informational audits noncriminal justice … · michigan state police . criminal justice...

NONCRIMINAL JUSTICE AGENCY USE OF CRIMINAL JUSTICE

INFORMATION

PRESENTED BY: MICHIGAN STATE POLICE

CRIMINAL JUSTICE INFORMATION CENTER SECURITY & ACCESS SECTION

“A PROUD tradition of SERVICE through EXCELLENCE, INTEGRITY, and COURTESY”

Security & Access Team

Staff Members Larry Jones, Manager Narcisa Morris, Analyst Security & Access Section (SAS) E-Mail MSP-CJIC-ATS@michigan.gov

Michigan State Police

FBI Criminal Justice Information Services

Noncriminal Justice Agency

Serves as our nations administrator for the appropriate security and management controls. As such, the FBI designates one criminal justice agency (on the CJIS network) as the CJIS Systems Agency (CSA) who is considered their point of contact in each state.

The CSA is duly authorized to oversee the security and management of all Criminal Justice Information (CJI) exchanges within the State of Michigan. Responsible for setting, maintaining, enforcing and reporting compliance to the FBI CJIS Division for such exchanges.

For the purpose of licensing and employment, certain authorized agencies request and receive fingerprint based Criminal History Record Information (CHRI) making the Noncriminal Justice Agency (NCJA) the next responsible records management entity.

Criminal Justice Information Exchange History

Fingerprinting Authorization

The following are federal and state laws authorizing fingerprint based CHRI background checks for licensing or employment determinations.

School Employment (SE)/Adam Walsh Act (AWA); MCL 380.1230a, The Revised School Code (SHALL)

National Child Protection Act Employment (CPE) & Child Protection Volunteer (CPV); 42 USC 5119 § 320928 & National Child Protection Act, including volunteers (MAY)

Flow Charts

NCJA Audits (1 of 4)

FBI CJIS conducts a triennial audit of each State on the use of CJI, including criminal history record information (CHRI-a subset of CJI).

FBI CJIS triennially audits will include their own randomly selected audit of NCJA’s.

Title 42 U.S.C., Chapter 140, Subchapter II, 14616; 28 CFR Part 901 § 4, requires MSP ATS to complete audits on all NCJA’s in the State of Michigan with access to CJI/CHRI.

MSP will periodically conduct audits of the NCJAs, within a triennial cycle.

NCJA Audits (2 of 4)

ATS Audit Criteria

Random fingerprint submission sample

Documentation comparison of requested transactions by the agency against the report or requested agency transactions over the previous 365 days (provided prior to audit by MSP auditors).

NCJA Audits (3 of 4)

SAS Audit Criteria

Supporting documentation for fingerprint reason code used by the agency.

Documentation that indicates CHRI responses requested are for an authorized purpose as stated in federal and state laws.

Consent form for fingerprinting

Applicant signature Date of consent www.michigan.gov/cjicats (NCJA Forms and Templates)

LIVESCAN FINGERPRINT REQUEST FORM RI-030

Auditable Areas

Reviewing: Supporting Documentation User Agreements Local Agency Security Officer (LASO) Personnel Security Media Protection Controlled Area Secondary Dissemination Security Awareness Training

Questions?

MSP and NCJA User Agreement (5.1)

NCJAs receiving CHRI from the MSP shall complete a Noncriminal Justice Agency User Agreement for the Use of Criminal History Record Information, RI-087 form.

This formal agreement is to specify how the exchange of CHRI is to be conducted between the MSP and the NCJA through applicable security and management controls. The user agreement outlines each party’s individual roles and responsibilities as it pertains to the day to day receipt and processing of CHRI and all that entails, including data ownership. The MSP and NCJA user agreements require the authorized signature of the agency representative (an employee of the agency with explicit authority to commit the agency to the agreement requirements) and the CJIS Security Officer of the MSP.

MSP and NCJA User Agreement RI-087

NCJA Outsourcing (1 of 2)

As of September 2013, our state does not meet the requirements for NCJA outsourcing of administrative functions to contractors. Regardless if dissemination is direct, indirect, physical, or verbal.

Therefore…

Receipt, retention, and/or dissemination of CHRI by the contractor is prohibited.

The existence or nonexistence of a record will not be physically or verbally shared with the contractor by a school.

Contractors will no longer be eligible to conduct fingerprint based criminal background checks.

NCJA Outsourcing (2 of 2)

Current Requirements:

Communicate with current contractors to determine the new fingerprinting process. Contracted employees are requested to complete a fingerprint criminal background check through the school agency’s fingerprint process. This is any individual assigned to regularly and continuously work under contract. (i.e. any substitute school personnel, or other school personnel normally contracted through a private entity, and most likely are indirectly hired by the school.)

Schools may institute a “red light/green light” notification to the contractor in order to indicate a specific individual is cleared or not cleared to work in the school.

Red Light – Green Light Example

Local Agency Security Officer- LASO (3.2.9)

Designated by the NCJA: Can be HR Director or other Designee Acts as Point of Contact (POC) with MSP Informs CSA Information Security Officer (ISO) of any security incidents

NCJA LASO Appointment (3.2.9)

www.michigan.gov/cjicats (NCJA Forms and Templates)

Personnel Security (5.12) (1 of 2)

Any persons with felony convictions shall be denied access to CJI/CHRI.

For other than a felony, any person with an arrest without conviction or a fugitive shall be reviewed to determine if access to CJI/CHRI is appropriate.

CJI/CHRI access will be discontinued for any person who is subsequently arrested or convicted of a crime and must be reported to MSP before access may be reinstated.

Support personnel, contractors, vendors and custodial workers with access to areas during CJI processing are subject to fingerprinted based CHRI check unless escorted by authorized personnel at all times.

Personnel Security (5.12) (2 of 2)

Termination of employment is termination of CJI/CHRI access. Review of appropriate access shall be conducted for personnel reassigned or transferred. Each NCJA shall establish a formal sanctions policy to address noncompliance by personnel.

Media Protection (5.8) (1 of 2)

Each NCJA shall establish a electronic/physical media protection policy.

All media shall have restricted access to authorized personnel only and secured in a controlled area.

Transportation of all forms of media is allowed and restricted to authorized personnel for transport.

Controls shall be in place during transit to ensure security and prevent the compromise of data.

Media Protection (5.8) (2 of 2)

NCJA’s shall maintain written documentation of steps taken for the electronic media sanitization and disposal, that is, overwrite at least three times or degauss electronic media prior to disposal.

Including formal procedures for disposal and destruction of physical media, by securely shredding or by incineration.

All destruction shall be witnessed or carried out by authorized personnel.

Controlled Area (5.9.2)

Limit access to controlled area during CJI/CHRI processing times.

CHRI room or storage area should be locked at all times when not in use.

Position CJI/CHRI to prevent unauthorized individuals from access and view.

Agencies shall abide and carry out encryption requirements for electronic storage of CJI/CHRI.

Questions?

Secondary Dissemination (5.1.3) (1 of 3)

Any disseminations conducted outside of primary information exchange agreements are to be logged.

The date record was shared Who made the request (personnel name and agency) Whose record is being shared Who sent the shared copy (personnel) How the request was fulfilled

Secondary Dissemination (5.1.3) (2 of 3)

K-12 schools cannot share responses with Colleges/Universities or Private Entities (Contractors). K-12 schools can share with other K-12 schools, whether private or public, per MCL 380.1230a(11) & (12)

School agencies sharing with applicant. Prior to release, school agencies shall determine through picture ID that applicant and record (CHRI response) are “one in the same.” Can include the state and federal portion of CHRI per recent clarification from the FBI. It is recommended to obtain a signed record identifying acknowledgement of receipt.

Security Awareness Training (5.2)

Each NCJA shall have an established Security Awareness Training (SAT) program, to be approved by CJIS Systems Officer (CSO) at MSP. SAT is the basic awareness of the security necessary for

authorized personnel having access to CHRI while performing their daily duties. Daily duties may involve the direct/indirect access, or processing. All personnel with access to CHRI are to have SAT provided by the agency.

An SAT “fill-in” template has been created and is available for agency's use at www.michigan.gov/cjicats (Training)

Freedom of Information (FOI) Request

Only release state CHRI as outlined in the FOI statute.

At NO time is the FBI portion of the CHRI released. (Title 28 § 534)

Request Copy of CHRI

CHRI is only sent to the original requestor. If responses are not received agencies may make a request for responses from the original print submission in the following manner:

After two weeks of the original print submission request must be made by e-mail: msp-crd-applhelp@michigan.gov After three months of the original print submission request must be made by U.S. mail accompanied by a $15.00 processing fee.

Michigan State Police CJIC – Applicant Help P O Box 30634 Lansing, MI 48909 After six months of the original print submission NO request may be made. The process starts again with a new set of fingerprints and associated processing fees.

Resources & Tools

Our website provides a one stop shopping for obtaining: • Forms • Supplement Guidance • Training Information • Templates • Listserv Archives

MSP Security & Access Website: www.michigan.gov/cjicats

NCJA Audit Information Sheet

THANK YOU !!!!!

For your time and attention – we look forward to working with you in the

future…