Article 45 – Information Security
49020.6.1 Information Security Ownership/Authority
-
An owner of any CDCRCalifornia Department of Corrections and Rehabilitation information shall be the approval authority for all requests for access to such information under his or her control. Approval authority may be delegated to a designated representative. The owner has an obligation to restrict access to the specific information to instances that are necessary and sufficient to meet the demonstrated need or right of the requestor. The owner shall consult with EISEnterprise Information Services (formerly Information Services Division) to determine the most appropriate on-line access mechanisms for a specific request, keeping in mind that EISEnterprise Information Services (formerly Information Services Division) is obligated to restrict the mechanisms to those that are necessary and sufficient to meet the requestor’s need for, or right to, such information.
-
The owner is ultimately responsible for the integrity of the entrusted information. This responsibility requires that the owner have control over who can access, modify, disclose, or destroy information. The owner shall exercise the responsibility to communicate information security requirements to all appropriate personnel, and to make use of all available security features. Additionally, the owner shall determine that implemented security measures are adequate to meet the requirements of the application, and ensure that an employee’s access authority is removed immediately upon separation or change of duties such that access is no longer necessary.