G.O. 37
LONGWOOD POLICE DEPARTMENT
GENERAL ORDER
NUMBER: GO - 37
SUBJECT: CJIS SECURITY
EFFECTIVE: AUGUST 18, 2014
REVISED: DECEMBER 02, 2019
GENERAL ORDER
CJIS SECURITY
GO – 37 PAGE 1 OF 21
I. PURPOSE:
It is the purpose of this directive to define Longwood Police Department policy for
the use of the Criminal Justice Information System (CJIS).
II. SCOPE (RELATIONSHIP POLICY):
The goal of this policy is to comply with the CJIS security policy requirements. Due
to the evolving nature of the CJIS security policy, it is necessary to separately
communicate the requirements of the CJIS security policy as they are developed
and enhanced. These additional requirements are intended to be an enhancement
to the existing Standard Operating Procedures of the Longwood Police
Department. The agency shall adhere, at a minimum, to the CJIS security policy.
While the agency may augment or increase the standards, it cannot detract from
the minimum requirements set forth by the FBI CJIS security policy.
III. DEFINITIONS:
A. Criminal Justice Information (CJI)
CJI is defined as any information derived, in whole or part, from any state
or federally controlled source, such as FCIC/NCIC or CJNet. This includes
partial information that might otherwise be gained from publicly available
resources. For example, an address gained from running a person in DAVID
is CJI, even though that information may be gleaned from property
records. A statement saying that a person does not have a criminal history
comprises CJI. Only the following types of data are exempt from the
protection levels required for CJI: transaction control type numbers (e.g.
ORI, NIC, FNU, etc.) when not accompanied by information that reveals CJI
or PII.
B. Criminal History Record Information (CHRI)
A subset of CJI. Any notations or other written or electronic evidence of
an arrest, detention, complaint, indictment, information or other formal
criminal charge relating to an identifiable person that includes identifying
information regarding the individual as well as the disposition of any
charges, when obtained in whole or part from any state or federally
controlled source. Due to its comparatively sensitive nature, additional
controls are required for the access, use and dissemination of CHRI.
C. Personally owned device
A cell phone, tablet or any other device that is owned and maintained by
the user and not the agency.
D. Personally Identifiable Information (PII)
Any information pertaining to an individual that can be used to distinguish
or trace a person’s identity. PII is defined as any one or more types of
information including, but not limited to:
1. Social security number
2. Username and password
3. Passport number
4. Credit card number
5. Clearances
6. Banking information
7. Biometrics
8. Date and place of birth
9. Mother’s maiden name
10. Criminal, medical and financial records
11. Educational transcripts
12. Photos and video including any of the above
E. Computer
Any device running a full featured operating system (e.g. Microsoft
Windows, Apple OS X) to include desktop computers, towers and servers.
It also includes laptops such as MCTs and certain tablet computers like the
Surface Pro. This definition does not include smartphones.
F. Local Area Security Officer (LASO)
A member of the agency, determined by the chief, who ensures the agency
is CJIS compliant and is the CJIS security point of contact.
G. Media
Materials that store data in any form or allow data to pass through to
include paper, transparencies, multipart forms, computer hard drives,
computer disks, USB drives, rewritable CD ROMs, video and audible tapes.
H. Physically Secure Location
A physically secure location is a facility, a criminal justice conveyance (such
as an enclosed, secured automobile), or an area, a room, or a group of
rooms within a facility with both the physical and personnel security
controls sufficient to protect CJI and associated information systems.
IV. PERSONALLY IDENTIFIABLE INFORMATION (PII):
A. Physical and Electronic PII Files
All electronic files that contain PII will reside within the agency’s physically
secure location. All physical files that contain PII will reside within a locked
file cabinet or the records area when not being actively viewed or
modified. PII is not to be downloaded to workstations or mobile devices
(such as laptops, personal digital assistants, mobile phones, tablets or
removable media) or to systems outside the protection of the agency. PII
obtained from a CJI source will not be sent through any form of insecure
electronic communication as significant security risks emerge when PII is
transferred from a secure location to a less secure location or is disposed
of improperly. When disposing of PII the physical or electronic file should
be shredded or securely deleted. All disposal of PII will be done by
authorized agency members.
B. Access and Use of PII
All PII will be collected only when there is a legal authority and it is
necessary to conduct agency duties. Access to PII is only conducted when
the information is needed to conduct police department official duties and
should only be utilized for official purposes. Agency members will not
create duplicate copies of documents that contain PII and will destroy the
documents when no longer needed. When PII is extracted from a
document, agency members may only target the PII that is required for the
task. PII that is extracted shall not be retained beyond the records
retention rules for the data and the system it was accessed from. PII shall
not be stored or transmitted via personally owned devices. PII may not be
taken home by any agency member.
V. CJI INFORMATION HANDLING:
A. CJI Information Use
The information obtained from the CJI systems must only be used for
criminal justice purposes. Members must follow all CJIS security policy,
state and federal rules and regulations regarding CJI information. All
members with access to CJI, audio as well as visual, shall receive the proper
training within 30 days of hire. CJI or PII obtained from a CJI source will not
be transmitted via email unless encrypted. All information outlined in the
information exchange and disposal of physical media shall be followed as
well. These procedures shall include all inquiries for both criminal justice
and non-criminal justice purposes.
B. Servers Used for CJI Storage
The agency utilizes servers for storage of CJI. The servers are kept in a
physically secured building inaccessible to non-authorized individuals. The
door is locked and is only accessible to agency members.
C. Physical CJI Storage
Physical information, such as reports that contain CJI, is stored in the
records room that is only accessible to agency members. The documents
are stored in locked filing cabinets and are only removed when needed for
operational purposes. When removed, the information is kept by an
authorized individual and then returned.
D. CJI Information Removed from the Facility
Any information that must leave the facility will be transported only by
authorized members and only for operational purposes.
E. Computer Monitor Viewing Restrictions
All computers within the facility are turned away from view to prevent
unintentional viewing or shoulder surfing.
F. CJI Information in Emails
The agency does not send CJI via email. In the event CJI would need to be
sent via email, the CJNET Email system would be used. This ensures that
the information is encrypted from end to end.
G. Encryption
The agency does not utilize PKI encryption.
VI. INFORMATION EXCHANGE/ SECONDARY DISSEMINATION:
The Longwood Police Department will establish formal agreements with other law
enforcement agencies prior to exchanging CJI or utilizing secondary dissemination.
The Longwood Police Department allows for CJI to be shared with local law
enforcement agencies and has current agreements in place with each. This
exchange is only permitted in hard copy form or through a CJI application shared
with other agencies.
If the Longwood Police Department needs to share CJI with another agency that it
does not currently have an agreement with, the Agency will verify the receiver of
the information by inspecting the receiver’s agency-issued law enforcement
identification and contacting the receiver’s dispatch center to ensure the
requesting individual is an authorized recipient allowed access to the information.
The Longwood Police Department will document the information given as well as
the identity of the requestor in a secondary dissemination log. All disseminated
CJI shall be documented in the dissemination log. The dissemination log will
include: the date, subject’s name, SID or FBI number, name of authorized
requestor, requestor’s agency, operator, reason for dissemination, and purpose
code.
VII. REMOTE ACCESS:
A. The agency utilizes remote access to communicate with information
systems through an external, non-agency-controlled network. The
purpose of this policy is to outline acceptable methods of remote access
and the security in place to keep the information system(s) secure.
B. Remote access shall be used for official use only. This includes those
members remoting in to the agency’s network using the Net Motion
secure VPN while working remotely which includes school resource
officers or members assigned to task forces. IT members may remote
access into the agency’s network for official business purposes only.
Currently we do not have vendors accessing systems containing CJI.
However, if there is a need for vendors to access CJI systems, virtual
escorting will be employed.
C. It is the responsibility of agency members with remote access privileges
to the agency network to ensure that the connection is secure. All remote
access to the agency information systems must be done through the
agency’s VPN tunnel. The tunnel will be verified as FIPS 140-2 certified.
Those members accessing the VPN must use advanced authentication as
a secondary form of authentication in order to access the network. The
agency authorized Net Motion for this, which is FIPS 140-2 certified.
Information technology members will monitor and control all remote
access to the agency systems.
VIII. PERSONALLY OWNED DEVICES:
A. Personally owned devices are not allowed to access the agency network.
Therefore, a device that is not owned by the agency shall not process,
store, access or transmit CJI.
B. Under no circumstance are users allowed to connect their personal device
to the agency network or any agency owned devices, applications or
systems.
IX. WI-FI:
A. Agency Provided Wi-Fi
The Longwood Police Department has provided a limited number of
agency secured network wireless access points. These are configured,
monitored and logged to conform to strict security guidelines. Information
Technology members are responsible for maintenance of all access points.
Procedures for maintaining these access points include the following.
1. Perform validation testing to ensure rogue access points do not
exist in the 802.11 wireless local area network and fully understand
the wireless network security posture.
2. Maintain a complete inventory of all access points at all times.
3. Place access points inside secured locations only to prevent
unauthorized physical access and user manipulation.
4. Test access point range boundaries to determine the precise extent
of the wireless coverage and design the wireless coverage to limit
the coverage area to only what is needed for operational purposes.
5. Enable user authentication and encryption mechanisms for the
management interface of the access point.
6. Ensure that all access points have strong administrative passwords
and ensure that all passwords are changed in accordance with the
FBI CJIS security policy.
7. Ensure the reset function on access points is used only when
needed and is only invoked by authorized members. Restore
access points to the latest security settings when the reset
functions are used to ensure the factory default settings are not
utilized.
8. Change the default service set identifier (SSID) in all access points.
Disable the broadcast SSID feature so that the client SSID must
match that of the access point. Validate that the SSID character
string does not contain any agency identifiable information.
9. Enable all security features of the access points, including the
cryptographic authentication, firewall and other privacy features.
10. Ensure encryption key sizes are at least 128-bits and the default
shared keys are replaced by unique keys.
11. Disable ad hoc mode.
12. Disable all nonessential management protocols on the access
points and disable hypertext transfer protocol (HTTP) when not
needed or protect HTTP access with authentication and encryption.
13. Enable logging and review the logs on a monthly basis.
14. Segregate virtually or physically the wireless network from the
operational wired infrastructure and limit access between wireless
networks and the wired network to only operational needs.
15. When disposing of access points that will no longer be used, clear
access point configuration to prevent disclosure of network
configuration, keys, passwords, etc.
16. Legacy protocols used by all pre-802.11 protocols do not meet the
requirements for FIPS 140-2 and are not used.
B. Public/Private Wi-Fi
There are significant risks to connecting to non-agency controlled wireless
access points (Wi-Fi) such as those in coffee shops, hotels and similar
locations. Rogue access points masquerading as legitimate public access
points can allow for man-in-the-middle, eavesdropping, and session
hijacking attacks. Home and other private networks can be similarly
compromised when strict security features, patching and log reviews are
not in place. Longwood Police Department computers may not be
connected to any public/private hotspot or Wi-Fi.
C. NetMotion
When utilizing agency issued laptops, members are required to run Net
Motion Mobility. Net Motion encrypts network traffic and ensures data
flows through our enterprise grade security tools. Filters must not be
bypassed unless the device is connected to an agency issued network port
or agency issued Wi-Fi.
X. BLUETOOTH TECHNOLOGY:
A. Bluetooth Defined
Bluetooth is an open standard for short-range radio frequency
communication and used primarily to establish wireless personal area
networks. Bluetooth technology has been integrated into many types of
business and consumer devices, including cell phones, laptops,
automobiles, medical devices, printers, keyboards, mice, headsets, and
biometric capture devices.
B. Bluetooth Uses and Restrictions
Bluetooth will only be used for official business purposes. The purposes
include Longwood Police Department’s wireless mice and keyboards.
Currently the agency does not utilize Bluetooth to transmit CJI.
XI. MEDIA PROTECTION:
A. Media in all forms with CJI and PII will be protected at all times.
1. Digital and physical media is restricted to authorized individuals.
Only those users of the agency who have undergone a fingerprint
based record check and have appropriate security awareness
training will be allowed to handle criminal justice information in
any form.
2. Handling physical media- The agency will ensure that only
authorized individuals will be granted access to media containing
criminal justice information. The media will be stored within the
physically secure building and kept behind locked doors and locked
cabinets. When no longer needed, the electronic media will be
disposed of by authorized agency members. Hard copies will be
shredded by authorized members by using a cross cut shredder.
3. Any media that is transported outside the physically secure
location will be kept in a sealed envelope with evidence tape to
ensure that the chain of custody is maintained. When the media is
released to another user, the user will document the transaction in
a secondary dissemination log for validation purposes.
4. At no time will the physical media be released to an unauthorized
person or left without proper documentation.
XII. ELECTRONIC MEDIA SANITIZATION AND DISPOSAL:
A. Electronic media that has been used to store CJI that has reached the end
of its lifecycle must be sanitized and disposed of to ensure that criminal
justice information is not viewed or accessed by unauthorized individuals.
B. All electronic media must be properly sanitized before being transferred
from the custody of the agency. The proper method of sanitization
depends on the type of media and the intended disposition of the media.
C. The agency will overwrite the hard drive utilizing a three pass wipe. This
will ensure that the data on the drive is overwritten with patterns of binary
ones and zeros. The sanitization of the hard drive is not complete until the
third wipe passes and a verification pass is complete.
D. Destruction of the hard drive will incorporate physically drilling into the
drive. This will be carried out or witnessed by authorized agency members.
E. USB drives, floppy disks, rewritable CD-ROMS, zip disks, videotapes and
audiotapes will be erased if able and then destroyed by drilling or
smashing, which will be witnessed or carried out by authorized agency
members.
XIII. PHYSICAL MEDIA DISPOSAL
A. The disposal of physical media that contains CJI must be completed in an
effective manner in order to protect the secure information.
B. When no longer needed, this physical media such as hard copy print-outs
shall be disposed of by the following method:
1. The CJI media is stored in a locked bin until cross-cut shredded.
2. The shredding will be completed by the agency approved shredding
vendor with the entire process being witnessed by a member of the
agency.
XIV. PHYSICAL LOCATION PROTECTION
A. Only authorized members have access to the police station or any other
location where criminal justice information systems and components are
located by the Longwood Police Department.
B. Visitors must sign in at the front desk and produce identification. The
agency does not allow unescorted access by any non-agency member.
When escorted into the building, visitors will wear a visitor’s badge and be
accompanied by an authorized agency member.
C. All computer screens will be turned away from public view. All physical
media containing CJI will be locked in a filing cabinet in a locked office. Only
authorized members will have a key to the cabinet.
D. All computer components will be locked in the secure server room. Only IT
members will have access to the server room. All vendors and contractors
will undergo fingerprint based records checks documented using the
agency ORI and will complete appropriate security awareness training.
E. Any transportation of CJI will be done securely. Only authorized
members can transport CJI. It will physically be with the members or, if
electronic, will be encrypted to meet the FIPS 140-2 standard.
F. All agency computers will be equipped with boundary protection tools and
spam and spyware software to avoid any intrusion attacks.
XV. ACCOUNT MANAGEMENT:
A. The management of CJI system accounts shall be conducted by
information technology members at the direction of the LASO in
accordance with all policies and CJIS security policy requirements. New
employee members will gain access to all systems upon start date, but will
lose access to CJI systems if training courses are not completed or passed
within 30 days. All user accounts of retired, terminated or otherwise
former and non-working members shall be disabled and revoked
immediately and no longer than five days from member separation. User
accounts suspected of compromise shall be immediately disabled upon
first discovery of compromise. Logs of access privilege changes shall be
maintained for a minimum of one year and document the validation
process.
B. The agency LASO is the point of contact for all accounts. The LASO shall
manage information system accounts to include establishing, activating,
modifying, reviewing, disabling, and removing user accounts on all
Criminal Justice Information Systems.
C. Account Creation:
1. Upon completion of appropriate state and national fingerprint-
based records check, the agency will notify the LASO and provide
the following information regarding the user via the Information
Technology New User Setup Form:
a. Applicant full name
b. Applicant date of birth
c. Applicant social security number
d. Applicant start date
e. Applicant assigned MCT (laptop)
f. Applicant system(s) access
g. Applicant system(s) permissions
2. The LASO will create and establish a Windows Domain account for
the applicant. Each account is uniquely identified by a user name
derived from the user’s first letter of their first name followed by
their last name. All accounts are created to ensure a unique
username for every individual.
3. The Domain account will be assigned a temporary password and
will be set up to require the user to create a new password upon
activating the first session. The password for the account must
adhere to the agency password requirements outlined in the
Authentication Strategy Policy.
4. The LASO will contact the Seminole County Sheriff’s Office to
establish an account for the Input RMS/JMS and CAD system for
the user utilizing the same username requirements.
5. The LASO will identify the level of authority for the user, which is
either read only or edit all.
6. The LASO will provide the initial credentials and temporary
password to the user’s supervisor.
7. Upon completion of paperwork, the user will be issued agency
equipment delegated to the user’s position within the agency.
Equipment includes, but is not limited to, agency laptop, integrated
aircard for wireless access, keys, identification badge and
authentication token (bingo card). The user will sign a receipt for all
items. Subsequent equipment changes, deletions, enhancements
will be documented via agency equipment receipt form and
approved through agency chain of command.
8. The LASO will meet with the new user upon starting to ensure
proper access to each information system is granted.
D. Account Modification
In the event of promotion, demotion, suspension, leave or voluntary or
involuntary termination, the supervisor will immediately notify the LASO
of the change of status to ensure appropriate access changes are made to
systems and applications.
1. Promotion/Demotion- Supervisor will notify LASO of the change of
status and change of authority level.
a. The LASO will update all systems and applications as
necessary to evolve with the current status of employment
and will document these changes in the active directory.
2. Suspension/Leave - Supervisor will notify LASO of the temporary
change to the user’s account.
a. The LASO will temporarily deactivate the account on each
system and application.
b. Upon reinstatement, the supervisor will notify the LASO
and reactivate the user accounts on all systems and
applications.
E. Account Termination
1. Upon termination from the agency, whether voluntary or
involuntary, the supervisor will inform the LASO of the employment
change.
2. The LASO will remove all accounts on all information systems and
applications.
3. The LASO will notify SCSO of the user’s termination from the agency
so the user can be removed from their systems as well.
F. Account Validation
The agency shall validate information system accounts at least annually
and shall document the validation process. The LASO will send an email
message to SCSO (6900@seminolesheriff.org) requesting the Longwood
Police Department ORI (FL0590300) user list in the Application Security
Manager. When the list is obtained, the Application Security Manager list
will be reconciled with the CJI System Accounts spreadsheet. Any
discrepancies that are discovered during the reconciliation shall be
reported to SCSO (6900@seminolesheriff.org). For discrepancies relating
to a reassignment or transfer to another position, the notification
shall contain the name of the employee and any change in access by
application. For discrepancies associated with a terminated employee, the
name of the employee and termination date shall be included in the
notification.
XVI. VOICE OVER INTERNET PROTOCOL:
A. Voice over Internet Protocol (VoIP) has been embraced by organizations
globally as an addition to, or replacement for, public switched telephone
network (PSTN) and private branch exchange (PBX) telephone systems.
The immediate benefits are lower costs than traditional telephone services
and VoIP can be installed in-line with an organization’s existing Internet
Protocol (IP) services. Among VoIP’s risks that have to be considered
carefully are: myriad security concerns, cost issues associated with new
networking hardware requirements, and overarching quality of service
(QoS) factors.
B. Information Technology Department shall deploy, support and maintain all
VOIP equipment. Only Information Technology is authorized to add,
remove or modify any of the Longwood Police Department’s VOIP
equipment or systems.
C. Information Technology shall:
1. Deploy, support and maintain all VOIP equipment
2. Change the default administrative password on all IP phones and
VoIP switches
3. Utilize Virtual Local Area Network (VLAN) technology to segment
VoIP traffic from data traffic that contains CJI, CHRI or PII
4. Ensure each voicemail account is password protected and
password is only shared with the employee assigned a particular
voicemail account
D. Longwood Police Department members shall:
1. Agency members will not add, remove or modify any of the
Longwood Police Department’s VOIP equipment or systems
2. Members will not share their VOIP voicemail account password
with anyone else
XVII. INCIDENT RESPONSE PLAN:
A. Security Breach Notification Requirement
Should an incident occur involving any device (workstations, smart phones,
laptops, tablets, etc.) that is on the Longwood Police Department network,
the LASO shall be contacted immediately. If it is deemed by the LASO to be
a security breach of confidential information, a Security Incident Response
Form will be filled out and submitted to FDLE ISO at fdlecjisiso@flcjn.net.
B. User Reporting Responsibilities
1. All users are responsible for reporting known or suspected
information or information technology security incidents. All
incidents must be reported immediately to Longwood Police
Department LASO. The LASO will inform a member of IT and
document the incident.
2. If a suspected incident occurs on a user’s laptop, the user shall not
turn off the device. The user will leave the device on and report the
incident. A member of IT will look over the device and determine if
the incident is contained to the one device or if it is within the
agency system. Longwood Police Department will employ Cisco
Advanced Malware Protection on all desktop and laptop devices
and will ensure that the antivirus software is up-to-date.
C. Incident Response
Incident response will be managed based on the level of severity of the
incident. The level is a measure of its impact or threat on the operation or
integrity of Longwood Police Department and its information. High Level
(potential to impact the network or criminal justice information), Medium
Level (potential to impact one system or non-critical system), and Low
Level (has little or no risk of infecting a criminal justice system).
D. The Longwood Police Department will identify the security breach by
conducting the following:
1. Confirm the discovery of a compromised resource(s).
2. Evaluate the security incident.
3. Evaluate the security incident.
4. Identify the system(s) of information affected.
5. Review all preliminary details.
6. Characterize the impact on Longwood Police Department as:
minimal, serious, or critical.
7. Determine where and how the breach occurred.
a. Identify the source of compromise and the time frame
involved. Review the network to identify all compromised
or affected systems.
8. Examine appropriate system and audit logs for further irregularities.
a. Document all internet protocol (IP) addresses, operating
systems, domain system names and other pertinent system
information.
9. Initiate measures to contain and control the incident to prevent
further unauthorized access.
10. Document actions throughout the process from initial detection to
final resolution.
E. If the incident is in physical form (copy of CJI in paper format), the
individual must notify Longwood Police Department’s LASO of the expected
breach immediately and provide specific details regarding the
loss of the CJI (where it occurred, who was involved, the possible liability
anticipated by the loss of information).
XVIII. ACCESS ENFORCEMENT:
A. Access control policies are high-level requirements that specify how access
to the information system(s) is managed and who may access the
information under what circumstance. The purpose of this policy is to
define standards and procedures for multiple concurrent sessions within
the agency information system(s).
B. Access to all CJI systems will be granted by the agency’s LASO. Once access
is granted, the Information Technology (IT) Department will control access.
C. Access to agency information system(s) is based on a user’s right to
know, authority, and user group.
D. The agency does not allow multiple concurrent sessions.
XIX. AUTHENTICATION STRATEGY:
A. Information technology members will follow the secure password
attributes below to authenticate an individual’s unique identification.
Passwords shall:
1. Be a minimum length of eight (8) characters on all systems
2. Not be a dictionary word or proper name
3. Not be the same as the User ID
4. Expire within a maximum of 90 calendar days
5. Not be identical to the previous ten (10) passwords
6. Not be transmitted in the clear outside the secure location
7. Not be displayed when entered
B. All Longwood Police Department laptop users shall use advanced
authentication security measures as deployed by information technology
members. The advanced authentication system will be compliant with the
CJIS security policy requirements.
C. In the event a user’s network login credentials or bingo card is lost,
compromised or damaged, the incident shall be reported immediately via
the chain of command for action deemed necessary. The chain of
command will immediately report the incident to the LASO who will notify
IT members. Upon notification, information technology members will
reset the user’s network login credentials. If the user’s advanced
authentication card is lost, compromised or damaged the existing card will
be disabled in the Beacon AA Manager and a new card will be issued.
XX. AUTHENTICATOR MANAGEMENT:
A. Authenticators will be assigned to members during training or upon
reassignment. Any lost, compromised, or damaged authenticators should
be reported to the IT department immediately. Authenticators shall be
deactivated immediately if members are terminated, retired, or
reassigned.
B. Each user that accesses criminal justice information must be uniquely
identified prior to being given access to the system and information. The
agency uses standard authenticators (passwords) as well as the Beacon
bingo cards as advanced authenticators for accessing criminal justice
information in a secure manner.
C. A temporary standard authenticator is given to the user via the LASO
during the first active session the user has. The user then creates a new
password as outlined in the authentication strategy policy.
D. Advanced authenticators are given to users prior to gaining access to
criminal justice information outside of the physically secure location. The
agency utilizes Beacon bingo cards for Advanced Authentication. The LASO
will set up the user in the Beacon AA Manager system.
E. Beacon Bingo AA card care:
1. The user must maintain possession of their bingo card at all times
2. The bingo card must be stored in a secured area, out of sight from
others
3. The user shall not share their bingo card or loan the card to other
users
4. If the user loses their bingo card, the user must immediately report
the loss to the LASO
5. If the user believes their bingo card has been compromised, the
user must report the issue to the LASO
XXI. PATCH MANAGEMENT:
A. All workstations, mobile devices and servers owned by Longwood Police
Department must have up-to-date operating system security patches
installed in order to protect the device and network from known
vulnerabilities.
B. With the City of Longwood’s VMware virtual desktop platform, the Police
Department gold image is updated monthly after the second Tuesday of
each month. During the monthly virtual desktop patching, all operating
systems, browsers, Java, Flash and any other software are updated. All laptop
(MCT) devices are updated via the VMware Mirage platform. The laptop
gold image is patched for all operating systems, browsers, Java, Flash and
any other software, then replicated to each laptop using the VMware
Mirage services. Current agency servers have the minimum baseline
requirements that define the default operating system level, service pack,
hotfix, and patch level required to ensure the security of Longwood Police
Department’s data and network.
C. IT will manage the patching needs for the servers on the network. In
addition, they will manage the patching needs for all virtual desktops on
the network. IT will routinely assess the compliance of the monthly
patching efforts and will provide guidance to all members of any security
and patch management issues. IT also approves monthly and emergency
patch deployments if necessary.
D. IT will monitor and report the outcome of each patching cycle to Longwood
Police Department LASO. This will enable the LASO to assess the current
level of risk. If a patch is causing a vulnerability on the network or appliance,
IT will roll the patch back in order to lessen the chance of vulnerabilities on
the network.
E. Longwood Police Department’s IT department shall review all security
relevant patches, service packs, and hot fixes from the vendors. Once
reviewed, the patches will be fixed promptly.
XXII. SECURITY ALERTS AND ADVISORIES:
A. Security alerts and advisories will be subscribed to and released by the IT
Department to ensure knowledge of newly discovered threats that may
affect Longwood Police Department information systems. IT members
shall evaluate each security alert to determine its urgency and relevance
to Longwood Police Department. If an alert is determined to be critical or
pertinent to the Longwood Police Department infrastructure, the
appropriate members will be notified.
B. The Information Technology Department has signed up for alerts and
advisories from the following sites:
1. US-CERT CISA Weekly Vulnerability Summary Bulletin
2. Multi-State Information Sharing and Analysis Center (MS-ISAC)
Cybersecurity Advisory
a. Longwood Police Department will receive information
system security alerts and advisories from the above sites.
b. Once an alert has been received or detected and has been
determined to be a credible threat, IT will notify Longwood
Police Department LASO.
c. IT members will take appropriate action depending on the
alert. This could include updating security settings and/or
issuing information to all relevant Longwood Police
Department members with directions to ensure proper
handling of the issue.
d. IT members will document the details of all alerts. The alerts
will be stored on the IT network drive and will remain with
IT for a period of four years.
XXIII. PERSONNEL SANCTIONS:
A. All members with the Longwood Police Department shall adhere to this
policy. Failure to do so may result in disciplinary actions, up to and
including termination and/or criminal prosecution.