Approved By: Agency Name Management



Similar documents
How To Protect The Time System From Being Hacked

Physical Protection Policy Sample (Required Written Policy)

Fingerprint-Based Background Check Responsibilities for Non-Criminal Justice Agencies and Users

HIPAA Training for Hospice Staff and Volunteers

HIPAA Training for Staff and Volunteers

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM

8.03 Health Insurance Portability and Accountability Act (HIPAA)

CONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS

NONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE INFORMATION

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Order. Directive Number: IM Stephen E. Barber Chief Management Officer

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Information Security Policy

Security awareness training is not a substitute for the LEADS Security Policy.

BUSINESS ASSOCIATE AGREEMENT ( BAA )

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

All Users of DCRI Computing Equipment and Network Resources

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Wellesley College Written Information Security Program

Information Technology Security Policies

Breach Notification Policy

1.02 Authorized Recipient means an entity authorized by statute to receive background check information for noncriminal justice purposes.

GENERAL ORDER DISTRICT OF COLUMBIA I. BACKGROUND

Statement of Policy. Reason for Policy

Payment Card Industry Compliance

BUSINESS ASSOCIATE AGREEMENT

Information Security Program Management Standard

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA

APPENDIX H SECURITY ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

Caldwell Community College and Technical Institute

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

HIPAA Breach Notification Policy

Health Information Privacy Refresher Training. March 2013

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

Information Security Policy

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

Appendix A: Rules of Behavior for VA Employees

Information Resources Security Guidelines

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

M E M O R A N D U M. Definitions

BUSINESS ASSOCIATE AGREEMENT

Montclair State University. HIPAA Security Policy

College of DuPage Information Technology. Information Security Plan

VOLUNTEER & EMPLOYEE CRIMINAL HISTORY SERVICE (VECHS) USER AGREEMENT FOR CRIMINAL HISTORY RECORD INFORMATION

University Healthcare Physicians Compliance and Privacy Policy

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

HIPAA Business Associate Agreement

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

This form may not be modified without prior approval from the Department of Justice.

Department of Health and Human Services Policy ADMN 004, Attachment A

R345, Information Technology Resource Security 1

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

Noncriminal Justice Agency Guide

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Information Technology. Security Awareness Training for Administrative Personnel

CITY UNIVERSITY OF HONG KONG. Information Classification and

HIPAA Information Security Overview

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

BUSINESS ASSOCIATE AGREEMENT

BERKELEY COLLEGE DATA SECURITY POLICY

Information Security Policy

NC DPH: Computer Security Basic Awareness Training

PHI- Protected Health Information

HIPAA BUSINESS ASSOCIATE AGREEMENT

Standard: Information Security Incident Management

Transcription:

Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Media Protection Policy Every 2 years or as needed Purpose: The intent of the Media Protection Policy is to ensure the protection of the Criminal Justice Information (CJI) until such time as the information is either released to the public via authorized dissemination (e.g. within a court system or when presented in crime reports data), or is purged or destroyed in accordance with applicable record retention rules. This Media Protection Policy was developed using the FBI s Criminal Justice Information Services (CJIS) Security Policy 5.1 dated 7/13/2012. The [agency name] may complement this policy with a local policy; however, the CJIS Security Policy shall always be the minimum standard. The local policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards. Scope: The scope of this policy applies to any electronic or physical media containing FBI Criminal Justice Information (CJI) while being stored, accessed or physically moved from a secure location from the [agency name]. This policy applies to any authorized person who accesses, stores, and / or transports electronic or physical media. Transporting CJI outside the agency s assigned physically secure area must be monitored and controlled. Authorized [agency name] personnel shall protect and control electronic and physical CJI while at rest and in transit. The [agency name] will take appropriate safeguards for protecting CJI to limit potential mishandling or loss while being stored, accessed, or transported. Any inadvertent or inappropriate CJI disclosure and/or use will be reported to the [agency name] Local Agency Security Officer (LASO). Procedures shall be defined for securely handling, transporting and storing media. Media Storage and Access: Controls shall be in place to protect electronic and physical media containing CJI while at rest, stored, or actively being accessed. Electronic media includes memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card. Physical media includes printed documents and imagery that contain CJI. Page 1

To protect CJI, the [agency name] personnel shall: 1. Securely store electronic and physical media within a physically secure or controlled area. A secured area includes a locked drawer, cabinet, or room. 2. Restrict access to electronic and physical media to authorized individuals. 3. Ensure that only authorized users remove printed form or digital media from the CJI. 4. Physically protect CJI until media end of life. End of life CJI is destroyed or sanitized using approved equipment, techniques and procedures. (See Sanitization Destruction Policy) 5. Not use personally owned information system to access, process, store, or transmit CJI unless the [agency name] has established and documented the specific terms and conditions for personally owned information system usage. (See Personally Owned Device Policy) 6. Not utilize publicly accessible computers to access, process, store, or transmit CJI. Publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc. 7. Store all hardcopy CJI printouts maintained by the [agency name] in a secure area accessible to only those employees whose job function require them to handle such documents. 8. Safeguard all CJI by the [agency name] against possible misuse by complying with the Physical Protection Policy, Personally Owned Device Policy, and Disciplinary Policy. 9. Take appropriate action when in possession of CJI while not in a secure area: a. CJI must not leave the employee s immediate control. CJI printouts cannot be left unsupervised while physical controls are not in place. b. Precautions must be taken to obscure CJI from public view, such as by means of an opaque file folder or envelope for hard copy printouts. For electronic devices like laptops, use session lock use and /or privacy screens. CJI shall not be left in plain public view. When CJI is electronically transmitted outside the boundary of the physically secure location, the data shall be immediately protected using encryption. i. When CJI is at rest (i.e. stored electronically) outside the boundary of the physically secure location, the data shall be protected using encryption. Storage devices include external hard drives from computers, printers and copiers used with CJI. In addition, storage devices include thumb drives, flash drives, back- up tapes, mobile devices, laptops, etc. ii. When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards. Page 2

10. Lock or log off computer when not in immediate vicinity of work area to protect CJI. Not all personnel have same CJI access permissions and need to keep CJI protected on a need- to- know basis. 11. Establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of CJI. (See Physical Protection Policy) Media Transport: Controls shall be in place to protect electronic and physical media containing CJI while in transport (physically moved from one location to another) to prevent inadvertent or inappropriate disclosure and use. Electronic media means electronic storage media including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card. Dissemination to another agency is authorized if: 1. The other agency is an Authorized Recipient of such information and is being serviced by the accessing agency, or 2. The other agency is performing personnel and appointment functions for criminal justice employment applicants. The [agency name] personnel shall: 1. Protect and control electronic and physical media during transport outside of controlled areas. 2. Restrict the pickup, receipt, transfer and delivery of such media to authorized personnel. The [agency name] personnel will control, protect, and secure electronic and physical media during transport from public disclosure by: 1. Use of privacy statements in electronic and paper documents. 2. Limiting the collection, disclosure, sharing and use of CJI. 3. Following the least privilege and role based rules for allowing access. Limit access to CJI to only those people or roles that require access. 4. Securing hand carried confidential electronic and paper documents by: a. Storing CJI in a locked briefcase or lockbox. b. Only viewing or accessing the CJI electronically or document printouts in a physically secure location by authorized personnel. c. For hard copy printouts or CJI documents: i. Package hard copy printouts in such a way as to not have any CJI information viewable. ii. That are mailed or shipped, agency must document procedures and only release to authorized individuals. DO NOT MARK THE PACKAGE TO BE MAILED CONFIDENTIAL. Packages containing CJI Page 3

material are to be sent by method(s) that provide for complete shipment tracking and history, and signature confirmation of delivery. (Agency Discretion) 5. Not taking CJI home or when traveling unless authorized by [agency name] LASO. When disposing confidential documents, use a shredder. Electronic Media Sanitization and Disposal: The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be destroyed (cut up, shredded, etc.). The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel. Physical media shall be securely disposed of when no longer required, using formal procedures. For end of life media policy, refer to Sanitization Destruction Policy. Breach Notification and Incident Reporting: The agency shall promptly report incident information to appropriate authorities. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken. Incident- related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Roles and Responsibilities: If CJI is improperly disclosed, lost, or reported as not received, the following procedures must be immediately followed: 1. [agency name] personnel shall notify his/her supervisor or LASO, and an incident- report form must be completed and submitted within 24 hours of discovery of the incident. The submitted report is to contain a detailed account of the incident, events leading to the incident, and steps taken/to be taken in response to the incident. (Agency Discretion) 2. The supervisor will communicate the situation to the LASO to notify of the loss or disclosure of CJI records. 3. The LASO will ensure the CSA ISO (CJIS System Agency Information Security Officer) is promptly informed of security incidents. 4. The CSA ISO will: a. Establish a security incident response and reporting procedure to discover, investigate, document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS Division ISO major incidents that significantly endanger the security or integrity of CJI. Page 4

b. Collect and disseminate all incident- related information received from the Department of Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law enforcement POCs within their area. c. Act as a single POC for their jurisdictional area for requesting incident response assistance. Penalties: Violation of any of the requirements in this policy by any authorized personnel will result in suitable disciplinary action, up to and including loss of access privileges, civil and criminal prosecution and / or termination. Acknowledgement: I have read the policy and rules above and I will: Abide by the [agency name] s Media Protection Policy. I understand any violation of this policy may result in discipline up to and including termination. Report any [agency name] CJI security incident to Supervisor and / or LASO as identified in this policy. Signature: Date: /2012 Questions Any questions related to this policy may be directed to the [agency name] s LASO: LASO Name: LASO Phone: LASO email: State C/ISO Name: C/ISO Phone: C/ISO email: Other Related Policy Reference: See Media Sanitization and Destruction Policy Media Disposal Policy Physical Protection Policy Page 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information