Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 49 – Special Security Considerations

49060.1 Policy

  • It is the policy of the California Department of Corrections and Rehabilitation (CDCR or the department) that the secure protection of Information Technology (IT) capabilities and information requires special resources and considerations when the information involved is sensitive or confidential in nature. In such instances, augmented security measures shall be implemented.

49060.2 Purpose

  • The purpose of this section is to clarify that, in addition to the other IT security policies and procedures contained in this manual, all CDCR employees shall, where applicable, adhere to the security requirements of this section. This section outlines the responsibilities of the department’s designated Authorizing Official or Assistant Authorizing Official and Security Monitor or Assistant Security Monitor pertaining to certain personnel and payroll information.

49060.3 Department Responsibilities

  • CDCR shall appoint a departmental Authorizing Official, Assistant Authorizing Official, and Security Monitor or Assistant Security Monitor from within the department’s Personnel/Payroll Office with responsibilities sanctioned by the State Controller’s Office (SCO) Personnel and Payroll Services Division (PPSD) Decentralized Security Program Manual. A Security Monitor shall be appointed at each facility. The Authorizing Official and Security Monitors shall have access to the SCO system and database.

  • The responsibility of protecting confidential data residing on the SCO system is a shared effort among all CDCR personnel staff. Once data is removed from, or viewable within, the department’s Personnel/Payroll Office, the information is the responsibility of the staff and management of that office.

  • It is the responsibility of the department’s personnel office to ensure training on the SCO system as part of risk management. Training may be available in-house and through SCO.

    • Authorizing Official or Assistant Authorizing Official

      • The Authorizing Official shall perform the following duties:

        • Ensures compliance with the standards and procedures in this manual, which includes providing SCO PPSD with the documents referenced below.

        • Submits the PSD041 by January 31 of each year on behalf of the department.

        • Submits the PSD125A on behalf of the department.

        • Submits the PSD108 on behalf of the department.

        • Verifies access and level of access of existing staff listed on the PSD125A.

        • Submits a new PSD108 advising SCO PPSD of the change when an employee has a name change.

        • Designates a Security Monitor or Assistant Security Monitor on the PSD040.

    • Security Monitors

      • The Security Monitor shall perform the following duties:

        • Act as a liaison with the SCO Decentralized Security Administrator (DSA).

        • Act as the security resource for all departmental personnel/payroll office employees including facility personnel offices.

        • Maintain the Decentralized Security Program Manual and current Security Authorization forms.

        • Review all documents for accuracy prior to approval.

        • Verify access and level of access of existing staff listed on the PSD125A.

        • List new users on the current PSD125A with appropriate attachments.

        • Submit the PSD125A.

        • Retain the PSD125A and PSD108 for five years after the date of last access for any user who is no longer active at that department.

        • Apply deletions (must refer to the SCO Personnel and Payroll Services Division Decentralized Security Program Manual for the most updated processes and guidelines).

        • Apply changes to additional access, reduction in access, name changes, leave of absence, return to work.

        • Advise PPSD of an employee’s name change using a PSD108.

49060.4 Special Site Security Guidelines

  • The sites of SCO computer equipment shall be kept secure (by means of locking devices, guards, badges or barriers) from unauthorized physical or visual access. The site shall be located in an area restricted from the public and unauthorized employees. Entry shall be monitored during work hours, and restricted areas shall be locked when unattended. Keys shall be distributed on a limited and controlled basis to authorized employees only.

    • Layout plans for equipment shall include the following:

      • Floor Plan

        • The site layout shall include an analysis of employee work areas, the manner in which employees shall enter and exit the office, the location of SCO equipment, and the location and type of all locking devices and barriers.

      • Doors

        • Doors shall be solid, locking, full or Dutch-style doors that are accessible only with the correct key or electronic key/badge. Doors shall remain closed and locked at all times.

      • Windows

        • Interior windows shall be frosted or covered completely to eliminate visual access to the terminal screens. Exterior windows on a ground floor shall be frosted, covered, and secured if easily opened.

      • Locks

        • Locks shall be installed on all interior and exterior doors allowing access to the secured area. Acceptable locks include, but are not limited to, the following:

          • Key-controlled locks.

          • Code-controlled locks.

          • Electronic locks.

          • Double-bolting locks on Dutch doors.

      • Counters

        • If a counter exists in the secured area, access into the work area shall be controlled and monitored. Records of approved access shall be maintained by the Security Monitor.

      • Changes To Site

        • Any changes to an approved, decentralized site require notification to the Security Monitor.

49060.5 Special Equipment Security Considerations

  • To ensure the security of SCO equipment and information, all department personnel employees shall adhere to the following equipment security guidelines:

    • Equipment shall be located in restricted areas that are monitored during working hours and locked during any unattended periods.

    • Only authorized employees shall have access to terminals, printers, control units and modems.

    • System access shall be completely signed off when not in use.

    • Terminals shall be locked, keys removed, and screen intensity turned completely down when the terminals are unattended.

  • The following shall be stored in a vault or locked cabinet when not in use:

    • Keys to terminals.

    • Manuals for system software and hardware.

    • Other instructional and operational manuals.

  • No equipment shall be attached to any authorized configuration of decentralized equipment, except for testing and installation tools used by the vendor or telephone company.

  • Deviations from the requirements listed above shall have prior written approval from the department Authorizing Official.

  • Equipment Changes

    • The following types of changes to the SCO decentralized system require prior, written approval from the department Authorizing Official:

      • Changes of any kind to the location of decentralized equipment.

      • Switching of terminals from one control unit to another.

      • Any additions or removals of decentralized equipment.

49060.6 Special Data Security Considerations

  • Personnel employees shall consider all information residing in the SCO database as confidential, and shall protect information from unauthorized access.

    • Other Special Data Security Considerations:

      • Security access authority and the protection of information, data and physical system assets of the State of California are mandated by California Penal Code, Section 502.

      • Department staff shall ensure that all personnel with access to department data and information assets are properly trained in accordance with their roles and responsibilities regarding data access and handling.

      • Ensure that department data and information assets are used solely for their intended purpose.

      • Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.

      • The department has the right to audit any activities related to the use of State information assets.

      • Adhere to the Decentralized Security Manual.

    • Hardcopy

      • Employees shall consider all data hardcopy (including printouts) gained from the SCO system as confidential, and shall handle and destroy hardcopy accordingly. The various user manuals provided by the SCO contain confidential access instructions and shall be stored in a vault or locked cabinet when not in use.

    • Authorized Personnel

      • Access to information provided through the SCO system is restricted to authorized personnel. Only the following persons shall be considered authorized personnel:

        • A state employee or bona fide representative of the SCO who:

          • Demonstrates either a need for or a legal right to the information;

          • Receives formal authorization from the Authorizing Official; and,

          • Accepts legal responsibility for preserving the security of the information.

      • Persons who require access to the SCO system shall demonstrate the need for such access by defining their specific, relevant duties. Any change in these duties requires a reevaluation of the need for access.

      • Access shall be revoked if the need for access no longer exists.

    • User Identification

      • Each person authorized to access the SCO system shall be provided with a unique user identification (ID). Requests for a new user ID or an ID revocation shall be directed to the Security Monitor.

        • CDCR employees are required to read SCO’s Decentralized Security Guidelines and sign the PSD108, Statement of Understanding, prior to receiving access to SCO. New IDs and ID revocations are recorded on the PSD Form 125A.

    • Passwords

      • Access to the SCO system is restricted through the use of passwords. Use of any user ID also requires the associated password, known only to its owner. User passwords shall comply with SCO password configuration policies.

        • To protect system security, the ID owner shall not:

          • Reveal the password to anyone.

          • Write the password on any media.

          • Walk away from an active terminal session; users shall log off the system prior to leaving.

          • Log on in order to provide access or allow use by any unauthorized person.

          • Use an obvious password, such as the owner’s nickname, or any other easily identifiable password.

        • If a password does not operate correctly and the ID owner is sure that the correct password has been used, the owner shall notify the Security Monitor immediately.

        • An ID owner who has forgotten the password shall contact the SCO Information Security Office.

        • Anyone who suspects that a password has been compromised shall notify the Security Monitor immediately. In addition, a CDCR information security incident report (ISIR) shall be submitted to the department Security Monitor as appropriate.

49060.7 Telework Considerations

Revised December 10, 2025

  • All employees who utilize department equipment while working remotely shall follow the guidelines of the Telework Agreement as indicated within the Department Operations Manual (DOM), Chapter 3 Article 25 – Telework Program. Additionally, employees shall adhere to the security requirements documented in this policy unless otherwise provisioned.

49060.8 Revision

Revised December 10, 2025

  • The CIO or designee shall be responsible for ensuring the contents of this Article are kept current and accurate.

References

  • (1) California Penal Code § 502.
    (2) DOM Chapter 3, Article 25.
    (3) 5 U.S.C. § 552a.
    (4) SCO PPSD – Decentralized Security Program Manual.

Revision History

  • (1) Revised: November 30, 1992.
    (2) Revised Section 49060.8: April 16, 1993.
    (3) Revised: December 10, 2025.