Health Care Department Operations Manual

Chapter 5 – Administrative

Article 3 – Information Technology


5.3.11 Endpoint Security

  • Introduction and Overview

    • Department information assets are often used to conduct business functions internally as well as with other State and non-department persons and devices on the Internet. Devices used for such department business purposes include servers, network devices, and end user devices such as mobile computers, tablets, and smart phones; these devices are collectively called “endpoints” or “endpoint devices.” Some department information assets are more prone to loss or theft due to their size, mobility, or location of use.

    • The department needs to ensure that endpoints are suitably protected to prevent unauthorized access to data and information that may reside on the endpoints.

  • Objectives

    • Objectives for this policy are to define the requirements to protect department endpoints that may routinely interact with unknown or untrusted devices on the Internet, or that are more susceptible to loss or theft.

  • Scope and Applicability

    • The scope of this policy extends to all State information assets owned and operated by the department, information assets managed by third parties on behalf of the department, and all information assets that process or store department information in support of department services and mission.

    • This policy applies to Owners of Information Assets and Information Asset Custodians.

  • Policy Directives

    • The department shall ensure that:

    • All department endpoints are identified and endpoint asset inventories are documented and continually updated.

    • Risks to individual department endpoint device types and the data they access, process, and store are assessed.

    • The requisite endpoint protection controls, as referenced in the Statewide Information Management Manual, are implemented and maintained to mitigate risks to each endpoint.

    • Endpoint protection controls include people (asset users), processes, and technology controls.

    • Endpoint protection controls are continuously monitored.

    • Endpoint protection controls are reviewed at least annually.

  • Roles and Responsibilities

    • Department Chief Information Officer (CIO) or Designee:

      • Owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of department information assets are aware of this policy and acknowledge their individual responsibilities.

      • Is responsible for ensuring that this policy is reviewed annually and updated accordingly. 

      • Is required to audit and assess compliance with this policy at least once every 2 years.

    • Department Information Security Officer (ISO):

      • Shall assist Owners of Information Assets and Information Asset Custodians with the identification and selection of endpoint protection controls.

      • Shall ensure that endpoint protection controls meet department requirements for security and privacy.

    • Department Owners of Information Assets and Program Management:

      • In collaboration with the Information Asset Custodians shall ensure that the endpoint protection controls are defined, documented, and implemented, and that implementation is reviewed annually.

      • In collaboration with the Information Asset Custodians shall ensure the endpoint protection controls commensurate with the sensitivity or criticality of the asset are implemented for assets under their purview.

    • Department Information Asset Custodians:

      • Shall implement the requisite endpoint protection controls based upon the sensitivity or criticality of the assets as defined by the Owners of Information Assets.

      • Shall maintain and update endpoint protection technologies based on best practices.

      • Shall maintain records of endpoint protection controls and ensure proper change management.

  • Enforcement

    • Non-compliance with this policy may result in disciplinary or adverse action as set forth in California Department of Corrections and Rehabilitation, Department Operations Manual, Chapter 3, Article 22.

    • The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

    • The consequences of negligence and non-compliance with State laws and policies may include the following department and personal consequences:

      • Loss of delegated authorities.

      • Negative audit findings.

      • Monetary penalties.

      • Legal actions.

  • Auditing

    • The department has the right to audit any activities related to the use of State information assets.

    • CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

  • Reporting

    • Violations of this policy shall be reported to the department ISO.

  • Security Variance Process

    • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

  • Authority

    • This policy complies with the State of California Government Code section 11549.3.

  • Revisions

    • The CIO or designee shall ensure that the contents of this article are current and accurate.

  • References

    • Statewide Information Management Manual, 5305-A, Information Security Program Management Standard

    • Statewide Information Management Manual, 5355-A, Endpoint Protection Standard

    • State Administrative Manual, Section 5355, Endpoint Defense

    • State Administrative Manual, Section 5355.1, Malicious Code Protection

    • National Institute of Standards and Technology, Special Publication 800-53, Security Assessment and Authorization, CA-7

    • National Institute of Standards and Technology, Special Publication 800-53, Configuration Management, CM-2, CM-3, CM-6, CM-7, CM-10, CM-11

    • National Institute of Standards and Technology, Special Publication 800-53, System and Communications Protection, SC-8, SC-10, SC-11, SC-13, SC-18, SC-23, SC-24, SC-28, SC-38, SC-42, SC-43

    • National Institute of Standards and Technology, Special Publication 800-53, System and Information Integrity, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8, SI-11

    • National Institute of Standards and Technology, Special Publication 800-53, Program Management, PM-9

    • National Institute of Standards and Technology, Special Publication 800-53, Risk Assessment, RA-2, RA-3, RA-5

    • National Institute of Standards and Technology, Special Publication 800-53, Physical and Environmental Protection, PE-3, PE-19, PE-20

    • California Department of Corrections and Rehabilitation, Department Operations Manual, Chapter 3, Article 22

    • California Department of Corrections and Rehabilitation, Department Operations Manual, Chapter 4, Article 41, Section 48010.5

    • California Government Code, Section 11549.3

  • Revision History

    • Effective: 02/2022