Does this sound familiar?
Background checks… personnel screening… fingerprint-based checks… background checks…
We hear it all the time… This person needs a background check, that person needs to be fingerprinted… But do you really know who needs a background check and why?
If you answered “no” or aren’t really sure, you’re not alone!
Policy Section 5.12 of the CJIS Security Policy (v5.3) covers Personnel Security and specifically sets the requirements regarding screening of personnel with access to criminal justice information.
A critical component of the CJIS Security Policy is having the proper security measures in place to mitigate the insider threat and the threat created when access to criminal justice information (CJI) is allowed.
The Personnel Security section of the CJIS Security Policy applies to ALL personnel who have access to unencrypted CJI.
Seems simple enough, yet personnel screening and background checks are ALWAYS near the top of the list of issues found during FBI CJIS audits.
This is a question that I struggled with and tried to answer during my tenure serving on the APB’s Security and Access Subcommittee and as the NY State CSO and ISO. The thought was that if we made a policy statement that was clear, concise and to-the-point that there would be widespread compliance.
Well, we tried, tried very hard, and they’re currently trying, but there is still a lot of confusion and, therefore, noncompliance with this requirement.
Don’t get me wrong. Agencies typically put forth a noble effort when trying to comply with this section of the policy, but often fall short; many times not even knowing they’re not compliant.
I believe that most people know how to apply the policy in most obvious scenarios (e.g. police officers and dispatchers) but are less clear when it comes to many other, variable-ridden, scenarios.
To help illustrate my point, let’s look at a few quick scenarios:
Scenario A: The XYZ Police Department is located within a city-owned building near the center of the city. The police department work space is configured as and meets the requirements of a physically secure location, as per policy section 5.9 (Physical Protection). Police department personnel process criminal justice information in all non-public areas of the building at all times of the day.
Within the confines of the physically secure location (the police department), there is a fitness center available to authorized personnel. The only access to/from the fitness center is through the secure police department work space.
The XYZ city manager (who the police chief reports to) wishes to utilize the gym and demands an all-access key card to the police department so that he may access the fitness center. Issuance of the key-card will allow the city manager access to the fitness center at any time and allow him to come and go at will.
Does the city manager, who has responsibility for all city-owned buildings, need to be screened according to CJIS Security Policy?
Scenario B: XYZ Police Department’s IT systems and networks are maintained by XYZ City IT personnel and are primarily located at an off-site data center operated and supported by the City of XYZ IT department.
Who needs to be background checked/screened? Anyone?
Scenario C: XYZ Police Department hires a janitor to clean the offices, patrol room and work spaces within the building.
Does the janitor need to be background checked?
Ok, let’s walk through the scenarios.
For the purposes of this illustration, let’s assume that there are not enough free resources for the police department to escort (at all times) any of the individuals above while they are working out, cleaning or supporting criminal justice IT at an off-site location.
In scenarios A and B, both the city manager who wants to work out and any IT personnel who configure and maintain IT systems used by the police department need to be background checked and screened as per section 5.12.1.1(1) which states, “to verify identification, state of residency and national fingerprint-based records checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI. […].”
The city manager should probably be classified as a visitor and be subject to policy section 5.9.1.7 (Visitor Control). However, if there is an executive decision to allow unescorted access to the police department’s physically secure location, a background check is clearly required. A background check is required even if he needs unescorted access to the police department because of his “city responsibilities.”
Taking a look at scenario C, the janitor needs to be background checked as per policy section 5.12.1.1(9) which states, “support personnel, contractors and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.”
As you can understand, the janitor needs to be background checked because he needs access to the physically secure location, and therefore has potential access to criminal justice information, to perform his assigned janitorial duties.
As illustrated, with every scenario there can be many variables. These variables lead to questions of interpretation and sometimes make a seemingly simple policy statement difficult to apply in the correct and compliant way. That’s where we can help!
With over 45 years of combined experience in law enforcement and dealing directly with scenarios like those above, the CJIS ACE team can help your agency interpret and apply the CJIS Security Policy in a way that maintains compliance and is compatible with your agency’s operational and technological needs.
We’ve “been there and done that” and have addressed many of the real-world scenarios you face every day in your efforts to comply with the requirements of the CJIS Security Policy.
Click HERE or email me below to let me know if you have any questions on personnel screening or what concerns you the most about CJIS Audits or the road toward Compliance.
Until next time, be safe.
William “Bill” Tatun
Chief Information Security Officer
Diverse Computing Inc.
850-656-3333 ext. 283