Washington State Patrol Non-Criminal Justice Agency Compliance Audit Process Marsha Stril WSP Compliance Auditor 360-534-2135
Dec 17, 2015
Introductions
• Your name
• Your title
Fingerprints
• How do you verify that the person in front of you is who they say they are?
– Verified forms of identification
• Current, valid, unexpired picture identification document (driver’s license)
Secondary forms of identification
• State Government Issued Certificate of Birth
• U.S. Active Duty/Retiree/Reservist Military Identification Card (000 10-2)
• U.S. Passport
• Federal Government Personal Identity Verification Card (PIV)
• Department of Defense Common Access Card
• U.S. Tribal or Bureau of Indian Affairs Identification Card
• Social Security Card
• Court Order for Name Change/Gender Change/Adoption/Divorce
• Marriage Certificate (Government Certificate Issued)
• U.S. Government Issued Consular Report of Birth Abroad
• Foreign Passport with Appropriate Immigration Document(s)
• Certificate of Citizenship (N560)
• Certificate of Naturalization (N550)
• INS I-551 Resident Alien Card Issued Since 1997
• INS 1-688 Temporary Resident Identification Card
• INS I-688B, I-766 Employment Authorization Card
Garbage in, Garbage out
Audit for compliance
Here’s the Deal
• How is this change relevant to what I do?
• What specifically should I do?
• How will I be measured and what consequences will I face?
• What tools and support are available?
• What’s in it for me?
Overview
• Criminal Justice Information Services (CJIS) Security Policy
• Statutory Authority Review
• User Agreements/Memorandum of Understanding (MOU)
• Criminal History Lifecycle
– Security
– Storage/Retention
– Dissemination
– Destruction
– Media Security
• Audit Process
CJIS Security Policy
• Federal Requirements
• Protect the full lifecycle of the Criminal History Record Information (CHRI)
Whether at rest or in transit
• Applies to Non-Criminal Justice Agencies (NCJA)
• Provides a secure framework of laws and standards
http://www.fbi.gov/about-us/cjis
Criminal History Record Information (CHRI) Lifecycle
• Requested (fingerprints)
• Delivered (encrypted email)
• What happens next?
• Where is it being stored?
• How long do you keep it?
• How is it destroyed?
• How secure is your agency IT system?
Is the CHRI Secure?
• Personnel
  • Who has access to it?
  • Are they sharing it?
  • With whom?
• Location
  • Controlled access
  • Password protected
• Storage
  • How long can you retain it?
“Shoulder Surfers”
Secure?
Storage/Retention
• Store CHRI in a secure records environment
  • Dedicated area with restricted access
• Retain CHRI only as long as it pertains to a particular event
  • Licensing
  • Employment
  • Fitness determination
State & Federal CHRI
• CHRI cannot be shared with any internal or external body not involved in the fitness determination of an applicant
• CHRI cannot be given to a person or entity that has no direct interest (secondary dissemination).
• CHRI can be given to the applicant upon request
– Verify ID
Dissemination of CHRI
Is it okay to share (disseminate) the results to anyone else?
Here is an example
• The State Department of Education (DOE) conducts state and national fingerprint-based CHRI checks under an approved state statute. Ms. Doe applies to work for the Wonder County Board of Education (BOE). The BOE conducts a state and national fingerprint-based CHRI check on Ms. Doe. The results of the national CHRI check are disseminated to the State Identification Bureau (SIB). The SIB disseminates the record to the State DOE, who in turn disseminates the record to the Wonder County BOE.
DESTRUCTION OF CHRI
Remember: Safety First!
Macy’s Day Parade Story
Federally Approved Methods of CHRI Destruction
• Incineration
• Shredding
Media Security
“at rest or in transit”
Let’s review…..
• Security
– Personnel & environment
• Storage & Retention
– Where & how long
• Dissemination
– Authorized or not
• Destruction
– Only two authorized methods
• Media Security
Any Questions so Far?
Audit Process
It’s not that bad!
• NCJA audits are mandated to the state repository (WSP) by the FBI
• On-site and/or Mail-in
• Triennial audit cycle (every 3 years)
The Audit Covers
• Security
• Retention/Storage
• Dissemination
• Destruction
• Media Security
• Statutory Authority Review
• User Agreements/Memorandum of Understanding (MOU)
• Required “Security Awareness Training”
Statutory Authority
• Authorized by state statute [Revised Code of Washington (RCW)]
– Can also be authorized by ordinance
– Federal Regulations (HUD, etc.)
– For purposes of employment, licensing, fitness determination and/or emergency placement
Memorandum of understanding (MOU)
• The FBI requires WSP to have an MOU with each of the non-criminal justice agencies (and criminal justice agencies) that submit fingerprint based state and federal background checks
• The purpose of this MOU is to set policy to ensure the protection of CHRI between WSP, the agencies, and the FBI
Why Audit????
The intention of the audit process is to:
• Help agencies implement and/or review policies, meeting state and federal security standards
• Increase safety practices with regard to CHRI
• Limit Agency Liability (MOU)
Pre-Audit
• Pre-audit questionnaire and an audit worksheet are sent out prior to on-site or mail-in audit
• WSP auditor draws a sample of data, verifying information
• The agency returns the completed documents (timelines are important). Why???
• The auditor will notify you of the data drawn and the requested date and time for an on-site or mail in (correspondence) review
During the Audit
• Verify information provided
• Verify Training requirements
– Security Awareness Training mandatory in 2013
• Verify the security of the process
• Verify the security of your IT services
• Verify storage procedures
• Verify how CHRI is disseminated
• Verify how CHRI is destroyed
• Verify MOUs that cover these areas
Post Audit
• Conversation, compliance and completeness
• Areas of concern noted
• Compliance letter sent to the audited agency
• Agency is given 30 days to respond with an action plan
• Be responsive
• Official letter with completed findings sent to the audited agency within 10 business days of reaching compliance standards satisfactorily
As we move forward
• Open and transparent communication
• Clarification of any misunderstandings
• What can the Washington State Patrol do to assist you?
Questions???
WSP Compliance Auditor
Marsha Stril
[email protected]: 360-534-2135
NCJA webpage: http://www.wsp.wa.gov/_secured/ncja/ncja.htm