Article 45 – Information Security
49020.10.2 Information Security‑Responsibilities of Supervisors
-
People are provided passwords because their jobs require them to access CDCRCalifornia Department of Corrections and Rehabilitation information systems. When a password owner terminates employment or is reassigned to duties that do not require such access, the immediate supervisor shall, without delay, notify the applicable party of the change.
-
The authority to access CDCRCalifornia Department of Corrections and Rehabilitation computers entails a significant risk to the Department’s ability to function. Such authority is restricted to persons with a demonstrated need for access. Because that need is, by definition, a function of the person’s specific job duties, any change in those duties requires a reevaluation of the need for access. If the duties change such that the need for access no longer exists, the access shall be revoked.
-
If any password owner changes job duties (via resignation, promotion, transfer, reorganization, separation, etc.), that individual’s immediate supervisor shall initiate the following:
-
Reevaluate whether the person’s new duties still require the authority to access CDCRCalifornia Department of Corrections and Rehabilitation’s computers.
-
Notify the local ITInformation Technology support staff or the access management group if the person no longer requires access authority.
-
Notify the owner of the relevant CDCRCalifornia Department of Corrections and Rehabilitation information so that the appropriate paperwork can be initiated to document the removal of the person’s access privileges if the person no longer requires access authority.
-
-
The lack of use of the access authority is assumed to be proof that the authority is no longer required. Access authority to information assets may be revoked without notice if they are not used regularly.