63722265.pdf

\n\n--- Page 1 ---\n\nSEMINOLE COUNTY SHERIFF'S OFFICE NUMBER: G - 45 GENERAL ORDER RESCINDS: SUBJECT: Information Systems and Services EFFECTIVE: February 7, 2000 REVISED: February 18, 2025 Table of Contents: I. Purpose II. Scope III. Definitions IV. Governing Authority V. No Expectation of Privacy VI. Information and Equipment Handling VII. Secondary Dissemination and CJI/CHRI VIII. Mobile Device IX. Sheriff’s Office Information Systems X. Data Breach Incident Response XI. Email XII. Voice Over IP XIII. Personally Owned Devices XIV. Cloud Computing XV. Wi-Fi and Hotspots XVI. Bluetooth Technology XVII. International Travel XVIII. Media Disposal I. PURPOSE: This policy gives direction for the effective management and security of electronic systems and services of the Sheriff's Office. II. SCOPE: It is the policy of the Seminole County Sheriff’s Office to deliver and support technology solutions to meet the needs of its diverse workforce in support of its official mission. This directive provides appropriate controls to protect the information to which it has been entrusted. It provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of data. This directive applies to every individual - employee, contractor, private entity, noncriminal justice agency representative, volunteer, intern, reserve, etc. with access to, or who operate in support of, SCSO’s criminal justice information and systems. III. DEFINITIONS: A. Criminal Justice Information (CJI): CJI is defined as any information derived, in whole or part from any state or federally controlled source, such as FCIC/NCIC or CJNet. This includes partial information that might otherwise be gained from GENERAL ORDER Information Systems and Services G-45 Page 1 OF 18 7\n\n--- Page 2 ---\n\npublicly available resources. For example, an address gained from running a person in DAVID is CJI, even though that information may be gleaned from property records. A statement saying that a person does not have a criminal history comprises CJI. Only the following types of data are exempt from the protection levels required for CJI: transaction control type numbers (e.g. ORI, NIC, FNU, etc.) when not accompanied by information that reveals CJI or PII. B. Criminal History Record Information (CHRI): A subset of CJI. Any notations or other written or electronic evidence of an arrest, detention, complaint, indictment, information or other formal criminal charge relating to an identifiable person that includes identifying information regarding the individual as well as the disposition of any charges, when obtained in whole or part from any state or federally controlled source. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. C. Personally Identifiable Information (PII): PII is information which can be used to distinguish or trace an individual’s identity, such as name, social security number, or biometric records, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, or mother’s maiden name. Most Restricted Systems provided or maintained by the agency include an individual’s PII. D. Restricted Systems: Restricted records systems are systems that contain CJI or PII. They are also systems that contain any information otherwise considered confidential or exempt by state or federal law. Examples of these systems include, but are not limited to; NCIC/FCIC, CJNet, David, CAFEWeb, XCAD/MiCAD, TUCSON, ELVIS, Finder, Jail Management, CorrecTek, Human Resources and Payroll systems. E. Computer: Any device running a full featured operating system (e.g. Microsoft Windows, Apple OS X). This definition includes desktop computers, towers, and servers. It also includes laptops such as MCT’s and certain tablet computers like the Surface Pro. This definition does not include smartphones. F. Limited Operating System Devices: Limited-feature operating systems devices are designed specifically for the mobile environment where battery life and power efficiency are primary design drivers (e.g. Apple iOS, Android, Windows RT/Phone, Blackberry OS, etc.). For the purposes of this policy, the term “smartphone” may be used interchangeably with the phrase “limited operating system device.” Any policy covering smartphones also applies to other handheld devices such as limited operating systems devices such as iPads and Android tablets. G. Mobile Device Management (MDM): Security rich software deployed on smartphones. MDM software allows the agency to administer the security of the device, containerizes and protects agency data and allows secure access to agency networked resources. H. Spam: Unsolicited or inappropriate email messages, especially advertising. I. Phishing: To try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one. J. Physically Secure Location: A physically secure location is a facility, a criminal justice conveyance (such as an enclosed, secured automobile), or an area, a room, or a group of rooms within a facility with both the physical and personnel GENERAL ORDER Information Systems and Services G-45 Page 2 OF 18 7\n\n--- Page 3 ---\n\nsecurity controls sufficient to protect CJI and associated information systems. IV. GOVERNING AUTHORITY: A. The FBI’s Criminal Justice Information Services (CJIS) Security Policy version 5.5 or higher governs minimum security standards that must be met when processing or storing criminal justice information. B. The Criminal Justice User Agreement between the Florida Department of Law Enforcement and the Seminole County Sheriff’s Office defines the terms and conditions under which access to FCIC/NCIC/CJNet is granted. C. Chapter 119, Florida Statutes provides for general state policy on public records, including confidentiality, retention, inspections and exemptions. D. Chapter 316, Florida Statutes, State Uniform Traffic Control, section 316.305 governs the use of wireless communication devices while driving. E. The Privacy Act of 1974 prohibits the disclosure of personally identifiable information maintained by agencies is a system of records without the consent of the subject individual, subject to twelve codified exceptions. F. Health Insurance Portability and Accountability Act (HIPAA) protects certain individually identifiable health information. G. Title 28, Part 20, Code of Federal Regulations (CFR) defines CHRI and provides the regulatory guidance for dissemination of CHRI. H. Title 18, Part I, Chapter 47, § 1030, United States Code (USC) criminalizes fraud and related activity in connection with computers. I. Florida Statute 817.568 Criminal use of personal identification information J. Florida Statute 943.125 (4)(o) Access and use of personal identification information V. NO EXPECTATION OF PRIVACY: A. By authorizing use of the electronic equipment (computers, smartphones, programs, network, etc.) by its personnel, the Sheriff’s Office does not relinquish control over materials on the systems or contained in system files. B. Users should not expect privacy in the content of files, emails, texts, call logs, electronic messages or any other data residing on or processed by Sheriff’s Office owned equipment. Agency systems should not be used as repositories for personal documents, images or records. All information stored on agency systems is subject to release in accordance with provisions set forth in state public records law and in response to court orders. C. Information systems are provided as tools for official business purposes and all information created, accessed or stored using these systems are subject to monitoring, auditing or review. D. Unencrypted