As Records and Information Management Specialists, one of the essential functions of our job is to get the facts about new and updated document rules and regulations. Here, I have gathered some helpful information for you regarding the CJIS Security Policy requirements that will affect how Criminal Justice Information (CJI) is stored and accessed.
The FBI’s Criminal Justice Information Services (CJIS) Security Policy requirements – that address both physical and electronic records – continue to move towards a higher level of access and security. One of the rules that became effective in 2012 requires government agencies to maintain a list of contractors and vendors who have successfully completed a background investigation. Anyone who has access to this information (in any format including electronic or printed /paper) must be subject to a state and national fingerprint-based record check. This includes all employees of vendors and/or contractors: delivery drivers, box storage companies, scanning contractors, outsourced administrative. etc.
Medical Industry Blazes the Trail for Secured Information with HIPAA
The essential premise of the CJIS Security Policy is to provide appropriate controls to protect the full lifecycle of Criminal Justice Information (CJI), whether at rest or in transit. Ironically enough, these CJIS Security Policy protocols become more challenging from a paper perspective because paper is a lot more difficult to track and control outside of a secure working environment. The good news is that the medical industry has been on this issue for a long time as the Health Insurance Portability and Accountability Act (HIPAA) continues to also move towards security and interoperability (basically a secure way to share information). The technology and process for converting paper to digital formats has become more efficient, thus driving down the cost. Additionally, there are some really cool tools available that allow us to store it and share it in ways that are low maintenance and user friendly.
CJIS Security Policy Requirements Q&A with Our Local FBI Agency
We have a pretty sharp team dedicated to reading, digesting and ensuring that we interpret the CJIS Security Policy correctly (yes, we serve them a LOT of coffee)! But just to make it super clear, I thought I would reach out to our local FBI agency. He graciously referred me to CJIS ISO in Texas. Here’s what we verified:
1. Do boxes containing CJI paper records need to be stored in a separate area of the facility?
Not necessarily. The Facility needs to be secured. Although if they are stored in a separate part of the facility, that would limit the amount of finger printing that needs to be done to only those that have access to the records.
2. Do all employees with access to the boxes need to have fingerprint and background checks (including drivers, warehouse staff, etc.)?
Yes, those that have access to the boxes have to pass a finger print background check and there must be a Security Addendum signed with the law enforcement agency as well as Certification pages signed by each employee with access. Again, there are alternatives. For instance, if the boxes are locked and secure and the Law Enforcement agency keeps the only key that opens them, the storage and transporting folks would not have access and not be required to pass a background check.
The cliff-notes version: Vendors with access to CJI have to have a security addendum with a law enforcement agency and pass a finger print based background check. The CJI data must be secure at all times and access to the data needs to be limited to authorized persons only. There is a PII component to most CJI, but in Texas if you’re good with the CJIS Security Policy, you should be good with State PII laws.
We make sure to use CJIS compliant staff when digitizing documents that contain CJI. We also provide a “secure file transfer” service that helps attorneys share this information within and outside their organizations once they migrate from paper to digital formats. Finally, our consultants are able to assess what tools, products and/or services are relevant to your specific needs for meeting the CJIS Security Policy requirements.
For more information about how we can help you meet CJIS Security Policy requirements, contact us by phone at 1-800-803-1083 or send us a message.
——————————————————————————————————————————————————————————————-Anna Stratton is Director of Information Management Solutions at Southwest Solutions Group headquartered in Dallas, Texas. Anna specializes in records management and business process protocols, document scanning, policy design, and information retention policies and process. Anna has over 18 years of professional business management experience and provides advice nationwide through the SYSTEC Group’s “Ask the Expert” column. Ms. Stratton is also a dynamic national speaker and conducts private corporate seminars on a variety of topics in addition to providing keynote and educational speeches for organizations such as ARMA and the Lorman Seminar Group. Ms. Stratton has been recognized by Cambridge Who’s Who for demonstrating dedication, leadership and excellence in information and asset management.