HIGHLIGHTS OF THE NAPHSIS SECURITY GUIDELINES MANUAL PRESENTED JUNE 5, 2013 BY CHUCK HARDESTER NAPHSIS SECURITY CONSULTANT
Why a NAPHSIS Security Guide? INTELLIGENCE REFORM & TERRIORISM PREVENTION ACT-2004 SEC. 7211. MINIMUM STANDARDS FOR BIRTH CERTIFICATES. SUPPLEMENT THE MODEL ACT ESTABLISH UNIFORMITY AMONG JURISDICTIONS NAPHSIS ADOPTED MOTION 2006 – 01
Motion 2006 – 01 To promote an awareness and commitment to national security through the intelligence reform & terrorism act regulations and create deterrent to identity theft and fraud, it is recommended that: Each jurisdiction designates a security coordinator performing or assigning the recommended best practices. Each jurisdiction adopt the attached best practices as part of the responsibilities under the designated security coordinator within each jurisdiction. NAPHSIS adopt these best practices as a standard and designate a security coordinator. The NAPHSIS security coordinator serves as a focal point among jurisdictional security coordinators so as to establish uniformity of security procedures and share information between and among the various jurisdictions.
57 Jurisdictions 6400 Issuing locations 14,000 different Birth certificates 57 – 6400 - 14000
Foundation of the Security Guide Model State Vital Statistics Act & Regulations State Best Practices Intel Reform Workgroups Recommendations Input from Contributors
What is the Process Initial Draft reviewed by Security Committee Draft sent to the Board of Directors Draft sent to Membership Comments and Additions Reviewed Section Made Available on NAPHSIS Website
Contributors to the Security Manual NCHS DOS-Passport Services DHS-forensic labs NAPHSIS Corporate Sponsors-technical Document Security Alliance-(DSA) North American Security Products Association-(NASPO) AAMVA-DMVs
The NAPHSIS Security Guide will be Internal Document-not available to public Living Document-continually changed and updated May Require a State to Change Laws and Regulations
SECTIONS OF THE MANUAL Section 1 Delayed Certificate of Birth Registration Section 2 Out of Institution Births Section 3 Birth Certification Document Section 4 Access to Vital Records Section 5 Issuance of a Certified Copy of Birth Section 6 Physical Security Measures Section 7 Destruction of Original Vital Records & other Documentation Containing Confidential & Sensitive Information Section 8 Corrections & Amendments to Birth Records Being Drafted
Section 1 “Delayed Birth Registration” All delayed certificates of birth should be processed, and filed at the central office of vital records. All birth certifications of a delayed certificate should be issued from the central office of vital records. Upon receipt of the documentation to establish the facts of birth, each document should be verified as authentic. If the document cannot be verified, it should not be accepted. All documentary evidence should agree. All documents submitted in support of the delayed birth registration should be copied and maintained for evidence. Affidavits of personal knowledge are not acceptable as evidence to establish a delayed certificate of birth. Walk-in or same day processing of a delayed certificate of birth should be prohibited. Any suspicious application should be retained in the fraud file for future reference.
Section 2 “Out of Institution Birth” All out of institution births should be filed with the office of the State Registrar. All documentation required to register an out of institution birth should be sent to the state vital records office for processing. There should be evidence of pregnancy, the infant was born alive, and the mother’s presence in the state on the date of the birth. Each piece of documentary evidence submitted should be verified by the vital records office or other designee of the State Registrar. All documentary evidence submitted should agree. An active fraud file of out of institution birth requests and related activities should be maintained.
Section 3 “Birth Certification Document” The birth certification document should have four layers of security, at a minimum. The security features should be overt, covert, and forensic and be included in the substrate (paper) and added to the surface (printing). All birth certification documents used in the state and local offices should be provided or approved by the state office. The printing of the birth certification documents should occur within the United States for security purposes. Shipping boxes containing birth certification documents should be anonymous. The name of the document should not be on the box, only the document number or a designated identifier. Annually, the State Registrar or designee should conduct and document a security inspection of the state operation.
Section 4 “Access to Vital Records” Access to vital records should be restricted and limited to eligible requestors. Only authorized employees and contractors of the vital records unit should have access to records and indexes. All employees (fulltime, part-time, temporary, contractual), who have access to records or data should be required to sign a privacy and confidentiality statement. The general public should be required to provide identification to obtain copies of restricted vital records. A government-issued photo ID such as a driver’s license, non-driver’s photo ID, or federal travel document issued by an appropriate issuing authority should be required. The authenticity of the government-issued photo ID document(s) presented to establish the identity of the applicant should be verified. Non-certified or informational copies of records should not be issued to the public.
Section 5 “Issuance of a Certified Copy of Birth” Each state office should prescribe a standardized application form for obtaining a certification of a vital record. An applicant for a birth certification should be required to provide identification documents establishing their identity and relationship to the person of the record before obtaining a birth certification. A valid government-issued identification document issued by an appropriate issuing authority should be required. A copy of the valid government-issued identification document should be copied and maintained with the application. Notarized statements should not be accepted in lieu of a valid government-issued identification document. State and local offices should issue all birth certifications from a centralized state-administered data base.
Section 6 “Physical Security Measures” There should be appropriate sensor, warning systems or controls in place to monitor fire, smoke, water and other emergencies. All areas of the vital records operation should have a fire suppression system. The State Registrar or designee should be notified of any emergency or security breech. A full report should be made and maintained in the files. There should be controlled access procedures to the vital records work area consisting on access devices (badges) for employees. There should be a central sign-in log for visitors, non-employees, vendors, delivery personnel, and cleaning staff. The public office staff should be protected from the public through barriers. At the conclusion of the work day, supervisory staff should conduct an operation-wide walk through to insure all established security measures are in place.
Section 7 “Destruction of Original Vital Records & Other Documentation Containing Confidential & Sensitive Information” To the fullest extent possible, the State Registrar should discourage the destruction of original paper records. At the end of the work day, all sensitive and confidential documentation should be taken by designated staff to a secure locked area for storage until destroyed. All sensitive and confidential documentation should be disposed of by shredding. The local registrar should notify the State Registrar for approval of any plan to destroy paper records in the local office. If an outside vendor is used to destroy hard drives, written certification of the destruction from the vendor should be maintained by the State Registrar.
SECURITY GUIDELINES MANUAL WWW.NAPHSIS.ORG SECURITYT SECTION