BOARD OF COUNTY COMMISSIONERS PASS-AROUND REVIEW

PASS-AROUND TITLE: Internal CJIS Management Control Agreements
DEPARTMENT: Information Technology
PERSON REQUESTING: Ryan Rose
DATE: 3/21/2019

Brief description of the problem/issue: As a part of our CJIS compliance, we need to have updated agreements between IT/BOCC/Justice Services, as well as between IT/BOCC/District Attorney which set policies, procedures, and processes associated with the non-criminal justice agency's access to criminal justice information and to stipulate that management control of the criminal justice functions (and information) remain solely with the criminal justice agency. A similar agreement has previously been signed between IT/BOCC/Sheriff's Office. We are asking to have the same agreement in place with JS and the DA.

What options exist for the Board? (include consequences, impacts, costs, etc. of options): To maintain our CJIS compliance posture, IT is requesting authorization for the Chair to sign the agreements.

Recommendation: Weld County IT recommends that the Board grant approval for the Chair to sign the attached agreements.

Sean P. Conway
Mike Freeman, Pro-Tem
Scott K. James
Barbara Kirkmeyer, Chair
Steve Moreno

Approve Recommendation
Schedule Work Session 4-3 -/ 9
Other/Comments:

2019-1319 Ts o OO7

MANAGEMENT CONTROL AGREEMENT REGARDING COLORADO BUREAU OF INVESTIGATION AND FBI CRIMINAL JUSTICE INFORMATION SYSTEMS

The purpose of this document is to establish and enforce Security Control of the access and use of the Colorado Bureau of Investigation's (CBI) Colorado Crime Information Center (CCIC) database and associated CJIS systems (NCIC, Nlets, etc.) in a location where access to and/or use of that system is accomplished by a criminal justice agency with the assistance of a non-criminal justice governmental agency. This document places Security Control of that access and use under the authority of the criminal justice agency.
This document is an agreement between Weld County Justice Services Department, the "criminal justice agency," the Weld County Information Technology Department and Weld County Board of Commissioners, the "non-criminal justice agency" providing services in support of the criminal justice agency in the execution of its duties under the "administration of criminal justice."

Whereas the non-criminal justice agency manages the associated computer and/or equipment and personnel that provide the criminal justice agencies with access to CCIC and associated CJIS systems, and

Whereas the non-criminal justice agency through the CCIC Coordinator performs certain administrative functions of the Colorado Crime Information Center (CCIC) and the National Crime Information Center (NCIC) for the criminal justice agency, and

Whereas the criminal justice agency has signed an agreement with the Colorado Bureau of Investigation to use and participate in the state's telecommunications networks and associated systems, and

Whereas the state transmits state and national criminal history information over those networks, and

Whereas the state participates in the FBI CJIS Systems, which require that all access to the FBI CJIS Systems be controlled by the FBI CJIS Security Policy, and

Whereas the CJIS Security Policy requires that the State CJIS Systems Agency (CSA) (i.e., the Colorado Bureau of Investigation) establish "Security Control," for that access, and

Whereas Security Control is defined as the ability of the CSA or criminal justice agency to set, maintain, and enforce:

1. Standards for the selection, supervision, and termination of personnel; and
2. Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that make up and support a telecommunications network and related CJIS systems used to process, store, or transmit criminal justice information, guaranteeing the priority, integrity, and availability of service needed by the criminal justice community.

Whereas the Colorado Bureau of Investigation defines management control as the authority and responsibility to enforce Security Control as herein defined, and

Therefore, be it resolved that this agreement hereby places the technical services division under the management control, as herein defined, of the criminal justice agency.

SECURITY

The non-criminal justice agency agrees to abide by all current and hereafter approved rules of the Colorado Bureau of Investigation and Federal Bureau of Investigation, including but not limited to all requirements of the CJIS Security Policy. The compliance with those requirements shall be determined by the criminal justice agency and the CBI.

Computers having access to CCIC/NCIC must have the proper software and hardware controls, implemented under the supervision of the criminal justice agency, to prevent criminal history and other CJIS data from being accessible to any terminals other than authorized terminals.

The non-criminal justice agency must allow adequate physical security, as required by the CJIS Security Policy and determined by the criminal justice agency, to protect against any unauthorized personnel gaining access to the terminals, computer equipment, or any of the stored data.

Personnel at the criminal justice agency site, or with remote access to the criminal justice agency's data, must be screened thoroughly under the authority and supervision of the criminal justice agency, in accordance with CCIC/NCIC policy.
This screening applies to criminal justice and non-criminal justice personnel, including non-criminal justice maintenance and technical personnel. This screening will be done under the guidelines established in the CJIS Security Policy. Decisions by the criminal justice agency related to personnel are limited to the inclusion or exclusion of personnel from the criminal justice agency, according to the guidelines established by the CJIS Security Policy and implemented by CCIC Policy.

All visitors to the criminal justice agency and the technical services division must be accompanied by staff personnel at all times.

All terminals and network equipment having access to the state's law enforcement networks must be physically placed in secure locations, as required by the CJIS Security Policy and determined by the criminal justice agency.

Access to all terminals and network equipment that protects and/or transmits the criminal justice data must be restricted to the minimum number of authorized employees needed to complete the work.

Printed copies of criminal history data obtained from CCIC/NCIC must be afforded security to prevent any unauthorized access to or use of the data. When the printout is no longer needed, it must be filed in a secure file or destroyed.

No terminal will access the state's law enforcement networks, and no data will be requested or obtained through these networks without the approval of the criminal justice agency.

No changes will be made to the configuration of the networks accessing the state's law enforcement network without prior approval of the state.

TRAINING

Personnel at the criminal justice agency site, or with remote access to the criminal justice agency's data, must take Security Awareness training within 6 months of initial assignment, and biennially thereafter, as required by the CJIS Security Policy.
This training and certification applies to criminal justice and non-criminal justice personnel, including non-criminal justice maintenance and technical personnel. This training shall include, at a minimum, the topics required by the CJIS Security Policy.

MONITORING AND AUDITING

The non-criminal justice agency agrees to allow the criminal justice agency and CBI necessary access, as determined by CBI and the criminal justice agency, to the physical locations, any computer programs, any computer files, and/or network activities necessary to implement and enforce security control as defined by the CJIS Security Policy.

The criminal justice agency, in accordance with CCIC/NCIC policy, has the responsibility and authority to monitor, audit, and enforce the implementation of this agreement by the non-criminal justice agency.

CBI and FBI audits of the technical services division will be to determine whether policies have been established by the criminal justice agency and implemented by the non-criminal justice agency.

GENERAL

The criminal justice agency will not manage the day to day operations of the technical services division but may establish and enforce the priorities necessary to meet CBI and FBI policies regarding system use.

The non-criminal justice agency agrees to cooperate with the criminal justice agency in the implementation of this agreement, and to accomplish the directives of the criminal justice agency under the provisions of this agreement.

Non-Criminal Justice Agency

Ryan Rose
Printed Name
Chief Information Officer, Weld County
Title
Date

Barbara Kirkmeyer
Printed Name
Chair, Weld County Board of Commissioners
Title
APR 0 3 2019
Date

Criminal Justice Agency

Douglas Erler
Printed Name
Director, Weld County Justice Services Department
Title
APR 0 3 2019
Date

APPENDIX A

Appropriate environmental security measures would include:

a) A back-up power supply or uninterruptible power source.
b) Environment monitors and controls for temperature, air conditioning, humidity, etc.
c) Emergency lighting.
d) Adequate fire detection/suppression devices.
e) Emergency shutdown of system and/or power devices.
f) Duplicate computer files, if applicable, (as a countermeasure for unauthorized destruction of original files) which are to be maintained off premise. Computer tapes or discs should be locked in a safe (fireproof) storage area under the control of senior agency personnel. Secondary storage (off-site location) will be used to back-up.

APPENDIX B

The standards apply to all personnel with access to network systems as defined in Title 28 CFR, Part 20 to CHRI data, including, but not limited to:

a) Management personnel who direct criminal justice related software, hardware, or dispatch functions.
b) Supervisory personnel who supervise criminal justice related software, hardware, or dispatch functions; or have terminal access to criminal justice data either directly or through their subordinates; or who have general responsibility for criminal justice related data storage, switching, transmission and logging.
c) Personnel involved in analysis, evaluation and/or programming of criminal justice related data stored, switched, transmitted or logged by the center.
d) Non-Data Processing personnel who regularly provide necessary software or hardware installation, modification or maintenance in the dispatch center.
e) Non-Data Processing personnel who provide temporary and necessary software, hardware or telecommunications installation, modification or maintenance, or such other services as deemed necessary by the Communications Supervisor.
f) All other persons with direct access to the dispatch center or terminals with access to the state's telecommunications system.