Article 44 – General Information
49010.1 Policy
It is the policy of the Department to protect against the unauthorized modification, deletion, or disclosure of information included in the Department’s automated files and data bases. Such disclosure might compromise the integrity of Department programs or violate individual rights to privacy, and may constitute a criminal act. The Department regards its information assets, including data processing capabilities and automated files, to be essential public resources. Many aspects of the Department’s operations would effectively cease in the absence of critical computer systems, including automated systems necessary for the protection and safety of persons in the custody of the Department. Accordingly, the Department shall assume full responsibility for the proper classification, use, and protection of its automated information. Further, each element of the Department that employs information technology shall establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets.
49010.2 Purpose
The purpose of this policy is to establish and maintain a standard of due care to prevent misuse or loss of Department information assets. This policy establishes internal policies and procedures that:
- Establish and maintain management and staff accountability for the protection of departmental information assets.
- Establish and maintain processes for the analysis of risks associated with departmental information assets.
- Establish and maintain cost-effective risk management processes intended to preserve the Department’s ability to meet program objectives in the event of the unavailability, loss, or misuse of information assets.
- Protect departmental employees who are authorized to access the Department’s information assets from temptation, coercion, and threat.

49010.3 Information Assets Applicability Within the Department
Information assets covered by this section include: (1) all categories of automated information including, but not limited to, records, files and data bases; and (2) information technology facilities, software, and equipment (including personal computer systems) owned or leased by CDC.
49010.4 Statutory References Concerning the Confidentiality and Security of Information Within CDC
Government Code (GC) 1171 requires the director of each department that uses, receives, or provides data processing services to designate an Information Security Officer (ISO) who shall be responsible for implementing State policies and standards regarding the confidentiality and security of information within the Department. These policies and standards shall include, but are not limited to, strict controls to prevent unauthorized access to: data maintained in computer files, program documentation, data processing systems, data files, and data processing equipment located physically in the Department.

The primary provisions affecting the classification and dissemination of information under the control of California State agencies are found in the State Constitution, in statutes, and in administrative policies:

- Article 1, Section 1, of the Constitution of the State of California defines pursuing and obtaining privacy as an inalienable right.
- The Information Practices Act of 1977 (IPA) (Civil Code 1798, et seq.) places specific requirements on State agencies in the collection, use, maintenance, and dissemination of information relating to individuals.
- The Public Records Act (PRA) (GC 6250-6265) provides for the inspection of public records.
- The State Records Management Act (GC 14740-14770) provides for the application of management methods to create, use, maintain, retain, preserve, and dispose of State records, including the determination of records essential to the continuation of State government in the event of a major disaster. State Administrative Manual (SAM) 1601 through 1699 contain administrative policies to implement provisions of this law.
- The California Computer Crime Statute (Calif. Rev. Stat 1987, Sect. 502, Ch. 1499, 1 January 1988) covers five offenses:
  - Manipulating data, a computer system, or a computer network to devise or execute a fraud.
  - Knowingly accessing and, without permission, taking copies of or using any data from a computer, or taking any supporting documentation, internal or external, to a computer.
  - Theft of computer services.
  - Knowingly accessing and, without permission, damaging data, computer software, or computer programs, internal or external, to a computer.
  - Disrupting or denying computer services to an authorized user.
- The Federal Copyright Act of 1976 provides for the prosecution of persons guilty of the theft of computer programs.

49010.5 Exemptions From Information Systems Security Policy
Exemptions to this policy may be granted by the Management Information Systems Committee. The decision to grant an exemption shall be based primarily upon a risk analysis submitted to the Committee and the recommendation of the CDC ISO.
49010.6 Information Management Annual Plan Reporting Requirements
The Information Management Annual Plan (IMAP), submitted by the Department to the Department of Finance (DOF), Office of Information Technology (OIT), shall contain a certification that the Department is in compliance with State requirements concerning information technology security and risk management. This certification is signed by the CDC Director. In addition, the IMAP shall provide the name, title, business address, and telephone number of the agency’s ISO.
49010.6.1 Operational Recovery Plan Reporting Requirements
The Department shall file an information copy of its Operational Recovery Plan (ORP) with OIT by January 31 each year. A copy of the ORP shall also be provided to the Teale Data Center.
49010.6.2 Incident Reporting Requirements
It is the responsibility of all departmental employees to report all incidents that would place the Department’s information assets at risk. It is the policy of the Department that the following incidents shall be reported through the chain of command to the departmental ISO:

- Any incident involving unauthorized access to automated data, automated files, or data bases.
- Any incident involving the unauthorized modification, destruction, or loss of automated data, automated files, or data bases.
- Any incident involving a virus, worm, or other such computer contaminant (see also DOM 41010).
- Any incident involving the unauthorized use of computer equipment, automated data, automated files, or data bases.
- Any incident involving the misuse of the information assets of the Department.

49010.6.3 Incident Report Format
The following information concerning each incident shall be reported to the departmental ISO within five working days of any awareness of the occurrence of the incident:

- Date of the incident.
- Contact person.
- Description of the incident and whether it is a major incident as described in DOM 49040.36.

49010.6.4 Incident Investigation
Department management shall promptly investigate all reported incidents of the kinds listed in DOM 49010.6.2.

The CDC ISO shall investigate each such reported incident to determine the facts and to prepare a report. The report shall have a section that contains a report of the incident prepared by the appropriate local management.
49010.6.5 Information Security Incident Report to DOF
A report of major incidents, as illustrated in SAM 4845, shall be submitted to OIT within ten working days of the Department’s first awareness of an incident involving one or more of the following:

- Unauthorized intentional release, modification, or destruction of confidential or sensitive information, or the theft of such information, including information stolen in conjunction with the theft of a computer or data storage device.
- Use of a State information asset in the commission of a crime.
- Intentional damage or destruction of State information assets, or the theft of such assets with an estimated value in excess of $500.

The report shall be signed by the Department Director and the Department ISO.
49010.7 Revisions
Revised April 16, 1993
The Chief, Information Services Division (ISD) (see EIS), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.
49010.8 References
Revised April 16, 1993
- Federal Copyright Act of 1976.
- Article 1, § 1 of the Constitution of the State of California.
- California Computer Crime Statute (Calif. Rev. Stat 1987, § 502, Ch. 1499, 1 January 1988).
- Information Practices Act of 1977 (IPA).
- Public Records Act (PRA).
- Government Code (GC) §§ 1171, 6250 – 6265, and 14740 – 14770.
- State Administrative Manual (SAM) §§ 1601 – 1699, and 4845.
- Department Operations Manual (DOM) §§ 41010 and 49040.