2.016. Security Check/Fingerprinting
2.016. Security Check/Fingerprinting
It is the intent of Cooperative Educational Services (C.E.S.) to maintain a safe work environment for its students and employees. Therefore all newly hired C.E.S. employees must submit to being fingerprinted and a Department of Children and Families (DCF) Background Check.
Procedure:
1. No later than ten (10) calendar days after the Executive Director or designee has notified a job applicant of a decision to hire the applicant, or as soon thereafter as practicable, the applicant will be directed to be fingerprinted by C.E.S. and complete paperwork for a DCF Background Check. The pending successful applicant will be provided, in writing, The Connecticut Department of Emergency Services and Public Protection’s Agency Privacy Requirements for Noncriminal Justice Applicants, Non-Criminal Justice Applicant’s Privacy Rights, and the Federal Bureau of Investigation (FBI) and United States Department of Justice (DOJ) Privacy Act Statement prior to being fingerprinted. When possible,
fingerprinting and the DCF Background Check will be completed prior to the job applicant’s first day of employment.
2. Failure of the applicant to have his/her fingerprints taken or authorize a DCF Background Check prior to employment, without good cause, will be grounds for the withdrawal of the offer of employment or termination of actual employment.
3. C.E.S. will waive the fingerprint fee for all internal candidates for employment and all parent volunteers.
4. Upon receipt of a criminal record check or DCF background check, indicating a previously undisclosed conviction or existence on the Child Abuse Registry, the Executive Director or his/her designee will notify the affected applicant/employee in writing of the results of the record check, the process for challenging the record with the FBI and/or DCF, and will provide an opportunity for the affected applicant/employee to respond to the results of the criminal record and/or background check. A copy of the FBI Criminal Record Check may be provided to the job applicant/employee. The affected applicant/employee will be provided reasonable time to respond to the results of the record and background check. In the case of an undisclosed felony, C.E.S. will place the employee on unpaid leave for the duration of the employee response (48 hours). Barring evidence to the contrary within 48 hours, the employee will be terminated.
5. Decisions regarding the effect of a conviction or a pending charge upon an applicant/employee, whether disclosed or undisclosed by the
applicant/employee, will be made on a case-by-case basis. Notwithstanding the foregoing, the falsification or omission of any information on a job application or in a job interview, including but not limited to information concerning criminal convictions or pending criminal charges, shall be grounds for disqualification from consideration for employment or discharge from employment.
6. C.E.S. will use the criminal record and background check record solely for the purpose requested and will not disseminate the records outside the receiving department, or the authorized entity. All records will be handled with confidentiality.
Legal Reference: Connecticut General Statutes10-221d Criminal history records checks of school personnel. Fingerprinting. Termination or
dismissed (as amended by PA 01-173) P.A. 16-67 Act Concerning the Disclosure of Certain Education Personnel Records, Criminal Penalties for Threatening In Educational Settings and the Exclusion of a Minor's Name from Summary Process Complaints
ADOPTED: April 7, 2016
REVISED: October 6, 2016
2.016. Administrative Procedures
Criminal History Record Information (CHRI) Proper Access, Use and Dissemination Procedures
Purpose
The intent of the following policies is to ensure the protection of the Criminal Justice Information (CJI) and its subset of Criminal History Record
Information (CHRI) until such time as the information is purged or destroyed in accordance with applicable record retention rules.
The following policies were developed using the FBI’s Criminal Justice Information Services (CJIS) Security Policy. Cooperative Educational
Services (C.E.S.) may complement this policy with a local policy; however, the CJIS Security Policy shall always be the minimum standard. The local policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards.
Scope
The scope of this policy applies to any electronic or physical media containing FBI CJI while being stored, accessed or physically moved from a
secure location from C.E.S. In addition, this policy applies to any authorized person who accesses, stores, and/or transports electronic or physical media.
Criminal Justice Information (CJI) and Criminal History Record Information (CHRI)
CJI is the term used to refer to all of the FBI CJIS provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to biometric, identity history, biographic, property, and case/incident history data.
CHRI, is a subset of CJI and for the purposes of this document is considered interchangeable. Due to its comparatively sensitive nature, additional
controls are required for the access, use and dissemination of CHRI. In addition to the dissemination restrictions outlined below, Title 28, Part 20,
Code of Federal Regulations (CFR), defines CHRI and provides the regulatory guidance for dissemination of CHRI.
Proper Access, Use, and Dissemination of CHRI
Information obtained from the Interstate Identification Index (III) is considered CHRI. Rules governing the access, use, and dissemination of CHRI are found in Title 28, Part 20, CFR. The III shall be accessed only for an authorized purpose. Further, CHRI shall only be used for an authorized
purpose consistent with the purpose for which III was accessed. Dissemination to another agency is authorized if (a) the other agency is an
Authorized Recipient of such information and is being serviced by the accessing agency, or (b) the other agency is performing noncriminal justice administrative functions on behalf of the authorized recipient and the outsourcing of said functions has been approved by appropriate CJIS Systems Agency (CSA) or State Identification Bureau (SIB) officials with applicable agreements in place.
Personnel Security Screening
Access to CJI and/or CHRI is restricted to authorized personnel. Authorized personnel is defined as an individual, or group of individuals, who have completed security awareness training and have been granted access to CJI data.
Security Awareness Training
Basic security awareness training shall be required within six months of initial assignment, and biennially thereafter, for all personnel who have access to CJI.
Physical Security
A physically secure location is a facility or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect the FBI CJI and associated information systems. The perimeter of the physically secure location shall be prominently posted and separated from non-secure locations by physical controls.
Only authorized personnel will have access to physically secure non-public locations. C.E.S. will maintain and keep current a list of authorized
personnel. All physical access points into the agency’s secure areas will be authorized before granting access. The agency will implement access
controls and monitoring of physically secure areas for protecting all transmission and display mediums of CJI. Authorized personnel will take
necessary steps to prevent and protect the agency from physical, logical and electronic breaches.
Media Protection
Controls shall be in place to protect electronic and physical media containing CJI while at rest, stored, or actively being accessed. “Electronic media” includes memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card. “Physical media” includes printed documents and imagery that contain CJI.
The agency shall securely store electronic and physical media within physically secure locations or controlled areas. The agency shall restrict
access to electronic and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.
Media Transport
Controls shall be in place to protect electronic and physical media containing CJI while in transport (physically moved from one location to another) to prevent inadvertent or inappropriate disclosure and use. The agency shall protect and control electronic and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.
Media Sanitization and Disposal
When no longer usable, hard drives, diskettes, tape cartridges, CDs, ribbons, hard copies, print-outs, and other similar items used to process, store and/or transmit FBI CJI shall be properly disposed of in accordance with measures established by C.E.S.
Physical media (print-outs and other physical media) shall be disposed of by one of the following methods:
1) shredding using C.E.S. issued shredders.
2) placed in locked shredding bins for Secure EcoShred to come on-site and shred, witnessed by C.E.S. personnel throughout the entire
process.
3) incineration using C.E.S. incinerators or witnessed by C.E.S. personnel onsite at agency or at contractor incineration site, if conducted by non-
authorized personnel.
Electronic media (hard-drives, tape cartridge, CDs, printer ribbons, flash drives, printer and copier Hard-drives, etc.) shall be disposed of by one of
the C.E.S. methods:
|
1) Overwriting (at least 3 times) - an effective method of clearing data from magnetic media. As the name implies, overwriting uses a
program to write (1s, 0s, or a combination of both) onto the location of the media where the file to be sanitized is located.
2) Degaussing - a method to magnetically erase data from magnetic media. Two types of degaussing exist: strong magnets and electric
degausses. Note that common magnets (e.g., those used to hang a picture on a wall) are fairly weak and cannot effectively degauss magnetic media.
3) Destruction – a method of destroying magnetic media. As the name implies, destruction of magnetic media is to physically dismantle by methods of crushing, disassembling, etc., ensuring that the platters have been physically destroyed so that no data can be pulled. IT systems that have been used to process, store, or transmit FBI CJI and/or sensitive and classified information shall not be released from C.E.S.’s
control until the equipment has been sanitized and all stored information has been cleared using one of the above methods.
Account Management
The agency shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing
accounts. The agency shall validate information system accounts at least annually and shall document the validation process. All accounts shall be reviewed at least annually by the designated CJIS point of contact (POC) or his/her designee to ensure that access and account privileges commensurate with job functions, need-to-know, and employment status on systems that contain Criminal Justice Information. The POC may
also conduct periodic reviews.
Remote Access
C.E.S. shall authorize, monitor, and control all methods of remote access to the information systems that can access, process, transmit, and/or store FBI CJI. Remote access is any temporary access to an agency’s information system by a user (or an information system) communicating temporarily through an external, non-agency controlled network (e.g., the Internet).
C.E.S. shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. C.E.S. shall control all remote accesses through managed access control points. C.E.S. may permit remote access for privileged functions only for compelling operational needs but shall document the rationale for such access in the security plan for the information system.
Utilizing publicly accessible computers to access, process, store or transmit CJI is prohibited. Publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.
Personally Owned Information Systems
A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and
documented the specific terms and conditions for personally owned information system usage. A personal device includes any portable
technology like camera, USB flash drives, USB thumb drives, DVDs, CDs, air cards and mobile wireless devices such as Androids, Blackberry OS, Apple iOS, Windows Mobile, Symbian, tablets, laptops or any personal desktop computer. When bring your own devices (BYOD) are authorized, they shall be controlled using the requirements in Section 5.13 of the CJIS Security Policy.
Reporting Information Security Events
The agency shall promptly report incident information to appropriate authorities to include the state CSA or SIB’s Information Security Officer
(ISO). Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely
corrective action to be taken. Formal event reporting and escalation procedures shall be in place. Wherever feasible, the agency shall employ
automated mechanisms to assist in the reporting of security incidents. All employees, contractors and third party users shall be made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of agency assets and are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.
Policy Violation/Misuse Notification
Violation of any of the requirements contained in the CJIS Security Policy or Title 28, Part 20, CFR, by any authorized personnel will result in suitable disciplinary action, up to and including loss of access privileges, civil and criminal prosecution and/or termination.
Likewise, violation of any of the requirements contained in the CJIS Security Policy or Title 28, Part 20, CFR, by any visitor can result in similar
disciplinary action against the sponsoring employee, and can also result in termination of services with any associated consulting organization or
prosecution in the case of criminal activity.