Article 50 – Change and Configuration Management Policy
49070.1 Introduction and Overview

Business functions are highly dependent on secure and stable Information Technology (IT) operating environments. Secure and reliable IT environments are enabled through both maintaining standard configurations and establishing processes and procedures to effectively manage changes to the operating environments.

The goal of formalized IT change management is to facilitate IT changes as defined in enterprise standards, guidelines, and procedures while minimizing negative impacts to the organization.

The goal of IT configuration management is to establish, implement, and manage information asset baseline configurations and maintain consistency throughout the system lifecycle.

This policy establishes the California Department of Corrections and Rehabilitation (CDCR) / CCHCS / California Prison Industry Authority (CALPIA, formerly PIA) requirement for formal change and configuration management.
49070.2 Objectives

The objective of this policy is to establish CDCR / CCHCS / CALPIA requirements for standardized methods and procedures for the management of information asset configurations and changes to CDCR / CCHCS / CALPIA information and technology environments, while integrating security and risk considerations.
49070.3 Scope and Applicability

The scope of this policy extends to all State and Agency information assets owned and operated by CDCR / CCHCS / CALPIA, information assets managed by third parties on behalf of CDCR / CCHCS / CALPIA, and all information assets that process or store CDCR / CCHCS / CALPIA information in support of CDCR / CCHCS / CALPIA services and mission.

This policy applies to Owners of Information Assets and Information Asset Custodians.
49070.4 Policy Directives

CDCR / CCHCS / CALPIA shall:

- Formally manage all changes to information assets.
- Utilize the Change Control Board, which includes a change advisory board that meets on a regular basis to review changes to information assets.
- Ensure that the change advisory board comprises representation from appropriate stakeholders, and in particular from impacted business areas.
- Ensure that the change advisory board includes formal security representation, and that change management processes formally integrate security evaluations and risk impact assessments in all change activities.
- Establish comprehensive enterprise-wide change management, comprised of supporting processes, workflows, and a centralized repository for all changes, including changes to baseline configurations.
- Establish, implement, and manage CDCR / CCHCS / CALPIA operating baselines for information asset configurations.
- Establish and implement technologies, processes, and procedures to maintain and manage information asset configurations.
- Ensure third parties and contractors are subject to change and configuration management policies, discipline, and practices. Any changes to CDCR / CCHCS / CALPIA information assets proposed by service providers, regardless of whose environment they operate in, shall be governed by CDCR / CCHCS / CALPIA change and configuration management processes.

49070.5 Roles and Responsibilities

CDCR / CCHCS / CALPIA Chief Information Officer (CIO) or Designee

The CDCR / CCHCS / CALPIA CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCR / CCHCS / CALPIA information assets are aware of this policy and acknowledge their individual responsibilities.

The CDCR / CCHCS / CALPIA CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

The CDCR / CCHCS / CALPIA CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.

CDCR / CCHCS / CALPIA Information Security Officer (ISO)

Information Asset Custodians shall implement configuration and change management technology, process, and workflow controls as approved by Owners of Information Assets.

Information Asset Custodians shall maintain change and configuration management records for a minimum period of 12 months. Secure deletion or destruction of these records shall be in accordance with the records retention schedule.

49070.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual (DOM) Chapter 3, Article 22.

CDCR / CCHCS / CALPIA shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCR / CCHCS / CALPIA shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

The consequences of negligence and non-compliance with State laws and policies may include department and personal:

- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49070.7 Auditing

CDCR / CCHCS / CALPIA has the right to audit any activities related to the use of State information assets.

CDT OIS and CDCR / CCHCS / CALPIA have the statutory right to audit CDCR / CCHCS / CALPIA readiness to respond to and recover from an incident.

49070.8 Reporting

Violations of this policy shall be reported to the CDCR / CCHCS / CALPIA ISO.

49070.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49070.10 Authority

This policy complies with the State of California Government Code section 11549.3.

49070.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

- SIMM 19C, Project Approval Lifecycle Stage 3 – Solution Development
- SIMM, sections 58C, 58D, 66B, 5305-A, 5310-A and B; 5325-A and B; 5330-A, B, and C; 5340-A and C; and 5360-B
- State Administrative Manual (SAM), section 5315, Information Security Integration
- SAM, section 5315.5, Configuration Management
- SAM, section 5355, Endpoint Defense
- NIST SP 800-53, Configuration Management, CM-2, CM-3, CM-4, CM-5, CM-6, CM-9
- DOM, Chapter 3, Article 22
- DOM, Chapter 4, Article 45, section 49020.9
- California Government Code section 11549.3

Revision History

Effective: XX.XX.XXXX