Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security


49020.8.2 Physical Access Management to Protect Data and Information

  • Access to facilities that host critical CDCR IT infrastructure, systems and programs must follow the principle of least privileged access. Personnel, including full and part-time staff, contractors and vendors’ staff should be granted access to only those facilities and systems that are necessary for the fulfillment of their job responsibilities.

  • The process of granting physical access to information resource facilities must include the approval of the Director of Enterprise Information Services (EIS), or his/her designee. Access reviews must be conducted at least quarterly, or more frequently, depending on the nature of the systems that are being protected. Removal of individuals who no longer require access must then be completed in a timely manner.

  • Access cards and keys must be appropriately protected, not shared or transferred, and returned when no longer needed. Lost or stolen cards/keys must be reported immediately.

  • Security clearance for visitors should include, but is not limited to, a sign-in book which includes the date and time of entry and departure, employee escort within a secured area, ID check and ID badges where critical information resources are contained.