinations/recommendations. Obtaining missing dispositions. Disseminating CHRI as authorized by Federal statute, Federal Executive Order, or State statute approved by the United States Attorney General. Other authorized activities related to the handling, use, storage and destruction of CHRI. Outsourcing Standard would have to be in place.
25
Outsourcing Cont’d
Authorized Recipients (AR) that outsource their entire administrative functions.
Agencies that have vendors/contractors performing functions under an Information Technology (IT) contract.
Authorized Recipients that have vendors/contractors accessing CHRI solely for the limited purposes of:
- Storage
- Retrieval
- Destruction
Please contact audit!
26
CCH RELATED LAWS §411.135: ACCESS TO CERTAIN INFORMATION BY PUBLIC
(a) Any person is entitled to obtain from the department: (1) any information described as public information under Chapter 62, Code of Criminal Procedure, including, to the extent available, a recent photograph of each person subject to registration under that chapter; and (2) criminal history record information maintained by the department that relates to the conviction of or a grant of deferred adjudication to a person for any criminal offense, including arrest information that relates to the conviction or grant of deferred adjudication. (b) The department by rule shall design and implement a system to respond to electronic inquiries and other inquiries for information described by Subsection (a). (c) A person who obtains information from the department under Subsection (a) may: (1) use the information for any purpose; or (2) release the information to any other person.
27
CCH RELATED LAWS § : USE OF CRIMINAL HISTORY RECORD INFORMATION (1) is for the exclusive use of the authorized recipient of the information; and (2) may be disclosed or used by the recipient only if, and only to the extent that, disclosure or use is authorized or directed by: (A) this subchapter (B) another statute (C) a rule adopted under a statute (D) an order of a court of competent jurisdiction. (a-1) The term “criminal history record”: The information contained, wholly or partly, in a document’s original form or any subsequent form or use. (c) An agency or individual may not confirm the existence or nonexistence of criminal history record information to any person that is not eligible to receive the information.
28
CCH RELATED LAWS § UNAUTHORIZED OBTAINING, USE, OR DISCLOSURE OF CRIMINAL HISTORY RECORD INFORMATION; PENALTY. (a) A person commits an offense if the person knowingly or intentionally: (1) obtains criminal history record information in an unauthorized manner, uses the information for an unauthorized purpose, or discloses the information to a person who is not entitled to the information; or (2) violates a rule of the department adopted under this subchapter. (b) An offense under Subsection (a) is a Class B misdemeanor, except as provided by Subsection (c). (c) An offense under Subsection (a) is a felony of the second degree if the person: (1) obtains, uses, or discloses criminal history record information for remuneration or for the promise of remuneration; or (2) employs another person to obtain, use, or disclose criminal history record information for remuneration or for the promise of remuneration. (d) The department shall provide a copy of this section to: (1) each person who applies for access to criminal history record information maintained by the department; and (2) each private entity that purchases criminal history record information from the department.
29
CCH RELATED LAWS §411.097 Local and Regional Education Entities
PURPOSE
Pre-employment, employment, volunteer, student teacher, or bus monitor/aide with contracted transportation company.
Not subject to “Public Information Act”.
May provide copy of Fingerprint return to an employee.
Must be destroyed on the earlier of: once a decision is made, OR one year after obtaining, whichever comes first.
ISD / CHARTER SCHOOLS
Name based searches
CHRI may not be retained in personnel files.
Name based CHRI may not be retained after a decision has been made.
Fingerprint based CHRI may be retained if necessary, but it’s recommended to destroy hard copies if the record is no longer needed.
30
Service Codes/Fast Passes for Schools
Uses Generic/LEE (issued by FSU/DPS) Volunteers For Independent Contractors/Nurses hired by Guardians or parents / pre 2008 non-certified employees. Re-printing of anyone previously FP. (TEA Fingerprint Complete) For Volunteers that Districts would like to fingerprint.
31
Service Codes Cont. Service Code Uses NCPA
(National Child Protecting Act) (Issued by FSU/DPS) ESC: only has one Service Code For Independent Contractors/Nurses hired by Guardians or parents.
32
Contractors
Independent Contractor should be printed with LEE/Generic Service Code. Should NOT be uploaded to TEA, except under special circumstances. (The contractor has employees that are substitutes or teachers.) Substitutes should be uploaded to TEA. School District would have to upload and contractor would subscribe (backwards). Example of contractor: Kelly Services.
33
DPS will perform audits What are the audits all about?
What can you do to prepare? What will the auditors do?
34
AUDITS
The purpose of the audit is to assess compliance with noncriminal justice use and the appropriate rules pertaining to the security, maintenance, and dissemination of CHRI.
Auditors will look at:
The security of all retained CHRI received from DPS
The computer terminals used to access CHRI
Who has access to CHRI, both electronically and physically
How CHRI is destroyed
Are contractor/Vendors involved
Has all training been completed
35
ELECTRONIC AUDITS
36
TOPOLOGICAL DIAGRAM EXAMPLE
37
Q & A
38
DPS: Courtesy, Service and Protection
Identify at least 5 acronyms:
ListServ:
What trainings are required for access to CJI?
When should the Outsourcing Standard be put into place?
What policies should your agency have in place per the CJIS Security policy?