Chapter 4 – Information Technology

49020.7.3 Information Security Awareness

• It is the responsibility of CDCRCalifornia Department of Corrections and Rehabilitation management at all levels to ensure that personnel are aware of their responsibilities:

  • All employees are accountable for the implementation of information security policies and procedures within their areas of responsibility.

  • Accountability requires that employees be aware of the Department’s information security policies and procedures.

  • All employees that are owners, users, or custodians of a departmental information system shall receive annual information security training.

  • Security awareness training shall be given as a part of each employee’s orientation and annually thereafter. Each employee shall receive a copy of the security policy. All employees that access or use information assets shall annually complete and sign a selfcertification form.

  • All employees changing jobs or exiting owner, user, or custodian status, shall have their security privileges reviewed immediately, and such persons shall be prevented from having any further opportunity to access information which they no longer have a business need based on their new job duties.

  • Employees with the status of owner, user, or custodian shall have a job description that details that status and the security requirements therein.

  • Systems, including CDCRCalifornia Department of Corrections and Rehabilitation’s mission critical systems and Internet access, shall be monitored and activity logs maintained as per the Department’s ISSG.