Chapter 4 – Information Technology

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), in collaboration with the California Correctional Health Care Services (CCHCS) and the California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)) has developed this policy to provide standards and establish requirements for all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel when using  social media.

Only authorized CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall represent the Department on social media. Social media is a tool that may be used to convey information and facilitate communication to support the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)’s mission.

This policy provides the parameters that all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel must follow in order to access or use social media.

• The only authorized use of social media falls within two fundamental categories.

  • Obtaining information, consuming content, or performing research for tasks or assignments.
    

  • Creating or managing content relevant to the Department’s mission.
    

The scope of this policy extends to all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel as well as all information assets owned or operated by CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA). Scope also extends to CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel who use social media outside of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) network on non-CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) managed or owned devices where it may be perceived that such activities are on behalf of the Department.

The following are the policy requirements for the management and use of social media.

• CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Authorized Content Managers

  • Content managers authorized to represent the Department on social media are limited to the following:

    • The Office of Public and Employee Communications (OPECOffice of Public and Employee Communications) for CDCRCalifornia Department of Corrections and Rehabilitation and CCHCS

    • CALPIACalifornia Prison Industry Authority (formerly PIA) designee(s)

  • Authorized content managers shall ensure that an auditable record of all postings and modifications to social media content are retained subject to Department data retention policies.

  • Accessing social media, including but not limited to, viewing and managing content through the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) network requires approval through the established Workgroup Computing Policy. This policy and related forms can be found in Department Operations Manual (DOMDepartment Operations Manual) Chapter 4, Article 41.

• CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Acceptable Use

  • Access to social media available through the Department network is provided for official business.

  • Posting of any content on behalf of the Department must be approved by the OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee.

• CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Unacceptable Use

  • As with other forms of communications, employees’ use of social media should comply with CDCRCalifornia Department of Corrections and Rehabilitation’s Code of Conduct as found in DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.3. Using social media in an unacceptable manner through CDCRCalifornia Department of Corrections and Rehabilitation assets may result in the loss of access to social media through the CDCRCalifornia Department of Corrections and Rehabilitation network, disciplinary action, or both.  Unacceptable use of social media includes, but is not limited to, the following:

    • CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not post social media content on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), unless specifically authorized by the OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee.

    • CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not create social media accounts that mislead the public that content posted is on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA), including the use of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) images or logos.

    • CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not use State-issued assets to post material that could discredit the reputation of the Department or its agents.

    • CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not post or release personnel, contractor, offender, victim or their family’s private, confidential, sensitive or other protected information under state or federal law, including, but not limited to, CDCRCalifornia Department of Corrections and Rehabilitation intellectual property on social media unless explicitly authorized by OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee, whether or not the post of such information is from State-issued equipment or device or an individual’s personal equipment or personal device.

    • CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel shall not utilize tools or techniques to spoof, masquerade, or assume another current or former CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) identity including business units and individual personnel except for legitimate law enforcement purposes.

    • Use of social media shall not be conducted in a manner that undermines the privacy, safety and security of personnel, contractors, offenders, victims, or families thereof.

Agency Chief Information Officer (CIO), OPECOffice of Public and Employee Communications and CALPIACalifornia Prison Industry Authority (formerly PIA) designee:

• Is responsible for ensuring that all users of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information assets are aware of this policy and acknowledge their individual responsibilities.

• Is responsible for ensuring that this policy will be reviewed annually in order to make recommendations for policy changes or the introduction of new policy to the Information Security Officer (ISOInformation Security Officer) for the bi-annual review and update cycle.

• Shall ensure that authorized users with access to social media are trained regarding their roles and responsibilities.

OPECOffice of Public and Employee Communications and CALPIACalifornia Prison Industry Authority (formerly PIA) designee:

• Are responsible for identifying the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) authorized users of social media.

• Are responsible for reviewing and approving all CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) social media content posted or shared on behalf of the Department or its representatives.

The Information Security Officer (ISOInformation Security Officer):

• Is responsible for the periodic auditing and assessment of compliance with this policy.

• Is responsible for the review and update of this policy every two years.

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Managers and Supervisors:

• Are responsible for obtaining approval from OPECOffice of Public and Employee Communications, CALPIACalifornia Prison Industry Authority (formerly PIA) or designee, for any content posted or shared to official CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) social media.

• Are responsible for ensuring that personnel comply with this policy.

All CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Personnel Speaking On Behalf Of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA):

• Shall provide content developed for social media to OPECOffice of Public and Employee Communications designated reviewers for approval and publication.

• Shall connect to, and exchange information with, only authorized social media web sites in accordance with the requirements of this policy and other CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) and State information security policies.

• Are required to abide by this policy and applicable CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) information security and privacy policies.

• Who are authorized to speak on behalf of CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA)  or the State shall identify themselves by: a) Full Name; b) Title; c) Department; and d) Department Contact Information, when posting or exchanging information on social media forums, and shall address issues only within the scope of their specific authorization.

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Information Technology Administrators shall:

• Limit Internet access to social media websites according to the Department’s acceptable use policy, while allowing authorized users to access content necessary to conduct CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) business. Limitations may include, but are not limited to:

  • Only allowing social media access to users who are specifically authorized (see CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Authorized Users) through the use of the CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) Workgroup Computing Policy regarding internet access.

  • Disabling unnecessary functionality within social media web sites, such as Instant Messaging (IMInstructional Memorandum) or file exchange.

  • Minimize or eliminate the addition of web links within posts to other web sites, to minimize the risk of exposing a user to a link that leads to inappropriate, unauthorized, or potentially malicious content.

• Enable security controls to mitigate risk to the extent possible. These controls may include, but are not limited to:

  • Monitoring and auditing of all social media web site content posted, viewed or both.

  • Inspecting all files transmitted to or from social media web sites.

  • Securing social media platform and website account credentials (user names and passwords) from unauthorized access.

  • Utilize Multi-Factor Authentication (MFA) as required where supported by the social media account.

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22, Section 33030.15.5.

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology, Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) personnel should understand that the consequences of  negligence and non-compliance with State laws and policies may include Department and personal:

• Loss of delegated authorities.

• Negative audit findings.

• Monetary penalties.

• Legal actions.

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to inspect any activities related to the use of social media on State information assets.

CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) has the right to inspect any publicly available information posted or shared on social media and other forums at its sole discretion.

This policy complies with the State of California Government Code Section 11549.3.

The CDCRCalifornia Department of Corrections and Rehabilitation / CCHCS / CALPIACalifornia Prison Industry Authority (formerly PIA) uses the information security and privacy definitions issued by the California Department of Technology OIS in implementing information security and privacy policy. Terms and definitions are defined here and are on the California Department of Technology website at https://cdt.ca.gov/security/technical-definitions/.

• Instant Messaging (IMInstructional Memorandum): An application that allows real-time electronic messaging or chatting.

• Internet: A global computer network providing a variety of information and communication facilities.

• NIST: National Institute of Standards and Technology – https://www.nist.gov/

• Personally Identifiable Information (PII): Information that can be used by itself or used in combination with other personal identifiable information to distinguish or trace an individual’s identity.

• Social Media Platform: Interactive computer-mediated technologies that facilitate the creation and sharing of information, ideas, career interests and other forms of expression via virtual communities and networks.

• Social Media: Sites that enable the connection with others to form an online community. IMInstructional Memorandum, file sharing and Web logs (blogs) are common features of Social Media. These sites may contain offensive material in the community-created content. This category may be used in conjunction with another category for more narrowly-focused social media, such as professional networking sites or social networking sections of personals or dating sites.

The Agency CIO, OPECOffice of Public and Employee Communications or CALPIACalifornia Prison Industry Authority (formerly PIA) designee shall ensure that the contents of this article are current and accurate. 

DOMDepartment Operations Manual Chapter 4, Articles 38, 41, 45

DOMDepartment Operations Manual Chapter 3, Article 22

California Government Code Section 11549.3

SAMState Administrative Manual, Section 4989.3, Agency/State Entity Roles and Responsibilities

SAMState Administrative Manual, Section 5305.3, Information Security Roles and Responsibilities

SAMState Administrative Manual, Section 5310.7, Security Safeguards

SAMState Administrative Manual, Section 5320.4, Personnel Security

SAMState Administrative Manual, Section 5360, Identity and Access Management

SIMM Section 66-B, Social Media Standard

Effective April 21, 2021