Policy Text
ORANGE COUNTY SHERIFF'S OFFICE
GENERAL ORDER
Effective Date: October 20, 2017
Amends - GO 13.1.4 (December 19, 2011)
Number: 13.1.4
Distribution: All Personnel
Review Month: November
Reviewing Authority: Undersheriff / Information Technology
Subject: Computer Security
This policy consists of the following:
1. Purpose
2. Policy
3. Definitions
4. Procedures
1. Purpose
The purpose of this policy is to protect the confidentiality, integrity, and availability of the
agency’s information as well as the security of the technology that is used to store and
transmit it.
2. Policy
It is the policy of the agency to protect the rights of the citizens and employee safety by
following security protocols for the storage and dissemination of electronic information.
3. Definitions
A. Advanced Authentication (AA) - provides for additional security to the typical user
identification and authentication of login ID and password, such as: biometric
systems, user-based public key infrastructure (PKI), smart cards, software tokens,
hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes
a software token element comprised of a number of factors, such as network
information, user information, positive device identification (i.e. device forensics,
user pattern analysis and user binding), user profiling, and high-risk
challenge/response questions.
B. CJIS Security Policy (CSP) – Federal Bureau of Investigation compliance document
containing information security requirements, guidelines, and agreements reflecting
the will of law enforcement and criminal justice agencies for protecting the sources,
transmission, storage, and generation of Criminal Justice Information (CJI).
C. Criminal Justice Information (CJI) – FDLE and FBI CJIS provided data necessary
for law enforcement agencies to perform their mission and enforce the laws,
including but not limited to: biometric, identity history, person, organization, property
(when accompanied by any personally identifiable information), and case/incident
history data.
D. Logical Security – The specific use of passwords and user names intended to block
access to a computer network for which a user’s need has not been proven, and
authorization has not been approved.
E. Mobile Device Management (MDM) – information technology system capable of the
administration of mobile devices, such as smartphones, tablet computers, laptops
and desktop computers.
F. Network Permissions – Specific rights given to individual users or groups of users,
which allow the users to access network resources.
G. Network Resources – Shared folders, printers, active directory structure or other
device or object created within the agency computer network.
H. Personally Identifiable Information (PII) - information which can be used to
distinguish or trace an individual’s identity, such as name, social security number, or
biometric records, alone or when combined with other personal or identifying
information which is linked or linkable to a specific individual, such as date and
place of birth, or mother’s maiden name.
I. Personally Owned Information Devices – any technology device that was
purchased by an individual and was not issued by this agency. List of devices
can be found in the CJIS Personally Owned Device policy.
J. Physical Security – Preventing unauthorized persons from accessing a computer
network.
K. Physically Secure Location - a facility or an area, a room, or a group of rooms within
a facility with both the physical and personnel security controls sufficient to protect
CJI and associated information systems.
L. Remote Access - temporary access to an agency’s information system by a user (or
an information system) communicating temporarily through an external,
non-agency-controlled network (e.g., the Internet).
M. Remote Connection – Accessing the agency computer network from a computer
system not directly connected to the agency computer network via a phone line,
cable modem or wireless device.
N. Removable Media – Electronic storage media such as tapes, platters, CD’s, DVD’s,
USB flash drives, or floppy disks.
4. Procedures
A. Security Measures
Physical security measures for computers and network workstations are the
responsibility of the office or unit where those systems are installed and located.
The individual unit Lieutenant or office supervisor is responsible for providing
physical safeguards for the hardware, software and data to the same extent as is
provided for other agency property in the unit. All computers and workstations will
use both logical and physical security as preventative measures.
B. Physical Access
Computers will be kept in areas not easily accessible to the public or unauthorized
personnel. Agency personnel shall control access to computers, servers, attached
hardware, network equipment. This does not include outside agencies that have
requested and been granted access to agency data. It is the responsibility of the
requesting agency to confirm compliance with appropriate security measures.
Access can also be considered the unintentional viewing of information on a
computer screen. All computers must be placed in such a manner as to prevent
viewing by unauthorized personnel. Computers will not be removed from the United
States unless the purpose is agency business and approved by the IT Security
Manager or designee.
C. User Accounts and Access
Positive control will be maintained at all times to prevent access to information by
unauthorized personnel. The supervisor of each unit shall be responsible for
requesting network access for personnel under their direct control