Article 61 – Data Security Policy
49180.5 Roles and Responsibilities
- Department Chief Information Officer (CIO) or Designee
  - The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.
  - The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.
  - The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.
- Department Information Security Officer (ISO)
  - The ISO shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.
  - The ISO shall participate in incidents involving data security.
  - The ISO shall ensure that data security controls, methods and processes meet department and applicable regulatory requirements for security and privacy.
- Department Owners of Information Assets and Program Management
  - Owners of Information Assets shall ensure that this policy is implemented and reviewed annually, and updated as necessary.
  - Owners of Information Assets shall ensure that roles and responsibilities for the identification, classification, and life cycle management of all data and information assets under their purview are defined, documented and implemented.
  - Owners of Information Assets shall ensure confidentiality and integrity controls commensurate with asset classification are implemented for data and information assets under their purview.
  - Owners of Information Assets shall ensure that conditions and rules for access, availability, and use of data and information assets under their purview are commensurate with asset classification.
- Department Information Asset Custodians
  - Information Asset Custodians shall assist Owners of Information Assets in identifying data security controls commensurate with the classification of the data.
  - Information Asset Custodians shall document, implement, monitor, and maintain data security protection controls as defined by Owners of Information Assets.
  - Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor and maintain data security controls.
  - Information Asset Custodians shall notify respective Owners of Information Assets, the department Information Security Officer (ISO) and the Privacy Officer of all security incidents pertaining to the security of department data, particularly if the incident is related to personally identifiable information (PII).
  - Information Asset Custodians shall maintain data security records as defined by Owners of Information Assets commensurate with the classification of the data.
- Department Users
  - Users of department information assets shall be aware of and adhere to all department information security and privacy policies.