Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 47 – Disaster Recovery Planning


49040.4 Responsibilities

  • The CDC approach to risk management requires that active support and ongoing participation be obtained from individuals representing multiple disciplines and all management levels. This includes the support of executive, program, and technical management, as well as owners, custodians, and users of the information.

    • Director

      • It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure. Specifically, the Director is responsible for ensuring the following:

        • Enforcement of State-level operational recovery policies.

        • Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software, and equipment, and the integrity and security of the Department’s automated information.

        • Department compliance with reporting requirements related to operational recovery.

        • Preparation and maintenance of the Department’s operational recovery plan, and the continuation of vital information support services in case of a disaster.

        • Participation of management during the planning, development, modification, and implementation of operational recovery policies and procedures.

    • Information Security Officer

      • Government Code (GC) 1171 requires that the director of each State agency designate an Information Security Officer (ISO). The ISO is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISO shall be responsible to the CDC Director for these responsibilities.

      • Additionally, to avoid conflicts of interest, the ISO shall not have direct responsibility for information processing, information access management functions, or any departmental computer-based systems, or have a reporting relationship to an organization that has such responsibilities. The ISO shall not have any special allegiance or bias toward a particular program or organization.

      • The responsibilities of the ISO include overseeing the following:

        • Development and maintenance of an operational recovery plan to protect the Department against the potential effects of a disaster.

        • Establishment of procedures to comply with control agency reporting requirements relating to operational recovery.

    • Technical Management

      • Department technical management has the following responsibility relative to the Department’s operational recovery program:

        • Ensuring the implementation and maintenance of an operational recovery plan in cooperation with Department management, the ISO, and the assigned owners, users, and custodians of information.

    • Program Management

      • Department program managers have the following responsibilities in relation to the CDC security program:

        • Establishing procedures necessary to comply with operational recovery policy pertaining to ownership, user, and, if appropriate, custodian responsibilities.

        • Ensuring that operational recovery plans are in place for hardware, software, and files or databases for which the program is assigned ownership responsibility.

        • Ensuring that custodians of program information are provided the appropriate direction to implement the operational recovery plans that have been defined.

        • Ensuring that procedures are established to comply with departmental operational recovery reporting requirements.

    • Internal Auditors

      • Internal auditors have the following responsibilities in relation to the Department’s operational recovery planning efforts:

        • Examination of the Department’s policies and procedures for compliance with State policies.

        • Examination of the Department’s policies and procedures for compliance with control agency audit requirements.

        • Examination of the effectiveness of the Department’s policies and procedures; identification of inadequacies within the existing operational recovery programs, and identification of possible corrective actions.

        • Provision of applicable findings to management, the ISO, and the owners, custodians, and users of information.

    • Quality Control (QC)

      • The designated QC person or program has the following responsibilities in relation to the Department’s operational recovery program:

        • Review and evaluation of the effectiveness of operational recovery plans for automated ITS, whether under development or operational, and with particular emphasis on major systems.

    • Information Owners

      • The owners of information are responsible for classifying the information, defining precautions for controlling access, disposing of the information, authorizing or denying access to the information, filing security incident reports, securing the signed security agreements and storing them for reference, and identifying (for the ISO) the level of acceptable risk.

      • The owners of CDC information are identified in the system library document maintained by the Management Information Systems (MIS)-SU.

    • Information Users

      • It is the responsibility of all users to protect CDC resources, to note variances from established procedures, and to report such variances to the appropriate manager.

    • Information Custodians

      • The custodians of information are responsible for complying with applicable laws and policies, complying with policies and procedures established by the owner and the ISO, advising the owner and the ISO of any threats to the information, and notifying the owners and the ISO of any violations of security policies, practices, or procedures.