Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 51 – Endpoint Security Policy

49080.1 Introduction and Overview

  • CDCR (California Department of Corrections and Rehabilitation) / CCHCS / CALPIA (California Prison Industry Authority, formerly PIA) information assets are often used to conduct business functions internally as well as with other State and non-CDCR/CCHCS/CALPIA persons and devices on the Internet. Devices used for such CDCR/CCHCS/CALPIA business purposes comprise servers, network devices, and end user devices including mobile computers, tablets, and smartphones; such devices are collectively called “endpoints” or “endpoint devices.” Some CDCR/CCHCS/CALPIA information assets are more prone to loss or theft due to their size, mobility, or location of use.

  • CDCR/CCHCS/CALPIA needs to ensure that endpoints are suitably protected to prevent unauthorized access to data and information that may reside on the endpoints.

49080.2 Objectives

  • The objective of this policy is to define the requirements to protect CDCR/CCHCS/CALPIA endpoints that may routinely interact with unknown or untrusted devices on the Internet, or that are more susceptible to loss or theft.

49080.3 Scope and Applicability

  • The scope of this policy extends to all State and Agency information assets owned and operated by CDCR/CCHCS/CALPIA, information assets managed by third parties on behalf of CDCR/CCHCS/CALPIA, and all information assets that process or store CDCR/CCHCS/CALPIA information in support of CDCR/CCHCS/CALPIA services and mission.

  • This policy applies to Owners of Information Assets and Information Asset Custodians.

49080.4 Policy Directives

  • CDCR/CCHCS/CALPIA shall ensure that:

    • All CDCR/CCHCS/CALPIA endpoints are identified and endpoint asset inventories are documented and continually updated.

    • Risks to individual CDCR/CCHCS/CALPIA endpoint device types and the data they access, process, and store are assessed.

    • The requisite endpoint protection controls, as referenced in the Statewide Information Management Manual, are implemented and maintained to mitigate risks to each endpoint.

    • Endpoint protection controls include people (asset users), processes, and technology controls.

    • Endpoint protection controls are continuously monitored.

    • Endpoint protection controls are reviewed at least annually.

49080.5 Roles and Responsibilities

  • CDCR/CCHCS/CALPIA Chief Information Officer (CIO) or Designee

    • CDCR/CCHCS/CALPIA CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCR/CCHCS/CALPIA information assets are aware of this policy and acknowledge their individual responsibilities.

    • CDCR/CCHCS/CALPIA CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • CDCR/CCHCS/CALPIA CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.

  • CDCR/CCHCS/CALPIA Information Security Officer (ISO)

    • CDCR/CCHCS/CALPIA ISO shall assist Owners of Information Assets and Information Asset Custodians with the identification and selection of endpoint protection controls.

    • CDCR/CCHCS/CALPIA ISO shall ensure that endpoint protection controls meet CDCR/CCHCS/CALPIA requirements for security and privacy.

  • CDCR/CCHCS/CALPIA Owners of Information Assets and Program Management

    • Owners of Information Assets in collaboration with the Information Asset Custodians shall ensure that the endpoint protection controls are defined, documented, and implemented, and that implementation is reviewed annually.

    • Owners of Information Assets in collaboration with the Information Asset Custodians shall ensure the endpoint protection controls commensurate with the sensitivity or criticality of the asset are implemented for assets under their purview.

  • CDCR/CCHCS/CALPIA Information Asset Custodians

    • Information Asset Custodians shall implement the requisite endpoint protection controls based upon the sensitivity or criticality of the assets as defined by the Owners of Information Assets.

    • Information Asset Custodians shall maintain and update endpoint protection technologies based on best practices.

    • Information Asset Custodians shall maintain records of endpoint protection controls and ensure proper change management.

49080.6 Enforcement

  • Non-compliance with this policy may result in disciplinary or adverse action as set forth in the Department Operations Manual (DOM), Chapter 3, Article 22.

  • CDCR/CCHCS/CALPIA shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCR/CCHCS/CALPIA shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

  • The consequences of negligence and non-compliance with State laws and policies may include department and personal:

    • Loss of delegated authorities.

    • Negative audit findings.

    • Monetary penalties.

    • Legal actions.

49080.7 Auditing

  • CDCR/CCHCS/CALPIA has the right to audit any activities related to the use of State information assets.

  • CDT OIS and CDCR/CCHCS/CALPIA have the statutory right to audit CDCR/CCHCS/CALPIA readiness to respond to and recover from an incident.

49080.8 Reporting

  • Violations of this policy shall be reported to the CDCR/CCHCS/CALPIA ISO.

49080.9 Security Variance Process

  • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49080.10 Authority

  • This policy complies with the State of California Government Code section 11549.3.

49080.11 Revisions

  • The CIO or designee shall ensure that the contents of this article are current and accurate.

References

  • SIMM 5305-A, Information Security Program Management Standard

  • SIMM 5355-A, Endpoint Protection Standard

  • State Administrative Manual (SAM), section 5355, Endpoint Defense

  • SAM, section 5355.1, Malicious Code Protection

  • NIST SP 800-53, Security Assessment and Authorization, CA-7

  • NIST SP 800-53, Configuration Management, CM-2, CM-3, CM-6, CM-7, CM-10, CM-11

  • NIST SP 800-53, System and Communications Protection, SC-8, SC-10, SC-11, SC-13, SC-18, SC-23, SC-24, SC-28, SC-38, SC-42, SC-43

  • NIST SP 800-53, System and Information Integrity, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8, SI-11

  • NIST SP 800-53, Program Management, PM-9

  • NIST SP 800-53, Risk Assessment, RA-2, RA-3, RA-5

  • NIST SP 800-53, Physical and Environmental Protection, PE-3, PE-19, PE-20

  • DOM, Chapter 3, Article 22

  • DOM, Chapter 4, Article 41, section 48010.5

  • California Government Code, section 11549.3

Revision History

  • Effective: XX.XX.XXXX
