4112.52

Personnel - Certified/Non-Certified

Security Check/Fingerprinting

Criminal History Record Information (CHRI)

(Proper Access, Use and Dissemination Procedures)

Purpose

The intent of this policy is to ensure the protection of the Criminal Justice Information (CJI) and its subset of Criminal History Record Information (CHRI) until the information is purged or destroyed in accordance with applicable record retention rules.

This policy is based upon the FBI's Criminal Justice Information Services (CJIS) Security Policy. The Board considers the FBI CJIS Security Policy as the minimum standard. This Board policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards.

Scope

This policy applies to any electronic or physical media containing FBI CJI while being stored, accessed or physically moved from a secure location within the District. This policy applies to any authorized person who accesses, stores, and/or transports electronic or physical media.

CHRI is a subset of CJI and for the purposes of this policy is considered interchangeable. Due to its comparatively sensitive nature, additional controls are required for the access, use and dissemination of CHRI. In addition to the dissemination restrictions outlined below, Title 28, Part 20, Code of Federal Regulations (CFR), defines CHRI and provides the regulatory guidance for dissemination of CHRI.

Proper Access, Use, and Dissemination of CHRI

Information obtained from the Interstate Identification Index (III) is considered CHRI. Rules governing the access, use, and dissemination of CHRI are found in Title 28, Part 20, CFR. The III shall be accessed only for an authorized purpose.

CHRI shall only be used for an authorized purpose consistent with the purpose for which III was accessed.

Personnel Security Screening

Access to CJI and/or CHRI is restricted to authorized personnel. Authorized personnel is defined as an individual or group of individuals, appropriately vetted through a national fingerprint-based record check and granted access to CJI data.

Security Awareness Training

Basic security awareness training is required, within six months of initial assignment, and biennially thereafter, for all personnel with access to CJI.

Physical Security

A "physically secure location" is a facility or an area, room, or group of rooms within a facility with sufficient physical and personnel security controls to protect the FBI CJI and associated information systems.

Only authorized personnel shall access physically secure non-public locations. All physical access points into the District's secure areas will be authorized before granting access. Authorized personnel will take necessary steps to prevent and protect the District from physical, logical and electronic breaches.

Media Protection

Controls shall be in place to protect electronic and physical media containing CJI while at rest, stored, or actively being accessed.

The District shall securely store electronic and physical media within physically secure locations or controlled areas. The District restricts access to electronic and physical media to authorized individuals.

Media Transport

The District shall protect and control electronic and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

Media Sanitization and Disposal

When no longer usable, hard drives, diskettes, tape cartridges, CDs, ribbons, hard copies, printouts, and other similar items used to process, store and/or transmit FBI CJI shall be properly disposed of in accordance with measures established by the District.

IT systems that have been used to process, store, or transmit FBI CJI and/or sensitive and classified information shall not be released from the District's control until the equipment has been sanitized and all stored information has been cleared.

Account Management

The District shall manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The District shall validate information system accounts at least annually and shall document the validation process.

All accounts shall be reviewed at least annually by the designated CJIS point of contact (POC) or his/her designee to ensure that access and account privileges are commensurate with job functions, need-to-know, and employment status on systems that contain Criminal Justice Information. The POC may also conduct periodic reviews.

Remote Access

The District shall authorize, monitor, and control all methods of remote access to the information systems that can access, process, transmit, and/or store FBI CJI. The District may permit remote access for privileged functions only for compelling operational needs, but shall document the rationale for such access in the security plan for the information system.

Utilizing publicly accessible computers to access, process, store or transmit CJI is prohibited. Publicly accessible computers include but are not limited to hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.

A personally owned information system is not authorized to access, process, store or transmit CJI unless the District has established and documented the specific terms and conditions for personally owned information system usage.

Policy Violation/Misuse Notification

Violation of any of the requirements contained in this CJIS Security Policy or Title 28, Part 20, CFR, by any authorized personnel will result in suitable disciplinary action.

(cf. 4112.5/4212.5 Security Check/Fingerprinting)

(cf. 4112.51/4212.51 Employment/Reference Checks)

Legal References:  Connecticut General Statutes

10-221d Criminal history records checks of school personnel. Fingerprinting, Termination or dismissal. (as amended by PA 04-181 and June 19 Special Session, PA 09-1, PA 11-93 and PA 16-67)

29-17a Criminal history checks. Procedures. Fees.

PA 16-67 An Act Concerning the Disclosure of Certain Education Personnel Records

Criminal Justice Information Services (CJIS) Security Policy, Version 5.4, U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Division, October 6, 2015.

CJIS Security Policy

Title 28 C.F.R. Part 20

Policy Adopted:  2-11-19