42.5 CJIS SECURITY AND COMPLIANCE Page 1 of 21
EDGEWOOD POLICE DEPARTMENT
GENERAL ORDER # 42.5
CJIS SECURITY & COMPLIANCE
Revised Date: September 12, 2024
This General Order consists of the following numbered sections:
I. Relationship to the FBI CJIS Security Policy
II. Personally Identifiable Information
III. Information Exchange
IV. Information Handling
V. Incident Response
VI. Account Management
VII. System Access Control for Multiple Concurrent Sessions
VIII. Remote Access
IX. Personally Owned Information Systems
X. Identification and Authentication
XI. Authenticator Management
XII. Media Protection
XIII. Physical Protection
XIV. Encryption
XV. Voice Over Internet Protocol (VOIP)
XVI. Patch Management
XVII. Security Alerts and Advisories
XVIII. Wireless Usage Restrictions/Logs/Mobile Devices
XIX. Bluetooth
XX. Incident Response for Limited Featured Operating System Devices
XXI. Personnel Sanctions
I. RELATIONSHIP TO THE FBI CJIS SECURITY POLICY
The overriding goal of this policy is to comply with the FBI CJIS Security Policy and the
FDLE User Agreement requirements. Due to the evolving nature of the CJIS Security Policy,
it is necessary to separately communicate the requirements of the CJIS Security Policy as
they are developed and enhanced. These additional requirements are intended to be an
enhancement to the existing Standard Operating Procedures of the Edgewood Police
Department. The Agency shall adhere, at a minimum, to the CJIS Security Policy. While
the Agency may augment or increase the standards, it cannot detract from the minimum
requirements set forth by the FBI CJIS Security Policy.
II. PERSONALLY IDENTIFIABLE INFORMATION
Personally Identifiable Information (PII) is information which can be used to distinguish
or trace an individual’s identity, such as name, social security number, or biometric
records, alone or when combined with other personal or identifying information which is
linked or linkable to a specific individual, such as date and place of birth, or mother’s
maiden name. Any NCIC or FCIC provided data maintained by the agency, including but
not limited to, education, financial transactions, medical history, and criminal or
employment history may include an individual’s PII.
All electronic files that contain PII will reside within the Agency’s physically secure
location. All physical files (aka paper, folders, etc.) that contain PII will reside within a
locked file cabinet, storeroom, or office when not being actively viewed or modified. PII is
not to be downloaded to workstations or mobile devices (such as laptops, personal digital
assistants (smartphones), mobile phones, tablets or removable media) or to systems
outside the protection of the Agency. PII will also not be sent through any form of insecure
electronic communication as significant security risks emerge when PII is transferred from
a secure location to a less secure location or is disposed of improperly.
When disposing of PII the physical or electronic file should be shredded or securely
deleted. All disposal of PII will be done by authorized Agency personnel. The Agency shall
select a mobile shredding vendor who will shred physical PII on premises. If disk drives
(flash drives, server drives, disk drives) storing PII are to be reused, they shall be
overwritten a minimum of three times or degaussed.
All PII will be collected only when there is a legal authority and it is necessary to conduct
Agency duties. Access to PII is only conducted when the information is needed to conduct
Agency official duties and should only be utilized for official purposes. Agency members
will not create duplicate copies of documents that contain PII and will destroy the
documents when no longer needed. When PII is extracted from a document Agency
members may only target the PII that is required for the task. PII that is extracted shall not
be retained beyond the record retention rules for the data and the system it was accessed
from. PII shall not be stored or transmitted via personally owned devices. PII may not be
taken home by any Agency member.
III. INFORMATION EXCHANGE
Criminal Justice Information is the term used to refer to all of the FBI CJIS provided data
necessary for law enforcement and civil agencies to perform their missions including, but
not limited to biometric, identity history, biographic, property, and case/incident history
data. CJI is considered any information that is derived from NCIC and/or FCIC and should
be treated as such. The Agency will put forth formal agreements with other agencies prior
to exchanging criminal justice information as well as the use of secondary dissemination.
The Agency allows for criminal justice information to be shared with local law
enforcement agencies and has current agreements in place with each. This exchange is
allowed only via hard copy or fax machine. Transmission via email is not permitted.
If the Agency needs to share CJI with another agency that it does not currently have an
agreement with