Article 46 – Information Systems Risk Management
49030.1 Policy
Revised April 16, 1993
All ITS within the Department are subject to a risk analysis prior to any approval or authorization for development or implementation. The result of this analysis, “The Risk Analysis and Risk Reduction Report,” shall be submitted as part of the request for approval. This report is a part of the feasibility study for large systems, and for stand-alone facilities within small systems. A multipurpose workstation is exempt from this requirement unless there is a need for a modem or to store confidential or sensitive information.
49030.2 Purpose
The purpose of this policy is to identify and provide for the use of a generic systems approach as part of the Department’s risk management program. This process shall assist users, systems designers, systems developers, and management in answering a number of basic questions, such as:
- What is the nature of the problem?
- What needs to be changed, modified, or accomplished?
- What alternatives are available to solve the problem?
- How, specifically, shall the problem be solved?
- How well does the new solution work?
49030.3 Responsibilities
The following is a description of the organizational responsibilities for administering this program.

The Director
The Director is responsible for establishing and maintaining a risk management program within the Department. It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure.
Specifically, the Director is responsible for ensuring the following:
- Enforcement of State-level risk management policies.
- Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software and equipment, and the integrity and security of the agency’s automated information.
- Department compliance with reporting requirements related to risk management issues.
- Appointment of a qualified Information Security Officer (ISO).
- Participation of management during the planning, development, modification and implementation of risk management policies and procedures.
Information Security Officer
Government Code (GC) 1171 requires that the director of each agency designate an ISO. The ISO is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISO shall be accountable to the CDC Director regarding these responsibilities.
To avoid conflicts of interest, the ISO shall not have direct responsibility for information processing, information access management functions, or any departmental computer-based systems, and shall not have a reporting relationship to an organization that has such responsibilities. The ISO shall not have any special allegiance or bias toward a particular program or organization.
The responsibilities of an ISO include overseeing the following:
- Implementation of necessary procedures to ensure the establishment and maintenance of a risk management program, including a risk analysis process.
- Establishment of procedures necessary to monitor and ensure compliance with established risk management policies and procedures.
- Coordination with internal auditors and Quality Control (QC) personnel to define their role in automated ITS planning, development, implementation, operations, and modifications relative to risk management.
- Coordination with the data center’s ISO or staff on matters related to the planning, development, implementation, or modification of risk management policies and procedures that affect the Department.
- Establishment of procedures to comply with control agency reporting requirements.
- Establishment of mechanisms to assure that Department staff (with particular emphasis on the owners, users and custodians of information) are educated and aware of their roles and responsibilities relative to risk management.
- Establishment of training programs for Department employees related to risk management.
Technical Management
Department technical management has the following responsibilities relative to CDC’s risk management program:
- Ensuring that management, the ISO, assigned owners, and users/custodians are provided the necessary technical support services with which to define and select cost-effective solutions to high-risk problems identified through the risk analysis process.
- Ensuring the implementation of controls and procedures necessary to manage the risk identified through the risk analysis program.
Program Management
Department program managers have the following responsibilities in relation to CDC’s risk management program:
- Establishing the procedures necessary to comply with risk management policy in relation to ownership, user and, if appropriate, custodian responsibilities.
- Ensuring the proper planning, development, and establishment of risk management processes and procedures for new computer-based systems and the files or databases for which the program has ownership responsibility, and for new physical devices assigned to and located in the program area(s).
Program Personnel
Program personnel have the following risk management responsibilities:
- Implementing and monitoring data quality assurance (QA) functions to ensure the integrity of data for which the program is assigned ownership responsibility.
- Complying with applicable federal, State, and Department risk management policies and procedures.
- Identifying information system vulnerabilities and informing program management and the ISO of those vulnerabilities.
Internal Auditors
Internal auditors have the following responsibilities in relation to the Department’s risk management efforts:
- Examination of the Department’s policies and procedures for compliance with State risk management policies.
- Examination of the Department’s policies and procedures for compliance with control agency audit requirements.
- Examination of the effectiveness of the Department’s policies and procedures, identification of inadequacies within the existing risk management program, identification of possible corrective actions, and informing management, the ISO, and the owners, custodians, and users of information of the findings.
Quality Control
The designated responsible QC person/program has the following responsibilities in relation to the Department’s risk management program:
- Review and evaluation of the risk management process used and its findings, to ensure the effectiveness of controls for automated ITS, whether under design and development or operational, with particular emphasis on major systems.
Information Owners
The owners of information are responsible for classifying the information, filing security incident reports, securing and storing the signed security agreements, and identifying for the ISO the level of acceptable risk.
The owners of CDC information are identified in the system library document maintained by the Management Information Systems (MIS) Support Unit.

Information Users
It is the responsibility of all users to protect CDC resources, note variances from established procedures, and report such variances to the appropriate manager.

Information Custodians
The custodians of information are responsible for complying with applicable laws, policies, and procedures. It is also the responsibility of custodians to advise the owner and the ISO of any threats to the information, and to notify the owner and the ISO of any violations of security policies, practices, or procedures.
49030.4 ITS – Risk Management Definitions

Audit Requirements
A section of the electronic data processing (EDP) audit reviews ITS documentation; each system not exempt from the audit requirements shall have an approved risk analysis report.

Critical Functions, Systems, and Resources
Elements vital to the organization’s operation, and possibly to the continued, viable existence of the organization.

Current Risk
Current risks are evident and continuing, and are inherent to a business operation, location, or process.

Data Integrity
The state that exists when computerized data are the same as that in source documents and have not been exposed to accidental or malicious alteration or destruction.

Data Protection
Measures to safeguard data from occurrences that could lead to the modification, destruction, or disclosure of data.

Data Security
Protecting data from modification, destruction, or disclosure.

Potential Risk
Potential risk is outside normal and purposeful business operations, and results from some intentional or unintentional, indeterminate action.

Risk
Risk is a measure of the relative value attached to certain circumstances and conditions inherent in any business operation, or change to that operation. Risks are either current or potential.
Risk Analysis Content:

Technical Analysis
For each risk scenario, specify the threat and the potential safeguards/controls identified. Each control should be discussed along with its intended purpose and the types of threats it is effective against. If no safeguards are found, then a statement to that effect shall be provided.

Operational Analysis
Each control identified above shall be analyzed and its impact on current operations discussed. All operational constraints that would make the safeguard difficult or impractical to implement or operate shall be discussed. Risks that shall be accepted due to the operational unacceptability of their safeguards shall be identified here.

Economic Analysis
For all controls that are technically and operationally feasible, discuss the cost benefit.

Risk Acceptance Summary
Lists all risks, acceptable or unacceptable. If acceptable, then indicate the basis for acceptance.

Controls Summary
Presents the controls to be used for eliminating or reducing the risks identified in the risk acceptance summary. Each control shall be described in terms of its loss reduction or effect, as well as the primary and secondary threat categories against which the control is effective.

Countermeasures
Any type of procedure (e.g., physical, procedural, hardware, software and personnel) used to counteract a threat to the system.
Risk Analysis Management Report:

Summary
A concise overview of the analysis. It shall begin with a statement describing the scope and objectives of the study, followed by the recommendations for risk acceptance and alternatives for reducing or eliminating the unacceptable risks.

Risk Scenario Summary
A summary of the essential data from the risk analysis.

Risk Management Process
Risk management is the work a manager does to identify the risk, assess its level, and create a plan for the acceptance, rejection, or control of the risk. This work is carried out by the application of a well-defined analytic process called “risk analysis,” and culminates in a risk analysis report and risk reduction decision study.

Risk Analysis
Involves identifying the assets and resources that are at risk, as well as the threats to those assets and resources and the vulnerabilities in the risk environment that might allow the threats to materialize. Risk analysis also involves estimating the frequency with which the threats might occur, the safeguards currently in place, and the cost/impact that could be incurred if the threats to the risk environment were to materialize (this process correlates to the problem definition and analysis of the “current problem” steps in a generic systems approach).

Risk Reduction Analysis
Involves identifying the availability of potential safeguards, determining the operational and economic feasibility of potential safeguards, and developing a risk reduction decision study for presentation to management (this process correlates to the identification of alternatives, cost-benefit analysis, selection of best alternative, and conceptual system design phases of the generic systems approach).

Management Decision
Management decides which risks are acceptable. For those that are not currently acceptable, management decides which of the alternatives shall be implemented and approves the resources required to purchase, or design and develop, and then implement them (this process corresponds to the management decision phase of the generic systems approach).

Development of Risk Reduction Plans
Outlines the tasks to be performed to implement the safeguards selected by management. Tasks include identification of the specific safeguards, assignment of responsibility for design, development or purchase, and implementation of the safeguards. Plans shall also include a timetable of the milestones leading to implementation (this process corresponds to the detailed design and development/testing phases of the generic systems approach).

Implementation and Maintenance of Safeguards
Involves the installation, operation and maintenance of new or modified safeguards. Implementation shall involve personnel training and coordinating any changes in operations with affected personnel.

Vulnerability
Susceptibility of a system to a specific threat, attack or harmful event, or the opportunity available for a threat agent to mount such an attack.

Vulnerability Assessment
A review of a system or program to determine its susceptibility to loss or unauthorized use.
49030.5 ITS – Risk Management New System Requests
All requests for approval for new systems development shall indicate if the system is a critical application.
49030.6 ITS – Risk Management Critical Applications
All critical applications shall require a risk analysis. See Department Operations Manual (DOM) 49040, Procedures.
49030.7 ITS – Risk Management Other Systems
Revised April 16, 1993
A risk analysis shall be submitted to the Information Security Unit (ISU) for all systems that are non-critical applications but use one or more of the following:
- Telecommunications.
- Programs created or maintained by inmates.
- Inmates as keyboard operators.
These applications require a risk analysis approved by ISU prior to implementation.
The MIS Committee may direct that a risk analysis be carried out for any new system when deemed necessary.
49030.8 Risk Management Exemption for Inmate Use
Requests to ISU for an exemption from information security policy, as it pertains to inmates and computers, shall be accompanied by a risk analysis. An exemption shall only be granted by the MIS Committee based upon the risk analysis and a recommendation by the ISO.
49030.9 Revisions
Revised May 6, 2010
The Assistant Secretary, Enterprise Information Services (EIS) (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.
49030.10 References
GC § 1171.
DOM § 49040.