Rule 140-2-.02 - Security Policy for Criminal Justice Information(1) Handling procedures. (a) Secret data (as defined in Rule 140-1-.02(2)(c)3.): 1. When not in use it shall be stored in locking, fire-resistant vaults or safes. Computer programs and data files should be backed-up on electronic media and secured in a location separate from the building in which the computer system is located.2. Areas where the information is processed and handled shall be restricted to authorized personnel in the performance of official duties.3. The information shall be under the absolute control of criminal justice agencies with access regulated by agency heads or their designees.4. A log or other record shall be maintained when information is removed from, or returned to the physically secured storage defined above in paragraph (1)(a)1.(b) CHRI, as defined in Rule 140-1-.02(2)(c)1., shall be:1. Stored in a secure location when not under the control of authorized criminal justice agency employees.2. Processed in areas restricted to authorized personnel in the performance of official duties.3. Under the absolute control of criminal justice agencies except as exempted by these Rules.(c) Restricted and Sensitive data, as defined in Rule 140-1-.02(2)(c)2. and 4., shall be used and stored in a controlled access area.(2) Secret information, CHRI or restricted information is a "Secret of State", which is required by State policy, the interest of the community and the right of privacy of the citizens of this State to be confidential. Such information shall not be divulged except as permitted by Georgia law and these Rules. Criminal justice agencies must destroy documents containing secret information, CHRI or restricted information no longer required for operations in a manner precluding access to the information by unauthorized persons.(3) Criminal justice agencies shall disseminate CHRI only to agencies or persons requiring such information to perform duties serving the administration of criminal justice or as otherwise provided by statute, executive order or these Rules. Under no circumstances will CHRI be transmitted via the CJIS network to devices not authorized to access such information, which may exist in the GCIC computerized files, FBI Interstate Identification Index (III) or computerized files maintained in other states.(4) Local agency heads shall provide the GCIC Director with written notification of security policy violations for criminal justice information committed by employees of their agencies or agencies over which they exercise management control.(5) The Director shall establish an information security structure that provides for an ISO. The Director shall also ensure that each local agency having access to the CJIS network designates a LASO.Ga. Comp. R. & Regs. R. 140-2-.02
O.C.G.A. Secs. 35-3-30, 35-3-32, 28 CFR 20.21, FBI CJIS Security Policy.
Original Rule entitled "Data Security Requirements for Criminal Justice Information" adopted. F. Feb. 25, 1976; eff. Mar. 16, 1976.Repealed: New Rule of same title adopted. F. Jan. 7, 1983; eff. Feb. 1, 1983, as specified by the Agency.Repealed: New Rule of same title adopted. F. Sept. 6, 1984; eff. Oct. 8, 1984, as specified by the Agency.Repealed: New Rule entitled "Security Policy for Criminal Justice Information" adopted. F. July 2, 1986; eff. July 22, 1986.Repealed: New Rule of same title adopted. F. Nov. 7, 1990; eff. Nov. 27, 1990.Repealed: New Rule of same title adopted. F. Mar. 4, 1998; eff. Mar. 24, 1998.Amended: F. Sept. 5, 2002; eff. Sept. 25, 2002.Repealed: New Rule of same title adopted. F. Sept. 25, 2007, eff. Oct. 15, 2007.