Policy: Law Enforcement Intelligence Network (LEIN)

PURPOSE

The purpose of this policy is to outline procedures for operating the Law Enforcement Information Network (LEIN) system and associated components containing Criminal Justice Information.

POLICY

The Michigan State University Police Department (Department) is approved to have LEIN access and it is the policy of the Department to properly access, receive and request LEIN as outlined in rules and statutes. This policy sets forth the requirements for employees accessing LEIN and requesting and/or receiving LEIN information. Further, all physical, logical and electronic access to Criminal Justice Information (CJI) must be properly documented, authorized and controlled on devices that store, process or transmit unencrypted CJI.

DEFINITIONS

Criminal Justice Information (CJI)

Criminal Justice Information are data (electronic or hard copy) collected by criminal justice agencies for the purposes as authorized or required by law pursuant to Michigan’s Administrative Rule R28.5101(g).

LEIN

An on-line system that provides authorized agencies with an integrated network for sharing information by interfacing with other criminal justice information sources, including the National Crime Information Center (NCIC).

Terminal Agency Coordinator (TAC)

The TAC is responsible for ensuring LEIN use compliance for the Department’s records containing LEIN and for personnel access to CJI. TAC’s roles and responsibilities includes:

Serves as a liaison to local county users and helps with supervision and system integrity across all authorized users within the Department.

Enable and disable access to LEIN by authorized users and operators.

Monitors and tracks user compliance.

Affirms and validates users in the Michigan Criminal Justice Information Network (MiCJIN).

Local Agency Security Officer (LASO)

The LASO ensures that physical security, software compliance, and physical security screening requirements are adhered to and any breaches to those requirements are immediately reported to the Michigan State Police (MSP) LEIN Field Services department.

Physically Secure Location

Visitor: A visitor is defined as a person who visits the Department on a temporary basis who is not employed by the Department and has no un-escorted access to the physically secure location where LEIN-based and CJI and associated information systems are located.

Authorized Personnel: An authorized user is an individual/group of individuals authorized to access CJI from LEIN as required by policy and as permitted by law.

To become an Authorized Person, an employee must complete State of Michigan required security awareness training to properly protect LEIN work; have completed a Department conducted background check; have been fingerprinted; and those prints have been submitted to the state for compliance with LEIN Rules and Regulations.

The Department’s Terminal Agency Coordinator (TAC) shall maintain records of authorized personnel to ensure their compliance with all requirements and be able to produce the records upon demand.

Authorized Physical Access: All physical access points to the Department’s secure areas shall be authorized before granting access. The primary method to allow this access is using Department access control technology.

PROCEDURES

Physical Protection

The Department follows the policies outlined by the United States Department of Justice, Federal Bureau of Investigation (FBI) Criminal Justice Information Security (CJIS) Policy.

█████████

███████████████████████████

█████████████████████████████████████████████

█████████

█████████

█████████

█████████

█████████

█████████

█████████

██████████████████

███████████████████████████

LEIN Print-outs: LEIN print-outs requiring disposal are destroyed using a cross-cut shredding device.

LEIN Access On Mobile Devices

The Department will supply devices (cellular smartphones, tablets, etc.) to perform duties assigned and will install LEIN client software as necessary. The following is mandatory:

“Bring Your Own Device” is strictly prohibited for LEIN client access.

No personally owned devices will be managed or authorized for Department software access.

All Department-owned mobile devices must be enrolled in the Department’s mobile device management (MDM) system. MDM policies on the device must:

Enable remote wiping of device

Establish a timeout locking feature and restricted access via PIN or Password

Detect “rooted” or “jail-broken” devices and restrict further access

Enforce device encryption

Devices that have been “rooted,” “jail-broken,” or have had any unauthorized changes made to them shall not be used to process, store, or transmit CJI data.

CJI data shall only be transferred between the authorized device and the storage areas of the device and shall not be copy/pasted into any other application.

In the event a device has been lost or stolen, the assigned user must:

Notify their supervisor immediately

Notify the IT Help Desk immediately

In case of a lost or stolen device, the Department’s Information Technology manager or designee shall:

Immediately disable the LEIN user account by locking or resetting the user password

Attempt to remote lock the device and change the access password or PIN

Attempt to locate the device on a system map using the device’s reported coordinates

Notify the Chief or designee, and assess the possibility of device recovery

Should device fail to be recovered, the IT Manager or designee shall perform a remote device wipe/format to erase the device securely

Access to Secured Areas

The Department has created areas secured using access control technology to prevent unauthorized access to LEIN and CJI. All full-time employees of the Department shall meet the state requirements for access to those secured areas.

Information technology is managed by the Department using personnel who have completed access and security requirements.

Information security on all Department systems, devices, software and similar infrastructure meet the physical security requirements for access to LEIN and CJI.

External police agency access

If the Department cannot confirm another police agency employee meets the requirements of authorized access, those agency personnel shall follow the visitor access control requirements.

MSU non-Department employee access

All MSU non-Department employees shall follow the visitor access control requirements.

Visitor access

Visitors shall check-in before entering the Department and be escorted at all times by authorized personnel while inside of the Department’s secured areas.

Visitor electronic devices shall be monitored while visitors are within the secured area.

Authorized personnel providing a visitor access shall ensure that visitors are not removing or otherwise gaining sensitive data while being escorted in the secured area.

Delivery/vendor access: Delivery or service personnel are held to the same requirements as visitors and must be escorted at all times by authorized personnel while inside of the Department’s secured areas.

LEIN Operators and Requesters

Only LEIN operators are authorized to directly access LEIN.

LEIN operators are required to be fingerprinted and cleared through a criminal history check prior to accessing LEIN. For newly sworn employees, the fingerprinting and criminal history check shall be completed as part of the employment screening requirements.

LEIN operators must successfully complete LEIN training and pass certification tests required by the CJIS Policy Council within six months after being designated as a LEIN operator. Once certified, LEIN operators must successfully pass recertification tests as required by the CJIS Policy Council. Employees authorized to request LEIN information from LEIN operators, and employees authorized to receive LEIN information in conjunction with their job responsibilities, must successfully complete LEIN training related to the proper uses, distribution and disclosure of LEIN information before requesting or receiving LEIN information.

LEIN operators shall ensure the accuracy, timeliness and quality of information they enter on LEIN. All entries shall be made in accordance with regulations set forth in the LEIN Operations Manual and NCIC Operations Manual.

Terminal Agency Coordinators (TAC)/Local Agency Security Officer (LASO)

There shall be a Terminal Agency Coordinator designated and trained for the Department.

Terminal Agency Coordinators shall be responsible for the following:

Ensuring compliance with LEIN and NCIC policies and regulations.

Coordinating audits of LEIN operations conducted by the Michigan Department of State Police.

Providing LEIN training and testing required by the CJIS Policy Council.

Immediately reporting any known violation of this policy through the appropriate chain of command.

Providing technical support regarding LEIN use.

Maintaining a current list of designated LEIN operators.

Completing monthly validations as required and described in the LEIN operations manual.

The TAC shall serve as the TAC trainer. TACs shall attend TAC training offered by the Michigan State Police.

There shall be a LASO designated and trained for the Department.

LASO and/or TAC shall be responsible for the following:

Creating new user accounts for LEIN

Editing/update existing user accounts for name change or other modifications

Removing or disabling accounts of users that have separated or terminated employment

Resetting passwords and unlocking disabled accounts as necessary

Disclosure of LEIN Information/Documents

LEIN information shall be disclosed only as necessary to comply with Department policy, i.e., preparation of investigative reports for prosecution, etc.

Under no circumstances shall the actual LEIN printout or a copy of a LEIN printout be given to or displayed in an area accessible to anyone not authorized to receive LEIN information.

Subject related: Driving records, CCH, BOL, ATL, SOS images

Non-subject related such as Funeral arrangements, Training, etc.

All LEIN printed by employees in the course of their duty shall be destroyed per methods outlined within this policy once the case is closed, unless being forwarded for report review.

LEIN information shall not be transmitted to anyone via electronic mail (e-mail) outside of the Department.

LEIN information sent over e-mail to other Department members is secured on the server using self-signed certificates.

LEIN information may be transmitted using the Ingham County Prosecutor’s Office (ICPO) E-Filing system or facsimile machine only after the intended recipient has been verified as being authorized and present to receive the information.

Disclosure in violation of Department policy which also is a violation of state law shall be referred for criminal prosecution.

Documentation of Disclosure

All Employees must document disclosure for the following conditions:

When reports are referred to ICPO for review, an employee must document that disclosure in the body of the police report.

Follow directives noted on Department Wiki or similar technology for the current protocol

Acceptable Use

LEIN operators shall access LEIN only as necessary in the course of their duty and investigations.

Under no circumstances shall employees access LEIN or request and/or receive LEIN information for personal reasons.

Employees shall comply with the “Michigan State University Acceptable Use Policy for MSU Information Technology Resources” as well as the policies set forth in this document.

Employees violating these policies and procedures, including accessing LEIN or requesting and/or receiving LEIN information without authorization, may be sanctioned following any or all of the following:

Subject to discipline as set forth in the Department’s Value Based Member Manual and MSU Employee Handbook

Denied use of LEIN

Subject to CJIS Policy Council Act criminal penalties

Drivers’ Privacy Protection Act criminal penalties.

LEIN Policy Violation

Any violation of this policy may result in network removal, access revocation, corrective or disciplinary action, and/or termination of employment.