502 KAR 30:050. Security of centralized criminal history record information.

 

      RELATES TO: KRS 17.140

      STATUTORY AUTHORITY: KRS 15A.060, 17.080, 17.140

      NECESSITY, FUNCTION, AND CONFORMITY: KRS 17.080 authorizes the Secretary of Justice to institute rules and administrative regulations and direct proceedings and actions for administration of laws and functions that are invested in the Justice Cabinet. KRS 17.140 establishes, in the Justice Cabinet under the direction, control, and supervision of the Commissioner of the Department of State Police, a centralized criminal history record information system. KRS 17.140 defines a centralized criminal history record information system as the system including equipment, facilities, procedures, and agreements for the collection, processing, preservation, or dissemination of criminal history records maintained by the Justice Cabinet. This administrative regulation sets specific security standards to preserve the CHRI in an acceptable state.

 

      Section 1. Procedures shall be implemented in the centralized criminal history record information system to insure that access to criminal history record information is restricted to authorized persons. The ability to access, modify, change, update, purge, or destroy such information shall be limited to authorized criminal justice personnel, or other authorized persons who provide operational support, such as programming or maintenance. Technologically advanced software and/or hardware designs shall be implemented to prevent unauthorized access to criminal history record information.

 

      Section 2. Procedures shall be implemented in the centralized criminal history information system to determine what persons have authority to enter in areas where criminal history information is stored and implement access control measures to insure entry is limited to specific areas where authorization is valid. Further, access control measures shall be implemented to insure unauthorized persons are totally denied access to areas where criminal history record information is stored. Said access constraints shall include, but not be limited to, the system facilities, systems operating environments, data file contents, whether while in use or when stored in media library, and system documentation.

 

      Section 3. Procedures shall be implemented in the centralized criminal history information system to insure that computer operations which support the criminal history record information data base, whether dedicated or shared, operate in accordance with procedures developed or approved by the Justice Cabinet, and further insure that:

      (1) CHRI is stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by unauthorized persons.

      (2) Operational programs are used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than designated terminals within the Records.

      (3) The destruction, partial deletion, total deletion, or record correction is limited to designated terminals under the direct control of records.

      (4) Operational programs are used to detect and store for the output of designated criminal justice agency employees, all unauthorized attempts to penetrate any criminal history record information system, program or file.

      (5) The programs specified in subsections (2) and (4) of this section are known only to criminal justice agency employees responsible for criminal history record information system control or individuals in agencies pursuant to a specific written agreement with the Justice Cabinet to provide such programs and the operational program(s) are continuously kept under maximum security conditions.

      (6) Procedures are instituted to assure that any individual or agency authorized direct access is responsible for:

      (a) The physical security of criminal history record information under its control or in its custody; and

      (b) The protections of such information from unauthorized access, disclosure or dissemination.

 

      Section 4. Procedures shall be implemented in the centralized criminal history record information system to protect CHRI from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.

 

      Section 5. Emergency Plans Required. Written plans and instructions dealing with emergencies described in Section 4 of this administrative regulation shall be developed in manual form and cover all foreseeable incidents ranging from minor accidents to major disasters causing the destruction of computer facilities, entire data bases, and/or CHRI contained in manual files. Employees of the centralized criminal history record information system shall be trained in procedures and specifically assigned responsibilities in case of an emergency. Plans and instructions should be inclusive of, but not limited to, emergency shutdown and evacuation procedures, disaster recovery plan to restart critical system functions, procedures for back-up files for critical data such as fingerprint cards, and duplicate system designs. The Commissioner of the Department of State Police shall make available needed personnel to reinstitute the centralized criminal history record information system as soon as feasible after accident or disaster.

 

      Section 6. The records commander shall institute procedures for the screening, supervising, and disciplining of agency personnel in order to minimize the risk of compromising internal security. A background investigation of all prospective employees for records shall be conducted. The scope of the background investigation shall be inclusive of, but not limited to:

      (1) Verification of all items as listed on the employment application;

      (2) Moral character;

      (3) Financial history;

      (4) Individual as well as spouse arrest history inclusive of juvenile files;

      (5) Agency personnel records.

      All records employees will agree to and sign nondisclosure statements and notice of security breach forms. The records commander shall so notify the Commissioner of the State Police as to any violation of security policy. A violation of said security policy shall include, but not be limited to, the intentional violation or wanton disregard of any or all security policies with regard to criminal history record information as set forth by section policy; the compromising of an employee's security by committing, facilitating, or being a party to a crime. Upon notification by the records commander of a security compromise, the commissioner shall take immediate appropriate administrative action. (11 Ky.R. 1717; eff. 6-4-85.)