Loading...
HomeMy WebLinkAbout13A - Computers Record Security and General ManagementPolicy & Procedure Page 1 of 12 Lexington Police Department Subject: Computers, Record Security & General Management Policy Number: 13AAccreditation Standards: Reference: 11.4.4; 82.1.6; 82.1.7 Effective Date: 12/1/11 New Revised Revision Dates: 1/24/19 By Order of: Mark J. Corr, Chief of Police The Municipal Police Institute, Inc. (MPI) is a private, nonprofit charitable affiliate of the Massachusetts Chiefs of Police Association. MPI provides training and model policies and procedures for police agencies. This policy is an edited version of MPI Policy 4.21, “Computers and Data Security.” GENERAL CONSIDERATIONS AND GUIDELINES The Lexington Police Department utilizes computer equipment to aid in accomplishing its primary mission: responding to calls for service, preventing crime, apprehending criminals and documenting incidents. Computers and access to databases supplied by the Department or Town make our work more efficient and more accurate. The Department has a central computer with a police information management system called "PROPHOENIX”. The Department utilizes a computer system “PMAM”, a policy and training module accessible on-line. The Department also has access to the Town’s network server for internet, Microsoft Office®, and e-mail. Extensive on-line records are accessible to Department personnel 24 hours a day, seven days a week. The computerized records include: • All calls for police service, dispatch logs, arrest logs; • Restraining orders; • Motor vehicle citations; • Arrest and police information records; • Police incident reports; • Personnel information; • Statistical and data summaries; and additional police and management records. Most of the Department's administrative reporting is conducted within the central computer system. All other reports will be prepared in accordance with Department procedures on forms approved by the Chief of Police 13A - Computers, Record Security and Management Policy & Procedure Page 2 of 12 This policy will serve as a guide to help all employees preserve the integrity of our data, manage use of computer systems, decrease liability exposure, and prevent unlawful or wrongful actions involving computers and data. This policy supplements the policies and user agreements of state and federal data providers such as Leaps/NCIC/CJIS and contracted databases, in addition to the Electronic Communications Policy for Town of Lexington employees. It is the policy of the Lexington Police Department to: 1. Utilize computer resources to enhance our ability to perform our mission; and, 2. Improve officer safety through the availability of information, while maximizing security protocols and system integrity. PROCEDURES DEFINITIONS: Hardware: The tangible components of a computer such as disk drives, monitors, keyboards, mouse, etc. RMS: Records Management Systems of this Department and others. Offensive/Disruptive Communications: Communications which contain sexual content or sexual implications, racial slurs, gender-specific comments, or any other content that offensively addresses a person's race, creed, religion, physical or mental disability, color, sex, national origin, age, occupation, marital status, political opinion, sexual orientation, or any other group status. Password: A word or string of alphanumeric characters restricting access to an account, network, database, or file to an authorized member. Software: The programs, data, routines, and operating information used within a computer. Virus: A hidden code within a computer program or file intended to corrupt a system or destroy data stored in a computer. Malware: Malicious computer software that interferes with normal computer functions or sends personal data about the user to unauthorized parties over the Internet. System Administrator: An individual assigned or authorized by and under the direction of the Chief of Police to oversee and/or manage the operation and security of the department computer system and network 13A - Computers, Record Security and Management Policy & Procedure Page 3 of 12 A. COMPUTER PROTOCOLS 1. Central Computer System / PROPHOENIX a. The central computer system shall be the principal depository for police information. This information is protected by a multi-level security system, which includes: i. Employee passwords and identification numbers; ii. Security levels which are assigned by rank or position; and iii. Terminal access; certain information may not be accessible unless a specific terminal is used. b. Computer Use and Accountability i. The computer will only allow access when an ID number is used in tandem with the correct employee password. Once access is obtained, the computer will "stamp" any new information (or changes to existing information) with the employee ID number. ii. Personnel shall be responsible for any computer information "stamped" with their ID number. Each person is responsible for logging off. c. Authorized Users i. The job of protecting the hardware, software, and data from abuse is shared by all users of the Department’s data processing systems. The potential for someone (citizen or employee) to suffer a loss or inconvenience due to improper or inappropriate use of the Department’s data processing systems is real, whether malicious or accidental. ii. Only authorized users may have access to the Department computer system. Authorized users shall have an individual user account arranged by the System Administrator. iii. The use of Department computer systems and equipment is solely for purposes authorized by the Department. Unauthorized use is a violation of these policies and procedures, and violators may be subject to disciplinary action. d. It is important for all personnel to maintain a working knowledge of the computer system as required by the employee's duties and responsibilities. e. Commanding Officers and Supervisors shall: i. Monitor the computer skills demonstrated by employees under their supervision; ii. Whenever possible, provide basic and remedial training; and iii. Identify employees requiring advanced or specialized training from a computer administrator. 13A - Computers, Record Security and Management Policy & Procedure Page 4 of 12 f. It shall be the responsibility of all personnel to enter information into the computer system accurately and in accordance with Department guidelines. g. Department Employees will be issued a Microsoft Outlook account for the purposes of communicating with: h. Department Employees; i. Town employees, and j. Other individuals necessary to achieve departmental goals. k. Any employee assigned a network account with the Town of Lexington will, prior to access the network, sign the Town of Lexington’s computer policy and adhere to the guidelines contained therein. 2. Software a. Generally i. All software programs installed or introduced onto Department computers must be authorized by the System Administrator. ii. Software used in the Department’s computer systems is property of the Department and will not be used, copied or distributed without permission of the System Administrator. b. Unauthorized Software [11.4.4] i. Members are strictly prohibited from installing software programs, which have not been authorized for use by the System administrator or Designee.Any unauthorized software, such as games and other personal amusement software, will be deleted. ii. No employee shall install or use software on Department computers that is unlicensed, in violation of the software licensing agreement, or has been copied in violation of the law. iii. No employee shall introduce unauthorized programs or manipulate or alter programs running on mobile network computers or desktop computers. 3. Data Files a. Generally i. Employees must use caution when introducing data files into Department workstations. Data should be downloaded or received only from a trusted source. ii. Opening of suspect files for investigatory purposes should be done on designated investigative workstations only. The workstations are not connected to the Department network. iii. All disks and external storage devices, including disk drives (i.e., thumb drives), will be scanned by the user for viruses when introduced into any Department computer. This can be 13A - Computers, Record Security and Management Policy & Procedure Page 5 of 12 accomplished by right-clicking on the appropriate drive letter in the My Computer menu and choosing the option "Scan for Viruses" on the drop-down menu. iv. The Department will maintain proprietary rights over any work generated by its members in the course of their duties, and software or files will not be sold, distributed or maliciously deleted without permission of the Chief of Police. The use and distribution of such files will be at the discretion of the Chief or the System Administrator. b. Prohibited i. Employees shall not introduce unauthorized data files into mobile network computers, handheld devices or desktop computers from any source including floppy disks, CDs, DVDs, thumb drives, or any other media or on-line sources. [11.4.4] ii. Employees shall not encrypt data, or change permissions or files, without the formal approval of the Chief of Police or the System Administrator. 4. Data Back-ups a. Generally i. Daily backup of data shall be accomplished by the A-shift Commanding Officer for each A-shift and the back-up media stored in a secure location. [82.1.6(a)] ii. Weekly backup of data shall be accomplished by the Monday A- shift Commanding Officer. b. Media Storage [82.1.6(b)] i. Daily back-up media will be stored locally in the fire retardant safe located in the computer server room. ii. The weekly backup will be placed in the CO’s office portable fire retardant safe. In the case of an emergency and the building must be evacuated the safe in the CO’s office will be taken by the CO upon evacuation. c. Data i. Data files (word processing, e-mail, and spread sheets) will be backed up if they are stored on the department server. Backup of data not stored on the server is the responsibility of each user. The Department cannot be held responsible for lost data due to system failure caused by power outages or other problems that may cause unexpected shut down. If data is important to a user, s [he] must back it up. 13A - Computers, Record Security and Management Policy & Procedure Page 6 of 12 ii. Mobile computer network transaction logs of CJIS queries and responses must be maintained pursuant to 3.8.1 of the CJIS User Agreement. Files must be maintained for at least two years and must be available to CHSB upon their request. All other MDT log files shall also be stored for at least two years. d. MEDIA DISPOSAL: Back-up media which is no longer serviceable or which contains data that is no longer to be stored must be destroyed, so that the data cannot be retrieved, before being discarded. 5. Application Security a. Computer system security is the responsibility of all users. Employees may use Department computer systems only for Department purposes b. User access will be limited to only those programs, applications, records, and data necessary for that user to perform his/her assigned tasks. Users may access such records only for department business. [82.1.7] c. User Passwords i. Each authorized user of the system will be issued a login name and password. Users are responsible for maintaining the security of their passwords and should never share them with anyone, including other employees. [82.1.7] ii. Command staff, secretaries and others designated by the System administrator should change their password annually; iii. All other personnel should change their passwords bi-annually; any person may request an immediate password change if the confidentially of their password has been compromised. iv. The appearance of passwords on terminal screens and printouts is suppressed. v. No employee shall log into any computer or application using the username and password of another employee. This action is a crime under M.G.L. c. 266 s. 120F and is a serious breach of security.i d. Role of Program Administrators i. Program administrators are persons who may be assigned to manage a particular software program or application by the Chief of Police. ii. They shall manage and be responsible for user accounts, passwords, access, resets, and audits for their particular program. iii. Program administrators shall ensure that only current, authorized users are allowed access to their program or application. 13A - Computers, Record Security and Management Policy & Procedure Page 7 of 12 6. Network Security [82.1.6(c)] a. Network security is a critical security issue. b. Servers and routers are located in a secure area to avoid physical, illegal, and unauthorized access to this hardware. c. The Department shall provide various layers of security to safeguard data and software from unauthorized access. These security measures include: i. Detection of illegal penetration of the network and prevention of unauthorized access to the network and servers; ii. Prevention of unauthorized access to stored data; iii. Up-to-date anti-virus software installed and running on all servers and clients; iv. Minimal network administrator accounts and high security of network administrator passwords; and v. Secure setting for routers and firewalls. d. Supervised access to the network by vendors, maintenance technicians, and contractors may be allowed on an as-needed basis and only with permission of the Chief or the System Administrator. e. Access to the Department’s network will be limited to those with a legitimate need to use the system to access or input data. f. User access will be limited to only those programs and data necessary for that user to perform his/her assigned tasks. g. Each authorized user of the system will be issued a network login name and password. Users are responsible for maintaining the security of their passwords and should never share them with anyone, including other employees. h. A user’s password must be immediately changed if it becomes known to others. All user passwords should be changed bi-annually. i. All user passwords will be changed whenever a security infraction has been discovered. j. The appearance of passwords on terminal screens and printouts is suppressed. k. A network password audit shall be conducted annually by Chief of police or Designee. [82.1.6(c)] 7. Employee Activity a. PROPHOENIX i. All Department employees shall be trained in the use of PROPHOENIX. The training shall include how to access the system, write reports, enter property, view time management, etc. ii. It shall be the responsibility of the employee to view his/her time management to make sure all time is accurate. 13A - Computers, Record Security and Management Policy & Procedure Page 8 of 12 b. E-MAIL/Microsoft Outlook i. All Department employees shall be trained in the use of the e- mail system. This training shall include how to access e-mail, create e-mail messages, open an attachment, attach a document, send and receive e-mail and manage an e-mail account. ii. It shall be the responsibility of each employee to check their E-mail at least once per working shift and to read all e-mail messages, and their attachments, received from Department personnel. iii. Written directives may be distributed to employees by e-mail. Once the mail is opened, it shall be understood that the directive has been formally issued to the officer. The e-mail receipt indicating that the employee received and opened the e-mail shall serve as a record that the employee received and reviewed the written directive. iv. Any e-mail that is time-stamp delivered but has no date/time as to when it was opened shall be considered unread. If the message has no opened date/time and it does not exist in the recipient's mailbox, then it is considered to have been deleted, without being read, by the recipient. v. No employee shall delete any Department related e-mail without first opening it and reading the e-mail and/or its attachments. vi. The e-mails of Department employees are considered public record unless the content falls under a statutory exemption.ii E- mails containing jokes or personal comments to others will likely be deemed a public record (M.G.L. Chapter 66 § 10). vii. The following types of e-mail activities are expressly prohibited a) Transmission of global or mass mailings unless related to department business or unless prior authorization has been received from the Chief or his/her Designee. b) Transmission of chain letters or virus alerts. c) Transmission of any e-mail containing abusive, harassing, discriminatory, or sexually explicit language or content. d) Transmission of deceptively labeled e-mails, to include any e-mail that carries a misleading subject line, is anonymous, is attributed to another person, or identifies its true sender incorrectly. e) Inclusion of C.O.R.I. information within any e-mail, except where the recipient's e-mail address has been previously confirmed to be a legitimate and secure reception point. f) Any other transmissions or inclusions that violate federal, state, or local law. 13A - Computers, Record Security and Management Policy & Procedure Page 9 of 12 c. Internet Access i. Internet access is available to employees for legitimate business purposes only. ii. Users shall not use the Department system to access, download, upload, store, print, post, or distribute pornographic, obscene, or sexually explicit materials. iii. Users may visit an otherwise unacceptable site if it is for a legitimate law enforcement purposes and only with authorization of a supervisor. iv. If an employee accidentally accesses an unacceptable site, the employee must immediately disclose the incident to a supervisor. Such disclosure may serve as a defense against an accusation of an intentional violation of this policy. d. Release of Department Records [82.1.7] i. Records, including records containing criminal history data, may be released only in accordance with Massachusetts Law and Department policy. ii. Data maintained or obtained by this Department shall not be distributed in violation of investigative confidentiality or C.O.R.I through e-mail or uploading to chat (Officer.com) or entertainment sites (i.e., Break.com, Rotten.com, etc.). Data may be distributed for legitimate law enforcement purposes only. 8. Computers and Media Evidence a. Cautions i. Opening files of evidence hard drives and computer media may change data and file use markers, changing and/or contaminating evidence. ii. Media from questionable origin may introduce viruses or malware into the department network. iii. Electronic Media will be searched only with authorization from the court in conjunction with the Office of the District Attorneys and/or the NEMLEC Computer Crime Unit. b. See the Department Policy 83A - Collection and Preservation of Evidence prior to opening or viewing files on evidence hard drives or other media. B. ADMINISTRATIVE REPORTING 1. Daily Log. A daily log, in accordance with M.G.L. Chapter 41, section 98F, shall be maintained and shall record: a. All calls for service, complaints and reported crimes; 13A - Computers, Record Security and Management Policy & Procedure Page 10 of 12 b. Type and location of incident or call; c. When appropriate, the complainant (when identified); d. Case number and action code; e. The units assigned; and f. An arrest log listing the names and addresses of any person arrested and the applicable charges. g. Public Record. The public daily log unless otherwise provided by law, is public information and shall be made available to the public without charge, during regular business hours and at all other reasonable times. h. Physically incapacitated & handicapped persons. Any entry into the log which pertains to a handicapped individual who is physically or mentally incapacitated to the degree that said person is confined to a wheelchair or is bedridden or requires the use of a device designed to provide said person with mobility, shall be kept in a separate log and shall not be a public record nor shall such entry be disclosed to the public. i. GEO code A1. This GEO code should be used in any log note that is not a public record. This prevents the printing of this record in a public log. 2. Hot Sheet. At the beginning of each duty shift, the Patrol Supervisor or Lieutenant will discuss police information listed on the Hot Sheet. This report will include: a. All significant occurrences listed in the daily log (the default is 3 days but can list any time frame); and b. Police information directing patrols at times and locations when crimes and other problems are occurring. c. Whereas the Hot Sheet is available on-line, printing and distributing the Hot Sheet will be done at the discretion of the Commanding Officer. Officers are encouraged to check sheet information on their cruiser laptops. 3. Formal Police Reports. As required by the Chief of Police, all formal police reports shall be entered into the computer by the responding officer(s) in addition to a journal entry. a. Commanding Officers may, at their discretion, require a report in any situation. b. Commanding Officers shall review all reports entered by officers and personnel under their command (or working during the duty shift). c. Final report review and inspection will be the responsibility of the designated Report Review Officer. 4. Monthly Reports. The following reports shall be prepared monthly by clerical staff assigned by the Chief of Police or designee: a. Monthly crime reports -- National Incident Based Reporting System statistics for the Commonwealth of Massachusetts and the Federal Bureau of Investigation; 13A - Computers, Record Security and Management Policy & Procedure Page 11 of 12 b. Motor vehicle accident summaries; c. Citations - moving motor vehicle violations; d. Police fleet maintenance, mileage and fuel consumption. To be handled by the Police Mechanic. e. Note: The Chief of Police may require monthly reports from any of the Department's organizational components. 5. Annual Reports. Police annual reports shall be prepared as follows: a. The annual National Incident Based Crime Reporting System (NIBRS) shall be prepared by clerical staff. This report shall be a summary of the twelve monthly crime reports for the calendar year. b. The Annual Report of the Police Department to the Town of Lexington shall be prepared by the Chief of Police or by a designee under the Chief's direction. It shall include a summary of department activities, accomplishments, concerns and problems encountered during the year. c. A traffic enforcement report identifying the high accident locations in Lexington and outline a program for suppressing hazardous driving behaviors. d. An International City/County Management Association (ICMA) annual report on performance measures. 6. On-line Computer Reports. The central computer system is capable of generating numerous summary reports for any given date range. These reports will give department personnel (particularly Commanding Officers and heads of Department components) the ability to: a. Identify crime or incident trends; b. Summarize significant occurrences for any given time period; c. Keep personnel informed of major crimes, accidents, arrests or other important activities; d. Review statistical summaries for the purpose of allocating and distributing department resources; and e. Identify objectives for future programs. C. REPORT FORMS 1. The Captain of Administration shall be responsible for maintaining a system of accountability for all Department report forms. 2. All forms shall be approved for use by the Chief of Police. 3. REPORT FORMS – G-DRIVE. All approved report forms shall be retained on the police departments ‘freedom’ (G :) drive, under forms and documents. A copy of all approved forms will also be labeled and placed in a three ring binder in the CO’s office containing the following information: 13A - Computers, Record Security and Management Policy & Procedure Page 12 of 12 a. The date the form was created. b. Instructions for the proper use of each form. 4. New Report Form Requests a. Any request for a new report form must be submitted to the Captain of Administration. Each request should include the reasons why the form is needed and suggestions regarding format and use. b. When a new form is deemed necessary, a design shall be prepared under the direction of the Captain of Administration. c. New report forms will be circulated to the command staff in accordance with staff review procedures. d. All new report forms shall be subject to the approval of the Chief of Police. e. New report forms shall be placed on the G-Drive and a copy inserted into the master book of report forms with instructional material outlining the proper use of the form. 5. At least once each year, all existing forms shall be reviewed, amended, and/or deleted from the report form system by the Captain of Administration. D. MANDATORY REPORTS 1. The Chief of Police, or a designee, shall ensure that periodic reports, reviews, and other activities mandated by the accreditation standards are accomplished. 2. The Accreditation Manager shall: a. Maintain a list of all activities, which are mandated by the accreditation standards; b. Distribute, on an annual basis, a list of all mandatory reports to the affected personnel; c. Receive a copy of all mandatory reports, reviews and other materials; and d. Bring to the attention of the Chief of Police, or his designee, any report, review or other material, which has not been completed in a timely manner. i M.G.L. c. 266, §120F. ii M.G.L. c. 4, §7.