Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 58 – Security Assessment and Authorization Policy


49150.5  Roles and Responsibilities

  • The department Chief Information Officer (CIO) or Designee:

    • Owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • Is responsible for ensuring that this policy is reviewed annually, and updated accordingly.

    • Is required to audit and assess compliance with this policy at least once every two (2) years.

  • The department Information Security Officer (ISO):

    • Shall facilitate security assessments and authorizations, and shall provide advice as appropriate.

  • The department Owners of Information Assets and Program Management in collaboration with Information Asset Custodians shall: 

    • Ensure that this policy is implemented and shall review the policy’s implementation annually.

    • Ensure requisite security controls are implemented in accordance with applicable security requirements and documented authorizations for information assets.

    • Ensure that any security control gaps and residual risks being accepted are formally documented.

    • Ensure that records and results of assessments and risk decisions are maintained.

    • Ensure that records and results of assessments and risk decisions are provided to information security officers in a timely manner.

  • The department Information Asset Custodians:

    • Shall implement the requisite security controls based upon the sensitivity or criticality of the assets as defined by the owners of information assets.

  • The department Privacy Officer/Privacy Program Coordinator:

    • Shall ensure that privacy threshold and privacy impact assessments are completed as part of the security assessment and authorization process.