HomeMy WebLinkAboutC-7229-1 - Participating Agency Hold Harmless AgreementPARTICIPATING AGENCY HOLD HARMLESS AGREEMENT
The State of California and the Department of Corrections and Rehabilitation and all
officers and employees thereof connected with the use of Parole LEADS, including but
not limited to the Secretary, shall not be answerable or accountable in any manner; for
any loss or damage that may happen as a result of the use of information from Parole
LEADS or for injury to or death of any person, either employees of the user agency or
the public; or for damage to property from any cause which might have been prevented
by the user agency, or anyone employed by or under contract with the user agency.
The user agency shall hold harmless the State of California, the Department of
Corrections and Rehabilitation, and all officers and employees thereof connected with
Parole LEADS, including but not limited to the Secretary, from all claims, suits or
actions of every name, kind, and description, brought forth, or on account of, injuries to
or death of any person including but not limited to employees of the user agency and
the public, or damage to property as a result of use of information from Parole LEADS
or except as otherwise provided by statute. The user agency shall not be responsible
for liability, injuries, death, damages or indemnification to the State therefore caused by
the sole negligence of the State or its agents.
Signat of Law Enforcement Agency's Chief Official Title Date
13c��- e> Alcrmcwr NY?DC-hiS:E-
Agency Name Agency Email
Soa
First Name (Print or Type)
APPROVED AS
CITY ATTCRNE
Lcw;s CA, (P I L+v m
Last Name (Print or Type) CLETS Agency ID (ORI #)
QM-Io,2fY
AGENCY PARTICIPATION AGREEMENT
The California Department of Corrections and Rehabilitation (CDCR), Division of Adult Parole Operations (DAPO) has implemented
Parole LEADS (Parole Law Enforcement Automated Data System) which provides parolee information to local law enforcement agencies
over a secure internet connection. The DAPO Offender Information that will be provided to your agency using Parole LEADS is Criminal
Offender Record Information (CORI). Releasing or coping CORI to non -authorized persons is a misdemeanor pursuant to Penal Code
Sections 13302-13304. Any such violation maybe referred to either the State Department of Justice (DOJ) or local entities for prosecution.
The CORI furnished by DAPO is for official law enforcement purposes only. Your department or agency is required to comply with all security
and technical provisions of this agreement. Agency staff using CORI information must have both a need to know and a right to know. Failure to
abide by the terms of this agreement, including the attached Parole LEADS Policy and Procedures, may result in the termination of the sharing
of Parole LEADS information with your department or agency.
DAPO makes no guarantee regarding the accuracy of Parole LEADS information, and strongly encourages all participating agencies
to verify information with the local Parole Agent before taking any action or making any decision based on this Information.
Additionally, it is strongly recommended that a Parole Agent be involved, at least telephonically, in any parolee -related search.
The data provided by Parole LEADS is intended for crime analysis or other law enforcement uses only. Summary or statistical information and
reports regarding DAPO offenders will not be released outside the law enforcement community (including the news media) without
confirmation from DAPO's Director or designee that the data is accurate and complete. This paragraph is not meant to dissuade any agency
from sharing Parole LEADS information with other law enforcement agencies as long as each disclosure is journaled according to CORI
regulations. Such sharing will be on a need to know, right to know basis and will not involve the electronic exportation of multiple Parole LEADS
records.
Parole LEADS CORI will be accessed exclusively from authorized computer workstations at the local law enforcement agency's place of
business, including a temporary command center and field devices issued by the agency and complying with CORI regulations. Any other
access, including access from any personally owned, remote, mobile or home-based computer, is prohibited.
User account maintenance will be the responsibility of authorized agency staff unless other arrangements are jointly agreed to by the
agency and DAPO.
The attached Policy and Procedures are a part of this agreement. The Policy and Procedures shall be adhered to by every user of Parole
LEADS. DOJ and the DAPO Security Administrator or designee is authorized to audit agency security logs and security procedures at each
individual worksite upon written notice.
I certify that I am the chief law enforcement official of my agency, and have the full power and authority to execute this agreement with CDCR. I
will ensure that my employees, who access, copy, use CORI information or maintain user accounts in Parole LEADS will be advised of the
contents of this agreement, the attached policy and procedures, and will complete DAPO approved training before using Parole LEADS data
or performing account maintenance. I have signed the Parole LEADS Participating Agency Hold Harmless Agreement. I also understand
that I must designate a "primary contact" person (see below) and must resubmit this request when I wish the "primary contact"
designation changed. This pri ery contact person has the authority to speak for my agency as it pertains to Parole LEADS matters.
Sign//e of Law Enforcement Agency's Chief Official Title Date Signed
L Cwt S of
First Name (Print or Type) Last Name (Print or Type) Agency Email
Agency
CA(P30I'fi m
CLETS Agency ID (ORI #)
SNotZT (4'i 44 -3-71a SSHoR.r tEVNBP/>•oRGr
Primary Contact Name (Print or Type) Primary Contact Work Number Primary Contact's Work Email
CITY
10.t1.t1 d w
POLICY AND PROCEDURES
Parole LEADS Mission Statement
The Division of Adult Parole Operations (DAPO) of the California Department of Corrections & Rehabilitation (CDCR)
has implemented a Parole Law Enforcement Automated Data System (Parole LEADS) application that provides Criminal
Offender Record Information (CORI) to qualified local California law enforcement agencies over a secure public internet
connection, primary for crime analysis activities.
References
The Parole LEADS policies and procedures were developed using the following reference documentation:
• Assembly Bill 3X (AB3X) effective January 1, 1995
• Criminal Offender Record Information (CORI) Legislation & Policy
• AB3X System Functional Specification
• California Department of Corrections and Rehabilitation Operations Manual (DOM)
Parole LEADS Svstem Description Overview
The Parole LEADS application is designed to allow controlled and secure access of selected parolee information through the
public internet. The system takes advantage of the latest Internet and security technology. This allows authorized law
enforcement crime analysts, investigators or agents to obtain parolee information from an extract of the DAPO Statewide
Parolee database in two ways. Authorized agency users can either access information on a search query basis or
request a database download consisting of the agency's "group" of parolee records updated after a user -selected date.
The Parole LEADS application is the responsibility of DAPO, the owners of this information. DAPO will maintain Parole
LEADS, while requiring the observance of the policies and procedures necessary to protect CDCR's data and information
systems. The Parole LEADS application is designed to serve local crime analysis needs and tactical or street -level
employment by investigators on departmental -issued portable devices such as laptops or smart phones.
The data provided by Parole LEADS is intended for law enforcement uses only. Summary or statistical information and reports
regarding DAPO offenders will not be released outside the law enforcement community (including the news media)
without confirmation from DAPO's Director or designee that the data is accurate and complete. This paragraph is not meant
to dissuade any agency from sharing Parole LEADS information with other law enforcement agencies as long as each
disclosure is recorded according to CORI regulations. Such sharing will be on a need to know, right to know basis and will
not involve the electronic exportation of multiple Parole LEADS records.
The Parole LEADS application performs two primary functions:
1. Parolee Database Download (defined group only)
2. Search for Parolee Information (group or statewide)
Parole LEADS Database Download
Each authorized agency is limited to one download site. Additionally, each agency will be able to download parolee
records from its pre -defined group. This "group" represents parolees from selected parole offices, usually those within the
"home" county of the agency plus parolees from parole units adjacent to this home county. The composition of each agency's
"group" is determined by the Parole LEADS Security Administrator with input from the "primary contact" person at each agency.
For this download activity, each agency will have one "primary contact" download user, and a maximum of two secondary
download users. Download user capability will require a higher security level than a search query user. Using the internet to
connect to the Parole LEADS Web Server, the download user requests a database download consisting of its group of records
updated since a user -selected date. The request is sent through the Parole LEADS Web Server. The download request is
handled in a background process. Downloaded parolee information is encrypted between the Parole LEADS Web Server and
the agency.
} PAROLELEADS - # ,Wi
,,ul
Search for Parolee Information
An authorized agency is not limited in the number of Parole LEADS "search query" users. A Parole LEADS end user must
have an internet connection utilizing one of the following web browsers:
— Mozilla Firefox Version 3.5 or later
— Microsoft's Internet Explorer Version 7 or later
The end user generates a search query to obtain specific information on parolees. The search query is processed by the
Parole LEADS Web Server to retrieve relevant DAPO parolee database records. The results of this query are then displayed
to the user. Request and response transactions are encrypted between the Parole LEADS end user and the Web Server.
Parole LEADS Information Security Policy
CDCR Department Operations Manual, Section 49020.1 (05/20/2013) states "It is the policy of the California Department
of Corrections and Rehabilitation (CDCR) to protect against the unauthorized modification, deletion, or disclosure of
information included in agency files and databases. The Department regards its information assets, including data processing
capabilities and automated files, to be essential resources. The Department shall assume full responsibility for ensuring the
security and integrity of its information resources."
CDCR regards its information assets, including data processing capabilities and automated files, to be essential public
resources. Many aspects of CDCR's operation would effectively cease in the absence of critical computer systems,
including automated systems necessary for the protection of the public, staff and offenders in the custody or control of CDCR.
Accordingly, the agency must assume full responsibility for the proper use and protection of Parole LEADS information in
its possession.
Parole LEADS Information Ownership and Custodial Responsibility
The CORI available on Parole LEADS is owned by the DAPO. Once a Parole LEADS database download or query is
accomplished, the agency assumes full custodial responsibility for this CORI, while DAPO maintains ownership. The
agency has no authority to share, reproduce, publish or disseminate Parole LEADS information outside its agency
or to use this information for non -law enforcement purposes. This is in no way intended to restrict the agency from
providing this information to multiple sites within its agency.
As with any CORI, Parole LEADS information may not be publicly broadcast unless it is encrypted. Since the State Department
of Justice (DOJ) has legal oversight for compliance with CORI statutes, users or custodians of Parole LEADS information
must also comply with DOJ's published "CLETS Policies, Practices, and Procedures."
Note: The DOJ publication "CLET Policies, Practices and Procedures" is available via the internet at the following
site: CLETS. Policies. Practices. and Procedures. This document is available for download in the PDF format that requires
Adobe Acrobat Reader. The CLETS site above has a link to the site that makes the Adobe Acrobat Reader available for
download.
Parole LEADS Security Concept of Operations
The Parole LEADS end users are required to use Mozilla (version 3.5 or later) or Microsoft's Internet Explorer (version 7.0 or
later) browsers which applies the Secure Sockets Layer (SSL) with 128 -bit encryption.
User identification and authentication is accomplished through the use of a reusable logon identifier and password at the Parole
LEADS Web Server.
Security management provided by the Parole LEADS Security Administrator can be contacted at ParoleLEADS2@cdcr.ca.gov.
Parole LEADS Information Security Procedures
Agency Enrollment Process
In order to gain access to Parole LEADS, a local law enforcement agency must be physically located in California. Additionally,
they must already access Criminal History Information from the California Law Enforcement Telecommunications System
(CLETS) and be free of sanctions from either DOJ or CLETS Advisory Committee. The agency will be required to execute a
Parole LEADS Agency Participation Agreement, which is provided as an attachment to this document and a Participating
Hold Harmless Agreement. Both these agreements must be signed by the agency head, the highest level authority within
the agency, usually the Chief of Police or the Sheriff. The Agency Participation Agreement emphasizes the importance of
handling CORI properly, outlines the operational environment through which Parole LEADS may be accessed, and
requires agency to follow the Parole LEADS Policies and Procedures. The Agency's chief official must also designate a
"primary contact" for the agency. This person will have the authority to speak on behalf of the agency on Parole LEADS
matters and approve all their agency's users and be the sole contact to deal directly with the Parole LEADS Security
Administrator or designee. All requests for Parole LEADS access must be approved by, and routed through, this primary
contact person. If the "primary contact" person is to be changed, a revised Agency Participation Agreement signed by the
head of the agency is required. Once an agency is approved for Parole LEADS access, each end user will be required to
complete a Parole LEADS End User Agreement. Law enforcement agencies interested in gaining access to the Parole
LEADS application should direct e-mail to ParoleLEADS2@cdcr.ca.gov.
End User Site Requirements
The Parole LEADS end user physical sites are required to provide adequate controls and countermeasures to protect the
CORI. Parole LEADS CORI shall be accessed exclusively from authorized computer workstations physically housed
authorized agency's place of business or law enforcement -issued portable devices such as laptop or notebook computers and
"smart" phones. Any other access, including access from any personally owned, remote, mobile or home-based
computer is expressly prohibited.
All agencies' computer facilities with access to Parole LEADS are required to have physical controls to prevent unauthorized
access due to the sensitivity of CDCR computer systems. Agency -issued portable devices such as laptop or notebook
computers and "smart" phones must employ safeguards to prevent unauthorized access to Parole LEADS CORI
information. Each custodian of Parole LEADS information shall establish physical and software controls over its information
assets. It is required that someone be assigned to manage the end user system, including the security of the information it
contains.
Parole LEADS Operations & Maintenance
System Startup
The first screen that any user sees after logging into Parole LEADS shall display the Terms and Conditions for using the
application.
Parole LEADS System Updates/Changes
All Parole LEADS system updates or changes relating to CORI data security or end user access shall be approved by the
Parole LEADS Information Security Office. Once approved, Enterprise Information Systems (EIS) shall implement and enforce
those changes. Strict configuration management of Parole LEADS shall be enforced by EIS at all times.
Parole LEADS Database Extraction
The Parole LEADS Database Extraction uses information generated from the DAPO's Statewide Parolee Database. The time
frame required for extracting information from the CDCR organizational network varies according to the date entered and
the number of records returned for the particular agency unit code as defined earlier. Parole LEADS is the delivery mechanism
for parole data contained within SOMS, an offender management system used exclusively by CDCR. Parole LEADS is updated
Yl:
with current parolee information every 20 minutes from SOMS to provide near real-time data to local law enforcement. DAPO
makes no guarantee regarding the accuracy of Parole LEADS information, and strongly encourages all participating
agencies to verify information with a local Parole Agent before taking any action or making any decision based on this
information.
It is important that all users be adequately trained to use Parole LEADS but also to notify the Parole LEADS Security
Administrator or designee regarding database inconsistencies or errors to ensure proper resolution.
With every database download there will be a separate index file of CDC numbers provided. This file contains a list of
parolees who should be found in the parolee database after the download. When the agency's database is built from sequential
database downloads (based on a user defined date) it is imperative that the agency, at the conclusion of each sequential
download, compare this index file with the database to assure information integrity. If there are any discrepancies, the user
may have to repeat the download based on different dates or request a new full download. Failure to apply this error
correcting mechanism consistently may allow parolee information to become inaccurate and may constitute grounds for
suspension or termination of Parole LEADS access.
Parole LEADS Logon and Password Standards
Access to Parole LEADS is restricted by a reusable password for authorized persons only. Authorized persons shall never
reveal their passwords to anyone for any reason, nor record them or display them in a location or manner where others
may discover them. Authorized persons engaging in a computer session shall log off before leaving the immediate vicinity
of the terminal because the password that allowed the session to begin remains in effect throughout the session. Violation of
this policy will result in the revocation of all user access privileges and appropriate disciplinary action. Such disciplinary
action may be based not only on the violation itself, but also on all activity performed by those using the password.
As defined in the attached Agency Participation Agreement, the integrity of user accounts, such as ensuring the user is an
active member of that agency, will be the responsibility of agency staff unless other arrangements are jointly agreed to by the
agency and DAPO. A separate Account Password Administration Agreement for those assigned as Password or Account
Administrators for their respective agency shall be submitted after the user reviews the training materials available in Learning
Management Section (LMS) in Parole LEADS.
Whenever an authorized person terminates employment or is reassigned to duties that do not require access to Parole
LEADS, the "primary contact" for the authorized agency shall, without delay, notify Parole LEADS Security Administrator or
designee.
There is a need to ensure that authority to access Parole LEADS is restricted to persons with a demonstrated right and need for
access. The request for each Parole LEADS account will first be approved by the agency's "primary contact" with this "need to
know, right to know" concept in mind.
The lack of use of Parole LEADS is assumed to be evidence that the use is no longer required. Accounts may be disabled
without notice if they are not used regularly.
Password Policy
Passwords shall be a minimum of eight (8) characters consisting of a least one upper case letter, one lower case letter
and one number.
The Parole LEADS Security Administrator shall be responsible for ensuring each authorized user's password can be set, reset,
and/or changed either through user initiated or System Administrator initiated.
Security questions within the account profile of an authorized user will be utilized to confirm identity before the password is reset.
If a password is forgotten or compromised, the end user must immediately take action to change their password or contact the
Parole LEADS Security Administrator or designee.
Parole LEADS end users shall be responsible for promptly notifying the Parole LEADS Security Administrator or designee when
a user ID and password should be disabled.
Each Parole LEADS end user shall be responsible for changing his or her password at least once every 75 days to counter the
possibility of undetected password compromise.
A password shall be invalidated at the end of 90 days. A user who logs on with an ID having an expired password shall be
required to change the password for that user ID before further access to the system is permitted.
Parole LEADS Security Audit Records Management
Parole LEADS generates security audit records at each of the firewalls, as well as at the various servers. The Parole LEADS
Information Security Office (ISO) shall ensure that security audit records be reviewed to detect potential attacks on Parole
LEADS, and that appropriate alarms be setup to notify the Parole LEADS Security Administrator when anomalous events occur.
The audit function supports accountability by providing a trail of user actions. Actions are associated with individual users for all
security relevant events. The audit trail can be examined to determine what happened and which user was responsible for a
security relevant event. For each recorded event, the audit record will include the date and time of the event, type of event,
offered user ID for unsuccessful logins or actual user ID for other events, and origin of the event (e.g., computer name or IP
address).
The Parole LEADS application shall cause a record to be written to the security audit trail for at least each of the following
events:
• Failed user authentication attempts
• Resource access attempts that are denied
• Attempts, both successful and unsuccessful, to obtain privilege
• Activities that require privilege
• Successful access of security critical resources
• Changes to Parole LEADS users' security information
• Changes to the Parole LEADS system security configuration or modification of system software
Alarm thresholds should be determined in order to notify the Parole LEADS ISO or Enterprise EIS personnel of potential security
violations.
Parole LEADS audit trail records shall be kept for a minimum of three (3) years.
Parole LEADS Agency Service Suspension or Termination Process
If Parole LEADS service to an authorized agency must be suspended or terminated, DAPO shall issue a letter suspending or
terminating the agency and its associated end users. This letter will explain the reasons for the suspension or termination and
advise the agency that the action can be appealed to the DAPO Director. All authorized user logon identifiers and passwords
associated with that agency will be canceled by the Parole LEADS Security Administrator immediately.
If an agency loses CLETS Criminal History capability or is sanctioned by action of DOJ or the CLETS Advisory Committee, that
agency will be terminated from Parole LEADS access until such time as the sanctions are lifted.
Parole LEADS Security Incident Escalation Standards
Reporting
It is the responsibility of all users with authorized access to Parole LEADS to report all incidents that would place DAPO
information assets at risk. The following incidents shall be reported to the Parole LEADS Security Administrator or designee at
P a ro I e L EA D S 2@ cd c r. c a. g o v:
0 Any incidents involving or suspected to involve unauthorized access to Parole LEADS information, automated files, or
databases.
• Any incident involving the unauthorized modification, destruction or loss of automated data, automated files, or
databases.
• Any incident involving a virus, worm, Trojan horse or other such computer contaminant.
• Any incident involving the unauthorized use of computer equipment, automated data, automated files or databases.
• Any incident involving or suspected to involve the misuse of DAPO information assets.
Security Incident Handling
The Parole LEADS Security Administrator is authorized to respond to any security incidents associated with the operation of
Parole LEADS. The Parole LEADS Security Administrator will review with the Information Security Office all security incidents at
the next scheduled meeting for action or for permanent resolution of temporary actions taken by the Security Administrator.
Closure
The Parole LEADS Information Security Office shall be the final authority for closing any actions required for a specific security
incident associated with the operations of the Parole LEADS system. An Information Security Incident Report shall be submitted
to the Department of Finance in accordance with CDCR DOM IV, Section 49010.6.5 if the incident involved one or more of the
following:
• Unauthorized intentional release, modification, or destruction of confidential or sensitive (CORI) information, or the theft
of such information including information stolen in conjunction with the theft of a computer or information storage device.
• Use of State Information asset in the commission of a crime.
• Intentional damage or destruction of State information assets, or the theft of such assets with an estimated value in
excess of $500.
Parole LEADS Training and Awareness
DAPO shall provide training to the law enforcement community in order to ensure the overall effectiveness, success, and
efficiency in operating the Parole LEADS application. Training shall focus on the following items:
• Introduction to Parole LEADS
• Parole LEADS System Overview
• Handling Criminal Offender Records Information (CORI)
• Parole LEADS System Functions
o Search for Parolee Information
o DAPO Parolee Database Download
o Understanding of Parole LEADS Information Sources, Limitations, and Cautions
• Parole LEADS Administrative Structure
• Parole LEADS Security Awareness Issues
• Beware of "Social Engineering"
• The Importance of Protecting Passwords
• Working with the Parole LEADS Security Administrator or designee
• Security Incident Reporting
• Questions and Answers