G16.1.10 Security of Central Records Computer
Chapter: Chapter 16 – Records and Information Management
Sub-Chapter: 16.1 - Reports and Records System
Effective Date: 08/24/2023
Revised Date: 08/24/2023
Rescinds: S05-02 – 4/17/2018
Purpose
To describe the security measures for the Indiana University Police Department’s (IUPD) central records computer systems.
General Order
The director for information technology and systems ensures the IUPD maintains strict control over all computerized records. The IUPD implements security measures to ensure the integrity of the data is maintained.
System administrator for the records management computer system (16.1.10 a)
The director for information technology and systems is the designated administrator for the IUPD’s computers, servers, software, and all other computer related equipment. The director for information technology and systems coordinates and maintains the department’s computer systems and works collaboratively with University Information Technology Services (UITS).
Data backup and recovery procedures (16.1.10 b)
Indiana University servers are automatically backed up on a regular basis. IUPD’s computerized records are backed up daily and stored in a manner which allows for the data to be recovered.
Physical security measures (16.1.10 c)
IUPD’s Records Management System is electronically housed in the IU data center and is secured in accordance with IU Data Center Access Control Policy.
All doors leading into the secure areas of the IUPD will be secured at all times. Access will only be granted to IUPD employees and other authorized individuals. Access to IUPD workstations is limited to current employees.
Visitors who are not on the authorized individuals list and who are accessing secure areas of the IUPD will sign the visitor log indicating their name, date, purpose for their visit, and the authorized person who will escort the visitor. The escorting individual will remain with the visitor while they are in the secure IUPD areas. The escorting individual will take necessary actions to ensure the visitor does not have access to unencrypted Criminal Justice Information (CJI). These actions include, but are not limited to, advising other employees to secure CJI and ensuring CJI is not visible on screens or printed material. Upon leaving the secure areas of the IUPD, the visitor will sign out on the visitor log.
A separate visitor log is maintained at the public safety communications center. All individuals who are not regularly assigned to work in the public safety communications center must sign in and out on this visitor log.
Workstations designated as Indiana Data and Communication System (IDACS) terminals have been placed in locations approved by the Indiana State Police IDACS Committee and will not be moved unless authorized by the IUPD IDACS coordinator.
CJI will not be displayed on computer monitors that may be visible to the public. Officers who leave an in-car computer unattended will lock the computer or close the lid of the laptop, when practical and safe to do so.
Password administration procedures (16.1.10 d)
The director for information technology and systems or designee is responsible for administering all accounts that allow for access to various computerized records. Employees will safeguard their passwords and will not share their passwords with any other person. If an employee becomes aware their password has been compromised, they will immediately take appropriate action to safeguard the affected account. Depending on the system, passwords may be required to be routinely changed.
Additional Criminal Justice Information Systems (CJIS) procedures
All employees will comply with CJIS security policies. Unescorted access to unencrypted CJI is limited to authorized individuals. CJI will not be distributed to any unauthorized individual outside of law enforcement, or any authorized individual within law enforcement for a non-criminal justice purpose. All employees are expected to report to the IUPD IDACS coordinator if they become aware of any violation of CJIS security policy.
Criminal Justice Information (CJI)
Criminal Justice Information is any information from any source where such information was originally obtained by electronic access to the IDACS, the Indiana Criminal History Record Information System (CHRIS), or the Indiana Automated Fingerprint Identification System (AFIS). Such sources include, but are not limited to:
- FBI’s Interstate Identification Index (III),
- National Crime Information Center (NCIC),
- National Instant Check System (NICS),
- Indiana Bureau of Motor Vehicles (BMV) Driver and Vehicle Registration System (STARS), and
- Other state driver and motor vehicle registry or other information source available via the International Justice and Public Safety Network (NLETS).
The following systems maintained, accessed, and/or operated by the IUPD known to contain CJI, include but are not limited to:
- IDACS/NCIC
- Automated Records Management System (ARMS)
- Caliber Mobile
- Automated Reporting Information Exchange System (ARIES)
- Electronic Citation and Warning System (ECWS)
Authorized individuals
An individual is considered authorized once they have passed a fingerprint-based background check and the CJIS Security Awareness training. IUPD’s IDACS coordinator will maintain a list of authorized individuals who are not IUPD employees.
Any individual who requires routine, unescorted access to secure areas of the IUPD facilities (including any maintenance or janitorial staff) are required to complete a fingerprint-based background check and CJIS Security Awareness training before access is granted. Additional refresher training will be completed as required.
IDACS operators are required to complete the fingerprint-based background check and CJIS Security Awareness training, as a component of their IDACS training, within six (6) months of employment. Sworn officers with direct access to a terminal will complete the IDACS Mobile Data Operator Certification, at minimum. Sworn officers who are command staff or whose roles are primarily administrative may opt to forego an IDACS certification, and instead complete the CJIS Security Awareness training only. Public safety dispatchers will complete the IDACS Full Operator Certification. IUPD’s designated IDACS coordinators will complete the IDACS Coordinator Certification.
Data security
The IUPD’s IDACS coordinator is responsible for ensuring all data security guidelines in CJIS and IDACS security policies are followed. Procedures related to data security measures will be managed by the IDACS coordinator in collaboration with the director for information technology and systems. User accounts for systems containing CJI will be created and maintained based on the need of the user to access the data.
IDACS/NCIC information may only be accessed if used while in the discharge of officially mandated responsibilities or as a part of conducting a law enforcement investigation. All other use is strictly prohibited.
Records containing CJI will be printed only when necessary and must be printed from a printer that is secure from public access and view. Printed records containing CJI will be shredded as soon as they are no longer needed by the authorized individual.
Records containing CJI will not be sent via email. However, photos obtained from BMV records may be sent via email without any associated identifying information if there is a public safety need to distribute the photo.
If records containing CJI must be distributed electronically, the employee sending the information will use the Indiana University approved secure electronic document sharing system. Records containing CJI will not be stored or transported on removable media such as USB, external hard drives, or personally owned devices.
The director for information technology and services or designee will ensure that IUPD devices being retired from service are appropriately wiped and destroyed.
IUPD employees will not use publicly accessible computers to access, process, store, or transmit CJI. Publicly accessible computers include, but are not limited to, computers in libraries, hotels, convention centers, public kiosks, etc.
An IU virtual private network (VPN) is required to access CJI when not connected directly to the IU network. Personally owned devices may be allowed to access IUPD’s ARMS after establishing a VPN connection.
Audits, violations, and sanctions
Use logs for IUPD systems containing CJI will be audited at least annually by the IUPD’s IDACS coordinator or appropriate system administrator. A log of audit actions will be maintained.
All violations of CJIS or IDACS Security policies will be immediately reported to an IUPD IDACS coordinator. IDACS coordinators will follow procedures outlined in IDACS policies regarding the handling of security incidents. Violation of CJIS or IDACS Security policies may result in sanctions up to and including termination of IDACS access and/or employment with IUPD.
Related Information
Indiana University
- DM-01 Management of Institutional Data
- DM-01-S Standards for Management of Institutional Data
- IU Data Center Access Control Policy
- IU Data Center Standards
U.S. Department of Justice
- Criminal Justice Information Systems (CJIS) Security Policy