Policy Text
Page 1 of 7 10/14 (NEW 3/15)
Advanced Authentication
I. Overview
This general order establishes policy, procedures and definitions for the use of
Advanced Authentication (AA) to comply with State and Federal policies required for
secure transmission of criminal justice information.
II. Scope
AA will be used to access criminal justice information (CJI) on any computing system in
an unsecured location. AA will not be required for authorized users requesting access
to CJI within the perimeter of a physically secure location where technical security
controls have been met. AA will be required when accessing CJI from mobile locations
or when accessing CJI from a physically secure location where technical security
controls have not been met.
This General Order applies to the use of all systems used to carry out SSD’s mission,
regardless of location, whether operated by Sheriff’s Department officers, employees,
affiliates, volunteers or contractors.
III. Definitions
A. Advanced Authentication (AA)
Advanced Authentication (AA) provides additional security to the typical
user identification and authentication of login ID and password, such as:
grid card systems, biometric systems, user-based public key infrastructure
(PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens
or “Risk-based Authentication.” Users accessing criminal justice
information (CJI) must use AA when physical and technical security
controls have not been met.
B. Criminal Justice Information (CJI)
Criminal Justice Information is the generic term used to refer to all of the
DOJ-provided data necessary for law enforcement agencies to perform
their mission and enforce the laws, including but not limited to: biometric,
identity history, person, organization, property and case/incident history
data.
C. Personnel Security Controls
Personnel security controls include use of background screening
consistent with the FBI CJIS Security Policy to vet those with unescorted
access to areas in which CJI is processed, information security awareness
training, and periodic reviews of user accounts.
D. Non-Secured Location
A non-secured location is one where the physical or technical security
controls are not in place to ensure that CJI and information system
hardware, software and media are appropriately protected.
E. Physical Security Controls
Physical security controls ensure that CJI and information system
hardware, software and media are physically protected through access
control measures. A physically secure location is a facility or an area, a
room, or a group of rooms within a facility, with both the physical and
personnel security controls sufficient to protect CJI and associated
information systems. A police vehicle is not a physically secure location.
F. Security Token
A security token is a device that the owner uses to authorize access to a
network. Security tokens provide an additional layer of authentication in a
secure environment. Unlike a password, a security token is a physical
object. Even if the token falls into the wrong hands, it cannot be used to
gain access to the network because the token is associated with a specific
user account and password.
G. Technical Security Controls
Technical security controls are safeguards or countermeasures to avoid,
counteract or minimize loss or unavailability carried out or managed by
computer systems. Examples of technical security controls are encrypted
transmission of data and the use of firewalls to ensure CJI remains
uncompromised.
H. Two Factor Authentication
Two-factor authentication employs the use of two of the following three
factors of authentication: something you know (e.g. password), something
you have (e.g. security token), something you are (e.g. biometric). The
two authentication factors will be unique (i.e. password/token or
biometric/password but not password/password or token/token).
IV. Policy
A. Criminal Justice Information must:
1. Be encrypted on the network.
2. Be encrypted if it is stored or cached on a device.
3. Only be accessed by those with a “Need to Know” and a “Right to
Know.”
B. User Authentication must:
1. Establish the identity of each unique user.
2. Establish the authority of each unique user.
V. Roles and Responsibilities
A. Users
1. Security Tokens
a. The SSD User will use the security tokens in accordance
with General Order 10/8, Use of Department Computers and
Network.
b. Security tokens will not be shared with another person, or
stored in an easily accessible or visible location.
c. Security tokens will be returned to their Supervisors upon
separation from the Sacramento County Sheriff’s
Department, or upon determination that two factor
authentication is no longer needed.
2. Support
a. During business hours (Monday to Friday, 8 a.m. to 5 p.m.),
users will contact the Help Desk at (916) 874-4999 to
request support.
b. After business