Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security


49020.4 Departmental Approach to Information Security

  • The departmental approach to information security consists of the following components:

    • Assigned management responsibilities for Information Technology (IT) risk management. See State Administrative Manual (SAM) § 5315.

    • Provisions for the integrity and security of automated and paper information, produced or used in the course of California Department of Corrections and Rehabilitation (CDCR) operations. See SAM § 5310 through 5350.

    • Provisions for the security of IT facilities, software, and equipment utilized for automation. See SAM § 5330.

    • Establishment and maintenance of an IT risk management program, including a risk analysis process. See SAM § 5305.

    • Establishment and maintenance of an agency Disaster Recovery Plan. See SAM § 5355.

    • A security and ongoing privacy program, including an annual training component for all employees and contractors. Refer to Government Code (GC) 11019.9 and CC 1798.

    • Compliance with state audit requirements relating to the integrity of information assets. See SAM § 20000 et seq.

    • Policies to ensure that information security and information privacy are incorporated at each phase of the Information Systems Development Life Cycle.

    • Risk assessments in accordance with SAM, § 5305.1 to ascertain the threats and vulnerabilities that impact the CDCR’s information assets and implement appropriate mitigations.

    • Information security training for all employees who use information assets in the course of their assigned duties to ensure awareness and understanding of the Department’s policies.

    • Coordination of information security audits for compliance with security policies.

    • Reporting of deficiencies for noncompliance with the CDCR security policies for management’s corrective action.

    • Reporting violations of this policy to the hiring authority of the employee alleged to have committed the act or the Office of Internal Affairs (OIA), when appropriate.

    • Adherence to requirements established in SAM, § 4841. 5300.3.

    • Periodic review of security policies for changes that may be necessary as a result of technology evolution or changes in Department operations.

  • This policy includes, but is not limited to, the following information assets:

    • All categories of automated information including, but not limited to, records, files, and data bases.

    • IT facilities, software, and equipment (including personal computer systems) owned or leased by the CDCR.