Article 46 – Information Systems Risk Management
49030.3 Responsibilities

The following is a description of the organizational responsibilities for administering this program.

The Director

The Director is responsible for establishing and maintaining a risk management program within the Department. It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure.

Specifically, the Director is responsible for ensuring the following:

- Enforcement of State-level risk management policies.
- Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software and equipment, and the integrity and security of the agency’s automated information.
- Department compliance with reporting requirements related to risk management issues.
- Appointment of a qualified Information Security Officer (ISO).
- Participation of management during the planning, development, modification, and implementation of risk management policies and procedures.

Information Security Officer

Government Code (GC) 1171 requires that the director of each agency designate an ISO. The ISO is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISO shall be accountable to the CDC Director regarding these responsibilities.

To avoid conflicts of interest, the ISO shall not have direct responsibility for information processing, information access management functions, or any departmental computer-based systems, and shall not have a reporting relationship to an organization that has such responsibilities. The ISO shall not have any special allegiance or bias toward a particular program or organization.

The responsibilities of an ISO include overseeing the following:

- Implementation of necessary procedures to ensure the establishment and maintenance of a risk management program, including a risk analysis process.
- Establishment of procedures necessary to monitor and ensure compliance with established risk management policies and procedures.
- Coordination with internal auditors and Quality Control (QC) personnel to define their role in automated ITS planning, development, implementation, operations, and modifications relative to risk management.
- Coordination with the data center’s ISO or staff on matters related to the planning, development, implementation, or modification of risk management policies and procedures that affect the Department.
- Establishment of procedures to comply with control agency reporting requirements.
- Establishment of mechanisms to assure that Department staff (with particular emphasis on the owners, users, and custodians of information) are educated and aware of their roles and responsibilities relative to risk management.
- Establishment of training programs for Department employees related to risk management.

Technical Management

Department technical management has the following responsibilities relative to CDC’s risk management program:

- Ensuring that management, the ISO, assigned owners, and users/custodians are provided the necessary technical support services with which to define and select cost-effective solutions to high-risk problems identified through the risk analysis process.
- Ensuring the implementation of controls and procedures necessary to manage the risk identified through the risk analysis program.

Program Management

Department program managers have the following responsibilities in relation to CDC’s risk management program:

- Establishing the procedures necessary to comply with risk management policy in relation to ownership, user, and, if appropriate, custodian responsibilities.
- Ensuring the proper planning, development, and establishment of risk management processes and procedures for new computer-based systems and the files or databases for which the program has ownership responsibility, and for new physical devices assigned to and located in the program area(s).

Program Personnel

Program personnel have the following risk management responsibilities:

- Implementing and monitoring data Quality Assurance (QA) functions to ensure the integrity of data for which the program is assigned ownership responsibility.
- Complying with applicable federal, State, and Department risk management policies and procedures.
- Identifying information system vulnerabilities and informing program management and the ISO of those vulnerabilities.

Internal Auditors

Internal auditors have the following responsibilities in relation to the Department’s risk management efforts:

- Examination of the Department’s policies and procedures for compliance with State risk management policies.
- Examination of the Department’s policies and procedures for compliance with control agency audit requirements.
- Examination of the effectiveness of the Department’s policies and procedures, identification of inadequacies within the existing risk management program, identification of possible corrective actions, and informing management, the ISO, and the owners, custodians, and users of information of the findings.

Quality Control

The designated responsible QC person/program has the following responsibilities in relation to the Department’s risk management program:

- Review and evaluation of the risk management process used and its findings, to ensure the effectiveness of controls for automated ITS, whether under design and development or operational, with particular emphasis on major systems.

Information Owners

The owners of information are responsible for classifying the information, filing security incident reports, securing and storing the signed security agreements, and identifying for the ISO the level of acceptable risk.

The owners of CDC information are identified in the system library document maintained by the Management Information Systems (MIS) Support Unit.

Information Users

It is the responsibility of all users to protect CDC resources, note variances from established procedures, and report such variances to the appropriate manager.

Information Custodians

The custodians of information are responsible for complying with applicable laws, policies, and procedures. It is also the responsibility of custodians to advise the owner and the ISO of any threats to the information, and to notify the owner and the ISO of any violations of security policies, practices, or procedures.