SLED Overview of the FBI Criminal Justice Information Services

8/24/2012

1

For Official Use Only 1

SLED Overview of the FBICriminal Justice Information Services

(CJIS) Security PolicyVersion 5.18/09/2012

[email protected]


This session will be an overview of the FBICriminal Justice Information Services(CJIS) Security 5.1 policy and how itpertains and applies to municipal courtclerks, magistrates, judges and other courtstaff who are receiving NCIC criminaljustice information.


Security policy

The essential premise of the CJIS SecurityPolicy is to provide appropriate controls toprotect the full lifecycle of CJI, whether at rest orin transit. The CJIS Security Policy providesguidance for the creation, viewing, modification,transmission, dissemination, storage, anddestruction of CJI data. This policy applies toevery individual—contractor, private entity,noncriminal justice agency representative, ormember of a criminal justice entity—with accessto, or who operate in support of, criminal justiceservices and information.

8/24/2012

2


What is (NCIC) National CrimeInformation Center

NCIC 2000 is a nationwide, computerizedinformation system established as a service toall local, state, federal, and international criminaljustice agencies.

The goal of NCIC 2000 is to help the criminaljustice community perform its duties by providingand maintaining a computerized filing system ofaccurate and timely documented criminal justiceinformation.


The NCIC 2000 data bank can best bedescribed as a computerized index ofdocumented criminal justice informationconcerning crimes and criminals of nationwideinterest. NCIC files also include missing andunidentified person files, persons files who posea threat to officer and public safety, as well asstolen property files.

All state and local agencies participating in theNCIC 2000 System are required to adhere to thesecurity guidelines that can be found in theFBI/CJIS Security Policy 5.1


The NCIC 2000 System stores vastamounts of criminal justice informationwhich can be instantly retrieved by and/orfurnished to any authorized agency and isa virtually uninterrupted operation 24hours a day, 7 days a week

8/24/2012

3


Types of queries


Types of queries


NCIC stats

In January 1967 when NCIC became operational, itincluded five files, which contained 356,784 records. Inits first year of operation, NCIC processed approximately2.4 million transactions, or an average of 5,479transactions daily. Last year NCIC processed 2.4 billiontransactions. Recently, NCIC experienced a new one-day record of 8.6 million transactions. Presently, NCICcontains 19 files with over 15 million records, of whichnearly 1.7 million are in the wanted persons file. NCICservices more than 90,000 user agencies and averages7.5 million transactions per day. Currently on theaverage South Carolina performs 350,000 + transactionsper day.

8/24/2012

4


The local/regional computer availabilitygoals shall be 100 percent with 96 percentas minimum.

Equipment and/or technologicalincompatibility shall not be sufficientjustification for any agency to operateoutside of the normal CSA configuration.


The data stored in the NCIC 2000 System andthe III File are documented criminal justiceinformation and must be protected to ensurecorrect, legal, and efficient dissemination anduse. It is incumbent upon an agency operatingan NCIC 2000 infrastructure to implement thenecessary procedures to make that componentsecure from any unauthorized use. Anydeparture from this responsibility warrants theremoval of the offending component from furtherNCIC 2000 participation.


Throughout the last several years, there havebeen significant changes in the CJIScommunity’s telecommunications and systemsarchitecture. As a result of technologicaladvances, the FBI Director authorized a securitymanagement structure to specifically addresstechnical security controls, policy revision,oversight, training, and security incidentresolution and notification.

8/24/2012

5


In addition to the changes there have been asignificant number of the larger and moreimportant computer systems in this country thathave been successfully penetrated byindividuals whose reasons ran the gamete frommonetary profit to ideologic principles. If theNational Crime Information Center (NCIC) isgoing to function efficiently and effectively intoday's society System Security must be anomni-present element of its everyday operation.


Therefore the CJIS Advisory Policy Board(APB) adopted new policies in the areas ofidentification, authentication, encryption,wireless applications, dial-up access,Internet access, public networks, andfirewalls to address security concerns.


A Federal Working Group and severalregional Working Groups were establishedto recommend policy and procedures forthe programs administered by the FBICJIS Division.

These Working Groups are alsoresponsible for the review of operationaland technical issues related to theoperation of or policy for these programs.

8/24/2012

6


The FBI uses hardware and software controls tohelp ensure System security. However, finalresponsibility for the maintenance of the securityand confidentiality of criminal justice informationis shared with the individual agenciesparticipating in the NCIC 2000 System and theIT departments who support the agencies.Further information regarding System securitycan be obtained from the FBI/CJIS SecurityPolicy 5.1


The essential premise of the CJIS SecurityPolicy is to provide appropriate controls toprotect the full lifecycle of CJI, whether at rest orin transit. The CJIS Security Policy providesguidance for the creation, viewing, modification,transmission, dissemination, storage, anddestruction of CJI data. This policy applies toevery individual—contractor, private entity,noncriminal justice agency representative, ormember of a criminal justice entity—with accessto, or who operate in support of, criminal justiceservices and information.


Policy Purpose

To provide minimum security requirements associatedwith the creation, viewing, modification, transmission,dissemination, storage, or destruction of Criminal JusticeInformation or CJI.

To provide a baseline security policy for Local, State,and Federal agencies to build their policies upon. (It isthe minimum standard a local policy must follow).

The policy covers roles and responsibilities as well asthe 12 areas of compliance.

8/24/2012

7


Roles and Responsibilities – StateISO

SLED will appoint an Information SecurityOfficer (ISO) who has the responsibility toestablish and maintain information securitypolicy, assesses threats andvulnerabilities, performs risk and controlassessments, oversees the governance ofsecurity operations, and establishesinformation security training andawareness programs.


Roles and Responsibilities stateCSO

Each state must have a CJIS SecurityOfficer (CSO) assigned by the head of theCJIS Systems Agency (CSA)(SLED) whois responsible for enforcing security policyrules over ALL agencies, users, anddevices accessing CJI information via thestate CSA(SLED).


Roles and Responsibilities – LocalLevel

Each local agency accessing CriminalJustice Information or CJI is required tohave a Terminal Access Coordinator(TAC) and a Local Access Security Officer(LASO) to oversee that the CJIS SecurityPolicy is being abided by locally. Theycan be the same person.

8/24/2012

8


Terminal Agency Coordinator(TAC)

The TAC serves as the point-of-contact atthe local agency for matters relating toCJIS information access. A TACadministers CJIS systems programs withinthe local agency and oversees theagency’s compliance with CJIS systemspolicies.

The TAC is the Agency Coordinator (AC)


AC of the CGA

The AC is a staff member of the CGA whomanages agreements, responsible for thesupervision and integrity of the system,training and continuing education ofemployees as required. 3.2.7


Agency Coordinator (AC)

The AC shall be responsible for thesupervision and integrity of the system,training and continuing education ofemployees and operators, scheduling ofinitial training and testing, and certificationtesting and all required reports by NCIC.

8/24/2012

9


The AC shall:

Understand the communications, recordscapabilities, and needs of the individualwhich is accessing federal and staterecords through or because of itsrelationship with the CGA.

Receive information from the CGA (e.g.,system updates) and disseminate it toappropriate individuals.


The AC shall:

Maintain up-to-date records of allemployees or contractors who access thesystem, including name, date of birth,social security number, date fingerprintcard(s) submitted, date security clearanceissued, and date initially trained, tested,certified or recertified (if applicable).


The AC shall:

Schedule new operators for thecertification exam as well as schedulecertified operators for biennial re-certification testing within thirty (30) daysprior to the expiration of certification.Schedule operators for other mandatedclass.

8/24/2012

10


The AC shall:

The AC will not permit anuntrained/untested or non-certifiedemployee or contractor to access CJI orsystems supporting CJI where access toCJI can be gained.


The AC shall:

Provide completed applicant fingerprintcards on each Contractor employee whoaccesses the system to the CJA (or,where appropriate, CSA) for criminalbackground investigation prior to suchemployee accessing the system.


Local Agency Security Officer(LASO)

The primary Information Security contactbetween a local law enforcement agency andthe CSA

The LASO actively represents their agency in allmatters pertaining to Information Security,disseminates Information Security alerts andother material to their constituents, maintainsInformation Security documentation (includingsystem configuration data), assists withInformation Security audits of hardware andprocedures, and keeps the CSA informed as toany Information Security needs and problems.

8/24/2012

11


Roles and Responsibilities –Outsourcing of CJI Administration

The responsibility for the management ofthe approved security requirements shallremain with the Criminal Justice Agency.

Thus the outsourcing of the state CSO andISO positions is not allowed.

Thus the outsourcing of local TAC andLASO positions is not allowed


Roles and Responsibilities – LocalPoints of Contact

Local or municipal entities should refer allCJIS Security procedural or technicalquestions to their local criminal justiceagency’s TAC or LASO. They are thelocal point of contact.

If the local TAC or LASO does not have ananswer they can refer to the state CSO forassistance.


Illegal Dissemination of CJI and PIICan Lead to Penalties

Improper access and dissemination of anyCJI data including CHRI may result inadministrative sanctions, termination, andstate and federal penalties.

Refer to S.C. Financial Fraud and IdentityTheft Law for more information.

8/24/2012

12


What does the policy cover?

1. Information Exchange Agreements.

2. Awareness Training

3. Incident Response

4. Auditing and Accountability

5. Access Control

6. Identification and Authentication


What does the policy cover? (cont.)

7. Configuration Management

8. Media Protection

9. Physical Protection

10. Systems & Communications Protectionand Information Integrity

11. Formal Audits

12. Personnel Security


Information Exchange AgreementsPolicy Area 1

Criminal Justice Information requires protectionthroughout its life which is why agreements need to be inplace between each agency sharing CJI data. Theseagreements must specify security controls meeting theCJIS Security Policy requirements and be in placebefore any CJI can be exchanged.

Agreements should state the policies, standards,sanctions, governance, auditing, services accessed andpolicy compliance required for the user agency

CJI exchange includes e-mail, instant messaging, webservices, facsimile, hard copy, and the informationsystems sending, receiving, and storing CJI.

8/24/2012

13


Some Agreement Types

User

Service

Management Control *

Inter-Agency *

CJIS Security Addendum *

Civil Agency User Agreement

Livescan/Latent Fingerprint Sharing


Agreements requiredfor NCJA

Management Control agreement - grants the criminal justiceagency management control over the operations of the non-criminal justice agency as they relate to access to the LawEnforcement Data System network and services.

Required between CJA and the NCJA which provides services to the CJA(dispatching, record keeping, computer services, etc.).

"Management Control" means the authority to set and enforce: (a) Priorities; (b) Standards for the selection, supervision and termination of personnel;

and (c) Policy governing the operation of computers, circuits, and

telecommunications terminals used to process, store, or transmitinformation to or receive information from the Law Enforcement DataSystem.


Agreements requiredfor NCJA cont’

Inter-Agency – agreement between two agencies thatstates standards, policy, and access required of theparties

State CSA to non-criminal justice agency (DSIT) Local criminal justice agency to non-criminal

justice agency (county or city)

Security Addendum Criminal Justice Agency & private contractor

(each employee) Non-criminal Justice Agency & private contractor

(each employee

8/24/2012

14


ExampleCJA supported by NCJA

SLED is CSA SLED’s enterprise extends to Metropolitan PD Metropolitan City IT department performs IT administration of PD

network with some private contractors

Agreements Needed CJA user agreement between SLED and Metropolitan PD Inter-agency agreement between Metropolitan City IT and

Metropolitan PD Management control agreement between Metropolitan PD and

Metropolitan City IT Security Addendum between Metropolitan City IT and Private

contractors


5.2 Policy Area 2: SecurityAwareness Training

Security awareness training shall be requiredbefore an initial assignment for all personnelwho have access to CJI. The CSO/CSA mayaccept the documentation of the completion ofsecurity awareness training from anotheragency. Accepting such documentation fromanother agency means that the acceptingagency assumes the risk that the training maynot meet a particular requirement or processrequired by federal, state, or local laws.


Security Awareness TrainingPolicy Area 2

Security awareness training is mandatory forthose with roles in the support, administration orgeneral access to criminal justice information.

All criminal justice employees, non-criminaljustice employees, contractors, vendors, etc.

The level of training is dependent on the role ofthe individual – IT support requires the highestlevel of training.

8/24/2012

15


Security Awareness TrainingPolicy Area 2

Training must be performed every twoyears

The management control criminal justiceagency designated person (TAC, LASO,ISO, CSO, NCIC coordinator) isresponsible for coordinating and verifyingthe completion of this requirement for theirrespective agency


Incident ResponsePolicy Area 3

The information security officer at SLEDhas been identified as the POC onsecurity-related issues for the CSA andrespective agencies in the state.

The ISO is responsible for ensuringLASOs (local agency security officer)institute the CSA incident responsereporting procedures at the local level.


Policy Directive - 5.3

Agencies shall:

(i) establish an operational incident handlingcapability for agency information systemsthat includes adequate preparation,detection, analysis, containment, recovery,and user response activities;

(ii) track, document, and report incidents toappropriate agency officials and/orauthorities

8/24/2012

16


Responsibilities for incidentresponse

Agencies whether criminal justice or non-criminal justice, that areresponsible for the administration of criminal justice, dispatching,record keeping, or computer services for CJI all are required tofollow the CJIS policy incident reporting requirements.

Four critical tasks must be followed with incidents: Incident Handling Collection of evidence Incident Response training Incident Monitoring

These procedures may be audited by SLED and/or the FBI duringthe required technical and policy audits.


Auditing and AccountabilityPolicy Area 4

Agencies shall implement audit andaccountability controls to increase the probabilityof authorized users conforming to a prescribedpattern of behavior.

Agencies shall carefully access the inventory ofcomponents that compose their informationsystems to determine which security controls areapplicable to the various components.


Logging Events

Policy 5.4 states specific logging requirements

Specific events must be logged

Content to log on each event is specified

Monitoring, analysis and log reporting actions

Response to logged events

Log retention is 365 days

Other requirements exist for NCIC, III and CJISaccess and information logging

8/24/2012

17


Access ControlPolicy Area 5

Access control provides the planning andimplementation of mechanisms to restrictreading, writing, processing and transmission ofCJIS information and the modification ofinformation systems, applications, services andcommunication configurations allowing accessto CJIS information.

Access control includes physical in addition tological access.


User Access Control

Always assign least privilege to accounts

Use Job duties, Physical, logical or networklocation, and Date/Time restrictions for access.

All employee status changes must be reportedand accounts adjusted as required.

Policy guidelines state requirements for annualvalidation of accounts, logging of access andinactivity or failed log in attempts (policy 5.5)


Access Control Recommendations

System administrator access must be tightlyregulated.

Only allow remote admin access in emergencysituations.

Don’t allow remote access for group accounts

Always provide System Notifications orWarnings to users logging on.

Use approved mechanisms to control thisaccess. Policy 5.5.2.3 and 5.5.2.4

Security must be FIPS 140-2.

8/24/2012

18


CJI Access Restrictions

CJI access is not allowed from personallyowned or public computers.

No CJI over Bluetooth at this time due tonot FIPS140-2 approved encryptionstandard.

CJI over Wireless and Cellular must becarefully regulated following policy 5.5.7


Identification and AuthenticationPolicy Area 6

All users must be properly identified priorto access to any agency informationsystems or services.

Follow password policies for all access tothe criminal justice infrastructure ornetwork where CJI is transmitted as listedin 5.6.2.1


Advanced Authentication

Advanced Authentication (AA) is requiredwhen users are accessing CJI informationvia a network that is not deemed secureby the SLED ISO. Policy 5.6.2.2

Advanced Authentication is the useadditional identifiers on top of login ID andpassword that may include PKI, biometric,smart cards tokens, software tokens etc…

8/24/2012

19


Configuration ManagementPolicy Area 7

The goal is to allow only qualified andauthorized individuals access toinformation system components forpurposes of initiating changes, includingupgrades, and modifications.

Thus agencies must restrict who hasconfiguration management permissions


Configuration ManagementRequirements

All network changes must provide adetailed network topography diagram tothe SLED ISO anytime there is a proposednetwork change or a network change hasoccurred.

Agencies must protect all systemconfiguration documentation fromunauthorized access.


Media ProtectionPolicy Area 8

Procedures must be defined for securelyhandling, transporting, and storing mediaboth electronic and physical.

Procedures must also be in place for thesanitation and disposal of electronic andphysical media that meet policies.

All entities accessing CJI media must bevetted authorized personnel.

Specific policies are in policy 5.8

8/24/2012

20


Physical ProtectionPolicy Area 9

All CJI and associated information systems mustbe in a physically secure location.

This can be a facility, area, room or group ofrooms with controls described in 5.9.1.1 –5.9.1.9

Personnel security for access to the area mustfollow policy area 12

The location is subject to the managementcontrol of the CJA and must follow all criminaljustice policies.


Physical protection

A security perimeter should be established andposted as such.

A list of authorized personnel with access mustbe maintained.

All physical access points to the secure areamust be controlled.

All physical access to the IT systems andtransmission lines shall be controlled.

The display or view of information from outsidethis controlled area must prevent unauthorizedviewing.


Visitor Control

Visitors must be authenticated beforeauthorizing escorted access.

Access records shall be maintainedfollowing the policy requirements in 5.9.1.8

Items entering and exiting the area shallbe controlled and authorized

8/24/2012

21


Non-criminal justice agencies or contractorsmust follow these procedures to report incidentsto the LASO at the criminal justice agency theysupport. (Who signed the management controlagreement?)

The criminal justice agency LASO will reportthese incidents to the SLED ISO who will in turncommunicate the details to the FBI CJIS ISO.


Systems & CommunicationsProtection and Information Integrity

Policy Area 10

Examples range from boundary andtransmission protection to securing virtualenvironments.

Information flow enforcement betweeninterconnected systems shall be controlled.


Information Flow

Information flow regulates where the information

allowed to travel within the IT system and between

IT systems.

CJI can not be transmitted unencrypted acrossthe public network

Outside traffic that claims to be from the agencymust be blocked

Web requests from the public network not froman internal web proxy should not be passed.

8/24/2012

22


Layers of protection

CJI and system shall provide boundaryprotection as established in policy 5.10.1.1

Encryption standards must be met policy5.10.1.2, SLED has additionalrequirements for encryption AES 256.

Intrusion detection/prevention tools shallbe in place following policy 5.10.1.3

VoIP and facsimile policies shall also beimplemented per policy 5.10.1.4


Information Technology security

IT security is hardware and/or softwareused to assure the integrity and protectionof information and the means ofprocessing it.

Many criminal justice data systems andnetworks are interconnected to oneanother and the Internet.

As such, those systems and networks arevulnerable to exploitation by unauthorizedindividuals.


Partitioning

Specific controls must be in place to use thistechnology with Criminal justice information andProcessing.

The application, service, or system shall: Separate user functionality (including UI

services) form information system management. Separate UI services from information storage

and management services either physically orlogically. Guidelines for achieving this arespecified in 5.10.3.1

8/24/2012

23


Virtualization

All security controls in the policy apply tovirtualization.

Additional controls exist in policy 5.10.3.2

Isolate host from virtual machine

Maintain audit logs for all virtual hosts and machines(store these outside of virtual environment)

Physically separate Internet facing virtual machinesfrom virtual machines that process CJI

Critical device drivers shall be contained in a separateguest.


Virtualization

Addition technical security controls are suggested.

These include:

Encrypt network traffic between virtual machineand host

Implement IDS and IPS within the virtualmachine environment

Virtually firewall each virtual machine from eachother or physically firewall each with anapplication layer firewall controlling protocols

Segregate the administrative duties for the host


System & Information Integrity

The agency shall develop and implementa local policy for installing relevant securitypatches, service packs and hot fixes.

The policy must include items andprocedures (policy 5.10.4.1) for installingthese ‘fixes’.

Malicious code, spam and firewallprotection must be implemented followingpolicy 5.10.4.2 - 5.10.4.3

8/24/2012

24


Formal AuditsPolicy Area 11

Formal audits are conducted on IT services, secureareas, personnel and policies by SLED and the FBI.

Regular audit are triennial but can be conducted morefrequently.

The FBI has the authority to conduct unannouncedsecurity inspections and scheduled audits of thefacilities.

All agencies CJA and NCJA are subject to the auditrequirements and inspections.

Responses to audit findings must be addressed in anaccepted manner by the CJA, SLED and FBI.

Failure to correct deficiencies will result in sanctions.


Personnel SecurityPolicy Area 12

All personnel who have access tounencrypted criminal justice information(CJI) including those with only physical orlogical access must be screened.

All requests for access must be cleared bythe CJA who maintains managementcontrol. The TAC or LASO is the point ofcontact for these requests.


Background Checks

Notification of subsequent arrest and/orconvictions for those who have access must besent to the CSO to determine if access shouldbe continued.

Support personnel, contractors, custodialworkers, and others with access to physicallysecure or controlled locations shall be subject tothese regulations unless escorted by anauthorized person at all times.

8/24/2012

25


Personnel screening for contractorsand vendors

In addition to requirements in policy 5.12.1.1, the followitems are in place: The contracting government agency (CGA) shall coordinate the

background check prior to granting access with the criminal justiceagency that has management control.

If a record of any kind if found, the CGA will be notified and accessis delayed pending a review by the CJA. The CGA must notify thecontractor appointed security officer.

All felony convictions are disqualifications for access. Arrest warrants are disqualifications for access. The CGA shall maintain a list of personnel who have been

authorized for access and shall provide a current list to the CSOwhen requested.

The CGA can request the CSO to review any denials.


Maintenance after grantingphysical or logical access

Upon termination or separation, the individual’saccess shall immediately be terminated.

Reassignments or transfers shall result inactions such as closing and establishing newaccounts and changing system accessauthorizations.

A formal sanctions process for failure to complywith established information security policiesand procedures shall be documented,distributed and enforced. This should beavailable during an audit.


Background Checks

A state of residency and national fingerprintbackground check is require for unescortedaccess AND all personnel who have directaccess to CJI and all those who have ITresponsibility.

Any felony conviction will result in accessdenied.

If a record of any kind exists, access can not begranted until the CSO (SLED) reviews anddetermines if access is appropriate.

8/24/2012

26


System & Information Integrity

Any mobile device by design (laptops, handhelds,

PDA etc) must employ personal firewall protection.

A minimum list of activities performed by the personalfirewall is listed in policy 5.10.4.4 Manage program access to the Internet

Block unsolicited requests to connect to the device

Filter incoming traffic by IP, protocol or destination port

Maintain and IP traffic log

Security alerts and advisories must be received by theagency and policies must be in place for handling theinformation. Policy 5.10.4.5



A vulnerability is a condition or weaknessin (or the absence of):

Security Procedures

Technical Controls

Physical Controls

Other controls that could be exploited by athreat.



All systems and networks havevulnerabilities.

The goal of security is to minimize thosevulnerabilities.

Vulnerabilities include, but not limited tophysical, natural, hardware and software.

8/24/2012

27



Vulnerabilities Examples

Physical: The placement of a computer in anon-secure location.

Natural: a server connected to a power sourcewithout a surge protector or backup powersupply.

Hardware: a connection to the Internet without afirewall.

Software: not updating the computer operatingsystem when updates are issued.



Security Points of Contact

Identify who is using the hardware/softwareand ensure that no unauthorized users haveaccess to same.

Identify and document how the equipment isconnected to the state system.

Ensure that personnel security screeningprocedures are being followed as stated in theCJIS Security Policy



Ensure that appropriate hardware securitymeasures are in place

Support policy compliance and keep thestate ISO informed of security incidents.

8/24/2012

28


Remember

The local agency may complement theCJIS Security Policy with a local policy, orthe agency may develop their own stand-alone security policy; however, the CJISSecurity Policy shall always be theminimum standard and local policy mayaugment, or increase the standards, butshall not detract from the CJIS SecurityPolicy standards.


Remember

This Policy governs the operation of computers,access devices, circuits, hubs, routers, firewalls,and other components that comprise andsupport a telecommunications network andrelated CJIS systems used to process, store, ortransmit CJI, guaranteeing the priority,confidentiality, integrity, and availability ofservice needed by the criminal justicecommunity.


Remember

Responsibility for the management control ofnetwork security shall remain with the CJA.Management control of network securityincludes the authority to enforce the standardsfor the selection, supervision, and separation ofpersonnel who have access to CJI; set andenforce policy governing the operation of circuitsand network equipment used to transmit CJISdata; and to guarantee the priority service asdetermined by the criminal justice community.

8/24/2012

29


Remember

Private contractors who perform criminaljustice functions shall meet all policies fortraining and certification criteria requiredby governmental agencies performing asimilar function, and shall be subject tothe same extent of audit review as arelocal user agencies.

Additional screening requirements exist inthe security policy 5.1


Remember

All private contractors who performcriminal justice functions shallacknowledge, via signing of the SecurityAddendum Certification page, and abideby all aspects of the CJIS SecurityAddendum.


Agreements

User Agreements – states policy, standards, sanctions,governance, auditing, services accessed and policycompliance required or the user agency

Agreements Needed

CJA user agreement between SLED and court agency

Inter-agency agreement between Metropolitan City ITand Metropolitan court agency

Management control agreement between Metropolitancourt agency and Metropolitan City IT

Security Addendum between Metropolitan City IT andPrivate contractors (TAC needs copies)

8/24/2012

30


Contacts/ and Steps to gain access

Contact the CSO office in writing requestingaccess to NCIC data.

Once received the CSO office will forward thisrequest to the FBI for an NCIC ORI assignment.Any court that hears civil cases only (with theexception of domestic violence and stalkingcases) does not qualify for an NCIC 2000 ORIassignment.

Contact person for the CSO office is MillieGalloway at [email protected] or 803-896-7142



When the ORI has been established theCSO office will send an InformationExchange Agreement to the court.

Completed security addendums betweenagency and IT vendor.

The Court will perform TAC/LASOassignment

Security Awareness Training performed onall individuals.



Completed finger print checks on allindividuals.

Completed state of residency Check on allindividuals.

Once those checks have been performedthen the court will send the completed SiteSurvey and Topology for approval.

8/24/2012

31


www.sled.sc.gov

[email protected]

[email protected]

The End

Documents

SLED Overview of the FBI Criminal Justice Information Services