Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 55 – Acceptable Use Policy


49120.1  Introduction and Overview

  • Information assets owned by the California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA) (including but not limited to department data and information, laptops, cell phones, and removable storage devices) are strategic assets intended for official business use, and are entrusted to State personnel in the performance of their job-related duties.

  • Inappropriate use of CDCR, CCHCS, and CALPIA (hereinafter referred to as department) information assets could negatively affect the confidentiality, integrity, or availability of the information, information systems, or other information assets of the department and the State of California. Consequently, it is important for all users to access or use information assets in a responsible, ethical, and legal manner that safeguards department data and information.

  • Additionally, the appropriate use of information assets benefits the State and the department by strengthening the protection of the department and its personnel and business partners from illegal or potentially damaging activities.

49120.2  Objectives

  • This policy defines and establishes the requirements for the appropriate use and safeguarding of department information assets.

49120.3  Ownership of Information

  • Data and information in hard copy format and that which is electronically created, sent, received, processed, or stored on information assets owned, leased, administered, or otherwise under the custody and control of the department are the property of the State. Any information not specifically identified as the property of other parties that is transmitted, processed, or stored on the department’s and business partner IT facilities and resources (including e-mail, messages, and files) is considered the property of the department.

  • Individual access and use of department information assets is neither personal nor private. As such, department management reserves the right to monitor and log all employee use of department information assets with or without advance notice.

49120.4  Scope and Applicability

  • The scope of this policy extends to all information assets owned or operated by the department and to all personnel authorized to use these assets.

49120.5  Policy Directives

  • The department shall ensure that users use and protect department information assets in accordance with this policy and applicable information security and privacy policies.

  • Department Unacceptable Use 
    The department shall ensure that users do not:

    • Use department information assets to engage in or solicit the performance of any activity that violates laws, regulations, rules, policies, standards, and other applicable requirements issued by the federal government, the State of California, and the department.

    • Use department information assets for personal enjoyment, private gain or advantage, personal gain, political activity, unsolicited advertising, unauthorized fundraising, or an outside endeavor not related to State business.

    • Engage in any activity that attempts to circumvent or alter the function of the department’s security controls (e.g., spoofing email, anonymous proxies, or unauthorized encryption), or other activities that may degrade the performance of information resources, or may deprive an authorized user access to department assets.

    • Share their work-related account(s), passwords, Personal Identification Numbers (PIN), security questions/answers, security tokens (e.g., smartcard, key fob), or similar information or devices used for authentication and authorization purposes.

    • Use department information assets to send or arrange to send emails or intentionally access sites that contain pornographic, racist, or offensive material, chain letters or unauthorized mass mailings, and malicious code.

    • Connect or otherwise attach unauthorized devices or equipment to the department network infrastructure.

49120.6  Roles and Responsibilities

  • The department Chief Information Officer (CIO) or Designee:

    • Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • Is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • Is required to audit and assess compliance with this policy at least once every two (2) years.

  • Department Information Asset Users:

    • Shall use and protect department information assets in accordance with this policy and applicable information security and privacy policies.

    • Shall report any security concerns pertaining to department information asset security of which they become aware to the department Information Security Officer (ISO), designee, appropriate security staff or their immediate supervisor. Security concerns with information assets may include unexpected software or system behavior, which could result in unintentional disclosure of information or exposure to security threats.

    • Shall report any suspected or actual activities or events indicating misuse or violation of this policy to the department ISO, designee, appropriate security staff or their immediate supervisor.

    • Shall be aware of and adhere to all department information security and privacy policies.

49120.7  Enforcement

  • Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual (DOM) Chapter 3, Article 22.

  • The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

  • The consequences of negligence and non-compliance with State laws and policies may include department and personal:

    • Loss of delegated authorities.

    • Negative audit findings.

    • Monetary penalties.

    • Legal actions.

49120.8  Auditing

  • The department has the right to audit any activities related to the use of State information assets.

  • CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49120.9  Reporting

  • Violations of this policy shall be reported to the department ISO.

49120.10  Security Variance Process

  • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the department ISO.

49120.11  Authority

  • This policy complies with the State of California Government Code Section 11549.3.

49120.12  Revisions

  • The CIO or designee shall ensure that the contents of this article are current and accurate.

References

  • SIMM, Section 5305-A, Information Security Program Management Standard

  • State Administrative Manual (SAM), Section 5305.3, Information Security Roles and Responsibilities

  • SAM, Section 5320.4, Personnel Security

  • DOM Chapter 3, Article 22

  • DOM Chapter 4, Article 41, Section 48010.5

  • California Government Code Section 11549.3

Revision History

  • Effective 03/14/22