Article 45 – Information Security
49020.5 Roles and Responsibilities
The Department has established the necessary policies, procedures, practices, and controls to protect information assets from accidental or intentional disclosure, destruction, or modification, and to comply with all applicable State and federal privacy acts. Information assets covered by this Article include, but are not limited to:

- All categories of automated information including, but not limited to, records, files, and databases.
- Information Technology (IT) facilities, software, and equipment (including personal computer systems) owned or leased by the California Department of Corrections and Rehabilitation (CDCR).

The following is a description of the organizational responsibilities for administering this program:
Secretary

The Secretary has the ultimate responsibility for ensuring a risk management program is established that:

- Assigns management responsibilities for IT risk management.
- Provides for the integrity and security of automated and paper information produced or used in the course of agency operations.
- Complies with state and audit requirements relating to the integrity of information assets.

Director of Enterprise Information Services (EIS, formerly Information Services Division)

The Director of EIS has the delegated responsibility for establishing and maintaining an information security program within the Department. It is the responsibility of the Director of EIS to assure that information assets are protected from the effects of damage and destruction, as well as from unauthorized or accidental modification, access, or disclosure. Specifically, the Director of EIS is responsible for ensuring:

- Enforcement of State-level security policies.
- Establishment and maintenance of internal policies that provide for the security of IT facilities, software and equipment, and the integrity and security of the agency’s automated information.
- Department compliance with reporting requirements related to security issues.
- Appointment of a qualified AISO.
- The participation of management during the planning, development, modification, and implementation of security policies and procedures.

Agency Information Security Officer (AISO)

State Administrative Manual (SAM), § 5315.1 requires that each agency designate an Information Security Officer (ISO). Additionally, to avoid conflicts of interest, the following restrictions shall apply to the AISO:

- The AISO shall not have direct responsibility for information processing.
- The AISO shall not have direct responsibility for access management functions.
- The AISO shall not have direct responsibility for any departmental computer-based systems.
- The AISO shall not have any special allegiance or bias toward a particular program or organization.
- The AISO will have direct responsibility for the CDCR Information Security Office.
- The AISO will report allegations of misconduct or criminal activity to the Office of Internal Affairs (OIA) and assist with investigations as necessary.

The AISO is responsible for overseeing Agency policies and procedures designed to protect its information assets. In accordance with State policy, the AISO shall be accountable to the Secretary with respect to the following responsibilities:

- Implementation of necessary procedures to ensure the establishment and maintenance of a security program.
- Establishment of security policies and procedures designed to protect information assets.
- Identification of confidential and sensitive information and critical applications.
- Identification of vulnerabilities that may cause inappropriate or accidental access, destruction, or disclosure of information, and the establishment of security controls necessary to eliminate or minimize their potential effects.
- Establishment of procedures necessary to monitor and ensure compliance with established security and risk management policies and procedures.
- Coordination with internal auditors to define their roles in automated information system planning, development, implementation, operations, and modifications relative to security.
- Coordination with the applicable data center’s Information Security Officer (ISO) or staff on matters related to the planning, development, implementation, or modification of information security policies and procedures that affect the Department.
- Acquisition of appropriate security equipment and software.
- Establishment of procedures to comply with control agency reporting requirements.
- Development and maintenance of controls and safeguards to control user access to information.
- Establishment of mechanisms to assure that CDCR staff (with particular emphasis on the owners, users, and custodians of information) are educated and aware of their roles and responsibilities relative to information security.
- Establishment of training programs for CDCR employees related to information security.

EIS Technical Management

Department technical management has the following responsibilities relative to the Department’s information security program:

- Ensuring that management, the Information Security Office (ISO), assigned owners, custodians, and users are provided the necessary technical support services with which to define and select cost-effective security controls, policies, and procedures.
- Ensuring the implementation of security controls and procedures as defined by the owners of information.
- Ensuring the implementation of system controls necessary to identify actual or attempted violations of security policies or procedures.
- Ensuring that the owners of information and the Information Security Office are notified of any actual or attempted violations of security policies and procedures.

Program Management

Department program managers have the following responsibilities in relation to the Department’s security program:

- Establishing the procedures necessary to comply with State information security policy in relation to ownership, user, and, if appropriate, custodian of information responsibilities.
- Ensuring that State program policies and requirements are identified relative to security requirements.
- Ensuring the proper data classification of automated information for which the program is assigned ownership responsibility.
- Ensuring the participation of the Information Security Office (ISO) and technical staff in identifying and selecting appropriate and cost-effective security controls and procedures to protect information assets.
- Ensuring that appropriate security requirements for user access to automated information are defined for files or databases for which the program is assigned ownership responsibility.
- Ensuring the proper planning, development, and establishment of security policies and procedures for files or databases for which the program has ownership responsibility, and for physical devices assigned to and located in the program area(s).
- Ensuring that custodians of program information are provided the appropriate direction to implement the security controls and procedures that have been defined.
- Ensuring that procedures are established to comply with control agency reporting requirements.

Program Personnel and Users

Program personnel have the following security responsibilities:

- Implementing and monitoring data quality assurance functions to ensure the integrity of data for which the program is assigned ownership responsibility.
- Complying with applicable federal, State, and Department security policies and procedures.
- Complying with applicable federal and State statutes.
- Identifying security vulnerabilities and informing program management and the Information Security Office of those vulnerabilities.
- Ensuring that management, the Information Security Office (ISO), and assigned owners, custodians, and other users are provided the necessary technical support services with which to define and select cost-effective security controls, policies, and procedures.
- Ensuring the implementation of security controls and procedures as defined by the owners of information.
- Ensuring the implementation of system controls necessary to identify actual or attempted violations of security policies or procedures.
- Ensuring that the owners of information and the Information Security Office are notified of any actual or attempted violations of security policies and procedures.

Data Owners

The owners of information are responsible for classifying the information, defining precautions for its integrity, disposing of the information, defining initial levels of access needed, filing security incident reports, securing signed security agreements and forwarding them to the Data Custodian, and identifying the level of acceptable risk.

Data Custodians

The custodians of information, including the Office of Technology Services (OTech) Data Center, are responsible for complying with applicable laws, policies, and procedures established by the owner and the AISO, advising the owner and the AISO of any threats to the information, and notifying the owners and the AISO of any violations of security policies, practices, and procedures.

In addition, the data custodians for an information system have the following access management responsibilities:

- Access Authorization – The granting of permission to execute a set of operations in the system. Access privileges shall be allocated to users on a need-to-use basis, with the minimum privileges required for their functional role.
- Access Control – Enabling the performance of tasks by hardware, software, and administrative controls that would have the effect of monitoring a system’s operation, ensuring data recovery, performing user identification, and granting access to users.
- Accountability – The work necessary to set up the ability to trace violations or attempted violations of system security to the individual(s) responsible.

Internal Auditors

The Information Security Unit of the Office of Audits and Compliance has the following audit responsibilities in relation to the Department’s information security program (Department Operations Manual (DOM), Chapter 4, Article 48, Electronic Data Processing Auditing):

- Examination of the Department’s information security policies and procedures for compliance with State information security policies, including control agency audit requirements.
- Identification of possible corrective actions.
- Informing management, the ISO, and the owners, custodians, and users of information of audit findings.

Access Management

Access Management within CDCR is:

- A critical responsibility of information system owners and custodians.
- An organizational unit within EIS.

The access management group and each organization with owner or custodial responsibilities for an information system have the following access management responsibilities:

- Access Authorization. The granting of permission to execute a set of operations in the system. At the lowest level, for example, this would be to grant permission for inmate trust personnel to access the classification of inmates on the Distributed Data Processing System (DDPS). At the highest level, for example, this would be working with the information system owners to physically allow access to a specific information system.
- Access Control. Enabling the performance of tasks by hardware, software, and administrative controls that would have the effect of monitoring a system’s operation, ensuring data integrity, performing user identification, recording system access and charges, and granting access to users.
- Accountability. The work necessary to set up the ability to trace violations or attempted violations of system security to the individual(s) responsible.

Additionally, the access management group of EIS shall maintain the central file of all signed self/joint certification statements and security agreements, and shall provide the ISO, management, and owners with appropriate status reports.

Information Security Coordinators

Every organizational entity that uses computer systems or computer applications shall designate an Information Security Coordinator (ISC) for each site maintained by that entity. The designated ISC shall be responsible for ensuring that applicable CDCR policies and procedures are followed, and shall act as the security liaison to the Information Security Office. The CDCR Information Security Office will serve as the ISC for EIS staff.

A procedure shall be developed by each of these organizational entities, subject to approval by the AISO. The procedure shall be constrained as follows:

- The designation of an ISC for the decentralized or control entity shall be in writing and shall identify the name, work address, and telephone number of the ISC.
- The AISO shall maintain a file of all current and past designated ISCs.
- The designated ISC shall be aware that they are the designated ISC and of the responsibility that the designation entails.
- The designated ISC shall ensure compliance with information security policies and procedures, and with any security guidelines issued by the owners of decentralized automated systems.