Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 49 – Special Security Considerations

49060.6 Special Data Security Considerations

  • Personnel employees shall consider all information residing in the State Controller’s Office (SCO) database as confidential, and shall protect information from unauthorized access.

    • Other Special Data Security Considerations:

      • Security access authority, and protection of information, data and physical system assets of the State of California are mandated by California Penal Code, Section 502.

      • Department staff shall ensure that all personnel with access to department data and information assets are properly trained in accordance with their roles and responsibilities regarding data access and handling.

      • Ensure that department data and information assets are used solely for their intended purpose.

      • Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.

      • The department has the right to audit any activities related to the use of State information assets.

      • Adhere to the Decentralized Security Manual.

    • Hardcopy

      • Employees shall consider all data hardcopy (including printouts) gained from the SCO system as confidential, and shall handle and destroy hardcopy accordingly. The various user manuals provided by the SCO contain confidential access instructions and shall be stored in a vault or locked cabinet when not in use.

      • Ensure that department data and information assets are used solely for their intended purpose.

    • Authorized Personnel

      • Access to information provided through the SCO system is restricted to authorized personnel. Only the following persons shall be considered authorized personnel:

        • A state employee or bona fide representative of the SCO who:

          • Demonstrates either a need for or a legal right to the information;

          • Receives formal authorization from the Authorizing Official; and,

          • Accepts legal responsibility for preserving the security of the information.

      • Persons who require access to the SCO system shall demonstrate the need for such access by defining their specific, relevant duties. Any change in these duties requires a reevaluation of the need for access.

      • Access shall be revoked if the need for access no longer exists.

    • User Identification

      • Each person authorized to access the SCO system shall be provided with a unique user identification (ID). Requests for a new user ID or an ID revocation shall be directed to the Security Monitor.

        • CDCR employees are required to read SCO’s Decentralized Security Guidelines and sign the PSD108, Statement of Understanding, prior to receiving access to SCO. New IDs and ID revocations are recorded on the PSD Form 125A.

    • Passwords

      • Access to the SCO system is restricted through the use of passwords. Use of any user ID also requires the associated password, known only to its owner. User passwords shall comply with SCO password configuration policies.

        • To protect system security, the ID owner shall not:

          • Reveal the password to anyone.

          • Write the password on any media.

          • Walk away from an active terminal session; users shall log off the system prior to leaving.

          • Log on in order to provide access or allow use by any unauthorized person.

          • Use an obvious password, such as the owner’s nickname, or any other easily identifiable password.

        • If a password does not operate correctly and the ID owner is sure that the correct password has been used, the owner shall notify the Security Monitor immediately.

        • An ID owner who has forgotten the password shall contact the SCO Information Security Office.

        • Anyone who suspects that a password has been compromised shall notify the Security Monitor immediately. In addition, a CDCR information security incident report (ISIR) shall be submitted to the department Security Monitor as appropriate.