GENERAL ORDERS LINCOLN POLICE DEPARTMENT
SUBJECT: CJIS/NCIC PROCEDURES
TITLE: CJIS ACCESS CONTROL POLICY & PROCEDURE
EFFECTIVE DATE: JUNE 1, 2025
REVISION DATE:
ACCREDITATION: ALABAMA ASSOCIATION OF CHIEFS OF POLICE (AACOP)
APPROVAL: CHIEF DARREN E. BRITTON
CJIS ACCESS CONTROL POLICY & PROCEDURE
1205.1 PURPOSE
The purpose of the Lincoln Police Department's Access Control Policy is to establish procedures and guidelines to safeguard Criminal Justice Information (CJI) by restricting and managing access to systems, applications, and communication configurations within the agency. This ensures the confidentiality, integrity, and availability of CJI in compliance with applicable federal and state laws, regulations, and FBI CJIS Security Policy requirements.
1205.2 SCOPE
This policy applies to all agency personnel, contractors, and third-party users who access, process, store, or transmit CJI or use agency information systems and networks. It encompasses all physical and digital environments, including mobile and remote access, where CJI is accessed.
1205.2.1 ACCOUNT CREATION, ACCESS AUTHORIZATION, AND MANAGEMENT
All access requests must be formally documented and approved by the AISO and relevant supervisors.
Access is granted based on the principle of least privilege, ensuring users only have access necessary to perform their roles.
Periodic reviews of user access levels will be conducted annually or upon significant organizational changes.
User accounts will be created, modified, and disabled by the AISO in accordance with documented workflows.
The AISO must be notified within one business day when access changes occur due to role transfers, terminations, or changes in job responsibilities.
Temporary accounts will be automatically removed within 72 hours unless an extension is approved.
1205.2.2 REMOTE ACCESS
Remote access will only be granted through authorized and secure methods, such as VPNs or multi-factor authentication.
Usage restrictions and configuration guidelines will be documented and communicated to all remote users.
Unauthorized remote access attempts will be reported and investigated.
1205.2.3 ACCESS MONITORING AND AUDITING
All account activities, including login attempts, privilege changes, and file access, will be logged and monitored for unauthorized or unusual behavior.
Automated tools will be employed to ensure compliance and provide notifications for security violations.
Logs of privileged functions will be regularly reviewed.
1205.2.4 DEVICE SECURITY AND SESSION MANAGEMENT
All devices accessing CJI must employ a lock mechanism after 30 minutes of inactivity or when unattended.
Users must log out at the end of their work period, and sessions will be automatically terminated upon logout.
The Lincoln Police Department shall enforce a limit of five (5) consecutive invalid logon attempts by a user during a 15-minute period. The account shall be locked after the 5th invalid login attempt until an administrator resets the account.
The Lincoln Police Department shall display a system use notification message before granting access to the system that provides security and privacy notices, and states that the system is restricted to users authorized to access the system, the system is monitored and recorded, unauthorized use is prohibited and subject to criminal and civil penalties, and use of the system indicates consent to monitoring and recording.
System use notifications shall remain on the screen until users acknowledge usage conditions.
1205.2.5 INCIDENT MANAGEMENT
Accounts associated with high-risk individuals or security incidents must be disabled within 30 minutes of identifying the risk.
Security incidents involving unauthorized access to CJI will prompt an immediate review and update of the Access Control Policy.
1205.2.6 TRAINING AND AWARENESS
All users will undergo annual training on access control procedures and responsibilities.
Awareness campaigns will emphasize the importance of safeguarding access credentials and recognizing unauthorized access attempts.
1205.2.7 POLICY REVIEW AND UPDATES
The Access Control Policy will be reviewed and updated annually or after any security incidents to reflect changes in operational or regulatory requirements.
1205.3 ROLES AND RESPONSIBILITIES
This will help define what is expected of each individual, in order to achieve goals and ensure the smooth operation of processes.
1205.3.1 AISO
Oversees the implementation and maintenance of the access control mechanisms.
Ensures compliance with access control policies and procedures.
Conducts annual reviews and updates of access policies and user privileges.
Manages and documents system account creation, modification, and removal.
Enforce access control measures on systems and networks.
Monitor user activities for compliance and report security incidents.
Disable accounts when required due to policy violations, termination, or inactivity.
Approve access control policies and dedicate resources to ensure compliance.
Assign roles and responsibilities to qualified personnel.
Primary responsibility for account management belongs to the Agency Information Security Officer (AISO).
1205.3.2 AGENCY PERSONNEL
Ensure access to systems and information is used solely for authorized purposes.
Report unauthorized access attempts or other suspicious activities.
Modify user accounts in response to events like name changes, accounting changes, permission changes, office transfers, etc.,
Periodically review existing accounts for validity (at least once every 6 months), an
Cooperate fully with an authorized security team that is investigating a security incident or performing an audit review.
Lock or log off computer when not in immediate vicinity of work area to protect CJI. Not all personnel have same CJI access permissions and need to keep CJI protected on a need-to-know basis.
Ensure CJI is not transmitted over a public network. Only secure networks are allowed to access CJI.
If someone demands a password, refer them to the AISO
Here is a list of "do nots":
Don't reveal a password over the phone to anyone
Don't reveal a password to the boss
Don't hint at the format of a password (e.g., "my family name")
Don't reveal a password on questionnaires or security forms
Don't share a password with family members
Don't reveal a password to a co-worker while on vacation
Don't use the "Remember Password" feature of applications
Don't write passwords down and store them anywhere in your office.
Don't store passwords in a file on ANY computer system without encryption
1205.4 PROCEDURES
1205.4.1 ACCOUNT CREATION, ACCESS AUTHORIZATION, AND MANAGEMENT
The Lincoln Police Department's administrators shall formally document new account access requests for authorized users to be approved by the AISO.
The Lincoln Police Department's administrators shall notify the AISO within one (1) day should an individual's need-to-know change, the account is no longer required, or the individual is transferred or terminated.
The AISO will remove or disable all access accounts for separated or terminated employees immediately following separation from the agency.
The AISO must be notified if a user's information system usage or need-to-know changes (i.e., the employee is terminated, transferred, etc.).If an individual is assigned to another office for an extended period (more than 90 days), the AISO will transfer the individual's account(s) to the new office (CJA).
The AISO shall manage accounts upon notification from the Lincoln Police Department's administrators that includes disabling, enabling, removing, and creating accounts as well as modifying account privileges.
The Lincoln Police Department's administrators should notify the AISO necessary privileges for new account requests for authorized users to perform their role.
The AISO must disable all new accounts that have not been accessed within 90 days of creation. Accounts of individuals on extended leave (more than 90 days) should be disabled. (Note: Exceptions can be made in cases where uninterrupted access to IT resources is required. In those instances, the individual going on extended leave must have a manager-approved request from the designated account administrator or assistant.)
User accounts that are under investigation for misuse shall be disabled by the AISO within 30 minutes of discovery and remain disabled until the investigation is concluded.
All accounts shall be reviewed at least every six months by the Agency Information Security Officer (AISO) or his/her designee to ensure that access and account privileges commensurate with job functions, need-to-know, and employment status on systems that contain Criminal Justice Information.
Guest accounts will be automatically removed within 7 days of account expiration unless an extension is approved.
All guest accounts (for those who are not official employees of the CJA) with access to the criminal justice network shall contain an expiration date of one year or the work completion date, whichever occurs first. All guest accounts (for private contractor personnel) must be sponsored by the appropriate authorized member of the administrative entity managing the resource. Guest accounts will be removed within 7 days of the account expiration date.
Periodic reviews of user access levels will be conducted annually by the AISO or upon significant organizational changes.
The AISO shall reassign or remove privileges, if necessary, when conducting account validations.
1205.4.2 REMOTE ACCESS
Access to the Lincoln Police Department networks via remote access is to be controlled by using either a Virtual Private Network (in which a password and user id are required) or a form of advanced authentication (i.e., Biometrics, Tokens, Public Key Infrastructure (PKI), Certificates, etc.).
The Lincoln Police Department personnel shall not utilize public networks on agency owned devices.
The Lincoln Police Department personnel shall not utilize public networks to log in to accounts and access CJI.
The Lincoln Police Department shall monitor the network for any unauthorized remote access attempts and report any unauthorized access attempts per the incident response policy.
1205.4.3 ACCESS MONITORING AND AUDITING
All account activities, including login attempts, privilege changes, and file access, will be logged and monitored for unauthorized or unusual behavior.
Logs of privileged functions will be regularly reviewed by the AISO.
Logs will be maintained for one year.
1205.4.4 DEVICE SECURITY AND SESSION MANAGEMENT
All devices accessing CJI must employ a lock mechanism after 30 minutes of inactivity or when unattended.
Users must fully log out of their account at the end of their work period to prevent unauthorized access.
Users must lock their computer at the end of their work period or when not in use.
1205.4.5 INCIDENT MANAGEMENT
Accounts associated with security incidents must be disabled within 30 minutes of identifying the risk by the AISO.
Security incidents involving unauthorized access to CJI will prompt an immediate review and update of the Access Control Policy and Procedures. The AISO will initiate updating the policy and procedures following a security incident.
1205.4.6 TRAINING AND AWARENESS
The Lincoln Police Department personnel will sign the policy and procedures acknowledgement annually stating they have read the policy and will abide by the policy and procedures.
The AISO will disseminate the updated policy and procedures annually to Lincoln Police Department administration to distribute to agency personnel.
The AISO will oversee agency-wide awareness campaigns that will emphasize the importance of safeguarding account access credentials such as not sharing passwords, and how to recognize unauthorized account access attempts.
1205.4.7 POLICY REVIEW AND UPDATES
The AISO oversees updating the Access Control Policy and Procedures annually and following any security incidents to reflect changes in operational or regulatory requirements.
1205.5 ACKNOWLEDGEMENT
I have read the policy and rules above and I will:
Abide by the Lincoln Police Department's Access Control Policy and Procedures. I understand any violation of this policy may result in discipline up to and including termination.
Report any Lincoln Police Department CJI security incident to the Supervisor and/or the LASO as identified in this policy.
This policy ensures that the agency aligns with FBI CJIS Security Policy while addressing operational requirements and mitigating risks associated with unauthorized access to CJI. Compliance with this policy is mandatory and will be enforced through regular audits and user activity monitoring.
Signature: ______________________________________ Date: _______________________________
Questions
Any questions related to this policy may be directed to the Lincoln Police Department's LASO:
LASO Name: LASO Phone:
LASO email:
Other Related Policy Reference:
Physical Protection Policy
Incident Response Policy
Personally Owned Device Policy (if applicable)
These policies and operating procedures are not designed to cover every possible scenario or situation in society, but rather to define standard operating procedures for members of the Lincoln Police Department. These guidelines are subject to past, present and future judicial review. These guidelines can be amended and or repealed by the Chief of Police as necessary. The policies and procedures herein provided supersede all previous policies and orders.