Title 502 | Chapter 030 | Regulation 050
SUPERSEDED
This document is no longer current.
PREVIOUS VERSION
The previous document that this document is based upon is available.
JUSTICE AND PUBLIC SAFETY CABINET
Department of Kentucky State Police
(Amended After Comments)
502 KAR 30:050.Security of centralized criminal history record information.
Section 1.
Procedures shall be implemented in the centralized criminal history record information system to insure that access to criminal history record information is restricted to authorized persons. The ability to access, modify, change, update, purge, or destroy such information shall be limited to authorized criminal justice personnel, or other authorized persons who provide operational support, such as programming or maintenance. Technologically advanced software orSection 2.
Procedures shall be implemented in the centralized criminal history information system to determine what persons have authority to enter in areas where criminal history information is stored and implement access control measures to insure entry is limited to specific areas where authorization is valid. Further, access control measures shall be implemented to insure unauthorized persons are totally denied access to areas where criminal history record information is stored.Section 3.
Procedures shall be implemented in the centralized criminal history information system to insure that computer operations which support the criminal history record information data base, whether dedicated or shared, operate in accordance with procedures developed or approved by the Justice and Public Safety Cabinet, and further insure that:(1)
CHRI is stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by unauthorized persons.(2)
Operational programs are used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than designated terminals within the Criminal Identification and Records Branch.(3)
The destruction, partial deletion, total deletion, or record correction is limited to designated terminals under the direct control of Criminal Identification and Records Branch(4)
Operational programs are used to detect and store for the output of designated criminal justice agency employees, all unauthorized attempts to penetrate any criminal history record information system, program or file.(5)
The programs specified in subsections (2) and (4) of this section are known only to criminal justice agency employees responsible for criminal history record information system control or individuals in agencies pursuant to a specific written agreement with the Justice and Public Safety Cabinet to provide such programs and the operational program(s) are continuously kept under maximum security conditions.(6)
Procedures are instituted to assure that any individual or agency authorized direct access is responsible for:(a)
The physical security of criminal history record information under its control or in its custody; and(b)
The protections of such information from unauthorized access, disclosure or dissemination.Section 4.
Procedures shall be implemented in the centralized criminal history record information system to protect CHRI from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.Section 5.
Emergency Plans Required. Written plans and instructions dealing with emergencies described in Section 4 of this administrative regulation shall be developed in manual form and cover all foreseeable incidents ranging from minor accidents to major disasters causing the destruction of computer facilities, entire data bases, andSection 6.
(1)
(2)
(3)
(4)
(5)
KERRY B. HARVEY, Secretary
APPROVED BY AGENCY: January 10, 2022
FILED WITH LRC: January 11, 2022 at 10:44 a.m.
CONTACT PERSON: Amy Barker, Assistant General Counsel, 125 Holmes Street, Frankfort, Kentucky 40601, phone (502) 564-8207, fax (502) 564-6686, email Justice.RegsContact@ky.gov.
REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT
Contact Person:
Amy Barker
(1) Provide a brief summary of:
(a) What this administrative regulation does:
This regulation sets specific security standards to preserve criminal history record information (CHRI) in an acceptable state.
(b) The necessity of this administrative regulation:
This regulation ensures compliance with KRS 17.140 and ensures that the CHRI remains secure to prevent unauthorized access.
(c) How this administrative regulation conforms to the content of the authorizing statutes:
This regulation works to ensure the appropriate processes for preservation of the criminal history records maintained by the Justice and Public Safety Cabinet and implements procedures to limit access to the protected information to authorized persons.
(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes:
This regulation will assist the Criminal Identification and Records Branch in implementing and maintaining the appropriate procedures to effectively protect and store the protected CHRI.
(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:
(a) How the amendment will change this existing administrative regulation:
The amendment will clarify the existing language of the administrative regulation, which provides guidance on how to effectively maintain and protect sensitive information. It revises the name of the entity that handles the criminal history record information within the Department and corrects the cabinet and Department names.
(b) The necessity of the amendment to this administrative regulation:
The previous language was unclear and not appropriately defined within relevant sections of the text.
(c) How the amendment conforms to the content of the authorizing statutes:
The amendment further clarifies the language of the regulation which works to ensure the appropriateness of the procedures implemented by the Criminal Identification and Records Branch.
(d) How the amendment will assist in the effective administration of the statutes:
The amendment contains language that is more clearly defined, which will benefit the personnel charged with implementing the subject procedures.
(3) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation:
The Department of Kentucky State Police, the Justice and Public Safety Cabinet, and all persons with personal information stored within the criminal history record information database maintained by Criminal Identification and Records Branch.
(4) Provide an analysis of how the entities identified in question (3) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:
(a) List the actions that each of the regulated entities identified in question (3) will have to take to comply with this administrative regulation or amendment:
This amendment does not require the regulated entities to take any action separate and apart from the previous language of the regulation; instead, this amendment provides clarification of the appropriate processes.
(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (3):
No additional cost is anticipated.
(c) As a result of compliance, what benefits will accrue to the entities identified in question (3):
The regulated agencies will have more clearly defined guidance on the appropriate procedures regarding the sensitive information that they are charged with protecting.
(5) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:
(a) Initially:
No additional cost is anticipated.
(b) On a continuing basis:
No additional cost is anticipated.
(6) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation:
Funds budgeted to the Department and the criminal justice agencies.
(7) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment:
No increase is necessary.
(8) State whether or not this administrative regulation established any fees or directly or indirectly increased any fees:
The amendment of this administrative regulation does not establish any new fees or increase any fees, directly or indirectly.
(9) TIERING: Is tiering applied?
No. Tiering was not appropriate in this administrative regulation because the administrative regulation applies equally to all those individuals or entities regulated by it.
FISCAL NOTE ON STATE OR LOCAL GOVERNMENT
(1) What units, parts or divisions of state or local government (including cities, counties, fire departments, or school districts) will be impacted by this administrative regulation?
The Department of the Kentucky State Police, the Justice Cabinet, and all persons with personal information stored within the criminal history record information database maintained by Records.
(2) Identify each state or federal statute or federal regulation that requires or authorizes the action taken by the administrative regulation.
KRS 17.140, KRS 15A.060
(3) Estimate the effect of this administrative regulation on the expenditures and revenues of a state or local government agency (including cities, counties, fire departments, or school districts) for the first full year the administrative regulation is to be in effect.
If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
(a) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for the first year?
The administrative regulation does not generate any revenue.
(b) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for subsequent years?
The administrative regulation does not generate any revenue.
(c) How much will it cost to administer this program for the first year?
No additional cost is anticipated.
(d) How much will it cost to administer this program for subsequent years?
No additional cost is anticipated.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Revenues (+/-):
Expenditures (+/-):
Other Explanation:
JUSTICE AND PUBLIC SAFETY CABINET
Department of Kentucky State Police
(Amended After Comments)
502 KAR 30:050.Security of centralized criminal history record information.
Section 1.
Procedures shall be implemented in the centralized criminal history record information system to insure that access to criminal history record information is restricted to authorized persons. The ability to access, modify, change, update, purge, or destroy such information shall be limited to authorized criminal justice personnel, or other authorized persons who provide operational support, such as programming or maintenance. Technologically advanced software or hardware designs shall be implemented to prevent unauthorized access to criminal history record information.Section 2.
Procedures shall be implemented in the centralized criminal history information system to determine what persons have authority to enter in areas where criminal history information is stored and implement access control measures to insure entry is limited to specific areas where authorization is valid. Further, access control measures shall be implemented to insure unauthorized persons are totally denied access to areas where criminal history record information is stored. Access constraints shall include the system facilities, systems operating environments, data file contents, whether while in use or when stored in media library, and system documentation.Section 3.
Procedures shall be implemented in the centralized criminal history information system to insure that computer operations which support the criminal history record information data base, whether dedicated or shared, operate in accordance with procedures developed or approved by the Justice and Public Safety Cabinet, and further insure that:(1)
CHRI is stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by unauthorized persons.(2)
Operational programs are used that will prohibit inquiry, record updates, or destruction of records, from any terminal other than designated terminals within the Criminal Identification and Records Branch.(3)
The destruction, partial deletion, total deletion, or record correction is limited to designated terminals under the direct control of Criminal Identification and Records Branch.(4)
Operational programs are used to detect and store for the output of designated criminal justice agency employees, all unauthorized attempts to penetrate any criminal history record information system, program or file.(5)
The programs specified in subsections (2) and (4) of this section are known only to criminal justice agency employees responsible for criminal history record information system control or individuals in agencies pursuant to a specific written agreement with the Justice and Public Safety Cabinet to provide such programs and the operational program(s) are continuously kept under maximum security conditions.(6)
Procedures are instituted to assure that any individual or agency authorized direct access is responsible for:(a)
The physical security of criminal history record information under its control or in its custody; and(b)
The protections of such information from unauthorized access, disclosure or dissemination.Section 4.
Procedures shall be implemented in the centralized criminal history record information system to protect CHRI from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or manmade disasters.Section 5.
Emergency Plans Required. Written plans and instructions dealing with emergencies described in Section 4 of this administrative regulation shall be developed in manual form and cover all foreseeable incidents ranging from minor accidents to major disasters causing the destruction of computer facilities, entire data bases, and CHRI contained in manual files. Employees of the centralized criminal history record information system shall be trained in procedures and specifically assigned responsibilities in case of an emergency. Plans and instructions shall include emergency shutdown and evacuation procedures, a disaster recovery plan to restart critical system functions, procedures for backup files for critical data such as fingerprint cards, and duplicate system designs. The commissioner of the Department of Kentucky State Police shall make available needed personnel to reinstitute the centralized criminal history record information system as soon as feasible after accident or disaster.KERRY B. HARVEY, Secretary
APPROVED BY AGENCY: January 10, 2022
FILED WITH LRC: January 11, 2022 at 10:44 a.m.
CONTACT PERSON: Amy Barker, Assistant General Counsel, 125 Holmes Street, Frankfort, Kentucky 40601, phone (502) 564-8207, fax (502) 564-6686, email Justice.RegsContact@ky.gov.
REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT
Contact Person:
Amy Barker
(1) Provide a brief summary of:
(a) What this administrative regulation does:
This regulation sets specific security standards to preserve criminal history record information (CHRI) in an acceptable state.
(b) The necessity of this administrative regulation:
This regulation ensures compliance with KRS 17.140 and ensures that the CHRI remains secure to prevent unauthorized access.
(c) How this administrative regulation conforms to the content of the authorizing statutes:
This regulation works to ensure the appropriate processes for preservation of the criminal history records maintained by the Justice and Public Safety Cabinet and implements procedures to limit access to the protected information to authorized persons.
(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes:
This regulation will assist the Criminal Identification and Records Branch in implementing and maintaining the appropriate procedures to effectively protect and store the protected CHRI.
(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:
(a) How the amendment will change this existing administrative regulation:
The amendment will clarify the existing language of the administrative regulation, which provides guidance on how to effectively maintain and protect sensitive information. It revises the name of the entity that handles the criminal history record information within the Department and corrects the cabinet and Department names.
(b) The necessity of the amendment to this administrative regulation:
The previous language was unclear and not appropriately defined within relevant sections of the text.
(c) How the amendment conforms to the content of the authorizing statutes:
The amendment further clarifies the language of the regulation which works to ensure the appropriateness of the procedures implemented by the Criminal Identification and Records Branch.
(d) How the amendment will assist in the effective administration of the statutes:
The amendment contains language that is more clearly defined, which will benefit the personnel charged with implementing the subject procedures.
(3) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation:
The Department of Kentucky State Police, the Justice and Public Safety Cabinet, and all persons with personal information stored within the criminal history record information database maintained by Criminal Identification and Records Branch.
(4) Provide an analysis of how the entities identified in question (3) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:
(a) List the actions that each of the regulated entities identified in question (3) will have to take to comply with this administrative regulation or amendment:
This amendment does not require the regulated entities to take any action separate and apart from the previous language of the regulation; instead, this amendment provides clarification of the appropriate processes.
(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (3):
No additional cost is anticipated.
(c) As a result of compliance, what benefits will accrue to the entities identified in question (3):
The regulated agencies will have more clearly defined guidance on the appropriate procedures regarding the sensitive information that they are charged with protecting.
(5) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:
(a) Initially:
No additional cost is anticipated.
(b) On a continuing basis:
No additional cost is anticipated.
(6) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation:
Funds budgeted to the Department and the criminal justice agencies.
(7) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment:
No increase is necessary.
(8) State whether or not this administrative regulation established any fees or directly or indirectly increased any fees:
The amendment of this administrative regulation does not establish any new fees or increase any fees, directly or indirectly.
(9) TIERING: Is tiering applied?
No. Tiering was not appropriate in this administrative regulation because the administrative regulation applies equally to all those individuals or entities regulated by it.
FISCAL NOTE ON STATE OR LOCAL GOVERNMENT
(1) What units, parts or divisions of state or local government (including cities, counties, fire departments, or school districts) will be impacted by this administrative regulation?
The Department of the Kentucky State Police, the Justice Cabinet, and all persons with personal information stored within the criminal history record information database maintained by Records.
(2) Identify each state or federal statute or federal regulation that requires or authorizes the action taken by the administrative regulation.
KRS 17.140, KRS 15A.060
(3) Estimate the effect of this administrative regulation on the expenditures and revenues of a state or local government agency (including cities, counties, fire departments, or school districts) for the first full year the administrative regulation is to be in effect.
If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
(a) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for the first year?
The administrative regulation does not generate any revenue.
(b) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for subsequent years?
The administrative regulation does not generate any revenue.
(c) How much will it cost to administer this program for the first year?
No additional cost is anticipated.
(d) How much will it cost to administer this program for subsequent years?
No additional cost is anticipated.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Revenues (+/-):
Expenditures (+/-):
Other Explanation: