doc_1545276

Policy 810Santa Ana Police Department Santa Ana PD Policy Manual Copyright Lexipol, LLC 2026/01/05, All Rights Reserved. Published with permission by Santa Ana Police DepartmentCJIS Access, Maintenance, and Security - 1CJIS Access, Maintenance, and Security 810.1 PURPOSE AND SCOPE The purpose of this policy is to provide guidelines for the use, maintenance, and security of department systems that access, process, store, or transmit Criminal Justice Information. 810.1.1 DEFINITIONS Definitions related to this policy include: Criminal Justice Information (CJI) - Data provided by FBI Criminal Justice Information Services (CJIS) that is necessary for law enforcement agencies to perform their mission and enforce the laws (e.g., biometric, identity history, person, organization, case/incident history data). Security incident - Any incident that compromises the security of CJI or systems that access, process, store, or transmit CJI. Examples include but are not limited to unauthorized use of legitimate code or credentials within department systems, email communications that contain malicious code, data breaches, signaling to external systems, and unauthorized exporting of information. 810.2 POLICY It is the policy of the Santa Ana Police Department to maintain the security, confidentiality, and integrity of its information systems that access, process, store, or transmit CJI by collaborating with appropriate state and federal agencies to implement the applicable established protocols. 810.3 CJIS COORDINATOR The Chief of Police shall appoint a CJIS coordinator, who shall be responsible for the Santa Ana Police Department's adherence to FBI CJIS Security Policy requirements. The CJIS coordinator shall establish procedures necessary to govern the department's use, maintenance, and security of systems that access CJI as described in this policy. 810.3.1 CJIS COORDINATOR RESPONSIBILITIES The responsibilities of the CJIS coordinator include but are not limited to: (a)Coordinating with others, such as the information technology or legal departments, as appropriate, to maintain department compliance with FBI CJIS Security Policy requirements and the California Justice Information Services. (b)Managing member accounts with access to CJI, including: 1.Creating, enabling, modifying, disabling, and removing member accounts in accordance with this policy and the FBI CJIS Security Policy. 2.Configuring member accounts in accordance with federal and state requirements (e.g., limiting unsuccessful login attempts, validating new passwords against known compromised or commonly used passwords). Santa Ana Police Department Santa Ana PD Policy Manual CJIS Access, Maintenance, and Security Copyright Lexipol, LLC 2026/01/05, All Rights Reserved. Published with permission by Santa Ana Police DepartmentCJIS Access, Maintenance, and Security - 23.Reviewing member accounts for compliance with legal and policy requirements at least annually. (c)Overseeing the maintenance, repair, and replacement of CJI systems and system components in accordance with manufacturer or vendor specifications and/or department requirements, including: 1.Maintaining a list of organizations and personnel approved by the Chief of Police to perform maintenance on CJI systems. 2.Approving, scheduling, documenting, and monitoring all maintenance and diagnostic activities, whether performed on-site, remotely, or off-site, and maintaining records. 3.Verifying that non-escorted personnel performing maintenance on any CJI system or terminal possess the required access authorizations, and designating members who have the required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. 4.Maintaining records for all system maintenance and diagnostic activities. (d)Configuring remote access systems and devices only with the explicit authorization of the Chief of Police or the authorized designee, including: 1.Routing through authorized and managed access control points (e.g., firewalls, secure gateways). 2.Mandatory multi-factor authentications for users. 3.Use of automated mechanisms to monitor and control remote access methods. 4.Mandatory encryption (e.g., VPN, Transport Layer Security). 5.Required logging of all remote access activity. (e)Monitoring department systems that have access to CJI to ensure compliance with applicable laws and this policy; developing processes to detect, identify, and correct flaws in software and firmware; and conducting security updates as necessary. (f)Providing for the security of hardware that includes provisions for the following: 1.How hardware is to be brought into and taken out of department facilities 2.Physical security of hardware within department facilities 3.Physical security of areas containing network connections and transmission lines, including monitored access (g)Implementing and carrying out the department Incident Response Plan, including: 1.Tracking and documenting all suspected or actual security incidents related to CJI in an appropriate manner. 2.Directing annual testing of the department's information security incident response capabilities using tabletop or walk-through exercises, simulations, or other types of testing. Santa Ana Police Department Santa Ana PD Policy Manual CJIS Access, Maintenance, and Security Copyright Lexipol, LLC 2026/01/05, All Rights Reserved. Published with permission by Santa Ana Police DepartmentCJIS Access, Maintenance, and Security - 33.Making the appropriate notifications outside of the Department (see the Records Maintenance and Release Policy for additional guidance). 4.Providing information on security incidents to any third-party software developers or vendors as appropriate. (h)Protecting digital and non-digital media that contain CJI, including physical security, transportation, destruction/sanitization, and documentation requirements. (i)Developing and updating department information security and privacy literacy training and incident response training as required by policy