Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 1 – Information Technology Definitions and Acronyms

Revised July, 18, 2013

41010.1 Policy

The Director, Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) and Executive Management of the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation) recognize Information Technology (ITInformation Technology) as an indispensable tool of modern government. Therefore, it is the policy of the Director to support and promote the departmental use of innovative information technologies in order to increase worker productivity, improve departmental services, and strengthen the overall effectiveness of management, while saving money and reducing the overall cost of government. The definitions and acronyms contained here ensure the consistent use of ITInformation Technology definitions and acronyms throughout the Department Operations Manual (DOMDepartment Operations Manual) Chapter 4 – Information Technology.

41010.2 Purpose

The purpose of the Department’s ITInformation Technology Definitions and Acronyms policy is to ensure that proven management methods for the guidance and control of planning, acquisition, development, operation, maintenance, and evaluation of information management applications are established in a manner that provides for the most efficient, effective, and economical use of the Department’s resources for ITInformation Technology.

41010.3 Definitions

-A-
- Access
  - Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
- Access Authorization
  - The granting of permission to execute a set of operations in a computer system.
- Access Control
  - The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances).
- Access Management Group
  - A group that is responsible for access permissions granted to CDCRCalifornia Department of Corrections and Rehabilitation’s Information Assets, including the CDCRCalifornia Department of Corrections and Rehabilitation Network, and departmental applications and databases.
- Accountability
  - The state of being liable, responsible and answerable.
- AISO
  - Agency Information Security Office – Provides information security recommendations, guidance, and authority.
- AMS
  - Application Maintenance and Support – Provides ITInformation Technology business application development, maintenance and support services spanning across all CDCRCalifornia Department of Corrections and Rehabilitation divisions, including adult and juvenile offenders, parole operations, and administration.
- Application Disaster Recovery Plan
  - A plan devised to process a computer application (application) after is has been distrupted for some period of time.
- Asset
  - Anything (tangible or intangible) that has value to CDCRCalifornia Department of Corrections and Rehabilitation.
- Authentication
  - Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. To access most technology services you must provide such proof of identity. In private and public computer networks (including the Internet), authentication is commonly used by requiring login passwords or passphrases; knowledge of such is assumed to guarantee that the user is authentic. Thus, when you are asked to “authenticate” to a system, it usually means that you enter your username and/or password for that system.
- Authorization
  - In computing systems, authorization is the process of determining which permissions a person or system is supposed to have. In multi-user computing systems, a system administrator defines which users are allowed access to the system, as well as the level of privileges they are eligible to access (e.g., access to file directories, hours of access, amount of allocated storage space). Authorization can be seen as both the preliminary setting of permissions by a system administrator, and the actual checking of the permission values when a user obtains access. Authorization is usually preceded by authentication.
- Availability
  - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
-B-
- Back-up
  - A process by which data is copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted.
- BIS
  - Business Information System – A fully implemented automated business management system that creates, tracks, and reports all of the Department’s business transactions.
- Blog
  - A web site containing frequent publications of personal thoughts and web links, coined from the words weblog, maintained for the purpose of commentary, or other material such as graphics or video.
- BPHBoard of Parole Hearings (formerly Board of Prison Terms)
  - Board of Parole Hearings – Conducts parole consideration; rescission, parole, revocation, and parole progress hearings for adult inmates and parolees.
- Business Continuity Management Program
  - An ongoing governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, and maintenance.
- Business Continuity Plan (BCPBudget Change Proposal)
  - A plan that documents arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical business functions after an interruption.
-C-
- CALPIACalifornia Prison Industry Authority (formerly PIA) California Prison Industry Authority
  - A State-operated agency that provides productive work assignments for offenders in California’s adult correctional institutions. CALPIACalifornia Prison Industry Authority (formerly PIA) operates more than 60 service, manufacturing, and agricultural industries at prisons throughout California.
- CAS
  - Corrections Application Solutions – Develops and maintains applications and systems used by divisions and programs throughout CDCRCalifornia Department of Corrections and Rehabilitation to support statewide offender, parole, and juvenile operations.
- CCHCS
  - California Correctional Health Care Services – A department under federal receivership responsible for providing constitutionally adequate medical care to patient-inmates of the CDCRCalifornia Department of Corrections and Rehabilitation within a delivery system the state can successfully manage and sustain.
- CDCRCalifornia Department of Corrections and Rehabilitation Network
  - The system of telecommunication devices, workstations, servers, and peripherals used to provide inter- and intra-facility connectivity that enable CDCRCalifornia Department of Corrections and Rehabilitation employees to access information assets and electronic communications. The CDCRCalifornia Department of Corrections and Rehabilitation Network is managed by the CDCRCalifornia Department of Corrections and Rehabilitation Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) division and the Office of Technology Services (OTech).
- Chain E-mail or Letter
  - E-mail sent to successive people. Typically the email contains directions for the recipient to forward the email to multiple people. The contents usually contain promises of good luck for the recipient or money if the directions are followed.
- Classification
  - The assignment of information, including a document, to a category on the basis of its sensitivity concerning disclosure, modification, or destruction.
- Client (User)
  - The individual or organization that utilizes a product.
- Community Transition Program (CTP)
  - CTP obtains and utilizes information about offenders in order to develop and implement effective and specific reentry plans that maximize a parolee’s opportunity to successfully reintegrate into the community.
- Component
  - A component is defined in SAMState Administrative Manual § 5013 as any individually identified piece of hardware, such as the mainframe, tape drive, disk drive, power supply unit, controller, punch, reader, printer, modem, CRTCrisis Response Team, keyboard, remote device, and the like.
- Computer Contaminant
  - Any set of computer instructions that, outside the intent and without the permission of the owner of such information, is designed to modify, damage, or destroy a computer, system, or network, or to record or transmit information within a computer, system, or network. Such contaminants include, but are not limited to, the group of self-replicating or self-propagating computer instructions commonly termed viruses, Trojans, and worms which are designed to affect computer programs or data, consume computer resources, modify, destroy, record or transmit data, or otherwise usurp the normal operation of the computer, system, or network.
- Computer Network
  - Any system that provides communication among one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
- Computer Program or Software
  - A set of instructions, or statements or related data, that when executed in actual or modified form cause a computer, system, or network to perform specified functions.
- Computer Security
  - The technological safeguards and managerial procedures that can be applied to computer hardware, programs, data, and facilities to ensure the availability, integrity, and confidentiality of computer-based resources. This can also include assurance that intended functions are performed as planned.
- Computer Services
  - Includes, but is not limited to, computer time, data processing, storage functions, other uses of a computer, system, or network.
- Computer System
  - A device or collection of devices, including support devices but excluding calculators that are not programmable and not capable of being used in conjunction with external files, one or more of which contains computer programs, electronic instructions, input data, and output data, and which performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control.
- Computer-Based Tools
  - Software or computer programs that improve or enable a user’s ability to configure and manage ITInformation Technology components.
- Confidential Information
  - Information maintained by State agencies that is exempt from disclosure under provisions of the California Public Records Act (PRAPublic Records Act) (GCGovernment Code § 6250 et seq.) or other applicable state or federal laws. All inmate, parolee, ward, and employee information that has not been explicitly defined as public information in §3261.2 of Title 15 should be treated as Confidential Information.
- Confidentiality
  - Assurance that information is shared only among authorized persons or organizations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating other data. The classification of the information should determine its confidentiality and the appropriate safeguards.
- Correctional Offender Management
  - Profiling for Alternative Sanctions (COMPAS) Enables CDCRCalifornia Department of Corrections and Rehabilitation to perform needs assessments and follow adult offenders from their intake at the reception centers through the completion of their parole supervision requirements.
- Cost Thresholds
  - Cost thresholds are the set dollar amounts assigned to agencies based on their size and past experiences with Department delegations can be found at: http://www.cio.ca.gov/Contact_Us/staff_assignments.html CPAT California Parole Apprehension Team – Enhances public safety through parole intervention and parolee-at-large apprehension.
- Critical Application
  - An application that is so important to the Department that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or Department employees, the fiscal or legal integrity of operations, or the continuation of essential programs.
- CTA
  - California Technology Agency – State of California’s ITInformation Technology control agency.
- Custodian of Information
  - An employee or organizational unit (such as a data center or information processing facility) acting as caretaker of an automated file or database.
-D-
- DART Desktop Advanced Research Team
  - Provides system level operational support of all end-point devices.
- Data
  - A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automated means.
- Data Classification
  - Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, sorted, or transmitted. The classification of the data should then determine the extent to which the data needs to be controlled/secured and is indicative of its value in terms of Business Assets. The classification of data and documents is essential to differentiate between that which is of little (if any) value, and that which is highly sensitive and confidential. The classification of data helps determine what baseline security controls are appropriate.
- Data Processing Equipment
  - Computers, network components, and other devices that facilitate, enable, or depend upon data communications. Network devices such as, but not limited to, routers, hubs, wires, and servers are data processing equipment.
- Data Processing Systems
  - A system, including computer systems and associated personnel, that performs input, processing, storage, output, and control functions to accomplish a sequence of operations on data.
- Data Security
  - Protecting data from unauthorized access, modification, destruction, or disclosure.
- Data Transmission
  - The conveying of data from one functional unit to one or more additional functional units through the transmission of signals by wire, radio, light beam, or any other electromagnetic means.
- DEC
  - Disability Effective Communications System – An ITInformation Technology program created and maintained by EISEnterprise Information Services (formerly Information Services Division) that ensures that inmate and parolee due process rights are recognized by identifying and accommodating their disabilities and effective communication special needs.
- Decentralized Applications
  - Systems that run on more than one computer in geographically separated locations. The term also refers to systems that are not supported by a single organization, such as EISEnterprise Information Services (formerly Information Services Division).
- Defect
  - A variance from specifications/standards or an attribute/function not contained in the software requirements specifications.
- Denial of Service
  - An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
- Deputy Director Operations
  - Responsible for all aspects of EISEnterprise Information Services (formerly Information Services Division)’s day-to-day operations.
- Development
  - Activities or costs associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new ITInformation Technology applications.
- Disaster Recovery Operation
  - The act of recovering from the effects of a disaster or disruption to a computer facility, and the preplanned restoration of facility capabilities.
- Disaster
  - A human or natural occurrence causing destruction and distress, after which a business is deemed unable to function.
- Disaster Recovery
  - The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.
- DRPDivision of Rehabilitative Programs
  - Disaster Recovery Plan – The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Plan.
- Documentation
  - Information about how specific applications are constructed, maintained, and used. It includes, but is not limited to, system and program design specifications, record formats, report layouts, program source and object code, job control language specifications, run instructions, key entry instructions, and data definitions.
- DRDDischarge Review Date Tracker
  - Discharge Review State Tracker – Creates a calendar-based event driven solution which allows field agents and case records staff to determine when a parolee is due for a Discharge Review.
-E-
- E-mail
  - Written communication transmitted electronically using computers connected to network(s). Today’s email systems are based on a store-and-forward model. Email servers accept, forward, deliver and store messages. Neither the users nor their computers are required to be online simultaneously; they need connect only briefly, typically to an email server, for as long as it takes to send or receive messages.
- EdCATS
  - Education Classroom Attendance Tracking System – Allows teachers to log academic and vocational classroom hours and track milestones achieved by students while attending those classes.
- EISEnterprise Information Services (formerly Information Services Division)
  - Enterprise Information Services – A division of CDCRCalifornia Department of Corrections and Rehabilitation responsible for the enterprise-wide execution of all ITInformation Technology systems and services.
- Electronic Data Processing (EDPElectronic Data Processing (see IT))
  - Equipment EDPElectronic Data Processing (see IT) equipment is defined as:
    - Central processing units and all related features and peripheral units, including processor storage, console devices, channel devices, etc.
    - Minicomputers, microcomputers, personal computers, and all peripheral units associated with such computers.
    - Special purpose systems including word processing, magnetic ink character recognition, optical character recognition, photocomposition, typesetting, and electronic bookkeeping.
    - Communications devices used for data transmission such as modems, data sets, multiplexors, concentrators, switches, local area networks, private branch exchanges, network control equipment, and microwave or satellite communications systems.
    - Input-output (peripheral) units (off-line or on-line) including: terminals, card readers, optical character readers, magnetic tape units, mass storage devices, card punches, printers, computer output to microfilm converters, video display units, data entry devices, FAXs, teleprinters, plotters, or any device used as a terminal to a computer, and control units for such devices.
- Encryption
  - Data encryption is a means of scrambling or ciphering the data so that it can be read only by the recipient – the person(s) holding the ‘key’ – a password of some sort. Without the ‘key,’ the ciphered data cannot be opened and read.
- Enterprise Architecture (EA)
  - The CDCRCalifornia Department of Corrections and Rehabilitation unit responsible for managing CDCRCalifornia Department of Corrections and Rehabilitation’s enterprise architecture program, a strategic practice for maintaining the ITInformation Technology architecture portfolio to facilitate more informed and effective ITInformation Technology decisionmaking, both strategically and operationally. This includes, but is not limited to, the Business, Application, Information/Data, Technical, and Security Architecture domains.
- eOMIS Electronic Offender Management Information System
  - A real-time application that increases the availability of accurate and complete offender information so CDCRCalifornia Department of Corrections and Rehabilitation can more efficiently manage inmates.
- ERMSElectronic Records Management System
  - Electronic Records Management System – A document management system that provides a digitally scanned and uploaded central records repository.
- EWACS
  - Enterprise Web and Collaboration Solutions – Provides web application development, operational support, and end user support for the enterprise. Develops public and internal facing web and client-based applications that meet various business needs.
-F-
- Failure
  - Inability of a product or service to perform its required functions within previously established limits.
- FIS
  - Field Information System – Documents all contacts by parole agents with juvenile offenders.
- Forwarded E-mail
  - E-mail resent from an internal network to an outside point, whether internal or external to CDCRCalifornia Department of Corrections and Rehabilitation.
-G-
- Guideline
  - A description that clarifies what should be done and how to achieve the objectives set out in policies.
-H-
- Handheld Computer Synonym for Personal Digital Assistant.
- Hardening
  - A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.
- Hardware
  - The physical equipment or machinery (computers, terminals, printers, disc drives, etc.) used in ITInformation Technology systems.
- HAWI
  - Holds and Warrants Interface – Easily accesses parolee information to automate the issuance of holds and warrants.
- High Risk Confidential Information (HRCI)
  - Non-public information that if disclosed could result in a significant harm (including financial, legal, risk to life and safety or reputational damage) to the CDCRCalifornia Department of Corrections and Rehabilitation or individual(s). Examples of HRCI include, but are not limited to, information such as the following:
    - Personally identifiable information such as person’s name in conjunction with the person’s Social Security Number, credit or debit card information, individual financial account, driver’s license number, state IDInstitutions Division (see DAI) number, passport number, or a name in conjunction with biometric information;
    - Personal health information such as any information about health status, provisions of health care, or payment for health care information as protected under HIPAA;
    - Correctional Offender Record Information
    - Information that if disclosed would “reveal vulnerabilities to, or otherwise increase, the potential for an attack on an ITInformation Technology system of a public agency.” Examples include, but are not limited to, firewall and router configurations, server names, IP addresses, and other system configuration details;
    - Any documentation of information which contains information or data within any Gang Database.
    - Records of investigations, intelligence information, or security procedures. This includes, but is not limited to, information identifying confidential informants.
-I-
- Information Assets
  - All categories of information existing in any form, including electronic or hard copy that is stored, used, or created by CDCRCalifornia Department of Corrections and Rehabilitation and have value to the organization.
- Information Governance
  - The process of official enterprise-level decision making for CDCRCalifornia Department of Corrections and Rehabilitation information standards to ensure the effective, efficient, and secure use of CDCRCalifornia Department of Corrections and Rehabilitation information. This includes officially making and adopting Data Classification decisions for CDCRCalifornia Department of Corrections and Rehabilitation information.
- Information Integrity
  - The condition in which information or programs are preserved for their intended purpose, including the accuracy and completeness of information systems and the data maintenance within those systems.
- Information Owner
  - Group(s) or person(s) responsible for individual and/or collective decision-making regarding specific CDCRCalifornia Department of Corrections and Rehabilitation Information Assets. This includes decision-making regarding the appropriate use, access, controls, and Data Classifications for those Information Assets.
- Information Processing
  - The systematic performance of operations upon data such as handling, merging, sorting, and computing; synonymous with data processing systems.
- Information Security
  - The protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information exists in many forms: printed or written on paper, stored electronically, transmitted by post or electronic means, on films, and spoken.
- Information Security Incident
  - An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
- Information Security Standards and Guidelines (ISSG)
  - Compilation of the standards and guidelines comprising CDCRCalifornia Department of Corrections and Rehabilitation’s program to ensure the protection and security of information asssets.
- Information Technology
  - All computerized and auxiliary automated information handling, including: Systems design and analysis; conversion of data; computer programming; information storage and retrieval; voice, video, and data communications; requisite system controls; simulation; and, all related interactions between people and machines.
- Input-Output Unit/Device
  - The equipment used to communicate with a computer; commonly termed I/O (Input/Output).
- Instant Message (IMInstructional Memorandum)
  - A type of communications service that enables a user to exchange text messages in real time among two or more individuals logged into a particular instant messaging system from a computer workstation.
- Integrity
  - As it pertains to data, is the assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The integrity is not only whether the data is correct, but also whether it can be trusted and relied upon.
- Internet
  - The World Wide Web (WWW), consisting of a network of networks.
- Intranet
  - A term that refers to a closed network of networks. In the context of CDCRCalifornia Department of Corrections and Rehabilitation, it refers to the web portal used for hosting information and documents for internal CDCRCalifornia Department of Corrections and Rehabilitation users only.
- ISInformation Systems
  - Infrastructure Services – Creates, maintains, and supports all enterprise data activity necessary to facilitate CDCRCalifornia Department of Corrections and Rehabilitation’s current and future business needs as well as provide ongoing operations, production implementation, and control in a secure manner.
- ISCInformation Security Coordinators
  - Information Security Coordinator – Each entity’s ISCInformation Security Coordinators is responsible for ensuring that applicable CDCRCalifornia Department of Corrections and Rehabilitation ITInformation Technology security policies and procedures are followed.
- ITInformation Technology CSFO
  - ITInformation Technology Customer Service and Field Operations – Provides quality service, guidance and direction to customers in order to support their business needs by implementing cost-effective, innovative technologies and adopting operational ITInformation Technology best practices and standards.
- ITPSP
  - ITInformation Technology Policy and Strategic Planning – Drives enterprise ITInformation Technology planning efforts necessary to support the Agency’s mission and future investments while ensuring compliance with national, State and local mandates.
-J-
-K-
-L-
- Law Enforcement Automated Data System (LEADS)
  - Parole LEADS is a web-based computer system that provides local California law enforcement agencies with information on CDCRCalifornia Department of Corrections and Rehabilitation parolees.
- Life Cycle
  - The anticipated length of time that the ITInformation Technology system or application can be expected to be efficient and cost-effective and can continue to meet the agency’s programmatic requirements; synonymous with operational life of a system.
- LINX
  - Link Investigation and Network Cross-Reference – Centralized web-based application that contains inmate gang affiliations and validation for adult offenders.
- Local Area Network
  - A Local Area Network (LANLocal Area Network) is a computer network consisting of telecommunications devices such as routers, hubs, switches, firewalls, and computers such as workstations, servers, and peripheral devices.
- LSTS
  - Lifer Scheduling and Tracking System – Supports the inmates sentenced to life parole suitability hearing process.
-M-
- Mainframe
  - Refers to large computers typically housed in a data center environment and running legacy systems. Mainframe computers have security components, such as Resource Access Management Systems, integrated into the operating system and can support many hundreds of users simultaneously.
  - Malicious Software
    - Malicious software, or malware, is any set of computer instructions that, outside the intent and without the permission of the owner of such information, is designed to modify, damage, or destroy a computer, system, or network, or to record or transmit information within a computer, system, or network. Such contaminants include, but are not limited to, the group of self-replicating or self-propagating computer instructions commonly termed viruses. Trojan Horses and worms are designed to affect computer programs or data, consume computer resources, modify, destroy, record, or transmit data, or otherwise usurp the normal operation of the computer, computer system, or computer network. Malware includes computer viruses, computer worms, Trojan Horses, most root kits, spyware, dishonest adware and other malicious or unwanted software.
- MDOMentally Disordered Offender
  - Mentally Disorder Offender – Database that tracks MDOMentally Disordered Offender holds, creates hearing schedules, generates confirmation letters for evaluators and attorneys, and tracks MDOMentally Disordered Offender cases.
- Mission-Critical Applications
  - Applications defined by CDCRCalifornia Department of Corrections and Rehabilitation that support business activities or processes that cannot be interrupted or unavailable for the Recovery Time Objective (RTO) defined by the agency without significantly jeopardizing the organization.
-N-
- Need-to-Know
  - Refers to a person having both a legitimate right and a reason to obtain information.
- NIST
  - National Institute of Standards and Technology – A measurement standards laboratory which is a non-regulatory agency. NIST promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology.
-O-
- OBITS
  - Offender Based Information Tracking System – Mission critical master record for all juvenile offender activity that feeds information into multiple systems.
- One-Time Costs
  - Costs occurring only once that are associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new ITInformation Technology applications.
- Operational Life
  - See Life Cycle.
- Operations
  - Activities or costs associated with the continued use of ITInformation Technology applications. Operations include personnel associated with computer operations, including network operations, job control, scheduling, and key entry. It also includes the costs of computer time and other resources needed for processing. See SAMState Administrative Manual Section 4819.2.
- OTech
  - Office of Technology Services – Provides ITInformation Technology services to many state, county, federal and local government entities throughout California.
- Owner of Information
  - See Information Owner.
-P-
- PACATS
  - Parolee Automated Cash Assistance Tracking System – Tracks cash assistance provided to parolees throughout the state, separated by assistance type.
- PALParolee-At-Large Trax
  - Parolee At Large Tracking System – Tracks CPAT agent caseloads.
- Parole-LEADS
  - See Law Enforcement Automated Data System.
- Personal Digital Assistant (PDAParole District Administrator)
  - Palm-sized computer that syncs with a computer workstation and allows users to refer to information from the workstation without having to print it out. Schedules, e-mails, documents, and spreadsheets as well as reference material such as dictionaries and phone lists can be stored and accessed as needed on the device. PDAs often are capable of wireless connectivity with LANs and the Internet.
- Personally Identifiable Information
  - Personally Identifiable Information (PII) is the manifestation of an individual’s first name or first initial and last name, in combination with one or more of the following:
    - Social Security Number;
    - Driver’s license number;
    - State issued IDInstitutions Division (see DAI) card;
    - Credit or debit card number in combination with any required security code or password that could permit access to an individual’s financial account;
    - Medical information, history, mental or physical condition, treatment or diagnosis by a health care professional;
    - Health information, policy number or subscriber IDInstitutions Division (see DAI), unique identifier, or any information in an application and claims history, including any appeals records.
- Physical Security
  - The measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against unauthorized access, damage, and theft.
  - Post Implementation Evaluation Report (PIERPost Implementation Evaluation Report) The review of a computer, computer system, or computer network that has been in operation for at least six months and no longer than two years for the purpose of matching the requirements of the system against what has been produced so as to ensure that stated requirements have been met.
- Policy
  - Overall intention and direction as formally expressed by management.
- PPPMA
  - Policy/Planning, Project Management and Acquisitions is the EISEnterprise Information Services (formerly Information Services Division) unit responsible for EA, PPRM, QPAC, and ITPSP.
- PPRM
  - Portfolio, Project and Resource Management is the EISEnterprise Information Services (formerly Information Services Division) unit that improves the management of ITInformation Technology investments by utilizing project and portfolio managements tools; incorporating proven methodologies; and following best practice disciplines to assist in the identification, ranking, and justification of investments and the implementation of funded projects.
- PRAS
  - Parole Restitution Application System – Tracks original court ordered restitution payments and balances.
- Privacy
  - The right of individuals and organizations to control the collection, storage, and dissemination of information about themselves.
- Process
  - The work activities that produce products, including the efforts of people and equipment.
- Product
  - The output of a process, including the goods and services produced by individuals and the organization.
- Production Application
  - A computer-based process that stores, manipulates, or reports departmental information.
- Program
  - In the ITInformation Technology field, a program is the set of instructions by which a computer operates to accomplish a specific task.
- Program Application Manager
  - Department supervisory and management staff responsible for managing or supervising employees’ use of an automated file or database.
- Programming
  - Detailed design encompassing the actual development and writing of program units or modules.
- Project
  - A planned sequence of tasks to respond to a problem or opportunity; an activity with a beginning and an end and containing a set of resources.
- Proprietary Software
  - Software packages which are developed by independent vendors and marketed to users.
- Protected Health Information
  - Individually identifiable information in electronic or physical form created, received, or maintained by health care organizations such as health care payers, providers, plans, and contractors. State laws require special precautions to protect from unauthorized use, access or disclosure.
- Protected Personal Information
  - Information that identifies or describes an individual and must be protected from inappropriate access, use, or disclosure as defined in applicable state and federal laws.
- Protecting Sensitive Information
  - Typically means providing for one or more of the following:
    - Confidentiality – Disclosure of the information must be restricted to designated parties.
    - Integrity – The information must be protected from errors or unauthorized modification.
    - Availability – The information must be available within some given timeframe (i.e., protected against destruction). (NIST Computer System Laboratory CSL Bulletin 92-11.)
- Public Information
  - Information maintained by State agencies that is not exempt from disclosure under the provisions of state or federal laws. Public Information is open to inspection by any person during normal business hours (PRAPublic Records Act § 6253(a)).
-Q-
- QPAC
  - Quality Project Authority and Compliance – Staff in EISEnterprise Information Services (formerly Information Services Division) that advocates for CDCRCalifornia Department of Corrections and Rehabilitation’s ITInformation Technology projects to Control Agencies for the purpose of securing project authority and funding approval, as well as the project’s successful completion.
- Quality
  - The extent to which a product meets the expectations and requirements of the user.
- Quality Assurance (QAQuality Assurance)
  - A staff function designed to support line management in performing the Quality Control function. As such, QAQuality Assurance identifies the processes (both good and bad) which affect quality, and is used to advise management of such effects. A management decision may then be necessary to ensure that QCQuality Control techniques are implemented and maintained; and, (2) The function that uses measurement and analysis to continually improve processing, procedures, and standards so that management can be reasonably assured of their staff following such methods, procedures, and standards, as well as staff’s ability to produce products which meet specified requirements.
- Quality Control (QCQuality Control)
  - The collection of activities to ensure that defects are neither made nor implemented. While QAQuality Assurance monitors the processes involved in the production cycle, QCQuality Control is an integral part of work and is the responsibility of each employee; and, (2) A line function used to measure quality associated with specific products or services. QCQuality Control is the responsibility of each ITInformation Technology area, and it is the function responsible for the quality of the work being done within a specific area or for a specific project.
-R-
- Recovery Point Objective (RPO)
  - The maximum amount of data loss an organization can sustain during an event.
- Recovery Time Objective (RTO)
  - The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RTOs are used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation.
- Requirement
  - The specification(s) for satisfying a user need is associated with a standard by which the satisfaction of that need can be measured.
- Resource Access Management Facility
  - An application within IBM-based computer systems that reviews logons, passwords, and permissions before permitting access to information.
- Risk
  - In the context of information systems, the likelihood or probability that a loss of information assets or breach of security will occur.
- Risk Analysis
  - The process of identifying the vulnerabilities and threats to an organization by assessing the critical functions necessary for an organization to continue business operations, and defining the controls in place to reduce organization exposure and evaluating the cost for such controls.
- Risk Assessment
  - Overall process of risk analysis and risk evaluation.
- Risk Evaluation
  - The process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
- Risk Management
  - The process of coordinating activities to direct and control the organization with regard to risk.
-S-
- Sensitive Information
  - Information maintained by State agencies that requires special precautions to protect it from unauthorized use, access, disclosure, modification, loss, or deletion. Sensitive information may be either Public or Confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The key factor for Sensitive Information is that of integrity. Typically, Sensitive Information includes records of financial transactions and regulatory actions.
- Smartphone
  - A cellular telephone with built-in applications and Internet access. Smartphones provide digital voice service as well as text messaging, e-mail, Web browsing, still and video cameras, MP3 players, video viewing and often video calling. In addition to their built-in functions, smartphones can run a myriad of applications, turning the once single-minded cellphone into a mobile computer.
- Software
  - Programs, procedures, rules, and any associated documentation pertaining to the operation of a system. (Contrast with hardware.) Spam Unauthorized and/or unsolicited electronic mass mailings.
- Stakeholder
  - A person, group, organization, member, or system who affects or can be affected by an organization’s or system’s actions.
-T-
- Threat
  - The potential cause of an unwanted incident, which may result in harm to a system or organization.
-U-
- Unauthorized Disclosure
  - The intentional or unintentional disclosure of confidential information to people inside and/or outside the CDCRCalifornia Department of Corrections and Rehabilitation who do not have authorization predicated on a “need to know” basis.
- Unit Testing
  - Testing performed on a single, stand-alone module or unit of code.
- User Identification (IDInstitutions Division (see DAI))
  - The logon name an individual user to access a computer or network system.
- User of Information
  - An individual having specific limited authority from the owner of information to view, change, add to, disseminate, or delete such information.
-V-
- Validation
  - The process of comparing a product in any stage of its development with specified requirements to determine whether the correct product is being produced.
- Virus
  - Small but insidious piece of programming code that attacks computer and network systems through contaminated (infected) data files, introduced into a system via email, portable storage media or the Internet. The code attaches itself to the target computer’s operating system or other programs, and may automatically replicate itself to spread to other computers or networks.
- Vulnerability
  - A weakness of an asset or group of assets that can be exploited by one or more threats.
-W-
- Wide Area Network (WAN)
  - Two or more LANs connected together. A communications network that uses devices over telephone lines, fiber-optics, satellite dishes, or radio waves to span a larger geographic area that can be covered by a LANLocal Area Network.
- Wireless
  - Referring to communications transmitted without wires, such as radio, microwave, or infrared.
- Workstation
  - Any device commonly called a microcomputer, personal computer, or terminal used for processing, storing, or sending information.
- Worm
  - A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself.
- WWW
  - An abbreviation for World Wide Web. See Internet.
-X-
-Y-
-Z-

41010.4 Revisions

The Director of EISEnterprise Information Services (formerly Information Services Division), or designee, shall be responsible for ensuring that the contents of this Article are kept current and accurate.

41010.5 References

GCGovernment Code §§ 6250 – 6265, and 11702 (a) Title 15 § 3261.2 SAMState Administrative Manual §§ 4819.2, 5013, 5320.5 DOMDepartment Operations Manual §§ 52070.22, 52070.24 Health Insurance Portability and Accountability Act (HIPAA) of 1996 PCPenal Code §§ 13100-13104 PRAPublic Records Act § 6254.19 PRAPublic Records Act § 6254 (f) California Senate Bill 1386 Confidentiality of Medical Information Act, California Civil Code § 56 et seq.
Patients’ Access to Health Records Act
California Health and Safety Code §§ 123100-123149.5

Article 2 – EDP Responsibility

41020.1 Policy

The Department’s executive management is responsible for the establishment of departmental policy pertaining to the use of information technology, the prioritization of departmental resources, and strategic planning and leadership to seek out opportunities for employing information technology toward achievement of the Department’s mission, goals, and objectives. Department executive leadership is responsible for ensuring that information technology is used within the guidelines contained in this manual section and those established by other control agencies.

41020.2 Purpose

The purpose of this policy is to ensure that departmental resources and information technology are used optimally in achieving the Department’s mission, goals, and objectives. Additionally, this policy assures that uses of information technology follow the guidelines established internally by CDC management and externally by State control agencies.

41020.3 Management Information Systems Committee

Revised October 6, 1993

The MISManagement Information Systems Committee shall:
- Provide executive leadership in the development of EDPElectronic Data Processing (see IT) projects and policy.
- Enforce compliance of the project approval process with the Department’s Strategic Plan.
- Prioritize EDPElectronic Data Processing (see IT) projects in terms of their importance to the Department’s Strategic Plan.
- Review and enforce policy and procedures in support of EDPElectronic Data Processing (see IT) projects.
- As individual committee members, serve as liaisons with their respective end user communities to promote, coordinate, and facilitate automation efforts, and to ensure effective communication regarding EDPElectronic Data Processing (see IT)-related issues throughout all levels of the Department.
- Educate management in the advantages of automation, new EDPrelated technical innovations, and methods to maximize the efficiency and benefits of automation, and to minimize EDPElectronic Data Processing (see IT) development and operating costs.
- Provide review and approval of all information technology procurements not covered under the approved Workgroup Computing Policy.
- Provide ongoing review of CDC-approved EDPElectronic Data Processing (see IT) projects, terminating those projects which are no longer consistent with the Department’s Strategic Plan.
Note that the MISManagement Information Systems Committee does not make any decisions on funding of ITS projects. The committee only recommends the prioritization of these projects.
See DOMDepartment Operations Manual 43020.4, Information Management Annual Plan, for additional information about the role and responsibilities of the MISManagement Information Systems Committee.

41020.3.1 MIS Committee Composition

The MISManagement Information Systems Committee is comprised of the following voting staff:
- The Chief Deputy Director (Chairperson).
- Three representatives from ASDSee Division of Administrative Services (DAS) (see ASB).
- Three representatives from ECEvidence Code&ISDInformation Services Division (see EIS).
- Five representatives from Institutions Division.
- Three representatives from P&CSDParole & Community Services Division (see DAPO).
- One representative from P&CDPlanning and Construction Division (see FPCM).
- One representative from CalPIA.
These representatives shall be appointed for an indeterminate period.
In the absence of the Chief Deputy Director, the Deputy Director of ASDSee Division of Administrative Services (DAS) (see ASB) shall chair MISManagement Information Systems Committee meetings.
The committee shall meet on a quarterly basis and more often as needed. MISManagement Information Systems Committee meetings are generally open to all wishing to attend.

41020.4 Responsibility MIS‑SU

Revised October 6, 1993

MISManagement Information Systems-SU provides functional support to the MISManagement Information Systems Committee. The MISManagement Information Systems-SU’s responsibilities include: (1) coordinating MISManagement Information Systems Committee meeting agendas; (2) coordinating the review of proposed ITS and to furnish recommendations for MISManagement Information Systems Committee review; (3) preparing annual updates for the Cabinet on all CDC automation efforts for the current year and on strategic planning for the coming year; (4) developing, coordinating, and participating in presentations for the committee that address current technical innovations; (5) coordinating the review of ITS concepts to ensure compliance and consonance with the budget cycle; (6) recording the actions and decisions of the MISManagement Information Systems Committee for distribution to appropriate departmental staff; and, (7) conducting special projects as assigned by the committee.
Departmental Workgroup Computing Coordinator
- The Workgroup Computing Coordinator’s responsibilities include: (1)ensuring that workgroup computing hardware and software requests comply with departmental and control agency policy requirements; (2)preparing the appropriate certification documents for workgroup computing procurements; (3) providing assistance in the completion of workgroup computing requests; (4) maintaining the departmental Workgroup Computing Policy and Modem Policy, as well as related equipment request forms for distribution to departmental staff; (5) overseeing the personal computer Post Implementation Evaluation Report (PIERPost Implementation Evaluation Report) process; (6) maintaining the departmental personal computer equipment inventory; and (7) maintaining a record of all personal computer procurements, including those justified through the use of an FSRFeasibility Study Reports, a CDC Internal Summary Fact Sheet, or the approved Workgroup Computing Policy.
Department Information Security Officer
- The CDC Information Security Officer (ISOInformation Security Officer) is assigned management responsibility for overseeing and administering the Centralized Information Security Program and is charged with the responsibility of assuring the Department’s compliance with the SAMState Administrative Manual 4840, Security and Risk Management; 4989.7, Security of Personal Computer Systems; and 20013, EDPElectronic Data Processing (see IT) Audit Requirements. This program encompasses all automated ITS for which CDC has administrative responsibility. It includes the procedures, guidelines, and safeguards that are required to protect data, confidentiality, and privacy rights and ensures the integrity, audibility, and controllability of these ITS. All new policies and revisions of existing policy relating to automated information security will emanate from this office.
ISDInformation Services Division (see EIS)
- It is the responsibility of ISDInformation Services Division (see EIS) to establish and maintain the departmental EDPElectronic Data Processing (see IT) strategic planning process and to oversee the development of all departmental EDPElectronic Data Processing (see IT) policies, including assurance that such policies meet control agency guidelines. ISDInformation Services Division (see EIS) is also responsible for ensuring that such considerations as compatibility and connectivity of all proposed automated projects are taken into consideration in the project approval process.
- ISDInformation Services Division (see EIS) is responsible for the development, maintenance, operation, and support of all departmental PCPenal Code applications except Institutions Division projects, and for all automated systems requiring control agency oversight unless specifically delegated to another unit by the MISManagement Information Systems Committee.
- Under the User Project Management concept, the User Manager is responsible for all project reporting to control agencies, the user division, and the MISManagement Information Systems Committee. ISDInformation Services Division (see EIS) provides technical management and staff who work as team members accountable to the User Manager on the project and to ISDInformation Services Division (see EIS) on technical issues (e.g., project schedules).
- ISDInformation Services Division (see EIS) is also responsible for tracking all projects approved by the MISManagement Information Systems Committee, and ensuring that all projects comply with State reporting requirements. All project reporting to control agencies shall be coordinated through ISDInformation Services Division (see EIS), which shall maintain correspondence files on control agency reporting.
- ISDInformation Services Division (see EIS) shall report directly to the appropriate Division (User Manager Concept) associated with each EDPElectronic Data Processing (see IT) Project, and to the MISManagement Information Systems Committee on all approved projects.
- ISDInformation Services Division (see EIS) is responsible for the security of information technology facilities, and for software and equipment used in automated information processing at all sites under ISDInformation Services Division (see EIS) custodial responsibility. ISDInformation Services Division (see EIS) also maintains the CDC Operational Recovery Plan for these systems.
- ISDInformation Services Division (see EIS) provides functional support and assistance on all facility automated systems (except personal computers) to facility AISAs.
- ISDInformation Services Division (see EIS) is also responsible for ensuring compliance with State audit requirements relating to the integrity of information assets. This includes systems auditing under ISDInformation Services Division (see EIS)’s custodial realm of responsibility through participation in the departmental Peer, and PFABProgram and Fiscal Audits Branch (see OACC)’s auditing processes.
- ISDInformation Services Division (see EIS) is responsible for establishment of the Department’s overall automation infrastructure and the successful use of automation within the Department.
- ISDInformation Services Division (see EIS) consists of five major areas: Application Development and Maintenance Section, Technology Support Section, Project Initiation Unit, CMIS Section, and the Data Center Section.
Technology Support Section
- The Technology Support Section provides support services to ISDInformation Services Division (see EIS) in the following areas: personnel, recruitment, staff training, budgeting, procurement, interagency agreements and contract management, quality programs, space planning, and general office support. This section also provides support services to all branches of the ECEvidence Code&ISDInformation Services Division (see EIS) for personnel, recruitment, and training.
Project Initiation Unit
- The role of the Project Initiation Unit (PIUProject Initiation Unit) is to provide guidance and assistance to CDC staff in starting new information technology projects. This includes providing guidance in the development of project concept proposals, feasibility studies, and other documentation required to obtain approval of an information system project. The PIUProject Initiation Unit is responsible for tracking all approved projects and ensuring that all projects comply with State reporting requirements. Functional support, assistance and direction is provided to the ISAs on all system related issues by the Applications Systems Section.
Data Center Section
- The Data Center manages maintenance and support functions with the best available tools in order to increase the time that ITS are available to the users/owners. This section of ISDInformation Services Division (see EIS) is responsible for the continuous operation and reliability of computer hardware, database systems software, the systems’ databases, and communications networks, as well as the security of departmental ITS. As part of the Data Center, the Network Services Unit and the Hardware/Telecommunications Unit provide data communications services and support to ISDInformation Services Division (see EIS) and to other functional units as needed, ensure that standard approved practices are adhered to within the Department, and provide and promote the use of consulting resources to the Department when developing new systems or planning changes to existing data facilities.
CMIS Section
- The role of the CMIS Section is to develop a single automated offender information system which satisfies the needs of all users of CDC’s offender information and serves as the hardware/software platform for all future systems development for the Department. Using stateoftheart analysis techniques and project management tools, the CMIS Section is committed to providing the Department with an offender information system that meets the needs of the user community.
OISBOffender Information Services Branch
- OISBOffender Information Services Branch has been designated the Department’s primary provider of summary statistical information about inmates and parolees. The OISBOffender Information Services Branch responds to special information requests, compiles statistical reports, and prepares legislative estimates and population projections. The OISBOffender Information Services Branch is responsible also for coordinating the timely, accurate, and consistent coding and entry of data, and performs data integrity QCQuality Control functions for OBISOffender Based Information System and for classification, incident, and other major computerized inmate and parolee databases.
Estimates and Statistical Analysis Section
- The Estimates and Statistical Analysis Section is the primary source of summary statistical information on inmates and parolees under the jurisdiction of the Department. This section ensures that the Department has accurate data upon which to base program planning and direction. It also compiles and analyzes information for special projects, court cases, special task forces or programs, and prepares periodic statistical reports about inmates and parolees used in budget planning, legislative responses, and audits. The section prepares all departmental projections of future facility and parole populations, including inmate classification levels, and all population estimates of the impact of proposed legislation, ballot initiatives, and administrative policy changes. It also reviews such information to be disseminated by other branches and divisions outside of the Department.
TSS
- TSS coordinates the timely, accurate, and consistent coding and entry of data, and performs data integrity QCQuality Control functions for major computerized inmate and parolee ITS.
- This section provides support to the MISManagement Information Systems Committee to facilitate the development and automation of ITS, and conducts regular audits in the field and in Headquarters to maintain the accuracy and integrity of data. The section also provides necessary training for facility and parole region OBISOffender Based Information System operators.
Business and Contract Services
- BSS
  - BSS is responsible for the preparation of purchase documents for all EDPElectronic Data Processing (see IT) equipment and datarelated items that are obtained through Headquarters.
  - BSS shall ensure that all requests submitted for purchase are complete and that the necessary documentation, such as certifications or FSRs, is included.
  - BSS is the departmental contact with the DGSDepartment of General Services, Office of Procurement, for all EDPElectronic Data Processing (see IT) procurement.
Contract Services
- The Department’s Contract Services Section shall supervise contracts entered into by the Department in a manner which:
  - Conserves the financial interests of the State.
  - Prevents, so far as possible, any thriftless acts by employees of the Department.
  - Avoids thriftless expenditures.
- The Contract Services Section assists departmental staff in the development of EDPElectronic Data Processing (see IT) contract requests, bids, and contracts to achieve program objectives within the legal and regulatory constraints of the State, and to ensure compliance with all departmental policies and procedures.
Warden/Regional Administrators
- Each Warden and RPARegional Parole Administrator is ultimately responsible for the security and utilization of all automated systems and data bases in the respective facility or region. This includes the integrity and accuracy of data entered and the physical security of the data, hardware, and the system itself.
Facility/Parole AISAAssociate Information Systems Analyst/Regional AISAAssociate Information Systems Analyst
- Under the direction of the Warden or designee, or Regional Administrator or designee, the facility or region AISAAssociate Information Systems Analyst is responsible for the coordination of automated systems issues for the facility. This position acts as the primary contact for Headquarters on automation-related issues, including PCPenal Code, the DDPSDistributed Data Processing System, and all other automated system concerns.
- This position is responsible for coordination of staff training on PCPenal Code applications and systems, justification and acquisition of PCPenal Code equipment through use of PCPenal Code, policy, local automated system application support, inmate access to computers, on-site user assistance, information system security, and QCQuality Control oversight and audit coordination for all databases located in the area of assignment.
Facility/Regional Information Security Coordinators
- Facility/regional Information Security Coordinators (ISCInformation Security Coordinators), in accordance with State and departmental security policies, are responsible to the Warden/RPARegional Parole Administrator for overseeing policy and procedures on information security access at each facility.
- The ISCInformation Security Coordinators shall work in coordination with the ISAs and the Department’s Information Security Officer.
Departmental Managers/Supervisors
- All managers and supervisors assigned supervision of a function automated by DDPSDistributed Data Processing System are responsible for:
  - Preserving the security and integrity of the Department’s information assets and managing the associated risks.
  - Ongoing auditing to verify the accuracy and integrity of the data entered by subordinate staff.
  - Ensuring that program staff and other users of the DDPSDistributed Data Processing System information are aware of and comply with information security policy and procedures.
End Users of EDPElectronic Data Processing (see IT)
- Users are ultimately responsible for:
  - The accuracy and integrity of the data they enter into any departmental application.
  - Complying with all applicable laws, regulations, and administrative policies, as well as with any additional security policies and procedures established by the Department.
  - Notifying their manager/supervisor of any actual or attempted violations of security policies, practices, or procedures.

41020.5 Revisions

The Chief, ISDInformation Services Division (see EIS), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.

41020.6 References

DOMDepartment Operations Manual §§ 43030 and 43020.4.

Article 3 – Unassigned

Article 4 – General Information and Policy

Revised October 17, 1994

42010.1 Policy

It is the policy of the Department to create and maintain an annual ITS plan. This plan, prepared by ISDInformation Services Division (see EIS) (see DOMDepartment Operations Manual 43010.3, Information Management Planning, Responsibilities) and approved by the MISManagement Information Systems Committee, shall be the primary basis for structuring the use of ITS in CDC.
The annual departmental ITS plan shall, at a minimum, contain strategy for the use of:
- State data centers for departmental critical systems.
- Distributed systems for departmental critical systems.
- Microcomputers for departmental critical systems.
- Departmental telecommunications and networking systems.
- Facility PBXs for data.
- Local area networks.
- Modems.

42010.2 Purpose

The purpose of this policy is to disseminate the framework for the decision-making process used by the Department in deciding to apply automated solutions to the Department’s operations, accounting, and communications problems.

42010.3 ITS Selection Criteria

It is the intent of the Department to employ the following factors when deciding whether to use CDC ITS resources to develop, design, and implement a critical departmental information system:
- The priority of the ITS request (see DOMDepartment Operations Manual 43000).
- The relationship to the Department’s goals and objectives.
- The extent to which the application is critical to accomplishment of the Department’s goals and objectives.
- The risk analysis report (see DOMDepartment Operations Manual 49000).
- The results of a pilot project.
The Department’s strategies for use of such technologies shall be utilized to determine the design of the approved information system and the choice of hardware, software, and communication.

42010.4 ITS Selection Process

The Department’s vehicle for selection of technological alternatives is the FSRFeasibility Study Reports. When preparing an FSRFeasibility Study Reports, the above selection criteria shall be utilized as a basis. When automation is determined to be the approach to solving a business problem, the Department shall choose the automated system which best accomplishes the tasks involved.
The Department currently maintains a multi-tiered automation platform that offers a wide spectrum of hardware/software choices and which provides several databases accessible to applications for data sharing.
A significant feature of automated systems is the ability to share data. Benefits of data sharing include the saving of valuable input time and, in many cases, may solve cost justification problems by reducing or redirecting data input time and associated personnel years.
There are many automation platforms available for expansion in the Department. However, there are also many elements listed in the selection criteria that lead to the appropriate solution. Regardless of the business problem, selection criteria, or platform (hardware/software) involved, State policy requires that the FSRFeasibility Study Reports shall show a cost reduction, a viable cost avoidance, increased revenue, operational necessity, or be the result of a legislative mandate before approval of the concept can become a funded project.
In many instances, the FSRFeasibility Study Reports may have a concurrently associated pilot project to provide specific performance, cost, and technological justification for the continuance of the project.

42010.5 ITS Pilot Projects

Pilot projects are scaled down versions of an overall project. They are intended to provide information on cost savings/avoidance, technology use, or performance of bench marking in order to justify implementation of the full project. A pilot project is a subset of the overall project and is subject to the same approval process as the full project.
Many projects are approved through the Office of Information Technology (OITOffice of Information Technology) and the FSRFeasibility Study Reports process contingent upon pilot justification of the project.
The typical contents of a Pilot Implementation and Evaluation Plan include the sections and contents described below:
- Program Performance Improvements
  - This section defines the programmatic functions to be included in the pilot. It should include a description of the current processes, a description of the new processes, and a plan that includes quantified measurements for evaluating before-and-after program performance.
- Physical and Technical Characteristics
  - This section describes the physical and technical characteristics of the pilot. It shall include descriptions of sites, equipment, software, and telecommunications as well as any other technical resources that are needed to complete the pilot.
- Information Requirements
  - This section defines the informational processing requirements of the pilot. It should include definitions of data inputs (source, type, volume, timing, media, files, edits, etc.), processes (response times, interfaces, security, etc.), and outputs (reports and displays).
- Security Requirements
  - This section addresses the process to be used to determine the potential problems and risks, the controls necessary to safeguard the information hardware and software of the pilot, and the fully-implemented system. Typically, a risk analysis as described in DOMDepartment Operations Manual 49030 shall supply the necessary information. The completion of this requirement is especially important since necessary security controls can often increase the required budget.
- Financial Requirements
  - This section contains an estimate of all costs associated with the pilot phase of the project. Project accounting shall be defined so that actual pilot costs and benefits can be compared against estimates, and then used as a basis to refine full implementation estimates.
- Operational Recovery Requirement
  - This section addresses the process to be used to determine the operational recovery requirements. A pilot project shall have an operational recovery plan just for the pilot, and shall address the issue of operational recovery of the proposed fully-implemented system. Often, operational recovery processes add to the overall cost of the project. All critical departmental systems shall have an operational recovery plan as part of their implementation (see DOMDepartment Operations Manual 44000).
- Management Plan
  - This section contains a pilot management plan. The plan shall include:
    - Pilot responsibilities.
    - Pilot schedule.
    - Pilot reporting and review.
Any special requirements shall be identified such as training, conversion, or impact on existing operations.
At the end of the pilot and before continuing with the project, a Post Implementation Evaluation Report (PIERPost Implementation Evaluation Report) shall be completed and submitted to either the departmental MISManagement Information Systems Committee or OITOffice of Information Technology for review. The pilot PIERPost Implementation Evaluation Report shall contain an assessment of programmatic performance during the pilot. The results of the pilot PIERPost Implementation Evaluation Report shall be used to re-evaluate the analysis completed for the original feasibility study and, if necessary, be used to make changes to the project FSRFeasibility Study Reports.
Once the pilot PIERPost Implementation Evaluation Report is approved and any necessary changes are made to the original FSRFeasibility Study Reports, the pilot PIERPost Implementation Evaluation Report shall be reviewed and the project may be initiated upon its approval.

42010.6 Determining Priorities on ITS Requests

One of the criteria for project selection is the priority of the ITS request. To assist in decision-making, the following schema shall be utilized when assigning a priority to a particular request for information system resources: If multiple requests exist with the same priority, each division submitting requests shall determine the order of further prioritization. For example, if there are four priority 3.1 requests then these four requests should be renumbered as 3.1.1, 3.1.2, 3.1.3, and 3.1.4 in order of further priority.
The following is a description of several different levels of priorities. These priorities can be thought of as an initial rationale for assignment of ITS design, development, and maintenance resources. Each prospective project shall be assigned one of the following priorities prior to its presentation before the MISManagement Information Systems Committee:
Priority 1
- This priority level is exclusive to the maintenance of computer programs that have been designed, implemented, and installed. Resources used in this area are for the purpose of keeping existing computer-based systems functional. This priority includes routine maintenance. Any changes to production systems requiring more than 32 person-hours shall not be considered as maintenance, but as a new request which must be justified.
Priority 2
- Those resource requirements over which the Department has little control. Responses to legislative action, requests from the Governor or the agency, and requests from local law enforcement for critical information are all examples of projects that are Priority 2.
Priority 3
- An ITS request shall be Priority 3 if the implementation of the proposed computer-based system will result in a measurable benefit to the Department. Most requests for information system resources fall within this area.

42010.7 Revision

Revised January 4, 2010

The Assistant Secretary EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

42010.8 References

DOMDepartment Operations Manual §§ 43000, 44000, and 49000.

Article 5 – IT Standards

Revised April 9, 2002

42020.1 Policy

It is the policy of the Department to promote standardization in its information management planning and operations through adherence to applicable American National Standards Institute (ANSI), Federal Information Processing Standards (FIPS), and State standards and guidelines. All proposed application or information technology activities shall be evaluated to ensure that all hardware, software, and communications platforms comply with ANSI, FIPS, and State standards and guidelines.

42020.2 Purpose

The purpose of this Policy is to facilitate the inter-organizational sharing and exchange of equipment, data, software, and personnel. The use of these EDPElectronic Data Processing (see IT) standards shall also facilitate communication:
- Between the Department and other State agencies.
- Between the Department and its EDPElectronic Data Processing (see IT) vendors.
- Between the Department and its EDPElectronic Data Processing (see IT) information providers/recipients.
- Among the various organizational units within the Department.
Adherence to established EDPElectronic Data Processing (see IT) standards should result in improved communication, improved product quality, decreased development time and costs, improved project control, and reduced maintenance costs.

42020.3 Computer Programming Language Standards

Where custom programming is needed, the Department requires the use of vendor-supplied programming languages which are departmental standard languages. The language chosen for development shall be consistent with the requirements of the application and platform for which it is intended.
- For new system development on minicomputer or mainframe platforms, a high level language shall be used wherever feasible. In this case, high level languages include either a fourth generation language such as Oracle or a Computer Assisted Software Engineering (CASE) tool integrated with a COBOL code generator.
- Where a high level language is not feasible or where maintenance shall be performed on applications already written in COBOL, the COBOL programming language shall be used.
- In the personal computer (PCPenal Code) area, application programming shall use either a language or compiler compatible with the dBASE standard, a fourth generation language for the PCPenal Code, or a CASE tool integrated with a COBOL code generator.
Use of vendor-supplied data base management, report generation, and file manipulation packages shall be considered in the design of ITS. For data management on all platforms, the use of a vendor-supplied relational data base management system compatible with structured query language (SQL) is recommended. The in-house development of data base management or file manipulation software is strongly discouraged and only permitted where there is no other alternative.
Normally, high level languages possess their own query language and report generation software. Wherever possible, the query language and report generator provided with the high level language shall be used. In situations where such software is not provided with the high level language or will not meet the application’s needs, third party query languages and report generation software can be chosen from the wide variety of software supplied by vendors.

42020.3.1 Application Generators

The Department encourages the investigation and use of application generator software.
Application generators are integrated fourth-generation language tools which permit an entire application to be generated. The most useful full-function application generators support a wide range of integrated components including a data base management system (DBMS), data dictionary, security facilities, analysis tools, query language, report generator, documentation generator, screen painter, prototyping facilitator, graphics generator, decision support or financial modeling tools, multiple end-user interfaces, high-level procedural language, data definition language, distributed processing facilities, testing tools, a micro-to-mainframe communications link, and a separate version of the tool for a personal computer.
Application generators for EDPElectronic Data Processing (see IT) professionals generally include a very high-level procedural language that is used to specify logical operations. These tools are usually integrated with a full-function DBMS that supports both relational and other data structures.

42020.3.2 Operating Software

It is the Department’s policy that standard, unmodified, vendorsupplied and maintained software aids be used in lieu of developing unique programs. The objective is to minimize and control the development of specialized programs that allocate, schedule, and control the central processing unit, memory, peripherals, communication, and data storage and retrieval.

42020.3.3 Application Packages

It is the Department’s policy that all feasibility studies shall have one alternative addressing the availability, usability, maintainability, and costeffectiveness of prewritten and tested application programs in lieu of developing major programs in-house. The PCPenal Code Policy in DOMDepartment Operations Manual 48010 addresses PCPenal Code application packages. The objective is to minimize the development time and costs of major application programs when such programs are available from other sources. For some custom applications, however, in-house development may be the most viable alternative.

42020.4 Systems Development Life Cycle

The Systems Development Life Cycle (SDLCSystems Development Life Cycle) is a systematic approach to software development that defines development phases. It begins when a software product is conceived and ends when the product is in production and being maintained. It also specifies the activities, products, verification procedures, and completion criteria for each phase. It is an effective engineering management tool that can be used to help ensure that a delivered product is correct and meets the user’s needs.
The Department advocates use of the SDLCSystems Development Life Cycle approach to software development, whether the platform is mini or mainframe. However, if the system being developed is a standalone PCPenal Code system, development phases may be combined or omitted so long as the delivered product meets the user’s needs.
The Department has included the following phases in its SDLCSystems Development Life Cycle: Concept Phase, Requirements Phase, Design Phase, Development Phase, Testing Phase, and Operation and Maintenance Phase.

42020.4.1 Concept Phase

The Concept Phase is the initial phase of system development during which user needs are described through documentation. The user group is formed during this phase. Examples of the documentation include a statement of needs, advance planning report, project initiation memo, feasibility studies, system definition documentation, regulations, and policies and procedures relevant to the project. Deliverables for this phase include:
- The project charter.
- The project management plan.
- The initial project file.

42020.4.2 Requirements Phase

The Requirements Phase is the period of time in the life cycle during which the requirements for a software product, such as functional and performance capabilities, are defined and documented. Major deliverables include the Software Requirements Specification documentation and the Baseline Report.

42020.4.3 Design Phase

The Design Phase is the period of time in which the designs for architecture, software components, interfaces and data are created, documented, and verified to satisfy requirements. Major deliverables include the Detailed Design Specification, the Test Plan, the Implementation Plan, the Users’ Manual and Procedures Manual, and the Training Plan.

42020.4.4 Development Phase

The Development Phase is the period of time in the development life cycle during which a software product is created from design, documentation is tested, and errors are corrected. Major deliverables of this phase include system documentation, program documentation, program code, and test results documentation.

42020.4.5 Testing Phase

The Testing Phase is the period of time in the life cycle in which the software product is evaluated by users and technical staff to determine whether requirements have been satisfied. Tests performed include the Requirements Test, the Operational Environment Tests, the Acceptance Test, and the Pilot Test.

42020.4.6 Operation and Maintenance Phase

The Operation and Maintenance Phase is the period of time in the life cycle during which a software product is used in its operational environment, monitored for satisfactory performance, and modified as necessary to correct problems or respond to changing requirements. The Post Implementation Evaluation Report (PIERPost Implementation Evaluation Report) is completed during this phase.

42020.5 User Computing Within CDCR

The standards addressed in DOMDepartment Operations Manual 42020.3 above, Computer Programming Language Standards, apply to end-users as well as EDPElectronic Data Processing (see IT) professionals, although the end-user shall not use procedural or third generation languages and shall restrict any programming activity to the personal computer.

42020.5.1 Personal Computer

The personal computer is meant to be a productivity tool to assist the user in fulfilling regular professional responsibilities.

42020.5.2 Database/Spreadsheet

A user-developed system is defined as a database or spreadsheet that is created, accessed, or updated with an offtheshelf software application.

42020.5.3 Management Approval

Approval shall be obtained from appropriate division management prior to expending any resources on a userdeveloped system that is used in an official capacity by any departmental personnel.

42020.5.4 Standard EDP Documentation

In order to ensure continued operation of userdeveloped systems, documentation shall be provided. Documentation shall include:
- A list of application software used (e.g., dBase, Foxbase, Lotus, Quattro, etc.).
- System requirements.
- A user manual to explain:
Where the system is installed (PCPenal Code location, drive, directory).
- How the system is started.
- Any macros or batch files used.
- Data entry procedures.
- Report generation.
- Backup procedures.
- File descriptions for each file used in the system:
  - File name.
  - File type (report, label, index, memo, database, spreadsheet).
- Structure of any data files:
  - Description of each data field.
Refer also to DOMDepartment Operations Manual 48010, Departmental Workgroup Computer Policy.

42020.6 Revisions

Revised July 10, 2014

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

42020.7 References

Revised July 10, 2014

OITOffice of Information Technology, Information Management Guideline: A Manager’s Guide to End User Computing.
DOMDepartment Operations Manual § 48010.

Article 6 – Quality Assurance and Quality Control

Revised October 17, 1994

42030.1 Policy

It is the policy of the Department to provide Quality Assurance (QAQuality Assurance) and Quality Control (QCQuality Control) functions to ensure the usability and effectiveness of all EDPElectronic Data Processing (see IT) applications and processes.

42030.2 Purpose

The purpose of the QAQuality Assurance function is to facilitate the continuous review and improvement of processes which underlie the creation and maintenance of automated systems and databases. The purpose of the QCQuality Control function is to implement methods and practices that allow EDPElectronic Data Processing (see IT) products and processes to be measured against predefined standards. Together, QAQuality Assurance and QCQuality Control ensure that automated systems and their products better meet user needs.

42030.3 Responsibilities

CDC recognizes that maintaining adequate, correct and current offender data is critical to departmental operations that directly affect staff, inmate, and public safety. OISBOffender Information Services Branch, in the ASDSee Division of Administrative Services (DAS) (see ASB), is responsible for major current, proposed, and future statewide offender ITS. QAQuality Assurance procedures to be applied to these departmental ITS include:
- Continual monitoring of the validity and currency of data contained in offender ITS;
- Establishment of methods to identify errors or inadequacies in these data; and
- Development of appropriate procedures and solutions to correct inaccuracies or out-of-date data.
The OISBOffender Information Services Branch does not directly implement most procedures and solutions. Rather, once a problem has been identified the OISBOffender Information Services Branch provides the owners of the data with tools and procedures aimed at eliminating the problem. After the owners of the data have implemented these tools and procedures, the OISBOffender Information Services Branch provides ongoing review of the data to ensure its accuracy, currency, and completeness.
A QAQuality Assurance council shall be established to ensure that departmental QAQuality Assurance policies, standards, and procedures are implemented and maintained. Responsibility for implementing QAQuality Assurance resides with each entity (i.e., division, branch, or unit) that develops and maintains systems.
QAQuality Assurance Council
- The QAQuality Assurance council shall be comprised of the departmental Information Security Officer (Chairperson) and representatives from each division responsible for the development and maintenance of ITS. The QAQuality Assurance council shall:
  - Develop departmental QAQuality Assurance policies, standards, and procedures.
  - Develop and implement an annual QAQuality Assurance plan in support of the Department’s strategic plan.
  - Ensure that systems developed or maintained in the Department adhere to CDC QAQuality Assurance/QCQuality Control standards and procedures.
  - Support programs that educate CDC staff in the importance of quality concepts and in the tools, techniques, methods, and practices that facilitate QAQuality Assurance and QCQuality Control.
  - Act as a source of information on processing quality data and on the need for continued commitment to an improvement effort.
  - Review industry standards (e.g., ANSI/IEEE, FIPS) to facilitate the development of departmental EDPElectronic Data Processing (see IT) standards.
- The QAQuality Assurance council shall meet quarterly or as needed.
Division/Branch/Unit
- Accountability for QAQuality Assurance and QCQuality Control is fixed on a system by system basis. See DOMDepartment Operations Manual 47000, Departmental Systems, for ownership designation and fixed responsibility for QCQuality Control.
- OISBOffender Information Services Branch is responsible for data integrity in major, statewide offender ITS.
- In fulfilling QAQuality Assurance/QCQuality Control responsibilities each entity shall, where applicable, ensure that:
  - ITS projects are reviewed during all phases of the systems development life cycle (SDLCSystems Development Life Cycle).
  - Data integrity is developed and maintained, both in the SDLCSystems Development Life Cycle and by the unit designated responsible for QCQuality Control, on each application or database.
  - User requirements are well-defined (for systems development or maintenance projects), all objectives of the work effort have been met, and results are appropriate keeping in mind each project’s overall objectives.
  - The ITS processes are monitored and measured for the purpose of improving these processes.
  - Quality improvement programs are established and quality concepts are promoted throughout Department branches that develop and maintain ITS.

42030.4 Definitions

Acceptance Testing
- Testing that insures a computer system meets the needs of the organization and the end-user.
Client (User)
- The individual or organization that utilizes a product.
Correctness
- The extent to which software conforms to its specifications and standards; (2) the extent to which software is free from design and coding defects (i.e., “fault-free”); and (3) the extent to which software meets user expectations.
Cost of Quality
- The cost of quality for a product is the sum of prevention, detection, correction, and client costs. Prevention cost is the total cost incurred during product development prior to general release. Detection, correction, and client costs are post-release costs associated with reworking due to defects. QAQuality Assurance shall be considered cost-effective when post-release costs are reduced by an amount greater than any increase in prevention costs resulting from the inclusion of QAQuality Assurance in the development process.
Data Base Integrity
- The accuracy, completeness, and timeliness of information contained in a database.
Defect
- A variance from specifications/standards or attribute/function not contained in the software requirements specifications.
Defect-Prone Process
- A process/activity during which a high number of defects occur.
Desk Checking
- An informal evaluation technique in which the person who developed a unit of code inspects it visually to identify possible errors or violations of development standards.
Failure
- Inability of a product or service to perform its required functions within previously established limits.
Integration Testing
- Testing performed on groups of modules to ensure data and control are passed properly between modules.
Long-Term Capacity Planning
- The objective of long-term capacity planning is to develop methods and means for ensuring that hardware, system software, communications, and system design shall meet the long-term objectives for additional processing required by new applications, integration of new processors and platforms, and new generations of software. This plan encompasses a five- to seven- year period and is designed to help determine budget requirements and goals for the Department.
Post Implementation Evaluation Report
- The review of a computer, computer system, or computer network that has been in operation for at least six months and no longer than two years for the purpose of matching the requirements of the system against what has been produced, so as to ensure that stated requirements have been met.
Problem Reporting/ Tracking
- A process of reporting outstanding problems, having them assigned for resolution, and closing them out when the user has been notified that the problems have been solved.
Process
- The work activities that produce products, including the efforts of people and equipment.
Product
- The output of a process including the goods and services produced by individuals and the organization.
Quality
- The extent to which a product meets the expectations and requirements of the user.
QAQuality Assurance
- A staff function designed to support line management in performing the QCQuality Control function. As such, QAQuality Assurance identifies those processes, both good and bad, that affect quality, and is used to advise management of such effects. A management decision may then be necessary to ensure that QCQuality Control techniques are implemented and maintained; and
- The function that uses measurement and analysis to continually improve processing, procedures, and standards so that management can be “assured” of their staff following such methods, procedures, and standards, as well as their ability to produce products that meet specified requirements.
QCQuality Control
- The collection of activities to ensure that defects are neither made nor implemented. While QAQuality Assurance monitors the processes involved in the production cycle, QCQuality Control is an integral part of work and is the responsibility of each employee; and
- A line function used to measure quality associated with specific products or services. QCQuality Control is the responsibility of each ITS area and is the function responsible for the quality of the work being done within a specific area or for a specific project.
Quality Improvement Program
- A program designed to reduce the number of defects produced.
Regression Testing
- Testing applied after changes have been made to ensure that no unwanted changes have been introduced.
Requirement
- The specification(s) for satisfying a user need; is associated with a standard by which the satisfaction of that need can be measured.
Resource Management
- The determination of current and short-term needs for hardware, system performance, and communications, and the allocation of such resources to meet the overall goals and current short-term plans of the Department. Resource Management requires the gathering of data about new processing needs and applications not addressed in longrange planning, as well as any other information that impacts current system resources.
System Testing
- A generic term that differentiates various types of higher order testing from unit testing.
Total Quality Management
- Consists of continuous process improvement activities involving everyone in an organization-managers and workers-in a totally integrated effort toward improving performance at every level. This improved performance is directed toward satisfying such crossfunctional goals as quality, cost, schedule, mission, need, and suitability. Total Quality Management, or TQM, integrates fundamental management techniques, existing improvement efforts, and technical tools under a disciplined approach focused on continuous process improvement. The activities are focused ultimately on increased client/user satisfaction.
Unit Testing
- Testing performed on a single, standalone module or unit of code.
Validation
- The process of comparing a product in any stage of its development with specified requirements in order to determine whether the correct product is being produced.
Walk-Through
- A review process in which a designer or programmer leads one or more members of the development team through a segment of documentation or code that he or she has written, and other team members ask questions and make comments about technique, style, possible errors, violation of development standards, and other issues.

42030.5 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

42030.6 References

Quality Assurance Institute: Effective Methods For Quality Assurance In Information Systems.
DOMDepartment Operations Manual § 47000.

Article 7 – Information Management Planning

Revised October 17, 1994

43010.1 Policy

The Department has established a management planning process that is consistent with the needs, resources, and use of information technology within the Department. In compliance with the SAMState Administrative Manual 4900.2, the established management planning process:
- Is consistent with the current statewide policies contained in SAMand current management memos for managing information and information technology.
- Is linked to and supportive of CDC’s overall program planning and budgeting processes.
- Involves CDC executive management and program managers, as well as those who are responsible for the use, operation, and support of ITS.
- Addresses current and projected relationships among the various aspects of information technology employed by CDC, including equipment (such as mainframes and minicomputers, personal computers, and office systems), software (such as computer languages, including fourth generation languages, and applications packages), and telecommunications.
- Relates current and planned uses of information technology to the information required for the accomplishment of CDC’s mission and key programs.
- Considers means for ensuring the continuing availability of the information required to support critical programs in the event of disaster, or other unforeseen events resulting in an interruption of CDC’s regular systems operation.

43010.2 Purpose

Planning includes identifying needs and opportunities, defining objectives, and determining appropriate means of achieving those objectives. The purposes of information management planning are to:
- Find ways that information technology can improve the effectiveness of CDC programs.
- Analyze the costs and benefits of information technology and allocate resources systematically.
- Clarify CDC’s priorities and be able to react to changes with a minimal amount of disruption.
- Improve communication among executive managers, staff responsible for information technology, and the users of the programs.
- Provide managers with a long-term perspective on current problems that simplifies making decisions and solving problems.
In addition, planning requirements are intended to provide the Office of Information Technology (OITOffice of Information Technology) and other control and oversight organizations with the basic facts those organizations require to carry out their responsibilities concerning the use of information technology in State government.

43010.3 Responsibility

It is the responsibility of ISDInformation Services Division (see EIS) to develop and maintain a departmental strategic plan. This plan shall be approved by the MISManagement Information Systems Committee. Once approved, this plan shall serve as the road map for planned automation efforts within the Department. This plan shall be utilized to link divisional planning efforts to the goals and objectives of the division and Department. The MISManagement Information Systems Committee shall ensure that all projects under its responsibility are consistent with and do not conflict with other planned efforts. Compatibility and connectivity shall be the shared vision of all planning.

43010.4 Information Management Planning Infrastructure

CDC has developed a formal structure for planning which includes an MISManagement Information Systems Committee and an ongoing planning process that involves analysis, evaluation, and review of proposed projects. This project review, reporting, and evaluation process is covered in DOMDepartment Operations Manual Subchapter 44000, Project Review, Reporting and Evaluation. Alternately, this subchapter describes the MISManagement Information Systems Committee, the MISManagement Information Systems Support Unit (MISManagement Information Systems-SU), ISDInformation Services Division (see EIS), and the role each plays in the management planning process.
MISManagement Information Systems Committee
- The MISManagement Information Systems Committee, whose members represent the divisions within CDC and the CalPIA, is responsible for executive leadership and strategic planning in seeking out opportunities to employ information technology for the achievement of the Department’s mission, goals, and objectives. The MISManagement Information Systems Committee assesses all proposed ITS projects (ranked according to their importance to the Department’s mission) to assure conformance with the Department’s mission statement, strategic plan, and key programs. The committee also reviews and approves the Department’s Information Management Annual Plan (IMAPInformation Management Annual Plan) and endorses future needs identified in long-range planning documents. DOMDepartment Operations Manual 41020.3 describes the role of the MISManagement Information Systems Committee.
ISDInformation Services Division (see EIS)
- ISDInformation Services Division (see EIS) is responsible for development and maintenance of the overall strategic plan of the Department. This plan shall be the result of compiling all divisional automation needs into a single document for the prioritization of projects and alignment with the budget by the MISManagement Information Systems Committee.
- ISDInformation Services Division (see EIS) is also responsible for maintaining and updating the IMAPInformation Management Annual Plan. This includes: working with the user to develop appropriate documents for inclusion in the IMAPInformation Management Annual Plan for those projects reportable to OITOffice of Information Technology, ensuring that the appropriate reportable project forms are completed, notifying the user once a project has been approved, whether it is delegated or non-delegated, maintaining copies of all reports, and, as appropriate, acting as a liaison between OITOffice of Information Technology and CDC project management concerning reporting requirements throughout the life cycle of the project.
MISManagement Information Systems-SU
- The MISManagement Information Systems-SU provides functional support to the MISManagement Information Systems Committee by coordinating MISManagement Information Systems Committee meeting agendas, coordinating the review of proposed ITS projects, preparing annual updates for the Department cabinet on all CDC automation efforts for the current year as well as strategic planning for the coming year, and participating in the development of presentations for the committee addressing current technical innovations and coordinating the review of information system concepts to ensure compliance and consonance with the budget cycle. Refer to DOMDepartment Operations Manual 41020.4 for more details on the role of the MISManagement Information Systems-SU.

43010.5 Information Management Planning Process

The Department uses the MBO approach for planning information management. The Department’s mission and philosophy statement were developed based on MBO principles, and resulted from many planning sessions held to enlist ideas from numerous levels, disciplines, and segments within the Department.
Each Division formulates its own goals and objectives using departmental goals and objectives as the foundation for the effort. The CDC ITS planning process originates with the development of the strategic plan (see also DOMDepartment Operations Manual 43010.3). MBO goals and objectives are developed to structure the Department’s efforts to achieve the purposes specified in the strategic plan. The establishment of such goals and objectives allows the identification of automation opportunities consistent with the plan, and the planning process then provides for the development of various concept statements to enable articulation of methods that may be used to benefit from the identified automation opportunities. All automation concept papers are reviewed by the MISManagement Information Systems Committee and, if approved, become part of the IMAPInformation Management Annual Plan. Implementation of an automation concept that requires increased or new source funding may require the preparation of a Budget Concept Statement, and a BCPBudget Change Proposal may also be necessary. Establishment of certain automation projects as specified in this Chapter shall require prior approval of an FSRFeasibility Study Reports.
ISDInformation Services Division (see EIS) shall provide the general guidelines for objectives that require automated solutions. The resulting document, the Information Systems Budget Concept Statement (ISInformation Systems-BCSBudget Concept Statement), is submitted to ISDInformation Services Division (see EIS) and the MISSU for review and recommendations.
ISDInformation Services Division (see EIS) shall coordinate development of the IMAPInformation Management Annual Plan, and shall maintain it to ensure that a vision of connectivity and compatibility is followed. Redundancy of data input is another area of concern, and this plan shall help ensure that a planned automation effort is coordinated within the department. Duplication of automation efforts is a costly and time-consuming waste. The IMAPInformation Management Annual Plan shall serve as a road map for automated efforts.
The MISManagement Information Systems Committee shall measure proposed projects against CDC’s, mission and established departmental priorities so as to best prioritize and approve proposed EDPElectronic Data Processing (see IT) projects.

43010.6 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

43010.7 References

SAMState Administrative Manual § 4900.2.
DOMDepartment Operations Manual §§ 44000, 41020.3 and 41020.4.

Article 8 – Project Initiation and Approval

Revised October 28, 2025

43020.1 Policy

It is the policy of the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) that all information system proposals shall receive departmental and, as required, California Department of Technology (CDT) approval before project development can proceed.

43020.2 Purpose

The purpose of this policy is to ensure that the department is in compliance with all CDT requirements. The ultimate authority for approval of Information Technology (ITInformation Technology) projects lies with the CDT, but it is the intention of the director of CDT to delegate such approval authority selectively, to the maximum extent practicable, to the department director. Refer to State Administrative Manual (SAMState Administrative Manual), section 4819.34, for the factors considered by CDT in determining whether a project can be delegated.

43020.3 Objectives

All project proposals in the department requiring technology must collaborate with Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) to determine if the project’s classification is for maintenance and operations, an ITInformation Technology project, or a service request.

43020.3.1 PAL Stages and Deliverables

The Project Approval Lifecycle (PALParolee-At-Large) is a process that will be used by the department to manage and assess the full implications of any project proposals. The PALParolee-At-Large is a means of linking ITInformation Technology projects to the department’s strategic business and ITInformation Technology plans. The PALParolee-At-Large is divided into the following four stages which include the following types of analysis: Stage1 business analysis, Stage 2 alternatives analysis, Stage 3 procurement analysis and Stage 4 solution analysis. Refer to the CDT Reportable Project Decision Tree Reference Guide. Per the guidelines outlined in SAMState Administrative Manual, section 4928, the PALParolee-At-Large Stage/Gate deliverables, here and after referred to as “deliverables”, must provide an accurate summary of the results from all four stages of PALParolee-At-Large. The deliverables include a complete summary of the four stages of a proposed project to establish the business case for investment of state resources by setting out the reasons for undertaking the project and analyzing its costs and benefits.
PALParolee-At-Large deliverables must be submitted to CDT, the Office of Legislation (OOLOffice Of Legislation) Analyst, and to the Department of Finance’s Information Technology Consulting Unit for review. CDT publishes detailed instructions and guidelines for preparing deliverables, which are available in the Statewide Information Management Manual (SIMM), section 19. The deliverables must use the format specified by CDT and signed by the Chief Information Officer (CIO) or their designee. The department must maintain documentation of each analysis to ensure that project participants, management, and the CDT personnel can resolve any questions about the intent, justification, nature, and scope of the project.
If during the PALParolee-At-Large process the technology solution incorporates or utilizes Generative Intelligence (GenAI), per SIMM section 5305-F, the project team is required to complete the GenAI risk assessment.

43020.3.2 Internal Project Approval Lifecycle

In coordination with the EISEnterprise Information Services (formerly Information Services Division), ITInformation Technology Portfolio Management Office (PMO), the Internal Project Approval Lifecycle should be developed as outlined in this article.

43020.3.3 Requests Requiring a Change in the Governor’s Budget

If funding for a project is already available, approval is still necessary, and is discussed in this article.
- Early each calendar year, the Budget Management Branch (BMBBudget Management Branch) shall distribute a memorandum to CDCRCalifornia Department of Corrections and Rehabilitation Executive Staff, Wardens, and Regional Parole Administrators (RPAs) detailing the Budget Concept Statement (BCSBudget Concept Statement) request process for the fiscal year beginning approximately 18 months later. This memorandum shall include a timeline containing significant deadlines which shall be met in order for a request to proceed through the approval process.
- The designated EISEnterprise Information Services (formerly Information Services Division) section or team shall utilize the BCSBudget Concept Statement format when presenting an ITInformation Technology proposal to executives. The purpose of this format is to provide sufficient information to departmental executive staff to allow for a determination of whether the proposal warrants further development as a Budget Change Proposal (BCPBudget Change Proposal). BCPs are discussed in Department Operations Manual (DOMDepartment Operations Manual), Chapter 2, Article 1, section 21010.6 and SAMState Administrative Manual, section 6120.
- Refer to the annual budget instruction bulletin from the BMBBudget Management Branch, which the BMBBudget Management Branch emails all staff each year, when completing the BCSBudget Concept Statement and note that the format shall not exceed two pages in length including any supporting documentation. Requests out of compliance with the established format and instructions shall be returned to the requester without consideration.

43020.3.4 Project Cost Delegation

The CDT assigns CDCRCalifornia Department of Corrections and Rehabilitation a minimum total Project Cost Delegation for reporting purposes (see SIMM, section 15). CDT delegates to the department the approval authority for any ITInformation Technology proposal with an estimated total development cost equal to or less than the department’s assigned Project Cost Delegation, provided the proposal does not meet any other CDT established reporting criteria defined in SAMState Administrative Manual, section 4819.37.

43020.3.5 Revisions

The CIO or designee shall be responsible for ensuring the contents of this article are kept current and accurate.

43020.4.1 IMAP Composition

The IMAPInformation Management Annual Plan consists of three parts:
- Part A: Overview.
- Part B: Information Technology Activities.
- Part C: Exhibits and Supporting Documents.

43020.4.1.1 Part A – Overview

Part A contains a brief description of the agency’s mission, its current problems and opportunities associated with information management, and its strategy and objectives for the use of information technology.

43020.4.1.2 Part B – Information Technology

Part B provides an overview of current and proposed development projects and potential acquisition activities, with particular emphasis on those projects and activities that are relatively costly, require a BCPBudget Change Proposal, or meet any of the other special criteria described in SAMState Administrative Manual Section 4902.1.

43020.4.1.3 Part C – Exhibits and Supporting Documents

Part C contains Documents that supplement the information in Parts A and B of the IMAPInformation Management Annual Plan by providing details about the agency’s organization of information management and its available resources.

43020.4.2 IMAP Purpose

The purpose of the IMAPInformation Management Annual Plan is to ensure that CDC is systematic in identifying and satisfying its information requirements and provides OITOffice of Information Technology and other control and oversight agencies with the basic facts those organizations require to carry out their responsibilities regarding the use of information technology in State government.

43020.4.3 IMAP Responsibilities

ISDInformation Services Division (see EIS) is responsible for assembling and maintaining the IMAPInformation Management Annual Plan. ISDInformation Services Division (see EIS) develops IMAPInformation Management Annual Plan – Part A and the support documents contained in Part C. Part B of the IMAPInformation Management Annual Plan consists of New Reportable Project Forms that are completed by the project teams involved in the information technology projects, and summaries of project status for any major projects.

43020.4.4 Reportable Projects

SAMState Administrative Manual Section 4902.1 lists the criteria used to determine if a project is considered reportable. Reportable projects require completion of a New Reportable Project Form. This form is included in Section B of the IMAPInformation Management Annual Plan and provides OITOffice of Information Technology with information on the proposed project. OITOffice of Information Technology uses this information to determine whether approval authority for the project shall be delegated to CDC or if OITOffice of Information Technology shall retain the approval authority.
All proposed projects that do not meet the criteria in SAMState Administrative Manual Section 4902.1 are considered non-reportable projects. The costs of agency development or new acquisition projects, whether reportable or not, shall be included in the Agency Information Technology Costs spreadsheet included in Part C of the IMAPInformation Management Annual Plan.

43020.4.4.1 Definition of Reportable Project

A Reportable Project is defined as a planned development activity or the planned acquisition of a new or enhanced information technology capability (as defined in SAMState Administrative Manual Section 4819.2) which meets one or more of the following criteria:
- The project involves total estimated development or acquisition costs that are greater than the cost threshold established for the agency (see DOMDepartment Operations Manual 43020.4.4.2 for further information on cost thresholds).
- The project involves a budget augmentation through submission of a BCPBudget Change Proposal or Budget Revision to increase the agency’s existing information technology activities.
- The project is a new system development or acquisition made in response to a legislative mandate or the project is subject to special legislative review as specified in budget control language or other legislation.
- The project involves direct public access by private sector organizations or individuals to State data bases .
- The project involves contracts for professional, managerial, or technical services (excluding services received through interagency agreements) totalling more than $25,000.
- The project involves acquisition of one or more personal computers, personal computer software, or related peripherals, and the agency does not have an approved Workroup Computing Policy (SAMState Administrative Manual Section 4989 et seq.).
- The project involves installation or expansion of wide area network data communication services other than those offered by the DGSDepartment of General Services, Division of Telecommunications, or a State consolidated data center as defined in SAMState Administrative Manual Section 4982.
- The project involves one or more of the following emerging technologies and more than $25,000 will be spent on acquisition of hardware or software required for the technology:
  - Document imaging.
  - Geographic information systems.
  - Computer aided systems engineering.
  - Expert systems/artificial intelligence.

43020.5 FSR

CDC adheres strictly to State policy requiring that a feasibility study be conducted and a FSRFeasibility Study Reports be approved prior to the expenditure of resources on any information technology project. The only exception to this requirement is the justification and acquisition of personal computers and related commodities through use of the Workgroup Computing Justification Form (SAMState Administrative Manual Section 4991.1).
The term Information Technology Project is defined in DOMDepartment Operations Manual 41010.3, EDPElectronic Data Processing (see IT) Definitions.
The feasibility study shall be performed in conformance with the requirements of SAMState Administrative Manual Sections 4922 through 4927.
The FSRFeasibility Study Reports shall be prepared in accordance with SAMState Administrative Manual Sections 4928 through 4928.4.
The FSRFeasibility Study Reports shall be reviewed and approved in accordance with the general requirement of SAMState Administrative Manual Section 4819.3, State Information Management Authority and Responsibility, as well as the specific requirements of SAMState Administrative Manual Sections 4926 through 4926.5.
Refer to SAMState Administrative Manual and the handbook, “How To Conduct A Feasibility Study,” published by OITOffice of Information Technology, for specific guidelines for completing each step of the process.

43020.5.1 FSR Purpose

The Feasibility Study represents the first opportunity within the project management sequence for State management to assess the full implications of a proposed information technology project. The purposes of the Feasibility Study are to:
- Determine whether a proposed project represents a justified expenditure of public resources in terms of whether it:
  - Is responsive to a clearly defined, program-related problem or opportunity.
  - Is the best of the possible alternatives.
  - Is within the technical and managerial capabilities of the agency.
  - Would provide benefits over the life of the application that exceed development and operations costs. Such benefits typically include reduced program costs, avoidance of future program cost increases, increased program revenues, or provision of program services that can be provided only through the use of information technology.
- Provide a means for achieving agreement between agency executive management, program management, and project management as to:
  - The nature, benefits, schedule, and costs of proposed project.
  - Their respective management responsibilities over the course of the project.
- Provide executive branch control agencies and the Legislature with sufficient information to assess the merits of the proposed project and determine the nature and extent of project oversight requirements.

43020.5.2 Internal Approval Process

In addition to the State policy and procedures which govern information technology projects, FSRs shall be developed and approved according to the following internal process. Once the FSRFeasibility Study Reports and/or CDC internal Project Summary Fact Sheet is completed and approved by the Division approving authority, it is submitted to:
- ISDInformation Services Division (see EIS), Project Initiation Unit (PIUProject Initiation Unit), for technical review and recommendation.
- MISManagement Information Systems-SU for inclusion on MISManagement Information Systems Committee agenda.
- MISManagement Information Systems Committee for final departmental approval.
- ISDInformation Services Division (see EIS)/PIUProject Initiation Unit for submission to OITOffice of Information Technology for review and approval if the project is reportable.
- ISDInformation Services Division (see EIS)/PIUProject Initiation Unit for preparation of certification statement (Certifications for Personal Computer systems approved through the Personal Computer Policy are prepared by the MISManagement Information Systems-SU).
- Chairperson, MISManagement Information Systems Committee, to sign certification.
- Deputy Director, ASDSee Division of Administrative Services (DAS) (see ASB), and Assistant Director, OOCOffice Of Compliance (see OACC), to sign certification.
OITOffice of Information Technology’s response to the Department regarding project approval/disapproval is sent directly to the Chief Deputy Director and then to ISDInformation Services Division (see EIS). Subsequently, ISDInformation Services Division (see EIS) shall update the project file and route copies to the project initiator(s) and to MISManagement Information Systems-SU.
The process differs slightly if a BCPBudget Change Proposal is required. In order to ensure that the FSRFeasibility Study Reports is developed and approved within the mandatory time frames, refer to DOMDepartment Operations Manual 43020.3.1.
In addition to a project file, ISDInformation Services Division (see EIS) (Systems Support) also monitors initial and subsequent equipment procurements to ensure they fall within the scope of the approved FSRFeasibility Study Reports or CDC Internal Summary Fact Sheet. Copies of all approved procurement documents shall be routed to the MISManagement Information Systems-SU.

References

(1) CDT, Reportable Project Decision Tree Reference Guide.
(2) DOMDepartment Operations Manual, Chapter 2, Article 1, § 21010.6.
(3) SAMState Administrative Manual §§ 4819.34, 4819.37, 4928, and 6120.
(4) SIMM §§ 15, 19, and 5305-F.

Revision History

(1) Revised: October 17, 1994.
(2) Revised: January 4, 2010.
(3) Revised: October 28, 2025.

Article 9 – Project Management

Revised October 17, 1994

43030.1 Policy

It is the policy of the Department to create an automation organizational structure that is conducive to the successful implementation, maintenance, and control of the EDPElectronic Data Processing (see IT) environment.

43030.2 Purpose

The purpose of this policy is to ensure that an EDPElectronic Data Processing (see IT) infrastructure is created which meets the needs of the Department and fixes responsibility and authority for the development and maintenance of EDPElectronic Data Processing (see IT) systems.

43030.3 Responsibility

EDPElectronic Data Processing (see IT) project management is project team oriented. Maintenance and development projects each have a technical project manager. New development projects also have a user project manager. Each project, whether maintenance or new development, is uniquely and individually staffed with a separate project team. DOMDepartment Operations Manual 43030.4 describes the structure of project teams.
Team Concept
Project Team Structure
- The project team is a self-sufficient unit staffed with the appropriate technical and managerial resources to address the complexity and size of a project through its life cycle-from initiation through the development, implementation, and maintenance phases. A project team shall have the following composition:
  - A core technical staff of analysts and programmers to construct the system.
  - Users to participate in requirements definition, design “walkthroughs,” and test planning and execution.
  - Trainers to develop user manuals and to train users.
  - Administrative staff to support project tracking and management reporting.
- Each project shall have a technical project manager and an associated user group. New development projects shall also have a user project manager who shall stay with the project through implementation. The user project manager shall be responsible for “what” needs to be automated. The technical project manager shall be responsible for the technical aspects (i.e., the “how”) of the project. DOMDepartment Operations Manual 43030.5 (User Project Manager) and DOMDepartment Operations Manual 43030.6 (Technical Project Manager) outline the roles and responsibilities of the user and technical project managers, respectively.
User Project Manager
- The user project manager is selected by CDC executive management from one of the functional areas affected by the project and reports to the appropriate Deputy Director on the MISManagement Information Systems Committee.
- The user project manager provides overall guidance to the technical project manager. The user project manager keeps fully apprised of the status of the project through regular written project reports from the technical project manager, although the technical project manager reports formally to ISDInformation Services Division (see EIS) management.
- The user project manager is fully responsible for the project and, in effect, is subcontracting for technical expertise. Therefore, this contract is with ISDInformation Services Division (see EIS) rather than a specific technical project manager. This means that the usual reporting structure for ISDInformation Services Division (see EIS) is maintained.
- The user project manager is responsible for securing the necessary project funding and project resources. In addition, the user project manager is responsible for ensuring that the IMAPInformation Management Annual Plan, BCSBudget Concept Statement, BCPBudget Change Proposal, FSRFeasibility Study Reports, Special Project Report (SPRSpecial Project Reports), Quarterly Project Report (QPR), Post implementation Evaluation Report (PIERPost Implementation Evaluation Report), and any other required documentation is prepared and approved by departmental management. ISDInformation Services Division (see EIS) shall be responsible to review, log, and submit these reports to EDPElectronic Data Processing (see IT) control agencies as required.
- The user project manager communicates project needs and priorities to the technical project manager, as reported by the user group. The user project manager is also responsible for ensuring that the user community provides the necessary time and resources required throughout the project, such as needs and requirements analysis, data conversion, and user training, as addressed in the approved project management plan.
Technical Project Manager
- The technical project manager is appointed by ISDInformation Services Division (see EIS) and reports to a unit manager within the Applications Systems Section who, in turn, reports to the ISDInformation Services Division (see EIS) Application Systems Manager. The technical project team members report directly to the technical project manager.
- The technical project manager has full authority over and responsibility for the technical aspects of the project and the technical project team members. This responsibility includes:
  - Detailed planning.
  - Staff recruitment and management.
  - Project budget control.
  - Requirements specifications.
  - System design.
  - Programming and testing.
  - System implementation.
  - Data file conversion (responsibility for this task shall be shared with user staff depending upon the resources allocated to the project and the conversion approach approved in the implementation plan).
  - System maintenance.
  - User training (responsibility for this task may vary depending upon the resources allocated to the project and the training approach approved in the project management plan).
User Groups
- Each project (whether new development or maintenance) shall establish an associated user group comprised of representatives from the user community. The purpose of these user groups is to provide a forum for communication between the project teams and those who use the application systems, in order to facilitate more effective use of existing application systems and assist in the development of new systems.
- The user group representatives prioritize requests for system enhancements, exchange information on system usage, and provide feedback on system modifications.

43030.4 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

43030.5 References

DOMDepartment Operations Manual §§ 43030.4 – 43030.6.

Article 10 – Project Review and Basic Policy

Revised October 17, 1994

44010.1 Policy

The Department has established policy regarding project reporting and evaluation for each approved information technology project, in accordance with the requirements of SAMState Administrative Manual 4940 of the. All operating units within CDC shall adhere to the requirements set forth in the current section concerning project review, reporting, and evaluation. Additional requirements may be specified by the Office of Information Technology (OITOffice of Information Technology) in response to the Department’s IMAPInformation Management Annual Plan or in response to other needs reported by the Department (agency requirements are provided in SAMState Administrative Manual 4819.3 through 4819.39).

44010.2 Purpose

The purpose of this policy is to ensure that State and CDC project review requirements are implemented on an ongoing basis.

44010.3 Project Review Overview

Once the FSRFeasibility Study Reports for an information technology project has been approved by the MISManagement Information Systems Committee (also by OITOffice of Information Technology for non-delegated projects or the DGSDepartment of General Services for projects involving communications), the design, acquisition, development, and implementation phases of the project may proceed.
The success of each phase of the project shall be evaluated and reported in terms of the project objectives. Included are project reports, a formal management review, and a post-implementation assessment. (SAMState Administrative Manual 4944 through 4946.2 provide a framework for project monitoring and evaluation.)

44010.3.1 Information Technology Project Reports

Two information technology project reports are specified, the Quarterly Project Report (QPR) and the Special Project Report (SPRSpecial Project Reports). These reports:
- Support continuing communication among all project participants (project management, program management and executive management).
- Expose potential problems with respect to the availability of resources or the meeting of mandated project dates.
- Provide for CDC management and control agency review of project progress at appropriate intervals throughout the life of the project.

44010.3.2 Formal Project Review

In addition to the QPR and SPRSpecial Project Reports, a major management briefing, known as the Formal Project Review (FPRFormal Project Review) may be initiated by CDC management or required by the OITOffice of Information Technology for any information technology project. The FPRFormal Project Review allows for CDC management or control agency review of large projects after completion of the general design phase, but before substantial resources have been committed to the project. It may also be employed to provide a formal management assessment of a project at any point during the development cycle.

44010.3.3 Post Implementation Assessment

Following completion of each information technology project, CDC shall carry out a post-implementation assessment. The assessment shall:
- Measure the benefits and costs of the newly-implemented information technology application or system against the original objectives.
- Document projected operations and maintenance costs over the life of the application or system.

44010.3.4 EDP Audit

Every two years the Department shall carry out and submit to the DOFDepartment Of Finance an EDPElectronic Data Processing (see IT) audit. This audit is the responsibility of the Internal Audit Unit of PFABProgram and Fiscal Audits Branch (see OACC) (see DOMDepartment Operations Manual 49040). The audit shall be consistent with the DOFDepartment Of Finance publication, “Information Technology Security and Risk Management Guidelines.” This guide reflects the SAMState Administrative Manual requirements regarding the responsibility and control of EDPElectronic Data Processing (see IT) policy, and provides audit guidelines; however, it may not cover all areas to be audited. The guide and information about it are available through the Internal Audit Unit of PFABProgram and Fiscal Audits Branch (see OACC).
To accomplish this audit it is likely that ITS under development shall be selected for audit on a sample basis. The intent of the audit is to make an assessment of the degree of compliance by CDC with departmental and State policies and procedures. The scope of the audit shall include, but not be limited to, the following:
- Project approvals, feasibility study, and risk analysis (DOMDepartment Operations Manual 49020).
- Operational recovery plan (DOMDepartment Operations Manual 49030).
- Information security practices.
The Project Manager is responsible for ensuring that the project documentation is in compliance with policy.

44010.4 Project Review Central Control/Clearinghouse

All IMAPInformation Management Annual Plan “external” and “internal” reporting activities shall be monitored by CDC management through a central control agency/contact with regard to OITOffice of Information Technology reportable projects, OITOffice of Information Technology projects delegated to the Department, and all other Department information technology projects with an approved FSRFeasibility Study Reports, including those requiring a Summary Fact Sheet or Workgroup Computing Justification Form. The ISDInformation Services Division (see EIS), System Support Unit (ISDInformation Services Division (see EIS)-SSUSpecial Services Unit) shall be responsible for the central clearinghouse function. Refer to DOMDepartment Operations Manual 43030.3, User Project Manager, for project reporting responsibilities.
Responsibilities
- The ISDInformation Services Division (see EIS)-SSUSpecial Services Unit central clearinghouse monitors all external and internal quarterly project reports, special project reports, and post-implementation assessments. Project managers shall ensure that appropriate sign-off is attained on all projects before documents are submitted to the central clearinghouse. It is the responsibility of the central clearinghouse to:
  - Develop a cataloging system to monitor the completion and distribution of required reporting per schedule.
  - Notify project managers of scheduled reports prior to the report due date.
  - Review completed reports to ensure adherence to the Staterequired format.
  - Maintain copies of all reports and, in effect, act as a liaison between OITOffice of Information Technology and CDC project management concerning reporting requirements throughout the life cycle of the project.
Summary Information Report
- Since ITS approval and oversight are the responsibility of the MISManagement Information Systems Committee, the central clearinghouse function shall provide summary information on each ITS project to the MISManagement Information Systems Staff Committee at its quarterly meetings. This summary information shall include:
  - The project title.
  - MISManagement Information Systems approval date.
  - Projected completion date.
  - OITOffice of Information Technology delegation status.
  - FSRFeasibility Study Reports status.
  - QPR status.
  - PIERPost Implementation Evaluation Report status.
The central clearinghouse shall also provide the MISManagement Information Systems Committee with a summary project status profile which may be in the form of the project’s most current QPR and, if necessary, SPRSpecial Project Reports.

44010.5 Project Compliance Review

The Department is subject to compliance reviews conducted by OITOffice of Information Technology, or by specified units within CDC. The purpose of a compliance review is to verify CDC adherence to Department and State information technology policies and procedures.
Types of Compliance Reviews
- ITS within CDC are subject to four types of reviews:
  - Type 1. Policy compliance reviews (SAMState Administrative Manual Section 4942).
  - Type 2. EDPElectronic Data Processing (see IT) audit reviews (see DOMDepartment Operations Manual 49050).
  - Type 3. Information security, risk management, operational recovery compliance reviews (SAMState Administrative Manual Sections 4840 through 4845; DOMDepartment Operations Manual 49000).
  - Type 4. Facility peer reviews.
Policy Compliance Review
- Type 1 – Policy compliance reviews are conducted by OITOffice of Information Technology. Responses to this type of review shall be coordinated by the central clearinghouse function of ISDInformation Services Division (see EIS).
EDPElectronic Data Processing (see IT) Audit Reviews
- Type 2 – EDPElectronic Data Processing (see IT) audit reviews are part of an audit required by SAMState Administrative Manual, and are usually conducted by the Internal Audits Unit of PFABProgram and Fiscal Audits Branch (see OACC). Alternately, it is possible that Type 2 reviews shall be carried out by the Audits Group of DOFDepartment Of Finance, but responsibility for the audit reviews remains with PFABProgram and Fiscal Audits Branch (see OACC). The owner of an information system is responsible for providing responses to audit findings regarding that system.
Security, Risk, and Operational Compliance Reviews
- Type 3 – Information security, risk management, and operational recovery compliance reviews are ongoing and conducted by the Information Security Unit within PFABProgram and Fiscal Audits Branch (see OACC). These reviews are usually not oriented to a specific system or project, and are limited in scope to the policies contained in SAMState Administrative Manual Sections 4840 through 4845, and DOMDepartment Operations Manual Subchapter 49000.
Facility Peer Reviews
- Type 4 – Facility peer reviews are reviews of business services operations conducted by the Department on a rotational basis at each of CDC’s facilities. The EDPElectronic Data Processing (see IT) portion of the peer review includes a functional review of Offender Based Information Services, the DDPSDistributed Data Processing System, and personal computer security practices and system utilization.
- The review teams are composed of business services and administrative staff from headquarters and the facilities.
NonDelegated Projects
- OITOffice of Information Technology reviews project reporting documentation in conjunction with its compliance review and oversight responsibilities.
Delegated Projects
- For delegated projects, the MISManagement Information Systems Committee shall determine when a compliance review is to be conducted, the scope of the review, and who shall perform the review.

44010.6 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

44010.7 References

SAMState Administrative Manual §§ 4819.3 to 4819.39, 4840 – 4845, 4940, 4942, and 4944 – 4946.2.
DOMDepartment Operations Manual §§ 49000, 49020, 49030, 49040, 49050, 43030.5.
DOFDepartment Of Finance publication, “Information Technology Security and Risk Management Guidelines.”

Article 11 – Project Reporting Requirements

Revised October 17, 1994

44020.1 Policy

It is the policy of the Department to monitor the implementation and outcome of EDPElectronic Data Processing (see IT) projects within the Department to ensure that progress and outcome information is tracked and reported, as specified by SAMState Administrative Manual 4940 and as otherwise required by State oversight agencies. Additional requirements may be specified by the Office of Information Technology (OITOffice of Information Technology) in response to the Department’s Information Management Annual Plan (IMAPInformation Management Annual Plan) or in response to other needs reported by the Department (see SAMState Administrative Manual 4819.3 through 4819.39 for departmental requirements).

44020.2 Purpose

The purpose of this policy is to ensure that adherence to all project reporting requirements outlined by State oversight agencies is monitored and met.

44020.3 Project Reporting Requirements Compliance Review Reporting Schedule

The Compliance Review Reporting Schedule for both delegated and non-delegated projects is set by the MISManagement Information Systems Committee in accordance with central control agency and Department requirements, and is reported to the central clearinghouse.

44020.4 Project Reporting Requirements‑Audit of Information Technology Projects

All information technology projects are subject to audit, with project reporting and evaluation documents being an essential aspect of the audit trail (SAMState Administrative Manual Section 4943). CDC is subject to project audits by control agencies as well as internal audits. Documentation supporting project decisions shall be kept by the Department in the central clearinghouse for a minimum period of two years following approval of the post-implementation assessment.
Nondelegated Projects
- OITOffice of Information Technology audits project reporting documentation in conjunction with its audit and oversight responsibilities.
Delegated Projects
- For delegated projects, the MISManagement Information Systems Committee shall determine when an audit is to be conducted, the scope of the audit, and who shall perform the audit.

44020.5 Project Reporting Requirements Project Audit Reporting Schedule

The project audit reporting schedule for both delegated and non-delegated projects is set by the MISManagement Information Systems Committee in accordance with central control agency and Department requirements, and is reported to the central clearinghouse.

44020.6 Project Reporting Requirements Quarterly Project Report Requirements

Quarterly Project Reports (QPR) are usually required of the project manager in the case of projects subject to monitoring by OITOffice of Information Technology, and may be required as an additional reporting responsibility for delegated projects. OITOffice of Information Technology’s response to the Department’s IMAPInformation Management Annual Plan or FSRFeasibility Study Reports specifies the necessity of preparing QPRs for particular projects. On occasion, reporting on other than a quarterly basis is established by the FSRFeasibility Study Reports and approved by the MISManagement Information Systems Committee.
Every external QPR shall be reviewed and approved by the affected division, and by the Director, or designee. Two copies of the QPR shall be submitted to the central clearinghouse for submittal to OITOffice of Information Technology by no later than the 15th day of the month following the end of each fiscal quarter (i.e., October 15, January 15, April 15, and July 15). A copy of the QPR shall be forwarded to the Office of the Legislative Analyst.
CDC also encourages use of the QPR format to document project activity for projects that do not qualify as reportable, or for which project monitoring has been delegated to the Department. These internal QPRs shall be reviewed and approved by the affected division. It is not necessary to forward copies of these reports to OITOffice of Information Technology or the Office of the Legislative Analyst unless so required by OITOffice of Information Technology.
The QPR shall contain a brief summary of project status including an explanation of any minor deviations from the original project plan. An updated Project Management Schedule (see SAMState Administrative Manual Section 4928.4) showing actual completion dates of specific tasks/deliverables shall be attached. The QPR shall conform to the standard format provided in SAMState Administrative Manual Section 4944.1.
Some deviations from the project plan require preparation and submission of a Special Project Report (SPRSpecial Project Reports). The conditions that require preparation of an SPRSpecial Project Reports are defined in SAMState Administrative Manual Sections 4945 and 4945.1.

44020.7 Project Reporting Requirements Special Project Reports

General Reporting Requirements (SAMState Administrative Manual Section 4945): Preparation of an SPRSpecial Project Reports is required whenever a project deviates substantially from the costs, benefits or schedules documented in the approved FSRFeasibility Study Reports, or when a major revision occurs in project requirements or methodology. No expenditure of funds shall be made to implement an alternative course of action until approval has been received from OITOffice of Information Technology or the Director of CDC, as appropriate (SAMState Administrative Manual Section 4945). SAMState Administrative Manual Section 4945.1 lists specific conditions for the required submission of an SPRSpecial Project Reports to OITOffice of Information Technology.
SPRs, which must be submitted to OITOffice of Information Technology, shall be transmitted within 30 days after recognition of a substantial deviation. Two copies of the SPRSpecial Project Reports shall be submitted to OITOffice of Information Technology and one copy to the Office of the Legislative Analyst. SPRs shall be signed by the Director of CDC or designee.
If a QPR is due to OITOffice of Information Technology during the period the Department is engaged in preparing the SPRSpecial Project Reports, CDC shall submit the QPR (see SAMState Administrative Manual Sections 4944 through 4944.1) stating that an SPRSpecial Project Reports is under development and providing an approximate date for its completion.
The format and content of the SPRSpecial Project Reports transmittal letter for each non-delegated or delegated project shall conform to the standard formats provided in SAMState Administrative Manual Section 4945.
Conditions Requiring Submission to OITOffice of Information Technology (SAMState Administrative Manual Section 4945.1):
- Projects subject to OITOffice of Information Technology approval/oversight – an SPRSpecial Project Reports shall be submitted to OITOffice of Information Technology if:
  - The information technology project’s total costs deviate p roj, or are anticipated to deviate, by ten percent (higher or lower) from the estimated information technology ect budget (to be measured against the combined total of each fiscal year’s One-time Costs plus Continuing Costs on the Summary Fact Sheet, SAMState Administrative Manual 4930 Illustration 1.
  - The project schedule falls behind or is anticipated to fall behind by 10 percent or more (to be measured using the key management milestones critical to project success reported on the Summary Fact Sheet, SAMState Administrative Manual Section 4930, Illustration1).
  - The total program benefits deviate or are anticipated to deviate by 10 percent (higher or lower) from the estimated total program benefits (to be measured against the combined total of each fiscal year’s Cost Savings and Cost Avoidances on the Summary Fact Sheet, SAMState Administrative Manual 4930, Illustration 1).
  - A major change occurs in project requirements or methodology.
- Projects subject to approval and oversight by the Special Project Director (delegated or nonreportable), and projects for which project reporting has been delegated to the Director after OITOffice of Information Technology approval of the FSRFeasibility Study Reports: Submission of an SPRSpecial Project Reports to OITOffice of Information Technology is required if the revised project costs exceed or are estimated to exceed CDC’s IMAPInformation Management Annual Plan cost threshold (SAMState Administrative Manual Section 4902.12), and one or more of the following conditions are true:
  - The total information technology project costs deviate or are anticipated to deviate by 10 percent (higher or lower) from the estimated information technology project budget (to be measured against the combined total of each fiscal year’s One-time Costs vs. Continuing Costs on the Summary Fact Sheet, SAMState Administrative Manual Section 4930 Illustration 1).
  - The project schedule falls behind or is anticipated to fall behind by 10 percent or more (to be measured using the key management milestones critical to project success reported on the Summary Fact Sheet, SAMState Administrative Manual 4930, Illustration 1).
  - The total program benefits deviate or are anticipated to deviate by 10 percent (higher or lower) from the estimated total program benefits (to be measured against the combined total of each fiscal year’s Cost Savings and CostAvoidances on the Summary Fact Sheet, SAMState Administrative Manual Section 4930, Illustration 1.
  - A major change occurs in project requirements or methodology.
- If an SPRSpecial Project Reports for a delegated project must be submitted to OITOffice of Information Technology, attach to the SPRSpecial Project Reports a copy of the approved FSRFeasibility Study Reports and the project approval letter signed by the Director or designee.
- Internal special project reports Delegated or nonreportable projects which exceed projected project development costs but do not (according to control agency requirements) require an SPRSpecial Project Reports.
An internal SPRSpecial Project Reports shall be required when the cost thresholds below are exceeded:
- By less than $100,000 The project exceeds cost projections by 25 percent or more.
- Between $100,000 and $200,000 The project exceeds costs projections by 15 percent or more.
- Over $200,000 The project exceeds cost projections by 10 percent or more.
The SPRSpecial Project Reports shall provide sufficient information for Department management, executive branch control agencies, and the Legislature to assess the merits of the proposed project change and determine the nature and extent of future project oversight requirements. If an SPRSpecial Project Reports lacks sufficient information for these purposes, OITOffice of Information Technology may request that the Department provide additional information.
SPRs shall be commensurate with the level of deviation from the approved FSRFeasibility Study Reports. Therefore, the Department shall determine whether to prepare a revised FSRFeasibility Study Reports, provide the information required by the minimum content for an SPRSpecial Project Reports (defined below), or do something in between these two extremes.
The minimum content for an SPRSpecial Project Reports consists of a description of the project status, an explanation of the reason for the project deviation, a revised project management schedule, and economic summary information. CDC shall prepare an SPRSpecial Project Reports with at least the minimum content described below:
- Project Status – An explanation of the problems encountered or opportunities identified that have led to the preparation of the SPRSpecial Project Reports. This section of the SPRSpecial Project Reports shall include as appropriate:
  - Changes in Project Requirements or Methodology – An explanation of the proposed change from the anticipated course of action, including the reasons for the change and why this proposed alternative methodology is now the preferred course of action.
  - Cost Benefit or Schedule Deviations – An explanation of the deviation from the originally anticipated costs, benefits or schedule. This section shall include the reasons for the deviation and the proposed course of action to bring the project back within planned costs, benefits, or schedule.
- Summary Fact Sheet – This section shall include a revised Summary Fact Sheet (SAMState Administrative Manual Sections 4930 through 4930.1) indicating accomplishments to date by using actual dates in the Target Date fields of the Project Schedule, then continuing the schedule by focusing on the yet to be accomplished milestones critical to project success. The cost analysis portion shall contain all actual costs to date plus revised projected costs through the end of the project.
For example, this may be the second fiscal year that the project has been under development: indicate the actual project costs for last year and place them in the first column of Personnel Years (PYs) and Costs, then combine the actual costs for the current fiscal year-to-date with the anticipated costs for the remainder of this fiscal year, and place them in the second column of PYs and Costs. Indicate the anticipated costs for each succeeding budget year through the end of the project.
If the feasibility of the project was documented through the preparation of a FSRFeasibility Study Reports, the following additional content shall be provided:
- Project Management Schedule – A revised Project Management Schedule (SAMState Administrative Manual Section 4928.4) indicating accomplishments to date and focusing on the duration of critical tasks, major management decision-points, and progress reporting milestones shall be included in the SPRSpecial Project Reports.
- Economic Analysis Worksheet – A revised Economic Analysis Worksheet (SAMState Administrative Manual Sections 4929 through 4929.2) shall be provided. The worksheet shall contain all actual costs to date plus revised projected costs through the end of the project.
For example, this may be the second fiscal year that the project has been under development: Indicate the actual project costs for last year and place them in the first column of PYs and Costs, then combine the actual costs for the current fiscal year-to-date with the anticipated costs for the remainder of this fiscal year, and place them in the second column of PYs and Costs. Indicate the anticipated costs for each succeeding budget year through the end of the project.

44020.8 Project Reporting Requirements – Formal Project Review

A Formal Project Review (FPRFormal Project Review) may be initiated by Department management or required by OITOffice of Information Technology for any information technology project. The FPRFormal Project Review typically provides a formal management or control agency checkpoint after completion of the project’s general design phase, but before substantial resources have been committed. It may also provide a formal management assessment of a project at any point during the development cycle. FPRs may be scheduled during the procurement process if doing so does not violate procurement requirements.) OITOffice of Information Technology may notify the Department that an FPRFormal Project Review is required in its response to the Department’s IMAPInformation Management Annual Plan, in an FSRFeasibility Study Reports approval document, or in any correspondence subsequent to project approval.
SAMState Administrative Manual Section 4946.1 provides guidance in the form of recommended content for the preparation and presentation of an FPRFormal Project Review. Depending upon the complexity, sensitivity, and size of the project, an FPRFormal Project Review presentation shall usually require between two and four hours. When the Department receives services from a data center or from another agency, responsible staff should request that representatives of the data center or the servicing agency attend.
Content and Organization
- The FPRFormal Project Review provides an opportunity for a final critique of the merits of the proposed information technology project prior to commitment of substantial resources. It shall be used also as a checkpoint during project development to maintain management involvement and awareness with respect to crucial decision points. The FPRFormal Project Review allows assessment of: (1) systems design, (2) current estimates of costs and benefits, (3) management controls, and (4) probability of project success.
Composition of Formal Project Reviews (FPRFormal Project Review)
- An FPRFormal Project Review topic outline is provided in SAMState Administrative Manual Section 4946.1, Illustration 1. Typically, the FPRFormal Project Review is organized into four major sections:
  - Background.
  - Technical Strategy.
  - Project Management Controls.
  - Summary.
- The suggested content of each of these sections is specified in SAMState Administrative Manual Sections 4946.11 through 4946.14.
- It is important to adapt the presentation to suit the audience. Executive management, for example, may not be interested in the technical details of a project, but may be anxious to know the time frames for system operation and the capture of proposed tangible and intangible benefits.
Background Section
- The Background Section of the FPRFormal Project Review shall provide the facts necessary to understand the problem or opportunity being addressed by the project, and the defined project objectives within their program context.
- Typically, this portion of the presentation shall include:
  - A summary of the information contained in the requirements section of the FSRFeasibility Study Reports, with a note of any significant changes since preparation of the FSRFeasibility Study Reports.
  - A brief overview of the project technical strategy as defined in the FSRFeasibility Study Reports’s functional requirements (technical topics are normally covered in detail during the technical strategy section of the FPRFormal Project Review).
  - A brief description of project organization as it relates to the overall organization of the Department, and any specific user organization within the Department.
  - An overview of the information contained in the Management Plan Section of the FSRFeasibility Study Reports.
  - A management summary that concentrates on costs, benefits, savings, PYPersonnel Year reductions, or other quantifiable or non-quantifiable management benefits that were described in the FSRFeasibility Study Reports.
  - A synopsis of anticipated decisions that shall be necessary at the conclusion of the presentation.
- Ideally, the FPRFormal Project Review is based upon information that is more current than is contained in the FSRFeasibility Study Reports; therefore, the estimates should be an update to the economic analysis portions of the FSRFeasibility Study Reports.
- The presentation on technical strategy shall include typically:
  - Major system processes, including file or data section base relationships, interfaces with existing systems, and impact on other systems currently in operation, planned, or under development. This overview of systems capabilities should inform the audience regarding methods for processing information, input mechanisms, output mechanisms, error detection techniques, and data distribution or access.
  - Specific hardware and software requirements for development and operation of the system; the level of presentation detail should be based on the audience’s technical background and need to make informed decisions.
  - Lease versus purchase decisions for equipment and software, and the procurement mechanism and schedule.
  - Requirements for security and asset protection: level of security, security methods, and contingency plans.
Project Management
- This section provides an overview of the project management plan based upon the Management Plan section of the FSRFeasibility Study Reports with updates to reflect changes since the preparation of the FSRFeasibility Study Reports. Additionally, a review of the project phases is typically presented including design, development, testing, implementation, conversion, and acceptance. Coordination of responsibility for these phases is also presented.
- Other topics included in the project management section of the presentation are:
  - Training requirements, plans, and costs for technical and user staff.
  - Special management requirements for system conversion.
  - User or technical responsibilities for data conversion.
  - The time frame for accomplishment of conversion.
Summary
- The concluding section of the FPRFormal Project Review normally summarizes the current status of the project, describes the next steps in the project, highlights potential problems for the project, and closes with any required decisions that may be necessary.

44020.9 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

44020.10 References

SAMState Administrative Manual §§ 4819.3 – 4819.39, 4902.12, 4928.4, 4929 to 4929.2, 4930 to 4930.1, 4940, 4943, 4944 to 4944.1, 4945 to 4945.1, 4946.1, and 4946.11 – 4946.14.

Article 12 – Project Evaluation

Revised October 17, 1994

44030.1 Policy

It is the policy of the Department to evaluate its EDPElectronic Data Processing (see IT) projects as required by the SAMState Administrative Manual 4940, and as otherwise required by State oversight agencies. Additional requirements may be specified by the Office of Information Technology (OITOffice of Information Technology) in response to the Department’s Information Management Annual Plan (IMAPInformation Management Annual Plan) or in response to other needs reported by the Department.

44030.2 Purpose

The purpose of this policy is to ensure the implementation of all project evaluation requirements specified by laws and regulations, and State and departmental policies.

44030.3 Post‑implementation Evaluation Report (PIER) General Information

A post-implementation assessment shall be carried out by the Department following the completion of each information technology project. No project is considered complete until the report of that assessment, the Post-implementation Evaluation Report (PIERPost Implementation Evaluation Report), has been approved by OITOffice of Information Technology or the Department Director, as specified in OITOffice of Information Technology’s response to the Department’s IMAPInformation Management Annual Plan and in accordance with SAMState Administrative Manual 4819.36 and 4941. Approval of a PIERPost Implementation Evaluation Report by OITOffice of Information Technology or The Director, as required, terminates project reporting requirements.
The post-implementation assessment shall be conducted after the new information technology capability has been operational for a sufficient period of time to allow its benefits and costs to be accurately assessed. Initial operational problems shall have been resolved and sufficient experience and data shall have been accumulated to determine whether the project met the proposed objectives, was completed within the anticipated time and budgetary constraints, and achieved the proposed benefits. The optimum time after implementation to conduct the assessment depends upon the nature of the project. Six months after implementation is typical. The assessment shall be completed within two years of implementation of the information technology capability.
The required content for a PIERPost Implementation Evaluation Report is defined in SAMState Administrative Manual Section 4947.2. The format and content of the PIERPost Implementation Evaluation Report Transmittal Letter for each nondelegated project shall conform to the standard format shown in SAMState Administrative Manual 4947, Illustration 1. The format and content of the Transmittal Letter for each delegated project requiring submission of the PIERPost Implementation Evaluation Report to OITOffice of Information Technology shall conform to the standard format shown in SAMState Administrative Manual 4947, Illustration 2.

44030.4 PIER Reporting Requirements

Two copies of the PIERPost Implementation Evaluation Report shall be submitted to OITOffice of Information Technology and one copy to the Office of the Legislative Analyst if the project was subject to approval and oversight by OITOffice of Information Technology. If OITOffice of Information Technology has delegated project approval authority to CDC, but in conjunction with that delegation has required that CDC submit a copy of the PIERPost Implementation Evaluation Report following completion of the project, CDC’s submission of the PIERPost Implementation Evaluation Report shall include a copy of the approved FSRFeasibility Study Reports with its signed Project Approval Letter.
PIERs for projects subject to approval and oversight by the Department Director (delegated or non-reportable) or projects for which project reporting has been delegated to the Department Director after OITOffice of Information Technology approval of the FSRFeasibility Study Reports shall be approved by the Director or designee (see SAMState Administrative Manual 4971.1).

44030.5 PIER Content and Format

The level of detail included in the PIERPost Implementation Evaluation Report shall be commensurate with the scope and complexity of the project and its anticipated benefits. The narrative portion of the PIERPost Implementation Evaluation Report for a minor project can be as brief as one or two pages. However, it shall provide sufficient information for Department management, executive branch control agencies, and the Legislature to assess the success of the project (see SAMState Administrative Manual Section 4947.2).
PIERPost Implementation Evaluation Report Composition
- The PIERPost Implementation Evaluation Report is comprised of five sections:
  - Background and Summary of Results Section. A brief summary is provided of the project history, objectives, and results. Topics to be discussed normally include: how the project was initiated, how it progressed, problems that were overcome, user and management acceptance of the operational application, how Department management views the management of the project, and how the application fits into the Department’s overall management and operations strategy.
  - Attainment of Objectives Section. Specific objectives are established during the feasibility study for each project and are documented in the FSRFeasibility Study Reports. These objectives, which are normally defined in terms of measurable impact on Department programs and resources, provide the baseline for measurement of the project’s success. Accordingly, the narrative portion of this section of the PIERPost Implementation Evaluation Report shall describe the project outcome with respect to each objective included in the FSRFeasibility Study Reports. This section shall also include a clear statement regarding the capture of benefits and whether they were achieved as anticipated.
- Two attachments shall be included with this section of the PIERPost Implementation Evaluation Report:
  - Attachment 1 – PIERPost Implementation Evaluation Report Economic Summary Report. Project costs and benefits shall be summarized using the PIERPost Implementation Evaluation Report Economic Summary (SAMState Administrative Manual 4947.2 Illustration1). This spreadsheet allows comparison of the anticipated costs of the selected alternative, as documented in the FSRFeasibility Study Reports Economic Analysis Summary (SAMState Administrative Manual 4929.3), with actual project costs from the project start date through the period of project operation chosen as the basis for the PIERPost Implementation Evaluation Report. For detailed information on the completion of entries in the PIEREconomic Summary, see the instructions for the FSREconomic Analysis Worksheet (SAMState Administrative Manual 4929.1 through 4929.2) and the Economic Analysis Summary (SAMState Administrative Manual 4929.3).
  - Significant deviations from the anticipated costs shall be explained in the narrative portion of this section.
  - Attachment 2 Project Management Schedule Report. Arevised Project Management Schedule (see SAMState Administrative Manual 4928.4) showing targeted and actual completion dates for major accomplishments during the project shall be provided, with significant deviations from the original schedule explained in the narrative.
  - Projected Operations/Maintenance Costs Section. The Summary of Projected Operations/Maintenance Costs documents anticipated costs of systems operation and maintenance by fiscal year over the expected operational life of the application or system. These costs shall begin where the costs contained in the PIERPost Implementation Evaluation Report Economic Summary ended. For detailed information on completion of the specific line items in the Summary of Projected Operations/Maintenance Costs, see the instructions for continuing costs found on lines 9-16 of the FSRFeasibility Study Reports Economic Analysis Worksheet contained in SAMState Administrative Manual 4929.1 through 4929.2.
  - Special Observations Section. This section is optional. If completed, it should contain a narrative of any notable occurrences or factors that contributed to the project’s success, or problems or other information that could be helpful during future project efforts.
  - Corrective Actions Section. This section shall be included when the project is deemed to be a limited success or a failure, or when there are significant differences between project expectations (as expressed in the FSRFeasibility Study Reports) and project results.
    - If the project was a limited success or involved significant differences between expectations and results, alternatives for improving the outcome shall be summarized. If the project was a failure, available alternatives for addressing the problem or opportunity shall be summarized.

44030.6 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

44030.7 References

SAMState Administrative Manual §§ 4819.36, 4928.4, 4929.1 – 4929.3, 4941, 4941, 4941.1, and 4947 – 4947.1.

Article 13 – Policy and General Information

Revised October 19, 1994

45010.1 Policy

The Department shall require competitive acquisition of EDPElectronic Data Processing (see IT) goods and services in accordance with applicable provisions of the SAMState Administrative Manual, the PCCPublic Contract Code, the GCGovernment Code, and the LCLabor Code.

45010.2 Purpose

This section describes the departmental requirements for procurement and contract of EDPElectronic Data Processing (see IT) goods and services.

45010.3 EDP

EDPElectronic Data Processing (see IT) is referred to as information technology, encompassing all computerized and auxiliary automated information handling including systems analysis and design, conversion of data, computer programming, information storage and retrieval, voice/video aspects, requisite system controls, data communications, simulation, and all related interactions between people and machines.

45010.4 Responsibility

Contract Services Section
- The Department’s Contract Services Section (CSS) shall supervise EDPElectronic Data Processing (see IT) contracts entered into by CDC in a manner that:
  - Conserves the financial interests of the Department and the State.
  - Prevents, so far as possible, any thriftless acts by employees of CDC.
  - Avoids unnecessary expenditures.
BSS
- The BSS is responsible for the preparation of purchase documents for all EDPElectronic Data Processing (see IT) equipment and data-related items for use in CDC headquarters or by the P&CSDParole & Community Services Division (see DAPO). As directed by the Department, the BSS is responsible also for the procurement of EDPElectronic Data Processing (see IT) equipment by specific facilities.
  - BSS shall ensure that all requests submitted for purchase are complete and the necessary documentation is included, such as certifications or FSRs.
  - BSS is the departmental contact with the DGSDepartment of General Services, Office of Procurement, for all EDPElectronic Data Processing (see IT) procurements processed for CDC headquarters and P&CSDParole & Community Services Division (see DAPO), as well as for specified facility procurements.
- P&CDPlanning and Construction Division (see FPCM) The P&CDPlanning and Construction Division (see FPCM) is responsible for procurement of EDPElectronic Data Processing (see IT) equipment for new prison construction projects.
DGSDepartment of General Services
- The DGSDepartment of General Services is the State agency that exercises supervision over EDPElectronic Data Processing (see IT) contracts entered into by all other State agencies.
- The DOFDepartment Of Finance and DGSDepartment of General Services have general powers of supervision over matters concerning the financial and business policies of the State, and they are empowered to institute investigations and procedures deemed proper in the best interests of the State.
- While most types of contracts are reviewed and approved by the Legal Services Division of DGSDepartment of General Services, EDPElectronic Data Processing (see IT) contracts are reviewed and approved by the DGSDepartment of General Services, EDPElectronic Data Processing (see IT) Acquisitions Unit. This unit reviews contracts to ensure that the best interests of the State are preserved, that State agencies comply with applicable laws, rules, and regulations, and that expenditures are made as wisely and economically as possible given the needs of agencies.

45010.5 Procurement/Contracting Project Authorization

Before a contract or purchase order for a new EDPElectronic Data Processing (see IT) project can be let for the purchase of goods and services, the program concept and any needed equipment and services shall be evaluated by the Department’s MISManagement Information Systems Committee. Also, the program concept and any equipment/services shall be contained in the Department’s Information Management Annual Plan (IMAPInformation Management Annual Plan) filed with DOFDepartment Of Finance (see DOMDepartment Operations Manual 43010, Information Management Planning, for additional information). If accepted for incorporation in the IMAPInformation Management Annual Plan, a feasibility study is conducted to thoroughly evaluate the concept and analyze the cost/benefits. The completed FSRFeasibility Study Reports shall be approved at all appropriate levels of Department management, and by the Director.
The FSRFeasibility Study Reports shall then be forwarded to the DOFDepartment Of Finance, Office of Information Technology (OITOffice of Information Technology) for review and approval, unless the project is delegated to the Department (refer to DOMDepartment Operations Manual 43020, FSRFeasibility Study Reports Policy, for additional information). If approved, a budget concept paper may be prepared or a BCPBudget Change Proposal initiated for review and approval by top management of the Department and DOFDepartment Of Finance. Approval of the Legislature and the Governor also may be required through the budget enactment process. If the project is authorized, the drafting of contracts shall be initiated.

45010.6 Certification Affidavit for an EDP Purchase Order/Contract

Certain EDPElectronic Data Processing (see IT) purchase orders and contracts must be accompanied by a “Certification of Compliance with Policies Pursuant to SAMState Administrative Manual 4819.39 and 4832,” as specified in SAMState Administrative Manual 4819.39 and 4832. Procurements not requiring such certification are:
- Procurements for less than $10,000;
- Procurements limited to only maintenance services;
- Procurements in support of previously approved efforts (see SAMState Administrative Manual 4819.38);
- Procurements of services to conduct a feasibility study provided the services are limited to supporting or conducting the feasibility study and/or preparing the FSRFeasibility Study Reports; or
- Procurements of/for excluded activities as described in SAMState Administrative Manual 4819.32.
The certification attests that the program or function for which the purchase documents are being processed has been approved by the DOFDepartment Of Finance. SAMState Administrative Manual 4832 provides a sample of the certification affidavit.
In order to comply with the certification requirement, all EDPElectronic Data Processing (see IT) contracts and purchase orders not included by the above criteria shall be forwarded to headquarters. Additionally, every amendment to such EDPElectronic Data Processing (see IT) contracts or interagency agreements shall include a certification affidavit.
Certifications for microcomputers, peripheral equipment and software shall be prepared by MISManagement Information Systems-SU. Certification for all other EDPElectronic Data Processing (see IT) equipment shall be prepared by the ISDInformation Services Division (see EIS). The certification shall contain a statement signed by the Director, or designee affirming that the equipment is in compliance with SAMState Administrative Manual-requirements concerning information technology. In CDC, the Director has delegated approval authority to the Deputy Director, ASDSee Division of Administrative Services (DAS) (see ASB), and the Assistant Director, OOCOffice Of Compliance (see OACC). Adherence to this certification requirement adds approximately two weeks to the routing process within CDC headquarters.

45010.7 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

45010.8 References

SAMState Administrative Manual §§ 4800, 4819.39, and 4832.
DOMDepartment Operations Manual §§ 43010 and 43020.

Article 14 – Methods of Procurement

Revised January 16, 2026

45020.1 Policy

January 16, 2026

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) shall utilize acceptable methods of procurement when purchasing or contracting for Information Technology (ITInformation Technology) goods and services. The department shall follow acceptable procurement practices and methods as defined by the Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) and defined in the State Contracting Manual (SCM) Volume 2, State Administrative Manual (SAMState Administrative Manual), and the Department Operations Manual (DOMDepartment Operations Manual).

45020.2 Purpose

January 16, 2026

The purpose of this section is to outline the acceptable methods of procurement and provide references to information and procedures for initiating an ITInformation Technology procurement, the methods used to purchase ITInformation Technology goods and services, and meeting the general contract requirements provided in SAMState Administrative Manual and SCM Volume 2.

45020.3 Process for the Procurement of IT Goods and Services

January 16, 2026

The process for procurement of ITInformation Technology goods and services is more complicated than for procurement of non-ITInformation Technology goods and services. There is no single procurement method best suited universally for all categories of acquisition. Each procurement consists of differing elements that, overall, lend themselves more appropriately to one technique than to another. It is the responsibility of the EISEnterprise Information Services (formerly Information Services Division) Information Technology Goods and Services Procurement (ITGSP) to select the method of procurement to be used for each ITInformation Technology acquisition. All procurements for ITInformation Technology related goods and services shall be processed by ITGSP only, within EISEnterprise Information Services (formerly Information Services Division).

45020.4 Methods of Procurement

January 16, 2026

There are three acquisition methods of procurement:
- Competitive
- Non-Competitive
- Leveraged Procurements

45020.4.1 Competitive Methods

January 16, 2026

Competitive procurement methods have several industry-standard methods established in SCM Vol. 2, that may be used for soliciting and awarding contracts and purchase orders. The competitive procurement methods include:
- Formal
  - Invitation for Bid (IFBInvitation For Bids) – This is the most common written format for formal purchases at or above $1,000,000.
  - Request for Proposal (RFPRequest For Proposal) – Used for formal solicitations more than $1,000,000. The RFPRequest For Proposal identifies a complex business or elevated risk.
- Informal
  - Request for Quote (RFQRequest For Quotations) – Used for competitive solicitations below $1,000,000.00.
- Small Business (SB) and Disabled Veteran Business Enterprise (DVBEDisabled Veteran Business Enterprises) Option.
  - CDCRCalifornia Department of Corrections and Rehabilitation shall utilize the SB/DVBEDisabled Veteran Business Enterprises method first. This is the most recommended method to satisfy state mandates relating to SB/DVBEDisabled Veteran Business Enterprises or DVBEDisabled Veteran Business Enterprises guidelines and may be used for acquisitions between $5,000 and $249,999.99.
- Limited to Brand (LTB)
  - This is used for specific brand or trade name solicitations in accordance with Public Contract Code (PCCPublic Contract Code) section 12102(b) for ITInformation Technology goods, and sections 10301 and 10302 for Non-ITInformation Technology goods. Refer to CDCRCalifornia Department of Corrections and Rehabilitation Purchasing Authority Approval Letter (PAAL) for maximum threshold for the department’s LTB justification purchasing authority, which requires departmental or the Department of General Services (DGSDepartment of General Services) approval prior to solicitation.
For a complete detailed list of Competitive Methods of Procurement, refer to SCM Vol. 2, section 1401, Competitive Acquisition Methods List.

45020.4.2 Non‑Competitive Methods

January 16, 2026

Non-competitive procurement methods most commonly used by the department include:
- Non-Competitive Bid (NCB)
  - These are competitive transactions adhering to a specific approval process in which only a single supplier is afforded the opportunity to offer the state a price for the specified goods or services.
- Fair and Reasonable (F&R)
  - If the transaction is less than $20,000, a F& R solicitation is acceptable.
  - The requestor shall solicit one vendor and utilize one of the five techniques to establish whether a supplier’s price can be determined to be F&R. See SCM Volume 2, section 1510.
- Community-Based Rehabilitation Program (CRP)
  - Meets the criteria of Welfare and Institutions Code (WIC), section 19404. An NCB justification is NOT required.
- Emergency
  - Emergency contracts are necessary for the immediate preservation of the public health, welfare, safety, or the protection of CDCRCalifornia Department of Corrections and Rehabilitation property and programs. EISEnterprise Information Services (formerly Information Services Division) must be notified as soon as the emergency has been identified.
    - Emergency – Non-Natural Disaster – Contracts that meet SCM criteria and that are subject to purchasing authority dollar thresholds, refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold. EISEnterprise Information Services (formerly Information Services Division) must be notified as soon as the emergency has been identified.
- Exempt by Law
  - Interagency Agreement (IAA) – Contracts for ITInformation Technology work or services with other state agencies, California State University, University of California institutions, or California Department of Technology (CDT).
  - Other – Contracts with other public entities such as another state, local, or Federal agency pursuant to PCCPublic Contract Code, sections 10335(a) and 10340(b)(3).
- Exempt by Policy
  - Proprietary software maintenance services meeting criteria noted in the SCM may be executed without an NCB justification up to the dollar threshold identified in SCM, refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold.
  - Proprietary software purchases meeting criteria noted in the SCM may be executed without an NCB justification up to the dollar thresholds identified in SCM and must not exceed purchasing authority dollar thresholds, refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold.
  - Contracts with business entities operating Community-Based Rehabilitation Programs (CRP), which meet the criteria established by Welfare and Institutions Code, section 19404. Note: Exception does not apply to contracts justified pursuant to Government Code (GCGovernment Code), section 19130(a). See SCM Vol. 2, section 1506.
Purchases, although exempt by law or policy, must still be reasonable in cost and justification. Procurement files must include documentation to support fair and reasonable pricing.
For complete detailed list of Non-Competitive Methods of Procurement refer to SCM Vol. 2, section 1501, Non-Competitive Acquisitions Methods List.

45020.4.3 Leveraged Procurement Agreements

January 16, 2026

Leveraged Procurement Agreements (LPA) are purchasing agreements established by the Department of General Services'(DGSDepartment of General Services) Procurement Division (PD), enabling streamlined State purchases by removing repetitive, resource intensive, costly and time-consuming bid processes by departments, per PCCPublic Contract Code, sections 10290, et seq. and 12101.5. The following are the LPAs offered by the DGSDepartment of General Services:
- California Multiple Award Schedule (CMAS) – refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold.
- Cooperative Agreements (such as National Association of State Procurement Officials, Value Point which is consolidated with the former Western States Contracting Alliance, etc.) – refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold.
- Master Agreement/Master Service Agreement (MA/MSAMerit Salary Adjustment) – refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold.
- Software Licensing Program.
- State Price Schedule (SPSState Price Schedule) – refer to CDCRCalifornia Department of Corrections and Rehabilitation PAAL for maximum threshold.
- Statewide Contracts.
Some LPAs are mandatory; therefore, buyers must know how to find LPAs and verify whether the specific goods and or services they require are available on a mandatory LPA. DGSDepartment of General Services maintains a State Contracts Index Listing, refer to DGSDepartment of General Services’s PD webpage for additional information. Buyer shall refer to LPA user instructions for details on procurement.
For detailed information on each of these LPA methods, refer to the individual LPA user instructions.

45020.5 Responsibility

January 16, 2026

EISEnterprise Information Services (formerly Information Services Division)/ITGSP is responsible to ensure that all State Contracting Guidelines for both ITInformation Technology good and services are followed.

45020.6 IT Procurement and Documentation

January 16, 2026

All purchase documents for procurement of ITInformation Technology goods and services for CDCRCalifornia Department of Corrections and Rehabilitation shall be processed through EISEnterprise Information Services (formerly Information Services Division) ITGSP.
Capital outlay purchases and/or by bond funds for new prison construction, including ITInformation Technology needs, are supported by the Facility Planning, Construction and Management. For further details see DOMDepartment Operations Manual, Chapter 1, Article 31, section 15040.2 – Facility Planning and Finance Branch.

45020.7 General IT Goods and Services Procurement Advertising Requirements in California State Contracts Register (CSCR)

January 16, 2026

For specific ITInformation Technology advertising requirements refer to SCM Volume 2, section 1402.3.

45020.8 General IT Goods and Services Procurement Approval Authority

January 16, 2026

The DGSDepartment of General Services has delegated authority to all State departments to approve procurements for ITInformation Technology goods and services per PAAL. All ITInformation Technology procurements for goods and services exceeding PAAL delegation shall be forwarded for review and approval to the appropriate DGSDepartment of General Services unit or CDT, whichever control agency applies.
All contracts for the acquisition of Information Technology (ITInformation Technology) goods and services related to ITInformation Technology projects, as defined in SAMState Administrative Manual section 4819.2, shall be made by or under the supervision of the CDT. The department entities shall not conduct an acquisition for ITInformation Technology goods and services related to an ITInformation Technology project under acquisition authority (aka “purchasing” authority) granted by DGSDepartment of General Services unless the CDT has either:
- Delegated project authority to the department; or
- Authorized the department to conduct the acquisition.

45020.9 Revisions

January 16, 2026

The Chief Information Officer (CIO) or designee, shall be responsible for ensuring the contents of this Article are kept current and accurate.

References

January 16, 2026

(1) DOMDepartment Operations Manual, Chapter 1, Article 31, § 15040.2.
(2) GCGovernment Code, § 19130(a).
(3) PCCPublic Contract Code, §§ 10290 et seq., 10301-10302, 10335(a), 10340(b)(3), 12101.5, and 12102(b).
(4) NCDOMNotice of Change to Department Operations Manual 26-03 1/16/26 5
(5) SCM Volume 2, §§ 100.3, 1401, 1402.3, 1501, 1506, and 1510.
(6) WIC, § 19404.

Revision History

January 16, 2026

(1) Revised: October 19, 1994.
(2) Revised Section 45020.6: January 4, 2010.
(3) Revised: January 16, 2026.

Article 15 – Unassigned

Revised January 16, 2026

Article 16 – Unassigned

Revised January 16, 2026

Article 17 – Unassigned

Revised January 16, 2026

Article 18 – Unassigned

Revised January 16, 2026

Article 19 – Unassigned

Revised January 16, 2026

Article 20 – Unassigned

Revised January 16, 2026

Article 21 – Unassigned

Revised January 16, 2026

Article 22 – Unassigned

Revised December 10, 2025

Article 23 – Information Technology (IT) Equipment Maintenance

Revised January 16, 2026

46020.1 Policy

January 16, 2026

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) shall maintain Information Technology (ITInformation Technology) equipment in accordance with State requirements and in ways that maximize the operating efficiency of the equipment while minimizing equipment failure and down time. Furthermore, ITInformation Technology equipment maintenance shall be performed by State personnel, or performed by maintenance service organizations in the private sector whose services are acquired through the Department Operations Manual (DOMDepartment Operations Manual), Chapter to the State Contracting Manual (SCM) Vol. 2 and Department Operations Manual (DOMDepartment Operations Manual), Chapter 4, Article 14. Specific criteria for ITInformation Technology equipment maintenance services shall be defined and applied in the development of procurement specifications. ITInformation Technology equipment maintenance policies and guidelines shall be applied in determining appropriate maintenance coverage for ITInformation Technology equipment installed throughout the department.

46020.2 Purpose

January 16, 2026

The purpose of this section is to specify that ITInformation Technology equipment maintenance shall be performed as required by State Administrative Manual (SAMState Administrative Manual) sections 5001 and 5010.

46020.3 Responsibility for Maintenance of IT Equipment

January 16, 2026

Maintenance coverage for ITInformation Technology equipment is the responsibility of the department ITInformation Technology personnel or designee at the user location. Funding for maintenance coverage is the responsibility of the division, facility, or parole region that is procuring the equipment.

46020.4 Acquisition of Maintenance Services for IT Equipment Within Department

January 16, 2026

Acquisition of ITInformation Technology equipment maintenance services is conducted through the State’s procurement process. ITInformation Technology goods and services procurement follows all guidelines established by the Department of General Services (DGSDepartment of General Services).

46020.5 Revisions

January 16, 2026

The Chief Information Officer (CIO) or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

46020.6 References

January 16, 2026

(1) SAMState Administrative Manual, §§ 5001, 5010, and 5210-5291.

Revision History

January 16, 2026

(1) Revised: October 20, 1994.
(2) Revised Section 46020.5: January 4, 2010.
(3) Revised: January 16, 2026.

Article 24 – IT Equipment Inventory

Revised January 16, 2026

46030.1 Policy

January 16, 2026

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) shall maintain an accurate inventory of its Information Technology (ITInformation Technology) equipment, peripheral devices, and software. All purchased ITInformation Technology equipment shall concur with the technical specifications contained in the State Administrative Manual (SAMState Administrative Manual), section 4989.3. All ITInformation Technology hardware shall be inventoried at the time of installation, identified with a CDCRCalifornia Department of Corrections and Rehabilitation property tag, if applicable. The department shall ensure ITInformation Technology equipment does not sit idle pending procurement activities, and instead be implemented expeditiously for the benefit of CDCRCalifornia Department of Corrections and Rehabilitation’s mission and the proper oversight of taxpayer dollars.

46030.2 Purpose

January 16, 2026

The purpose of this policy is to ensure that CDCRCalifornia Department of Corrections and Rehabilitation is in compliance with SAMState Administrative Manual, section 4989.3, and to provide departmental administrators with an accurate listing of their ITInformation Technology equipment resources. There shall be a biannual reconciliation of the ITInformation Technology inventory to update for changes in the system. This policy establishes the asset ownership for all ITInformation Technology equipment acquired by any CDCRCalifornia Department of Corrections and Rehabilitation division or project that will be identified and documented by the CDCRCalifornia Department of Corrections and Rehabilitation Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)).

46030.3 Inventory Responsibility

January 16, 2026

The local information asset custodian or designee shall be responsible for maintaining an accurate ITInformation Technology equipment inventory for the corresponding division, facility or parole region. Inventories shall be forwarded no later than April 1 and October 1 of each year to Deputy Director of Operations, who shall be responsible for the coordination, compilation, and retention of the departmental ITInformation Technology equipment inventories and useful life-cycle schedule.

46030.4 IT Equipment Inventory Documentation

January 16, 2026

The ITInformation Technology inventory shall include the following data elements:
- Primary Location: division/branch, facility, or parole region where equipment is located.
- Secondary Location: unit or office where equipment is located.
- Brand of Equipment: monitors, keyboards, printers, etc.
- Model Number: monitors, keyboards, printers, etc.
- Serial Number: monitors, keyboards, printers, software, etc.
- Ownership: whether CDCRCalifornia Department of Corrections and Rehabilitation or specified other owns.
- Version Number: software.
- Date of Acquisition: date equipment was received.
- Date of Installation: date equipment/software was installed.
- Date of Relocation: date equipment/software was relocated.
- Relocation Location: unit or office where equipment has been relocated.
- Signature: signature of the local ITInformation Technology personnel, or designee, or the ITInformation Technology personnel’s supervisor.

46030.5 IT Equipment Ownership and Inventory Redirection

January 16, 2026

ITInformation Technology equipment purchased for use within the department’s EISEnterprise Information Services (formerly Information Services Division) ITInformation Technology services is a CDCRCalifornia Department of Corrections and Rehabilitation asset, not owned by the individual division, unit, or project that funded the purchase.
- Exceptions include:
  - Equipment participating in non-routed communication and attached to the CDCRCalifornia Department of Corrections and Rehabilitation network. Examples of these types of equipment are networked printers and scanners, security cameras, et. cetera.
  - Equipment tied to State or Federal funding that requires the asset to be used exclusively for a one-time purpose.
- When a reorganization occurs or a project is cancelled or completed, all the ITInformation Technology equipment utilized is entered into the CDCRCalifornia Department of Corrections and Rehabilitation general EISEnterprise Information Services (formerly Information Services Division) ITInformation Technology inventory.
  - The CDCRCalifornia Department of Corrections and Rehabilitation division responsible for the unit or project will be given first right of refusal to select new placement of the recovered equipment if there is an immediate use case for its redeployment.
  - Redeployment of ITInformation Technology equipment is not always necessary or possible, and therefore not guaranteed.
Facility infrastructure services such as electrical infrastructure, cooling systems, fixed uninterruptible power supplies, and plant ITInformation Technology infrastructure (e.g. plant fiber optics, plant copper data cables) installation costs cannot be recouped (exceptions may exist with certain contracts). EISEnterprise Information Services (formerly Information Services Division) will not be responsible for the costs associated with redeployment of recovered ITInformation Technology equipment assets requiring new facility infrastructure.

46030.6 Roles and Responsibilities

January 16, 2026

EISEnterprise Information Services (formerly Information Services Division) is responsible for:
- ITInformation Technology development and enforcement standards.
- ITInformation Technology assets and service procurement approval.
- ITInformation Technology inventory control.
- ITInformation Technology refresh deployment and configuration.
- Configuration and management of ITInformation Technology assets.
- ITInformation Technology security standards.
- ITInformation Technology customer support for CDCRCalifornia Department of Corrections and Rehabilitation employees.
  - Direct ITInformation Technology customer support is not provided by EISEnterprise Information Services (formerly Information Services Division) staff to incarcerated persons. However, instructors or other CDCRCalifornia Department of Corrections and Rehabilitation staff may request and receive support for ITInformation Technology services and assets used by the incarcerated population.
CDCRCalifornia Department of Corrections and Rehabilitation divisions are responsible for:
- Identification of business needs and expected outcomes from ITInformation Technology services and systems.
- Funding procurements for ITInformation Technology assets needed for the division’s specific efforts and projects.
  - Exceptions may occur where a Budget Change Proposal (BCPBudget Change Proposal) may be the funding source initiated by EISEnterprise Information Services (formerly Information Services Division) on behalf of the department for ITInformation Technology services and assets.
    - Fair Share may be a funding source based on prior negotiation and addition of the asset type to the Fair Share yearly allotments as approved by EISEnterprise Information Services (formerly Information Services Division), the Budget Management Branch (BMBBudget Management Branch), and appropriate department stakeholders.
    - Replacement of damaged equipment due to negligence.
      - If ITInformation Technology equipment is damaged due to negligence of the division/site to maintain a clean and controlled environment (e.g. water damage from a leaking roof, water damage from pipe bursts, local staff damage due to mishandling, electrical damage to facility wiring, etc.) replacement of the damaged equipment will be the responsibility of the division/site.
Third parties are responsible for:
- Procurement of department-approved ITInformation Technology assets and services including initial maintenance and licensing for deployment.
  - Ongoing maintenance and licensing should be included, when possible, for the length of the third-party engagement with CDCRCalifornia Department of Corrections and Rehabilitation.
- Providing logging data capture and storage for reporting on request.
  - 90 days of logs minimum for third party managed services.

46030.7 Revisions

January 16, 2026

The Chief Information Officer (CIO) or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

References

(1) SAMState Administrative Manual, § 4989.3.

Revision History

January 16, 2026

(1) Revised: October 20, 1994.
(2) Revised Section 46030.5: January 4, 2010.
(3) Revised: January 16, 2026.

Article 25 – IT Equipment Maintenance Records

Revised February 3, 2026

46040.1 Policy

February 3, 2026

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) shall establish a uniform method for recording data pertaining to the repair and maintenance of Information Technology (ITInformation Technology) equipment as required by the State Administrative Manual (SAMState Administrative Manual), section 4989.3 to aid in the tracking of ITInformation Technology equipment and maintenance expenses and costs associated with vendor support.

46040.2 Purpose

February 3, 2026

The purpose of this section is to ensure consistency in reporting, in the capture of data at the time of an incident, and in review by appropriate levels of management of reports made. These are all essential to the effective management and control of ITInformation Technology equipment maintenance.

46040.3 Responsibility for IT Equipment Maintenance Records

February 3, 2026

Maintenance record keeping for ITInformation Technology equipment is the responsibility of the Information Technology personnel or designee at each user location involved. Maintenance records shall be forwarded no later than April 1 and October 1 of each year to the Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) Section Chief or designee for review and analysis of information, and shall be retained by the EISEnterprise Information Services (formerly Information Services Division) Deputy Director or designee for as long as the component is in service or there is a possibility of any contractual claim.

46040.4 Documentation of Maintenance for IT Equipment

February 3, 2026

The responsible unit or party shall maintain records of ITInformation Technology equipment which contain essential data pertaining to repair and maintenance. Such essential data that are required to resolve disputes between the vendor and the department concerning vendor performance include:
- Document control number: composed of a two-digit year and a two-digit month, followed by a sequence number starting with “one” at the beginning of each month.
- Name of originating facility.
- Name, unit, and phone number of the on-site contact person responsible for taking action to correct a deficiency.
- Date and time the need for maintenance was first noticed.
- Name and phone number of vendor that was notified.
- Date and time vendor was notified of problem.
- Date and time vendor personnel arrived to repair malfunction.
- Dateandtime component and system were returned to service.
- Identification of affected component/system by manufacturer identification or serial number, and by CDCRCalifornia Department of Corrections and Rehabilitation property tag number.
- Type of service: regularly scheduled preventative maintenance or unscheduled maintenance required to remedy malfunctions or incidents.
- Justification for any delays in the completion of maintenance.
- Description of malfunction or incident.
- Signatures of vendor personnel and a departmental representative.
A maintenance form is to be initiated whenever a system or any component of a system is inoperative because of the need for equipment repair or maintenance, and is to remain open until the problem has been corrected and the component has been returned to service.

46040.5 Revisions

February 3, 2026

The Chief Information Officer (CIO) or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

46040.6 References

February 3, 2026

SAMState Administrative Manual, § 4989.3.

Revision History

February 3, 2026

(1) Revised: October 20, 1994.
(2) Revised Section 46040.5: January 4, 2010.
(3) Revised: February 3, 2026.

Article 26 – Disposal of IT Equipment and Supplies

Revised February 3, 2026

46050.1 Policy

February 3, 2026

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) is committed to ensuring that compliance is maintained with the procedures set forth in the State Administrative Manual (SAMState Administrative Manual) sections 5951, 8633, and 8640 – 8642 and Government Code sections (GCs) 14673 – 14675, regarding the disposal of Information Technology (ITInformation Technology) equipment and supplies. CDCRCalifornia Department of Corrections and Rehabilitation shall also act in accordance with Department of General Services (DGSDepartment of General Services) policies, with respect to its oversight responsibilities for the disposal of all state-owned ITInformation Technology equipment and supplies.

46050.2 Purpose

February 3, 2026

The purpose of this policy is to ensure the efficient and economical disposal of surplus ITInformation Technology consumable equipment and supplies, while maximizing the salvage value of State-owned ITInformation Technology equipment and supplies in a manner that is in the best interests of the department.

46050.3 Responsibility for Disposal of IT Equipment and Supplies

February 3, 2026

It is the responsibility of the local ITInformation Technology personnel or designee to inform the EISEnterprise Information Services (formerly Information Services Division), Operations Manager, of ITInformation Technology equipment or supplies determined to require an exchange, a transfer, a sale, or a disposal.

46050.4 Responsibility for Lost, Damaged, or Misused IT Equipment

February 3, 2026

In accordance with SAMState Administrative Manual, sections 8643 and 20080, the department must report losses of state property due to fraud or embezzlement to the Department of Finance’s Office of State Audits and Evaluations and the California State Auditor’s Office.
The department management must promptly investigate incidents involving loss, damage, or misuse of information assets.
The department shall immediately notify the California Highway Patrol upon discovery of all ITInformation Technology security incidents and computer-related crimes.
Employees will be charged with any loss and damages to state property due to their negligence or unauthorized use.

46050.5 Revisions

February 3, 2026

The Chief Information Officer (CIO) or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

46050.6 References

February 3, 2026

(1) SAMState Administrative Manual, §§ 5951, 8633, and 8640 – 8642, and 20080.
(2) GCGovernment Code, §§ 14673, 14674, and 14675.

Revision History

February 3, 2026

(1) Revised: October 20, 1994.
(2) Revised Section 46050.5: January 4, 2010.
(3) Revised: February 3, 2026.

Article 27 – Unassigned

Revised February 3, 2026

Article 28 – Offender Based Information System

47010.1 Policy

The Department shall maintain complete and accurate case records on all prisoners in the custody of the Department as required by PCPenal Code 2081.5. Case records include all information received by the Department from courts, probation departments, sheriff and police departments, DA offices, the State DOJDepartment Of Justice, the FBIFederal Bureau of Investigation, and other pertinent agencies and persons.
OBISOffender Based Information System was created to provide for automated tracking of all inmates assigned to the Department’s jurisdiction from the time of admission through discharge from prison or parole.

47010.2 Purpose

The purpose of this policy is to ensure that complete and accurate records are maintained on all prisoners under the jurisdiction of the Department, and to establish and fix responsibility and accountability for the management of OBISOffender Based Information System.

47010.3 Responsibilities

Overall responsibility (e.g., security, data integrity, QAQuality Assurance, QCQuality Control) for OBISOffender Based Information System resides with the Director and Chief Deputy Director. Delegated responsibility resides with OISBOffender Information Services Branch of the ASDSee Division of Administrative Services (DAS) (see ASB), and with management, supervisory, and end-user personnel involved with OBISOffender Based Information System use. OISBOffender Information Services Branch is responsible for training data input staff and providing QCQuality Control oversight to ensure data integrity in OBISOffender Based Information System.
As primary users of this system, the case records offices in facilities, parole regions, and headquarters, as well as OISBOffender Information Services Branch, input and update offender information in OBISOffender Based Information System.
As the custodian of this system, the ISDInformation Services Division (see EIS) is responsible for application, hardware, and software support, and maintenance of OBISOffender Based Information System.
Parole Violator Work Credit Subsystem
- The Parole Violator Work Credit Subsystem records paroleeatlarge, parole revocation, and revocation extension information, and applies work credit earned/lost from the inmate work incentive subsystem to calculate violator revocation release dates.

47010.4 Overview of OBIS

Revised July 15, 1993

OBISOffender Based Information System is a centralized, on-line, mainframe system that links all facilities, parole regions, selected parole field units, and headquarters to the Teale Data Center. OBISOffender Based Information System is the only database which tracks an inmate from initial admission in a state prison through discharge from prison or parole.
Composition Of OBISOffender Based Information System
- OBISOffender Based Information System is comprised of the following subsystems: movement, commitment, descriptive, inmate work incentive; and holds, wants, and detainers.
Movement Subsystem
- The movement subsystem records each movement and status change of an inmate from the date of reception from the committing court to discharge from CDC jurisdiction.
Commitment Subsystem
- The commitment subsystem records the legal commitment received from the California Superior Court that sentenced the offender to the jurisdiction of the Department.
Descriptive Subsystem
- The descriptive subsystem records detailed information regarding each offender’s height, weight, hair color, ethnicity, social security number, CII number, FBIFederal Bureau of Investigation number, and date and place of birth.
Inmate Work Incentive Subsystem
- The inmate work incentive subsystem is a collection of an offender’s applied credits (including vested credits, administrative time, work and vocational assignments, work credit losses and restorations) that affect the release date of the offender.
Inmate Time Collection System
- The Inmate Time Collection System (ITCS) is used to track the hours of inmates participating in the IW/TIP. Inmates who participate in the IW/TIP shall earn work time credit toward the reduction of their sentence.
- The ITCS introduces a scanning process to the existing time collection system. The scanning system is designed to provide the following:
  - Key data entry workload relief for the facility.
  - A more expedient method of updating OBISOffender Based Information System.
- The ITCS scanning process uses revisions of the CDC Form 191, Inmate Timecard, the CDC Form 1697, Work Supervisor Log, and a Sentry 4000 scanner. The work supervisor tracks the inmate work time for a 31 day period, using the CDC Form 1697. Information from the CDC Form 1697 is transferred on to the CDC Form 191. The CDC Form 191 is sent to the case records office for scanning and timecard retention. Scanned information is used to update the OBISOffender Based Information System database, and generate error and statistical reports.
Holds, Wants and Detainer Subsystem
- The Holds/Wants/Detainer subsystem records holds, wants (warrants), and detainers (HWDHolds/Wants/Detainer) on a particular offender. HWDs are entered on-line immediately after receipt from another agency (e.g., federal, other states) which may have a legal right to hold the offender.
- Requests for offender information residing on the OBISOffender Based Information System database shall be addressed to the Information System Support and Specialized Reporting Unit, located in OISBOffender Information Services Branch.

47010.5 Revisions

Revised January 4, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

47010.6 References

PCPenal Code § 2081.5.

Article 29 – SCO Systems

Revised December 10, 2025

47020.1 Policy

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the Department) Personnel Office shall prepare and release all personnel-and payroll-related data utilizing the State Controller’s Office (SCOState Controller’s Office) Personnel and Payroll Services Division (PPSD) system.
Authorization and guidelines established under the uniform state payroll system are controlled and defined by the PPSD system within SCOState Controller’s Office.

47020.2 Purpose

The purpose of utilizing the SCOState Controller’s Office system is to ensure all employee personnel information which is considered sensitive and confidential is recorded and updated, and that all such data be protected under a strictly controlled environment accessed only to inquire and update the following:
- Current and historical information concerning employee status, payment history, or miscellaneous, fixed and voluntary payroll deductions.
- An employee’s name, position number, effective date of appointment, salary, range, bargaining unit, probation status, and effective date ending appointment.
- An employee’s State and federal withholding tax information and home address.

47020.3 Responsibilities

The delegated responsibility for the security, maintenance, monitoring and integrity of the SCOState Controller’s Office system resides with an authorized department Personnel Officer or human resources personnel at each facility and at headquarters. Major users of the system are department Personnel Specialists who access the system to update all personnel and payroll history on departmental employees. Other users of the system authorized human resources personnel for job-related inquiries basis only.

47020.4 SCO System Security

Refer to Department Operations Manual (DOMDepartment Operations Manual), Chapter 4, Article 49 regarding guidelines for equipment security.

47020.5 Management Information Retrieval System (MIRS)

The department uses the MIRSManagement Information Retrieval System to extract personnel and payroll information from the SCOState Controller’s Office and to generate supplemental reports for management.

47020.6 MIRS – Reports

Revised December 10, 2025

The department generates the following supplemental reports from the MIRSManagement Information Retrieval System extractions:
- Accounting/Budget/Payroll Reports.
- Intermittent Hours Tracking.
- Equal Employment Opportunity.
- Leave Accounting Reports.
- Personnel Reports.
- Position Inventory Reports.
- Historical Transaction Data Reports.

47020.7 MIRS – Responsibilities

Revised December 10, 2025

The Personnel Officer/Manager will delegate authorized administrative staff access to the SCOState Controller’s Office system to provide MIRSManagement Information Retrieval System reports. For access to the SCOState Controller’s Office system, please see DOMDepartment Operations Manual, Chapter 4, Article 49, section 49060.3, Department Responsibilities.

47020.8 MIRS – Equipment Security

Revised April 16, 1993

Refer to DOMDepartment Operations Manual, Chapter 4, Article 49 regarding guidelines for equipment security.

47020.9 Revisions

Revised January 11, 2013

The CIO or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

References

Revised April 16, 1993

(1) SCOState Controller’s Office: MIRSManagement Information Retrieval System Manual.
(2) GCGovernment Code §§ 12470.
(3) SAMState Administrative Manual §§ 4846.1, 4989.3, 5300, 5305.2, 5305.4.
(4) SCOState Controller’s Office: Personnel Action Manual.
(5) DOMDepartment Operations Manual, Chapter 4, Article 49, § 49060.3.

Revision History

(1) Revised: November 25, 1992.
(2) Revised Section 47020.9: January 11, 2013.
(3) Revised Sections 47020.6, 47020.7, 47020.8, and 47020.10: April 16, 1993.
(4) Revised: December 10, 2025.

Article 30 – C.L.E.T.S.

47030.1 Policy

As a part of its continuing support for all California law enforcement agencies, the Department participates in the utilization of the California Law Enforcement Telecommunications System (CLETSCalifornia Law Enforcement Telecommunications System), developed for use by law enforcement agencies. Government Code (GCGovernment Code) 15150 through 15167 require that the California Department of Justice (DOJDepartment Of Justice) maintain such a telecommunication system and provide services to California law enforcement agencies when, at their own expense, they require authorized connection to the system.

47030.2 Purpose

The purpose of this section is to describe the relationship between the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation) and the CLETSCalifornia Law Enforcement Telecommunications System and specify the Department’s participation in this system.
CLETSCalifornia Law Enforcement Telecommunications System accommodates all public law enforcement user agencies with the capability of providing and receiving fast and efficient point-to-point delivery of messages and information contained in federal and State computerized files. Local information reported to DOJDepartment Of Justice may also be accessed.
CLETSCalifornia Law Enforcement Telecommunications System is a cooperative system whereby the State provides central switching equipment, personnel to staff the switching center, and sufficient circuitry from the switching center to county locations as authorized by law for handling law enforcement message traffic. Department use of the circuitry and terminal equipment extending beyond the CLETSCalifornia Law Enforcement Telecommunications System county termination point is provided by CDCRCalifornia Department of Corrections and Rehabilitation.

47030.3 Responsibility

Operational responsibility, system supervision, monitoring of traffic for conformity to rules and regulations, and recommendations for corrective actions are under the direction of DOJDepartment Of Justice. System rules are designed to provide the most efficient operating system. Adherence to the rules shall provide the Department the maximum effectiveness with CLETSCalifornia Law Enforcement Telecommunications System. Violations of these rules shall result in investigative and appropriate disciplinary action. The Agency CLETSCalifornia Law Enforcement Telecommunications System Coordinators (ACC) shall direct requests for information concerning the general administration of CLETSCalifornia Law Enforcement Telecommunications System to the CLETSCalifornia Law Enforcement Telecommunications System Executive Secretary, Department of Justice, P.O. Box 903417, Sacramento, California 94203-4170.
Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) is responsible for coordinating with DOJDepartment Of Justice on the acquisition, relocation and use of the local CLETSCalifornia Law Enforcement Telecommunications System. The ACC shall direct requests for information concerning changes or additions to CDCRCalifornia Department of Corrections and Rehabilitation’s use of CLETSCalifornia Law Enforcement Telecommunications System to the Chief of Network Engineering, EISEnterprise Information Services (formerly Information Services Division), P.O. Box 942883, Sacramento, California 94283- 0001.
Local facilities are responsible for the funding and maintenance of their CLETSCalifornia Law Enforcement Telecommunications System equipment.

47030.4 CLETS – Acquisition Process

Revised June 13, 2025

The acquisition processing time for CLETSCalifornia Law Enforcement Telecommunications System varies depending upon the location of the requesting facility: Up to six months should be allowed from the date the request is received for processing at EISEnterprise Information Services (formerly Information Services Division).
It is the local ACC’s responsibility to:
- Initiate an appropriate request for additions or changes (other than relocation) to CLETSCalifornia Law Enforcement Telecommunications System services at an existing location. The request shall include a cover memo to the Chief of Network Engineering, EISEnterprise Information Services (formerly Information Services Division), indicating justification for a CLETSCalifornia Law Enforcement Telecommunications System addition or change and a completed CDCRCalifornia Department of Corrections and Rehabilitation Form 954, Intraoffice Requisition and Procurement Worksheet.
- Upon receipt of the approved requisition, order equipment and acquire maintenance with facility funding.
- Initiate an authorized request for the relocation of CLETSCalifornia Law Enforcement Telecommunications System equipment. The request shall consist of a memorandum with appropriate approval signatures to the Chief of Network Engineering, EISEnterprise Information Services (formerly Information Services Division), justifying the relocation.
It is the responsibility of the Chief of Network Engineering, EISEnterprise Information Services (formerly Information Services Division), to:
- Review the request, obtain certification approval, and return the completed package to the ACC for their equipment purchase.
- Procure approval from DOJDepartment Of Justice and appropriate county sheriff’s offices for CLETSCalifornia Law Enforcement Telecommunications System usage.
- Coordinate CLETSCalifornia Law Enforcement Telecommunications System installation with DOJDepartment Of Justice, county sheriff’s offices, and the ACC.
- Notify ACC of approved mnemonic (i.e., “NME”) and originating agency (i.e., “ORI”) numbers.
- Maintain inventory for departmental CLETSCalifornia Law Enforcement Telecommunications System circuitry.
- Review requests for and coordinate the relocation of CLETSCalifornia Law Enforcement Telecommunications System equipment.
Terminals connected directly to CLETSCalifornia Law Enforcement Telecommunications System shall be approved by DOJDepartment Of Justice. A hard copy printer shall be included with each terminal authorized to receive unsolicited or point-to-point, non-data-base traffic. unsolicited or point-to-point, non-data-base traffic.

47030.5 Integrity of CLETS Information

In order to maintain the integrity of CLETSCalifornia Law Enforcement Telecommunications System and ensure the security of information received and transmitted by use of the system, the following policies shall be adhered to:
- Reasonable measures shall be taken to protect equipment from vandalism or sabotage and preclude access by other than authorized personnel by locating equipment in a secure area.
- Mobile digital terminals shall not be allowed to access DOJDepartment Of Justice’s criminal history system.
- Personnel with access to sensitive or confidential records derived from CLETSCalifornia Law Enforcement Telecommunications System and/or access to offender information within any database are required to complete the CLETSCalifornia Law Enforcement Telecommunications System Employee/Volunteer Statement, accessible through the Learning Management System (LMS).
Personnel authorized to access CLETSCalifornia Law Enforcement Telecommunications System are either sworn law enforcement personnel or nonsworn law enforcement personnel that have been subject to a character or security clearance. The clearance shall include the following:
- DMVDepartment of Motor Vehicles: driver’s license check.
- DOJDepartment Of Justice: fingerprint check.
- CDCRCalifornia Department of Corrections and Rehabilitation: background investigation. An agency head’s authorization for the employee to operate CLETSCalifornia Law Enforcement Telecommunications System equipment shall be placed in the employee’s personnel file.
In all matters pertaining to personnel security, the agency head shall be responsible for making the final determination of the individual’s suitability for the job.
All CLETSCalifornia Law Enforcement Telecommunications System messages are confidential and for official use only. Examples of acceptable messages are:
- Requests for record validation.
- Requests for incarcerated person pickup and transportation.
- Requests for mail-back information from data bases.
- Information regarding the circumstances surrounding the death of an officer killed in the line of duty.
- Listings of stolen property when identifiable by serial numbers or unique markings.
All subpoenas transmitted by CLETSCalifornia Law Enforcement Telecommunications System shall be processed in accordance with Penal Code (PCPenal Code) 1328(b) and 1328(c). A subpoena relative to civil proceedings or any subpoenas which could be delivered in a timely manner by other means are not acceptable for transmission.
DOJDepartment Of Justice publishes manuals for CLETSCalifornia Law Enforcement Telecommunications System operators containing information for proper system utilization. These manuals shall be obtained and maintained for CLETSCalifornia Law Enforcement Telecommunications System operators.

47030.6 CLETS – Training/Coordinators

Revised June 13, 2025

Each facility, parole region, and headquarters’ division shall provide the ACC and the Information Technology Manager II, of Infrastructure Services, with the names and phone numbers of their CLETSCalifornia Law Enforcement Telecommunications System Training Coordinator(s). In addition, facilities with 24-hour shifts shall submit the names and phone numbers of alternate (off-shift) CLETSCalifornia Law Enforcement Telecommunications System coordinators.
It is the equipment vendor’s responsibility to provide training on the operation of their terminals when initially procured/installed.
It is the responsibility of State DOJDepartment Of Justice field service/training office to provide training for information access in the:
- Criminal Justice Information System (CJIS) database.
- National Crime Information Center (NCICNational Crime Information Center).
- National Law Enforcement Telecommunications System (NLETS).
- Department of Motor Vehicles (DMVDepartment of Motor Vehicles).
- Oregon Law Enforcement Data System (LEDS).
The Agency CLETSCalifornia Law Enforcement Telecommunications System Coordinator should call the specified telephone number for the name and telephone number of their DOJDepartment Of Justice field service/training representative.

47030.7 Revisions

Revised January 11, 2013

The Director of EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

References

(1) GCGovernment Code §§ 15150 – 15167.
(2) PCPenal Code §§ 1328(b) and 1328(c).

Revised History

(1) Revised April 16, 1993.
(2) Revised January 11, 2013.
(3) Revised June 13, 2025.

Article 31 – Audio‑Video Surveillance Systems

47040.1 Policy

March 2, 2026

In order to promote safety and enhance security, the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation) may use audio, video, or both forms of recording technology within and in proximity to any of its facilities, perimeter fencing, or vehicles. CDCRCalifornia Department of Corrections and Rehabilitation does not intentionally record inside of cells, or bunk areas in dorms with the Audio-Video Surveillance System (AVSS) fixed camera systems, except in case of emergency or investigation as authorized by the Warden or their designee. However, the interior of cells and bunk areas within the dorms may be captured peripherally by AVSS fixed camera systems while covering other areas.

47040.2 Purpose

March 2, 2026

The primary purpose of the AVSS is to enhance public safety and facility security by providing the ability for real-time monitoring and recording in order to conduct investigations and after-the-fact reviews by utilizing audio or video recording technology or both.

47040.3 Responsibility and Roles for Audio‑Video Surveillance Systems

Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division))
- For implementations of AVSS, Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) is responsible for managing the procurement, architecture, data communication network, implementation, access control, ongoing hardware and software support contracts and licensing. All proposed AVSS shall be evaluated and approved by EISEnterprise Information Services (formerly Information Services Division) to ensure that all hardware, software, and communication platforms comply with CDCRCalifornia Department of Corrections and Rehabilitation standards and guidelines. AVSS shall not be procured or installed without the knowledge and approval of EISEnterprise Information Services (formerly Information Services Division). AVSS or installations by the Office of Internal
  Affairs (OIAOffice of Internal Affairs) for investigative purposes are exempt from this notification requirement, except for those that utilize the CDCRCalifornia Department of Corrections and Rehabilitation network.
- For repair or replacement of video or audio equipment that was implemented prior to the AVSS, EISEnterprise Information Services (formerly Information Services Division) will evaluate each request to ensure purchases align with the new statewide standard for equipment and service where possible and feasible.
Institution Staff
- The Warden shall designate a local AVSS Coordinator responsible for maintaining a Department Operations Manual (DOMDepartment Operations Manual) Supplement and instructing staff on use of the system. Plant Operations staff are responsible for the removal and replacement of camera(s) for repair.

47040.4 Notification of Recording

March 2, 2026

Public notice that recording technology may be in use shall be placed at the gatehouse, front entrance, and vehicle sally ports of all correctional institutions and include the following minimum text: “This area is subject to audio and video surveillance.”

47040.5 Audio‑Video Monitoring Stations

March 2, 2026

The AVSS is capable of being monitored from designated areas within the institution as determined by the Hiring Authority. Staff generally monitor the AVSS on a periodic basis or in response to a specific incident. The AVSS may not be monitored continuously. Staff shall utilize their personal alarm device, whistle, telephone, or radio to summon additional staff if assistance is needed.
Upon notification of potential criminal or improper activity in a particular location, the hiring authority, facility supervisor or manager, Investigative Services Unit (ISUInstitution Services Unit), or other designated staff may review information obtained from the AVSS in conjunction with its review of such activity.
The viewing of live or review of recorded video shall not be used for routine supervision of staff. For example, audio, video, or both forms of recording technology will not be used to monitor staff’s arrival or departure from the job site. However, if during the review of audio, video, or both forms of recording technology, staff misconduct is identified, the video recording can be used as part of the disciplinary process, inquiries, administrative investigations, or criminal investigations. Stored audio, video, or both forms of recording technology shall not normally be used to identify whether or not previous similar behavior occurred. However, when information is received alleging staff misconduct occurred on prior occasions or over an expressed period of time, the AVSS recordings during the expressed timeframe may also be reviewed.

47040.6 Audio‑Video Recording and Storage

March 2, 2026

Any information collected from the AVSS shall be considered CDCRCalifornia Department of Corrections and Rehabilitation property and/or records. Recorded audio, video, or both forms of recording technology is generally used for the safety and security of CDCRCalifornia Department of Corrections and Rehabilitation facilities and review of incidents. AVSS may also be used for corrective action, the disciplinary process, inquiries, administrative investigations, or criminal investigations. Any available audio, video, or both forms of recording technology associated with a specific retention trigger shall be exported and stored on a digital medium according to authorized procedures and policy. The audio, video, or both forms of evidence retained for storage on a digital medium shall be managed by the institution’s ISUInstitution Services Unit or as directed by the hiring authority for a period of not less than 90 days. Data may be preserved for a longer period upon conditions being met pursuant to Section 47040.9. Unauthorized release of any AVSS footage is strictly prohibited.

47040.7 Upgrading or Replacing AVSS Equipment

March 2, 2026

Institutions upgrading or replacing their AVSS equipment shall ensure their Labor Relations Analyst invites the local Chapter President of the California Correctional Peace Officer Association or designee to all design and implementation meetings (not including pre-planning discussions) related to the local AVSS system.

47040.8 AVSS Retention Triggers

The following events shall require staff to preserve the recorded data as potential evidence in an inquiry, investigation, and/or an administrative, civil, or criminal proceeding:
- Any use of force incident.
- Riots.
- Suspected felonious criminal activity.
- Any incident resulting in serious bodily injury, great bodily injury, or death.
- Sexual assault allegations.
- Allegations of inmate misconduct [i.e. serious Rules Violation Reports (RVRs)] by staff.
- Allegations of staff misconduct by an inmate, employee, visitor, or other person.
- Incidents that may potentially be referred to the District Attorney’s Office.
- An employee report to supervisor of on-the-job injury, and;
- Inmate claims with the Department of General Services, Office of Risk and Insurance Management, or Government Claims Program.

47040.9 Preserving Recorded Data

March 2, 2026

When an event occurs that requires staff to preserve recorded data, the following process shall be utilized:
- During business hours, a telephone call or verbal request will be made to the ISUInstitution Services Unit immediately following an AVSS retention trigger.
- The Neptune Intelligence Computer Engineering (NICE) Investigate digital evidence management system, where available, is considered the sole source of evidence. Whether or not NICE Investigate is available, staff shall ensure that all relevant camera angles are captured. In addition, footage of the events leading up to the event or subsequent footage following the event shall be reviewed and preserved to the extent that such footage provides a more thorough picture of the entirety of the incident.
- For institutions that have deployed NICE Investigate, requestors submit the automated CDCRCalifornia Department of Corrections and Rehabilitation Form 1027, Audio/Video Surveillance System Evidence Request (for fixed cameras) or CDCRCalifornia Department of Corrections and Rehabilitation Form 1118, Body-Worn Camera Video Evidence Request (for body-worn cameras) in the NICE Investigate portal.
  - Those who are not authorized to submit automated requests in NICE Investigate should contact their institution’s ISUInstitution Services Unit Lieutenant. The ISUInstitution Services Unit Lieutenant can either grant access to NICE Investigate or ensure requests are submitted on their behalf by the ISUInstitution Services Unit team.
  - ISUInstitution Services Unit shall process the request and make the data available in NICE Investigate to the approved requestor within 24 hours of the occurrence or request.
- For institutions that have not yet deployed NICE Investigate, following the verbal notification to ISUInstitution Services Unit or if the event occurs after business hours, a CDCRCalifornia Department of Corrections and Rehabilitation Form 1027 or 1118, shall be submitted to ISUInstitution Services Unit for timely processing. ISUInstitution Services Unit shall process the request and capture the requested event on a digital medium within 24 hours of the occurrence or request. This stored event shall be made accessible to the approved requestor. ISUInstitution Services Unit shall save and keep on file a hard copy of the CDCRCalifornia Department of Corrections and Rehabilitation Form 1027 or 1118. ISUInstitution Services Unit shall make a second copy of the event to be stored as evidence in ISUInstitution Services Unit.
An audio, video, or both forms of recording that becomes evidence in an OIAOffice of Internal Affairs investigation shall be stored until resolution of any investigation and written release by the OIAOffice of Internal Affairs, Office of Legal Affairs (OLAOffice of Legal Affairs), and Office of the Attorney General (OAGOffice of the Attorney General). An audio, video, or both forms of recording that CDCRCalifornia Department of Corrections and Rehabilitation has reason to believe may become evidence in an administrative, civil, or criminal proceeding shall be stored indefinitely unless other direction is given by the OIAOffice of Internal Affairs, OLAOffice of Legal Affairs, or in the event of a criminal proceeding, the Office of the District Attorney. Audio, video, or both forms of recordings must be destroyed in a secure manner consistent with EISEnterprise Information Services (formerly Information Services Division) policy as soon as they are no longer needed for the purpose for which they were retained.

47040.10 Review Criteria

March 2, 2026

Only individuals having a legitimate need to view the live images or recorded media shall be permitted to do so. When an event occurs that requires the preservation of recorded data, managers, supervisors, and the Grievance Coordinators from the Office of Grievances (OOG) shall be responsible for filling out and submitting the CDCRCalifornia Department of Corrections and Rehabilitation Forms 1027 or 1118, either in NICE Investigate or hard copy form submitted electronically (e.g., via electronic mail) for institutions that have not yet deployed NICE Investigate. In the event the AVSS becomes inoperable, staff will notify the AVSS Coordinator, or the Watch Commander if after hours, and submit a service ticket to local Information Technology staff for resolution.
Criteria for the review or viewing of video shall constitute a legitimate need, which includes:
- Reviewing the circumstances of a crime or suspected crime.
- Reviewing the circumstances of an accident or near accident.
- For routine matters (including use of force incidents pursuant to DOMDepartment Operations Manual Chapter 5, Article 2, Use of Force) that do not involve the criteria in subsections (A) or (B) below, Bargaining Unit (BU) 6 employees shall be granted an opportunity to review audio or video data of an incident they were involved in from their Body-Worn Camera (BWC) or institutional fixed camera(s). The procedures to request to review AVSS data, and the viewing of AVSS data relative to report writing, shall be in accordance with the procedures in the current Memorandum of Understanding (MOUMemorandum Of Understanding) for BU 6, section 9.16, Video Recordings. If staff are denied approval to review institutional fixed camera video by the Incident Commander for any of the reasons noted in subsections (A) or (B) below, they will be provided with either an automated email notification from NICE Investigate, or, for institutions that have not yet deployed NICE Investigate, a CDCRCalifornia Department of Corrections and Rehabilitation Form 1028, Audio/Video Surveillance System Evidence Request Denial signed by the Captain or their designee, denying the request. A copy of the CDCRCalifornia Department of Corrections and Rehabilitation Form 1028 or email denial notification from NICE Investigate will be forwarded by the requestor to the Labor Relations Analyst who will notify the appropriate local BU chapter president. For BWC data reviewing denial process see the California Code of Regulations (CCRCalifornia Code of Regulations), Title 15, section 3270.3.
  - An incident involving allegations of misconduct (defined as situations where the Hiring Authority has determined and initiated the CDCRCalifornia Department of Corrections and Rehabilitation Form 989, Confidential Request for Internal Affairs Investigation/Notification of Direct Adverse Action process) or where administrative action is reviewed: the employee shall be granted an opportunity to review CDCRCalifornia Department of Corrections and Rehabilitation video recording(s) upon approval of the Warden, Chief Deputy Warden, or above. If staff are denied approval to review video data for this reason, no further questions or clarifications may be requested of the employee by the hiring authority.
  - An incident where criminal or deadly force is reviewed: the employee shall only be granted the opportunity to observe CDCRCalifornia Department of Corrections and Rehabilitation video data upon approval of the OIAOffice of Internal Affairs or investigating or prosecuting agency. If staff are denied approval to observe video data during the review process, no further questions or clarifications may be requested of the employee by the hiring authority.
- The OOG may request to review audio and video recordings when conducting an inquiry as it relates to a submitted incarcerated person grievance or third-party complaint.
- The Allegation Investigation Unit (AIU) may request to review and be provided access to audio and video recordings when conducting an inquiry or investigation as it relates to allegations involving misconduct towards incarcerated or supervised persons.
- The author of an RVR may submit the automated CDCRCalifornia Department of Corrections and Rehabilitation Form 1027 or 1118 request in NICE Investigate, or for institutions that have not yet deployed NICE Investigate submit CDCRCalifornia Department of Corrections and Rehabilitation Form 1027 or 1118 to their supervisor to have the video data (with or without audio) captured as related to the circumstances of the RVR. The Senior Hearing Officer during the hearing process will examine video that is submitted with a serious RVR, and ensure the incarcerated person has had an opportunity to examine any audio or video, as appropriate.

47040.11 Public Records Act Requests

March 2, 2026

Upon receipt of a Public Records Act (PRAPublic Records Act) request for AVSS footage, institutions or program areas shall contact the Division of Correctional Policy, Research and Internal Oversight, Office of Public Records (OPR) for guidance. Upon receipt of a PRAPublic Records Act request for AVSS footage or audio recordings pursuant to Penal Code 832.7(b), institutions or program areas shall contact the OPR video redaction staff. AVSS footage includes fixed cameras and BWCs.
Only designated OPR video redaction staff shall redact AVSS footage or audio recordings in response to a PRAPublic Records Act request or a Penal Code section 832.7(b) PRAPublic Records Act request.
AVSS footage can often require significant staff time to redact. If a request for AVSS footage is vague or covers an overly broad timeframe (a “blanket” request), the assigned OPR video redaction staff shall attempt to clarify the request. The purpose of the clarification process is to assist the requestor in locating the AVSS footage by narrowing the request to a specific person(s) involved, date, time, location (e.g., institution, housing unit, yard, etc.), or event. If attempts to clarify a “blanket” request are unsuccessful, the assigned OPR staff shall submit to have the PRAPublic Records Act request denied by sending the request to the OLAOffice of Legal Affairs PRAPublic Records Act mailbox. Any denials based on a blanket request shall be reviewed and approved by CDCRCalifornia Department of Corrections and Rehabilitation’s General Counsel.

47040.12 Notification, Identification, and Review Process

Revised September 28, 2023

Institutions or program areas shall notify employee(s) in writing prior to the release and disclosure of any AVSS footage or audio recording pursuant to a PRAPublic Records Act request which reasonably or easily identifies the employee.
To assist in notifying reasonably or easily identifiable employee(s), the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff shall provide the institution or program area a copy of or instructions to access the AVSS footage. The DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff shall determine which employee(s) require notification and provide the institution or program area any information regarding the employee(s) identified in the AVSS footage. The institution or program area shall review the AVSS footage and identify any employees the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff were unable to identify.
The notification shall be completed utilizing the CDCRCalifornia Department of Corrections and Rehabilitation Form 1110, Notification of Release and Disclosure of Video Footage, Audio Recording, or Both. The
CDCRCalifornia Department of Corrections and Rehabilitation Form 1110 shall be completed prior to the release and disclosure of any AVSS footage or audio recording pursuant to a PRAPublic Records Act request. Institutions shall retain the completed CDCRCalifornia Department of Corrections and Rehabilitation Form 1110 and forward a copy to the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff. The DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff shall retain the CDCRCalifornia Department of Corrections and Rehabilitation Form 1110 copy with the corresponding PRAPublic Records Act request.
If a notified employee requests to review the AVSS footage or audio recording, the institution shall accommodate the employee within seven calendar days, barring any facility emergency. An employee’s inability to review the AVSS footage or audio recording shall not delay the release of the PRAPublic Records Act request beyond the allotted seven calendar days.
The institution shall document and maintain the employee’s review of the PRAPublic Records Act request to include the following:
- The employee’s name.
- PERNR number.
- Date.
- PRAPublic Records Act request number.
- The AVSS footage or audio recording(s) being reviewed.
If the notified employee has sufficient facts to demonstrate that releasing their identity to the public presents a specific threat to their safety, the employee is directed to immediately notify, in writing, the assigned Litigation Coordinator for their area. The employee’s written statement shall contain any specific, articulable, and particularized facts about how disclosure of the records to the PRAPublic Records Act requester would pose a significant danger to their physical safety or to the physical safety of someone else. The Litigation Coordinator shall forward the information to the Hiring Authority and the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff.
- The Hiring Authority shall evaluate the employee’s written statement and make a determination within five business days.
  - If the Hiring Authority determines the employee’s written statement contains a
    non-specific or general in-nature threat, the Hiring Authority shall immediately notify the employee in writing that the threat was evaluated and determined to be invalid. The Hiring Authority shall forward a copy to the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff.
  - If the Hiring Authority determines the employee’s written statement contains a specific, articulable threat, the Hiring Authority shall forward the employee’s written statement to ISUInstitution Services Unit or other appropriate investigatory staff and ensure an investigation is completed. The assigned investigator(s) shall have 14 calendar days to complete the investigation and determine the legitimacy of the threat. The Hiring Authority shall forward the results of the investigation and all supporting documentation to CDCRCalifornia Department of Corrections and Rehabilitation’s General Counsel via the OLAOffice of Legal Affairs PRAPublic Records Act mailbox for final determination and notify the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff of the submission.
  - If the Hiring Authority determines the employee’s written statement concerns a documented threat, the Hiring Authority shall submit all supporting documentation to CDCRCalifornia Department of Corrections and Rehabilitation’s General Counsel via the OLAOffice of Legal Affairs PRAPublic Records Act mailbox for final determination and notify the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff of the submission.
  - CDCRCalifornia Department of Corrections and Rehabilitation’s General Counsel determination shall be provided to the Hiring Authority and the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff. The Hiring Authority shall immediately provide the decision to the employee.
A PRAPublic Records Act request for AVSS footage depicting a person’s death shall require notification to the Next of Kin (NOK) to allow the NOK an opportunity to review the AVSS footage prior to release.
- When the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff receives a PRAPublic Records Act request for AVSS footage depicting a person’s death, the institution shall be notified before the scheduled release. The DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff shall provide the Hiring Authority and PRAPublic Records Act Coordinator access to the redacted AVSS footage.
- The institution shall contact the NOK and schedule a review as soon as possible. The NOK shall have seven calendar days to review the AVSS footage. The review may occur at an institution or alternate CDCRCalifornia Department of Corrections and Rehabilitation location as needed due to distance from the NOK or other factors. The NOK may bring two other people to the review for a maximum of three people. Only redacted footage shall be reviewed by, or released to, the NOK.
- If the NOK decides not to review the AVSS footage but requests a copy, the institution shall work with the NOK and make a copy available. Once the seven calendar days have elapsed, the AVSS footage shall be deemed ready for release.
- If contact with the NOK cannot be made within 72 hours of the initial attempt to contact, the Hiring Authority shall notify their respective Associate Director (AD) or Director, and the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff that all reasonable means for obtaining the NOK contact information have been exhausted. The AD or Director shall contact OCSOffice of Correctional Safety for additional assistance locating the NOK. OCSOffice of Correctional Safety shall forward the results of the attempt to the AD or Director. If the attempt was successful, the AD or Director shall communicate the results to the institution or program area for completion per 47040.12(g). If the attempt is unsuccessful, the AD or Director shall communicate the results to the DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff. The DAIDivision of Adult Institutions (formerly Institutions Division) PRAU or OLAOffice of Legal Affairs video redaction staff shall document the results in the Public Records Portal and release the footage to the PRAPublic Records Act requestor.

47040.13 AVSS License Plate Recognition

March 2, 2026

Policy
- To promote safety and enhance security by enabling thorough, timely, and effective investigations, the CDCRCalifornia Department of Corrections and Rehabilitation utilizes License Plate Reader (LPR) technology that collects and accesses data from internal AVSSs on institutional grounds. LPR is different from subscription-based, Automated LPR (ALPR), which accesses data from external sources. ALPR policies are detailed in DOMDepartment Operations Manual Chapter 5, Article 32.
Purpose
- This policy provides guidance regarding the collection, access, use, sharing, storage, and retention of LPR information.
- CDCRCalifornia Department of Corrections and Rehabilitation manages LPR information to further its mission of ensuring the public safety of California residents by assisting CDCRCalifornia Department of Corrections and Rehabilitation with enforcement of Federal and California laws. LPR information is collected through an LPR system, which consists of fixed cameras that capture images of license plates within their field of view.
- CDCRCalifornia Department of Corrections and Rehabilitation operates a fixed LPR system.

47040.14 Definitions

March 2, 2026

LPR system is a searchable computerized database resulting from the operation of one or more fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer readable data.
LPR recognition information is information or data collected using an LPR system.
LPR end-user is a person that accesses or uses an LPR system.
A public agency is the state, any city, county, or city and county, or any agency or political subdivision of the state or a city, county, or city and county, including, but not limited to, a law enforcement agency. By definition, “public agency” does not include federal law enforcement agencies, out-of-state law enforcement agencies, or private entities.

47040.15 Authorized Uses

March 2, 2026

Authorized uses of LPR information shall be in accordance with DOMDepartment Operations Manual section 53060.4.

47040.16 LPR Division Administrator Roles and Responsibilities

March 2, 2026

CDCRCalifornia Department of Corrections and Rehabilitation has designated “LPR Division Administrators,” who shall be responsible for ensuring compliance with this policy and Civil Code sections 1798.90.5, et seq.
The Division of Adult Institutions (DAIDivision of Adult Institutions (formerly Institutions Division)) and Office of Internal Affairs (OIAOffice of Internal Affairs) shall designate, at a minimum, a primary and secondary LPR Division Administrator responsible for supervising the usage of LPR technology. The primary administrator shall be at the rank of Associate Warden, Special Agent-In-Charge, equivalent or above.
The LPR Division Administrators are responsible for ensuring that LPR technology is utilized in a responsible manner consistent with all applicable policies, laws, and regulations. Division Administrators shall ensure compliance with LPR User Management, Audits, and Administrator Access as identified in DOMDepartment Operations Manual subsections 53060.5(c)(1), (c)(2), and (c)(3).

47040.17 Enterprise Information Services (EIS) Roles and Responsibilities

March 2, 2026

For implementations of LPR technology, EISEnterprise Information Services (formerly Information Services Division) is responsible for managing the procurement, architecture, data communication network, implementation, ongoing hardware and software support contracts, and licensing. LPR technology shall not be procured or installed without the knowledge and approval of EISEnterprise Information Services (formerly Information Services Division).
- EISEnterprise Information Services (formerly Information Services Division) shall designate, at a minimum, a primary and secondary system administrator of LPR technology, who are responsible for overall technical support of the systems and the support of other LPR Division Administrators.

47040.18 CDCR LPR End‑Users Roles and Responsibilities

March 2, 2026

Approved CDCRCalifornia Department of Corrections and Rehabilitation staff will be granted general user access to LPR technology to query information based on their job role. The employees designated to access the LPR system and information are:
- Special Agent series.
- Investigative Services Unit custody staff.
LPR end-user requirements are in accordance with DOMDepartment Operations Manual subsection 53060.7(b).

47040.19 Training

March 2, 2026

CDCRCalifornia Department of Corrections and Rehabilitation employees who are authorized to access LPR information must undergo training in accordance with DOMDepartment Operations Manual section 53060.8.

47040.20 LPR Data Retention and Accuracy

March 2, 2026

LPR data collected by CDCRCalifornia Department of Corrections and Rehabilitation cameras is stored in CDCRCalifornia Department of Corrections and Rehabilitation’s secure video management system.
- LPR digital snapshot images uploaded to CDCRCalifornia Department of Corrections and Rehabilitation’s system are maintained for a period of 90 days. After 90 days, the information will be overwritten. Text information converted from digital snapshot images shall be retained for a period of five years.
- Hot lists (i.e., stored lists of vehicles of interest) uploaded to CDCRCalifornia Department of Corrections and Rehabilitation’s LPR system shall be maintained until the conclusion of the investigation and then manually deleted.
- LPR footage related to an investigation, litigation, or criminal charges shall be retained in accordance with DOMDepartment Operations Manual subsection 47040.9(b).
LPR information can only be accessed and downloaded by authorized users with CDCRCalifornia Department of Corrections and Rehabilitation AVSS workstations.
- Any LPR information downloaded or accessed must be maintained in a secure location.
- LPR information may be exported for use in an ongoing investigation or as evidence.
- Any LPR information downloaded or otherwise shared or printed must be destroyed in accordance with current data retention policies found in DOMDepartment Operations Manual Chapter 1, Article 23.
Records shall be kept of any access given to LPR information; this record must include, at a minimum, the following:
- The date and time the information is accessed.
- The license plate number or other data elements used to query the LPR system.
- The username of the person who accesses the information.
- The purpose for accessing the information.
Verification of LPR data accuracy shall be in accordance with this policy.
- End-users shall attempt to verify LPR matches by visual confirmation using the photo associated with the match event. If the visual confirmation discovers the LPR match was invalid, the end-user shall report the error to the LPR Division Administrator.
- If feasible, the user should verify an LPR response through the California Law Enforcement Telecommunications System (CLETSCalifornia Law Enforcement Telecommunications System) before taking enforcement action that is based solely on an LPR alert.

47040.21 LPR Data Sharing and Access

March 2, 2026

CDCRCalifornia Department of Corrections and Rehabilitation does not allow other public agencies or private entities to access CDCRCalifornia Department of Corrections and Rehabilitation’s LPR systems.
CDCRCalifornia Department of Corrections and Rehabilitation shall not sell, share, or transfer LPR information, except to another public agency (as defined in DOMDepartment Operations Manual section 47040.14), and only as permitted by law.

47040.22 Revisions

March 2, 2026

The Director of Division of Adult Institutions, or designee, shall be responsible for ensuring the contents of this Article are kept current and accurate.

References

March 2, 2026

CCRCalifornia Code of Regulations, § (15) 3084.7, 3270.2, 3270.3, 3288, 3314, and 3315.
GCGovernment Code, § 7284 et seq. (California Values Act), and § 7922.000.
PCPenal Code Sections 832.7(b) and 13778.2.
MOUMemorandum Of Understanding for BU 6.
CACorrectional Administrators Civil Code, Title 1.81.23., Collective of License Plate Information [1798.90.5 – 1798.90-55].

Revision History

March 2, 2026

New November 4, 2020.
Revised June 2, 2021.
Established Section 47040.12 and revised Sections 47040.11 and 47040.13: September 28, 2023.
Revised Section 47040.10: October 3, 2025.
Revised: March 2, 2026.

Article 32 – Public Safety Radio Communications Systems

47050.1 Policy

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation) requires that in the institutional setting two-way radios shall be used to communicate information necessary for the effective custody and control of wards, inmates, and parolees. Radios shall be issued to personnel operating where fixed communication devices (telephones and intercoms) are not available, practical, or will not meet critical institutional communications needs. In the field setting two-way radios shall be issued to departmental peace officers and will be used as necessary to communicate with departmental personnel and other law enforcement agencies as needed to meet parole supervision and other field operational needs. Where appropriate and necessary, field units may utilize/communicate via Federal Communication Commissions (FCCFederal Communications Commission) approved local law enforcement telecommunications systems and utilize FCCFederal Communications Commission approved local law enforcement radios.

47050.2 Purpose

This Article is the official departmental policy on public safety radio communications, not withstanding any program’s procedures. This Article ensures that the design, procurement, deployment, maintenance, and use of State-issued radio communications equipment within the CDCRCalifornia Department of Corrections and Rehabilitation institutions and field units are appropriate to meet departmental radio communications needs.

47050.3 Usage

Acceptable Use
- Departmental radio communications shall:
  - Be conducted using CDCRCalifornia Department of Corrections and Rehabilitation-owned, leased, and managed radios and peripheral radio equipment. Exceptions may be made during emergencies, when conducting tactical operations, or when a law enforcement agency agrees to provide radio equipment that conforms to FCCFederal Communications Commission Rules and Regulations.
  - Operate on radio frequencies licensed for departmental use. The use of radios and frequencies provided by another public safety entity for events including but not limited to tactical exercises, mutual aid, or dispatch services shall be pre-approved by the Radio Communications Unit (RCU). The locally approved temporary use of another public safety agency’s FCCFederal Communications Commission approved radio frequencies is authorized when necessary during an emergency or to protect public safety.
  - Be used in conformance with the FCCFederal Communications Commission Rules and Regulations.
  - Be used for the express purpose of communicating Department information to authorized personnel.
Unacceptable Use
- The use of non-approved two-way radio equipment is prohibited and shall be considered contraband.
- The use of, or possession on institutional grounds of non-approved two-way radio equipment by an employee of the Department shall be subject to progressive discipline up to and including possible adverse action consistent with Department Operations Manual (DOMDepartment Operations Manual) Chapter 3, Article 22, Employee Discipline.
- The use of non-standard equipment, such as Family Radio Service (FRS) and radio scanners, is prohibited. Possession of such devices on institutional grounds is strictly forbidden.
- Inmates, wards, and parolees shall not be allowed to use CDCRCalifornia Department of Corrections and Rehabilitation radio equipment described in this Article or have access to the radio communications equipment for personal monitoring, except as authorized below:
  - Inmates assigned to fire camps may be authorized to use a departmental radio as long as it is restricted to accessing mutual aid or fire channels; no access shall be permitted to the trunked radio communications system at any institution, with the exception of the Fire Talk Group. Inmates who are assigned to the institutional fire departments have access to the Fire Talk Group on the trunked radio system, which resides on the Control Station (staff/inmate dispatch console at the fire department) and in the fire vehicles. Inmates shall not have access to the fire department’s hand held portable radios which are programmed with other institutional operational talk groups.
  - In the event an employee is incapacitated, an inmate or a parolee may use the radio to call for emergency assistance.

47050.4 Responsibilities

47050.4.1 Radio Communications Unit (RCU)

The Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)), Infrastructure Services (ISInformation Systems), RCU is responsible for all departmentally-owned radio communications systems utilized within CDCRCalifornia Department of Corrections and Rehabilitation. This includes the responsibility and authority for oversight of the policy and procedures related to the use of radio communications within the Department.
Funding for institution and division radio program needs shall be directed through the RCU. This does not preclude a division from purchasing RCU-approved radio equipment to meet its operational needs when the funding is not available through the RCU.
The RCU is responsible for review and approval of all public safety radio equipment purchases, including systems, subsystems, and end-user equipment.
The RCU shall maintain site-specific radio matrices that reflect the application of the radio assignment policy.
Departmental program areas shall contact the RCU to arrange for the use of another agency’s radio frequency. Other agencies that wish to use a CDCRCalifornia Department of Corrections and Rehabilitation-owned frequency shall make such request to the RCU.
The RCU is responsible for chairing a multi-discipline “Operable/Interoperable Communications Committee” (Committee) composed of departmental radio communications stakeholders. The purpose of this Committee is to address all issues related to emergency and non-emergency communications and the operable/interoperable needs of CDCRCalifornia Department of Corrections and Rehabilitation. RCU will schedule an annual meeting of the Committee and other meetings, as needed.
The RCU will process service requests and/or incident tickets submitted by radio liaisons on the Department’s web-based automated ITInformation Technology ticket system. The RCU will contact and coordinate with Office of the State Chief Information Officer, Public Safety Communications Division, as necessary. In some instances, non-functioning equipment cannot be repaired in the field and must be removed from service for repair. The RCU shall determine whether available spare equipment is appropriate for use to replace the non-operative equipment in order to keep the system including but not limited to portable or mobile radios in service or whether new equipment is required.

47050.4.2 Radio Liaison

Each CDCRCalifornia Department of Corrections and Rehabilitation division will establish a radio liaison. The division radio liaison will facilitate communication between the division and the RCU. Each Adult Institution, Juvenile Justice Facility, Conservation Camp, Parole Region (adult and juvenile), the Office of Correctional Safety, Statewide Transportation Unit, and the Office of Internal Affairs shall designate a radio liaison.
- The division radio liaison is a single point of contact between each division and the RCU to ensure that the regional communications issues or needs are forwarded to the Committee.
- The radio liaison shall notify RCU to have all radio communications equipment including but not limited to mobile radio, antenna, and speakers removed from vehicles designated to be surveyed.
- The program area/institution/facility radio liaison may communicate directly with the RCU to address locally specific needs such as radio equipment failures.

47050.4.3 Office of the Chief Information Officer – Public Safety Communications Division (OCIO‑PSCD)

The OCIO-PSCD:
- Is responsible for maintaining the CDCRCalifornia Department of Corrections and Rehabilitation’s public safety radio communications systems and subsystem equipment.
- Is responsible for ensuring proper radio system design and assists with frequency acquisition and utilization.
- Employs local radio technicians who are responsible for removing and replacing defective equipment as arranged by the RCU. Defective portable radios or accessories shall be delivered to the RCU or directly to the OCIO-PSCD as directed by the RCU.

47050.5 Radio Communications Systems – Standard Design

The RCU shall identify and establish technical standards for radio communications equipment consistent with the Public Safety Communications Act of 2002, Government Code Section 8592, et seq. Equipment standards shall be published in the CDCRCalifornia Department of Corrections and Rehabilitation Enterprise Architecture Decision Framework. Requests to purchase or utilize technology not identified as General ITInformation Technology Standards must be accompanied by an exemption request detailing the specific reason identified technologies are not fit for use. The RCU may issue a waiver from the published standard if no available standard technology is suitable to the particular need.

47050.6 Regional Radio Communications System Access

Regional radio communications system access refers to contracts for radio system access where there are fees to the CDCRCalifornia Department of Corrections and Rehabilitation by the host public safety agency for primary use on their radio communications system. With exception of contracts that were already in place prior to the implementation of this Article, regional radio communications system access contracts shall be reviewed and approved by the RCU prior to contract execution. Refer to the Radio Communications Policy and Procedures Handbook.
The CDCRCalifornia Department of Corrections and Rehabilitation shall operate its radio communications equipment utilizing FCCFederal Communications Commission assigned frequencies in accordance with FCCFederal Communications Commission Rules and Regulations. Departmental transmissions are prohibited on any FCCFederal Communications Commission-managed frequency unless CDCRCalifornia Department of Corrections and Rehabilitation has written authorization via a formal radio frequency use agreement (TD-400) that must be kept on file with the RCU and the OCIO-PSCD, or has authorization to operate on a local public safety agency’s regional radio communications system. The CDCRCalifornia Department of Corrections and Rehabilitation relies on the resources of other emergency services providers; therefore, cooperation and coordination with other agencies, organizations, and private enterprises shall be extended when practical in order to serve and protect the public. Divisions within the Department, including fire departments, may request utilization of other public safety radio systems. With the exception of existing utilization agreements that predate the implementation of this Article, such requests shall be submitted to the RCU for negotiation with the public safety agency’s radio system operator. Approved requests must be accompanied by a “Letter of Authorization to Transmit” from the licensee on its letterhead, along with a copy of its FCCFederal Communications Commission Station and Mobile license.

47050.7 Mutual Aid Frequency Use Agreement:

A mutual aid frequency use agreement is required for each instance of shared frequency use. The agreement must include the type of frequency that the public safety agency is authorizing CDCRCalifornia Department of Corrections and Rehabilitation to use, and must be without cost to the Department. These types of agreements are not considered Memorandum of Understanding (MOUMemorandum Of Understanding) and are not subject to CDCRCalifornia Department of Corrections and Rehabilitation’s MOUMemorandum Of Understanding procedures. Refer to the Radio Communications Policy and Procedures Handbook.
CDCRCalifornia Department of Corrections and Rehabilitation-owned radio equipment shall be maintained and repaired by OCIO-PSCD staff or locally approved radio technicians; frequency use agreements may not contain provisions that allow non-OCIO-PSCD approved maintenance or repair CDCRCalifornia Department of Corrections and Rehabilitation-owned telecommunications equipment. Agreements containing maintenance and/or repair provisions will not be approved.

47050.8 Radio Assignments and Use

For institutional and juvenile justice facility radio assignments, refer to Restricted DOMDepartment Operations Manual, Chapter 5, Section 55000.

47050.8.1 Conservation Camps

Camp staff shall be capable of communicating critical information to departmental institutions, facilities, local and/or other public safety agencies, and to agencies that contract for inmate services. Each CDCRCalifornia Department of Corrections and Rehabilitation camp vehicle shall be equipped, at a minimum, with one mobile radio.

47050.8.2 Outside Transportation Unit Vehicles and Institution/Facility Transportation Vehicles

Refer to Restricted DOMDepartment Operations Manual, Chapter 5, Section 55060.

47050.8.3 Office of Correctional Safety

Agents assigned to the Office of Correctional Safety shall be capable of routine and emergency communications with all departmental institutions/facilities and field offices as well as local and/or other public safety agencies. Vehicles assigned to these agents shall be equipped with mobile radios designated for undercover use. Additionally, each field agent shall be assigned a two-way, portable radio.

47050.8.4 Office of Internal Affairs

Agents assigned to the Office of Internal Affairs shall be capable of routine and emergency communications with all departmental institutions/facilities and field offices as well as local and/or other public safety agencies. Vehicles assigned to these agents shall be equipped with mobile radios designated for undercover use. Additionally, each field agent shall be assigned a two-way, portable radio.

47050.8.5 Division of Adult/Juvenile Parole Operations

Division of Adult/Juvenile Parole Operations staff, including case-carrying agents, transportation staff, and appropriate community correctional facility staff, must be capable of routine and emergency communications with field offices and local and state public safety agencies. Each Field agent shall be assigned a two-way portable radio, and/or a vehicle mounted radio as dictated by local needs.

47050.9 Telecommunications Equipment Management – General

All CDCRCalifornia Department of Corrections and Rehabilitation facilities and vehicles equipped with radio communications equipment shall inventory such equipment annually pursuant to DOMDepartment Operations Manual Section 22030.12.6.

47050.10 Radio Communications Equipment in Surveyed or Disabled Vehicles

The RCU will coordinate with the OCIO-PSCD to determine whether the equipment shall be repaired, replaced, or surveyed from service.

47050.11 Sensitive Property and Physical Inventory

Consistent with DOMDepartment Operations Manual Chapter 2, Subsection 22030.12.1, all portable and mobile radio equipment shall be considered sensitive property as well as safety equipment. While on duty, radios shall be easily accessible by the assigned staff and shall be turned on. When a radio is issued to a staff member for on-going use, the staff member shall be responsible for maintaining the radio with a charged battery and shall be responsible for immediately notifying their supervisor if the radio or related equipment has been lost, stolen, or damaged. The employee’s supervisor shall be responsible to notify the radio liaison of the lost or damaged equipment. Portable radios shall not be left in clearly visible areas of unattended vehicles, or accessible to inmates, wards, or parolees. If the equipment is lost, stolen, or damaged due to negligence or culpability, the employee may be subject to actions in accordance with DOMDepartment Operations Manual, Section 85050.5.
Each institution and juvenile justice facility housing public safety radio communications equipment shall ensure the communications vault is alarm controlled and monitored.
Each division operating approved CDCRCalifornia Department of Corrections and Rehabilitation radio equipment shall develop an inventory plan that shall include an annual physical inventory conducted on all portable, mobile, and fixed radio equipment and reconciled with the RCU.

47050.12 Revisions

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or his/her designee is responsible for ensuring the contents of this Article are kept current and accurate.

47050.13 References

DOMDepartment Operations Manual Chapter 2, §§ 22030.12.1 and 22030.12.6; Chapter 3, Article 22; Chapter 5, §§ 55000 and 55060 Gov Code §§ 8592 15250-15254, 15275-15277, 53108.5, 53114-53114.2, 53115 SAMState Administrative Manual § 4500 47 CFR 90, Part 90 47 CFR 2, Subpart B

Article 33 – Unassigned

Revised December 15, 2025

Article 34 – Unassigned

Article 35 – Computer Room Construction

Revised June 13, 2025

47080.1 Policy

Approval is required prior to the expansion, modification, or new construction of any computer room space or site. This policy defines roles and responsibilities for the processing of requests for the expansion, modification, or new construction of any computer room space or site.

47080.2 Purpose

The purpose of this Article is to support the Global Warming Solutions Act (AB32), which was passed in 2006 and requires that by 2020 California’s greenhouse gas emissions be reduced to 1990 levels, a roughly 25 percent reduction under business-as-usual estimates. It also supports Government Code 11545(b)(3), which calls for “minimizing overlap, redundancy, and cost in state operations by promoting the efficient and effective use of information technology.” In addition, this Article supports California Department of Technology (CDT) Technology Letter (TL) 12-5 which states that agencies are no longer required to submit an Information Technology (ITInformation Technology) Facilities/Space Construction review form to the CTA for approval before undertaking any computer room construction, expansion, or modification.

47080.3 Definitions

For purposes of this policy, the following definitions are used.
- Computer room: any space that houses computer operations. Such computer operations could utilize mainframes, servers, or any computer resource functioning as a server.
- CRUISE: “Customer Requests: Upgraded Information Sharing Environment,” the online system used by agencies to request services from the Department of General Services (DGSDepartment of General Services) Real Estate Services Division.
- Emergency: a sudden, unexpected occurrence that poses a clear and imminent danger, requiring immediate action to prevent or mitigate the loss or impairment of life, health, property, or essential public services.
- Enhancement: a change that increases the capacity of a computer room physical plant, including electrical, cooling, and heat recovery capacities.
- Expansion: an enlargement of a computer room which increases the floor space for additional servers and/or server racks. An expansion may or may not require an enhancement of the site’s electrical, cooling, or heat recovery capacities.
- Information Technology (ITInformation Technology) activities: ITInformation Technology facility preparation, operation, and maintenance.
- Modification: a change to a computer room structure and configuration that does not increase the floor space. A modification may or may not include an enhancement of the site’s electrical, cooling, or heat recovery capacities.
- Site evaluation: evaluation of request for computer room construction at a particular site.
- Third-party energy assessment: an energy assessment performed by an entity outside of the Department, such as a utility company or private vendor.

47080.4 Responsibilities

All requests for computer room construction, expansion, or modification require that a site evaluation be conducted by Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) and approved by the Infrastructure Main Distribution Frame and Intermediate Distribution Frame and Fiber Plant Governance Board.

47080.5 Facilities Management Division

As the request initiator, Facilities Management Division:
- Prepares an ITInformation Technology Facilities/Space Construction Review form to request construction, expansion, or modification of any computer room space or site.
- Requests that a site evaluation be conducted by EISEnterprise Information Services (formerly Information Services Division) prior to the initiation of a CRUISE request to DGSDepartment of General Services.
- Prepares CRUISE requests and submits them to DGSDepartment of General Services.

47080.6 Enterprise Information Services

EISEnterprise Information Services (formerly Information Services Division) is responsible for the following:
- Completes the site evaluation.
- Obtains the authorized approving signature from the Agency Secretary or official designee.
- Describes and justifies proposed computer room construction, expansion, or modification in CDCRCalifornia Department of Corrections and Rehabilitation’s Agency Consolidation Plan.
- Communicates requests for third-party energy assessments with the program area if required.

47080.7 Exemptions

Computer room repairs that are required as a result of an emergency do not require prior EISEnterprise Information Services (formerly Information Services Division) approval. Emergency repairs may be completed with concurrent notification to EISEnterprise Information Services (formerly Information Services Division). Emergency expenditures which exceed $25,000 require prior approval from the Department of Finance. Construction or modification of computer rooms at CDCRCalifornia Department of Corrections and Rehabilitation institutions is exempt from this policy. This exemption includes, but is not limited to, modifications and/or construction of computer rooms, telecom rooms, and all related ITInformation Technology support equipment at all adult and juvenile institutions.

47080.8 Revisions

The Director of EISEnterprise Information Services (formerly Information Services Division), or designee is responsible for ensuring that the contents of this Article are kept current and accurate.
June 7, 2012.
September 1, 2023.

References

(a) SAMState Administrative Manual 4819.2, 6560.
(b) GCGovernment Code 11545(b)(3).
(c) ITInformation Technology Policy Letter 09-04.
(d) PCCPublic Contract Code 1102.
(e) SIMM Section 18.
(f) CTA TL 12-5.

Revision History

(1) Revised June 7, 2012.
(2) Revised September 1, 2023.
(3) Revised June 13, 2025.

Article 36 – Unassigned

Revised December 15, 2025

Article 37 – Classification Tracking System

Revised April 16, 1993

Unassigned

Article 38 – Electronic Mail

47110.1 Policy

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation) maintains an e-mail system to facilitate business communications and assist employees in performing their daily work activities. This policy outlines the approved use of CDCRCalifornia Department of Corrections and Rehabilitation e-mail and does not supersede State or federal laws or any other agency policies regarding confidentiality, information dissemination, or standards of conduct.
- The State reserves the right to monitor and/or keep a record of all e-mail communications without prior notice.
- Employees should have no expectation of privacy in the use of CDCRCalifornia Department of Corrections and Rehabilitation e-mail systems or in anything they store, send or receive on the CDCRCalifornia Department of Corrections and Rehabilitation’s e-mail system.
- The contents of e-mails properly obtained for discovery or management purposes may be disclosed without the permission of the user who created the message.
- E-mail shall be treated as business records that shall be retained and can be used as evidence in litigation, audits, and investigations.
- E-mail may be subject to various types of access requests, including, but not limited to, requests for records under California Government Code (GCGovernment Code) section 6250 et seq.
High Risk Confidential Information (HRCI) shall not be transmitted using e-mail without CDCRCalifornia Department of Corrections and Rehabilitation approved encryption being applied. Any exclusions or modification to this requirement must be approved in writing by the Information Owner and/or the Information Security Office (ISOInformation Security Officer).

47110.2 Purpose

It is the goal of the CDCRCalifornia Department of Corrections and Rehabilitation to ensure e-mail communications are being created, maintained and retained consistent with CDCRCalifornia Department of Corrections and Rehabilitation policy and state and federal laws. The purpose of this policy is to detail the standards relating to the use of e-mail on the CDCRCalifornia Department of Corrections and Rehabilitation network and is intended to:
- Protect CDCRCalifornia Department of Corrections and Rehabilitation information.
- Describe privacy considerations when using the CDCRCalifornia Department of Corrections and Rehabilitation e-mail system.
- Outline the acceptable usage rules when using the CDCRCalifornia Department of Corrections and Rehabilitation e-mail system.
- Maintain availability of the CDCRCalifornia Department of Corrections and Rehabilitation e-mail system to sustain critical business operations.
Proper e-mail usage and security is a team effort involving the participation and support of every CDCRCalifornia Department of Corrections and Rehabilitation employee. It is the responsibility of every computer user to know these guidelines, and to conduct his/her activities accordingly.
This document is not all-inclusive, and the ISOInformation Security Officer has the authority and discretion to appropriately address any unacceptable behavior and/or practice not specifically mentioned herein.

47110.3 Scope

This policy covers appropriate use and retention of the CDCRCalifornia Department of Corrections and Rehabilitation provided e-mail and applies to all employees, vendors, volunteers, and agents operating on behalf of the CDCRCalifornia Department of Corrections and Rehabilitation.

47110.4 Access to E‑mail

CDCRCalifornia Department of Corrections and Rehabilitation staff may be provided an IDInstitutions Division (see DAI) for access to e-mail on the CDCRCalifornia Department of Corrections and Rehabilitation Network. All access to e-mail shall be protected by password, and all policies pertaining to the use and protection of passwords shall apply. No generic or group access to an IDInstitutions Division (see DAI) shall be used. A “group mailbox” is acceptable as long as each individual in the group has his/her own IDInstitutions Division (see DAI) and password. If you require someone in addition to yourself to access or monitor your e-mail, establish a rule to forward/copy your mail to another’s CDCRCalifornia Department of Corrections and Rehabilitation mailbox or add them as a delegate. Sharing a password for any reason is prohibited.

47110.5 Acceptable Use

The e-mail system is provided for official CDCRCalifornia Department of Corrections and Rehabilitation business. Using e-mail in an inappropriate manner may result in the loss of e-mail privileges and/or disciplinary action. Examples of appropriate use of the CDCRCalifornia Department of Corrections and Rehabilitation e-mail system include, but are not limited to, the following:
- Scheduling, coordinating, and documenting business meetings and/or assignments.
- Notifying CDCRCalifornia Department of Corrections and Rehabilitation personnel of changes in work policies and/or work procedures after the appropriate approval process has been completed (shall be followed up in writing).
- Transmitting and/or sharing non-HRCI work related material, including documents, files, reference material, and links to Internet sites.
- Sending and receiving business related Internet mail.
- Notifying employees of CDCRCalifornia Department of Corrections and Rehabilitation sanctioned employee events including, but not limited to, the Medal of Honor ceremony, United California State Employees Campaigns, and similar approved activities.
- Scheduling appointments including personal appointments and lunch breaks on an electronic calendar.
- Creating or sending notes or messages of a predominantly personal nature, or for personal use, shall be kept to a minimum.

47110.6 Unacceptable Use

Examples include, but are not limited to, the following:
- Using the system to discuss, distribute, or share HRCI without CDCRCalifornia Department of Corrections and Rehabilitation approved encryption controls.
- Reviewing, receiving, and/or intercepting the electronic communications of another employee without express, advance authorization by the employee or their management.
- Logging on with a user IDInstitutions Division (see DAI) and password other than your own.
- Copying or routing notes, messages, documents, or memoranda to individuals who are not involved in the relevant work project or who otherwise have no business related interest in the subject matter of the note, message, document, or memorandum.
- Except as otherwise provided in this policy, reading e-mail of another employee without his/her knowledge and consent.
- Sending sports pool or other forms of gambling messages.
- Using e-mail for any unlawful or illegal endeavor.
- Soliciting or advertising for non-CDCRCalifornia Department of Corrections and Rehabilitation activities, including fundraising or items of a political nature.
- Allowing access to inmates, wards or parolees, or sending messages on behalf of inmates, wards or parolees.
- Transmitting profanity, obscenity, threatening language, gossip, or derogatory remarks.
- Distributing jokes, poems, chain-letters, or other non-business related material.
- Chain letters and e-mail containing religious, humorous, and political messages are forbidden. E-mail that contains promises, hoaxes, or threats shall not be distributed. Receipt of such e-mail should be reported to management. Forwarding of non-CDCRCalifornia Department of Corrections and Rehabilitation e-mail is forbidden. It is recognized that recipients cannot control in-coming mail.
- E-mail shall be free of offensive or unlawful material, including slanderous, discriminatory, sexual, pornographic, profane, or revolutionary content. This prohibition applies to e-mail attachments and to the content of Internet sites referenced or linked from e-mail. Displaying, printing, disseminating, or possession of such material may be reason for disciplinary action. The exception to this policy is any material regarding subject matter that may otherwise be considered objectionable that is required for specific work-related purposes may be sent or attached to an e-mail when the material is being sent to a limited number of specified individuals, and not to be sent to group e-mail lists or broadcast statewide.
- Use of the CDCRCalifornia Department of Corrections and Rehabilitation e-mail system to distribute copyright-protected material such as photographs, graphics, music, documents, etc., without the expressed consent of the copyright holder constitutes a copyright violation, and may result in disciplinary action.
Restrictions on the use of e-mail wallpaper and stationary will be left to the discretion of each Hiring Authority.

47110.7 Privacy and Confidentiality

All CDCRCalifornia Department of Corrections and Rehabilitation e-mail is considered property of CDCRCalifornia Department of Corrections and Rehabilitation and may be subject to inspection, investigation, Public Records Act (PRAPublic Records Act) requests, and/or litigation. Employees, contractors and consultants have no right of privacy with respect to information or messages sent using state-owned equipment and/or resources. E-mail is not private and is subject to monitoring with or without notice.

47110.8 Confidential and Sensitive Information

Certain types of information maintained by the CDCRCalifornia Department of Corrections and Rehabilitation are confidential and protected by State and federal law. The use of e-mail to send confidential information should be limited to an as needed basis. Never type the information in the body of the e-mail, and never send a password or decryption key in the same e-mail. Unless the file is encrypted or password-protected, it can be read by others and, therefore, is not considered private communication.
Following is a list of the types of information defined as HRCI that shall not be included in e-mail or attached to an e-mail, unless the e-mail and/or attachments are encrypted:
- Personally identifiable information such as a person’s name in conjunction with the person’s social security number, credit or debit card information, individual financial account, driver’s license number, state IDInstitutions Division (see DAI) number, or passport number, or a name in conjunction with biometric information;
- Personal health information such as any information about health status, provisions of health care, or payment for health care information as protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
- Correctional Offender Record Information as defined in California Penal Code sections 13100-13104;
- Information that if disclosed would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency as specified in GCGovernment Code section 6254.19. Examples include but are not limited to firewall and router configuration information, server names and IP addresses, and other system configuration details;
- Any documentation of information which contains information or data within any Gang Database as defined in the CDCRCalifornia Department of Corrections and Rehabilitation Department Operations Manual (DOMDepartment Operations Manual) sections 52070.22-52070.24;
- Records of investigations, intelligence information, or security procedures as specified in GCGovernment Code section 6254(f); this includes but is not limited to information identifying confidential informants and security procedures contained in DOMDepartment Operations Manual section 55000.
- Personnel, medical, or similar files, the disclosure of which would constitute an unwarranted invasion of personal privacy protected under GCGovernment Code section 6254(c) or the Peace Officers Bill of Rights under GCGovernment Code section 3300 et seq.
Encrypted e-mail must be used when HRCI information is sent to non-CDCRCalifornia Department of Corrections and Rehabilitation e-mail addresses by placing the keywords of “CDCRCalifornia Department of Corrections and Rehabilitation Encrypted Message” into the subject line of the e-mail without the quotes. This method should be used only when transmitting HRCI, confidential, or sensitive data.
Prior to sending any e-mail, verify the accuracy of the recipient’s e-mail address to prevent unintentionally sending it to an unauthorized individual. Once an e-mail is sent outside the Department, it cannot be recalled and/or undone.

47110.9 Personal Information

Employees shall not seek out or use personal information maintained by the CDCRCalifornia Department of Corrections and Rehabilitation for their own private interest or advantage. Personal information shall not be transmitted in e-mail or as attachments to e-mail without appropriate encryption controls.

47110.10 Unsolicited E‑Mail

Unsolicited e-mail may carry viruses. If the sender’s identity and intent cannot be verified, such e-mail should be deleted unopened. Unsolicited e-mail from unknown senders should always be deleted unopened. Do not open attachments or Internet links accompanying such unsolicited e- mail.

47110.11 Use of Global Distribution Lists

Use of the global distribution list should be limited to departmental, State, or national emergencies, and information from executive levels or program areas that affect all employees. Distribution of information not required by all employees shall be limited to the affected work groups or physical locations.

47110.12 E‑Mail Administration

Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division)) shall perform all administration functions including, but not limited to, establishment of server mailboxes, system-wide filters, and virus scanning functions. EISEnterprise Information Services (formerly Information Services Division) shall determine the disk space required to ensure correct functionality of the e-mail system.

47110.13 E‑Mail Virus Protection

EISEnterprise Information Services (formerly Information Services Division) shall manage the virus protection program for all workstations, servers, and network devices. All workstations connected to the CDCRCalifornia Department of Corrections and Rehabilitation Network or that are Internet accessible shall have the most current Virus Protection software, determined by the EISEnterprise Information Services (formerly Information Services Division). CDCRCalifornia Department of Corrections and Rehabilitation Network workstations shall be configured to automatically update the virus protection software. Staff shall not disable or turn off this feature. Distribution of virus-laden e-mail may result in performance degradation of the CDCRCalifornia Department of Corrections and Rehabilitation network and the removal from the network of the workstation(s) from which the infected e-mail is sent.

47110.14 Local E‑Mail Usage Guidelines

Local operating procedures and guidelines may apply to e-mail content and handling. Local guidelines and procedures are in addition to this e-mail policy and may not be in conflict with or contradictory to this policy.

47110.15 Electronic Document Management

The CDCRCalifornia Department of Corrections and Rehabilitation is committed to ensuring that all departmental electronic documents, including e-mail messages used by staff in the course of their employment, are retained efficiently and in compliance with the Records Management Act, GCGovernment Code section 14740, et seq.

47110.16 E‑Mail Retention

E-mail messages are official records and are subject to State, federal and CDCRCalifornia Department of Corrections and Rehabilitation rules and policies for retention and deletion. The E-mail Retention Policy defines how long information sent or received by e-mail should be retained. These policy guidelines cover only information that is either stored or shared via e-mail, including e-mail attachments. This policy establishes retention parameters to effectively capture, manage, and retain e-mail messages. All e-mail (e.g., administrative correspondence, fiscal correspondence, general correspondence) is subject to this policy. This policy applies to all individuals using the CDCRCalifornia Department of Corrections and Rehabilitation e-mail system. All sent and received e-mail from the department’s e-mail system shall be retained for a period of three years.
When litigation is pending or future litigation is reasonably probable, the law imposes a duty upon CDCRCalifornia Department of Corrections and Rehabilitation to preserve all documents and records that pertain to certain issues. A litigation hold directive overrides any retention policy until the litigation hold has been cleared. E-mail for employees that have been placed on litigation hold must be retained by CDCRCalifornia Department of Corrections and Rehabilitation until the litigation hold is released or 3 years have passed, whichever occurs later.

47110.17 Enforcement

Failure to comply with this policy and associated policies, standards, guidelines, and procedures may result in disciplinary action up to and including dismissal from State service for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal action also may be taken for violations of applicable regulations and laws.

47110.18 Deviation from Policy

CDCRCalifornia Department of Corrections and Rehabilitation staff, contractors, volunteers, and agents operating on behalf of CDCRCalifornia Department of Corrections and Rehabilitation must comply with all applicable policies rules, standards, procedures and guidelines. Variations and exceptions to this policy will be based on instances where the cost to remediate non-compliant systems exceeds the cost and the risk of remaining non-compliant. Deviations to policy requests are reviewed and analyzed by the ISOInformation Security Officer, and if the request creates significant risks without compensating controls, it will not be approved.
All approved deviations to policy requests shall have an expiration date and must be reviewed prior to that date to ensure that assumptions or business conditions have not changed, and be reapproved if the deviation policy is still valid.

47110.19 Revisions

The Director, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

47110.20 References

Government Code §§ 6250-6265.
California Code of Regulations, Title 15 § 3261.2.
California Labor Code § 92.
Civil Code, Information Practices Act § 1798.
California State Administrative Manual § 5320.5.
California Penal Code §§ 13100-13104.
California Civil Codes § 17.

Article 39 – Social Media Policy

47120.1 Purpose

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), in collaboration with the California Correctional Health Care Services (CCHCS) and the California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)) has developed this policy to provide standards and establish requirements for all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel when using social media.
Only authorized CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall represent the Department on social media. Social media is a tool that may be used to convey information and facilitate communication to support the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s mission.
This policy provides the parameters that all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel must follow in order to access or use social media.
- The only authorized use of social media falls within two fundamental categories.
  - Obtaining information, consuming content, or performing research for tasks or assignments.
  - Creating or managing content relevant to the Department’s mission.

47120.2 Scope

The scope of this policy extends to all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel as well as all information assets owned or operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA). Scope also extends to CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel who use social media outside of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) network on non-CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) managed or owned devices where it may be perceived that such activities are on behalf of the Department.

47120.3 Policy

The following are the policy requirements for the management and use of social media.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Authorized Content Managers
  - Content managers authorized to represent the Department on social media are limited to the following:
    - The Office of Public and Employee Communications (OPECOffice of Public and Employee Communications) for CDCRCalifornia Department of Corrections and Rehabilitation and CCHCS
    - CALPIACalifornia Prison Industry Authority (formerly PIA) designee(s)
  - Authorized content managers shall ensure that an auditable record of all postings and modifications to social media content are retained subject to Department data retention policies.
  - Accessing social media, including but not limited to, viewing and managing content through the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) network requires approval through the established Workgroup Computing Policy. This policy and related forms can be found in Department Operations Manual (DOMDepartment Operations Manual) Chapter 4, Article 41.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Acceptable Use
  - Access to social media available through the Department network is provided for official business.
  - Posting of any content on behalf of the Department must be approved by the OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Unacceptable Use
  - As with other forms of communications, employees’ use of social media should comply with CDCRCalifornia Department of Corrections and Rehabilitation’s Code of Conduct as found in DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.3. Using social media in an unacceptable manner through CDCRCalifornia Department of Corrections and Rehabilitation assets may result in the loss of access to social media through the CDCRCalifornia Department of Corrections and Rehabilitation network, disciplinary action, or both. Unacceptable use of social media includes, but is not limited to, the following:
    - CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not post social media content on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), unless specifically authorized by the OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee.
    - CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not create social media accounts that mislead the public that content posted is on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), including the use of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) images or logos.
    - CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not use State-issued assets to post material that could discredit the reputation of the Department or its agents.
    - CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not post or release personnel, contractor, offender, victim or their family’s private, confidential, sensitive or other protected information under state or federal law, including, but not limited to, CDCRCalifornia Department of Corrections and Rehabilitation intellectual property on social media unless explicitly authorized by OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee, whether or not the post of such information is from State-issued equipment or device or an individual’s personal equipment or personal device.
    - CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not utilize tools or techniques to spoof, masquerade, or assume another current or former CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) identity including business units and individual personnel except for legitimate law enforcement purposes.
    - Use of social media shall not be conducted in a manner that undermines the privacy, safety and security of personnel, contractors, offenders, victims, or families thereof.

47120.4 Roles and Responsibilities

Agency Chief Information Officer (CIO), OPECOffice of Public and Employee Communications and CALPIACalifornia Prison Industry Authority (formerly PIA) designee:
- Is responsible for ensuring that all users of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are aware of this policy and acknowledge their individual responsibilities.
- Is responsible for ensuring that this policy will be reviewed annually in order to make recommendations for policy changes or the introduction of new policy to the Information Security Officer (ISOInformation Security Officer) for the bi-annual review and update cycle.
- Shall ensure that authorized users with access to social media are trained regarding their roles and responsibilities.
OPECOffice of Public and Employee Communications and CALPIACalifornia Prison Industry Authority (formerly PIA) designee:
- Are responsible for identifying the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) authorized users of social media.
- Are responsible for reviewing and approving all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) social media content posted or shared on behalf of the Department or its representatives.
The Information Security Officer (ISOInformation Security Officer):
- Is responsible for the periodic auditing and assessment of compliance with this policy.
- Is responsible for the review and update of this policy every two years.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Managers and Supervisors:
- Are responsible for obtaining approval from OPECOffice of Public and Employee Communications, CALPIACalifornia Prison Industry Authority (formerly PIA) or designee, for any content posted or shared to official CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) social media.
- Are responsible for ensuring that personnel comply with this policy.
All CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Personnel Speaking On Behalf Of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA):
- Shall provide content developed for social media to OPECOffice of Public and Employee Communications designated reviewers for approval and publication.
- Shall connect to, and exchange information with, only authorized social media web sites in accordance with the requirements of this policy and other CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) and State information security policies.
- Are required to abide by this policy and applicable CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information security and privacy policies.
- Who are authorized to speak on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) or the State shall identify themselves by: a) Full Name; b) Title; c) Department; and d) Department Contact Information, when posting or exchanging information on social media forums, and shall address issues only within the scope of their specific authorization.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Technology Administrators shall:
- Limit Internet access to social media websites according to the Department’s acceptable use policy, while allowing authorized users to access content necessary to conduct CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) business. Limitations may include, but are not limited to:
  - Only allowing social media access to users who are specifically authorized (see CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Authorized Users) through the use of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Workgroup Computing Policy regarding internet access.
  - Disabling unnecessary functionality within social media web sites, such as Instant Messaging (IMInstructional Memorandum) or file exchange.
  - Minimize or eliminate the addition of web links within posts to other web sites, to minimize the risk of exposing a user to a link that leads to inappropriate, unauthorized, or potentially malicious content.
- Enable security controls to mitigate risk to the extent possible. These controls may include, but are not limited to:
  - Monitoring and auditing of all social media web site content posted, viewed or both.
  - Inspecting all files transmitted to or from social media web sites.
  - Securing social media platform and website account credentials (user names and passwords) from unauthorized access.
  - Utilize Multi-Factor Authentication (MFA) as required where supported by the social media account.

47120.5 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.15.5.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology, Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel should understand that the consequences of negligence and non-compliance with State laws and policies may include Department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

47120.6 Auditing

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to inspect any activities related to the use of social media on State information assets.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to inspect any publicly available information posted or shared on social media and other forums at its sole discretion.

47120.7 Authority

This policy complies with the State of California Government Code Section 11549.3.

47120.8 Definitions of Key Terms

The CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) uses the information security and privacy definitions issued by the California Department of Technology OIS in implementing information security and privacy policy. Terms and definitions are defined here and are on the California Department of Technology website at https://cdt.ca.gov/security/technical-definitions/.
- Instant Messaging (IMInstructional Memorandum): An application that allows real-time electronic messaging or chatting.
- Internet: A global computer network providing a variety of information and communication facilities.
- NIST: National Institute of Standards and Technology – https://www.nist.gov/
- Personally Identifiable Information (PII): Information that can be used by itself or used in combination with other personal identifiable information to distinguish or trace an individual’s identity.
- Social Media Platform: Interactive computer-mediated technologies that facilitate the creation and sharing of information, ideas, career interests and other forms of expression via virtual communities and networks.
- Social Media: Sites that enable the connection with others to form an online community. IMInstructional Memorandum, file sharing and Web logs (blogs) are common features of Social Media. These sites may contain offensive material in the community-created content. This category may be used in conjunction with another category for more narrowly-focused social media, such as professional networking sites or social networking sections of personals or dating sites.

47120.9 Revisions

The Agency CIO, OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee shall ensure that the contents of this article are current and accurate.

References

DOMDepartment Operations Manual Chapter 4, Articles 38, 41, 45
DOMDepartment Operations Manual Chapter 3, Article 22
California Government Code Section 11549.3
SAMState Administrative Manual, Section 4989.3, Agency/State Entity Roles and Responsibilities
SAMState Administrative Manual, Section 5305.3, Information Security Roles and Responsibilities
SAMState Administrative Manual, Section 5310.7, Security Safeguards
SAMState Administrative Manual, Section 5320.4, Personnel Security
SAMState Administrative Manual, Section 5360, Identity and Access Management
SIMM Section 66-B, Social Media Standard

Revision History

Effective April 21, 2021

Article 40 – Unassigned

Revised December 15, 2025

Article 41 – Unassigned

Revised February 3, 2026

Article 42 – Departmental Modem Policy*

Revised June 13, 2025

Article 43 – Unassigned

Revised December 10, 2025

Article 44 – General Information

49010.1 Policy

It is the policy of the Department to protect against the unauthorized modification, deletion, or disclosure of information included in the Department’s automated files and data bases. Such disclosure might compromise the integrity of Department programs or violate individual rights to privacy, and may constitute a criminal act. The Department regards its information assets, including data processing capabilities and automated files, to be essential public resources. Many aspects of the Department’s operations would effectively cease in the absence of critical computer systems, including automated systems necessary for the protection and safety of persons in the custody of the Department. Accordingly, the Department shall assume full responsibility for the proper classification, use, and protection of its automated information. Further, each element of the Department that employs information technology shall establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets.

49010.2 Purpose

The purpose of this policy is to establish and maintain a standard of due care to prevent misuse or loss of Department information assets. This policy establishes internal policies and procedures that:
- Establish and maintain management and staff accountability for the protection of departmental information assets.
- Establish and maintain processes for the analysis of risks associated with departmental information assets.
- Establish and maintain cost-effective risk management processes intended to preserve the Department’s ability to meet program objectives in the event of the unavailability, loss, or misuse of information assets.
- Protect departmental employees who are authorized to access the Department’s information assets from temptation, coercion, and threat.

49010.3 Information Assets Applicability Within the Department

Information assets covered by this section include: (1) all categories of automated information including, but not limited to, records, files and data bases; and (2) information technology facilities, software, and equipment (including personal computer systems) owned or leased by CDC.

49010.4 Statutory References Concerning the Confidentiality and Security of Information Within CDC

GCGovernment Code 1171 requires the director of each department that uses, receives or provides data processing services to designate an Information Security Officer (ISOInformation Security Officer) who shall be responsible for implementing State policies and standards regarding the confidentiality and security of information within the Department. These policies and standards shall include, but are not limited to, strict controls to prevent unauthorized access of: data maintained in computer files, program documentation, data processing systems, data files, and data processing equipment located physically in the Department.
The primary provisions affecting the classification and dissemination of information under the control of California State agencies is found in the State Constitution, in statutes, and in administrative policies:
- Article 1, Section 1, of the Constitution of the State of California defines pursuing and obtaining privacy as an inalienable right.
- The IPAInformation Practices Act of 1977 (CCCorrectional Counselor 1798, et seq.), places specific requirements on State agencies in the collection, use, maintenance, and dissemination of information relating to individuals.
- The PRAPublic Records Act (GCGovernment Code 6250-6265), provides for the inspection of public records.
- The State Records Management Act (GCGovernment Code 14740-14770), provides for the application of management methods to create, use, maintain, retain, preserve, and dispose of State records, including the determination of records essential to the continuation of State government in the event of a major disaster. SAMState Administrative Manual 1601 through 1699 contain administrative policies to implement provisions of this law.
- The California Computer Crime Statute (Calif. Rev. Stat 1987, Sect. 502, Ch. 1499, 1 January 1988) covers five offenses:
  - Manipulating data, a computer system, or computer network to devise or execute a fraud.
  - Knowingly accessing and without permission taking copies or using any data from a computer or taking any supporting documentation, internal or external, to a computer.
  - Theft of computer services.
  - Knowingly accessing and without permission damaging data, computer software, or computer programs, internal or external, to a computer.
  - Disrupting or denying computer services to an authorized user.
- The Federal Copyright Act of 1976, provides for the prosecution of persons guilty of the theft of computer programs.

49010.5 Exemptions From Information Systems Security Policy

Exemptions to this policy may be granted by the Management Information Systems Committee. The decision to grant an exemption shall be based primarily upon a risk analysis submitted to the Committee and the recommendation of the CDC ISOInformation Security Officer.

49010.6 Information Management Annual Plan Reporting Requirements

The Information Management Annual Plan (IMAPInformation Management Annual Plan), submitted by the Department to the DOFDepartment Of Finance, Office of Information Technology (OITOffice of Information Technology), shall contain a certification that the Department is in compliance with State requirements concerning information technology security and risk management. This certification is signed by the CDC Director. In addition, the IMAPInformation Management Annual Plan shall provide the name, title, business address and telephone number of the agency’s ISOInformation Security Officer.

49010.6.1 Operational Recovery Plan Reporting Requirements

The Department shall file an information copy of its Operation Recovery Plan (ORPOperation Recovery Plan) with OITOffice of Information Technology by January 31 each year. A copy of the ORPOperation Recovery Plan shall be provided to the Teale Data Center.

49010.6.2 Incident Reporting Requirements

It is the responsibility of all departmental employees to report all incidents that would place the Department’s information assets at risk. It is the policy of the Department that the following incidents shall be reported through the chain of command to the departmental ISOInformation Security Officer:
- Any incidents involving unauthorized access to automated data, automated files, or data bases.
- Any incident involving the unauthorized modification, destruction or loss of automated data, automated files, or data bases.
- Any incident involving a virus, worm, or other such computer contaminant (see also DOMDepartment Operations Manual 41010).
- Any incident involving the unauthorized use of computer equipment, automated data, automated files, or data bases.
- Any incident involving the misuse of the information assets of the Department.

49010.6.3 Incident Report Format

The following information concerning each incident shall be reported to the departmental ISOInformation Security Officer within five working days of any awareness of the occurrence of the incident:
- Date of the incident.
- Contact person.
- Description of the incident and whether it is a major incident as described in DOMDepartment Operations Manual 49040.36.

49010.6.4 Incident Investigation

Department management shall investigate promptly all reported incidents as defined in DOMDepartment Operations Manual 49010.6.3.
The CDC ISOInformation Security Officer shall investigate each such reported incident to determine the facts and to prepare a report. The report shall have a section that contains a report of the incident prepared by the appropriate local management.

49010.6.5 Information Security Incident Report to DOF

A report of major incidents as illustrated in SAMState Administrative Manual 4845 shall be submitted to OITOffice of Information Technology within ten working days of the Department’s first awareness of an incident involving one or more of the following:
- Unauthorized intentional release, modification, or destruction of confidential or sensitive information, or the theft of such information including information stolen in conjunction with the theft of a computer or data storage device.
- Use of a State information asset in the commission of a crime.
- Intentional damage or destruction of State information assets, or the theft of such assets with an estimated value in excess of $500.
The report shall be signed by the Department Director and the Department ISOInformation Security Officer.

49010.7 Revisions

Revised April 16, 1993

The Chief, ISDInformation Services Division (see EIS), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.

49010.8 References

Revised April 16, 1993

Federal Copyright Act of 1976.
Article 1, § 1 of the Constitution of the State of California.
California Computer Crime Statute (Calif. Rev. Stat 1987, §. 502, Ch 1499, 1 January 1988) IPAInformation Practices Act of 1977.
PRAPublic Records Act.
GCGovernment Code §§ 1171, 6250 – 6265, and 14740 – 14770 SAMState Administrative Manual §§ 1601 – 1699, and 4845.
DOMDepartment Operations Manual §§ 41010 and 49040.

Article 45 – Information Security

Revised May 20, 2013

49020.1 Policy

It is the policy of the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation) to protect against the unauthorized modification, deletion, or disclosure of information included in agency files and databases. The Department regards its information assets, including data processing capabilities and automated files, to be essential resources. The Department shall assume full responsibility for ensuring the security and integrity of its information resources.

49020.2 Purpose

The purpose of this Policy is to establish and maintain a standard of due care to prevent misuse or loss of Department information assets. This policy establishes internal policies and procedures that:
- Establish and maintain management and staff accountability for the protection of departmental information assets.
- Establish and maintain processes for the analysis of risks associated with departmental information assets.
- Establish and maintain cost-effective risk management processes intended to preserve the Department’s ability to meet program objectives in the event of the unavailability, loss, or misuse of information assets.
- Protect departmental employees who are authorized to access the Department’s information assets from temptation, coercion, and threat.
- Establish agreements with state and non-state entities to cover, at a minimum, the following:
  - Appropriate levels of confidentiality for the data based on data classification (see State Administrative Manual [SAMState Administrative Manual], § 5320.5).
  - Standards for transmission and storage of the data, if applicable (see SAMState Administrative Manual § 5310).
  - Agreement to comply with all state policy and law regarding use of information resources and data.
  - Signed confidentiality statements.
  - Agreements to apply security patches and upgrades, and keep virus software up-to-date on all systems on which data may be used.
  - Agreements to notify the information owners promptly if a security incident involving the data occurs.
- Establish appropriate policies and procedures to protect and secure ITInformation Technology infrastructure.
- Require that if a data file is downloaded to a mobile device or desktop computer from another computer system, the specifications for information integrity and security which have been established for the original data file must be applied in the new environment (SAMState Administrative Manual § 5310).
- Require encryption, or equally effective measures, for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). This policy does not apply to mainframe and server tapes. (See SAMState Administrative Manual § 5345.2).

49020.3 Statutory References Concerning the Confidentiality and Security of Information within CDCR

SAMState Administrative Manual section 5300.3 requires the Secretary/Director of each State agency that uses, receives, or provides services to designate an Agency Information Security Officer (ISOInformation Security Officer) who shall be responsible for implementing State policies and standards regarding the confidentiality and security of information within the Department. These policies and standards shall include, but are not limited to, strict controls to prevent unauthorized access of data maintained in computer files, program documentation, data processing systems, data files, and data processing equipment located physically in the Department and to establish guidelines for the dissemination of information under the control of California State agencies is as found in the State Constitution, in statutes, and in administrative policies:
- Article 1, Section 1, of the Constitution of the State of California defines pursuing and obtaining privacy as an inalienable right.
- The Information Practices Act of 1977 (Civil Code [CCCorrectional Counselor], § 1798, et seq.), places specific requirements on State agencies in the collection, use, maintenance, and dissemination of information relating to individuals.
- The California Public Records Act (Government Code [GCGovernment Code], §§ 6250-6265), provides for the inspection of public records.
- The State Records Management Act (GCGovernment Code, §§ 14740-14770) provides for the application of management methods to create, use, maintain, retain, preserve, and dispose of State records, including the determination of records essential to the continuation of State government in the event of a major disaster. SAMState Administrative Manual, §§ 1601-1699 contains administrative policies to implement provisions of this law.
- The California Penal Code (PCPenal Code), § 502 covers the following offenses:
  - Manipulating data, a computer system, or computer network to devise or execute a fraud.
  - Knowingly accessing and, without permission, taking copies or using any data from a computer or taking any supporting documentation, internal or external, to a computer.
  - Theft of computer services.
  - Knowingly accessing and without permission, damaging data, computer software, or applications/programs, internal or external, to a computer.
  - Disrupting or denying computer services to an authorized user.
- The California PCPenal Code § 11142 provides that, “Any person authorized by law to receive a record or information obtained from a record who knowingly furnishes the record or information to a person who is not authorized by law to receive the record or information is guilty of a misdemeanor.”
- The Federal Copyright Act of 1976 provides for the prosecution of persons guilty of the theft of computer programs.

49020.4 Departmental Approach to Information Security

The departmental approach to information security consists of the following components:
- Assigned management responsibilities for ITInformation Technology risk management. See SAMState Administrative Manual § 5315.
- Provisions for the integrity and security of automated and paper information, produced or used in the course of CDCRCalifornia Department of Corrections and Rehabilitation operations. See SAMState Administrative Manual § 5310 through 5350.
- Provisions for the security of ITInformation Technology facilities, software, and equipment utilized for automation. See SAMState Administrative Manual § 5330.
- Establishment and maintenance of an ITInformation Technology risk management program, including a risk analysis process. See SAMState Administrative Manual § 5305.
- Establishment and maintenance of an agency Disaster Recovery Plan. See SAMState Administrative Manual § 5355.
- A security and ongoing privacy program, including an annual training component for all employees and contractors. Refer to GCGovernment Code 11019.9 and CCCorrectional Counselor 1798.
- Compliance with state audit requirements relating to the integrity of information assets. See SAMState Administrative Manual § 20000 et seq.
- Policies to ensure that information security and information privacy are incorporated at each phase of the Information Systems Development Life Cycle.
- Risk assessments in accordance with SAMState Administrative Manual, § 5305.1 to ascertain the threats and vulnerabilities that impact the CDCRCalifornia Department of Corrections and Rehabilitation’s information assets and implement appropriate mitigations.
- ProvideInformation security training for to all employees who use information assets in the course of their assigned duties to ensure awareness and understanding of the Department’s policies.
- Conduct Coordination of information security audits for compliance with security policies.
- Reporting of deficiencies for noncompliance with the CDCRCalifornia Department of Corrections and Rehabilitation security policies for management’s corrective action.
- Reporting violations of this policy to the hiring authority of the employee alleged to have committed the act or the Office of Internal Affairs (OIAOffice of Internal Affairs), when appropriate.
- Adherence to requirements established in SAMState Administrative Manual, § 4841. 5300.3.
- Periodically review of security policies for changes that may be necessary as a result of technology evolution or changes in Department operations.
This policy includes, but is not limited to, the following information assets:
- All categories of automated information including, but not limited to, records, files, and data bases.
- ITInformation Technology facilities, software, and equipment (including personal computer systems) owned or leased by the CDCRCalifornia Department of Corrections and Rehabilitation.

49020.5 Roles and Responsibilities

The Department has established the necessary policies, procedures, practices, and controls to protect information assets from accidental or intentional disclosure, destruction, or modification, and to comply with all applicable State and federal privacy acts. Information assets covered by this Article include, but are not limited to:
- All categories of automated information including, but not limited to, records, files, and data bases.
- ITInformation Technology facilities, software, and equipment (including personal computer systems) owned or leased by the CDCRCalifornia Department of Corrections and Rehabilitation.
The following is a description of the organizational responsibilities for administering this program:
- Secretary
  - The Secretary has the ultimate responsibility for ensuring a risk management program is established that:
    - Assigns management responsibilities for ITInformation Technology risk management.
    - Provides for the integrity and security of automated and paper information, produced or used in the course of agency operations.
    - Complies with state and audit requirements relating to the integrity of information assets.
- Director of Enterprise Information Services (EISEnterprise Information Services (formerly Information Services Division))
  - The Director of EISEnterprise Information Services (formerly Information Services Division) has the delegated responsibility for establishing and maintaining an information security program within the Department. It is the responsibility of the Director of EISEnterprise Information Services (formerly Information Services Division) to assure that information assets are protected from the effects of damage and destruction, as well as from unauthorized or accidental modification, access, or disclosure. Specifically, the Director of EISEnterprise Information Services (formerly Information Services Division) is responsible for ensuring:
    - Enforcement of State-level security policies.
    - Establishment and maintenance of internal policies that provide for the security of ITInformation Technology facilities, software and equipment, and the integrity and security of the agency’s automated information.
    - Department compliance with reporting requirements related to security issues.
    - Appointment of a qualified AISO.
    - The participation of management during the planning, development, modification, and implementation of security policies and procedures.
- ISOInformation Security Officer Agency Information Security Officer (AISO)
  - SAMState Administrative Manual, § 5315.1 requires that each agency designate an ISOInformation Security Officer AISO. Additionally, to avoid conflicts of interest, the following restrictions shall apply to the AISO:
    - The AISO shall not have direct responsibility for information processing.
    - The AISO shall not have direct responsibility for access management functions.
    - The AISO shall not have direct responsibility for any departmental computerbased systems.
    - The AISO shall not have any special allegiance or bias toward a particular program or organization.
    - The AISO will have direct responsibility for the CDCRCalifornia Department of Corrections and Rehabilitation Information Security Office.
    - The AISO will report allegations of misconduct or criminal activity to OIAOffice of Internal Affairs and assist with investigations as necessary.
- The AISO is responsible for overseeing Agency policies and procedures designed to protect its information assets. In accordance with State policy, the AISO shall be accountable to the Secretary with respect to the following responsibilities:
  - Implementation of necessary procedures to ensure the establishment and maintenance of a security program.
  - Establishment of security policies and procedures designed to protect information assets.
  - Identification of confidential and sensitive information and critical applications.
  - Identification of vulnerabilities that may cause inappropriate or accidental access, destruction or disclosure of information, and the establishment of security controls necessary to eliminate or minimize their potential effects.
  - Establishment of procedures necessary to monitor and ensure the compliance of established security and risk management policies and procedures.
  - Coordination with internal auditors to define their roles in automated information system planning, development, implementation, operations, and modifications relative to security.
  - Coordination with the applicable data center’s ISOInformation Security Officer Information Security Officer or staff on matters related to the planning, development, implementation, or modification of information security policies and procedures that affect the Department.
  - Acquisition of appropriate security equipment and software.
  - Establishment of procedures to comply with control agency reporting requirements.
  - Development and maintenance of controls and safeguards to control user access to information.
  - Establishment of mechanisms to assure that CDCRCalifornia Department of Corrections and Rehabilitation staff (with particular emphasis on the owners, users, and custodians of information) are educated and aware of their roles and responsibilities relative to information security.
  - Establishment of training programs for CDCRCalifornia Department of Corrections and Rehabilitation employees related to information security.
- EISEnterprise Information Services (formerly Information Services Division) Technical Management
  - Department technical management has the following responsibilities relative to the Department’s information security program:
    - Ensuring that management, the Information Security OfficeISO, assigned owners, custodians, and users are provided the necessary technical support services with which to define and select cost effective security controls, policies, and procedures.
    - Ensuring the implementation of security controls and procedures as defined by the owners of information.
    - Ensuring the implementation of system controls necessary to identify actual or attempted violations of security policies or procedures.
    - Ensuring that the owners of information and the ISOInformation Security Officer Information Security Office are notified of any actual or attempted violations of security policies and procedures.
- Program Management
  - Department program managers have the following responsibilities in relation to the Department’s security program:
    - Establishing the procedures necessary to comply with State information security policy in relation to ownership, user, and if appropriate, custodian of information responsibilities.
    - Ensuring that State program policies and requirements are identified relative to security requirements.
    - Ensuring the proper data classification of automated information for which the program is assigned ownership responsibility.
    - Ensuring the participation of the Information Security Office ISOInformation Security Officer and technical staff in identifying and selecting appropriate and cost-effective security controls and procedures, and to protect information assets.
    - Ensuring that appropriate security requirements for user access to automated information are defined for files or data bases for which the program is assigned ownership responsibility.
    - Ensuring the proper planning, development, and establishment of security policies and procedures for files or data bases for which the program has ownership responsibility, and for physical devices assigned to and located in the program area(s).
    - Ensuring that custodians of program information are provided the appropriate direction to implement the security controls and procedures that have been defined.
    - Ensuring that procedures are established to comply with control agency reporting requirements.
- Program Personnel and Users
  - Program personnel have the following security responsibilities:
    - Implementing and monitoring data quality assurance functions to ensure the integrity of data for which the program is assigned ownership responsibility.
    - Complying with applicable federal, State, and Department security policies and procedures.
    - Complying with applicable federal and State statutes.
    - Identifying security vulnerabilities and informing program management and the Information Security Office of those vulnerabilities.
    - Ensuring that management, the Information Security Office, ISOInformation Security Officer, and assigned owners, custodians, and other users are provided the necessary technical support services with which to define and select cost-effective security controls, policies, and procedures.
    - Ensuring the implementation of security controls and procedures as defined by the owners of information.
    - Ensuring the implementation of system controls necessary to identify actual or attempted violations of security policies or procedures.
    - Ensuring that the owners of information and the Information Security Office are notified of any actual or attempted violations of security policies and procedures.
- Data Owners
  - The owners of information are responsible for classifying the information, defining precautions for its integrity, disposing of the information, defining initial levels of access needed, filing security incident reports, securing signed security agreements, and forwarding them to the Data Custodian, and identifying the level of acceptable risk.
- Data Custodians
  - The custodians of information, including the Office of Technology Services (OTech) Data Center, are responsible for complying with applicable laws, policies and procedures established by the owner and the AISO, advising the owner and the AISO of any threats to the information, and notifying the owners and the AISO of any violations of security policies, practices, and procedures.
  - In addition, the data custodians for an information system have the following access management responsibilities:
    - Access Authorization – The granting of permission to execute a set of operations in the system. Access privileges shall be allocated to users on a need-to-use basis, with the minimum required privileges required for their functional role.
    - Access Control – Enabling the performance of tasks by hardware, software, and administrative controls that would have the effect of monitoring a system’s operation, ensuring data recovery, performing user identification, and granting access to users.
    - Accountability – The work necessary to set up the ability to trace violations or attempted violations of system security to the individual(s) responsible.
- Internal Auditors
  - The Information Security Unit of the Office of Audits and Compliance has the following audit responsibilities in relation to the Department’s information security program (DOMDepartment Operations Manual, Chapter 4, Article 48, Electronic Data Processing Auditing).
- Examination of the Department’s information security policies and procedures for compliance with State information security policies, including control agency audit requirements.
- Identification of possible corrective actions.
- Informing management, the ISOInformation Security Officer, and the owners, custodians, and users of information of audit findings.
- Access Management
  - Access Management within the CDCRCalifornia Department of Corrections and Rehabilitation is:
    - A critical responsibility of information system owners and custodians.
    - An organizational unit within the EISEnterprise Information Services (formerly Information Services Division).
    - The access management group and each organization with owner or custodial responsibilities for an information system have the following access management responsibilities:
- Access Authorization. The granting of permission to execute a set of operations in the system. At the lowest level, for example, this would be to grant permission for inmate trust personnel to access the classification of inmates on the Distributed Data Processing System (DDPSDistributed Data Processing System). At the highest level, for example, this would be working with the information system owners to physically allow access to a specific information system.
- Access Control. Enabling the performance of tasks by hardware, software, and administrative controls that would have the effect of monitoring a system’s operation, ensuring data integrity, performing user identification, recording system access and charges, and granting access to users.
- Accountability. The work necessary to set up the ability to trace violations or attempted violations of system security to the individual(s) responsible.
- Additionally, the access management group of the EISEnterprise Information Services (formerly Information Services Division) shall maintain the central file of all signed self/joint certification statements and security agreements, and shall provide the ISOInformation Security Officer, management, and owners with appropriate status reports.
- Information Security Coordinators
  - Every organizational entity that uses computer systems, or uses computer applications shall designate an Information Security Coordinator (ISCInformation Security Coordinators) for each site maintained by that entity. The designated ISCInformation Security Coordinators shall be responsible for ensuring that applicable CDCRCalifornia Department of Corrections and Rehabilitation policies and procedures are followed, and shall act as the security liaison to the Information Security Office. The CDCRCalifornia Department of Corrections and Rehabilitation Information Security Office will serve as the ISCInformation Security Coordinators for EISEnterprise Information Services (formerly Information Services Division) staff.
- A procedure shall be developed by each of these organizational entities, subject to approval by the AISO. The procedure shall be constrained as follows:
  - The designation of an ISCInformation Security Coordinators for the decentralized or control entity shall be in writing and shall identify the name, work address, and telephone number of the ISCInformation Security Coordinators.
  - The AISO shall maintain a file of all current and past designated ISCs.
  - The designated ISCInformation Security Coordinators shall be aware that they are the designated ISCInformation Security Coordinators and the responsibility that the designation entails.
  - The designated ISCInformation Security Coordinators shall ensure compliance with information security policies and procedures, and with any security guidelines issued by the owners of decentralized automated systems.

49020.6 CDCR Information Asset Protection

CDCRCalifornia Department of Corrections and Rehabilitation shall provide for the integrity and security of its information assets by identifying all automated files and databases for which CDCRCalifornia Department of Corrections and Rehabilitation has ownership responsibility, and ensuring that responsibility for each automated file or database is defined with respect to the following:
- Owners of the information within CDCRCalifornia Department of Corrections and Rehabilitation.
- Custodians of the information.
- Users of the information.
- Classification of the information to ensure that each automated file or database is identified as to its information class in accordance with law and administrative policy.

49020.6.1 Information Security Ownership/Authority

An owner of any CDCRCalifornia Department of Corrections and Rehabilitation information shall be the approval authority for all requests for access to such information under his or her control. Approval authority may be delegated to a designated representative. The owner has an obligation to restrict access to the specific information to instances that are necessary and sufficient to meet the demonstrated need or right of the requestor. The owner shall consult with EISEnterprise Information Services (formerly Information Services Division) to determine the most appropriate on-line access mechanisms for a specific request, keeping in mind that EISEnterprise Information Services (formerly Information Services Division) is obligated to restrict the mechanisms to those that are necessary and sufficient to meet the requestor’s need for, or right to, such information.
The owner is ultimately responsible for the integrity of the entrusted information. This responsibility requires that the owner have control over who can access, modify, disclose, or destroy information. The owner shall exercise the responsibility to communicate information security requirements to all appropriate personnel, and to make use of all available security features. Additionally, the owner shall determine that implemented security measures are adequate to meet the requirements of the application, and ensure that an employee’s access authority is removed immediately upon separation or change of duties such that access is no longer necessary.

49020.6.2 Classification of Information

CDCRCalifornia Department of Corrections and Rehabilitation’s records, automated files, and databases are essential public resources that must be given appropriate protections from unauthorized use, access, disclosure, modification, loss, or deletion. The discovery and classification of CDCRCalifornia Department of Corrections and Rehabilitation Information Assets is a continuing endeavor and requires the ongoing support of information owners and other stakeholders.
- The EISEnterprise Information Services (formerly Information Services Division) Enterprise Architecture organization is responsible for maintaining and facilitating the processes and procedures for enterprise governance of CDCRCalifornia Department of Corrections and Rehabilitation Information Assets and engaging Information Owners and Stakeholders for Information Security Classification decision-making and governance.
- Information Owners are responsible for reviewing and classifying information, solely or with others, for information they own or share ownership of, and for participating in the CDCRCalifornia Department of Corrections and Rehabilitation Information Governance process; the final ruling for Security Classification decisions rests with the Information Owners.
- Stakeholders are responsible for raising Information security concerns with respect to Information Security Classification and ensuring information is treated appropriately based on duly made classification decisions.
- All users of CDCRCalifornia Department of Corrections and Rehabilitation Information are responsible for protecting CDCRCalifornia Department of Corrections and Rehabilitation Information under their control or influence from unauthorized use, access, disclosure, modification, loss, or deletion, including notifying appropriate CDCRCalifornia Department of Corrections and Rehabilitation authorities when vulnerabilities to CDCRCalifornia Department of Corrections and Rehabilitation Information is noticed or when Security Classifications or protections for CDCRCalifornia Department of Corrections and Rehabilitation Information appear inadequate.
CDCRCalifornia Department of Corrections and Rehabilitation will classify each record, file, and database using the following classification structure:
- Public Information – information maintained by CDCRCalifornia Department of Corrections and Rehabilitation that is not exempt from disclosure under the provisions of the California Public Records Act (GCGovernment Code §§ 6250-6265) or other applicable state or federal laws (SAMState Administrative Manual § 5320.5).
- Confidential Information – information maintained by CDCRCalifornia Department of Corrections and Rehabilitation that is exempt from disclosure under the provisions of the California Public Records Act (GCGovernment Code §§ 6250-6265) or other applicable state or federal laws (SAMState Administrative Manual § 5320.5).
- High Risk Confidential Information (HRCI) – Non-public information that if disclosed could result in a significant harm (including financial, legal, risk to life and safety or reputational damage) to the CDCRCalifornia Department of Corrections and Rehabilitation or individual(s) if compromised through alteration, corruption, loss, misuse, or unauthorized disclosure. Examples of HRCI include, but are not limited to, information such as the following:
  - Personally identifiable information such as person’s name in conjunction with the person’s social security, credit or debit card information, individual financial account, driver’s license number, state IDInstitutions Division (see DAI) number, or passport number, or a name in conjunction with biometric information;
  - Personal health information such as any information about health status, provisions of health care, or payment for health care information as protected under the Health Insurance and Portability Act of 1996;
  - Correctional Offender Record Information as defined in California PCPenal Code §§ 13100-13104;
  - All ITInformation Technology infrastructure information that would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency, including but not limited to firewall and router configurations, server names, IP addresses, and other system configurations;
  - Any document which contains information identifying any Confidential Informant, or confidential information provided, as defined in CCRCalifornia Code of Regulations Title 15, § 3321;
  - Any documentation of information which contains information or data within any Gang Data Base as defined in the Department Operations Manual (DOMDepartment Operations Manual) §§ 52070.22 through 52070.24;
  - Records of investigations, intelligence information, or security procedures as specified in the PRAPublic Records Act Section 6254(f).
- Personnel, medical, or similar files, the disclosure of which would constitute an unwarranted invasion of personal privacy protected under the California Government Code § 6254(c) or the Peace Officers Bill of Rights under Government Code §§ 3300 et seq.
- Sensitive Information – information maintained by CDCRCalifornia Department of Corrections and Rehabilitation that requires a higher than normal assurance of accuracy and completeness. Thus the key factor for sensitive information is that of integrity. Typically, sensitive information includes records of financial transactions and regulatory actions.
Personal Information requested by researchers not under the authority of CDCRCalifornia Department of Corrections and Rehabilitation may only be received by University of California or other non-profit educational institutions and in accordance with the provisions set forth in law, including the prior review and approval by the Committee for the Protection of Human Subjects (CPHS) of the California Health and Human Services Agency before such information is released (SAMState Administrative Manual § 5320.5). See Civil Code § 1798.24(t).

49020.7 Human Resources Security

CDCRCalifornia Department of Corrections and Rehabilitation requires that personnel practices related to security management must include:
- Employment history and background checks on all employees.
- The signing of the Computing Technology User Agreement Form 1857 for all staff that uses CDCRCalifornia Department of Corrections and Rehabilitation’s Information Technology, thereby agreeing to abide by CDCRCalifornia Department of Corrections and Rehabilitation’s Workgroup Computing policies.
- The signing of the CDCRCalifornia Department of Corrections and Rehabilitation Security Awareness Self-Certification and Confidentiality Form ISOInformation Security Officer-3025 on an annual basis, thereby certifying the employee shall comply with CDCRCalifornia Department of Corrections and Rehabilitation’s Information Security Policy.

49020.7.1 Segregation of Duties in the Information Security Program

There shall be a strict separation of duties among, and within, all organizations responsible for using, operating, and developing computer based information systems. Separation of duties shall be maintained to ensure a separation of responsibilities for initiating and authorizing transactions, recording of transactions, and custody of assets. Segregation of duties, similar to that required in manual systems, shall be implemented in computerized systems.
The following guidelines shall be used regarding such separation of duties:
- Convert and Conceal – No one person should be able to convert a resource to their personal use and be able to conceal the action.
- Custody and Control – No one person should have custody of an asset and at the same time be solely responsible for the accounting for that asset.
- Custody and Access – No one person shall have custody of an asset and, at the same time, have unrestricted access to the records pertaining to that asset.
- Origination and Authorization – No one person shall both originate and authorize a transaction.
- Originate and Maintain – No one person shall both enter a transaction and maintain the related master file.
- Access and Restriction – Access to transactions shall be on a needtoknow basis.
EISEnterprise Information Services (formerly Information Services Division) is charged with the responsibility for the development and maintenance of computer based systems for the CDCRCalifornia Department of Corrections and Rehabilitation. In this capacity, EISEnterprise Information Services (formerly Information Services Division) provides a service to actual or potential users of computer-based information systems. In addition, there are several computer “user” groups throughout the Department. Each of these organizations is providing a service to all actual or potential users of computer based information systems.
To ensure that assigned responsibilities are met and that separation of duties is maintained, individuals/programs shall not originate or authorize transactions, have custody or control over online data processing assets, or have the authority to originate master file changes. Source documents shall originate and be controlled by functions independent of such persons/programs.
Appropriate procedures shall be developed, subject to approval by the AISO, to ensure that adequate controls exist to ensure the separation of duties and responsibilities.
The procedures may include variances to the Change Management Process in order to resolve failures of critical applications. Such variances shall provide for audit trails and retroactive release or approval documentation, and require the prior approval of the AISO.

49020.7.2 Annual Information Security Self Certification

All CDCRCalifornia Department of Corrections and Rehabilitation employees requiring access to CDCRCalifornia Department of Corrections and Rehabilitation information assets are responsible for annually self-certifying that they are in compliance with applicable CDCRCalifornia Department of Corrections and Rehabilitation information security policies. The ISOInformation Security Officer is responsible for ensuring compliance with this policy. Responsibility for the dissemination of the policies rests with the owner and the designated ISCInformation Security Coordinators; responsibility for compliance rests with the end-users.
The following is required to ensure compliance with the above is maintained:
- A separate statement of selfcertification shall be signed by every employee that accesses or uses CDCRCalifornia Department of Corrections and Rehabilitation’s information assets.
- Each selfcertification shall be signed by a representative of the senior management from the organizational entity.
- Each selfcertification is to be filed with the local ISCInformation Security Coordinators and available for review by the Information Security Office.

49020.7.3 Information Security Awareness

It is the responsibility of CDCRCalifornia Department of Corrections and Rehabilitation management at all levels to ensure that personnel are aware of their responsibilities:
- All employees are accountable for the implementation of information security policies and procedures within their areas of responsibility.
- Accountability requires that employees be aware of the Department’s information security policies and procedures.
- All employees that are owners, users, or custodians of a departmental information system shall receive annual information security training.
- Security awareness training shall be given as a part of each employee’s orientation and annually thereafter. Each employee shall receive a copy of the security policy. All employees that access or use information assets shall annually complete and sign a selfcertification form.
- All employees changing jobs or exiting owner, user, or custodian status, shall have their security privileges reviewed immediately, and such persons shall be prevented from having any further opportunity to access information which they no longer have a business need based on their new job duties.
- Employees with the status of owner, user, or custodian shall have a job description that details that status and the security requirements therein.
- Systems, including CDCRCalifornia Department of Corrections and Rehabilitation’s mission critical systems and Internet access, shall be monitored and activity logs maintained as per the Department’s ISSG.

49020.7.3.1 Security Awareness Training within CDCR

All persons who have access to any CDCRCalifornia Department of Corrections and Rehabilitation information shall be provided security awareness training at the time such access begins and at minimum annually thereafter. The Information Security Coordinators shall ensure that security awareness training is provided prior to the employees’ self-certification of their awareness of CDCRCalifornia Department of Corrections and Rehabilitation’s information security policies, and the renewal of access privileges to CDCRCalifornia Department of Corrections and Rehabilitation information resources.
Security awareness training falls into the following two categories:
- Information Security
  - All individuals having access to CDCRCalifornia Department of Corrections and Rehabilitation information shall be made aware of the background, scope, and objectives of CDCRCalifornia Department of Corrections and Rehabilitation’s information security program and of specific CDCRCalifornia Department of Corrections and Rehabilitation information security policies and procedures that are applicable to the level and type of access granted to the individual. The minimum training shall consist of completion of the departmental computer-based training module.
- Incident Reporting
  - All CDCRCalifornia Department of Corrections and Rehabilitation employees shall also be made aware of the events and activities that constitute threats to the organization for which they work and of the actions to be taken when confronted by those events or activities (see DOMDepartment Operations Manual § 49020.12).

49020.7.4 Consequences of Information Security Violations

During the time that a suspected violation is under investigation, the suspected violator’s access privileges may be revoked or other appropriate action taken to prevent harm to the CDCRCalifornia Department of Corrections and Rehabilitation.
All violations of security policies or procedures are subject to disciplinary action up to and including dismissal from State service. The specific disciplinary action that shall be taken depends upon the nature of the violation and the impact of the violation on the CDCRCalifornia Department of Corrections and Rehabilitation’s information assets and related facilities. For further information see DOMDepartment Operations Manual Chapter 3, Article 22, Employee Discipline.

49020.7.5 Return of Information Assets

All employees, contractors, and third party users shall immediately return all of the CDCRCalifornia Department of Corrections and Rehabilitation’s information and assets in their possession upon termination of their employment, contract, or agreement.

49020.7.6 Removal of Access Rights

Upon termination, position change or change of duties, the access rights of an individual to assets associated with information systems and services shall be evaluated. This will determine whether it is necessary to remove access rights. Changes of employment should be reflected in removal of all access rights that were not approved for the new position. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities, subscriptions, and removal from any documentation that identifies them as a current member of the group. If a departing employee, contractor or third-party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.

49020.8 Physical Access Control to Information Assets and Environmental Safety

The sensitivity of CDCRCalifornia Department of Corrections and Rehabilitation’s information assets and personnel safety requires that all CDCRCalifornia Department of Corrections and Rehabilitation computer facilities have physical controls to prevent unauthorized access.
All information resource facilities must be physically protected in proportion to the criticality or importance of their function. Physical access procedures must be documented, and access to such facilities must be controlled. Access lists must be reviewed at least quarterly or more frequently depending on the nature of the systems that are being protected.
Each owner and custodian of departmental information systems shall establish physical controls over their information assets. This requirement applies to workstations with confidential or sensitive information and includes network and data communications components, as well as, application and database servers.

49020.8.1 Use of Secure Areas to Protect Data and Information

Use physical methods to control access to areas. These methods include, but are not limited to, locked doors, secured cage areas, vaults, IDInstitutions Division (see DAI) cards, and biometrics.
Restrict building access to authorized personnel.
Identify areas within a building that should receive special protection and be designated as a secure area. An example is a server room.
Security methods should be commensurate with security risk.
Ensure that physical barriers are used to prevent contamination from external environmental sources.
Compliance with fire codes.
Installation, use and maintenance of air handling, cooling, UPS and generator backup to protect the ITInformation Technology investment in server rooms.

49020.8.2 Physical Access Management to Protect Data and Information

Access to facilities that host critical CDCRCalifornia Department of Corrections and Rehabilitation ITInformation Technology infrastructure, systems and programs must follow the principle of least privileged access. Personnel, including full and part-time staff, contractors and vendors’ staff should be granted access to only those facilities and systems that are necessary for the fulfillment of their job responsibilities.
The process of granting physical access to information resource facilities must include the approval of the Director of EISEnterprise Information Services (formerly Information Services Division), or his/her designee. Access reviews must be conducted at least quarterly, or more frequently, depending on the nature of the systems that are being protected. Removal of individuals who no longer require access must then be completed in a timely manner.
Access cards and keys must be appropriately protected, not shared or transferred, and returned when no longer needed. Lost or stolen cards/keys must be reported immediately.
Security clearance for visitors should include, but is not limited to, a sign-in book which includes the date and time of entry and departure, employee escort within a secured area, IDInstitutions Division (see DAI) check and IDInstitutions Division (see DAI) badges where critical information resources are contained.

49020.8.3 Protecting Against External and Environmental Threats

Consideration shall be given to any security threats presented by neighboring premises, e.g. a fire in a neighboring building, water leaking from the roof or in floors below ground level or an explosion in the street.
The following guidelines should be considered to avoid damage from the fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster:
- Hazardous or combustible materials should be stored at a safe distance from a secure area. Bulk supplies such as stationary should not be store within a secure area;
- Fallback equipment and back-up media should be sited at a safe distance to avoid damage from a disaster affecting the main site;
- Appropriate firefighting equipment should be provided and suitably placed.
Working in Secure Areas
- Physical protection and guidelines for working in secured areas shall be applied. The following guidelines should be considered:
  - Personnel should only be aware of the existence of, or activities within, a secure area on a need to know basis;
  - Unsupervised personnel working in secure areas should be avoided both for safety reasons and to prevent opportunities for malicious activities;
  - Vacant secure areas should be physically locked and periodically checked;
  - Photographic, video, audio or other recording equipment, such as cameras in mobile devices, should not be allowed, unless authorized.

49020.8.4 Data Processing Equipment Siting and Protection

Data processing equipment shall be sited and protected to reduce the risks from environment threats and hazards, and opportunities for unauthorized access.
The following guidelines shall be applied to protect equipment:
- Equipment should be sited to minimize unnecessary access into work areas;
- Facilities handling sensitive data should be positioned and the viewing angle restricted to reduce the risk of information be viewed by unauthorized persons during their use, and storage facilities secured to avoid unauthorized access;
- Items requiring special protection should be isolated to reduce the general level of protection required;
- Controls shall be adopted to minimize the risk of potential physical threats, e.g., theft, fire, explosive, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism;
- Guidelines for eating, drinking, and smoking in proximity to facilities should be established;
- Equipment processing confidential and/or sensitive information shall be protected to minimize the risk of information leakage due to emanation.

49020.8.5 Cabling Security

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage. The following guidelines should be considered:
- Power and telecommunication lines into facilities shall be underground, where possible, or subject to adequate alternative protection;
- Network cabling shall be protected from unauthorized interception or damage, for example by using conduit or by avoiding routes through public areas;
- Power cables should be segregated from communications cables to prevent interference;
- Clearly identifiable cable and equipment markings shall be used to minimize handling errors, such as accidental patching of wrong network cables;
- For sensitive or critical systems further controls to consider include:
  - Installation of armored conduit and locked rooms or boxes at inspection and termination points;
  - Use of alternative routings and/or transmission media providing appropriate security;
  - Use of fiber optic cabling;
  - Use of electromagnetic shielding to protect the cables
  - Initiation of technical sweeps and physical inspections for unauthorized devices being attached to cables;
  - Controlled access to patch panels and cable rooms.

49020.8.6 Secure Disposal or Re‑Use of Equipment

All items of equipment containing storage media shall be checked by the appropriate ITInformation Technology support staff to ensure that any confidential or sensitive data and licensed software has been removed or securely overwritten prior to disposal.

49020.8.7 Removal of Property

Equipment, information or software shall not be taken off-site without prior authorization.
For administrative purposes, all information residing on CDCRCalifornia Department of Corrections and Rehabilitation’s computers that is considered to be sensitive or confidential shall be treated as such by all persons who have access to it and shall be protected from unauthorized access.

49020.9 Information Integrity and Data Security

Security controls shall be established to ensure that data entered into and stored in its automated files or databases are complete and accurate, as well as ensuring the accuracy of disseminated information. Security measures will be established to ensure that access is limited to authorized users.

49020.9.1 High Risk Confidential Information

No High Risk Confidential Information (HRCI) shall be present on any computer resource, including workstations that are not under the CDCRCalifornia Department of Corrections and Rehabilitation’s direct control unless authorized on a case-by-case basis by the ISOInformation Security Officer AISO and the owner of the information unless encrypted using a CDCRCalifornia Department of Corrections and Rehabilitation approved encryption standard. HRCI is defined as non-public information that if disclosed could result in a significant harm (including financial, legal, risk to life and safety or reputational damage) to the CDCRCalifornia Department of Corrections and Rehabilitation or individual(s) if compromised through alternation, corruption, loss, misuse, or unauthorized disclosure. Examples of HRCI include, but are not limited to, information such as the following:
- Personally identifiable information such as person’s name in conjunction with the person’s social security, credit or debit card information, individual financial account, driver’s license number, state IDInstitutions Division (see DAI) number, or passport number, or a name in conjunction with biometric information;
- Personal health information such as any information about health status, provisions of health care, or payment for health care information as protected under the Health Insurance Portability and Accountability Act of 1996;
- Correctional Offender Record Information as defined in California PCPenal Code §§ 13100-13104;
- All ITInformation Technology infrastructure information that would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency, including but not limited to firewall and router configurations, server names, IP addresses, and other system configurations;
- Any Document which contains information identifying any Confidential Informant, or information provided, as defined in CCRCalifornia Code of Regulations Title 15, Section 3321;
- Any documentation of information which contains information or data within any Gang Data Base as defined in the DOMDepartment Operations Manual §§ 52070.22 through 52070.24;
- Records of investigations, intelligence information, or security procedures as specified in the PRAPublic Records Act § 6254(f).
Appropriate procedures to utilize confidential CDCRCalifornia Department of Corrections and Rehabilitation information on any of CDCRCalifornia Department of Corrections and Rehabilitation’s computer resources, including any computer such as mainframes, serversmid-range, workstation, and other information assets on the CDCRCalifornia Department of Corrections and Rehabilitation network are outlined in this Article. The level of security measures shall be commensurate with the data classification of the information involved.

49020.9.2 Confidentiality of Security Mechanisms

The specific security mechanisms used by the Department to control access to its information resources are confidential.
Information concerning specific details of access controls shall not be divulged except on a need-to-know basis, and then only to persons for whom there are signed security agreements on file.

49020.9.3 Confidentiality of Production Application Software

All documentation concerning production applications residing on the CDCRCalifornia Department of Corrections and Rehabilitation’s mainframes, servers, network infrastructure, and workstations is confidential.
Appropriate procedures to protect and preserve the confidentiality of an application’s documentation are to be developed by the data custodian that has responsibility for, or custody of, such application. The procedures shall ensure that documentation is not divulged except on a needtoknow basis, and then only to persons for whom there are signed security agreements on file.

49020.9.4 Confidentiality of Information on CDCR Information Systems

Appropriate procedures shall be developed by the appropriate data custodians to protect and preserve the confidentiality of the Department’s information stored or residing in or on CDCRCalifornia Department of Corrections and Rehabilitation controlled environments, such as the CDCRCalifornia Department of Corrections and Rehabilitation Network, individual stand-alone desktop and laptop workstations, browser-based applications such as Parole-LEADS, and the SOMSStrategic Offender Management. Additionally, no High Risk Confidential Information shall be faxed, reproduced (e.g., photocopied), distributed via unencrypted e-mail, downloaded to a non-confidential system, given to an unauthorized recipient, or transmitted by telephone to any entity without appropriate security controls in place that are documented in the CDCRCalifornia Department of Corrections and Rehabilitation ISAInformation Systems Analyst ISSG.

49020.9.5 Confidentiality Agreements

Requirements for confidentiality or non-disclosure agreements reflecting the CDCRCalifornia Department of Corrections and Rehabilitation’s needs for the protection of information should be identified and regularly reviewed. Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use, and disclose information in a responsible and authorized manner.
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
- A definition of the information to be protected (e.g., confidential information);
- Expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
- Required actions when an agreement is terminated;
- Responsibilities and actions of signatories to avoid unauthorized information disclosure (such as “need to know”);
- Ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
- The permitted use of confidential information, and rights of the signatory to use information;
- The right to audit and monitor activities that involve confidential information;
- Process for notification and reporting of unauthorized disclosure or confidential information breaches;
- Terms for information to be returned or destroyed at agreement cessation; and
- Expected actions to be taken in case of a breach of this agreement.
Based on the CDCRCalifornia Department of Corrections and Rehabilitation’s security requirements, other elements may be needed in a confidentiality or non-disclosure agreement. Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which it applies. Requirements for confidentiality and non-disclosure agreements should be previewed periodically and when changes occur that influence these requirements.

49020.9.6 Information Sharing with External Parties

The risk to CDCRCalifornia Department of Corrections and Rehabilitation’s information and facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.
When there is a need to allow an external party access to the facilities or information of the CDCRCalifornia Department of Corrections and Rehabilitation, a risk assessment should be carried out to identify any requirements for specific controls. The identification of risks related to external party access should take into account the following issues:
- The facilities an external party is required to access;
- The type of access the external party will have to the information and facilities, e.g., physical access to offices, computer rooms, filing cabinets or logical access to an organization’s databases and information systems;
- Network connectivity between the organization’s and the external party’s network(s), e.g., permanent connection, remote access;
- Whether the access is taking place on-site or off-site;
- The value and sensitivity of the information involved, and its criticality for business operations;
- The controls necessary to protect information that is not intended to be accessible by external parties;
- The external party personnel involved in handling the organization’s information;
- How the organization or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed;
- The controls employed by the external party when storing, processing, communicating, sharing, and exchanging information;
- The impact of access not being available to the external party when required, and the external party’s entering or receiving inaccurate or misleading information;
- Practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external party access in the case of an information security incident;
- Legal and regulatory requirements and other contractual obligations relevant to the external party that should be taken into account; and
- How the interests of any other stakeholders may be affected by the arrangements. Access by external parties to the CDCRCalifornia Department of Corrections and Rehabilitation’s information should not be provided until the appropriate controls have been implemented and, where feasible, a Data Sharing Agreement (DSA) or Memorandum of Understanding (MOUMemorandum Of Understanding) has been signed, defining the terms and conditions for the connection or access and the working arrangement. Generally, all security requirements resulting from work with external parties or internal controls should be reflected by the agreement with the external party.
It should be ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the organization’s information and facilities.

49020.9.7 Personal Computer Security

Information maintained in a personal computer system, including laptop computers and mobile devices, must be subjected to the same degree of management control and verification of accuracy that is provided for information that is maintained in other automated files. Files containing High Risk Confidential Information or sensitive data shall not be stored in personal computer systems unless it can be demonstrated that doing so is in the best interest of CDCRCalifornia Department of Corrections and Rehabilitation and that security measures have been implemented to provide adequate protection. Proposals to use desktop or laptop computers to maintain or access files containing High Risk Confidential Information or sensitive data must be approved by the Agency Information Security Officer (SAMState Administrative Manual § 5315.1) before implementation. The Agency Information Security Officer will determine that the proposal complies with all applicable provisions of the SAMState Administrative Manual dealing with information security and risk management (SAMState Administrative Manual §§ 5300 through 5399).

49020.9.8 Personal Computing Devices

Using personally-owned devices to access departmental information resources may jeopardize the integrity and security of CDCRCalifornia Department of Corrections and Rehabilitation’s information resources. In regard to personally-owned devices, the following provisions shall be followed:
- Personally-owned electronic devices shall not connect to, transfer data to or from, or be used to copy data to or from the CDCRCalifornia Department of Corrections and Rehabilitation Network;
- Personally-owned smartphones such as Android devices, iPhones, Treos, Blackberry devices shall not connect to, transfer data to or from, or be used to copy data to or from the CDCRCalifornia Department of Corrections and Rehabilitation Network. CDCRCalifornia Department of Corrections and Rehabilitation e-mail shall not be setup for delivery or used on any personally-owned Smartphone or electronic device;
- Personally-owned USB memory “sticks,” “cards,” or “external drives” shall not be used to copy, forward, or transfer CDCRCalifornia Department of Corrections and Rehabilitation data from CDCRCalifornia Department of Corrections and Rehabilitation local drives, networks, or e-mail systems.
Exemptions to these provisions shall require approval from all impacted data owners and the Agency Information Security Officer.

49020.9.9 Mobile Computing and Storage Devices

All mobile computing and storage devices that access the CDCRCalifornia Department of Corrections and Rehabilitation network and/or store CDCRCalifornia Department of Corrections and Rehabilitation data must be compliant with CDCRCalifornia Department of Corrections and Rehabilitation Information Security Policies and Standards. In regard to mobile computing and storage devices, the following provisions shall be followed:
- High Risk Confidential Information on any stored on mobile computing and storage devices must be encrypted;
- Any and all mobile computing devices used within the CDCRCalifornia Department of Corrections and Rehabilitation information and computing environments must meet all applicable CDCRCalifornia Department of Corrections and Rehabilitation encryption standards. Mobile computing devices shall be tracked in an information assets inventory;
- CDCRCalifornia Department of Corrections and Rehabilitation information security policies applicable to desktop or workstation computers apply to mobile computing devices;
- Employees will delete information from their portable device or portable storage media once it is no longer needed;
- All CDCRCalifornia Department of Corrections and Rehabilitation laptops shall connect to the CDCRCalifornia Department of Corrections and Rehabilitation network at a minimum of 42 days or another designated time frame to receive updates;
- Personal long distance calls shall not be made from state-issued handheld devices except as authorized in DOMDepartment Operations Manual Chapter 1 Organizational Structure, Article 12 – Telephones, Facsimiles, and Cellular Type Telephones.
- Personal local calls shall not be made from state-issued handheld devices except as authorized in DOMDepartment Operations Manual Chapter 1 Organizational Structure, Article 12 – Telephones, Facsimiles, and Cellular Type Telephones.

49020.10 Access Control

Access to any of the CDCRCalifornia Department of Corrections and Rehabilitation’s computerized information on any of the CDCRCalifornia Department of Corrections and Rehabilitation’s computers or the OTech Data Center is restricted to authorized persons. All access to CDCRCalifornia Department of Corrections and Rehabilitation’s information systems shall be protected by at least user IDInstitutions Division (see DAI)/password access control. Any software installed on information systems which use password protection features shall provide for non-display of, and restricted control over, passwords. No software that allows the authentication process to be bypassed or comprised may be installed on those computers.
- Any person requiring such access shall:
- Be a State employee or a bona fide representative of the Department.
- Demonstrate either a need for, or a legal right to, the information.
- Receive formal authorization from the owner of the information.
- Accept legal responsibility for preserving the security of the information.
The sensitivity of the information residing in the CDCRCalifornia Department of Corrections and Rehabilitation’s computerized environments requires strict controls over who is allowed access to that environment, which information may be accessed, and how that information may be accessed.
The following uniform access authorization procedure assumes that all pertinent procedures have been followed, and all CDCRCalifornia Department of Corrections and Rehabilitation-required system approvals have been obtained. This policy procedure is for access to existing information resources. The uniform access authorization procedure is as follows.
- All access requests shall be sent to the system owner with a copy to the AISO. The request shall contain the following:
  - The name of the requester.
  - The specific information for which access is desired.
  - The reason(s) why the requestor has a need for, or right to, the information.
  - The frequency and duration of the requested access.
  - The type of access (e.g., read, update, copy, etc.).
After the data owner approves the request for access and returns it to the requestor, the approval is then routed to either EISEnterprise Information Services (formerly Information Services Division) or the requesting organization’s ISCInformation Security Coordinators for action.

49020.10.1 Information Security‑Responsibilities of Password Owners

Access to CDCRCalifornia Department of Corrections and Rehabilitation’s information systems is restricted by password to only authorized persons. Authorized persons shall never reveal their passwords to anyone for any reason. Authorized persons using a computer shall log off or activate a password-protected screensaver before leaving the immediate vicinity of the computer or terminal. Additionally, no ability shall exist for a user to store, load, or invoke the log on process on any CDCRCalifornia Department of Corrections and Rehabilitation computer, by any method that includes the user Resource Access Control Facility (RACF), IDInstitutions Division (see DAI), or the password. Violation of this Policy may result in the revocation of all access privileges and appropriate disciplinary action. Such disciplinary action may be based not only on the violation itself, but also on all activity performed by those obtaining access to a system or information asset due to a violation of this Policy.
The password is a major “key” to the integrity of CDCRCalifornia Department of Corrections and Rehabilitation’s automated environment. The password policy exists to protect the integrity of that “key.” User IDs shall never be duplicated. User IDInstitutions Division (see DAI) security is backed up by the existence of passwords. Owners are responsible for anything for which their password is used. Therefore, as a matter of self-protection, the password owner shall:
- Not tell anyone what their password is.
- Not write down their the password.
- Not use an obvious password. Obvious passwords include one’s name or nickname, the names of one’s children, one’s user IDInstitutions Division (see DAI), names, or words associated with hobbies (“DANCER,” “SKIER,” “GOLFER,” etc.), names associated with favorite books, TV shows, or movies (“JEDI,” “FRODO,” “PICARD,” “RHETT,” etc.), “SECRET,” “SECURE,” “PASSWORD,” all spaces or the “enter” key, “9999999”, “XXXXXXX,” driver’s license, social security numbers, the name of the current month, etc.
- Not use words that can be looked up in any dictionary, including foreign languages (e.g., Latin).
- Use non-obvious passwords, such as word combinations rather than single words (“COMPUTERUSER,” “SKIBUM,” “IAMADANCER,” etc.) intentionally misspelled words (“KRAKER,” “KORECTUNS,” etc.), or random combinations of letters and numbers, etc.
- Use passwords that are at least seven eight characters long.
- Change the password in accordance with specific application requirements, every 30 to 90 days, depending on the application.
If the password owner becomes aware that a correct password is being rejected, that user should immediately notify the local ISCInformation Security Coordinators and the AISO, since this may indicate that someone has discovered the password and has changed it without the owner’s permission, resulting in the owner no longer knowing his or her own password.
If a password is forgotten, the local ITInformation Technology support staff ISCInformation Security Coordinators or the CDCRCalifornia Department of Corrections and Rehabilitation Help Desk shall be contacted for a password reset. They shall validate the owner’s identity and give a new temporary, one-time password. The owner shall change this password immediately.
If anyone asks for a password, the owner shall refuse to provide it and shall refer the person to a supervisor. The owner shall then notify the supervisor.
Anyone who knows that any password has been compromised should take the following actions:
- Notify the ISCInformation Security Coordinators;
- Notify the immediate manager/supervisor;
- Notify the Information Security Office;
- Complete a “security incident report” and submit it to the Information Security Office.

49020.10.2 Information Security‑Responsibilities of Supervisors

People are provided passwords because their jobs require them to access CDCRCalifornia Department of Corrections and Rehabilitation information systems. When a password owner terminates employment or is reassigned to duties that do not require such access, the immediate supervisor shall, without delay, notify the applicable party of the change.
The authority to access CDCRCalifornia Department of Corrections and Rehabilitation computers entails a significant risk to the Department’s ability to function. Such authority is restricted to persons with a demonstrated need for access. Because that need is, by definition, a function of the person’s specific job duties, any change in those duties requires a reevaluation of the need for access. If the duties change such that the need for access no longer exists, the access shall be revoked.
If any password owner changes job duties (via resignation, promotion, transfer, reorganization, separation, etc.), that individual’s immediate supervisor shall initiate the following:
- Reevaluate whether the person’s new duties still require the authority to access CDCRCalifornia Department of Corrections and Rehabilitation’s computers.
- Notify the local ITInformation Technology support staff or the access management group if the person no longer requires access authority.
- Notify the owner of the relevant CDCRCalifornia Department of Corrections and Rehabilitation information so that the appropriate paperwork can be initiated to document the removal of the person’s access privileges if the person no longer requires access authority.
The lack of use of the access authority is assumed to be proof that the authority is no longer required. Access authority to information assets may be revoked without notice if they are not used regularly.

49020.10.3 Requesting Authority to Access CDCR’s Mainframe Environments

Access to an entire mainframe environment shall not be authorized. Access to specific portions of that environment, such as, but not limited to, the system development facilities, shall be authorized for specific organizations. Access to a specific application can be authorized by the Information Owner as a means of meeting a specific request for specific information.

49020.10.4 Unattended Workstations

Active workstations or terminal sessions must not be left unattended. Any authorized or unauthorized activity on an unattended workstation will be attributed to the person whose logon and password activated the terminal or workstation. All sessions shall either be terminated when leaving the immediate area, or protected with a password-activated screensaver.

49020.10.5 Restrictions on Using CDCR Information Assets

The use of all CDCRCalifornia Department of Corrections and Rehabilitation information assets including any mainframe computers, servers,minicomputers notebook, laptop and workstation desktop systems, network components, and applications run on or accessed from CDCRCalifornia Department of Corrections and Rehabilitation computers is restricted to official CDCRCalifornia Department of Corrections and Rehabilitation business.

49020.10.6 Reassignment of Workstations

The local computer coordinators shall erase all electronic documents from the hard drive of a computer once any staff member of the CDCRCalifornia Department of Corrections and Rehabilitation has ceased using that computer. All forms of electronic documents that the previous staff member created, received, or used shall be removed. As needed, the electronic documents may be transferred to another computer. Notification of the previous staff member’s being placed on litigation hold or being under investigation requires that the information be stored and properly secured until further notification. All CDCRCalifornia Department of Corrections and Rehabilitation employees shall also be made aware of the events and activities that constitute threats to the organization for which they work and of the actions to be taken when confronted by those events or activities.

49020.11 Information Systems Acquisitions, Development and Maintenance

Information systems include operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications. The design and implementation of the information system supporting the business process can be crucial to security. Security requirements shall be identified and agreed upon prior to the development and/or implementation of information systems. All security requirements shall be identified at the requirements phase of a project and justified, agreed upon, and documented as part of the overall business case for an information system.

49020.11.1 Correct Processing in Applications

Appropriate controls shall be designed into applications to ensure correct processing. These controls should include data validation of input data, internal processing and output data. Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information.

49020.11.1.1 Input Data Validation

Checks shall be applied to the input of transactions. The following guidelines should be considered:
- Dual input or other input checks, such as boundary checking or limiting fields to specific ranges of input data;
- Periodic review of the content of key fields or data files to confirm their validity and integrity;
- Inspecting hard-copy input documents for any unauthorized changes (all changes to input documents should be authorized);
- Procedures for responding to validation errors;
- Procedures for testing the plausibility of the input data;
- Defining the responsibilities of all personnel involved in the data input process;
- Creating a log of the activities involved in the data input process.

49020.11.1.2 Message Integrity

An assessment of security risks should be carried out to determine whether message integrity is required and to identify the most appropriate method of implementation. Data output from an application shall be validated to ensure that the processing of stored information is correct.
Output validation may include:
- Plausibility checks to test whether the output data is reasonable;
- Reconciliation control counts to ensure processing of all data;
- Providing sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision, and classification of the information;
- Procedures for responding to output validation tests;
- Defining the responsibilities of all personnel involved in the data output process;
- Creating a log of activities in the data output validation process.

49020.11.2 Cryptographic Controls

Cryptographic controls should be considered to achieve:
- Confidentiality: using encryption of information to protect sensitive or critical information either stored or transmitted;
- Integrity/authenticity: using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information;
- Non-repudiation: using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action.
Based on a risk assessment, the required level of protection shall be identified taking into account the type, strength, and quality of the encryption algorithm required. All cryptographic keys shall be protected against modification, loss, and/or destruction.

49020.11.3 Security of System Files

To minimize the risk of corruption to operation systems, the following procedures shall be implemented:
- The updating of operation software, applications, and program libraries, shall only be performed by trained administrators upon management authorization;
- Operational systems shall only contain approved executable code, and not development code or compilers;
- A rollback strategy shall be in place before changes are implemented;
- An audit log shall be maintained of all updates to operational program libraries;
- Previous versions of application software shall be retained as a contingency measure.
Decisions to upgrade to a new software release should take into account the business requirements for the change, and the security of the release, i.e. the introduction of new security functionality or the number and severity of security problems affecting this version. Software patches shall be applied when they can help to remove or reduce security weaknesses.
Physical or logical access shall only be given to non-CDCRCalifornia Department of Corrections and Rehabilitation employees for support services when necessary, and with approval from the AISO. Access to CDCRCalifornia Department of Corrections and Rehabilitation information resources should be monitored. Computer software that relies on externally supplied software and modules shall be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.

49020.11.4 Protection of System Data

The use of operational databases containing personal information or any other sensitive information for testing purposes should be avoided. If personal or otherwise sensitive information is used for testing purposes, all sensitive details and content should be removed or modified beyond recognition before use.

49020.11.5 Access Control to Program Source Code

Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) shall be strictly controlled, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes.

49020.11.6 Security in Development and Support Processes

Ensuring the security of application system software and information is essential. As such, production environments shall be strictly controlled.

49020.11.6.1 Change Control Procedures

Formal change control procedures shall be documented and enforced in order to minimize the corruption of information systems. Introduction of new systems and all changes that could possibly have an impact on the users or system availability shall follow a formal process of documentation, specification, testing, quality control, and managed implementation.
This process shall include an analysis of the impacts of changes, and specification of security controls needed. This process shall also ensure that existing security and control procedures are not compromised, that support programmers are given access only to those parts of the system necessary to perform or complete their work, and that formal agreement and approval for any change is obtained.
The following operational change control procedures shall be integrated:
- Maintain a record of the agreed authorization levels;
- Ensure changes are submitted by authorization users and have management approval;
- Review controls and integrity procedures to ensure that nothing will not be compromised by the changes;
- Identify all software, information, database entities, and hardware that require amendment;
- Obtain form approval from the Change Control Board before work commences;
- Ensure system documentation is updated on the completion of the change and that old documentation is archived or disposed of;
- Maintain version control for all software updates;
- Maintain an audit trail of change requests;
- Ensure that operating documentation and user procedures are changed as necessary to remain appropriate;
- Ensure that the implementation of changes take place at the right time and does not have a significant impact to the business involved.

49020.11.6.2 Technical Review of Applications after Operating System Changes

When operating systems are changed, critical business applications shall be reviewed and tested to ensure there is no adverse impact on operations or security.

49020.11.6.3 Outsourced Software Development

Outsourced software development shall be supervised and monitored by EISEnterprise Information Services (formerly Information Services Division).

49020.12 Incident Management

To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective actions to be taken, formal event reporting and escalation procedures shall be in place. All employees, contractors and third-party users shall be made aware of the procedures for reporting the different types of events and weaknesses that might have an impact on the security of the CDCRCalifornia Department of Corrections and Rehabilitation’s information assets.
Incident Reporting
It is the responsibility of all departmental employees to report all incidents that would place the Department’s information assets at risk. The following incidents shall be reported through the local ISCInformation Security Coordinators to the Information Security Office within three days of becoming aware that a security an incident has occurred:
- Unauthorized access to, or modification of, State-owned or State-managed data, including non-electronic data such as reports, documentation, and hard copy files.
- Unauthorized use of, or access to, State computer resources, including computer networks and services as well as systems not necessarily connected to a network.
- Unauthorized access to, or modification of, computer software, including operating systems, networks, configurations, and applications. This includes the introduction of malicious software such as viruses, worms, and other malicious software.
- Deliberate or unauthorized acts resulting in disruption of State computer services, including “Denial of Service” attacks.
- Unauthorized use of user account or Internet domain names.
- Destruction of, or damage to, State facilities and/or information assets.
- Break-in or other unauthorized access to State facilities resulting in compromise to the data or computer systems housed within those facilities.
- Security weaknesses that pose a threat to CDCRCalifornia Department of Corrections and Rehabilitation information resources.
The Information Security Office shall investigate all incidents.

49020.12.1 Incident Report Format

The following information concerning each incident shall be reported to the ISOInformation Security Officer Information Security Office within three working days of becoming aware of the occurrence of the incident:
- Date and time.
- Location.
- Description of what happened.
- Estimated damages.
- Description of corrective action taken or planned.
- Estimated costs associated with corrective actions.
- If known, identity of those responsible for the incident.
- Descriptions of actions taken or planned against those responsible for the incident.
- Contact name and phone number of the person reporting the incident.
The report submitted to the ISOInformation Security Officer Information Security Office shall be signed by the appropriate Warden, Regional Parole Administrator, Director, or Assistant Secretary.
Incidents involving the following shall be forwarded to the State Office of Information Services (OIS) within five business days of the initial report, and shall be signed by the AISO and Secretary or there authorized delegate:
- CDCRCalifornia Department of Corrections and Rehabilitation-owned or CDCRCalifornia Department of Corrections and Rehabilitation managed data, without authorization, was damaged, destroyed, deleted, shared, altered, or copied, or used for non-state business. This includes computer documentation and configuration information, as well as electronic and non-electronic data and reports.
- Unauthorized parties accessed one or more CDCRCalifornia Department of Corrections and Rehabilitation computers, computer systems, or computer networks. This includes deliberate and unauthorized uses of CDCRCalifornia Department of Corrections and Rehabilitation-owned computer services, as well as, “hacker attacks.”
- Someone has accessed and without permission added, altered, damaged, deleted, or destroyed any computer programs which reside or exist internal or external to a CDCRCalifornia Department of Corrections and Rehabilitation computer, computer system, or computer network.
- Disruption of CDCRCalifornia Department of Corrections and Rehabilitation computer services or denial of computer services occurred in a manner that appears to have been caused by deliberate and unauthorized acts.
- A contaminant was introduced into a CDCRCalifornia Department of Corrections and Rehabilitation computer, computer system, or computer network. This includes, but is not limited to, viruses, Trojans, worms, and other types of malicious attacks.
- Internet domain names and/or users account names have been used without permission in connection with the sending of one or more electronic mail messages, and thereby caused damage to a CDCRCalifornia Department of Corrections and Rehabilitation computer, computer system, or computer network, or misrepresented CDCRCalifornia Department of Corrections and Rehabilitation or CDCRCalifornia Department of Corrections and Rehabilitation employees in electronic communications.
- Damage or destruction of CDCRCalifornia Department of Corrections and Rehabilitation information processing facilities has occurred.
- Physical intrusions into CDCRCalifornia Department of Corrections and Rehabilitation facilities have occurred that may have resulted in the compromise of CDCRCalifornia Department of Corrections and Rehabilitation data or computer systems.
- Lost, damaged, or stolen devices used for information processing.
The California Highway Patrol’s Emergency Notification and Tactical Alert Center (ENTAC) shall be notified of the occurrence of an incident within one day of receipt of the initial report. Incidents involving “Personally Identifiable Information” (PII) or “Personal Health Information” (PHI) involving more than 500 California Residents shall be reported to the Attorney General.

49020.12.2 Collection of Evidence

When misconduct is discovered which constitutes an information security incident in conjunction with a possible violation of departmental policy or criminal violation, precaution must be taken to avoid contamination of the possible electronic evidence. Prior to taking action, the discoverer should contact the Hiring Authority and/or the Office of Internal Affairs (OIAOffice of Internal Affairs) for direction, if the misconduct could lead to an administrative investigation. If the misconduct rises to the level of criminal misconduct, the OIAOffice of Internal Affairs must be notified immediately prior to any action being taken.
When there is any incident that involves the preservation of any evidence and after the first responder has consulted with the Hiring Authority/OIAOffice of Internal Affairs, the first responder is responsible to preserve the electronic crime scene and recognize, collect, and safeguard the digital evidence and/or non-digital evidence. First responders and managers who supervise personnel who process such events should be familiar with the information in this section and perform their duties.
Digital evidence includes all information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. All other evidence is non-digital evidence.
When dealing with digital evidence, general forensic and procedural principles should be applied:
- The process of collecting, securing, and transporting digital evidence should never change the evidence and integrity of the chain of evidence must be maintained.
- Digital evidence should only be examined and/or acquired by those trained specifically for that purpose. First responders without proper training, equipment, or skills should not attempt to explore the contents of or to recover information from any electronic device.
- Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, and preserved. Documentation should include the specific location of the evidence found, how it was collected, labeled, and preserved.
- Package and transport digital evidence in a secure manner consistent with chain of evidence procedures.
- Any Forensic work shall be performed on copies of the digital evidence. The original device(s) shall be secured and protected for the entire process until a matter has been determined closed. The original drive shall not be imaged or cloned without consulting first with the OIAOffice of Internal Affairs.
When dealing with all other forms of non-digital evidence:
- The original evidence shall be kept securely with a record of the individual who located it.
- The individual who located the original evidence shall prepare a record of the location of the evidence, when the evidence was found, who witnessed the discovery of the evidence.
- Package and transport of non-digital evidence in a secure manner consistent with chain of evidence procedures.

49020.13 Failure to Correct Information Security Deficiencies

Should any audit indicate that the State’s security policies are not established or that the Department has not taken corrective action with respect to security deficiencies, the Department may be subject to any or all of the following:
- Further audit and review by the Department of Finance (DOFDepartment Of Finance), Bureau of State Audits (BSA), State Controller’s Office (SCOState Controller’s Office), and/or Department of Justice (DOJDepartment Of Justice).
- Revocation by the DOFDepartment Of Finance of delegated approval authority for ITInformation Technology projects.
- Application of penalties specified in GCGovernment Code § 1222.

49020.14 Technical Vulnerabilities Management

Technical vulnerability management shall be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.
A current and complete inventory of information assets will be maintained. Specific information gathered should include software vendor, version numbers, software installed and person(s) responsible for the software installation. Appropriate timely action shall be taken in response to the identification of potential technical vulnerabilities. The following should be established:
- EISEnterprise Information Services (formerly Information Services Division) shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required;
- Information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list,); these information resources should be updated based on changes in the inventory, or when other new or useful resources are found;
- A timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
- Once a potential technical vulnerability has been identified, EISEnterprise Information Services (formerly Information Services Division) shall identify the associated risks and the actions to be taken;
- Depending on the urgency of which a technical vulnerability needs to be addressed, the action taken shall be carried out according to change control procedures or by following the Department’s information security incident response procedures;
- If a patch is available, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
- Patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
  - Turning off services or capabilities related the vulnerability
  - Adapting or adding access controls, e.g., firewall rules, at the network border;
  - Increased monitoring to detect or prevent actual attacks;
  - Raising awareness of the vulnerability.
Employees, contractors, and third-party users of information systems and services shall not attempt to prove suspected security vulnerabilities. Testing vulnerabilities may be interpreted as a potential misuse of the system and could cause damage to the information system or service and result in disciplinary actions for the individual performing the test.

49020.15 Confidential or Sensitive Information Stored on Workstations

The nature of information classified as confidential or sensitive requires strict controls over access to such assets (SAMState Administrative Manual, § 5335.2). Files containing confidential or sensitive data (as defined in SAMState Administrative Manual § 5335.2) should not be stored in personal computer systems unless it has been demonstrated that doing so is in the best interest of the Department and that security measures have been implemented to provide adequate protection and approval from the AISO has been given.
With the aforementioned approval, confidential or sensitive information may be stored on or accessed with workstations in accordance with the following provisions:
- Only authorized personnel may have access to confidential or sensitive data.
- Workstations containing or capable of accessing such data shall be equipped with hardware and/or software that provide for authentication techniques, such as password protection of confidential files.
- HRCI and sensitive files shall be encrypted, if the owner deems it necessary. Encryption software must comply with standards documented in the ISAInformation Systems Analyst. the AISO’s ISSG.
- Backup files of confidential data shall be maintained in a locked cabinet away from the location of the workstation containing the program providing access to such files.
- Security hardware/software shall comply with standards documented in the. ISSG.
- At least two individuals shall be authorized access and have knowledge of the location where data files, backup files, and forms are stored.

49020.15.1 Software Controls on CDCR’s Workstations

The following software controls shall be established for all CDCRCalifornia Department of Corrections and Rehabilitation workstations:
- No software shall be loaded, installed, and/or activated on any CDCRCalifornia Department of Corrections and Rehabilitation workstation without prior review and written approval from the local ISCInformation Security Coordinators and the requestor’s supervisor, or EISEnterprise Information Services (formerly Information Services Division).
- Controls that ensure that the CDCRCalifornia Department of Corrections and Rehabilitation is in compliance with all State-mandated requirements (SAMState Administrative Manual §§ 4820,5310 and 5345.1). 4989.7, and 4990.1).
- Appropriate procedures shall be developed by ISCs for use by each CDCRCalifornia Department of Corrections and Rehabilitation division that has workstations. These procedures are subject to approval by the AISO, Department’s ISOInformation Security Officer, and are constrained by the requirements of the CDCRCalifornia Department of Corrections and Rehabilitation workstation policy.

49020.15.2 Data File Transfers

Electronic transfer (file transfer) of information to or from any CDCRCalifornia Department of Corrections and Rehabilitation information system file or database is restricted to authorized persons who shall use an approved file transfer mechanism. The same level of protection afforded the information in its originating system shall be provided by the computer environment to which the information is transferred.
Transfer of information from one CDCRCalifornia Department of Corrections and Rehabilitation computer to another does not alter the sensitive nature of the information or eliminate the need to protect the confidentiality of the information. An appropriate procedure shall be developed by EISEnterprise Information Services (formerly Information Services Division) for use by each CDCRCalifornia Department of Corrections and Rehabilitation division that uses file transfer mechanisms. The procedure shall be constrained as follows:
- The user is responsible for providing the necessary controls to secure all confidential information maintained in the workstation environment. A Security Plan must be approved by the ISOInformation Security Officer prior to High Risk Confidential Information or sensitive information being stored on a workstation.
- Dial-up access to the Department’s databases is prohibited without explicit authorization from the data owner and Information Security Office.
- All requests to transfer information shall be approved by the owners of the information and the custodians of the information. The owners shall provide the necessary authorization for access (if the request is approved) and the custodian shall provide the methodology.
- Confidentiality and integrity of information shall be maintained.
- Any workstation performing file transfers shall be subject to additional hardware and software controls (e.g., encryption and dynamic password user authentication) to enhance the security environment of the workstation.Interagency data file transfers are subject to requirements described above as well as those defined in DOMDepartment Operations Manual, Chapter 4, Article 45, Information Security, § 49020.5.

49020.16 Information Security Architecture Standards and Guidelines

Data processing equipment in CDCRCalifornia Department of Corrections and Rehabilitation’s automated network environment (computers and peripherals) shall be secured against access by unauthorized persons. Any equipment that is not stand-alone is considered teleprocessing data processing equipment. This includes all workstations that are connected to each other or to any other server or mainframe, mini or micro, system, whether by dial-up, cabling (including, but not limited to, coax, twisted pair, and fiber), LANs, gateways, routers, and all other network components. Access to CDCRCalifornia Department of Corrections and Rehabilitation’s network shall be restricted to CDCRCalifornia Department of Corrections and Rehabilitation employees and approved consultants. The methods by which CDCRCalifornia Department of Corrections and Rehabilitation’s data processing equipment is secured shall be documented in the CDCRCalifornia Department of Corrections and Rehabilitation ISSG. Any exception or modification to the ISSG must be approved in writing by the AISO prior to implementation.
The ISSG shall include descriptions of procedures to protect and preserve the data processing teleprocessing equipment from access by unauthorized persons. The procedures are constrained by the following:
- Only authorized personnel shall have access to terminals, printers, control units, concentrators, telephone wiring panels, modems, and emulation cards.
- Control of access through the CDCRCalifornia Department of Corrections and Rehabilitation telecommunications system to the Internet is the responsibility of the EISEnterprise Information Services (formerly Information Services Division), and is administered in accordance with the ISSGISA. Additional access not described in the ISSG ISAInformation Systems Analyst constitutes a request for a modification to the ISSG ISAInformation Systems Analyst and must be submitted and approved in accordance with this policy prior to implementation.
- Persons not authorized to access the CDCRCalifornia Department of Corrections and Rehabilitation’s telecommunications system shall obtain approval from the designated local ISCInformation Security Coordinators. Unauthorized persons include representatives of control agencies, CDCRCalifornia Department of Corrections and Rehabilitation personnel from another site, equipment vendors, telephone companies, etc.
- Any division with custodianship of decentralized applications shall locate equipment in restricted areas that shall be monitored during working hours and locked during unattended periods.
- Access to computers, either connected to a CDCRCalifornia Department of Corrections and Rehabilitation network or stand-alone, shall be limited by the use of a password-protected screensaver and/or key-controlled access to the power supply and/or keyboard with the keys physically removed and stored away from the workstation.
- Computers connected in any way to CDCRCalifornia Department of Corrections and Rehabilitation’s telecommunications system or stand-alone computers with modems connected to them may not be located in areas where inmates have access, except for work assignments when the inmates are under the direct and constant supervision of custody staff.
- Control units shall be locked whenever possible and the keys removed and stored in a secure environment.
- Storage media including, but not limited to, diskettes, CDs, removable hard drives, and tapes shall be removed from equipment that reads them and stored in a secure environment when not in use.
- Documentation pertaining to the hardware, system software, and configuration of the CDCRCalifornia Department of Corrections and Rehabilitation’s telecommunication system are confidential.
- All facility phone rooms and other locations where network components are kept shall be labeled “Out of Bounds. Authorized Personnel Only.”

49020.16.1 Requests for Modifications of the Information Security Architecture ISSG

The sensitivity of the CDCRCalifornia Department of Corrections and Rehabilitation’s automated information assets requires strict controls over who can use equipment that is configured to access assets. Also, the monetary value f the equipment itself warrants physical controls to deter theft or damage to the equipment. Requests for modification of the ISSG shall be submitted to the AISO.

49020.17 Modem Usage

The critical and sensitive nature of the informational resources residing in CDCRCalifornia Department of Corrections and Rehabilitation’s computers requires stringent controls of devices attached to these computers, and over which persons are allowed to use these devices.
All access to the CDCRCalifornia Department of Corrections and Rehabilitation’s systems shall be monitored and controlled by EISEnterprise Information Services (formerly Information Services Division). All other means of accessing CDCRCalifornia Department of Corrections and Rehabilitation systems including, but not limited to, wireless communication devices and dialup modem, are prohibited unless approved by the ISOInformation Security Officer.
Modem use is restricted to computers not connected to the CDCRCalifornia Department of Corrections and Rehabilitation Network, unless such use is an approved part of the ISAInformation Systems Analyst. Requests for additional modems to be used within the CDCRCalifornia Department of Corrections and Rehabilitation teleprocessing environment are subject to approval.
Modems may be used to access remotely the CDCRCalifornia Department of Corrections and Rehabilitation network resources through EISEnterprise Information Services (formerly Information Services Division)-supported access mechanisms. They may also be used to provide access to the Internet and specific destinations and e-mail capability when such access is not available through the CDCRCalifornia Department of Corrections and Rehabilitation network resources. Justification and procurement of modems for these purposes shall be conducted in accordance with DOMDepartment Operations Manual, Chapter 4, Article 41, Departmental Workgroup Computing Policy.
Specific restrictions on the use of modems are:
- There shall be no inmate or parolee access to any computer for which a modem has been approved. Computers that are attached to modems shall not be located in areas where inmates or parolees have access.
- No applications that were developed by inmates shall be implemented on a modem-equipped computer.
- No modems shall be installed on any computer that is a part of a LANLocal Area Network that has been approved for inmate use.
- The location and usage of all modems must be tracked and monitored at all times.
- Computers with “pocket” modems may not be used within the secured perimeter of facilities. They shall not be used in parole offices unless the area where the modem is to be used is secured from parolee access.
- Non-CDCRCalifornia Department of Corrections and Rehabilitation computers shall not access the CDCRCalifornia Department of Corrections and Rehabilitation Network via modem.

49020.18 Inmate/Ward Use of Computers

It is the policy of the Department to allow inmates, wards or parolees access to computers, computer terminals, or computer keyboards only within the constraints of the policies contained in this Article. For the purpose of this section, “Inmate” means a male or female offender who is committed under sentence to or confined in a penal or correctional institution under the authority of CDCRCalifornia Department of Corrections and Rehabilitation, which includes youth offenders under the jurisdiction of the CDCRCalifornia Department of Corrections and Rehabilitation’s Division of Juvenile Justice. Any request for exception shall be referred to the AISO ISOInformation Security Officer for review.

49020.18.1 Restrictions on Computer – Knowledgeable Inmates

Revised November 4, 2013

Inmates who have a history of computer fraud or abuse, as defined in Penal Code (PCPenal Code), § 502, shall not be placed in any assignment that provides access to a computer.
Inmates that have documented histories of computer fraud or abuse, as noted during the initial classification process, shall be identified on the initial classification chrono. Any occurrence of computer abuse after admittance to the prison system shall also be recorded in the inmate’s records.
The use of inmates as programmers and system experts shall be prohibited where there is a risk to the information assets of the Department or public, as determined by the institution head or the ISOInformation Security Officer. Inmates shall not be used as programmers or system experts for departmental business applications, systems, and data, per CCRCalifornia Code of Regulations Title 15 § 3041.3(c)(1). Staff assigned to supervise inmates using computers must be able to monitor inmates’ activities.

49020.18.2 Inmate Access to Computer – Based Tools

Inmates shall not be allowed access to any computer-based tools that could be utilized to create a virus, Trojan Horse, worm, or cause damage to data files or a computer’s operating system, except in an approved Computer Refurbishment Program.

49020.18.3 Inmate Access to Computers and Telecommunications Devices

Inmates may access workstations for the purpose of completing specific tasks or assignments while under direct and constant supervision. The approved uses of workstations by inmates shall be carried out only under very tightly controlled circumstances:
- Each computer shall be labeled to indicate whether inmate access is authorized.
- Computers used by inmates shall not be used concurrently for any other purpose.
- The local ISCInformation Security Coordinators shall approve or disapprove the movement of computers from an “inmate use” status to other work and vice versa.
- Any computer that is being repurposed from employee use to inmate use shall have the hard drive erased of all data prior to the redeployment using the methods in the department’s data wiping standards.
- Inmates with a work assignment involving a particular computer shall not be assigned to work on other computers.
- Areas where inmates are authorized to work on computers shall be posted as such.
- All inmates shall be under the supervision of a knowledgeable employee within a controlled, designated area when using computers.
- There shall be no communications capabilities in the designated area, such as a telephone line, computer network line, telephone punch panel, cell phones, wireless communication devices such as pagers or handheld computers or radio communication devices without approval of the AISO.
- Inmates shall not have access to computer utility programs used to modify the functionality of the computer or to view system configuration information, except in an approved Computer Refurbishment Program.
- Inmates shall not have electronic storage media in their possession except within an approved area.
- Inmates may not have access to computer application development tools.
- An inventory and appropriate controls shall be maintained on all portable storage mediadiskettes. Diskettes Portable storage media for inmate use shall be labeled “For Inmate Use.” Reports and other printed output from inmate-utilized computers shall be reviewed closely by staff, and appropriate distribution of such output shall be monitored.
- Inmates shall not have access to the operating system of any computer. Inmates shall not have access to any interface that allows access to the system configuration of any computer including, but not limited to, dialogue boxes, setup, and configuration screens. Additionally, inmates shall not have access to operating system commands that allow viewing or modification of any aspect of a computer operating system or the configuration of a computer, except in an approved Computer Refurbishment Program.
- Inmates shall not be allowed to load software onto hard disks, except in an approved Computer Refurbishment Program.
- No inmate shall have access to, or possession of, any telecommunication capability, including Internet accessible computers, wireless devices such as pagers or handheld computing devices or cell phones without approval from the Agency Information Security Officer.
- There shall be no inmate access to a computer outside the inmate’s authorized work, vocational, or educational areas, unless approved by the AISOISO.

49020.18.4 Operation of Computer Programs Created by Inmates

Any computer-based system that was created by inmate programmers that is used to accomplish or complete the CDCRCalifornia Department of Corrections and Rehabilitation-related work shall not be operated or maintained by any inmate.

49020.18.5 Supervision of Inmates Using Computers

The persons responsible for supervising inmates’ use of computers shall certify in writing that these policies are being adhered to at their specific site.
A copy of this certification shall be kept on site by the local ISCInformation Security Coordinators.

49020.18.6 Education Computers

The use of computers for academic and vocational education is subject to the same requirement of due care applying to all personnel that use computers within applicability of the Department’s information security and risk management program.

49020.18.7 CALPIA Systems

Inmate use of computers in CALPIACalifornia Prison Industry Authority (formerly PIA) and in CDCRCalifornia Department of Corrections and Rehabilitation facilities shall be in accordance with the departmental policies and institutional procedures.

49020.19 Information Security‑Warnings

All critical Department systems shall display a criticality warning at the first screen that any user of the system will see when the computer system is accessed.

49020.20 Revisions

The Director of EISEnterprise Information Services (formerly Information Services Division) or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

49020.21 References

Revised November 4, 2013

The Constitution of the State of California, Article 1, Section 1.
The Information Practices Act of 1977, Civil Code § 1798.
The Federal Copyright Act of 1976.
The California Public Records Act.
Title 15 § 3041.3(c)(1).
PCPenal Code, Penal Code §§ 502, 2702, 11075-11081, 11142.
SAMState Administrative Manual, §§ 1601-1699, 4820, 4841, 4841.3, 4842.1, 4989.7, 4990.1. 5300-5360.1.
GCGovernment Code §§ 1222, 6250-6265, 14740-14770.
DOMDepartment Operations Manual §§ Chapter 1, Article 23, and Chapter 4, Articles 31, 40, 41, 46, 48.

Article 46 – Information Systems Risk Management

49030.1 Policy

Revised April 16, 1993

All ITS within the Department are subject to having a risk analysis prior to any approval or authorization for development or implementation. The result of this analysis, “The Risk Analysis and Risk Reduction Report,” shall be submitted as part of the request for approval. This report is a part of the feasibility study for large systems, and stand-alone facilities within small systems. A multipurpose work station is exempt from this requirement unless there is a need for a modem or to store confidential or sensitive information.

49030.2 Purpose

The purpose of this policy is to identify and provide for the use of a generic systems approach as part of the Department’s risk management program. This process shall assist users, systems designers, systems developers, and management in answering a number of basic questions, such as:
- What is the nature of the problem?
- What needs to be changed, modified, or accomplished?
- What alternatives are available to solve the problem?
- How, specifically, shall the problem be solved?
- How well does the new solution work?

49030.3 Responsibilities

The following is a description of the organizational responsibilities for administering this program.
The Director
- The Director is responsible for establishing and maintaining a risk management program within the Department. It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure.
- Specifically, the Director is responsible for ensuring the following:
  - Enforcement of State-level risk management policies.
  - Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software and equipment, and the integrity and security of the agency’s automated information.
  - Department compliance with reporting requirements related to risk management issues.
  - Appointment of a qualified Information Security Officer (ISOInformation Security Officer).
  - Participation of management during the planning, development, modification and implementation of risk management policies and procedures.
Information Security Officer
- GCGovernment Code 1171 requires that the director of each agency designate an ISOInformation Security Officer. The ISOInformation Security Officer is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISOInformation Security Officer shall be accountable to the CDC Director regarding these responsibilities.
- To avoid conflicts of interest, the ISOInformation Security Officer shall not have direct responsibility for information processing, information access management functions, any departmental computer based systems or have a reporting relationship to an organization that has such responsibilities. The ISOInformation Security Officer shall not have any special allegiance or bias toward a particular program or organization.
- The responsibilities of an ISOInformation Security Officer include overseeing the following:
  - Implementation of necessary procedures to ensure the establishment and maintenance of a risk management program, including a risk analysis process.
  - Establishment of procedures necessary to monitor and ensure compliance of established risk management policies and procedures.
  - Coordination with internal auditors and QCQuality Control personnel to define their role in automated ITS planning, development, implementation, operations, and modifications relative to risk management.
  - Coordination with the data center’s ISOInformation Security Officer or staff on matters related to the planning, development, implementation, modification, or risk management policies and procedures that affect the Department.
  - Establishment of procedures to comply with control agency reporting requirements.
  - Establishment of mechanisms to assure that Department staff (with particular emphasis on the owners, users and custodians of information) are educated and aware of their roles and responsibilities relative to risk management.
  - Establishment of training programs for Department employees related to risk management.
Technical Management
- Department technical management has the following responsibilities relative to CDC’s risk management program:
  - Ensuring that management, the ISOInformation Security Officer, assigned owners, and users/custodians are provided the necessary technical support services with which to define and select cost effective solutions to high risk problems identified through the risk analysis process.
  - Ensuring the implementation of controls and procedures necessary to manage the risk identified through the risk analysis program.
Program Management
- Department program managers have the following responsibilities in relation to CDC’s risk management program:
  - Establishing the procedures necessary to comply with risk management policy in relation to ownership, user and, if appropriate, custodian responsibilities.
  - Ensuring the proper planning, development, and establishment of risk management processes and procedures for new computerbased systems and the files or data bases for which the program has ownership responsibility, and for new physical devices assigned to and located in the program area(s).
Program Personnel
- Program personnel have the following risk management responsibilities:
  - Implementing and monitoring data QAQuality Assurance functions to ensure the integrity of data for which the program is assigned ownership responsibility.
  - Complying with applicable federal, State, and Department risk management policies and procedures.
  - Identifying information system vulnerabilities and informing program management and the ISOInformation Security Officer of those vulnerabilities.
Internal Auditors
- Internal auditors have the following responsibilities in relation to the Department’s risk management efforts:
  - Examination of the Department’s policies and procedures for compliance with State risk management policies.
  - Examination of the Department’s policies and procedures for compliance with control agency audit requirements.
  - Examination of the effectiveness of the Department’s policies and procedures, identification of inadequacies within the existing risk management program, identification of possible corrective actions, and informing management, the ISOInformation Security Officer, and the owners, custodians, and users of information of the findings.
QCQuality Control
- The designated responsible QCQuality Control person/program has the following responsibilities in relation to the Department’s risk management program:
  - Review and evaluation of the risk management process used and its findings, to ensure the effectiveness of controls for automated ITS whether under design and development or operational, with particular emphasis on major systems.
Information Owners
- The owners of information are responsible for classifying the information, filing security incident reports, securing and storing the signed security agreements, and identifying for the ISOInformation Security Officer the level of acceptable risk.
- The owners of CDC information are identified in the system library document maintained by the MISManagement Information Systems Support Unit.
Information users
- It is the responsibility of all users to protect CDC resources, note variances from established procedures, and report such variances to the appropriate manager.
Information Custodians
- The custodians of information are responsible for complying with applicable laws, policies, and procedures. It is also the responsibility of custodians to advise the owner and the ISOInformation Security Officer of any threats to the information, and notify the owner and the ISOInformation Security Officer of any violations of security policies, practices, or procedures.

49030.4 ITS – Risk Management Definitions

Audit Requirements
- A section of the EDPElectronic Data Processing (see IT) audit reviews ITS documentation; each system not exempt from the audit requirements shall have an approved risk analysis report.
Critical Functions, System, and Resources
- Elements vital to the organization’s operation, and possibly to the continued, viable existence of the organization.
Current Risk
- Current risks are evident and continuing, and are inherent to a business operation, location, or process.
Data Integrity
- The state that exists when computerized data are the same as that in source documents and have not been exposed to accidental or malicious alteration or destruction.
Data Protection
- Measures to safeguard data from occurrences that could lead to the modification, destruction, or disclosure of data.
Data Security
- Protecting data from modification, destruction, or disclosure.
Potential Risk
- Potential risk is outside normal and purposeful business operations, and results from some intentional or unintentional, indeterminate action.
Risk
- Risk is a measure of the relative value attached to certain circumstances and conditions inherent in any business operation, or change to that operation. Risks are either current or potential.
Risk Analysis Content:
- Technical Analysis
  - For each risk scenario, specify the threat and potential safeguards/controls identified. Each control should be discussed along with its intended purpose and the types of threats it is effective against. If no safeguards are found, then a statement to that effect shall be provided.
- Operational Analysis
  - Each control identified above shall be analyzed and its impact on current operations should be discussed. All operational constraints that would make the safeguard difficult or impractical to implement or operate shall be discussed. Risks that shall be accepted due to the operational unacceptability of their safeguards shall be identified here.
- Economic Analysis
  - For all controls that are technically and operationally feasible, discuss the cost benefit.
- Risk Acceptance Summary
  - Lists all risks, acceptable or unacceptable. If acceptable, then indicate the basis for acceptance.
- Controls Summary
  - Presents the controls to be used for eliminating or reducing the risks identified in the risk acceptance summary. Each control shall be described in terms of its loss reduction or effect, as well as the primary and secondary threat categories against which the control is effective.
- Countermeasures
  - Any type of procedure (e.g., physical, procedural, hardware, software and personnel) used to counteract a threat to the system.
Risk Analysis Management Report:
- Summary
  - A concise overview of the analysis. It shall begin with a statement describing the scope and objectives of the study, followed by the recommendations for risk acceptance and alternatives for reducing or eliminating the unacceptable risks.
- Risk Scenario Summary
  - A summary of the essential data from the risk analysis.
- Risk Management Process
  - Risk management is the work a manager does to identify the risk, assess its level, and create a plan for the acceptance, rejection, or control of the risk. This work is carried out by the application of a well defined analytic process called “risk analysis,” and culminates in a risk analysis report and risk reduction decision study.
- Risk Analysis
  - Involves identifying the assets and resources that are at risk, as well as the threats to those assets and resources and the vulnerabilities in the risk environment that might allow the threats to materialize. Risk analysis also involves estimating the frequency with which the threats might occur, the safeguards currently in place, and the cost/impact that could be incurred if the threats to the risk environment were to materialize (this process correlates to the problem definition and analysis of the “current problem” steps in a generic systems approach).
- Risk Reduction Analysis
  - Involves identifying the availability of potential safeguards, determining the operational and economic feasibility of potential safeguards, and developing a risk reduction decision study for presentation to management (this process correlates to the identification of alternatives, cost-benefit analysis, selection of best alternative, and conceptual system design phases of the generic systems approach).
- Management Decision
  - Management decides which risks are acceptable. For those that are not currently acceptable, management decides which of the alternatives shall be implemented and approves the resources required to purchase, or design and develop, and then implement them (this process corresponds to the management decision phase of the generic systems approach).
- Development of Risk Reduction Plans
  - Outlines the tasks to be performed to implement the safeguards selected by management. Tasks include identification of the specific safeguards, assignment of responsibility for design, development or purchase, and implementation of the safeguards. Plans shall also include a timetable of the milestones leading to implementation (this process corresponds to the detailed design and development/testing phases of the generic systems approach).
- Implementation and Maintenance of Safeguards
  - Involves the installation, operation and maintenance of new or modified safeguards. Implementation shall involve personnel training and coordinating any changes in operations with affected personnel.
- Vulnerability
  - Susceptibility of a system to a specific threat, attack or harmful event, or the opportunity available for a threat agent to mount such an attack.
- Vulnerability Assessment
  - A review of a system or program to determine its susceptibility to loss or unauthorized use.

49030.5 ITS – Risk Management New System Requests

All requests for approval for new systems development shall indicate if the system is a critical application.

49030.6 ITS – Risk Management Critical Applications

All critical applications shall require a risk analysis. See DOMDepartment Operations Manual 49040, Procedures.

49030.7 ITS – Risk Management Other Systems

Revised April 16, 1993

A risk analysis shall be submitted to the Information Security Unit (ISUInstitution Services Unit) for all systems that are non-critical applications but use one or more of the following:
- Telecommunications.
- Programs created or maintained by inmates.
- Inmates as keyboard operators.
These applications require a risk analysis approved by ISUInstitution Services Unit prior to implementation.
The MISManagement Information Systems Committee may direct that a risk analysis be carried out for any new system when deemed necessary.

49030.8 Risk Management Exemption for Inmate Use

Requests to ISUInstitution Services Unit for an exemption from information security policy, as it pertains to inmates and computers shall be accompanied by a risk analysis. An exemption shall only be granted by the MISManagement Information Systems Committee based upon the risk analysis and a recommendation by ISOInformation Security Officer.

49030.9 Revisions

Revised May 6, 2010

The Assistant Secretary, EISEnterprise Information Services (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.

49030.10 References

GCGovernment Code § 1171.
DOMDepartment Operations Manual § 49040.

Article 47 – Disaster Recovery Planning

49040.1 Policy

It is the policy of the Department that each element of the Department utilizing information technology shall establish disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. See the DOMDepartment Operations Manual 49010 for additional details.

49040.2 Purpose

The purpose of disaster recovery planning is to ensure continuity in computer operations for the support of critical applications, provide the greatest possible benefit from remaining limited resources, and achieve a systematic and orderly migration toward the resumption of all automation activities within the affected segment of the Department.

49040.3 Classification of Computers According to Type

The information assets of the Department are distributed over many geographically separated entities. However, any usage of computer resources in CDC will fall within one of four different types. The primary factors associated with each type represent the complexity and scope of operational use of the computer or system involved. In the context of this policy, “system” means a computer program and the computer resources necessary to achieve the objective of the program. It is possible for similar computers to be classified differently depending upon the program being used. This is especially true in the inmate education area. DOMDepartment Operations Manual 47000 contains information on each of the critical systems utilized by the Department.
- Type 1
  - Most of the large, Departmentwide computer systems are comprised of a computer at a central site, and a telecommunication network (phone lines) with terminals, printer, modems, and controllers located at a local site. Examples of this type of configuration include the OBISOffender Based Information System, the Inmate Trust System, and the Personnel and Leave Accounting System.
  - Each of these systems would be affected by any disaster occurring within the data center or any disaster that would disrupt part or all of the communication lines. While the operational recovery of these systems is the data center’s responsibility, each of the user sites shall have contingency plans ready to enable actions that minimize disruptions to business activities.
- Type 2
  - The computer-based system is approved for departmental use and is to be implemented at all appropriate sites. This type of system can be found at many sites. These systems are not connected electronically. Each site uses the same programs to support the same work. Examples of Type 2 systems are the Critical Case Factor System and the microcomputer-based Inmate Appeals System: both of these are examples of stand-alone departmental ITS.
- Type 3
  - This type of computer system is normally found at only one site. Type 3 systems are created because the multipurpose work station is available and there is an identified need.
- Type 4
  - Type 4 systems are found only in the academic or vocational education areas. These systems are intended to be used strictly for the education of inmates.

49040.4 Responsibilities

The CDC approach to risk management requires that active support and ongoing participation be obtained from individuals representing multiple disciplines and all management levels. This includes the support of executive, program, and technical management, as well as owners, custodians, and users of the information.
- Director
  - It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure. Specifically, the Director is responsible for ensuring the following:
    - Enforcement of State-level operational recovery policies.
    - Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software, and equipment, and the integrity and security of the Department’s automated information.
    - Department compliance with reporting requirements related to operational recovery.
    - Preparation and maintenance of the Department’s operational recovery plan, and the continuation of vital information support services in case of a disaster.
    - Participation of management during the planning, development, modification, and implementation of operational recovery policies and procedures.
- Information Security Officer
  - GCGovernment Code 1171 requires that the director of each State agency designate an Information Security Officer (ISOInformation Security Officer). The ISOInformation Security Officer is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISOInformation Security Officer shall be responsible to the CDC Director for such responsibilities.
  - Additionally, to avoid conflicts of interest, the ISOInformation Security Officer shall not have direct responsibility for information processing, information access management functions, or any departmental computer based systems, or have a reporting relationship to an organization that has such responsibilities. The ISOInformation Security Officer shall not have any special allegiance or bias toward a particular program or organization.
  - The responsibilities of an ISOInformation Security Officer include overseeing the following:
    - Development and maintenance of an operational recovery plan to protect the Department against the potential effects of a disaster.
    - Establishment of procedures to comply with control agency reporting requirements relating to operational recovery.
- Technical Management
  - Department technical management has the following responsibility relative to the Department’s operational recovery program:
    - Ensuring the implementation and maintenance of an operational recovery plan in cooperation with Department management, the ISOInformation Security Officer, and the assigned owners, users, and custodians of information.
- Program Management
  - Department program managers have the following responsibilities in relation to the CDC security program:
    - Establishing procedures necessary to comply with operational recovery policy pertaining to ownership, user, and, if appropriate, custodian responsibilities.
    - Ensuring that operational recovery plans are in place for hardware, software, and files or data bases for which the program is assigned ownership responsibility.
    - Ensuring that custodians of program information are provided the appropriate direction to implement the operational recovery plans that have been defined.
    - Ensuring that procedures are established to comply with departmental operational recovery reporting requirements.
- Internal Auditors
  - Internal auditors have the following responsibilities in relation to the Department’s operational recovery planning efforts:
    - Examination of the Department’s policies and procedures for compliance with State policies.
    - Examination of the Department’s policies and procedures for compliance with control agency audit requirements.
    - Examination of the effectiveness of the Department’s policies and procedures; identification of inadequacies within the existing operational recovery programs, and identification of possible corrective actions.
    - Provision of applicable findings to management, the ISOInformation Security Officer, and the owners, custodians, and users of information.
- QCQuality Control
  - The designated responsible QCQuality Control person/program has the following responsibilities in relation to the Department’s operational recovery program:
    - Review and evaluation of the effectiveness of operational recovery plans for automated ITS, whether under development or operational, and with particular emphasis on major systems.
- Information Owners
  - The owners of information are responsible for classifying the information, defining precautions for controlling access, disposing of the information, authorizing/denying access to the information, filing security incident reports, securing the signed security agreements and storing them for reference, and identifying (for the ISOInformation Security Officer) the level of acceptable risk.
  - The owners of CDC information are identified in the system library document maintained by the MISManagement Information Systems-SU.
- Information Users
  - It is the responsibility of all users to protect CDC resources, to note variances from established procedures, and to report such variances to the appropriate manager.
- Information Custodians
  - The custodians of information are responsible for complying with applicable laws and policies, complying with policies and procedures established by the owner and the ISOInformation Security Officer, advising the owner and the ISOInformation Security Officer of any threats to the information, and notifying the owners and the ISOInformation Security Officer of any violations of security policies, practices, or procedures.

49040.5 Definitions

Application Disaster Recovery Plan
- A plan devised to process an application after it has been disrupted for some period of time.
Back-up Procedures
- Methods used to recover computer programs and files after a disaster or system failure.
Contingency Planning
- The procedure of developing a back-up plan to restore business and data center operations in the event of a disaster or interruption. Also called “disaster recovery planning” or “business resumption planning.” Contingency Program The everyday work activities and procedures (e.g., backing-up critical data files) that fulfill the requirements of recoverability.
Disaster
- A human or natural occurrence causing destruction and distress, after which a business is deemed unable to function.
Disaster Recovery Operation
- The act of recovering from the effects of disruption to a computer facility, and the pre-planned restoration of facility capabilities.
Disaster Recovery Plan
- The preplanned steps that make possible the recovery of a business computer facility or the applications processed therein. Also called a “contingency plan” or “business resumption plan.”
Emergency Response
- The immediate action taken to protect hardware and sensitive magnetic media in the event of natural disasters, fire, power failures, equipment breakdown, theft, vandalism, or tampering.

49040.6 Disaster Recovery Planning – Critical Systems

Revised April 16, 1993

Department Operational Recovery Plan
- The Department operational recovery plan shall cover a minimum of four topic areas:
  - Summary of the strategy for managing disaster situations.
  - Distinct management and staff assignment of responsibilities immediately following a disaster and continuing through the period of normal operations re-establishment.
  - Priorities for the recovery of critical applications.
  - Operational procedures documented in systematic fashion that shall allow recovery to be achieved in a timely and orderly way.
Type 1 and Type 2 Operational Recovery Plans
- All Type 1 and Type 2 systems shall require an operational recovery plan that answers the following questions:
  - Identification and evaluation of alternative recovery strategies.
  - Selection of the alternative that best responds to the organization’s requirements for disaster recovery.
  - Assessment of the resource requirements (space, equipment, communications, data, software, personnel, and time) required for operational recovery of the critical application.

49040.7 ITS Disaster Recovery Coordinator (ISDRC)

The ITS Disaster Recovery Coordinator (ISDRC) for CDC is the computer operations section manager from ISDInformation Services Division (see EIS).

49040.7.1 Responsibilities of the ISDRC

Revised April 16, 1993

The ISDRC is responsible for maintaining a Department operational recovery plan that identifies computer applications deemed critical to the Department’s operations, the information assets that are necessary for those applications, and the Department’s plans for resuming operations following a disaster affecting those applications. The ISDRC shall coordinate the preparation of the operational recovery plan with the disaster recovery coordinator of the Institutions Division and with the CDC Data Center. The ISDRC is responsible for ensuring that periodic testing of the Department operational recovery plan is carried out.

49040.8 Submitting the Disaster Recovery Operational Recovery Plan

The CDC Disaster Recovery Coordinator shall file an informational copy of the Department operational recovery plan with the Office of Information Technology, DOFDepartment Of Finance, no later than January 31 of each year. A copy of this plan shall be sent to the Teale Data Center.

49040.9 Approval of New Critical Department ITS

Revised April 16, 1993

Each request for approval to proceed with the development of a critical Department information system shall address the issue of the operational recovery of the system to be developed. All resource requirements associated with the operational recovery methods shall be identified as part of the critical ITS’ cost.
Prior to the implementation of any critical system, project management shall submit to ISDInformation Services Division (see EIS) a copy of the critical system’s operational recovery plan for inclusion in the annual submittal to the control agency.

49040.10 Revisions

Revised April 16, 1993

The Chief, ISDInformation Services Division (see EIS), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.

49040.11 References

Revised April 16, 1993

GCGovernment Code § 1171.
DOMDepartment Operations Manual § 47000.
DOMDepartment Operations Manual § 49010.

Article 48 – Unassigned

Revised December 10, 2025

Article 49 – Special Security Considerations

49060.1 Policy

It is the policy of the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation or the department) that the secure protection of Information Technology (ITInformation Technology) capabilities and information requires special resources and considerations when the information involved is sensitive or confidential in nature. In such instances, augmented security measures shall be implemented.

49060.2 Purpose

The purpose of this section is to clarify that, in addition to other ITInformation Technology security policies and procedures contained in this manual, all the CDCRCalifornia Department of Corrections and Rehabilitation employees shall, where applicable, adhere to the security requirements of this section. This section outlines the responsibilities of the department’s designated Authorizing Official or Assistant Authorizing Official and Security Monitor or Assistant Security Monitor pertaining to certain personnel and payroll information.

49060.3 Department Responsibilities

CDCRCalifornia Department of Corrections and Rehabilitation shall appoint a departmental Authorizing Official, Assistant Authorizing Official, and Security Monitor or Assistant Security Monitor from within the department’s Personnel/Payroll Office with responsibilities sanctioned by the State Controller’s Office (SCOState Controller’s Office) Personnel and Payroll Services Division (PPSD) Decentralized Security Program Manual. A Security Monitor shall be appointed at each facility. The Authorizing Official and Security Monitors shall have access to the SCOState Controller’s Office system and database.
The responsibility of protecting confidential data residing on the SCOState Controller’s Office system is a shared effort amongst all CDCRCalifornia Department of Corrections and Rehabilitation personnel staff. Once data information is removed or viewable within the department’s Personnel/Payroll Office, the information is the responsibility of the staff and management of that office.
It is the responsibility of the department’s personnel office to ensure training on the SCOState Controller’s Office system as part of risk management. Training may be available in-house and through SCOState Controller’s Office.
- Authorizing Official or Assistant Authorizing Official
  - The Authorizing Official shall perform the following duties:
    - Ensures compliance with the standards and procedures in this manual, which includes providing SCOState Controller’s Office PPSD with the documents referenced below.
    - Submits the PSD041 by January 31 of each year on behalf of the department.
    - Submits the PSD125A on behalf of the department.
    - Submits the PSD108 on behalf of the department.
    - Verifies access and level of access of existing staff listed on the PSD125A.
    - When an employee has a name change, a new PSD108 is required advising SCOState Controller’s Office PPSD of the change.
    - Designates a Security Monitor or Assistant Security Monitor on the PSD040.
- Security Monitors
  - The Security Monitor shall perform the following duties:
    - Act as a liaison with the SCOState Controller’s Office Decentralized Security Administrator (DSA).
    - Act as the security resource for all departmental personnel/payroll office employees including facility personnel offices.
    - Maintain the Decentralized Security Program Manual and current Security Authorization forms.
    - Review all documents for accuracy prior to approval.
    - Verify access and level of access of existing staff listed on the PSD125A.
    - List new users on the current PSD125A with appropriate attachments.
    - Submit the PSD125A.
    - Retain the PSD125A and PSD108 for five years after the date of last access for any user that is no longer active at that department.
    - Apply deletions (must refer to the SCOState Controller’s Office Personnel and Payroll Services Division Decentralized Security Program Manual for the most updated processes and guidelines).
    - Apply changes to additional access, reduction in access, name changes, leave of absence, return to work.
    - Advise PPSD of an employee’s name change, by a using PSD108.

49060.4 Special Site Security Guidelines

The sites of SCOState Controller’s Office computer equipment shall be kept secure (by means of locking devices, guards, badges or barriers) from unauthorized physical or visual access. The site shall be located in an area restricted from the public and unauthorized employees. Entry shall be monitored during work hours, and restricted areas shall be locked when unattended. Keys shall be distributed on a limited and controlled basis to authorized employees only.
- Layout plans for equipment shall include the following:
  - Floor Plan
    - The site layout shall include an analysis of employee work areas, the manner in which employees shall enter and exit the office, the location of SCOState Controller’s Office equipment, and the location and type of all locking devices and barriers.
  - Doors
    - Doors shall be solid, locking, full or Dutch-style doors that are accessible only with the correct key or electronic key/badge. Doors shall remain closed and locked at all times.
  - Windows
    - Interior windows shall be frosted or covered completely to eliminate visual access to the terminal screens. Exterior windows on a ground floor shall be frosted, covered, and secured if easily opened.
  - Locks
    - Locks shall be installed on all interior and exterior doors allowing access to the secured area. Acceptable locks include, but are not limited to, the following:
      - Key-controlled locks.
      - Code-controlled locks.
      - Electronic locks.
      - Double-bolting locks Dutch doors.
  - Counters
    - If a counter exists in the secured area, access into the work area shall be controlled and monitored. Records of approved access shall be maintained by the Security Monitor.
  - Changes To Site
    - Any changes to an approved, decentralized site require notification to the Security Monitor.

49060.5 Special Equipment Security Considerations

To ensure the security of SCOState Controller’s Office equipment and information, all department’s personnel employees shall adhere to the following equipment security guidelines:
- Equipment shall be located in restricted areas that are monitored during working hours and locked during any unattended periods.
- Only authorized employees shall have access to terminals, printers, control units and modems.
- System access shall be completely signed off when not in use.
- Terminals shall be locked, keys removed, and screen intensity turned completely down when the terminals are unattended.
The following shall be stored in a vault or locked cabinet when not in use:
- Keys to terminals.
- Manuals for system software and hardware.
- Other instructional and operational manuals.
No equipment shall be attached to any authorized configuration of decentralized equipment, except for testing and installation tools used by the vendor or telephone company.
Deviations from the requirements listed above shall have prior written approval from the department Authorizing Official.
Equipment Changes
- The following types of changes to the SCOState Controller’s Office decentralized system require prior, written approval from the department Authorizing Official:
  - Changes of any kind to the location of decentralized equipment.
  - Switching of terminals from one control unit to another.
  - Any additions or removals of decentralized equipment.

49060.6 Special Data Security Considerations

Personnel employees shall consider all information residing in the SCOState Controller’s Office database as confidential, and shall protect information from unauthorized access.
- Other Special Data Security Considerations:
  - Security access authority, and protection of information, data and physical system assets of the State of California are mandated by California Penal Code, Section 502.
  - Department staff shall ensure that all personnel with access to department data and information assets are properly trained in accordance with their roles and responsibilities regarding data access and handling.
  - Ensure that department data and information assets are used solely for their intended purpose.
  - Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.
  - The department has the right to audit any activities related to the use of State information assets.
  - Adhere to the Decentralized Security Manual.
- Hardcopy
  - Employees shall consider all data hardcopy (including printouts) gained from the SCOState Controller’s Office system as confidential, and shall handle and destroy hardcopy accordingly. The various user manuals provided by the SCOState Controller’s Office contain confidential access instructions and shall be stored in a vault or locked cabinet when not in use.
  - Ensure that department data and information assets are used solely for their intended purpose.
- Authorized Personnel
  - Access to information provided through the SCOState Controller’s Office system is restricted to authorized personnel. Only the following persons shall be considered authorized personnel:
    - A state employee or bona fide representative of the SCOState Controller’s Office who:
      - Demonstrates either a need for or a legal right to the information;
      - Receives formal authorization from the Authorizing Official; and,
      - Accepts legal responsibility for preserving the security of the information.
  - Persons who require access to the SCOState Controller’s Office system shall demonstrate the need for such access by defining their specific, relevant duties. Any change in these duties requires a reevaluation of the need for access.
  - Access shall be revoked if the need for access no longer exists.
- User Identification
  - Each person authorized to access the SCOState Controller’s Office system shall be provided with a unique user identification (IDInstitutions Division (see DAI)). Requests for a new user IDInstitutions Division (see DAI) or an IDInstitutions Division (see DAI) revocation shall be directed to the Security Monitor.
    - CDCRCalifornia Department of Corrections and Rehabilitation employees are required to read SCOState Controller’s Office’s Decentralized Security Guidelines and sign the PSD108, Statement of Understanding, prior to receiving access to SCOState Controller’s Office. New IDs and IDInstitutions Division (see DAI) revocations are recorded on the PSD Form 125A.
- Passwords
  - Access to the SCOState Controller’s Office system is restricted through the use of passwords. Use of any user IDInstitutions Division (see DAI) also requires the associated password, known only to its owner. User passwords shall comply with SCOState Controller’s Office password configuration policies.
    - To protect system security, the IDInstitutions Division (see DAI) owner shall not:
      - Reveal the password to anyone.
      - Write the password on any media.
      - Walk away from an active terminal session; users shall log off the system prior to leaving.
      - Log on in order to provide access or allow use by any unauthorized person.
      - Use an obvious password, such as the owner’s nickname, or any other easily identifiable password.
    - If a password does not operate correctly and the IDInstitutions Division (see DAI) owner is sure that the correct password has been used, the owner shall notify the Security Monitor immediately.
    - An IDInstitutions Division (see DAI) owner who has forgotten the password shall contact the SCOState Controller’s Office Information Security Office.
    - Anyone who suspects that a password has been compromised shall notify the Security Monitor immediately. In addition, a CDCRCalifornia Department of Corrections and Rehabilitation information security incident report (ISIR) shall be submitted to the department Security Monitor as appropriate.

49060.7 Telework Considerations

Revised December 10, 2025

All employees who utilize department equipment while working remotely shall follow the guidelines of the Telework Agreement as indicated within the Department Operations Manual (DOMDepartment Operations Manual), Chapter 3 Article 25 – Telework Program. Additionally, employees shall adhere to the security requirements documented in this policy unless otherwise provisioned.

49060.8 Revision

Revised December 10, 2025

The CIO or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

References

(1) California Penal Code § 502.
(2) DOMDepartment Operations Manual Chapter 3, Article 25.
(3) 5 U.S.C. § 552a.
(4) SCOState Controller’s Office PPSD – Decentralized Security Program Manual.

Revision History

(1) Revised: November 30, 1992.
(2) Revised Section 49060.8: April 16, 1993.
(3) Revised: December 10, 2025.

Article 50 – Change and Configuration Management Policy

49070.1 Introduction and Overview

Business functions are highly dependent on secure and stable Information Technology (ITInformation Technology) operating environments. Secure and reliable ITInformation Technology environments are enabled through both maintaining standard configurations and establishing processes and procedures to effectively manage changes to the operating environments.
The goal of formalized ITInformation Technology change management is to facilitate ITInformation Technology changes as defined in enterprise standards, guidelines, and procedures while minimizing negative impacts to the organization.
The goal of ITInformation Technology configuration management is to establish, implement, and manage information asset baseline configurations and maintain consistency throughout the system lifecycle.
This policy establishes CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s requirement for formal change and configuration management.

49070.2 Objectives

The objective for this policy is to establish CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) requirements for standardized methods and procedures for the management of information asset configurations and changes to CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s information and technology environments, while integrating security and risk considerations.

49070.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned and operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), information assets managed by third parties on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), and all information assets that process or store CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information in support of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) services and mission.
This policy applies to Owners of Information Assets and Information Asset Custodians.

49070.4 Policy Directives

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall:
- Formally manage all changes to information assets.
- Utilize the Change Control Board, which includes a change advisory board that meets on a regular basis to review changes to information assets.
- Ensure that the change advisory board comprises representation from appropriate stakeholders, and in particular from impacted business areas.
- Ensure that the change advisory board includes formal security representation, and that change management processes formally integrate security evaluations and risk impact assessments in all change activities.
- Establish comprehensive enterprise-wide change management, comprised of supporting processes, workflows, and a centralized repository for all changes, including changes to baseline configurations.
- Establish, implement, and manage CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) operating baselines for information asset configurations.
- Establish and implement technologies, processes, and procedures to maintain and manage information asset configurations.
- Ensure third parties and contractors are subject to change and configuration management policies, discipline, and practices. Any changes to CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets proposed by service providers, regardless of whose environment they operate in, shall be governed by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) change and configuration management processes.

49070.5 Roles and Responsibilities

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Chief Information Officer (CIO) or Designee
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are aware of this policy and acknowledge their individual responsibilities.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Security Officer (ISOInformation Security Officer)
- Information Asset Custodians shall implement configuration and change management technology, process, and workflow controls as approved by Owners of Information Assets.
- Information Asset Custodians shall maintain change and configuration management records for a minimum period of 12 months. Secure deletion or destruction of these records shall be in accordance with the records retention schedule.

49070.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49070.7 Auditing

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to audit any activities related to the use of State information assets.
CDT OIS and CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) have the statutory right to audit CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) readiness to respond and recover from an incident.

49070.8 Reporting

Violations of this policy shall be reported to the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer.

49070.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49070.10 Authority

This policy complies with the State of California Government Code section 11549.3.

49070.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.
References
SIMM 19C, Project Approval Lifecycle Stage 3 – Solution Development
SIMM, sections 58C, 58D, 66B, 5305-A, 5310-A and B; 5325-A and B; 5330-A, B, and C; 5340-A and C; and 5360-B
SAMState Administrative Manual, section 5315, Information Security Integration
SAMState Administrative Manual, section 5315.5, Configuration Management
SAMState Administrative Manual, section 5355, Endpoint Defense
NIST SP 800-53, Configuration Management, CM-2, CM-3, CM-4, CM-5, CM-6, CM-9
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 45, section 49020.9
California Government Code section 11549.3
Revision History
Effective: XX.XX.XXXX

References

SIMM, 19C, Project Approval Lifecycle Stage 3 – Solution Development
SIMM, sections 58C, 58D, 66B, 5305-A, 5310-A and B; 5325-A and B; 5330-A, B, and C; 5340-A and C; and 5360-B
SAMState Administrative Manual, section 5315, Information Security Integration
SAMState Administrative Manual, section 5315.5, Configuration Management
SAMState Administrative Manual, section 5355, Endpoint Defense
NIST SP 800-53, Configuration Management, CM-2, CM-3, CM-4, CM-5, CM-6, CM-9
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 45, section 49020.9
California Government Code, section 11549.3

Article 51 – Endpoint Security Policy

Effective December 30, 2021

49080.1 Introduction and Overview

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are often used to conduct business functions internally as well as with other State and non-CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) persons and devices on the Internet. Devices used for such CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) business purposes are comprised of servers, network devices, and end user devices including mobile computers, tablets, and smart phones; such devices are collectively called “endpoints” or “endpoint devices.” Some CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are more prone to loss or theft due to their size, mobility, or location of use.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) needs to ensure that endpoints are suitably protected to prevent unauthorized access to data and information that may reside on the endpoints.

49080.2 Objectives

Objectives for this policy are to define the requirements to protect CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) endpoints that may routinely interact with unknown or untrusted devices on the Internet, or that are more susceptible to loss or theft.

49080.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned and operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), information assets managed by thirdparties on behalf of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), and all information assets that process or store CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information in support of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) services and mission.
This policy applies to Owners of Information Assets and Information Asset Custodians.

49080.4 Policy Directives

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure that:
- All CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) endpoints are identified and endpoint asset inventories are documented and continually updated.
- Risks to individual CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) endpoint device types and the data they access, process, and store are assessed.
- The requisite endpoint protection controls, as referenced in the Statewide Information Management Manual, are implemented and maintained to mitigate risks to each endpoint.
- Endpoint protection controls include people (asset users), processes, and technology controls.
- Endpoint protection controls are continuously monitored.
- Endpoint protection controls are reviewed at least annually.

49080.5 Roles and Responsibilities

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Chief Information Officer (CIO) or Designee
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are aware of this policy and acknowledge their individual responsibilities.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Security Officer (ISOInformation Security Officer)
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall assist Owners of Information Assets and Information Asset Custodians with the identification and selection of endpoint protection controls.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall ensure that endpoint protection controls meet CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) requirements for security and privacy.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Owners of Information Assets and Program Management
- Owners of Information Assets in collaboration with the Information Asset Custodians shall ensure that the endpoint protection controls are defined, documented, and implemented, and that implementation is reviewed annually.
- Owners of Information Assets in collaboration with the Information Asset Custodians shall ensure the endpoint protection controls commensurate with the sensitivity or criticality of the asset are implemented for assets under their purview.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Asset Custodians
- Information Asset Custodians shall implement the requisite endpoint protection controls based upon the sensitivity or criticality of the assets as defined by the Owners of Information Assets.
- Information Asset Custodians shall maintain and update endpoint protection technologies based on best practices.
- Information Asset Custodians shall maintain records of endpoint protection controls and ensure proper change management.

49080.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49080.7 Auditing

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to audit any activities related to the use of State information assets.
CDT OIS and CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) have the statutory right to audit CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) readiness to respond and recover from an incident.

49080.8 Reporting

Violations of this policy shall be reported to the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer.

49080.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49080.10 Authority

This policy complies with the State of California Government Code section 11549.3.

49080.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.
References
SIMM 5305-A, Information Security Program Management Standard
SIMM 5355-A, Endpoint Protection Standard
SAMState Administrative Manual, section 5355, Endpoint Defense
SAMState Administrative Manual, section 5355.1, Malicious Code Protection
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
NIST SP 800-53, Configuration Management, CM-2, CM-3, CM-6, CM-7, CM-10, CM-11
NIST SP 800-53, System and Communications Protection, SC-8, SC-10, SC-11, SC-13, SC-18, SC-23, SC-24, SC-28, SC-38, SC-42, SC-43
NIST SP 800-53, System and Information Integrity, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8, SI11
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3, RA-5
NIST SP 800-53, Physical and Environmental Protection, PE-3, PE-19, PE-20
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 41, section 48010.5
California Government Code section 11549.3
Revision History
Effective: XX.XX.XXXX

References

SIMM 5305-A, Information Security Program Management Standard
SIMM 5355-A, Endpoint Protection Standard
SAMState Administrative Manual, section 5355, Endpoint Defense
SAMState Administrative Manual, section 5355.1, Malicious Code Protection
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
NIST SP 800-53, Configuration Management, CM-2, CM-3, CM-6, CM-7, CM-10, CM-11
NIST SP 800-53, System and Communications Protection, SC-8, SC-10, SC-11, SC-13, SC-18, SC-23, SC-24, SC-28, SC-38, SC-42, SC-43
NIST SP 800-53, System and Information Integrity, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8, SI11
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3, RA-5
NIST SP 800-53, Physical and Environmental Protection, PE-3, PE-19, PE-20
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 41, section 48010.5
California Government Code, section 11549.3

Article 52 – Security Analytics and Continuous Monitoring Policy

XXXX XX, XXXX

49090.1 Introduction and Overview

Information technology environments that support CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) business functions and services are complex and dynamic computer network environments, which process, manipulate, and store large amounts of data and information. In order to detect unexpected and suspicious activities and events within such complex networks, it is important to continuously monitor computing environments. Continuous monitoring allows CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) to rapidly identify anomalous or suspicious activities and events, analyze these events, and respond accordingly.

49090.2 Objectives

The objective for this policy is to define CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) requirements for continuous monitoring of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) networks and information assets for signs of malicious use, anomalies, and unexpected behavior and usage patterns.

49090.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned or operated by the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), and governs the facilities and information assets owned or operated on behalf of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) by business partners and service providers.
This policy applies to Owners of Information Assets and Information Asset Custodians.

49090.4 Policy Directives

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure that:
- A strategy for security analytics and continuous monitoring will be defined, documented, and implemented.
- The strategy will be based on security risk management principles in order to determine optimal monitoring locations, methods, and techniques.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s security analytics and continuous monitoring strategy will be integrated with CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s security and event logging and monitoring strategy, threat assessments, and security analytics and event correlation.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s continuous monitoring is linked to incident response management and other CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) incident management processes.

49090.5 Roles and Responsibilities

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Chief Information Officer (CIO) or Designee
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are aware of this policy and acknowledge their individual responsibilities.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is responsible for ensuring that this policy is reviewed annually, and updated accordingly.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Security Officer (ISOInformation Security Officer)
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall assist Owners of Information Assets and Information Asset Custodians with the implementation of this policy.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall assist Owners of Information Assets and Information Asset Custodians in the analysis and assessment of risks posed by anomalous activities or identified events.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Owners of Information Assets and Program Management
- Owners of Information Assets in collaboration with the Information Asset Custodians shall ensure that this policy is implemented and implementation is reviewed annually.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Asset Custodians
- Information Asset Custodians shall implement technology and process controls.
- Information Asset Custodians shall maintain records of security monitoring controls implemented.

49090.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49090.7 Auditing

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to audit any activities related to the use of State information assets.
CDT OIS and CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) have the statutory right to audit CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) readiness to respond and recover from an incident.

49090.8 Reporting

Violations of this policy shall be reported to the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer.

49090.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49090.10 Authority

This policy complies with the State of California Government Code section 11549.3.

49090.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.
References
SAMState Administrative Manual, section 5335, Information Security Monitoring
SAMState Administrative Manual, section 5335.1, Continuous Monitoring
SAMState Administrative Manual, section 5335.2, Auditable Events
NIST SP 800-53, Audit and Accountability, AU-2, AU-6, AU-7, AU-13
NIST SP 800-53, Incident Response, IR-5, IR-10
NIST SP 800-53, Physical and Environmental Protection, PE-6
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 41, section 48010.5
California Government Code section 11549.3
Revision History
Effective: XX.XX.XXXX

Article 53 – Server Configuration Policy

XXXX XX, XXXX

49100.1 Introduction and Overview

This document defines the policy for all servers, physical and virtual, owned or operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA). Effective implementation of this policy minimizes the risk of server vulnerabilities that can result in system unavailability, data corruption, unauthorized access, information and resource misuse, and service disruption.

49100.2 Objectives

The objective of this policy is to establish the base configuration of internal server equipment that is owned and operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA). Effective implementation of this policy will minimize unauthorized access to CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) proprietary information and technology.

49100.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), including critical infrastructure, as well as information assets owned or operated by third-parties on behalf of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA).
This policy applies to Owners of Information Assets and Information Asset Custodians.

49100.4 Policy Directives

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall:
- Only create server service accounts when necessary.
- Use the Principle of Least Privileged (POLP) to limit user access rights to a minimum.
- Not use administrative accounts (e.g., root, administrator, O365 Global) when a non-privileged account will suffice.
- Disable/lock/delete all accounts except those required to provide necessary services.
- Change the default passwords for all accounts and follow password security best practices outlined in SIMM 5300-A, Org-Defined Standards, (NIST IA-5(1)).
- Limit access to administrative accounts to only those who have operational need and have been authorized.
- Ensure service accounts are not part of Local Administrators or Domain Administrator accounts.
- Authorize and document all administrative (privileged) accounts.
- Encrypt all passwords and all sensitive and confidential data while in transit. Passwords shall adhere to State Org-Defined Policy. (See SAMState Administrative Manual 5350.1, SIMM 5300-B and NIST SP 800-63B, FIPS 140-2).
- Authenticate users over encrypted protocols.
- Log all access to the server and services that are protected through access control methods.
- Establish and implement controls to ensure that service account functions are authorized using service account credentials only.
Systems Configuration and Maintenance
- Servers shall be patched and hardened before attaching them to the network. Security patches shall be installed on the system not less than monthly. If an intelligence source advises of an imminent threat, patches shall be installed according to documented information technology standards.
- Servers shall be physically secured in locations accessible only to authorized personnel.
- Only required services shall be enabled or installed on the server. Services that are not required shall be uninstalled or disabled.
- Regular back-ups of the server shall be completed according to the back-up and retention policy and tested on a periodic schedule.
- Monitoring
- The server shall capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes.
- Security-related events shall be reviewed and investigated. Events include, but are not limited to:
- Account lockouts
- Failed user account logins
- Evidence of unauthorized access to privileged accounts
- Anomalous occurrences that are not related to specific applications on the server
- Security incidents shall be handled immediately in accordance with SAMState Administrative Manual and SIMM and reported to the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Security Officer (ISOInformation Security Officer), the data owners or their designees.

49100.5 Roles and Responsibilities

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Chief Information Officer (CIO) or Designee
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are aware of this policy and acknowledge their individual responsibilities.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is responsible for ensuring that this policy is reviewed annually, and updated accordingly.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall assist Owners of Information Assets and information asset custodians in the identification of data security controls and processes.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall ensure data security controls, methods, and processes meet CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) and applicable regulatory requirements for security.
- CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer shall participate in all incidents involving information security.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Owners of Information Assets and Program Management
- Owners of Information Assets, in collaboration with the Information Asset Custodians, shall ensure that this policy is implemented and implementation is reviewed annually and as appropriate.
- Owners of Information Assets shall audit user access rights and privileges to ensure alignment with individual job roles and functions on an annual or more frequent basis as appropriate.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Asset Custodians
- Information Asset Custodians shall review accounts with privileged access no less than semi-annually and verify that continued privileged access is required.
- Information Asset Custodians, in collaboration with Owners of Information Assets, shall ensure the information security control measures are commensurate with the sensitivity or criticality of information assets under their purview.
- Information Asset Custodians shall assist Owners of Information Assets in identifying data security controls commensurate with the classification of the data.
- Information Asset Custodians shall document, implement, monitor, and maintain data security protection controls based upon the sensitivity or criticality of the assets.
- Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor, and maintain data security controls.
- Information Asset Custodians shall maintain data security records.

49100.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49100.7 Auditing

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to audit any activities related to the use of State information assets.
CDT OIS and CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) have the statutory right to audit CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) readiness to respond and recover from an incident.

49100.8 Reporting

Violations of this policy shall be reported to the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) ISOInformation Security Officer.

49100.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49100.10 Authority

This policy complies with the State of California Government Code section 11549.3.

49100.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.
References
SIMM, section 5300-B, Foundational Framework
SIMM, section 5305-A, Information Security Program Management Standard
SAMState Administrative Manual, section 5305.5, Information Asset Management
SAMState Administrative Manual, section 5310.4, Individual Access to Personal Information
SAMState Administrative Manual, section 5310.6, Data Retention and Destruction
SAMState Administrative Manual, section 5310.7, Security Safeguards
SAMState Administrative Manual, section 5340, Information Security Incident Management
SAMState Administrative Manual, section 5340.1, Incident Response Training
SAMState Administrative Manual, section 5340.2, Incident Response Testing
SAMState Administrative Manual, section 5340.3, Incident Handling
SAMState Administrative Manual, section 5340.4, Incident Reporting
SAMState Administrative Manual, section 5350.1, Encryption
SAMState Administrative Manual, section 5365, Physical Security
SAMState Administrative Manual, section 5365.1, Access Control for Output Devices
SAMState Administrative Manual, section 5365.2, Media Protection
SAMState Administrative Manual, section 5365.3, Media Disposal
Federal Information Processing Standards, FIPS 199
Federal Information Processing Standards, FIPS 140-2
NIST SP 800-53, Access Control, AC-3, AC-4
NIST SP 800-53, Audit and Accountability, AU-2, AU-3, AU-13
NIST SP 800-53, Configuration Management, CM-8
NIST SP 800-53, Identification and Authentication, IA-5(1)
NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
NIST SP 800-53, Physical and Environmental Protection, PE-5, PE-19, PE-20
NIST SP 800-53, Planning, PL-4
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3
NIST SP 800-53, Security and Communications Protection, SC-4, SC-8, SC-13, SC-17, SC-28
NIST SP 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 41, section 48010.5
California Government Code section 11549.3
Revision History
Effective: XX.XX.XXXX

Article 54 – Access Control Policy

Effective March 14, 2022

49110.1 Introduction and Overview

Information assets owned by the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)) are strategic assets intended for official business use, and are entrusted to State personnel and business partners in the performance of their job related duties.
Access may enable or restrict the ability to do something with a resource. Access control, then, is the selective restriction of these abilities and is comprised of both physical and logical access.

49110.2 Objectives

Objectives for this policy are to:
- Enable the development and implementation of a CDCRCalifornia Department of Corrections and Rehabilitation, CCHCS, and CALPIACalifornia Prison Industry Authority (formerly PIA) (hereinafter referred to as department) identity and access management strategy that comprehensively addresses all access to department information assets.
- Document requirements for the appropriate control and management of physical and logical access to, and the use of department information assets.
- Require the use of appropriate authentication methods based on the type and sensitivity of information assets being accessed.
- Govern the use of privileged access rights, such as those assigned to Administrator and Privileged Accounts.

49110.3 Scope and Applicability

This policy applies to all personnel; all information assets owned or operated by the department; and all forms of physical and logical access to department information assets, including using wired, wireless, and remote access network connections. All department personnel shall comply with this policy.

49110.4 Policy Directives

Before department ITInformation Technology infrastructure network access, users shall be identified and authenticated.
Users accessing sensitive or confidential information shall be appropriately provisioned before accessing department owned or operated information assets and associated facilities.
In the case of physical access to facilities, where access control is a manual process, authentication shall be accomplished by manual verification of an identity (e.g., photoID).
Access to department information assets and associated permissions shall be approved by the respective department information asset owner.
Records of all user account creations, deletions, and changes to user access and permissions shall be maintained for a period of at least twelve (12) months.
The department shall develop a comprehensive identity and access management strategy based on statutory and organizational business requirements, including:
- Supporting unique identification, individual user types and groups, job roles and access methods.
- Limiting access to information assets and associated facilities to authorized users, processes, or devices, and to authorized activities and transactions.
- Defining roles and assigning responsibilities pertaining to access control tools, technologies and processes.
- Developing and implementing standards, technologies and processes to support its access control strategy.
- Formally defining and documenting user account types and groups, and access use cases, commensurate with employment responsibilities.
- Employing multi-factor authentication for remote access, and risk-based user authentication methods to accommodate approved logical access use cases.
- Publicly available or published access and authentication credentials, such as default credentials, anonymous credentials and guest credentials, shall not be reused, and shall be replaced as a matter of standard procedure.
- Display a notification of system use or security warning banner message on each system that requires affirmative acknowledgement by the user before authentication.
The department shall ensure that access to non-active personnel is deactivated before or immediately after termination, as appropriate.
The department shall review and validate user access and associated access permissions and privileges at least every twelve (12) months to ensure alignment with individual job roles and functions.
Certain department information technology support personnel and network administrators shall require specific privileges to perform their duties.
- For all Administrators and Privileged Account holders, the department shall:
  - Identify and document all Administrator and Privileged Account holders.
  - Ensure that administrative and privileged accesses are granted to users through established or approved local provisioning processes.
  - Ensure that such users acknowledge the privileges and only use those accounts to fulfill the specific job responsibilities for which the privileges apply.
  - Ensure automated processes including service accounts with privileged access to information systems shall follow established standards for password rotation, limited access and auditing.
  - Review and validate the continued business need for all Administrator and Privileged Accounts on an annual basis or when staffing, resource, or job function changes occur.
User access and permissions shall be based on the principles of least privilege and separation of duties.
The department shall define and document all auditable system events related to data and information access that shall be recorded.
The department shall ensure access control management systems are configured to capture and record audit and security information related to access events.
Audit and security records shall be securely stored and protected against tampering; audit and security records shall be maintained for the period defined in the records retention schedule.
Monitoring and alerting of anomalous or suspicious activities and events is most effectively accomplished through automated and real-time reviews of audit and security logs.
The department shall implement suitable controls to monitor for unauthorized changes to user access. Where feasible, unauthorized changes shall generate automated alerts to notify responsible department individuals.
In the absence of automated monitoring and alerting, the department Information Security Officer (ISOInformation Security Officer) shall review access record reports on a quarterly basis. Access records include: new user account creation requests, user access revocation requests, active user lists, and user termination lists.

49110.5 Roles and Responsibilities

The department Chief Information Officer (CIO) or Designee:
- Owns this policy and is responsible for ensuring that all users of department Information Assets are aware of this policy and acknowledge their individual responsibilities.
- Is responsible for ensuring that this policy is reviewed annually, and updated accordingly.
- Is required to audit and assess compliance with this policy at least once every two (2) years.
Department Owners of Information Assets and Program Management:
- In collaboration with the Information Asset Custodians shall ensure that this policy is implemented and implementation is reviewed at minimum annually.
- Shall audit and assess user access rights and privileges to ensure alignment with individual job roles and functions on an annual basis.
Department Information Asset Custodians:
- Shall implement user access and associated rights and privileges as requested and approved by Owners of Information Assets.
- In collaboration with Owners of Information Assets, shall periodically review accounts with elevated privileges and verify that continued privilege account access is required.
- In collaboration with Owners of Information Assets shall ensure access technology and process controls are commensurate with the sensitivity or criticality of information assets under their purview.
- Shall revoke or modify individual user access rights and privileges upon notification from the Owners of Information Assets.
- Shall maintain access records consistent with the retention schedule.

49110.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49110.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49110.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49110.9 Security Variance Process

If compliance is not feasible or is technically impossible, if existing policy currently in place already meets these requirements, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variation as defined by the department ISOInformation Security Officer.

49110.10 Authority

This policy complies with California Government Code Section 11549.3.

49110.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5305-A, Information Security Program Management Standard
SAMState Administrative Manual, Section 5305.4, Personnel Management
SAMState Administrative Manual, Section 5305.7, Risk Assessment
SAMState Administrative Manual, Section 5315, Information Security Integration
SAMState Administrative Manual, Section 5335, Information Security Monitoring
SAMState Administrative Manual, Section 5335.1, Continuous Monitoring
SAMState Administrative Manual, Section 5335.2, Auditable Events
SAMState Administrative Manual, Section 5355, Endpoint Defense
SAMState Administrative Manual, Section 5355.1, Malicious Code Protection
SAMState Administrative Manual, Section 5360, Identity And Access Management
SAMState Administrative Manual, Section 5360.1, Remote Access
SAMState Administrative Manual, Section 5360.2, Wireless Access
SAMState Administrative Manual, Section 5365.1, Access Control for Output Devices
NIST SP 800-53, Access Control AC-1, AC-2 (1)(2)(3)(4), AC-3, AC-4, AC-5, AC-6 (1)(2)(5)(9)(10), AC-7, AC-8, AC-11, AC-12, AC-14, AC-17(1)(2)(3)(4), AC-18(1), AC19(5), AC-20(1)(2), AC-21, AC-22, AC-24
NIST SP 800-53, Audit & Accountability AU-3, AU-6, AU-7, AU-8, AU-9, AU-10, AU11, AU-13
NIST SP 800-53, Awareness & Training AT-2
NIST SP 800-53, Identification & Authorization IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA8, IA-9, IA-10, IA-11
NIST SP 800-53, Risk Assessment RA-1, RA-2, RA-3
DOMDepartment Operations Manual, Chapter 3, Article 22
DOMDepartment Operations Manual, Chapter 4, Article 45, Section 49020.6.1, 49020.7.1, 49020.9, 49020.10
California Government Code Section 11549.3

Revision History

Effective 03/14/22

Article 55 – Acceptable Use Policy

March 14, 2022

49120.1 Introduction and Overview

Information assets owned by the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)) (including but not limited to department data and information, laptops, cell phones, and removable storage devices) are strategic assets intended for official business use, and are entrusted to State personnel in the performance of their job-related duties.
Inappropriate use of CDCRCalifornia Department of Corrections and Rehabilitation, CCHCS, and CALPIACalifornia Prison Industry Authority (formerly PIA) (hereinafter referred to as department) information assets could negatively affect the confidentiality, integrity, or availability of the information, information systems, or other information assets of the department and the State of California. Consequently, it is important for all users to access or use information assets in a responsible, ethical, and legal manner that safeguards department data and information.
Additionally, the appropriate use of information assets benefits the State and the department by strengthening the protection of the department and its personnel and business partners from illegal or potentially damaging activities.

49120.2 Objectives

This policy defines and establishes the requirements for the appropriate use and safeguarding of department information assets.

49120.3 Ownership of Information

Data and information in hard copy format and that which is electronically created, sent, received, processed, or stored on information assets owned, leased, administered, or otherwise under the custody and control of the department are the property of the State. Any information, not specifically identified as the property of other parties and that is transmitted, processed, or stored on the department’s and business partner ITInformation Technology facilities and resources (including e-mail, messages, and files) is considered the property of the department.
Individual access and use of department information assets is neither personal nor private. As such, department management reserves the right to monitor and log all employee use of department information assets with or without advanced notice.

49120.4 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by the department and to all personnel authorized to use these assets.

49120.5 Policy Directives

The department shall ensure that users use and protect department information assets in accordance with this policy and applicable information security and privacy policies.
Department Unacceptable Use
The department shall ensure that users do not:
- Use department information assets to engage in or solicit the performance of any activity that violates laws, regulations, rules, policies, standards, and other applicable requirements issued by the federal government, the State of California, and the department.
- Use department information assets for personal enjoyment, private gain or advantage, personal gain, political activity, unsolicited advertising, unauthorized fundraising, or an outside endeavor not related to State business.
- Engage in any activity that attempts to circumvent or alter the function of the department’s security controls (e.g., spoofing email, anonymous proxies, or unauthorized encryption), or other activities that may degrade the performance of information resources, or may deprive an authorized user access to department assets.
- Share their work-related account(s), passwords, Personal Identification Numbers (PIN), security questions/answers, security tokens (e.g., smartcard, key fob), or similar information or devices used for authentication and authorization purposes.
- Use department information assets to send or arrange to send emails or intentionally access sites that contain pornographic, racist, or offensive material, chain letters or unauthorized mass mailings, and malicious code.
- Users shall not connect or otherwise attach unauthorized devices or equipment to the department network infrastructure.

49120.6 Roles and Responsibilities

The department Chief Information Officer (CIO) or Designee:
- Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- Is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- Is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Asset Users:
- Shall use and protect department information assets in accordance with this policy and applicable information security and privacy policies.
- Shall report any security concerns pertaining to department information asset security of which they become aware to the department Information Security Officer (ISOInformation Security Officer), designee, appropriate security staff or their immediate supervisor. Security concerns with information assets may include unexpected software or system behavior, which could result in unintentional disclosure of information or exposure to security threats.
- Shall report any suspected or actual activities or events indicating misuse or violation of this policy to the department ISOInformation Security Officer, designee, appropriate security staff or their immediate supervisor.
- Shall be aware of and adhere to all department information security and privacy policies.

49120.7 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49120.8 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49120.9 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49120.10 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the department ISOInformation Security Officer.

49120.11 Authority

This policy complies with the State of California Government Code Section 11549.3.

49120.12 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SIMM, Section 5305-A, Information Security Program Management Standard
SAMState Administrative Manual, Section 5305.3, Information Security Roles and Responsibilities
SAMState Administrative Manual, Section 5320.4, Personnel Security
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 41, Section 48010.5
California Government Code Section 11549.3

Revision History

Effective 03/14/22

Article 56 – Firewall Configuration Policy

March 14, 2022

49130.1 Introduction and Overview

Network firewalls act as a communications buffer between internal and external devices while simultaneously keeping out unwanted users, viruses, worms, or other malicious programs trying to access the protected network. Firewalls and the technology and procedures that support them help protect internal networks and manage traffic in and out of California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA))’s network.

49130.2 Objectives

The objective of this policy is to define how firewalls are to be configured, implemented, and managed within the CDCRCalifornia Department of Corrections and Rehabilitation, CCHCS, and CALPIACalifornia Prison Industry Authority (formerly PIA) (hereinafter referred to as department).

49130.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by the department, including mission critical infrastructure and information assets owned or operated by third parties (if applicable) on behalf of the department.
This policy applies to the department Chief Information Officer or their designee, Information Technology functions, information security sections, owners of critical infrastructure, Agency and Department Information Security Officers, Technology Recovery Plan coordinators, and Information Asset Custodians.

49130.4 Policy Directives

The department shall use a multi-layered approach to protect computer resources and assets. Network security design shall include firewall functionality at all places in the network where opportunities exist for outside exploitation. This may include placing a firewall in areas other than the network perimeter to provide an additional layer of security and protect devices that are placed directly onto external networks (i.e. the demilitarized zone or DMZ) or between different trusted and untrusted segments of the network.
Firewall Configuration
The department shall:
- Implement configurations that restrict all inbound and outbound traffic associated with untrusted wired/wireless networks and hosts.
- Deny all traffic by default and only allow inbound and outbound traffic thru approved exceptions.
- Disable unnecessary user accounts and default accounts (e.g. Administrator, Guest, etc.).
- Disable all unused and unnecessary ports, protocols, and services before deployment into a production environment.
- Implement a Demilitarized Zone (DMZ) that limits inbound traffic to the internal trusted network and permits authorized publicly accessible services, protocols, and ports/services.
- Log all changes to firewall configuration parameters, enabled services, and permitted connectivity paths for a period of one (1) year. The department data retention procedures shall be followed.
- Physically secure firewalls in a location accessible only to authorized personnel. The placement of firewalls in an open area within a general-purpose data center is prohibited.

49130.5 Firewall Administration and Management

The following firewall management practices shall be utilized:
- Configuration of rulesets and policies shall be managed through an internal change management process.
- Firewall security logs shall be reviewed no less than every six (6) months to detect any unauthorized entry attempts or network anomalies, and shall be retained for a period of one (1) year.
- All enterprise firewall rulesets shall be reviewed according to documented processes and procedures.
- All new inbound and outbound connections requiring firewall rulesets to be applied shall have a valid business justification and the approval of the Information Asset Custodian on behalf of the Information Asset Owner.
- Current security updates, patches, and anti-virus definitions shall be applied in accordance with documented standards, threat intelligence, and product/vendor guidance.
- Administrative access shall be restricted to authorized and approved Information Asset Custodians and designated security personnel.
- Access to management and administrative interfaces shall be available only from locations that are deemed appropriate.

49130.6 Roles and Responsibilities

The department Chief Information Officer (CIO) or Designee:
- Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- Is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- Is required to audit and assess compliance with this policy at least once every two (2) years.
The department Information Security Officer (ISOInformation Security Officer):
- Is responsible for the oversight and coordination of entity information security policies and procedures.
The department Owners of Information Assets and Program Management:
- In collaboration with the Information Asset Custodians, are responsible for ensuring the protection of information assets under their purview.
The department Information Asset Custodians:
- In collaboration with the Information Asset Owners, are responsible for ensuring implementation of this policy and its directives.
- Shall review firewall security logs in accordance with this policy.
- Shall notify the department ISOInformation Security Officer and the asset owner shall a security incident occur.
The department Firewall Administrators:
Are responsible for managing firewall policies, updates, upgrades, software, installations, as well as other network security solutions. As access and network requirements change, firewall policies shall be updated to reflect these changes.

49130.7 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, The department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49130.8 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49130.9 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49130.10 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variation as defined by the department ISOInformation Security Officer.

49130.11 Authority

This policy complies with State of California Government Code Section 11549.3 and SAMState Administrative Manual-5350 Operational Security.

49130.12 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SAMState Administrative Manual, Section 5305.5, Information Asset Management
SAMState Administrative Manual, Section 5310.4, Individual Access to Personal Information
SAMState Administrative Manual, Section 5310.6, Data Retention and Destruction
SAMState Administrative Manual, Section 5310.7, Security Safeguards
SAMState Administrative Manual, Section 5340, Information Security Incident Management
SAMState Administrative Manual, Section 5340.1, Incident Response Training
SAMState Administrative Manual, Section 5340.2, Incident Response Testing
SAMState Administrative Manual, Section 5340.3, Incident Handling
SAMState Administrative Manual, Section 5340.4, Incident Reporting
SAMState Administrative Manual, Section 5350.1, Encryption
SAMState Administrative Manual, Section 5365, Physical Security
SAMState Administrative Manual, Section 5365.1, Access Control for Output Devices
SAMState Administrative Manual, Section 5365.2, Media Protection
SAMState Administrative Manual, Section 5365.3, Media Disposal
Federal Information Processing Standard, FIPS 199
NIST SP 800-53, Access Control, AC-3 Access Enforcement, AC-4 Information Flow Enforcement
NIST SP 800-53, Audit and Accountability, AU-2 Event Logging, AU-3 Content of Audit Records, AU-13 Monitoring for Information Disclosure
NIST SP 800-53, Configuration Management, CM-8 System Component Inventory
NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
NIST SP 800-53, Physical and Environmental Protection, PE-5 Access Control for Output Devices, PE-19 Information Leakage, PE-20 Asset Monitoring and Tracking
NIST SP 800-53, Planning, PL-4 Rules of Behavior
NIST SP 800-53, Program Management, PM-9 Risk Management Strategy
NIST SP 800-53, Risk Assessment, RA-2 Security Categorization, RA-3 Risk Assessment
NIST SP 800-53, Assessment, Authorization and Monitoring, CACorrectional Administrators-7 Continuous Monitoring
NIST SP 800-53, System and Communications Protection, SC-4 Information in Shared Resources, SC-8 Transmission Confidentiality and Integrity, SC-13 Cryptographic Protection, SC-17 Public Key Infrastructure Certificates, SC-28 Protection of Information at Rest
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, Sections 49020.8, 49020.9 and 49020.10
California Government Code Section 11549.3

Revision History

Effective 03/14/22

Article 57 – Physical and Environmental Protection Policy

March 14, 2022

49140.1 Introduction and Overview

Information assets owned by the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)) (including but not limited to department data and information, servers, laptops, tablets, cell phones, and removable storage devices) are strategic assets intended for official business use, and they are entrusted to State personnel in the performance of their jobrelated duties.
Restricting physical access to information assets reduces the potential for their damage and misuse. Implementing and maintaining environmental controls provides optimal operating conditions for information assets that are critical to CDCRCalifornia Department of Corrections and Rehabilitation, CCHCS, and CALPIACalifornia Prison Industry Authority (formerly PIA) (hereinafter referred to as department) business functions.

49140.2 Objectives

Objectives for this policy are to establish physical security and environmental protection control requirements to safeguard department information assets against unauthorized access, use, disclosure, disruption, modification, or destruction.

49140.3 Scope and Applicability

The scope of this policy extends to all State information assets owned or operated by the department, and governs physical access to department information assets.
This policy applies to all department personnel.

49140.4 Policy Directives

The department shall define the control requirements for the physical environmental protection of information assets.
The department shall implement, manage, monitor, and regularly maintain physical security and environmental protection controls to safeguard State information assets for which they have custodianship.
Personnel identification systems and facility access controls shall be implemented for all personnel and visitors. Access logs shall be reviewed at minimum annually.
Environmental controls shall be implemented in computer rooms and data centers, including but not limited to, temperature and humidity regulators, fire detection and suppression, and electrical power conditioning.
Supporting controls, processes, and procedures to control physical access (e.g., security gates), handling digital media, and emergency processes and procedures shall be implemented.
Service records of periodic maintenance of physical and environmental protection controls (e.g., heating/cooling unit servicing) and results of tests of environmental controls (e.g., power outage) shall be retained for a minimum of six (6) months.
Security risks shall be identified, remediated, and reported to the department Information Security Officer (ISOInformation Security Officer).

49140.5 Roles and Responsibilities

The department Chief Information Officer (CIO) or Designee:
- Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- Is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- Is required to audit and assess compliance with this policy at least once every two (2) years.
The department Owners of Information Assets and Program Management:
- Shall formally approve and authorize access and revocation of access to information assets.
- In collaboration with the Information Asset Custodians shall validate access to information assets under their purview on an annual basis, or when staffing, resource or job function changes occur.
- In collaboration with the Information Asset Custodians shall validate protection requirements for information assets under their purview on an annual basis.
The department Information Asset Custodians:
- In collaboration with the Owners of Information Assets shall define protection requirements for information assets under their purview.
- Shall implement, manage, maintain, monitor, and periodically test physical and environmental protection controls to safeguard State information assets for which they have custodianship and as defined by the respective Owners of Information Assets.
- Shall track and monitor all access to information assets, including physical access, as defined by Owners of Information Assets, and physical and environmental controls to validate correct operation.
- Shall maintain all maintenance records and results of periodic tests.

49140.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the CDT OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49140.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department’s readiness to respond and recover from an incident.

49140.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49140.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49140.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49140.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SAMState Administrative Manual, Section 5325, Business Continuity Planning
SAMState Administrative Manual, Section 5360, Identity and Access Management
SAMState Administrative Manual, Section 5365, Physical Security
NIST SP 800-53, Physical and Environmental Protection, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PE-16, PE-17
NIST SP 800-53, Maintenance, MA-1, MA-2, MA-3, MA-4, MA-5
NIST SP 800-53, Contingency Planning, CP-2, CP-3
NIST SP 800-53, Incident Response, IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7
NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, Section 49020.9, 49020.10
California Government Code Section 11549.3

Revision History

Effective 03/14/22

Article 58 – Security Assessment and Authorization Policy

March 14, 2022

49150.1 Introduction and Overview

California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)) is responsible for the integration of information security and privacy within the organization. This includes, but is not limited to, the design and early identification of appropriate security controls in information asset acquisitions, in the design of new systems, or existing systems that are undergoing substantial redesign, including both in-house and outsourced solutions.
The CDCRCalifornia Department of Corrections and Rehabilitation, CCHCS, and CALPIACalifornia Prison Industry Authority (formerly PIA) (hereinafter referred to as department) shall ensure its Information Security Officer (ISOInformation Security Officer) and, where applicable, its Privacy Program Coordinator and Technology Recovery Coordinator, are actively engaged with both the owners of information assets, and any relevant project, procurement, and technical personnel, to identify and implement the appropriate security controls required to manage risk to acceptable levels. Where applicable, the department ISOInformation Security Officer shall also work with other stakeholders, as appropriate.

49150.2 Objectives

The objective for this policy is to establish a documented security assessment and authorization plan.

49150.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned or operated by the department.
This policy applies to the department ISOInformation Security Officer, Privacy Officer, Privacy Program Coordinator, program management, Owners of Information Assets and Information Asset Custodians.

49150.4 Policy Directives

The department shall ensure that a plan for assessing security controls in department information assets is defined and documented. The plan shall include the following:
- Roles and responsibilities for security assessments and authorization.
- Assessments are integrated in life cycle processes and operational assessments, and identify weaknesses and deficiencies early in information asset acquisition, development, and integration processes.
- Essential information needed to make risk management decisions as part of security authorization processes is provided to the defined risk decision makers.

49150.5 Roles and Responsibilities

The department Chief Information Officer (CIO) or Designee:
- Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- Is responsible for ensuring that this policy is reviewed annually, and updated accordingly.
- Is required to audit and assess compliance with this policy at least once every two (2) years.
The department Information Security Officer (ISOInformation Security Officer):
- Shall facilitate security assessments and authorizations, and shall provide advice as appropriate.
The department Owners of Information Assets and Program Management in collaboration with Information Asset Custodians shall:
- Ensure that this policy is implemented and shall review the policy’s implementation annually.
- Ensure requisite security controls are implemented in accordance with applicable security requirements and documented authorizations for information assets.
- Ensure that any security control gaps and residual risks being accepted are formally documented.
- Ensure that records and results of assessments and risk decisions are maintained.
- Ensure that records and results of assessments and risk decisions are provided to information security officers in a timely manner.
The department Information Asset Custodians:
Shall implement the requisite security controls based upon the sensitivity or criticality of the assets as defined by the owners of information assets.
The department Privacy Officer/Privacy Program Coordinator:
Shall ensure that privacy threshold and privacy impact assessments are completed as part of the security assessment and authorization process.

49150.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, The department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49150.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department’s readiness to respond and recover from an incident.

49150.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49150.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the department ISOInformation Security Officer.

49150.10 Authority

This policy complies with the State of California Government Code Section 11549.3.

49150.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SIMM, Section 5305-A, Information Security Program Management Standard
SAMState Administrative Manual, Section 5305.7, Risk Assessment
SAMState Administrative Manual, Section 5315, Information Security Integration
SAMState Administrative Manual, Section 5315.9, Security Authorization
NIST SP 800-53, Asset, Authorization, and Monitoring, (CACorrectional Administrators), CACorrectional Administrators-1, CACorrectional Administrators-2, CACorrectional Administrators-4, CACorrectional Administrators-6
NIST SP 800-53, System and Information Integrity Policy and Procedures (SI), SI-1, SI6, SI-12
NIST 800-37, Risk Management Framework for Information Systems and Organizations: A Systems Life Cycle Approach for Security and Privacy
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, Sections 49020.9
California Government Code Section 11549.3

Revision History

Effective 03/14/22

Article 59 – Audit and Accountability Policy

Effective November 3, 2022

49160.1 Introduction and Overview

In order to detect and respond to signs of attack, anomalies, and suspicious or inappropriate activities, California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, requires an audit and security event logging strategy to continuously monitor access and activities conducted using department information assets.
Information assets owned by the department are strategic assets intended for official business use, and are entrusted to State personnel and business partners in the performance of their job-related duties. Since inappropriate or unauthorized access and use of department information assets could result in harm to the State and to the department, it is important to detect and respond to signs of attack, anomalies, and suspicious or inappropriate activities in a timely and proper manner.

49160.2 Objectives

This policy guides the development and implementation of department event logging and continuous monitoring strategy and supporting processes to identify and respond to indicators of attack, anomalies, and suspicious or inappropriate activities.

49160.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by the department.
This policy is applicable to department Owners of Information Assets and Information Asset Custodians.

49160.4 Policy Directives

Department Owners of Information Assets in collaboration with Information Asset Custodians and the department Information Security Officer (ISOInformation Security Officer) shall develop and implement an event logging and continuous monitoring strategy of access and activities conducted using department information assets. This strategy shall include, at a minimum, the following items:
- Define and document the audit logging requirements and security events that shall be recorded, monitored, and reviewed.
- Identify and implement controls for audit trails and auditability of events for each system as well as for the internal network, accounting for segregation of duties, as appropriate.
- Perform, at minimum, monthly monitoring of event logs of critical information assets to identify and respond to indicators of attacks, anomalies, and suspicious or inappropriate activities in a timely manner.
- Define secure storage and retention of event logs.
- Clearly define roles and responsibilities for event logging and monitoring.

49160.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall guide the development and implementation of the department event logging and continuous monitoring strategy.
Department Owners of Information Assets and Program Management
- Owners of Information Assets in collaboration with Information Asset Custodians are responsible for ensuring the protection of information assets under their purview.
- Owners of Information Assets shall participate in the development and implementation of an event logging and continuous monitoring strategy.
- Owners of Information Assets shall ensure assets are independently and continuously monitored based on the criticality of information assets.
Department Information Asset Custodians
- Information Asset Custodians shall participate in the development and implementation of an event logging and continuous monitoring strategy.
- Information Asset Custodians shall implement and maintain the department event logging and continuous monitoring strategy.

49160.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49160.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49160.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49160.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49160.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49160.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5305-A, Information Security Program Management Standard
SIMM 5340-A, Incident Reporting and Response Instructions
SAMState Administrative Manual, Section 5335, Information Security Monitoring
SAMState Administrative Manual, Section 5335.1, Continuous Monitoring
SAMState Administrative Manual, Section 5335.2, Auditable Event
NIST SP 800-53, Audit and Accountability, AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, AU-10, AU-11
NIST SP 800-53, Physical and Environmental Protection, PE-2, PE-6, PE-8
NIST SP 800-53, Risk Assessment, RA-3
DOMDepartment Operations Manual Chapter 3, Article 22
California Government Code Section 11549.3

Revision History

Effective: November 2, 2022.

Article 60 – Data Retention and Destruction Policy

Effective November 3, 2022

49170.1 Introduction and Overview

The purpose of this policy is to ensure that necessary records and documents are adequately protected and maintained. Records that have reached the records retention maximum lifespan or that are no longer deemed necessary by the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, are to be destroyed at the proper time and in a secure manner, consistent with records management policies outlined by the Secretary of State’s Office. The policy also describes the obligations of department employees to retain electronic and non-electronic documents and their proper disposal.

49170.2 Objectives

The objective of this policy is to establish the requirements for retaining or disposing of paper and electronic documents including but not limited to:
- E-mails, texts, chats, and instant messages.
- Video, audio, and image files.
- Word processing and spreadsheet files.
- Website activity and history.
- Information posted on social networking websites.
- Voice mails and video mail.
- Computer programming information, system and audit logs, configuration details.
- Physical paper documents, media and artifacts.

49170.3 Scope and Applicability

The scope of this policy extends to all State information assets owned or operated by the department, as well as information assets owned and operated by third parties (if applicable) on behalf of the department.
This policy applies to the department’s Chief Information Officer (CIO) or Designee, program management, Owners of Information Assets, Department Information Security Officers, Records Management Coordinators (RMC), Records Management Assistant Coordinators (RMAC), Technology Recovery Plan Coordinators, and Information Asset Custodians.

49170.4 Policy Directives

Pursuant to California Government Code Sections 12270-12279, the department shall set records retention schedules to address legal, statutory, and compliance requirements as well as litigation needs, business processes, and data privacy concerns. Storage requirements shall be coordinated with the department RMC to ensure compliance with the State Records Management Act.
The department shall:
- Ensure that roles and responsibilities for the identification, classification, and life cycle management of all department data and information assets are defined, documented, and implemented.
- Ensure that all department information assets, including information and information systems, are categorized according to their criticality to department in accordance with SAMState Administrative Manual 5305.5, as well as to their sensitivity and susceptibility to inadvertent damage, loss or exposure and corresponding impacts to department.
- Ensure that methods to protect the confidentiality, integrity, and availability of department data and information assets according to their classification are defined, documented, and implemented.
- Ensure that conditions for access to and use of department information assets for all personnel are defined and documented.
- Ensure that all personnel with access to department data and information assets are trained regarding data access and handling according to their roles and responsibilities.
- Ensure that department data and information assets are used solely for their intended purpose.
- Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.
- Ensure regular backups shall be completed based on department back-up and retention policy.

49170.5 Data Retention Requirements

Retention procedures shall specify:
- Steps used to archive information and locations where this information is stored.
- The appropriate destruction of stored information, electronic or other format, after the identified retention period expires. Such steps shall adhere to the requirements outlined in this policy.
- Chain of custody and handling of stored information, electronic or other format, when under litigation.
In certain instances, individual business units have unique record retention requirements outside of documented groups. These requirements shall be documented as part of internal processes and procedures and communicated to the Information Security Officer (ISOInformation Security Officer), RMC and RMAC. Such requirements may include contractual obligations with customers or business contacts or data retention requirements to maintain business operations. In some instances, departments may need to retain electronically stored information for a historical archive.
During the appropriate retention period for electronic records, archived data shall be retrievable. Doing so requires the following protocols:
- As new software or hardware is implemented, appropriate department support staff shall ensure new systems and file formats can read legacy data. This may require that older data is converted to newer formats where possible.
- Data that is encrypted shall be retrievable. The department shall implement key management procedures to ensure encrypted data can be decrypted when needed.
When establishing record retention periods, the department shall rely on (in order of precedence):
- Federal and state laws and statutes and regulations.
- State guidelines, recommendations, rules, and statutory requirements.
- Internal department requirements and policies.

49170.6 Audit Controls and Managment

Documented procedures shall be in place for this policy and reviewed annually and updated as needed. Effective organizational management, audit controls, and employee practices include:
- Documented record retention schedules and archival information of the department.
- Procedures and anecdotal evidence of data migrations to manage electronic record compatibility with newer systems.
- Documented encryption and decryption strategies that allow for retrieval of archival electronic records.
- Employee procedures and documentation of records management and archival processes.
- Direct observation of archival records organization and storage.

49170.7 Expiration of Retention Period

Once a record or data has reached its designated retention period date, the Owner of Information Assets shall refer to the department Data Retention Schedule for appropriate action in accordance with the California State Records Management Act.

49170.8 Sanitization and Destruction

When no longer usable, hard drives, diskettes, tape cartridges, CDs, ribbons, hard copies, print-outs, and other similar items used to process, store or transmit sensitive or confidential data shall be properly disposed of in accordance with measures established by SAMState Administrative Manual 5900 and 1600. (See NIST 800-88, Guidelines for Media Sanitization for further assistance.)
- Physical media (paper print-outs and other physical media) shall be disposed of by one of the following methods:
  - Shredded using department issued cross-cut shredders.
  - Placed in locked shredding bins for third party shredding to come on-site, retrieve bins and securely shred.
- Electronic/Magnetic media (hard drives, tape cartridges, CDs, printer ribbons, flash drives, printer and copier hard drives, smart devices, etc.) shall be disposed of by one of the following methods: (See NIST 800-88, Guidelines for Media Sanitization, Appendix A for further details.)
  - Clear – applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques.
  - Purge – applies physical or logical techniques that render Target Data recovery infeasible.
  - Destroy – renders Target Data recovery infeasible and results in the subsequent inability to use the media for storage of data.
ITInformation Technology systems that have been used to process, store, or transmit sensitive or confidential information shall not be released from the department’s control until the equipment has been sanitized and all stored information has been cleared using one of the above methods.

49170.9 Suspension of Records Disposal in Event of Litigation Hold

Preservation of data is a response to issues involving litigation, legislation, and requests for data pursuant to public records requests. The department shall comply with multiple federal and state laws, legal proceedings, state regulations and standards for the proper preservation and delivery of relevant physical and electronically stored information (ESI) in a timely and reliable manner. Legal counsel shall take such steps as necessary to promptly inform all staff of any suspension in the further disposal of documents. Please refer to the department eDiscovery and Litigation Hold Policy for further details.

49170.10 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall ensure processes exist for the secure destruction of paper and electronic records when no longer needed.
- The ISOInformation Security Officer shall ensure specific retention requirements for sensitive or confidential data as defined by the Owners of Information Assets are adhered to.
- The ISOInformation Security Officer shall ensure the safe and secure disposal of confidential data and information assets.
- The ISOInformation Security Officer shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.
Department Owners of Information Assets and Program Management
- Owners of Information Assets shall ensure that no document is retained for longer than is legally or contractually allowed.
- Owners of Information Assets shall implement data retention and disposal guidelines limiting data storage and retention times in accordance with legal, regulatory, and business requirements.
- Owners of Information Assets shall define and enforce data retention requirements.
Department Information Asset Custodians
- Information Asset Custodians shall assist Owners of Information Assets in identifying data retention security controls commensurate with the classification of the data.
- Information Asset Custodians shall document, implement, monitor, and maintain data retention security protection controls as defined by Owners of Information Assets.
- Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor and maintain data retention security controls.
Department Records Management Coordinator (RMC) and Records Management Assistant Coordinator (RMAC)
- The RMC, pursuant to Gov. Code 12274, shall assist the RMACs, Owners and Custodians of Information Assets in establishing proper data retention periods.
- The RMC shall assist in training identified RMACs and entity staff in records retention.
- The RMACs shall ensure that required data retention periods are maintained and data beyond the lifecycle of established policy is properly disposed.

49170.11 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, Information Security Officer (ISOInformation Security Officer), and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49170.12 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49170.13 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49170.14 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49170.15 Authority

This policy complies with State of California Government Code Section 11549.3.

49170.16 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SAMState Administrative Manual, Section 5305.5, Information Asset Management
SAMState Administrative Manual, Section 5310.4, Individual Access to Personal Information
SAMState Administrative Manual, Section 5310.6, Data Retention and Destruction
SAMState Administrative Manual, Section 5310.7, Security safeguards
SAMState Administrative Manual, Section 5340, Information Security Incident Management
SAMState Administrative Manual, Section 5340.1, Incident Response Training
SAMState Administrative Manual, Section 5340.2, Incident Response Testing
SAMState Administrative Manual, Section 5340.3, Incident Handling
SAMState Administrative Manual, Section 5340.4, Incident Reporting
SAMState Administrative Manual, Section 5350, Encryption
SAMState Administrative Manual, Section 5365, Physical access
SAMState Administrative Manual, Section 5365.1, Access Control for Output Devices
SAMState Administrative Manual, Section 5365.2, Media Protection
SAMState Administrative Manual, Section 5365.3, Media Disposal
Federal Information Processing Standard, FIPS 199
NIST SP 800-53, Access Control, AC-3, AC-4
NIST SP 800-53, Audit and Accountability, AU-2, AU-3, AU-13
NIST SP 800-53, Configuration Management, CM-8
NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
NIST SP 800-53, Physical and Environmental Protection, PE-5, PE-19, PE-20
NIST SP 800-53, Planning, PL-4
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
NIST SP 800-53, System and Communications Protection, SC-4, SC-8, SC-13, SC-17, SC-28
NIST SP 800-53, System and Services Acquisition, SA-11
NIST SP 800-53, System and Information Integrity, SI-12
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 1, Article 23, Sections 14060.6.5, 14060.6.6
DOMDepartment Operations Manual Chapter 4, Article 38, Section 47110.15
California Government Code Section 11549.3

Revision History

Effective: November 2, 2022.

Article 61 – Data Security Policy

Effective November 3, 2022

49180.1 Introduction and Overview

California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, collects, processes, transmits, and stores large amounts of data to support essential missions and business functions. Some data maintained by the department may be sensitive or confidential, and may require special precautions to protect it from unauthorized modification, or deletion as per the State Administrative Manual.
The department has the responsibility to classify its data and information assets, and to implement suitable controls to protect it from unauthorized access, corruption, or loss.

49180.2 Objectives

The primary objective for this policy is to define department requirements to manage the confidentiality, integrity, and availability of department data and information assets throughout their lifecycles: from collection, creation, storage, and use, to destruction and disposal.

49180.3 Scope and Applicability

The scope of this policy extends to all state and agency data and information assets owned or operated by the department, and operated by third parties on behalf of the department, and governs all state and department data and information assets in all forms and media types, including digital and physical formats.
This policy applies to all department personnel.

49180.4 Policy Directives

The department shall:
- Ensure that roles and responsibilities for the identification, classification, and life cycle management of all department data and information assets are defined, documented, and implemented.
- Ensure that all department information assets, including information and information systems, are categorized according to their criticality, as well as their sensitivity and susceptibility to inadvertent damage, loss, or exposure and corresponding impact to the department.
- Ensure that methods to protect the confidentiality, integrity, and availability of department data and information assets according to their classification are defined, documented, and implemented.
- Ensure that conditions for access to and use of department information assets for all personnel are defined and documented.
- Ensure that all personnel with access to department data and information assets are trained regarding data access and handling according to their roles and responsibilities.
- Ensure that department data and information assets are used solely for their intended purpose.
- Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.
- Ensure that the proper authorities are notified of data security incidents as required.

49180.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.
- The ISOInformation Security Officer shall participate in incidents involving data security.
- The ISOInformation Security Officer shall ensure that data security controls, methods and processes meet department and applicable regulatory requirements for security and privacy.
Department Owners of Information Assets and Program Management
- Owners of Information Assets shall ensure that this policy is implemented and reviewed annually, and updated as necessary.
- Owners of Information Assets shall ensure that roles and responsibilities for the identification, classification, and life cycle management of all data and information assets under their purview are defined, documented and implemented.
- Owners of Information Assets shall ensure confidentiality and integrity controls commensurate with asset classification are implemented for data and information assets under their purview.
- Owners of Information Assets shall ensure that conditions and rules for access, availability, and use of data and information assets under their purview are commensurate with asset classification.
Department Information Asset Custodians
- Information Asset Custodians shall assist Owners of Information Assets in identifying data security controls commensurate with the classification of the data.
- Information Asset Custodians shall document, implement, monitor, and maintain data security protection controls as defined by Owners of Information Assets.
- Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor and maintain data security controls.
- Information Asset Custodians shall notify respective Owners of Information Assets and the department Information Security Officer (ISOInformation Security Officer) and the Privacy Officer of all security incidents pertaining to the security of department data, particularly if the incident is related to personally identifiable information (PII).
- Information Asset Custodians shall maintain data security records as defined by Owners of Information Assets commensurate with the classification of the data.
Department Users
- Users of department information assets shall be aware of and adhere to all department information security and privacy policies.

49180.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49180.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49180.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49180.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49180.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49180.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5305-A, Information Security Program Management Standard
SAMState Administrative Manual, Section 5305.5, Information Asset Management
SAMState Administrative Manual, Section 5310.4, Individual Access to Personal Information
SAMState Administrative Manual, Section 5310.6, Data Retention and Destruction
SAMState Administrative Manual, Section 5310.7, Security safeguards
SAMState Administrative Manual, Section 5340, Information Security Incident Management
SAMState Administrative Manual, Section 5340.1, Incident Response Training
SAMState Administrative Manual, Section 5340.2, Incident Response Testing
SAMState Administrative Manual, Section 5340.3, Incident Handling
SAMState Administrative Manual, Section 5340.4, Incident Reporting
SAMState Administrative Manual, Section 5350, Encryption
SAMState Administrative Manual, Section 5365, Physical access
SAMState Administrative Manual, Section 5365.1, Access Control for Output Devices
SAMState Administrative Manual, Section 5365.2, Media Protection
SAMState Administrative Manual, Section 5365.3, Media Disposal
Federal Information Processing Standard, FIPS 199
NIST SP 800-53, Access Control, AC-3, AC-4
NIST SP 800-53, Audit and Accountability, AU-2, AU-3, AU-13
NIST SP 800-53, Configuration Management, CM-8
NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
NIST SP 800-53, Physical and Environmental Protection, PE-5, PE-19, PE-20
NIST SP 800-53, Planning, PL-4
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
NIST SP 800-53, System and Communications Protection, SC-4, SC-8, SC-13, SC-17, SC-28
NIST SP 800-53, System and Services Acquisition, SA-11
NIST SP 800-53, System and Information Integrity, SI-12
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, Section 49020.6, 49020.6.1, 49020.6.2
DOMDepartment Operations Manual Chapter 4, Article 46, Section 49030.4
California Government Code Section 11549.3

Revision History

November 2, 2022.

Article 62 – eDiscovery and Litigation Hold Policy

Effective November 3, 2022

49190.1 Introduction and Overview

Preserving data is necessary in response to reasonably foreseeable litigation, subpoenas, or Public Records Act (PRAPublic Records Act) requests, and may be required under applicable state and federal laws and regulations. Data may include both physical and electronically stored information (ESI). ESI is broadly defined as any information stored in an electronic medium, regardless of its manner of creation or use.

49190.2 Objectives

The objective of this policy is to establish California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, requirements for identification, preservation, capture, and delivery of relevant data in response to requests for information, audit, archive, and legal proceedings.

49190.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by the department, as well as information assets owned or operated by third parties (if applicable) on behalf of the department.
This policy applies to the department’s Chief Information Officer (CIO) or their Designee, data owners, legal compliance staff, Agency and Department Information Security Officers, Privacy Officers, Privacy Program Coordinators, Records Management Coordinator (RMC), Records Management Assistant Coordinators (RMACs), Information Asset Custodians, and all users of department information systems.

49190.4 Policy Directives

The department shall:
- Preserve specific active and archived stored information and follow department data classification procedures when a litigation hold request is made.
- Provide a written litigation hold notice to all involved parties with clear instructions on what should be preserved and held.
- Ensure data and metadata are stored in a manner such that the data source is known and secured.
- Ensure necessary and appropriate record retention systems are created and maintained consistent with the records management policies outlined by the Secretary of State’s Office.
- Ensure proper controls for the preservation of data are implemented, including electronic communications which may reasonably be subject to legal proceedings.
- Establish a process for the intake and fulfillment of PRAPublic Records Act requests.
- Establish standard protocols for the collection, analysis, and delivery of data including chain of custody, data integrity and auditability of records.
- Provide Records Retention and eDiscovery training to appropriate staff.
- Return or destroy all preserved or archived data to the affected individuals and resume the normal destruction schedule after the legal duty to preserve evidence ends.

49190.5 Electronically Stores Information Subject to Discovery

ESI is any information stored in an electronic medium, regardless of its format, location, or medium. ESI is subject to discovery in civil litigation and may also be requested under the PRAPublic Records Act. ESI includes, but is not limited to:
- E-mails, texts, chats, and instant messages.
- Video, audio, and image files.
- Word processing and spreadsheet files.
- Website activity and history.
- Information posted on social networking websites.
- Voice mails and video mail.
- Computer programming information, system and audit logs, configuration details.
In the event of a litigation hold, this policy shall supersede requirements set forth in the Data Retention and Destruction Policy.

49190.6 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
- The CIO or Designee is responsible for establishing eDiscovery teams in order to efficiently and properly coordinate the responses to PRAPublic Records Act requests and information, audit, archive and legal proceedings.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer is responsible for the oversight of all department data preservation and compliance requirements and ensures that all applicable standards and guidelines are maintained and reviewed regularly.
- The ISOInformation Security Officer shall assist in the development of data preservation, planning, and production of entity data assets.
- The ISOInformation Security Officer shall assist the RMC, RMACs, Owners of Information Assets, and Information Asset Custodians with ensuring that data preservation, storage, integrity, and delivery meet the SAMState Administrative Manual 5310, 5310.5, 5310.6 and SAMState Administrative Manual 5305 requirements for security and privacy.
Department Owners of Information Assets and Program Management
- Owners of Information Assets and program management supporting the department mission, state essential functions, or critical infrastructure shall participate in records retention processes, and ensure data is classified, labeled, and managed according to defined standards.
- Owners of Information Assets supporting the department mission, state essential functions, or critical infrastructure shall ensure that records management is incorporated into standard business operation practices.
- Owners of Information Assets shall ensure that all pertinent data that is required for the eDiscovery process is preserved and maintained according to the department’s defined standards.
Department Information Asset Custodians
- Information Asset Custodians shall only assist with authorized data collection and preservation requests.
- Information Asset Custodians shall ensure that the integrity of the data collection and preservation process is maintained and the request is fulfilled.
- Information Asset Custodians shall ensure the requested data is secure and available to the legal team as needed.
Department Legal Counsel
- Legal Counsel shall provide the department eDiscovery designee a written notice to suspend routine or intentional purging of relevant data including overwriting, reusing, deleting, or any other destruction of electronic relevant information.
- Legal Counsel shall notify appropriate parties when the obligation to retain the preserved data ends.
Department Records Management Coordinator (RMC) and Records Management Assistant Coordinator
- The RMC, pursuant to Gov. Code 12274, shall assist the RMACs, Owners, and Custodians of Information Assets in establishing appropriate data retention periods.
- The RMC shall assist in training identified RMACs and entity staff in records retention.
- The RMACs shall ensure that required data retention periods are maintained and data beyond the lifecycle of established policy is properly disposed.

49190.7 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49190.8 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49190.9 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49190.10 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49190.11 Authority

This policy complies with State of California Government Code Section 11549.3.

49190.12 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SIMM, Section 5305-A, Data Retention and Destruction
SAMState Administrative Manual, Section 5010, Maintenance Records
SAMState Administrative Manual, Section 1600, Records Management
SAMState Administrative Manual, Section 5310.6, Data Retention and Destruction
Federal Information Processing Standard, FIPS 199
NIST SP 800-53, Access Control, AC-3, AC-4
NIST SP 800-53, Audit and Accountability, AU-2, AU-3, AU-13
NIST SP 800-53, Configuration Management, CM-8
NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
NIST SP 800-53, Physical and Environmental Protection, PE-5, PE-19, PE-20
NIST SP 800-53, Planning, PL-4
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
NIST SP 800-53, System and Communications Protection, SC-4, SC-8, SC-13, SC‑17, SC-28
DOMDepartment Operations Manual Chapter 1, Article 16, Sections 13040.7, 13040.7.1, 13040.7.2
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 36, Section 47090.10
DOMDepartment Operations Manual Chapter 4, Article 38, Sections 47110.7, 47110.16
DOMDepartment Operations Manual Chapter 4, Article 45, Section 49020.10.6
California Government Code Section 6250
California Government Code Section 11549.3

Revision History

Effective: November 2, 2022.

Article 63 – Identification and Authentication Policy

Effective November 3, 2022

49200.1 Introduction and Overview

Information assets owned by California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, are intended to be accessed by authorized entities and used exclusively for department business purposes. Consequently, it is imperative that all entities requesting access to department information assets are uniquely identified prior to being granted access.

49200.2 Objectives

The objective for this policy is to establish department requirements to control access to information assets by uniquely identifying the entities requesting access before access is granted.

49200.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned and operated by the department, information assets managed by third parties on behalf of the department, and all information assets that process or store department information in support of department services and mission.
This policy applies to all department personnel and processes acting on behalf of the department.
This policy governs physical and logical access. Logical access includes local access and network, including remote access.

49200.4 Policy Directives

The department shall ensure that a department identity and access management (IAM) strategy is developed, clearly defined, documented, and implemented.
The department IAM strategy shall include the following:
- Requirements to meet all State and Federal requirements.
- The unique identification of all authorized personnel or processes acting on behalf of the department that access department information assets prior to being granted access.
- The use of appropriate credentials for the identification of non-State personnel.
- Implement methods that enable non-repudiation of access requests to information assets containing sensitive and confidential data, and protect related audit logs for a period of no less than 6 months.
- Implementation of a suitable IAM infrastructure supporting department requirements.
- Implementation of safeguards to protect the confidentiality, integrity, and availability of the supporting IAM infrastructure.
- Definition and implementation of authentication mechanisms based on the type and method of access and the inherent risks associated with each access use case.
- Control and management of access by administrative and privileged users, including the ability to immediately revoke access when necessary.
- Requirement to implement application level identification and authentication in addition to platform level access to provide additional security, as appropriate by Owners of Information Assets.
- Definition, documentation, and implementation of audit and security activity and event logging requirements for privileged use.
- Identification, development, and implementation of supporting identity and access management processes and procedures.

49200.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Owners of Information Assets and Program Management
- Owners of Information Assets shall ensure that this policy is implemented and shall review the policy’s implementation annually.
- Owners of Information Assets in collaboration with Information Asset Custodians shall ensure that identification and authentication technologies and process controls commensurate with the sensitivity or criticality of the asset are implemented for assets under their purview.
Department Information Asset Custodians
- Information Asset Custodians shall assist Owners of Information Assets in selecting and implementing identification and authentication technologies and process controls commensurate with the sensitivity or criticality of the asset.
- Information Asset Custodians shall maintain the identification and authentication infrastructure and supporting processes and procedures.
- Information Asset Custodians shall maintain identification and authentication records as defined by Owners of Information Assets for a minimum of twelve (12) months, or as defined by the department’s Information Security Officer (ISOInformation Security Officer).
Department Users
- Users shall report any incidents of possible misuse or violation of this policy to the department ISOInformation Security Officer, designee, appropriate security staff or their immediate supervisor.
- Users shall be aware of and adhere to all department information security and privacy policies.

49200.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49200.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49200.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49200.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49200.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49200.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5340-A, Incident Reporting and Response Instructions
SIMM 5360-A, Telework and Remote Access Security Standard
SAMState Administrative Manual, Section 5335, Information Security Monitoring
SAMState Administrative Manual, Section 5340, Information Security Incident Management
SAMState Administrative Manual, Section 5360, Identity and Access Management
NIST SP 800-53, Identification and Authentication, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA‑7, IA-8, IA-9, IA-10, IA-11, IA-12
NIST SP 800-53, Access Control, AC-1, AC-2, AC-3, AC-4, AC-5, AC-5, AC-7, AC-8, AC‑9, AC-10, AC-11, AC-12, AC-13, AC-14, AC-15, AC-16, AC-17, AC-18, AC-19, AC‑20, AC-21, AC-22, AC-23, AC-24, AC-25
NIST SP 800-53, Audit and Accountability, AU-1, AU-2, AU-10, AU-11, AU-12, AU-13
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, Sections 49020.5, 49020.10
California Government Code Section 11549.3

Revision History

November 2, 2022.

Article 64 – Incident Response Policy

Effective November 3, 2022

49210.1 Introduction and Overview

California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, management shall promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. Incidents could also include unauthorized access of information asset and incidents negatively affecting the operation, confidentiality, integrity, or availability of information assets. All entities are required to report information security incidents in accordance with the State information security notification and reporting requirements.
Effective incident management includes the formulation, adoption, and maintenance of a written incident management plan that provides for the timely assembly of appropriate staff that are capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents. A defined and documented security incident response plan shall enable the department to detect, respond, and recover from security incidents in a timely and organized manner so as to minimize the impacts of the security incident.

49210.2 Objectives

The objective for this policy is to establish the requirements for a department security incident response plan.

49210.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned or operated by the department as well as information assets managed by third parties on behalf of the department.
This policy applies to all department personnel.

49210.4 Policy Directives

The department shall:
- Ensure that a security incident response plan and related procedures, including specific responses to incidents involving Personally Identifiable Information (PII) are defined, documented and implemented.
- Ensure that the security incident response plan and procedures clearly define and document roles and responsibilities to address the full incident life cycle, including:
  - Security incident detection and identification
  - Security incident response management
  - Incident handling team(s), with broad participation from other department stakeholders, under the coordination of a designated incident manager.
  - Preservation of evidence, including tracking and maintaining the evidence pertaining to chains of custody and evidence.
- Ensure that mechanisms and procedures are implemented to enable personnel to report security incidents to the appropriate security staff and the department’s Office of Information Security. Ensure all department personnel are aware of incident reporting mechanisms and procedures.
- Immediately report incidents through the California Compliance and Security Incident Reporting System (Cal-CSIRS) providing the incidents meet the reporting requirements. Cal-CSIRS requires specific details about the incident and shall notify the California Department of Technology Office of Information Security (OIS), as well as the California Highway Patrol (CHPCalifornia Highway Patrol) Computer Crimes Investigation Unit.

49210.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee shall ensure that the department has a formally documented and operational incident response plan to address incidents involving the loss, damage, misuse or unauthorized access of information assets, and breaches of security involving personal information in any form, in the most expedient and effective manner.
- The CIO or Designee shall ensure that the security incident response plan and procedures describe the necessary roles and responsibilities, and activities to enable security incident handlers to effectively prepare for, detect, analyze, contain, eradicate and recover from security incidents.
- The CIO or Designee shall ensure that security incident response management is integrated across the department, and with other State and department contingency and emergency management plans, teams and advisory resources.
- The CIO or Designee shall ensure that all department personnel receive incident response and awareness training and education in accordance with the individual’s functional role within the department.
- The CIO or Designee shall ensure that department incident response capabilities are exercised at least annually to test incident response effectiveness, and that results from tests are documented and reviewed to continuously improve capabilities.
- The CIO or Designee shall ensure that post-mortem / lessons-learned sessions following security incident response activities and tests are completed in order to continually improve incident response capabilities.
- The CIO or Designee shall ensure that all security incidents and department responses are monitored and documented, and all related activities and decisions are recorded.
- The CIO or Designee shall ensure that the department incident response plan, procedures and supporting documentation are updated at minimum on an annual basis.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall assist Owners of Information Assets and Information Asset Custodians in the development of department incident response plans.
- The ISOInformation Security Officer shall participate in incident response and management activities.
Department Owners of Information Assets and Program Management.
- Owners of Information Assets shall participate and provide assistance with and decisions related to responding to incidents involving information assets under their purview, as required, and as requested by incident managers, the Chief Information Officer (CIO) or Designee and the department ISOInformation Security Officer.
Department Information Asset Custodians
- Information Asset Custodians shall participate and provide assistance with incident response activities as directed and guided by incident managers, ISOs, and Owners of Information Assets, as appropriate.
- Information Asset Custodians shall maintain records related to and supporting individual incident responses.
Department Users
- Users shall be aware of and adhere to all department information security and privacy policies.
- Users shall report any incidents of possible misuse or violation of this policy to the department ISOInformation Security Officer, designee, or appropriate security staff or their immediate supervisor.

49210.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49210.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49210.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49210.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49210.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49210.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5340-A, Incident Reporting and Response Instructions
SIMM 5340-B, Information Security Incident Report (Cal-CSIRS)
SIMM 5340-C, Requirements to Respond to Incidents Involving a Breach of Personal Information
SAMState Administrative Manual, Section 5340, Information Security Incident Management
SAMState Administrative Manual, Section 5340.1, Incident Response Training
SAMState Administrative Manual, Section 5340.2, Incident Response Testing
SAMState Administrative Manual, Section 5340.3, Incident Handling
SAMState Administrative Manual, Section 5340.4, Incident Reporting
NIST SP 800-53, Contingency Planning, CP-2, CP-9, CP-10, CP-13
NIST SP 800-53, Incident Response, IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR‑9, IR-10
NIST SP 800-53, Program Management, PM-9
NIST SP 800-53, Risk Assessment, RA-2, RA-3
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, 49020.12, 49020.12.1, 49020.12.2
California Government Code Section 11549.3

Revision History

Effective: November 2, 2022.

Article 65 – Security and Privacy Awareness Training Policy

Effective November 3, 2022

49220.1 Introduction and Overview

A well-trained workforce, aware of information privacy and security risk, plays a crucial role in protecting organizations against a variety of information security threats. Consequently, a formal privacy and security awareness training program is a key component of California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA))’s, hereinafter referred to as department, information security program.

49220.2 Objectives

Objectives for this policy are to establish the requirement of a formal and effective department privacy and security awareness and training program for all department personnel.

49220.3 Scope and Applicability

The scope of this policy applies to all department personnel and governs all forms of access to department information assets.

49220.4 Policy Directives

The department shall:
- Establish a formal department privacy and security awareness training program, with clearly defined roles and responsibilities, designed to be delivered to all personnel with access to department information assets.
- Provide privacy and security awareness training to all personnel upon commencement of their employment with the department, and on an annual basis thereafter.
- Ensure role-based privacy and security awareness training content is delivered commensurate with personnel roles and responsibilities.
- Ensure effectiveness of the security awareness program through a process of tracking and reporting metrics.
- Maintain individual records of all security and privacy training undertaken annually by department personnel for a period of three (3) years or as defined in the records retention schedule.

49220.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall ensure the development implementation, and compliance of the department’s security awareness training program.
Department Privacy Officer
- The Privacy Officer shall ensure the development, implementation, and compliance of the department’s privacy awareness training program.
Department Users
- Users shall participate in all required privacy and security awareness training annually.
- Users shall be aware of and adhere to all department information security and privacy policies.

49220.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49220.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49220.8 Reporting

The department Information Security Officer (ISOInformation Security Officer), Chief Privacy Officer or Coordinator and Training Coordinator shall provide department program management with regular reports on personnel participation in, and the effectiveness of privacy and security and awareness training.
Violations of this policy shall be reported to the department ISOInformation Security Officer.

49220.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49220.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49220.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SAMState Administrative Manual, Section 5305.3, Information Security Roles and Responsibilities
SAMState Administrative Manual, Section 5320, Training and Awareness for Security and Privacy
SAMState Administrative Manual, Section 5320.1, Security and Privacy Awareness
SAMState Administrative Manual, Section 5320.2, Security and Privacy Training
SAMState Administrative Manual, Section 5320.3, Security and Privacy Training Records
SAMState Administrative Manual, Section 5320.4, Personnel Security
NIST SP 800-53, Planning, PL-4
NIST SP 800-53, Awareness and Training, AT-1, AT-2, AT-3, AT-04
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 41, Section 48010.5
DOMDepartment Operations Manual Chapter 4, Article 45, Sections 49020.4, 49020.7.2, 49020.7.3, 49020.7.3.1
California Government Code Section 11549.3

Revision History

Effective: November 2, 2022.

Article 66 – Software Management and Licensing Policy

Effective November 3, 2022

49230.1 Introduction and Overview

State entities are required to establish and maintain an inventory of all information assets, including information systems, information system components, software, and information repositories (both electronic and paper). The inventory shall contain a listing of all programs and information systems identified as processing, storing, or transmitting California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, information.
The department uses computer software applications that are owned by the State, as well as commercial software and open-source software (OSS) licensed for use from vendors.
This policy identifies department requirements for the management of department software assets.

49230.2 Objectives

The objective of this policy is to establish formalized control and management of all types of software including the development of requisite tools, processes procedures and standards.

49230.3 Scope and Applicability

The scope of this policy extends to all State and Agency software assets owned or licensed by the department.
This policy applies to the department Information Security Officer, Program Management, Owners of Information Assets, and Information Asset Custodians.

49230.4 Policy Directives

The department shall:
- Maintain a detailed inventory of all approved department state-owned, commercial and open-source software, including licensing requirement(s), currency, and the cost of the software.
- Control and manage all instances and usage of approved department software installed on department information assets in order to comply with all applicable legal, copyright, and licensing requirements.
- Establish a continuous monitoring process to identify, detect, and remove all unapproved department software installed or operating on department information assets.
- Develop, implement, and maintain a software management plan.
- Identify and track any department software that is at end-of-support /end-of-life, and shall ensure that maintenance agreements and processes are in place where appropriate to ensure software can remain operational to meet business requirements.
- Establish and maintain controls to prevent unauthorized personnel from installing software applications on state information assets.

49230.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall assist and provide advice in the evaluation and selection of department software.
- The ISOInformation Security Officer shall assist and provide advice in the identification of security requirements that software shall comply with.
Department Owners of Information Assets and Program Management
- Owners of Information Assets shall ensure that this policy is implemented and shall review the policy’s implementation annually.
- Owners of Information Assets shall ensure that software assets under their purview are controlled and managed
Department Information Asset Custodians
- Information Asset Custodians shall implement software management, licensing, and usage controls as approved by Owners of Information Assets.
- Information Asset Custodians shall maintain all department software licenses associated with commercial products on behalf of Owners of Information Assets.

49230.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49230.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49230.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49230.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49230.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49230.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5305-A, Information Security Program Management Standard
SIMM 120, Software Management Plan Guidelines
SAMState Administrative Manual, Section 5305.5, Information Asset Management
SAMState Administrative Manual, Section 5315.7, Software Usage Restrictions
SAMState Administrative Manual, Section 4846.1, Software Management Plan
SAMState Administrative Manual, Section 4846.2, Software Management Policy Reporting Requirements
NIST SP 800-53, Configuration Management, CM-8, CM-10, CM-11
NIST SP 800-53, System and Information Integrity, SI-7
DOMDepartment Operations Manual Chapter 3, Article 22
DOMDepartment Operations Manual Chapter 4, Article 45, Section 46030.4
California Government Code Section 11549.3

Revision History

Effective: November 2, 2022.

Article 67 – Information Security Program Management Policy

Effective March 18, 2024

49240.1 Introduction and Overview

The continued evolution of information security threats presents increasing risks to the security and privacy of California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, information assets. The risks have the potential to not only disrupt the department’s business functions, but can also jeopardize the department’s essential missions, its image and reputation.
The department’s information security program management strategy and approach shall be described in the Information Security Program Management Plan (ISPM Plan).

49240.2 Objectives

Objectives for this policy are to identify the requirements for the department’s ISPM Plan, which shall document the department’s strategy and approach for managing security and privacy risks to the state’s mission, functions, assets, image, and reputation. The department’s ISPM Plan shall also define how the confidentiality, integrity, and availability of the department’s information assets shall be protected.

49240.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by the department and governs all access to and use of department information assets.
This policy applies to the department Chief Information Officer (CIO) or designee, executive management, program management, owners and custodians of information assets, Information Security Officer (ISOInformation Security Officer) and Privacy Officer or Program Coordinator.

49240.4 Policy Directives

The department shall:
- Define and document the department’s strategy and prioritization approach to addressing information security, privacy and risk management.
- Ensure that an approved department ISPM Plan, describing both in place and planned security program management, is defined, documented, implemented and maintained.
- Define and document requirements for the management of the department’s information security program, and for complying with applicable information security laws and regulations.
- Ensure that statewide information security program management coordinates the activities and ensures the participation of a broad spectrum of stakeholders.
- Assign and document information security roles, responsibilities, and management commitment.
- Ensure that a plan of action and milestones (POAM) process to address program deficiencies and security risks, and to track the progress of risk treatment actions is developed and maintained.
- Ensure that methods for integrating information security resource requirements into the department’s capital planning and funding request process are formally defined and documented.
- Ensure that information security incidents are reported to the proper authorities, as required.
- Ensure that the department ISPM Plan and policy are reviewed annually and updated as needed.

49240.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or designee
- The CIO or designee owns this policy and shall ensure that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or designee shall ensure that this policy is reviewed annually and updated accordingly.
- The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.
- The CIO or designee is responsible for the oversight of security for the information technology architecture, the information technology portfolio, and the delivery of information technology services.
Department Executive Management
- Executive Management shall define the strategy and plan for managing the department’s information security program and for ensuring that the strategy and plan are documented.
- Executive Management shall establish governance and supporting processes related to the management and allocation of personnel and resources to fully implement and maintain the department’s information security program.
- Executive Management shall achieve and maintain compliance with security and privacy laws and regulations.
- Executive Management shall ensure that department information security risk management practices and supporting processes are implemented to effectively manage risk.
Department Owners of Information Assets and Program Management
- Owners of Information Assets shall ensure that confidentiality, integrity and availability requirements for information assets under their purview are defined and documented.
- Owners of Information Assets in collaboration with Information Asset Custodians shall ensure security controls are commensurate with the sensitivity or criticality implemented for assets under their purview.
- Owners of Information Assets in collaboration with Information Asset Custodians shall ensure that risks to information assets under their purview are identified, managed, monitored, and reported to the department ISOInformation Security Officer or executive management.
Department Information Asset Custodians
- Information Asset Custodians shall assist in the development, implementation and maintenance of the ISPM Plan.
- Information Asset Custodians shall implement, maintain and monitor technology and process controls based upon the sensitivity or criticality of the assets as defined by Owners of Information Assets.
- Information Asset Custodians shall maintain all records defined by Owners of Information Assets in the manner prescribed by departmental policies.

49240.6 Compliance

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49240.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49240.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49240.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49240.10 Authority

This policy complies with State of California Government Code Section 11549.3.

49240.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5305-A, Information Security Management Standard.
SIMM 5305-B, Plan of Action and Milestones Instructions.
SIMM 5305-C, Plan of Action and Milestones Worksheet.
SAMState Administrative Manual, Section 5305, Information Security Program.
SAMState Administrative Manual, Section 5305.1, Information Security Program Management.
SAMState Administrative Manual, Section 5305.3, Information Security Roles and Responsibilities.
SAMState Administrative Manual, Section 5305.4, Personnel Management.
SAMState Administrative Manual, Section 5305.5, Information Asset Management.
SAMState Administrative Manual, Section 5305.6, Risk Management.
SAMState Administrative Manual, Section 5305.7, Risk Assessment.
SAMState Administrative Manual, Section 5305.8, Provisions for Agreements with State and Non-State Entities.
SAMState Administrative Manual, Section 5305.9, Information Security Program Metric.
SAMState Administrative Manual, Section 5310, Privacy.
NIST SP 800-53, Program Management, PM-1, PM-2, PM-3, PM-4, PM-5, PM-6.
NIST SP 800-53, Planning, PL-1, PL-2, PL-4, PL-7, PL-8, PL-9.
DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.8.
DOMDepartment Operations Manual Chapter 4, Article 41, Section 48010.9.
DOMDepartment Operations Manual Chapter 4, Article 45, Section 49020.2, 49020.4, 49020.5, 49020.7.1.
California Government Code Section 11549.3.

Revision History

Effective: March 18, 2024.

Article 68 – Technology Recovery Planning Policy

Effective March 18, 2024

49250.1 Introduction and Overview

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, are dependent on underlying information technology and telecommunications infrastructures, resources and services. Unavailability of these underlying elements due to various conditions can render a business function or service non-operational, and thereby directly impact the delivery of mission critical services.

49250.2 Objective

Objectives for this policy are to establish department requirements for the systematic approach to the availability of technology infrastructure resources and to identify and formally plan for and maintain related services. The Technology Recovery Plan’s (TRP) goal is to support the State and organization’s business services and critical infrastructure at the expected level of availability as determined by the department’s senior management.

49250.3 Scope and Applicability

The scope of this policy extends to all State and department information assets, including critical infrastructure, as well as information assets, owned or operated by third parties (if applicable) on behalf of the department.
This policy applies to the department’s Chief Information Officer (CIO) or designee, program management, owners of critical infrastructure, information assets, Department Information Security Officers, Technical Recovery Program Coordinators, and Information Asset Custodians.

49250.4 Policy Directives

The department shall:
- Ensure recovery capabilities and requirements are considered during the earlier stages of solution planning and the recovery strategies and plans are developed and implemented for all information technology systems supporting the organization’s business services.
- Ensure that Business Impact Analyses (BIAs) identify mission and state critical processes, and regularly review critical infrastructure and associated contingency requirements (e.g., systems supporting essential state, organizational missions, and business functions). BIAs shall include acceptable periods of non-availability of the system, restoration time requirements and acceptable data loss. The department’s business divisions are responsible for conducting and updating BIAs. The Owners of Information Assets and Information Asset Custodians shall be closely engaged throughout the BIA process. BIAs shall be reviewed and updated according to the organization’s defined standard, or sooner if there is a major change in the department’s business process or technical environment.
Ensure that state critical ITInformation Technology systems supporting department mission critical business functions, essential state functions, and critical infrastructure (if applicable) are identified and included in the TRP.
Ensure that the department’s technology recovery program incorporates change management and quality assurance processes.
Ensure that the TRP is developed, documented, regularly tested, maintained, and continually improved in order to resume the department and State’s essential mission and business functions under adverse or disruptive conditions. Ensure the TRP is reviewed annually and updated as needed.
Ensure that a department recovery strategy is defined, documented and implemented. The strategy shall describe how recovery will be accomplished based on levels of incident impact. The recovery strategy shall consider department relevant technology and security risks in determining the most appropriate recovery option.
Ensure that alternate technology backup and recovery sites are provisioned as required to support essential mission and business functions.
Ensure that TRPs contain detailed resource requirements for each ITInformation Technology system to support recovery efforts, including information assets and personnel.
Ensure that roles and responsibilities for members of department technology recovery teams are defined and documented, and that they are suitably trained according to their roles. This includes, but is not limited to, maintaining the security of technology recovery assets.
Ensure that TRPs integrate appropriate communication strategies and information to collaborate with other teams and plans, including disaster incident management, security incident response teams and plans, procedures for notification, reporting in California Compliance and Security Incident Reporting System (Cal-CSIRS), and collaboration and communication with internal teams and external entities as needed. TRPs and other plans shall include roles and responsibilities, decision-making protocols, staff assignment, and guidance on activities to be performed during disaster response and recovery phases.
Ensure that TRPs are coordinated with other state entities’ contingency, emergency management plans, incident management plans, and teams as appropriate.
Ensure that components of the TRP are exercised annually and the staff are trained for their roles during the recovery and response phases. Lessons learned shall be documented and addressed as part of the annual update and maintenance plan.
Ensure the department’s gaps between current and required capabilities for system recovery are identified, reported to the organization’s management, as well as the state Office of Information Security (OIS) along with the plans to remediate the gaps as identified in the Plan of Action and Milestones (POAM).
Ensure that department TRPs are submitted to the state Office of Information Security, in accordance with the Information Security Compliance Reporting submission schedule.

49250.5 Roles and Responsibilities

The California Department of Technology (CDT) Office of Information Security (OIS)
- The CDT OIS is responsible for the oversight of all TRP compliance submissions statewide.
Department Chief Information Officer (CIO) or designee
- The CIO or designee shall ensure that all users of the department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or designee shall ensure that this policy is reviewed annually and updated accordingly.
- The CIO or designee shall audit and assess compliance with this policy at least once every two (2) years, and timely remediate gaps identified from training and audit exercises.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall ensure oversight of all department TRPs and associated risks, and ensure the department abides by all applicable standards and guidelines.
- The ISOInformation Security Officer shall assist with the development of business impact analyses and technology recovery plans.
- The ISOInformation Security Officer shall assist Owners of Information Assets with ensuring that TRPs meet requirements for security and privacy.
Department Owners Information Assets and Program Management
- Owners of Information Assets and program management supporting the delivery of the department mission, state essential functions, or critical infrastructure shall participate in BIA processes, and ensure that BIAs are conducted according to the organization-defined standard, documented, and maintained.
- Owners of Information Assets supporting the department mission, state essential functions, or critical infrastructure shall ensure that BIAs are incorporated in department business continuity and other emergency management programs, as appropriate.
- Owners of Information Assets shall ensure that BIAs include:
  - The categorization and classification of the information asset;
  - Threat and vulnerability assessments; and
  - Identification of measures to mitigate the risk of prolonged service outages, and unacceptable levels of data loss.
- Owners of Information Assets shall ensure that arrangements for alternate processing and media storage sites are documented, provisioned, and maintained, and that agreements for alternate processing and media storage sites contain priority-of-service provisions in accordance with department requirements.
- Owners of Information Assets shall ensure that security safeguards for alternate processing and data storage sites are equivalent to department primary sites.
- Owners of Information Assets shall participate in TRP exercises and ensure that technology backup and recovery plans and technologies for information assets within their purview are exercised annually to determine capabilities and are also continually evaluated to improve response and recovery effectiveness.
Department Information Asset Custodians
- Information Asset Custodians shall assist Owners of Information Assets in developing, documenting, implementing, exercising, and enhancing TRPs and BIAs to meet business objectives for recovery times and data loss and to support the department’s essential mission and business functions.
- Information Asset Custodians shall develop, document, implement, and maintain technology and telecommunication services backup, contingency and recovery tools, incident response, technologies, processes, and procedures as defined by Owners of Information Assets to support and continually improve technology recovery activities and capabilities.
- Information Asset Custodians in collaboration with the Owners of Information Assets shall assist in the exercising of TRPs.
- Information Asset Custodians in collaboration with Owners of Information Assets shall maintain records of exercises (including proof of attendance for required participants), supporting operational documentation, and enhancements to the TRP.
The Department Technology Recovery Coordinator (TRC) or Manager
- TRC participates in the BIA and coordinates activities with the technical teams to identify and prioritize ITInformation Technology systems supporting the department’s business processes.
- TRC coordinates with the business and technical teams to ensure that TRPs remain updated, and the plans meet the department’s recovery requirements.
- TRC shall be engaged in the change management and project lifecycle to ensure TRPs remain current, and the changes are reflected in the plans.
- TRC supports recovery activities as needed in the event of a disruption incident.
- TRC ensures TRP exercises are planned, exercised, and documented, and also participates in exercises and training activities of other recovery plans, e.g., emergency response plans, continuity of business plans, etc.

49250.6 Compliance

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49250.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.
The department ISOInformation Security Officer has oversight authority and responsibility for the department’s compliance and capacity for backup and recovery.

49250.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49250.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49250.10 Authority

This policy complies with State of California Government Code section 11549.3.

49250.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SIMM 5325-A, OIS Technology Recovery Plan Instructions.
SIMM 5325-B, OIS Technology Recovery Program Certification.
SIMM 5330-A, Designation Letter.
Cal OES Business Continuity Requirements.
SAMState Administrative Manual, Section 5325, Business Continuity with Technology Recovery.
SAMState Administrative Manual, Section 5325.1, Technology Recovery Plan.
SAMState Administrative Manual, Section 5325.2, Technology Recovery Training.
SAMState Administrative Manual, Section 5325.3, Technology Recovery Testing.
SAMState Administrative Manual, Section 5325.4, Alternate Storage and Processing Site.
SAMState Administrative Manual, Section 5325.5, Telecommunications Services.
SAMState Administrative Manual, Section 5325.6, Information System Backups.
NIST SP 800-53, Contingency Planning, CP-1, CP-2, CP-3, CP-4, CP-6, CP-7, CP-8, CP‑9, CP-10, CP-11, CP-12, CP-13.
NIST SP 800-53, Incident Response, IR-4, IR-8, IR-10.
NIST SP 800-53, Maintenance, MA-2, MA-6.
NIST SP 800-53, Media Protection, MP-2, MP-4, MP-5.
NIST SP 800-53, Security Assessment and Authorization, CACorrectional Administrators-7.
NIST SP 800-53, Appendix G: Information Security Programs, PM-8, PM-9, PM-11.
DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.8.
DOMDepartment Operations Manual Chapter 4, Article 47.
California Government Code Section 11549.3.

Revision History

Effective: March 18, 2024.

Article 69 – System and Services Acquisition Policy

Effective March 18, 2024

49260.1 Introduction and Overview

The California State Administrative Manual (SAMState Administrative Manual), Section 5200 governs the acquisitions of Information Technology (ITInformation Technology) goods or services regardless of dollar amount, or the type of ITInformation Technology goods or services procured. The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, procurement processes are governed by the SAMState Administrative Manual, Section 5200, and consist of three phases: Acquisition Planning, Acquisition, and Post-award Activity.
Department acquisition processes and procedures shall comply with purchasing authority requirements, including laws, regulations, policies, and statutes applicable to the acquisition of ITInformation Technology goods and services.

49260.2 Objectives

Objectives for this policy are to guide department ITInformation Technology goods and services acquisition processes to:
- Comply with all federal and state laws and regulations.
- Incorporate security requirements and security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk and the results of the classification and categorization for the intended information asset.
- Ensure agreements with state and non-state entities include provisions which protect and minimize risk to the State.
- Address the entire systems lifecycle in acquisitions, development and maintenance and operations of ITInformation Technology systems.

49260.3 Scope and Applicability

The scope of this policy extends to all State and entity information assets owned or operated by the department.
This policy applies to department Owners of Information Assets and program management.

49260.4 Policy Directives

The department shall:
- Ensure that department information assets are managed using a documented System Development Life Cycle methodology during acquisitions, development, and systems operations.
- Ensure that prior to acquiring ITInformation Technology goods and services that assessments are performed to ensure that the goods and services meet any applicable security and privacy laws, regulations, policies, standards, procedures, and other requirements.
- Allocate appropriate funding resources to adequately protect information assets throughout their entire life cycle.
- Ensure system documentation describes security controls and methods in sufficient detail to permit correct functioning, analysis, and testing.
- Require system design, development, functional and security testing, implementation, maintenance, and operations processes to follow security engineering principles.
- Ensure that development environments follow rigorous configuration management control.
- Ensure that services provided by third parties include department requirements and expectations for the protection of department information assets.

49260.5 Roles and Responsibilities

The Department Chief Information Officer (CIO) or designee
- The CIO or designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Owners Information Assets and Program Management
- Owners of Information Assets shall abide by department ITInformation Technology acquisition policies and processes.
Department Information Asset Custodians
- Information Asset Custodians in collaboration with Owners of Information Assets shall ensure that protection controls are identified and implemented for information assets under their purview and in all ITInformation Technology acquisitions.

49260.6 Compliance

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.8.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49260.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49260.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49260.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49260.10 Authority

This policy complies with State of California Government Code Section 11549.3

49260.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SIMM, Section 19C, Project Approval Lifecycle Stage 3 – Solution Development.
SIMM, Sections 58C, 58D, 66B, 5305-A, 5310-A and B, 5325-A and B, 5330-A, B, and C, 5340-A, B, and C, and 5360-B.
SAMState Administrative Manual, Section 5230, General Procurement Procedures: Procurement of Goods and Services – Uniform Standards.
SAMState Administrative Manual, Section 5305.5, Information Asset Management.
SAMState Administrative Manual, Section 5305.7, Risk Assessment.
SAMState Administrative Manual, Section 5305.8, Provisions for Agreements With State And Non-State Entities.
SAMState Administrative Manual, Section 5315.1, System and Services Acquisition.
SAMState Administrative Manual, Section 5335.2, Auditable Events.
SAMState Administrative Manual, Section 5315.9, Security Authorization.
SAMState Administrative Manual, Section 4983, Cloud Computing Policy.
SAMState Administrative Manual, Section 4800 – 5399, CDT Procurement: Sections 4819.2, 4981, 4983, and Chapters 5100 and 5300.
NIST SP 800-53, System and Services Acquisition, SA-1, SA-2, SA-3, SA-4, SA-5, SA‑8, SA-9, SA-10, SA-11.
NIST SP 800-53, Configuration Management, CM-3, CM-4, CM-5.
Public Contract Code, Section 12100, Chapter 3. Acquisition of Information Technology Goods and Services [12100 – 12113].
State Contracting Manual (SCM), Volume 3.
ITInformation Technology General Provisions (GSPD 401-ITInformation Technology).
Personal Services Contracts, Article 4. Personal Services Contracts [19130 – 19135].
DGSDepartment of General Services Bulletin #P-20-14.
DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.8.
DOMDepartment Operations Manual Chapter 4, Articles 14, 15, 16, 17, 18, 19, 20, 21.
California Government Code Section 11545, 11546, 11549.3.

Revision History

Effective: March 18, 2024.

Article 70 – Security Variance Policy

Effective March 18, 2024

49270.1 Introduction and Overview

Situations may arise that prevent State entities from effectively implementing or complying with official information security policies, standards, or procedures. There may be rare circumstances where business functions take precedence over these policies, standards, or procedures and compliance is not viable or is technically impossible. Any security variance shall be thoroughly assessed relative to the security of the California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, information assets.
This policy guides the department to make informed decisions regarding whether or not to request a security variance by understanding the associated security risks and the suitability of existing or proposed compensating controls and safeguards to address or mitigate residual security risks.

49270.2 Objectives

Objectives for this policy are to ensure the department:
- Formally considers, identifies and assesses all implications and potential security risks related to a policy before a security variance is requested;
- Prepares and maintains risk assessment documentation to support the security variance request; and,
- Identifies, evaluates and documents alternate or compensatory controls and safeguards to mitigate security risks.

49270.3 Scope and Applicability

The scope of this policy extends to all State and department information security policies and to all State information assets owned or operated by the department.
This policy applies to all department personnel.

49270.4 Policy Directives

The department’s Information Security Officer (ISOInformation Security Officer) shall ensure security variances are documented, reviewed, approved, and implemented. Approval of security variances shall include risk ownership and acceptance.
Prior to submitting a security variance request, the department ISOInformation Security Officer shall facilitate risk assessments to consider relevant implications and potential security risks introduced as a consequence of the security variance.
The risk assessment shall involve, at minimum, the respective department business unit requesting the variance and the department ISOInformation Security Officer.
The assessment shall include the evaluation and recommendation of additional compensating controls and safeguards to mitigate the security risks identified where applicable.
The term of an approved security variance must not exceed twelve (12) months.
All approved security variances shall be documented and tracked in a risk management system.
The department ISOInformation Security Officer shall continuously monitor the risks associated with the security variance throughout the term permitted.
Approved security variances shall be reviewed annually by the department ISOInformation Security Officer, at which time a recommendation shall be made to the Department Chief Information Officer (CIO) or designee to extend or expire the security variance.

49270.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee
- The CIO or designee shall ensure that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
- The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.
Department Executive Management
- Executive Management is responsible for effectively managing risk and achieving compliance with information security and privacy laws and regulations.
Department Information Security Officer (ISOInformation Security Officer)
- The ISOInformation Security Officer shall review all security variance requests and facilitate risk assessments in collaboration with requesting business or program managers, policy owner, owners of effected information assets and executive management. The ISOInformation Security Officer shall record and communicate the results of risk assessments, and any changes to the risk conditions associated with the security variance during the term permitted to the CIO or designee or executive management.
- The ISOInformation Security Officer is responsible for re-evaluating the requirement for the security variance upon expiration of the term, and to make recommendations to the CIO or designee or executive management to either extend or rescind the permitted security variance.
- The ISOInformation Security Officer shall maintain a record of all security variance requests and associated risk assessments and all approved security variances.
Department Owners Information Assets and Program Management
- Owners of Information Assets are responsible for informing the ISOInformation Security Officer immediately if they become aware of a situation that would change the results of the existing risk assessment level.

49270.6 Compliance

Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual (DOMDepartment Operations Manual), Chapter 3, Article 22.
The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.
The consequences of negligence and non-compliance with State laws and policies may include department and personal:
- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49270.7 Auditing

The department has the right to audit any activities related to the use of State information assets.
CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49270.8 Reporting

Violations of this policy shall be reported to the department ISOInformation Security Officer.

49270.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

49270.10 Authority

This policy complies with State of California Government Code section 11549.3.

49270.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.

References

SAMState Administrative Manual, Section 5305.2, Policy, Procedures and Standards Management.
SAMState Administrative Manual, Section 5305.7, Risk Assessment.
SAMState Administrative Manual, Section 5315.9, Security Authorization.
SAMState Administrative Manual, Section 5330, Information Security Compliance.
DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.8.
DOMDepartment Operations Manual Chapter 4, Article 41, Sections 48010.6, 48010.8.1.
DOMDepartment Operations Manual Chapter 4, Article 45, Section 49020.4.
California Government Code Section 11549.3.

Revision History

Established: March 18, 2024.