Ga. Comp. R. & Regs. R. 140-2-.11 - Security Requirements for Criminal Justice Information in a Data Processing Environment
Current through Rules and Regulations filed through April 4, 2022
(1) Computers used to collect, store or
disseminate CHRI shall be protected from unauthorized access by means of
software or hardware control systems, which log all access attempts. Each
individual authorized to store, process and/or transmit CJIS information will
use a unique identifier. The unique identification is also required for
personnel who administer and maintain the system. The unique identification can
take the form of a full name, badge number, serial number or other unique
alphanumeric identifier. The identifier shall be authenticated.
(2) CHRI transmitted from one point to
another by computer shall be protected from unauthorized access by means of
software or hardware control systems. Standards for control systems outlined
here must meet FBI CJIS Security Policy requirements.
(a) Procedures to prevent unauthorized
copying or retaining of messages containing CHRI must be in place.
(b) Computers may log any message traffic and
record such data elements as date, time, message number, origin and
destination.
(c) CJIS information
passing through a public network segment shall be protected with
encryption.
(d) CJIS information
transmitted over dial-up or internet connections shall be protected with
encryption.
(e) The Director may
grant authorization for internet access to support CJIS processing when a
minimum set of technical and administrative requirements, which assure the
security of the CJIS system from unauthorized access via the internet are in
place.
(f) CJIS information passing
over wireless links shall be protected with encryption. Transmitting hot file
data over wireless links is allowed with either encryption or a proprietary
data transmission protocol that prevents recognizable clear text transmissions.
All wireless links or server access points shall be protected by authentication
to ensure protection from unauthorized system access.
(g) Networks having terminals or devices that
access CJIS and/or the internet must be protected by firewalls meeting the
GCIC/FBI CJIS Security Policy standard as amended.
(3) Computers storing or disseminating CHRI
may perform logging activities pursuant to Rule
140-2-.06.
(4) Computers and the agencies operating or
administratively responsible for the operation of computers utilized in whole
or part for the collection, storage, dissemination or message switching of CHRI
shall be subject to GCIC audits pursuant to Rule
140-2-.07.
(5) Physical security standards for these
computers shall be maintained pursuant to Rule
140-2-.08.
(6) Personnel security standards for persons
employed to operate, program or maintain these computers shall be established
pursuant to Rule
140-2-.09 as follows:
(a) A criminal justice agency responsible for
collecting, storing, disseminating or transmitting CHRI by computers not under
its direct administrative control shall not employ any person convicted by any
state or the federal government of any felony or sufficient misdemeanors to
establish a pattern of disregard for the law.
(b) A criminal justice agency responsible for
collecting, storing, disseminating or transmitting CHRI by a computer center
not under its direct administrative control has the right and responsibility to
investigate computer center job applicants and employees and disqualify any
person convicted by any state or the federal government of any felony or
sufficient misdemeanors to establish a pattern of disregard for the
law.
(7) Secret data or
CHRI contained in a computer system, whether dedicated or shared, shall be kept
under maximum-security conditions. Documents containing secret data or CHRI no
longer required to support criminal justice operations, must be destroyed in a
secure manner that precludes unauthorized access to the information.
(8) The agency administratively responsible
for the supervision of persons, computer hardware or software assumes liability
for any misuse of secret data or CHRI stored in a shared computer
environment.