Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 52 – Security Analytics and Continuous Monitoring Policy


49090.1 Introduction and Overview

  • Information technology environments that support CDCR (California Department of Corrections and Rehabilitation) / CCHCS / CALPIA (California Prison Industry Authority, formerly PIA) business functions and services are complex and dynamic computer network environments, which process, manipulate, and store large amounts of data and information. In order to detect unexpected and suspicious activities and events within such complex networks, it is important to continuously monitor computing environments. Continuous monitoring allows CDCR / CCHCS / CALPIA to rapidly identify anomalous or suspicious activities and events, analyze these events, and respond accordingly.

49090.2 Objectives

  • The objective of this policy is to define CDCR / CCHCS / CALPIA requirements for continuous monitoring of CDCR / CCHCS / CALPIA networks and information assets for signs of malicious use, anomalies, and unexpected behavior and usage patterns.

49090.3 Scope and Applicability

  • The scope of this policy extends to all State and Agency information assets owned or operated by CDCR / CCHCS / CALPIA, and governs the facilities and information assets owned or operated on behalf of CDCR / CCHCS / CALPIA by business partners and service providers.

  • This policy applies to Owners of Information Assets and Information Asset Custodians.

49090.4 Policy Directives

  • CDCR / CCHCS / CALPIA shall ensure that:

    • A strategy for security analytics and continuous monitoring will be defined, documented, and implemented.

    • The strategy will be based on security risk management principles in order to determine optimal monitoring locations, methods, and techniques.

    • CDCR / CCHCS / CALPIA’s security analytics and continuous monitoring strategy will be integrated with CDCR / CCHCS / CALPIA’s security and event logging and monitoring strategy, threat assessments, and security analytics and event correlation.

    • CDCR / CCHCS / CALPIA’s continuous monitoring is linked to incident response management and other CDCR / CCHCS / CALPIA incident management processes.

49090.5 Roles and Responsibilities

  • CDCR / CCHCS / CALPIA Chief Information Officer (CIO) or Designee

    • CDCR / CCHCS / CALPIA CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCR / CCHCS / CALPIA information assets are aware of this policy and acknowledge their individual responsibilities.

    • CDCR / CCHCS / CALPIA CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • CDCR / CCHCS / CALPIA CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.

  • CDCR / CCHCS / CALPIA Information Security Officer (ISO)

    • CDCR / CCHCS / CALPIA ISO shall assist Owners of Information Assets and Information Asset Custodians with the implementation of this policy.

    • CDCR / CCHCS / CALPIA ISO shall assist Owners of Information Assets and Information Asset Custodians in the analysis and assessment of risks posed by anomalous activities or identified events.

  • CDCR / CCHCS / CALPIA Owners of Information Assets and Program Management

    • Owners of Information Assets, in collaboration with the Information Asset Custodians, shall ensure that this policy is implemented and that its implementation is reviewed annually.

  • CDCR / CCHCS / CALPIA Information Asset Custodians

    • Information Asset Custodians shall implement technology and process controls.

    • Information Asset Custodians shall maintain records of security monitoring controls implemented.

49090.6 Enforcement

  • Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOM (Department Operations Manual) Chapter 3, Article 22.

  • CDCR / CCHCS / CALPIA shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCR / CCHCS / CALPIA shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

  • The consequences of negligence and non-compliance with State laws and policies may include departmental and personal:

    • Loss of delegated authorities.

    • Negative audit findings.

    • Monetary penalties.

    • Legal actions.

49090.7 Auditing

  • CDCR / CCHCS / CALPIA has the right to audit any activities related to the use of State information assets.

  • CDT OIS and CDCR / CCHCS / CALPIA have the statutory right to audit CDCR / CCHCS / CALPIA readiness to respond to and recover from an incident.

49090.8 Reporting

  • Violations of this policy shall be reported to the CDCR / CCHCS / CALPIA ISO.

49090.9 Security Variance Process

  • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49090.10 Authority

  • This policy complies with the State of California Government Code section 11549.3.

49090.11 Revisions

  • The CIO or designee shall ensure that the contents of this article are current and accurate.

References

  • SAM (State Administrative Manual), section 5335, Information Security Monitoring

  • SAM, section 5335.1, Continuous Monitoring

  • SAM, section 5335.2, Auditable Events

  • NIST SP 800-53, Audit and Accountability, AU-2, AU-6, AU-7, AU-13

  • NIST SP 800-53, Incident Response, IR-5, IR-10

  • NIST SP 800-53, Physical and Environmental Protection, PE-6

  • NIST SP 800-53, Program Management, PM-9

  • NIST SP 800-53, Risk Assessment, RA-2, RA-3

  • NIST SP 800-53, Security Assessment and Authorization, CA-7

  • DOM, Chapter 3, Article 22

  • DOM, Chapter 4, Article 41, section 48010.5

  • California Government Code section 11549.3

Revision History

  • Effective: XX.XX.XXXX