Article 10 – Project Review and Basic Policy
44010.5 Project Compliance Review

The Department is subject to compliance reviews conducted by OIT (Office of Information Technology), or by specified units within CDC. The purpose of a compliance review is to verify CDC adherence to Department and State information technology policies and procedures.

Types of Compliance Reviews
ITS within CDC are subject to four types of reviews:

Type 1. Policy compliance reviews (SAM (State Administrative Manual) Section 4942).

Type 2. EDP (Electronic Data Processing) audit reviews (see DOM (Department Operations Manual) 49050).

Type 3. Information security, risk management, and operational recovery compliance reviews (SAM Sections 4840 through 4845; DOM 49000).

Type 4. Facility peer reviews.

Policy Compliance Review

Type 1 – Policy compliance reviews are conducted by OIT (Office of Information Technology). Responses to this type of review shall be coordinated by the central clearinghouse function of ISD (Information Services Division).

EDP Audit Reviews

Type 2 – EDP (Electronic Data Processing) audit reviews are part of an audit required by SAM (State Administrative Manual), and are usually conducted by the Internal Audits Unit of PFAB (Program and Fiscal Audits Branch). Alternatively, Type 2 reviews may be carried out by the Audits Group of DOF (Department of Finance), but responsibility for the audit reviews remains with PFAB. The owner of an information system is responsible for providing responses to audit findings regarding that system.

Security, Risk, and Operational Compliance Reviews

Type 3 – Information security, risk management, and operational recovery compliance reviews are ongoing and are conducted by the Information Security Unit within PFAB (Program and Fiscal Audits Branch). These reviews are usually not oriented to a specific system or project, and are limited in scope to the policies contained in SAM (State Administrative Manual) Sections 4840 through 4845 and DOM (Department Operations Manual) Subchapter 49000.

Facility Peer Reviews

Type 4 – Facility peer reviews are reviews of business services operations conducted by the Department on a rotational basis at each of CDC’s facilities. The EDP (Electronic Data Processing) portion of the peer review includes a functional review of Offender Based Information Services, the DDPS (Distributed Data Processing System), and personal computer security practices and system utilization.

The review teams are composed of business services and administrative staff from headquarters and the facilities.
Non-Delegated Projects

OIT (Office of Information Technology) reviews project reporting documentation in conjunction with its compliance review and oversight responsibilities.

Delegated Projects

For delegated projects, the MIS (Management Information Systems) Committee shall determine when a compliance review is to be conducted, the scope of the review, and who shall perform the review.