Article 45 – Information Security
49020.10 Access Control

Access to any of the California Department of Corrections and Rehabilitation’s (CDCR) computerized information on any of the CDCR’s computers or the OTech Data Center is restricted to authorized persons. All access to the CDCR’s information systems shall be protected by at least user ID/password access control. Any software installed on information systems which use password protection features shall provide for non-display of, and restricted control over, passwords. No software that allows the authentication process to be bypassed or compromised may be installed on those computers.

Any person requiring such access shall:

- Be a State employee or a bona fide representative of the Department.
- Demonstrate either a need for, or a legal right to, the information.
- Receive formal authorization from the owner of the information.
- Accept legal responsibility for preserving the security of the information.

The sensitivity of the information residing in the CDCR’s computerized environments requires strict controls over who is allowed access to that environment, which information may be accessed, and how that information may be accessed.

The following uniform access authorization procedure assumes that all pertinent procedures have been followed, and all CDCR-required system approvals have been obtained. This policy procedure is for access to existing information resources. The uniform access authorization procedure is as follows.

All access requests shall be sent to the system owner with a copy to the AISO. The request shall contain the following:

- The name of the requester.
- The specific information for which access is desired.
- The reason(s) why the requestor has a need for, or right to, the information.
- The frequency and duration of the requested access.
- The type of access (e.g., read, update, copy, etc.).

After the data owner approves the request for access and returns it to the requestor, the approval is then routed to either Enterprise Information Services (EIS, formerly Information Services Division) or the requesting organization’s Information Security Coordinators (ISC) for action.