Policy Text
Policy
809San Luis Obispo Police Department
San Luis Obispo PD CA Policy Manual
Copyright Lexipol, LLC 2025/10/30, All Rights Reserved.
Published with permission by San Luis Obispo Police
DepartmentCJIS Access, Maintenance, and Security - 1CJIS Access, Maintenance, and Security
809.1 PURPOSE AND SCOPE
The purpose of this policy is to provide guidelines for the use, maintenance, and security of
department systems that access Criminal Justice Information.
809.1.1 DEFINITIONS
Definitions related to this policy include:
Criminal Justice Information (CJI) - Data provided by FBI Criminal Justice Information Services
(CJIS) that is necessary for law enforcement agencies to perform their mission and enforce the
laws (e.g., biometric, identity history, person, organization, case/incident history data).
Security incident - Any incident that compromises the security of CJI or systems that access
CJI. Examples include but are not limited to unauthorized use of legitimate code or credentials
within department systems, email communications that contain malicious code, data breaches,
signaling to external systems, and unauthorized exporting of information.
809.2 POLICY
It is the policy of the San Luis Obispo Police Department to maintain the security, confidentiality,
and integrity of its information systems that access CJI by collaborating with appropriate state and
federal agencies to implement the applicable established protocols.
809.3 CJIS COORDINATOR
The Chief of Police shall appoint a CJIS coordinator, who shall be responsible for the San Luis
Obispo Police Department's adherence to FBI CJIS Security Policy requirements.
The CJIS coordinator shall establish procedures necessary to govern the department's use,
maintenance, and security of systems that access CJI as described in this policy.
809.3.1 CJIS COORDINATOR RESPONSIBILITIES
The responsibilities of the CJIS coordinator include but are not limited to:
(a)Coordinating with others, such as the information technology or legal departments,
as appropriate, to maintain department compliance with FBI CJIS Security Policy
requirements and the California Justice Information Services.
(b)Managing member accounts with access to CJI, including:
1.Creating, enabling, modifying, disabling, and removing member accounts in
accordance with this policy and the FBI CJIS Security Policy.
2.Configuring member accounts in accordance with federal and state
requirements (e.g., limiting unsuccessful login attempts).
3.Reviewing member accounts for compliance with legal and policy requirements
at least annually.
San Luis Obispo Police Department
San Luis Obispo PD CA Policy Manual
CJIS Access, Maintenance, and Security
Copyright Lexipol, LLC 2025/10/30, All Rights Reserved.
Published with permission by San Luis Obispo Police
DepartmentCJIS Access, Maintenance, and Security - 2(c)Overseeing the maintenance, repair, and replacement of CJI systems and system
components in accordance with manufacturer or vendor specifications and/or
department requirements, including:
1.Maintaining a list of organizations and personnel approved by the Chief of Police
to perform maintenance on CJI systems.
2.Approving, scheduling, documenting, and monitoring all maintenance and
diagnostic activities, whether performed on-site, remotely, or off-site, and
maintaining records.
3.Verifying that non-escorted personnel performing maintenance on any CJI
system or terminal possess the required access authorizations, and designating
members who have the required access authorizations and technical
competence to supervise the maintenance activities of personnel who do not
possess the required access authorizations.
4.Maintaining records for all system maintenance and diagnostic activities.
(d)Monitoring department systems that have access to CJI to ensure compliance with
applicable laws and this policy; developing processes to detect, identify, and correct
flaws in software and firmware; and conducting security updates as necessary.
(e)Providing for the security of hardware that includes provisions for the following:
1.How hardware is to be brought into and taken out of department facilities
2.Physical security of hardware within department facilities
3.Physical security of areas containing network connections and transmission
lines, including monitored access
(f)Implementing and carrying out the department Incident Response Plan, including:
1.Tracking and documenting all suspected or actual security incidents related to
CJI in an appropriate manner.
2.Directing annual testing of the department's information security incident
response capabilities using tabletop or walk-through exercises, simulations, or
other types of testing.
3.Making the appropriate notifications outside of the Department (see the Records
Maintenance and Release Policy for additional guidance).
4.Providing information on security incidents to any third-party software
developers or vendors as appropriate.
(g)Protecting digital and non-digital media that contain CJI, including physical security,
transportation, destruction/sanitization, and documentation requirements.
(h)Developing and updating department information security and privacy literacy training
and incident response training as required by policy.
(i)Maintaining audit records in accordance with the established records retention
schedule, but in no event for less than one year.
San Luis Obispo Police Department
San Luis Obispo PD CA Policy Manual
CJIS Access, Maintenance, and Security
Copyright Lexipol, LLC 2025/10/30, All Rights Reserved.
Published with permission by San Luis Obispo Police
DepartmentCJIS Access, Maintenance, and Security - 3(j)Managing the development, documentation, and dissemination of procedures for the
following:
1.Awareness and training
2.Incident response
3.Audit and accountability
4.Access control
5.Identification and authentication
6.Configuration management
7.Media protection
8.Physical and environmental protection
9.System