Washington State Patrol Non-Criminal Justice Agency Compliance Audit Process Marsha Stril WSP Compliance Auditor 360-534-2135

Upload: bruce-burns

Post on 17-Dec-2015


Washington State Patrol Non-Criminal Justice Agency

Compliance Audit Process

Marsha Stril

WSP Compliance Auditor

360-534-2135


Introductions

• Your name
• Your title

Fingerprints

• How do you verify that the person in front of you is who they say they are?
  – Verified forms of identification
    • Current, valid, unexpired picture identification document (driver’s license)

Secondary forms of identification

• State Government Issued Certificate of Birth
• U.S. Active Duty/Retiree/Reservist Military Identification Card (000 10-2)
• U.S. Passport
• Federal Government Personal Identity Verification Card (PIV)
• Department of Defense Common Access Card
• U.S. Tribal or Bureau of Indian Affairs Identification Card
• Social Security Card
• Court Order for Name Change/Gender Change/Adoption/Divorce
• Marriage Certificate (Government Certificate Issued)
• U.S. Government Issued Consular Report of Birth Abroad
• Foreign Passport with Appropriate Immigration Document(s)
• Certificate of Citizenship (N560)
• Certificate of Naturalization (N550)
• INS I-551 Resident Alien Card Issued Since 1997
• INS I-688 Temporary Resident Identification Card
• INS I-688B, I-766 Employment Authorization Card

Garbage in, Garbage out


Audit for compliance


Here’s the Deal

• How is this change relevant to what I do?
• What specifically should I do?
• How will I be measured and what consequences will I face?
• What tools and support are available?
• What’s in it for me?

Overview

• Criminal Justice Information Services (CJIS) Security Policy
• Statutory Authority Review
• User Agreements/Memorandum of Understanding (MOU)
• Criminal History Lifecycle
  – Security
  – Storage/Retention
  – Dissemination
  – Destruction
  – Media Security
• Audit Process

CJIS Security Policy

• Federal Requirements

• Protect the full lifecycle of the Criminal History Record Information (CHRI)
  – Whether at rest or in transit

• Applies to Non-Criminal Justice Agencies (NCJA)

• Provides a secure framework of laws and standards

http://www.fbi.gov/about-us/cjis


Criminal History Record Information (CHRI) Lifecycle

• Requested (fingerprints)
• Delivered (encrypted email)
• What happens next?
• Where is it being stored?
• How long do you keep it?
• How is it destroyed?
• How secure is your agency IT system?

Is the CHRI Secure?

• Personnel
  – Who has access to it?
  – Are they sharing it?
    • With whom?
• Location
  – Controlled access
  – Password protected
• Storage
  – How long can you retain it?

“Shoulder Surfers”


Secure?


Storage/Retention

• Store CHRI in a secure records environment
  – Dedicated area with restricted access
• Retain CHRI only as long as it pertains to a particular event
  – Licensing
  – Employment
  – Fitness determination

State & Federal CHRI

• CHRI cannot be shared with any internal or external body not involved in the fitness determination of an applicant

• CHRI cannot be given to a person or entity that has no direct interest (secondary dissemination).

• CHRI can be given to the applicant upon request
  – Verify ID

Dissemination of CHRI

Is it okay to share (disseminate) the results to anyone else?

Here is an example

• The State Department of Education (DOE) conducts state and national fingerprint-based CHRI checks under an approved state statute. Ms. Doe applies to work for the Wonder County Board of Education (BOE). The BOE conducts a state and national fingerprint-based CHRI check on Ms. Doe. The results of the national CHRI check are disseminated to the State Identification Bureau (SIB). The SIB disseminates the record to the State DOE, who in turn disseminates the record to the Wonder County BOE.

DESTRUCTION OF CHRI

Remember: Safety First!


Macy’s Day Parade Story


Federally Approved Methods of CHRI Destruction

• Incineration
• Shredding

Media Security

“at rest or in transit”

Let’s review…

• Security
  – Personnel & environment
• Storage & Retention
  – Where & how long
• Dissemination
  – Authorized or not
• Destruction
  – Only two authorized methods

• Media Security


Any Questions so Far?


Audit Process


It’s not that bad!

• NCJA audits are mandated to the state repository (WSP) by the FBI

• On-site and/or Mail-in
• Triennial audit cycle (every 3 years)

The Audit Covers

• Security
• Retention/Storage
• Dissemination
• Destruction
• Media Security
• Statutory Authority Review
• User Agreements/Memorandum of Understanding (MOU)
• Required “Security Awareness Training”

Statutory Authority

• Authorized by state statute [Revised Code of Washington (RCW)]
  – Can also be authorized by ordinance
  – Federal Regulations (HUD, etc.)
  – For purposes of employment, licensing, fitness determination and/or emergency placement

Memorandum of understanding (MOU)

• The FBI requires WSP to have an MOU with each of the non-criminal justice agencies (and criminal justice agencies) that submit fingerprint-based state and federal background checks

• The purpose of this MOU is to set policy to ensure the protection of CHRI between WSP, the agencies, and the FBI


Why Audit????

The intention of the audit process is to:

• Help agencies implement and/or review policies, meeting state and federal security standards
• Increase safety practices with regards to CHRI
• Limit Agency Liability (MOU)

Pre-Audit

• Pre-audit questionnaire and an audit worksheet are sent out prior to on-site or mail-in audit

• WSP auditor draws a sample of data, verifying information

• The agency returns the completed documents (timelines are important). Why?

• The auditor will notify you of the data drawn and the requested date and time for an on-site or mail-in (correspondence) review

During the Audit

• Verify information provided
• Verify Training requirements
  – Security Awareness Training mandatory in 2013
• Verify the security of the process
• Verify the security of your IT services
• Verify storage procedures
• Verify how CHRI is disseminated
• Verify how CHRI is destroyed
• Verify MOUs that cover these areas

Post Audit

• Conversation, compliance and completeness
• Areas of concern noted
• Compliance letter sent to the audited agency
• Agency is given 30 days to respond with an action plan
• Be responsive
• Official letter with completed findings sent to the audited agency within 10 business days of reaching compliance standards satisfactorily

As we move forward

• Open and transparent communication
• Clarification of any misunderstandings
• What can the Washington State Patrol do to assist you?

Questions???

WSP Compliance Auditor

Marsha Stril

[email protected]: 360-534-2135

NCJA webpage: http://www.wsp.wa.gov/_secured/ncja/ncja.htm