Ariz. Admin. Code § R13-1-201 - ACJIS Security Measures

A. All criminal justice agencies that collect, store, disseminate, or access criminal justice information or criminal history record information from the ACJIS or NCIC shall comply with the policies, rules and regulations as outlined in the following publications that are incorporated by reference, available from the Department's Access Integrity Unit at 2222 W. Encanto Blvd., Phoenix, AZ 85009, the Federal Bureau of Investigation at 1000 Custer Hollow Road, Clarksburg, WV 26306 and the U.S. Government Publishing Office www.govinfo.gov and include no future editions or amendments:

1. ACJIS Operating Manual, dated September 2021;

2. FBI Criminal Justice Information System Security Policy, dated December 7, 2022;

3. FBI NCIC Operating Manual, dated January 20, 2023;

4. FBI Interstate Identification Index/National Fingerprint File Manual, dated March 2017; and,

5. 28 Code of Federal Regulations Part 20, dated July 1, 2020.

B. A criminal justice agency accessing the ACJIS network shall meet the following security guidelines:

1. Access and dissemination of information from the ACJIS network is limited to criminal justice agencies for the administration of criminal justice or for criminal justice employment.

2. An agency that enters records into the ACJIS network is responsible for the accuracy, timeliness, and completeness of the record entries.

3. An agency shall have an ACJIS misuse policy that outlines the sanctions imposed on agency personnel who misuse ACJIS.

4. An agency shall ensure that agency equipment connected to the ACJIS network is fully compatible with existing ACJIS computer equipment and upgraded as necessary to remain compatible with ACJIS configurations and architecture.

5. An agency shall ensure that agency personnel maintain appropriate operator certification levels as specified in the ACJIS Operating Manual.

C. A criminal justice agency that interfaces its record management system with the ACJIS network shall meet the following interface standards and security requirements as set by the Department:

1. Provide to the Department a complete and accurate schematic depicting the agency network and hardware configuration;

2. Ensure there are security controls to prevent unauthorized access to ACJIS information;

3. Follow user identification and password configurations specified by the Department;

4. Establish a process to review system logs and store the logs for one year; and

5. Support policy compliance and ensure the Department Information Security Officer is promptly informed of security incidents.

D. The Department shall provide criminal justice agencies with information received from the FBI that the Department determines is necessary to comply with this Section.

Notes

Ariz. Admin. Code § R13-1-201

New Section made by final rulemaking at 11 A.A.R. 1550, effective June 4, 2005 (Supp. 05-2). Amended by final rulemaking at 28 A.A.R. 3425, effective 12/4/2022. Amended by final rulemaking at 30 A.A.R. 2077, effective 8/4/2024.