GENERAL ORDERS LINCOLN POLICE DEPARTMENT
SUBJECT: CJIS/NCIC PROCEDURES
TITLE: CJIS MEDIA PROTECTION
EFFECTIVE DATE: JUNE 1, 2025
REVISION DATE:
ACCREDITATION: ALABAMA ASSOCIATION OF CHIEFS OF POLICE (AACOP)
APPROVAL: CHIEF SCOTT BONNER
Embedded Files
CJIS MEDIA PROTECTION
1206.1 PURPOSE
The intent of the Media Protection Policy is to ensure the protection of the Criminal Justice Information (CJI) until such time as the information is either released to the public via authorized dissemination (e.g. within a court system or when presented in crime reports data), or is purged or destroyed in accordance with applicable record retention rules.
This Media Protection Policy was developed using the FBI's Criminal Justice Information Services (CJIS) Security Policy 5.1 dated 7/13/2012. The Lincoln Police Department may complement this policy with a local policy; however, the CJIS Security Policy shall always be the minimum standard. The local policy may augment, or increase the standards, but shall not detract from the CJIS Security Policy standards.
1206.2 SCOPE
The scope of this policy applies to any electronic or physical media containing FBI Criminal Justice Information (CJI) while being stored, accessed or physically moved from a secure location from the Lincoln Police Department. This policy applies to any authorized person who accesses, stores, and / or transports electronic or physical media. Transporting CJI outside the agency's assigned physically secure area must be monitored and controlled.
Authorized Lincoln Police Department personnel shall protect and control electronic and physical CJI while at rest and in transit. The Lincoln Police Department will take appropriate safeguards for protecting CJI to limit potential mishandling or loss while being stored, accessed, or transported. Any inadvertent or inappropriate CJI disclosure and/or use will be reported to the Lincoln Police Department Local Agency Security Officer (LASO). Procedures shall be defined for securely handling, transporting and storing media.
1206.3 MEDIA STORAGE AND ACCESS
To protect CJI, the Lincoln Police Department personnel shall:
(a) Securely store electronic and physical media within a physically secure or controlled area. A secured area includes a locked drawer, cabinet, or room.
(b) Restrict access to electronic and physical media to authorized individuals.
(c) Ensure that only authorized users remove printed form or digital media from the CJI.
(d) Physically protect CJI until media end of life. End of life CJI is destroyed or sanitized using approved equipment, techniques and procedures. (See Sanitization Destruction Policy)
(e) Not use personally owned information system to access, process, store, or transmit CJI unless the Lincoln Police Department has established and documented the specific terms and conditions for personally owned information system usage. (See Personally Owned Device Policy)
(f) Not utilize publicly accessible computers to access, process, store, or transmit CJI. Publicly accessible computers include but are not limited to: hotel business center computers, convention center computers, public library computers, public kiosk computers, etc.
(g) Store all hardcopy CJI printouts maintained by the Lincoln Police Department in a secure area accessible to only those employees whose job function require them to handle such documents.
(h) Safeguard all CJI by the Lincoln Police Department against possible misuse by complying with the Physical Protection Policy, Personally Owned Device Policy, and Disciplinary Policy.
(i) Take appropriate action when in possession of CJI while not in a secure area:
CJI must not leave the employee's immediate control. CJI printouts cannot be left unsupervised while physical controls are not in place.
Precautions must be taken to obscure CJI from public view, such as by means of an opaque file folder or envelope for hard copy printouts. For electronic devices like laptops, use session lock use and /or privacy screens. CJI shall not be left in plain public view. When CJI is electronically transmitted outside the boundary of the physically secure location, the data shall be immediately protected using encryption.
(a) When CJI is at rest (i.e. stored electronically) outside the boundary of the physically secure location, the data shall be protected using encryption. Storage devices include external hard drives from computers, printers and copiers used with CJI. In addition, storage devices include thumb drives, flash drives, back-up tapes, mobile devices, laptops, etc.
(b) When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards.
(j) Lock or log off computer when not in immediate vicinity of work area to protect CJI. Not all personnel have same CJI access permissions and need to keep CJI protected on a need-to-know basis.
(k) Establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of CJI. (See Physical Protection Policy)
1206.4 MEDIA TRANSPORT
Controls shall be in place to protect electronic and physical media containing CJI while in transport (physically moved from one location to another) to prevent inadvertent or inappropriate disclosure and use. "Electronic media" means electronic storage media, including memory devices in laptops and computers (hard drives) and any removable, transportable digital memory media, such as magnetic tape or disk, backup medium, optical disk, flash drives, external hard drives, or digital memory card.
(a) Dissemination to another agency is authorized if:
The other agency is an Authorized Recipient of such information and is being serviced by the accessing agency, or
The other agency is performing personnel and appointment functions for criminal justice employment applicants.
(b) The Lincoln Police Department personnel shall:
Protect and control electronic and physical media during transport outside of controlled areas.
Restrict the pickup, receipt, transfer, and delivery of such media to authorized personnel.
(c) The Lincoln Police Department personnel will control, protect, and secure electronic and physical media during transport from public disclosure by:
Use of privacy statements in electronic and paper documents.
Limiting the collection, disclosure, sharing and use of CJI.
Following the least privilege and role-based rules for allowing access. Limit access to CJI to only those people or roles that require access.
Securing hand-carried confidential electronic and paper documents by:
(a) Storing CJI in a locked briefcase or lockbox.
(b) Only authorized personnel can view or access the CJI electronically or document printouts in a physically secure location.
(c) for hard copy printouts or CJI documents:
Package hard copy printouts in such a way as to not have any CJI information viewable.
That are mailed or shipped, agency must document procedures and only release to authorized individuals. DO NOT MARK THE PACKAGE TO BE MAILED CONFIDENTIAL. Packages containing CJI material are to be sent by method(s) that provide for complete shipment tracking and history, and signature confirmation of delivery. (Agency Discretion)
Not taking CJI home or when traveling unless authorized by Lincoln Police Department LASO. When disposing confidential documents, use a shredder.
1206.5 ELECTRONIC MEDIA SANITIZATION AND DISPOSAL
The agency shall sanitize, that is, overwrite at least three times or degauss electronic media prior to disposal or release for reuse by unauthorized individuals. Inoperable electronic media shall be destroyed (cut up, shredded, etc.). The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel. Physical media shall be securely disposed of when no longer required, using formal procedures. For end-of-life media policy, refer to "Sanitization Destruction Policy".
1206.6 BREACH NOTIFICATION AND INCIDENT REPORTING
The agency shall promptly report incident information to appropriate authorities. Information security events and weaknesses associated with information systems shall be communicated in a manner allowing timely corrective action to be taken. Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
1206.7 ROLES AND RESPONSIBILITIES
If CJI is improperly disclosed, lost, or reported as not received, the following procedures must be immediately followed:
(a) Lincoln Police Department personnel shall notify his/her supervisor or LASO, and an incident-report form must be completed and submitted within 24 hours of discovery of the incident. The submitted report is to contain a detailed account of the incident, events leading to the incident, and steps taken/to be taken in response to the incident.
(b) The supervisor will communicate the situation to the LASO to notify of the loss or disclosure of CJI records.
(c) The LASO will ensure the CSA ISO (CJIS System Agency Information Security Officer) is promptly informed of security incidents.
(d) The CSA ISO will:
Establish a security incident response and reporting procedure to discover, investigate, document, and report to the CSA, the affected criminal justice agency, and the FBI CJIS Division ISO major incidents that significantly endanger the security or integrity of CJI.
Collect and disseminate all incident-related information received from the Department of Justice (DOJ), FBI CJIS Division, and other entities to the appropriate local law enforcement POCs within their area.
Act as a single POC for their jurisdictional area for requesting incident response assistance.
1206.8 PENALTIES
Violation of any of the requirements in this policy by any authorized personnel will result in suitable disciplinary action, up to and including loss of access privileges, civil and criminal prosecution and/or termination.
1206.9 ACKNOWLEDGEMENT
I have read the policy and rules above and I will:
Abide by the Lincoln Police Department's Media Protection Policy. I understand any violation of this policy may result in discipline up to and including termination.
Report any Lincoln Police Department CJI security incident to Supervisor and / or LASO as identified in this policy.
Signature: Date: ______________________
Questions
Any questions related to this policy may be directed to the Lincoln Police Department's LASO:
LASO Name: LASO Phone:
LASO email:
State C/ISO Name: C/ISO Phone:
C/ISO email:
Other Related Policy Reference:
These policies and operating procedures are not designed to cover every possible scenario or situation in society, but rather to define standard operating procedures for members of the Lincoln Police Department. These guidelines are subject to past, present and future judicial review. These guidelines can be amended and or repealed by the Chief of Police as necessary. The policies and procedures herein provided supersede all previous policies and orders.
Page updated
Google Sites
Report abuse