Article 57 – Physical and Environmental Protection Policy
49140.5 Roles and Responsibilities
- The department Chief Information Officer (CIO) or Designee:
  - Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
  - Is responsible for ensuring that this policy is reviewed annually and updated accordingly.
  - Is required to audit and assess compliance with this policy at least once every two (2) years.
- The department Owners of Information Assets and Program Management:
  - Shall formally approve and authorize access and revocation of access to information assets.
  - In collaboration with the Information Asset Custodians, shall validate access to information assets under their purview on an annual basis, or when staffing, resource or job function changes occur.
  - In collaboration with the Information Asset Custodians, shall validate protection requirements for information assets under their purview on an annual basis.
- The department Information Asset Custodians:
  - In collaboration with the Owners of Information Assets, shall define protection requirements for information assets under their purview.
  - Shall implement, manage, maintain, monitor, and periodically test physical and environmental protection controls to safeguard State information assets for which they have custodianship and as defined by the respective Owners of Information Assets.
  - Shall track and monitor all access to information assets, including physical access, as defined by Owners of Information Assets, and physical and environmental controls to validate correct operation.
  - Shall maintain all maintenance records and results of periodic tests.