401.1CS Security Check/Fingerprinting

401.1CS Security Check/Fingerprinting

PURPOSE

The intent of the following policies is to ensure the protection of the FBI’s National Criminal History Record Information (CHRI) until such time as the information is purged or destroyed in accordance with applicable record retention rules.

The following policies were developed using the FBI’s Criminal Justice Information Services (CJIS) Security Policy and guidance from the Iowa Division of Criminal Investigation (DCI). Central Springs Community Schools may complement this policy with a local policy; however, the CJIS Security Policy shall always be the minimum standard.  The local policy may supplement, or increase the standards, but shall not detract from the CJIS Security Policy standards nor from requirements set forth by the Iowa DCI.

SCOPE

The scope of this policy applies to any media, physical or electronic, containing FBI national CHRI-or any reference to such CHRI-received by a Qualified Entity (QE), while being stored, accessed or physically moved to a secure location by the Central Springs Community School District.  In addition, this policy applies to any person authorized to access, store, and/or transport national CHRI, who shall be referred to as Authorized Personnel.

Criminal Justice Information (CJI) and Criminal History Record Information (CHRI)- Criminal Justice Information (CJI) is the term used to refer to all of the FBI CJIS provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to biometric, identity history, biographic, property, and case/incident history data.

The DCI uses the term CHRI, which is a subset of CJI and for the purposes of this document is considered interchangeable. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. In addition to the dissemination restrictions outlined below, Title 28, Part 20, Code of Federal Regulations (CFR), defines CHRI and provides the regulatory guidance for dissemination of CHRI.

According to 28 CFR 20.33, CHRI is information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, informations, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release. The term does not include identification information such as fingerprint records if such information does not indicate the individual's involvement with the criminal justice system.

In other words, CHRI refers to the FBI result received from DCI based on fingerprints submitted by the QE, whether the results indicate a positive identification of criminal history or not.

Proper Access, Use, and Dissemination of CHRI- Rules governing the access, use, and dissemination of CHRI are found in Title 28, Part 20, CFR.

Central Springs Community School District has been approved as a Qualified Entity (QE) to receive CHRI pursuant to a specific statutory authority and shall not use such CHRI acquired pursuant to such authority for any other reason. Central Springs Community School is authorized to submit fingerprints to request national CHRI and review resultant CHRI as part of the screening process for applicants for employment or licensure, including current and/or prospective employees and volunteers, contractors and vendors, who have or may have unsupervised access to children, the elderly, or individuals with disabilities for whom the QE provides care for, or for other applicants as specified in the applicable statute.

Dissemination to another agency is ONLY authorized if the other agency is an Authorized Recipient of such information and is being serviced by the QE. The Iowa DCI does not allow outsourcing for administrative functions, including IT support.

Personnel Security Screening - Access to CHRI is restricted to Authorized Personnel. Authorized Personnel includes anyone who may have reason to access, view, have knowledge of, handle, and/or destroy CHRI, including anyone who may only have occasion to view CHRI incidentally in the performance of their duties. If the agency stores or transmits CHRI electronically, the agency’s IT personnel must also be identified as Authorized Personnel.

Iowa does not have legislation in place that requires civil fingerprint-based background checks for personnel with access to CHRI for the purposes of licensing or employment and therefore are exempted from the fingerprint-based background check requirement until such time as appropriate legislation has been written into law.

Security Awareness Training- Security Awareness Training through CJIS Online shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CHRI. Authorized Personnel will receive CJIS Online credentials set up by the Agency Administrator. Both the Agency Administrator and Authorized Personnel will be responsible for taking the Training and renewing certification as needed.

A physically secure location is a facility or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CHRI. CHRI will be maintained securely and will only be accessible by Authorized Personnel. Central Springs Community School District will maintain and keep a current list of all Authorized Personnel. Authorized Personnel will take necessary steps to prevent and protect the agency from physical, logical and electronic breaches. 

Media Protection- Controls shall be in place to protect physical and electronic media containing CHRI while at rest, stored, or actively being accessed. The QE shall securely store physical and electronic media within physically secure locations or controlled areas such as in a locked file cabinet or other locked receptacle. The agency shall restrict access to physical and electronic media to authorized individuals.

Physical Media-  Physical media includes hardcopies, printed documents and imagery that contain CHRI.

Electronic Media - While electronic storage and/or transmission is strongly discouraged, electronic media includes memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.

If storing or transmitting CHRI electronically, the data shall be immediately protected via encryption per Section 5.10.1.2 of the CJIS Security Policy.

Controls shall be in place to protect electronic and physical media containing CHRI while in transport (physically moved from one location to another) to prevent inadvertent or inappropriate disclosure and use. The QE shall protect and control physical and electronic media during transport outside of controlled areas and restrict the activities associated with transport of such media to Authorized Personnel.

When no longer usable or needed, all physical and electronic media shall be properly disposed of in accordance with measures established by Central Springs Community School District.

Physical media (hard copies, print-outs and other physical media) shall be disposed of by one of the following methods:

  1. Shredding using Central Springs Community School District issued shredders.
  2. Placed in locked shredding bins for the district's designated secure shredding company to come on-site and shred, witnessed by Central Springs School District personnel throughout the entire process.
  3. Incineration using Central Springs Community School District incinerators or witnessed by Central Springs Community School District personnel onsite at agency.

Electronic media (hard-drives, tape cartridge, CDs, printer ribbons, flash drives, printer and copier hard-drives, and other similar items used to process, store and/or transmit CHRI) shall be disposed of by Central Springs Community School District using one of these methods:

  1.  Overwriting (at least 3 times) - an effective method of clearing data from magnetic media. As the name implies, overwriting uses a program to write (1s, 0s, or a combination of both) onto the location of the media where the file to be sanitized is located.
  2. Degaussing - a method to magnetically erase data from magnetic media. Two types of degaussing exist: strong magnets and electric degausses. Note that common magnets (e.g., those used to hang a picture on a wall) are fairly weak and cannot effectively degauss magnetic media.
  3. Destruction – a method of destroying magnetic media. As the name implies, destruction of magnetic media is to physically dismantle by methods of crushing, disassembling, etc., ensuring that the platters have been physically destroyed so that no data can be pulled.

IT systems that have been used to process, store, or transmit FBI CHRI shall not be released from Central Springs Community School District‘s control until the equipment has been sanitized and all stored information has been cleared using one of the above methods.

Electronic Media- The agency shall promptly report incident information to appropriate authorities to include the Iowa DCI. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken.  Formal event reporting and escalation procedures shall be in place. Wherever feasible, the agency shall employ automated mechanisms to assist in the reporting of security incidents.  All Authorized Personnel shall be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

Policy Violation/Misuse Notification- Violation of any of the requirements contained in the CJIS Security Policy or Title 28, Part 20, CFR, by any authorized personnel will result in suitable disciplinary action, up to and including loss of access privileges, civil and criminal prosecution and/or termination.

Likewise, violation of any of the requirements contained in the CJIS Security Policy or Title 28, Part 20, CFR, by any visitor can result in similar disciplinary action against the sponsoring employee, and can also result in termination of services with any associated consulting organization or prosecution in the case of criminal activity.

Legal Reference:

Iowa Code §§ 272.2(17); 279.13, .69; 235A.14; 235B.5; 321.375(2); 692A.121

Cross Reference:

401.1 Equal Opportunity Employment

 

Approved: 3-20-23
Reviewed: ____
Revised: ____

kheidemann@cen… Tue, 03/21/2023 - 12:36