PREVIOUS VERSION

The previous document that this document is based upon is available.

502 KAR 30:050.Security of centralized criminal history record information.

RELATES TO:

KRS 17.140, 17.150

STATUTORY AUTHORITY:

KRS 15A.160, 17.140, 17.150(6)

NECESSITY, FUNCTION, AND CONFORMITY:

KRS 17.140 requires a centralized criminal history record information system to be established in the Justice and Public Safety Cabinet under the direction, control, and supervision of the commissioner of the Department of Kentucky State Police. KRS 15A.160 authorizes the secretary of the cabinet to adopt administrative regulations to administer the cabinet. KRS 17.150(6) requires the secretary of the cabinet to promulgate administrative regulations necessary to implement the criminal history record information system. This administrative regulation sets specific security standards to preserve the CHRI in an acceptable state.

Section 1.

Procedures shall be implemented in the centralized criminal history record information system to insure that access to criminal history record information is restricted to authorized persons. The ability to access, modify, change, update, purge, or destroy information shall be limited to authorized criminal justice personnel, or other authorized persons who provide operational support, such as programming or maintenance. Technologically advanced software or hardware designs shall be implemented to prevent unauthorized access to criminal history record information.

Section 2.

Procedures shall be implemented in the centralized criminal history information system to determine what persons have authority to enter in areas where criminal history information is stored and implement access control measures to insure entry is limited to specific areas where authorization is valid. Further, access control measures shall be implemented to insure unauthorized persons are totally denied access to areas where criminal history record information is stored. Access constraints shall include the system facilities, systems operating environments, data file contents, whether while in use or when stored in media library, and system documentation.

Section 3.

Procedures shall be implemented in the centralized criminal history information system to insure that computer operations that support the criminal history record information data base, whether dedicated or shared, operate in accordance with procedures developed or approved by the Justice and Public Safety Cabinet, and further insure that:

(1)

CHRI is stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by unauthorized persons.

(2)

Operational programs shall be used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than designated terminals within the Criminal Identification and Records Branch.

(3)

The destruction, partial deletion, total deletion, or record correction shall be limited to designated terminals under the direct control of Criminal Identification and Records Branch.

(4)

Operational programs shall be used to detect and store for the output of designated criminal justice agency employees, all unauthorized attempts to penetrate any criminal history record information system, program or file.

(5)

The programs specified in subsections (2) and (4) of this section shall be known only to criminal justice agency employees responsible for criminal history record information system control or individuals in agencies pursuant to a specific written agreement with the Justice and Public Safety Cabinet to provide the programs, and the operational programs shall be continuously kept under maximum security conditions.

(6)

Procedures shall be instituted to assure that any individual or agency authorized direct access is responsible for:

(a)

The physical security of criminal history record information under its control or in its custody; and

(b)

The protections of information from unauthorized access, disclosure, or dissemination.

Section 4.

Procedures shall be implemented in the centralized criminal history record information system to protect CHRI from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.

Section 5.

Emergency Plans Required. Written plans and instructions dealing with emergencies described in Section 4 of this administrative regulation shall be developed in manual form and cover all foreseeable incidents ranging from minor accidents to major disasters causing the destruction of computer facilities, entire data bases, and CHRI contained in manual files. Employees of the centralized criminal history record information system shall be trained in procedures and specifically assigned responsibilities in case of an emergency. Plans and instructions shall include emergency shutdown and evacuation procedures, a disaster recovery plan to restart critical system functions, procedures for backup files for critical data such as fingerprint cards, and duplicate system designs. The commissioner of the Department of Kentucky State Police shall make available needed personnel to reinstitute the centralized criminal history record information system as soon as feasible after accident or disaster.

HISTORY: (11 Ky.R. 1717; eff. 6-4-1985; 48 Ky.R. 1310, 2254; 49 Ky.R. 38; eff. 10-4-2022.)

FILED WITH LRC: June 14, 2022

CONTACT PERSON: Brenn Combs, Staff Attorney, 919 Versailles Road, Frankfort, Kentucky 40601, phone (502) 782-1800, fax (502) 573-1636, email brenn.combs@ky.gov.

502 KAR 30:050.Security of centralized criminal history record information.

RELATES TO:

KRS 17.140, 17.150

STATUTORY AUTHORITY:

KRS 15A.160~~15A.060~~, ~~17.080,~~17.140, 17.150(6)

NECESSITY, FUNCTION, AND CONFORMITY:

KRS17.080 authorizes the Secretary of Justice to institute rules and administrative regulations and direct proceedings and actions for administration of laws and functions that are invested in the Justice Cabinet. KRS 17.140 requires a centralized criminal history record information system to be established~~establishes,~~ in the Justice and Public Safety Cabinet under the direction, control, and supervision of the commissioner of the Department of Kentucky State Police, a centralized criminal history record information system. KRS 17.140 defines a centralized criminal history record information system as the system including equipment, facilities, procedures, and agreements for the collection, processing, preservation, or dissemination of criminal history records maintained by the Justice Cabinet. KRS 15A.160 authorizes the secretary of the cabinet to adopt administrative regulations to administer the cabinet. KRS 17.150(6) requires the secretary of the cabinet to promulgate administrative regulations necessary to implement the criminal history record information system. This administrative regulation sets specific security standards to preserve the CHRI in an acceptable state.

Section 1.

Procedures shall be implemented in the centralized criminal history record information system to insure that access to criminal history record information is restricted to authorized persons. The ability to access, modify, change, update, purge, or destroy ~~such~~ information shall be limited to authorized criminal justice personnel, or other authorized persons who provide operational support, such as programming or maintenance. Technologically advanced software or~~and/or~~ hardware designs shall be implemented to prevent unauthorized access to criminal history record information.

Section 2.

Procedures shall be implemented in the centralized criminal history information system to determine what persons have authority to enter in areas where criminal history information is stored and implement access control measures to insure entry is limited to specific areas where authorization is valid. Further, access control measures shall be implemented to insure unauthorized persons are totally denied access to areas where criminal history record information is stored.~~Said~~ Access constraints shall include~~, but not be limited to,~~ the system facilities, systems operating environments, data file contents, whether while in use or when stored in media library, and system documentation.

Section 3.

Procedures shall be implemented in the centralized criminal history information system to insure that computer operations that~~which~~ support the criminal history record information data base, whether dedicated or shared, operate in accordance with procedures developed or approved by the Justice and Public Safety Cabinet, and further insure that:

(1)

CHRI is stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by unauthorized persons.

(2)

Operational programs shall be~~are~~ used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than designated terminals within the Criminal Identification and Records Branch.

(3)

The destruction, partial deletion, total deletion, or record correction shall beis limited to designated terminals under the direct control of Criminal Identification and Records Branch~~records~~.

(4)

Operational programs shall be~~are~~ used to detect and store for the output of designated criminal justice agency employees, all unauthorized attempts to penetrate any criminal history record information system, program or file.

(5)

The programs specified in subsections (2) and (4) of this section shall be~~are~~ known only to criminal justice agency employees responsible for criminal history record information system control or individuals in agencies pursuant to a specific written agreement with the Justice and Public Safety Cabinet to provide the~~such~~ programs, and the operational programs shall be~~program(s) are~~ continuously kept under maximum security conditions.

(6)

Procedures shall be~~are~~ instituted to assure that any individual or agency authorized direct access is responsible for:

(a)

The physical security of criminal history record information under its control or in its custody; and

(b)

The protections of ~~such~~ information from unauthorized access, disclosure, or dissemination.

Section 4.

Section 5.

Emergency Plans Required. Written plans and instructions dealing with emergencies described in Section 4 of this administrative regulation shall be developed in manual form and cover all foreseeable incidents ranging from minor accidents to major disasters causing the destruction of computer facilities, entire data bases, and~~and/or~~ CHRI contained in manual files. Employees of the centralized criminal history record information system shall be trained in procedures and specifically assigned responsibilities in case of an emergency. Plans and instructions shall include~~should be inclusive of, but not limited to,~~ emergency shutdown and evacuation procedures, a disaster recovery plan to restart critical system functions, procedures for backup files for critical data such as fingerprint cards, and duplicate system designs. The commissioner of the Department of Kentucky State Police shall make available needed personnel to reinstitute the centralized criminal history record information system as soon as feasible after accident or disaster.

Section 6.

The records commander shall institute procedures for the screening, supervising, and disciplining of agency personnel in order to minimize the risk of compromising internal security. A background investigation of all prospective employees for records shall be conducted. The scope of the background investigation shall include~~be inclusive of, but not limited to~~:

(1)

~~Verification of all items as listed on the employment application;~~

(2)

~~Moral character;~~

(3)

~~Financial history;~~

(4)

~~Individual as well as spouse arrest history inclusive of juvenile files; and~~

(5)

~~Agency personnel records. All records employees shallwill~~ agree to and sign nondisclosure statements and notice of security breach forms. The records commander shall so notify the Commissioner of the State Police as to any violation of security policy. A violation of said security policy shall include~~, but not be limited to,~~ ~~the intentional violation or wanton disregard of theany or all~~ ~~security policies with regard to criminal history record information as set forth by section policy or~~; the compromising of an employee's security by committing, facilitating, or being a party to a crime. Upon notification by the records commander of a security compromise, the commissioner shall take immediate appropriate administrative action.

HISTORY: (11 Ky.R. 1717; eff. 6-4-1985; 48 Ky.R. 1310, 2254; 49 Ky.R. 38; eff. 10-4-2022.)

FILED WITH LRC: June 14, 2022

CONTACT PERSON: Brenn Combs, Staff Attorney, 919 Versailles Road, Frankfort, Kentucky 40601, phone (502) 782-1800, fax (502) 573-1636, email brenn.combs@ky.gov.

Page Generated: 5/12/2023, 4:33:50 PM

Title 502 | Chapter 030 | Regulation 050

502 KAR 30:050.Security of centralized criminal history record information.

RELATES TO:

STATUTORY AUTHORITY:

NECESSITY, FUNCTION, AND CONFORMITY:

Section 1.

Section 2.

Section 3.

(1)

(2)

(3)

(4)

(5)

(6)

(a)

(b)

Section 4.

Section 5.

502 KAR 30:050.Security of centralized criminal history record information.

RELATES TO:

STATUTORY AUTHORITY:

NECESSITY, FUNCTION, AND CONFORMITY:

Section 1.

Section 2.

Section 3.

(1)

(2)

(3)

(4)

(5)

(6)

(a)

(b)

Section 4.

Section 5.

Section 6.

(1)

(2)

(3)

(4)

(5)