Article 53 – Server Configuration Policy

49100.1 Introduction and Overview

This document defines the policy for all servers, physical and virtual, owned or operated by the California Department of Corrections and Rehabilitation (CDCR) / CCHCS / California Prison Industry Authority (CALPIA, formerly PIA). Effective implementation of this policy minimizes the risk of server vulnerabilities that can result in system unavailability, data corruption, unauthorized access, information and resource misuse, and service disruption.

49100.2 Objectives

The objective of this policy is to establish the base configuration of internal server equipment that is owned and operated by CDCR / CCHCS / CALPIA. Effective implementation of this policy will minimize unauthorized access to CDCR / CCHCS / CALPIA proprietary information and technology.

49100.3 Scope and Applicability

The scope of this policy extends to all information assets owned or operated by CDCR / CCHCS / CALPIA, including critical infrastructure, as well as information assets owned or operated by third parties on behalf of CDCR / CCHCS / CALPIA.

This policy applies to Owners of Information Assets and Information Asset Custodians.

49100.4 Policy Directives

CDCR / CCHCS / CALPIA shall:

- Only create server service accounts when necessary.
- Use the Principle of Least Privilege (POLP) to limit user access rights to the minimum required.
- Not use administrative accounts (e.g., root, administrator, O365 Global) when a non-privileged account will suffice.
- Disable, lock, or delete all accounts except those required to provide necessary services.
- Change the default passwords for all accounts and follow the password security best practices outlined in SIMM 5300-A, Org-Defined Standards (NIST IA-5(1)).
- Limit access to administrative accounts to only those who have an operational need and have been authorized.
- Ensure service accounts are not members of the Local Administrators or Domain Administrators groups.
- Authorize and document all administrative (privileged) accounts.
- Encrypt all passwords and all sensitive and confidential data while in transit. Passwords shall adhere to State Org-Defined Policy. (See State Administrative Manual (SAM) 5350.1, SIMM 5300-B, NIST SP 800-63B, and FIPS 140-2.)
- Authenticate users over encrypted protocols.
- Log all access to the server and to services that are protected through access control methods.
- Establish and implement controls to ensure that service account functions are authorized using service account credentials only.

Systems Configuration and Maintenance

Servers shall be patched and hardened before attaching them to the network. Security patches shall be installed on the system not less than monthly. If an intelligence source advises of an imminent threat, patches shall be installed according to documented information technology standards.

Servers shall be physically secured in locations accessible only to authorized personnel.

Only required services shall be enabled or installed on the server. Services that are not required shall be uninstalled or disabled.

Regular back-ups of the server shall be completed according to the back-up and retention policy and tested on a periodic schedule.

Monitoring

The server shall capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes.

Security-related events shall be reviewed and investigated. Events include, but are not limited to:

- Account lockouts
- Failed user account logins
- Evidence of unauthorized access to privileged accounts
- Anomalous occurrences that are not related to specific applications on the server

Security incidents shall be handled immediately in accordance with the State Administrative Manual (SAM) and SIMM and reported to the CDCR / CCHCS / CALPIA Information Security Officer (ISO) and to the data owners or their designees.

49100.5 Roles and Responsibilities

CDCR / CCHCS / CALPIA Chief Information Officer (CIO) or Designee

The CDCR / CCHCS / CALPIA CIO or Designee owns this policy and is responsible for ensuring that all Owners of Information Assets, Information Asset Custodians, and users of CDCR / CCHCS / CALPIA information assets are aware of this policy and acknowledge their individual responsibilities.

The CDCR / CCHCS / CALPIA CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

The CDCR / CCHCS / CALPIA CIO or Designee is required to audit and assess compliance with this policy at least once every 2 years.

CDCR / CCHCS / CALPIA Information Security Officer (ISO)

The CDCR / CCHCS / CALPIA ISO shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.

The CDCR / CCHCS / CALPIA ISO shall ensure data security controls, methods, and processes meet CDCR / CCHCS / CALPIA and applicable regulatory requirements for security.

The CDCR / CCHCS / CALPIA ISO shall participate in all incidents involving information security.

CDCR / CCHCS / CALPIA Owners of Information Assets and Program Management

Owners of Information Assets, in collaboration with the Information Asset Custodians, shall ensure that this policy is implemented and that its implementation is reviewed annually and as appropriate.

Owners of Information Assets shall audit user access rights and privileges to ensure alignment with individual job roles and functions on an annual or more frequent basis, as appropriate.

CDCR / CCHCS / CALPIA Information Asset Custodians

Information Asset Custodians shall review accounts with privileged access no less than semi-annually and verify that continued privileged access is required.

Information Asset Custodians, in collaboration with Owners of Information Assets, shall ensure the information security control measures are commensurate with the sensitivity or criticality of information assets under their purview.

Information Asset Custodians shall assist Owners of Information Assets in identifying data security controls commensurate with the classification of the data.

Information Asset Custodians shall document, implement, monitor, and maintain data security protection controls based upon the sensitivity or criticality of the assets.

Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor, and maintain data security controls.

Information Asset Custodians shall maintain data security records.

49100.6 Enforcement

Non-compliance with this policy may result in disciplinary or adverse action as set forth in the Department Operations Manual (DOM), Chapter 3, Article 22.

CDCR / CCHCS / CALPIA shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, CDCR / CCHCS / CALPIA shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

The consequences of negligence and non-compliance with State laws and policies may include departmental and personal:

- Loss of delegated authorities.
- Negative audit findings.
- Monetary penalties.
- Legal actions.

49100.7 Auditing

CDCR / CCHCS / CALPIA has the right to audit any activities related to the use of State information assets.

CDT OIS and CDCR / CCHCS / CALPIA have the statutory right to audit CDCR / CCHCS / CALPIA readiness to respond to and recover from an incident.

49100.8 Reporting

Violations of this policy shall be reported to the CDCR / CCHCS / CALPIA ISO.

49100.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49100.10 Authority

This policy complies with the State of California Government Code section 11549.3.

49100.11 Revisions

The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

- SIMM, section 5300-B, Foundational Framework
- SIMM, section 5305-A, Information Security Program Management Standard
- SAM, section 5305.5, Information Asset Management
- SAM, section 5310.4, Individual Access to Personal Information
- SAM, section 5310.6, Data Retention and Destruction
- SAM, section 5310.7, Security Safeguards
- SAM, section 5340, Information Security Incident Management
- SAM, section 5340.1, Incident Response Training
- SAM, section 5340.2, Incident Response Testing
- SAM, section 5340.3, Incident Handling
- SAM, section 5340.4, Incident Reporting
- SAM, section 5350.1, Encryption
- SAM, section 5365, Physical Security
- SAM, section 5365.1, Access Control for Output Devices
- SAM, section 5365.2, Media Protection
- SAM, section 5365.3, Media Disposal
- Federal Information Processing Standards, FIPS 199
- Federal Information Processing Standards, FIPS 140-2
- NIST SP 800-53, Access Control, AC-3, AC-4
- NIST SP 800-53, Audit and Accountability, AU-2, AU-3, AU-13
- NIST SP 800-53, Configuration Management, CM-8
- NIST SP 800-53, Identification and Authentication, IA-5(1)
- NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7
- NIST SP 800-53, Physical and Environmental Protection, PE-5, PE-19, PE-20
- NIST SP 800-53, Planning, PL-4
- NIST SP 800-53, Program Management, PM-9
- NIST SP 800-53, Risk Assessment, RA-2, RA-3
- NIST SP 800-53, System and Communications Protection, SC-4, SC-8, SC-13, SC-17, SC-28
- NIST SP 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management
- DOM, Chapter 3, Article 22
- DOM, Chapter 4, Article 41, section 48010.5
- California Government Code section 11549.3

Revision History

Effective: XX.XX.XXXX