AUDITS

AUDITS - GASPA 2016 Audits-GBI.pdf · brittany.watkins@gbi.ga.gov (404) 491-4363. Why we audit? Criminal History Record Information (CHRI) is protected, confidential information and

Mr. Wes Anderson

[email protected]

(404) 783-2657

Mr. Greg Houston

[email protected]

(404) 273-6235

Ms. Ra’shelle Jones

[email protected]

(404) 519-9285

Ms. Corella Moten

[email protected]

(404) 821.1092

Ms. Brittany Watkins

[email protected]

(404) 491-4363

Why we audit?

Criminal History Record Information (CHRI) is protected, confidential information and must be used for authorized purposes only.

Improper handling and releasing of CHRI may result in fines up to $50,000 and/or imprisonment for 15 years.

Agencies we audit

Non-Criminal Justice agencies

Schools

Probate and Superior Courts

State and Local Agencies (Ex: Fire Departments and City Governments)

At least every 3 years

Agency Responsibilities

Agency Point of Contact (POC)

Agency Point of Contact is responsible for:

Scheduling the audit with the auditor

Completing pre-audit instruction packet

Providing onsite audit documentation

Providing post-audit responses

Local Agency Security Officer (LASO)

Agencies are required to appoint a LASO who shall:

Identify who is using the approved hardware, software, and firmware

Ensure no unauthorized individuals or processes have access to the same

Identify and document how the equipment is connected to the state system

Ensure that personnel security screening procedures are being followed

Ensure the approved and appropriate security measures are in place and working as expected

Support policy compliance and ensure the GCIC is promptly informed of security incidents

Security

Agencies must keep CHRI in a controlled area.

The controlled area must be limited to authorized personnel.

Unsupervised janitorial staff cannot have access to the controlled area.

Access to CHRI must be restricted if:

the individual with access is no longer employed by the agency

the individual's job duties no longer require access.

Security

Agencies that keep criminal justice information (CJI) by electronic means must:

meet the 128-bit encryption requirement

have firewalls in place within the system to protect data from unauthorized access

have unique username and password

Destruction of CHRI

Agencies must properly dispose of CHRI

By shredding or burning

By agency personnel

By contractor under supervision of agency personnel

By contractor without agency personnel

Outsourcing Agreement

Dissemination

Agencies may only disseminate CHRI to:

Authorized personnel within the agency

Authorized personnel within a related agency

Fire Departments and Georgia Firefighter Standards and Training Council are related

Individual of record

Agencies must record the dissemination in the dissemination log.

Dissemination

Fitness Determination Letter

May not include CHRI

May not indicate that a national fingerprint-based record check was completed

May indicate the status of suitability (yes or no)

The following may be released:

“The denial of licensing/employment is due to disqualifiers found during a background investigation.”

Dissemination

CHRI is not available in any form for public access and may not be released by an open records request, therefore…

CHRI should not be included in the personnel files

Audit Documentation

1. User agreements

2. Training Records

3. Awareness statements

4. Policies

5. Privacy Rights/Privacy Act Statement

6. Fingerprint Survey

7. Outsourcing Agreements

8. Agency Personnel List (Contractor/Volunteer)

9. Network Topology (if applicable)

10. Employment/Licensing Applications

1. User Agreements

Agencies are responsible for:

maintaining a current copy of the GCIC User Agreement

Updating agreements when the agency head or contact person has changed

2. Training

Security Awareness Computer Based Training (CBT)

Applicant Services Orientation

Full day classroom training on all Applicant Services rules, regulations and responsibilities

Required for all agencies requesting a new ORI

3. Awareness Statement

Agency personnel are required to sign an awareness statement if they:

Process CJI

Handle CJI

Disseminate CJI

Destroy CJI

Have access to CJI

4. Policies

Man-Made Disaster Policy

The agency must have a written policy for the protection of CJI/CHRI from:

unauthorized access

theft

sabotage

damage resulting from fire, wind, flood, power failure, or other natural or man-made disasters

Media Protection Policy

The agency must have a written policy for:

Secure handling

Transporting

Storing

Disposing of:

electronic media: memory devices, laptops, computers, flash drive

physical media: printed documents

Disciplinary Policy

The agency must have a written policy to include formal sanctions that specifically address violations of:

Use of CJI

Dissemination of CJI

Security of CJI

Destruction of CJI

5. Privacy Rights/Privacy Act Statement

Agencies must provide written notification of the Applicant Privacy Rights and the Privacy Act Statement

GAPS agencies: notification window

Livescan agencies: poster application packet

6. Fingerprint Survey

Provide the specific use(s) and reason(s) for each transaction

Firefighters, teacher certifications, weapons carry licenses, volunteers, etc.

Provide the specific statute or federal law that authorizes the background check

O.C.G.A 25-4-8 (Firefighters)

7. Employment & Licensing Applications

Agencies must provide documentation to support each fingerprint transaction.

Ex:

application for employment

certification/licensing application

petition for adoption (or acceptable alternative)

8. Agency Personnel List

Agencies must provide an alphabetical list of all agency personnel who have access to CHRI, including:

Contractors

Vendors

Volunteers

9. Network Topology

Agencies shall ensure that a complete topological drawing depicting the interconnectivity of the agency network to criminal justice information systems and services is maintained in a current status.

Only Non-Criminal Justice Agencies that keep Criminal History Record Information in an electronic format must have a Network Topology

10. Outsource Agreements

Agencies that choose to outsource any responsibilities which involve the administration of criminal justice information, including:

Shredding

Livescan

Fitness determinations

must have a GCIC approved Outsource Agreement.

10. Outsource Agreements

Receive written permission from GCIC

Provide a copy of the contract to GCIC (must include the Outsourcing Agreement)

Contact GCIC to see if contractor has any security violations

Fingerprint contractors for access to CHRI

On-Site Audit

An auditor will contact agencies 15 to 30 days in advance to schedule the audit.

Pre-Audit Instructions

Schedule Time for Briefings

Pre-Audit Instruction Packet

Audit Documentation

Complete all tasks PRIOR to On-Site Audit

Post Audit Instructions

If an agency is found to be in full compliance, the auditor will send a Full Compliance Notification Letter to the agency head

Post Audit Instructions

If an agency is found out of compliance, the agency must provide a written response to all non-compliance areas within ten (10) days of Audit. The response must be on agency letterhead and signed by the agency head.

Post Audit Instructions

Auditor will review agency response

Acceptable Response

Final Notification Letter

Further clarification/action necessary

agency head notified

Failure to respond to the audit or an unsatisfactory reply for non-compliance areas may result in agency sanctions.

Resources

Applicant Services Blog

Audit Information

GCIC Updates

Agency Specific Information

Training Information

Training Schedule

Course Library (coming soon)

Instructional Videos (coming soon)

CJIS Symposium

August 23rd – August 25th

NCJ Orientation

Audits

Fingerprinting

Identity History Summary

NCJ CJIS Security Policy

Georgia Applicant Processing Service (GAPS)

Don’t Put Your Agency In Jeopardy! (trivia)

Questions