Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 61 – Data Security Policy


49180.1 Introduction and Overview

  • California Department of Corrections and Rehabilitation (CDCR), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIA, formerly PIA), hereinafter referred to as department, collects, processes, transmits, and stores large amounts of data to support essential missions and business functions. Some data maintained by the department may be sensitive or confidential, and may require special precautions to protect it from unauthorized modification or deletion as per the State Administrative Manual.

  • The department has the responsibility to classify its data and information assets, and to implement suitable controls to protect it from unauthorized access, corruption, or loss.

49180.2 Objectives

  • The primary objective for this policy is to define department requirements to manage the confidentiality, integrity, and availability of department data and information assets throughout their lifecycles: from collection, creation, storage, and use, to destruction and disposal.

49180.3 Scope and Applicability

  • The scope of this policy extends to all state and agency data and information assets owned or operated by the department, and operated by third parties on behalf of the department, and governs all state and department data and information assets in all forms and media types, including digital and physical formats.

  • This policy applies to all department personnel.

49180.4 Policy Directives

  • The department shall:

    • Ensure that roles and responsibilities for the identification, classification, and life cycle management of all department data and information assets are defined, documented, and implemented.

    • Ensure that all department information assets, including information and information systems, are categorized according to their criticality, as well as their sensitivity and susceptibility to inadvertent damage, loss, or exposure and corresponding impact to the department.

    • Ensure that methods to protect the confidentiality, integrity, and availability of department data and information assets according to their classification are defined, documented, and implemented.

    • Ensure that conditions for access to and use of department information assets for all personnel are defined and documented.

    • Ensure that all personnel with access to department data and information assets are trained regarding data access and handling according to their roles and responsibilities.

    • Ensure that department data and information assets are used solely for their intended purpose.

    • Ensure that department data and information assets are securely destroyed and disposed of once they are no longer required by the department.

    • Ensure that the proper authorities are notified of data security incidents as required.

49180.5 Roles and Responsibilities

  • Department Chief Information Officer (CIO) or Designee

    • The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.

  • Department Information Security Officer (ISO)

    • The ISO shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.

    • The ISO shall participate in incidents involving data security.

    • The ISO shall ensure that data security controls, methods, and processes meet department and applicable regulatory requirements for security and privacy.

  • Department Owners of Information Assets and Program Management

    • Owners of Information Assets shall ensure that this policy is implemented and reviewed annually, and updated as necessary.

    • Owners of Information Assets shall ensure that roles and responsibilities for the identification, classification, and life cycle management of all data and information assets under their purview are defined, documented and implemented.

    • Owners of Information Assets shall ensure confidentiality and integrity controls commensurate with asset classification are implemented for data and information assets under their purview.

    • Owners of Information Assets shall ensure that conditions and rules for access, availability, and use of data and information assets under their purview are commensurate with asset classification.

  • Department Information Asset Custodians

    • Information Asset Custodians shall assist Owners of Information Assets in identifying data security controls commensurate with the classification of the data.

    • Information Asset Custodians shall document, implement, monitor, and maintain data security protection controls as defined by Owners of Information Assets.

    • Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor and maintain data security controls.

    • Information Asset Custodians shall notify respective Owners of Information Assets, the department Information Security Officer (ISO), and the Privacy Officer of all security incidents pertaining to the security of department data, particularly if the incident is related to personally identifiable information (PII).

    • Information Asset Custodians shall maintain data security records as defined by Owners of Information Assets commensurate with the classification of the data.

  • Department Users

    • Users of department information assets shall be aware of and adhere to all department information security and privacy policies.

49180.6 Enforcement

  • Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOM Chapter 3, Article 22.

  • The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

  • The consequences of negligence and non-compliance with State laws and policies may include department and personal:

    • Loss of delegated authorities.

    • Negative audit findings.

    • Monetary penalties.

    • Legal actions.

49180.7 Auditing

  • The department has the right to audit any activities related to the use of State information assets.

  • CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

49180.8 Reporting

  • Violations of this policy shall be reported to the department ISO.

49180.9 Security Variance Process

  • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49180.10 Authority

  • This policy complies with State of California Government Code Section 11549.3.

49180.11 Revisions

  • The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

  • SIMM 5305-A, Information Security Program Management Standard

  • SAM, Section 5305.5, Information Asset Management

  • SAM, Section 5310.4, Individual Access to Personal Information

  • SAM, Section 5310.6, Data Retention and Destruction

  • SAM, Section 5310.7, Security Safeguards

  • SAM, Section 5340, Information Security Incident Management

  • SAM, Section 5340.1, Incident Response Training

  • SAM, Section 5340.2, Incident Response Testing

  • SAM, Section 5340.3, Incident Handling

  • SAM, Section 5340.4, Incident Reporting

  • SAM, Section 5350, Encryption

  • SAM, Section 5365, Physical Access

  • SAM, Section 5365.1, Access Control for Output Devices

  • SAM, Section 5365.2, Media Protection

  • SAM, Section 5365.3, Media Disposal

  • Federal Information Processing Standard, FIPS 199

  • NIST SP 800-53, Access Control, AC-3, AC-4

  • NIST SP 800-53, Audit and Accountability, AU-2, AU-3, AU-13

  • NIST SP 800-53, Configuration Management, CM-8

  • NIST SP 800-53, Media Protection, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7

  • NIST SP 800-53, Physical and Environmental Protection, PE-5, PE-19, PE-20

  • NIST SP 800-53, Planning, PL-4

  • NIST SP 800-53, Program Management, PM-9

  • NIST SP 800-53, Risk Assessment, RA-2, RA-3

  • NIST SP 800-53, Security Assessment and Authorization, CA-7

  • NIST SP 800-53, System and Communications Protection, SC-4, SC-8, SC-13, SC-17, SC-28

  • NIST SP 800-53, System and Services Acquisition, SA-11

  • NIST SP 800-53, System and Information Integrity, SI-12

  • DOM Chapter 3, Article 22

  • DOM Chapter 4, Article 45, Sections 49020.6, 49020.6.1, 49020.6.2

  • DOM Chapter 4, Article 46, Section 49030.4

  • California Government Code Section 11549.3

Revision History

  • November 2, 2022.