RELATES TO: KRS 17.140, 17.150
NECESSITY, FUNCTION, AND CONFORMITY: KRS 17.140 requires a centralized criminal
history record information system to be established in the Justice and Public
Safety Cabinet under the direction, control, and supervision of the
commissioner of the Department of Kentucky State Police.
KRS 15A.160 authorizes the secretary of the
cabinet to adopt administrative regulations to administer the cabinet.
KRS 17.150(6) requires the
secretary of the cabinet to promulgate administrative regulations necessary to
implement the criminal history record information system. This administrative
regulation sets specific security standards to preserve the CHRI in an
acceptable state.
Section 1. Procedures shall be implemented in the centralized criminal history record
information system to insure that access to criminal history record information
is restricted to authorized persons. The ability to access, modify, change,
update, purge, or destroy information shall be limited to authorized criminal
justice personnel, or other authorized persons who provide operational support,
such as programming or maintenance. Technologically advanced software or
hardware designs shall be implemented to prevent unauthorized access to
criminal history record information.
Section 2. Procedures shall be implemented in the centralized criminal
history information system to determine what persons have authority to enter in
areas where criminal history information is stored and implement access control
measures to insure entry is limited to specific areas where authorization is
valid. Further, access control measures shall be implemented to insure
unauthorized persons are totally denied access to areas where criminal history
record information is stored. Access constraints shall include the system
facilities, systems operating environments, data file contents, whether while
in use or when stored in media library, and system documentation.
Section 3. Procedures shall be implemented in
the centralized criminal history information system to insure that computer
operations that support the criminal history record information data base,
whether dedicated or shared, operate in accordance with procedures developed or
approved by the Justice and Public Safety Cabinet, and further insure that:
(1) CHRI is stored by the computer in such a
manner that it cannot be modified, destroyed, accessed, changed, purged, or
overlaid in any fashion by unauthorized persons.
(2) Operational programs shall be used that
will prohibit inquiry, record updates, or destruction of records, from any
terminal other than designated terminals within the Criminal Identification and
Records Branch.
(3) The
destruction, partial deletion, total deletion, or record correction shall be
limited to designated terminals under the direct control of Criminal
Identification and Records Branch.
(4) Operational programs shall be used to
detect and store for the output of designated criminal justice agency
employees, all unauthorized attempts to penetrate any criminal history record
information system, program or file.
(5) The programs specified in subsections (2)
and (4) of this section shall be known only to criminal justice agency
employees responsible for criminal history record information system control or
individuals in agencies pursuant to a specific written agreement with the
Justice and Public Safety Cabinet to provide the programs, and the operational
programs shall be continuously kept under maximum security
conditions.
(6) Procedures shall be
instituted to assure that any individual or agency authorized direct access is
responsible for:
(a) The physical security of
criminal history record information under its control or in its custody;
and
(b) The protections of
information from unauthorized access, disclosure, or dissemination.
Section 4. Procedures
shall be implemented in the centralized criminal history record information
system to protect CHRI from unauthorized access, theft, sabotage, fire, flood,
wind, or other natural or manmade disasters.
Section 5. Emergency Plans Required. Written
plans and instructions dealing with emergencies described in Section 4 of this
administrative regulation shall be developed in manual form and cover all
foreseeable incidents ranging from minor accidents to major disasters causing
the destruction of computer facilities, entire data bases, and CHRI contained
in manual files. Employees of the centralized criminal history record
information system shall be trained in procedures and specifically assigned
responsibilities in case of an emergency. Plans and instructions shall include
emergency shutdown and evacuation procedures, a disaster recovery plan to
restart critical system functions, procedures for backup files for critical
data such as fingerprint cards, and duplicate system designs. The commissioner
of the Department of Kentucky State Police shall make available needed
personnel to reinstitute the centralized criminal history record information
system as soon as feasible after accident or disaster.