AUDITS
Jul 04, 2020
Why do we audit?
Criminal History Record Information (CHRI) is protected, confidential information and must be used for authorized purposes only.
Improper handling and releasing of CHRI may result in fines up to $50,000 and/or imprisonment for 15 years.
Agencies we audit
Non-Criminal Justice agencies
Schools
Probate and Superior Courts
State and Local Agencies (Ex: Fire Departments and City Governments)
At least every 3 years
Agency Responsibilities
Agency Point of Contact (POC)
Agency Point of Contact is responsible for:
Scheduling the audit with the auditor
Completing pre-audit instruction packet
Providing onsite audit documentation
Providing post-audit responses
Local Agency Security Officer (LASO)
Agencies are required to appoint a LASO who shall:
Identify who is using the approved hardware, software, and firmware
Ensure no unauthorized individuals or processes have access to the same
Identify and document how the equipment is connected to the state system
Ensure that personnel security screening procedures are being followed
Ensure the approved and appropriate security measures are in place and working as expected
Support policy compliance and ensure the GCIC is promptly informed of security incidents
Security
Agencies must keep CHRI in a controlled area.
The controlled area must be limited to authorized personnel.
Unsupervised janitorial staff cannot have access to the controlled area.
Access to CHRI must be restricted if:
the individual with access is no longer employed by the agency
the individual's job duties no longer require access
Agencies that keep criminal justice information (CJI) by electronic means must:
meet the 128-bit encryption requirement
have firewalls in place within the system to protect data from unauthorized access
have a unique username and password
Destruction of CHRI
Agencies must properly dispose of CHRI
By shredding or burning
By agency personnel
By contractor under supervision of agency personnel
By contractor without agency personnel
Outsourcing Agreement
Dissemination
Agencies may only disseminate CHRI to:
Authorized personnel within the agency
Authorized personnel within a related agency (Fire Departments and Georgia Firefighter Standards and Training Council are related)
Individual of record
Agencies must record the dissemination in the dissemination log.
Dissemination
Fitness Determination Letter
May not include CHRI
May not indicate that a national fingerprint-based record check was completed
May indicate the status of suitability (yes or no)
The following may be released:
“The denial of licensing/employment is due to disqualifiers found during a background investigation.”
Dissemination
CHRI is not available in any form for public access and may not be released by an open records request; therefore, CHRI should not be included in the personnel files.
Audit Documentation
1. User agreements
2. Training Records
3. Awareness statements
4. Policies
5. Privacy Rights/Privacy Act Statement
6. Fingerprint Survey
7. Outsourcing Agreements
8. Agency Personnel List (Contractor/Volunteer)
9. Network Topology (if applicable)
10. Employment/Licensing Applications
1. User Agreements
Agencies are responsible for:
Maintaining a current copy of the GCIC User Agreement
Updating agreements when the agency head or contact person has changed
2. Training
Security Awareness Computer Based Training (CBT)
Applicant Services Orientation
Full day classroom training on all Applicant Services rules, regulations and responsibilities
Required for all agencies requesting a new ORI
3. Awareness Statement
Agency personnel are required to sign an awareness statement if they:
Process CJI
Handle CJI
Disseminate CJI
Destroy CJI
Have access to CJI
4. Policies
Man-Made Disaster Policy
The agency must have a written policy for the protection of CJI/CHRI from:
unauthorized access
theft
sabotage
damage resulting from fire, wind, flood, power failure, or other natural or man-made disasters
Media Protection Policy
The agency must have a written policy for:
Secure handling
Transporting
Storing
Disposing of:
electronic media (memory devices, laptops, computers, flash drives)
physical media (printed documents)
Disciplinary Policy
The agency must have a written policy to include formal sanctions that specifically address violations of:
Use of CJI
Dissemination of CJI
Security of CJI
Destruction of CJI
5. Privacy Rights/Privacy Act Statement
Agencies must provide written notification of the Applicant Privacy Rights and the Privacy Act Statement
GAPS agencies: notification window
Livescan agencies: poster application packet
6. Fingerprint Survey
Provide the specific use(s) and reason(s) for each transaction
Ex: Firefighters, teacher certifications, weapons carry licenses, volunteers, etc.
Provide the specific statute or federal law that authorizes the background check
Ex: O.C.G.A 25-4-8 (Firefighters)
7. Employment & Licensing Applications
Agencies must provide documentation to support each fingerprint transaction.
Ex: application for employment, certification/licensing application, petition for adoption (or acceptable alternative)
8. Agency Personnel List
Agencies must provide an alphabetical list of all agency personnel who have access to
CHRI, including:
Contractors
Vendors
Volunteers
9. Network Topology
Agencies shall ensure that a complete topological drawing depicting the interconnectivity of the agency network to criminal justice information systems and services is maintained in a current status.
Only Non-Criminal Justice Agencies that keep Criminal History Record Information in an electronic format must have a Network Topology.
10. Outsource Agreements
Agencies that choose to outsource any responsibilities which involve the administration of criminal justice information, including:
Shredding
Livescan
Fitness determinations
must have a GCIC-approved Outsource Agreement.
Receive written permission from GCIC
Provide a copy of the contract to GCIC (must include the Outsourcing Agreement)
Contact GCIC to see if the contractor has any security violations
Fingerprint contractors for access to CHRI
On-Site Audit
An auditor will contact agencies 15 to 30 days in advance to schedule the audit.
Pre-Audit Instructions
Schedule Time for Briefings
Pre-Audit Instruction Packet
Audit Documentation
Complete all tasks PRIOR to On-Site Audit
Post Audit Instructions
If an agency is found to be in full compliance, the auditor will send a Full Compliance Notification Letter to the agency head.
If an agency is found out of compliance, the agency must provide a written response to all non-compliance areas within ten (10) days of Audit. The response must be on agency letterhead and signed by the agency head.
Auditor will review agency response
Acceptable Response: Final Notification Letter
Further clarification/action necessary: agency head notified
Failure to respond to the audit or an unsatisfactory reply for non-compliance areas may result in agency sanctions.
Resources
Applicant Services Blog
Audit Information
GCIC Updates
Agency Specific Information
Training Information
Training Schedule
Course Library (coming soon)
Instructional Videos (coming soon)
CJIS Symposium (August 23rd – August 25th)
NCJ Orientation
Audits
Fingerprinting
Identity History Summary
NCJ CJIS Security Policy
Georgia Applicant Processing Service (GAPS)
Don’t Put Your Agency In Jeopardy! (trivia)
Questions