Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security

49020.16 Information Security Architecture Standards and Guidelines

  • Data processing equipment in the California Department of Corrections and Rehabilitation (CDCR) automated network environment (computers and peripherals) shall be secured against access by unauthorized persons. Any equipment that is not stand-alone is considered teleprocessing data processing equipment. This includes all workstations that are connected to each other or to any other server or mainframe, mini or micro, system, whether by dial-up, cabling (including, but not limited to, coax, twisted pair, and fiber), LANs, gateways, routers, and all other network components. Access to CDCR’s network shall be restricted to CDCR employees and approved consultants. The methods by which CDCR’s data processing equipment is secured shall be documented in the CDCR ISSG. Any exception or modification to the ISSG must be approved in writing by the AISO prior to implementation.

  • The ISSG shall include descriptions of procedures to protect and preserve the data processing teleprocessing equipment from access by unauthorized persons. The procedures are constrained by the following:

    • Only authorized personnel shall have access to terminals, printers, control units, concentrators, telephone wiring panels, modems, and emulation cards.

    • Control of access through the CDCR telecommunications system to the Internet is the responsibility of the EIS (Enterprise Information Services, formerly Information Services Division), and is administered in accordance with the ISSG ISA. Additional access not described in the ISSG ISA constitutes a request for a modification to the ISSG ISA and must be submitted and approved in accordance with this policy prior to implementation.

    • Persons not authorized to access the CDCR’s telecommunications system shall obtain approval from the designated local ISC (Information Security Coordinator). Unauthorized persons include representatives of control agencies, CDCR personnel from another site, equipment vendors, telephone companies, etc.

    • Any division with custodianship of decentralized applications shall locate equipment in restricted areas that shall be monitored during working hours and locked during unattended periods.

    • Access to computers, either connected to a CDCR network or stand-alone, shall be limited by the use of a password-protected screensaver and/or key-controlled access to the power supply and/or keyboard with the keys physically removed and stored away from the workstation.

    • Computers connected in any way to CDCR’s telecommunications system or stand-alone computers with modems connected to them may not be located in areas where inmates have access, except for work assignments when the inmates are under the direct and constant supervision of custody staff.

    • Control units shall be locked whenever possible and the keys removed and stored in a secure environment.

    • Storage media including, but not limited to, diskettes, CDs, removable hard drives, and tapes shall be removed from equipment that reads them and stored in a secure environment when not in use.

    • Documentation pertaining to the hardware, system software, and configuration of the CDCR’s telecommunication system is confidential.

    • All facility phone rooms and other locations where network components are kept shall be labeled “Out of Bounds. Authorized Personnel Only.”