Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security

49020.11.3 Security of System Files

  • To minimize the risk of corruption to operational systems, the following procedures shall be implemented:

    • The updating of operational software, applications, and program libraries shall only be performed by trained administrators upon management authorization;

    • Operational systems shall only contain approved executable code, and not development code or compilers;

    • A rollback strategy shall be in place before changes are implemented;

    • An audit log shall be maintained of all updates to operational program libraries;

    • Previous versions of application software shall be retained as a contingency measure.

  • Decisions to upgrade to a new software release should take into account the business requirements for the change, and the security of the release, i.e. the introduction of new security functionality or the number and severity of security problems affecting this version. Software patches shall be applied when they can help to remove or reduce security weaknesses.

  • Physical or logical access shall only be given to non-CDCR (California Department of Corrections and Rehabilitation) employees for support services when necessary, and with approval from the AISO. Access to CDCR information resources should be monitored. Computer software that relies on externally supplied software and modules shall be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.