Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security

49020.2 Purpose

  • The purpose of this Policy is to establish and maintain a standard of due care to prevent misuse or loss of Department information assets. This policy establishes internal policies and procedures that:

    • Establish and maintain management and staff accountability for the protection of departmental information assets.

    • Establish and maintain processes for the analysis of risks associated with departmental information assets.

    • Establish and maintain cost-effective risk management processes intended to preserve the Department’s ability to meet program objectives in the event of the unavailability, loss, or misuse of information assets.

    • Protect departmental employees who are authorized to access the Department’s information assets from temptation, coercion, and threat.

    • Establish agreements with state and non-state entities to cover, at a minimum, the following:

      • Appropriate levels of confidentiality for the data based on data classification (see State Administrative Manual [SAM], § 5320.5).

      • Standards for transmission and storage of the data, if applicable (see SAM § 5310).

      • Agreement to comply with all state policy and law regarding use of information resources and data.

      • Signed confidentiality statements.

      • Agreements to apply security patches and upgrades, and keep virus software up-to-date on all systems on which data may be used.

      • Agreements to notify the information owners promptly if a security incident involving the data occurs.

    • Establish appropriate policies and procedures to protect and secure IT infrastructure.

    • Require that if a data file is downloaded to a mobile device or desktop computer from another computer system, the specifications for information integrity and security which have been established for the original data file must be applied in the new environment (SAM § 5310).

    • Require encryption, or equally effective measures, for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). This policy does not apply to mainframe and server tapes. (See SAM § 5345.2.)