Directive: AS-13-002
Physical Security of FBI CJI

General Order Reference: 82.1

Implementation Date: 3/21/13

Purpose: To establish standards for the physical security of FBI CJI and associated information systems.

Scope: All employees

Detail: The following policy shall govern the physical access to FBI CJI and associated information systems:

I.    Physically Secure Location

A.    A physically secure location is a facility or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect the FBI CJI and associated information systems.

B.    The perimeter of the physically secure location shall be prominently posted and separated from non-secure locations by physical controls.

C.    Security perimeters shall be defined, controlled, and secured.

D.    Restricted non-public areas in the Olympia Police Department shall be identified with a sign at the entrance.

II.    Authorized Physical Access

A.    Only authorized personnel will have access to physically secure non-public locations.

B.    The Olympia Police Department will maintain and keep current a list of authorized personnel.

C.    All physical access points into the agency’s secure areas will be authorized before granting access.

D.    The agency will implement access controls and monitoring of physically secure areas for protecting all transmission and display mediums of CJI.

E.    Authorized personnel will take necessary steps to prevent and protect the agency from physical, logical and electronic breaches.

III.    All personnel with CJI physical and logical access must:

A.    Meet the minimum personnel screening requirements prior to CJI access.

1.    To verify identification, a state of residency and national fingerprint-based record checks shall be conducted within 30 days of assignment for all personnel who have direct access to CJI and those who have direct responsibility to configure and maintain computer systems and networks with direct access to CJI.

2.    Support personnel, private contractors/vendors, and custodial workers with access to physically secure locations or controlled areas (during CJI processing) shall be subject to a state and national fingerprint-based record check unless these individuals are escorted by authorized personnel at all times.

3.    Prior to granting access to CJI, the Olympia Police Department, on whose behalf the contractor is retained, shall verify identification via a state of residency and national fingerprint-based record check.

B.    Complete security awareness training.

1.    All authorized Olympia Police Department, Noncriminal Justice Agencies (NCJA) like city or county IT, and private contractor/vendor personnel will receive security awareness training within six months of being granted duties that require CJI access and every two years thereafter.

2.    Security awareness training will cover areas specified in the CJIS Security Policy at a minimum.

3.    Be aware of who is in their secure area before accessing confidential data.

a.    Take appropriate action to protect all confidential data.

b.    Protect all terminal monitors on which viewable CJI is displayed and not allow viewing by the public or escorted visitors.

C.    Properly protect and not share any individually issued keys, proximity cards, computer account passwords, etc.

1.    Report loss of issued keys, proximity cards, etc. to authorized agency personnel.

2.    Safeguard and not share passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), and all other facility and computer systems security access procedures.

D.    Properly release hard copy printouts of CJI only to vetted and authorized personnel and shred or burn hard copy printouts when no longer needed, per Directive AS-13-001.

E.    Ensure that controls are in place to protect electronic media and printouts containing CJI while in transport. When CJI is physically moved from a secure location to a non-secure location, appropriate controls will prevent data compromise and/or unauthorized access.

IV.    Visitors Access

A.    A visitor is defined as a person who visits the Olympia Police Department on a temporary basis who is not employed by a criminal justice agency and has no unescorted access to the physically secure location within the City of Olympia where FBI CJI and associated information systems are located.

B.    For the purpose of this document, employees of other Criminal Justice Agencies who are known to the Olympia Police Department shall not be considered visitors.

C.    Visitors shall be recorded by completing the visitor access log, which includes: name and visitor’s agency, purpose for the visit, date of visit, time of arrival and departure, name and agency of person visited.

D.    Visitors shall be accompanied by an Olympia Police Department escort at all times to include delivery or service personnel. An escort is defined as authorized personnel who accompany a visitor at all times while within a physically secure location to ensure the protection and integrity of the physically secure location and any CJI therein.

E.    All requests by groups for tours of the Olympia Police Department will be referred to the proper agency point of contact for scheduling. In most cases, these groups will be handled by a single form, to be signed by a designated group leader or representative.

Roles and Responsibilities:

I.    Local Agency Security Officer (LASO)

Each LASO shall:

A.    Identify who is using the CSA (state) approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same.

B.    Ensure that personnel security screening procedures are being followed as stated in this policy.

C.    Ensure the approved and appropriate security measures are in place and working as expected.

D.    Support policy compliance and ensure the CSA ISO is promptly informed of security incidents.

II.    Information Technology Support

A.    In coordination with the above roles, all vetted IT support staff will protect CJI from compromise at the Olympia Police Department by performing the following:

1.    Be knowledgeable of required Olympia Police Department technical requirements and policies, taking appropriate preventative measures and corrective actions to protect CJI at rest, in transit and at the end of life.

2.    Properly protect the Olympia Police Department’s CJIS system(s) from viruses, worms, Trojan horses, and other malicious code (real-time scanning and ensure updated definitions).

a.    Install and update antivirus on computers, laptops, MDTs, servers, etc.

III.    Account Management, in coordination with the Terminal Agency Coordinator (TAC)

A.    Shall ensure that all user IDs belong to currently authorized users.

B.    Keep login access current, updated and monitored.

C.    Remove or disable terminated, transferred, or associated accounts.

D.    Authenticate verified users as uniquely identified.

E.    Not use shared generic or default administrative user accounts or passwords for any device used with CJI.

By: L. Wohl, Police Administrative Services Manager