Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 64 – Incident Response Policy

49210.1 Introduction and Overview

  • Management of the California Department of Corrections and Rehabilitation (CDCR), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIA, formerly PIA), hereinafter referred to as the department, shall promptly investigate incidents involving loss, damage, or misuse of information assets, or improper dissemination of information. Incidents may also include unauthorized access to information assets and incidents that negatively affect the operation, confidentiality, integrity, or availability of information assets. All entities are required to report information security incidents in accordance with the State information security notification and reporting requirements.

  • Effective incident management includes the formulation, adoption, and maintenance of a written incident management plan that provides for the timely assembly of appropriate staff who are capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents. A defined and documented security incident response plan shall enable the department to detect, respond to, and recover from security incidents in a timely and organized manner so as to minimize the impacts of the security incident.

49210.2 Objectives

  • The objective of this policy is to establish the requirements for a department security incident response plan.

49210.3 Scope and Applicability

  • The scope of this policy extends to all State and Agency information assets owned or operated by the department as well as information assets managed by third parties on behalf of the department.

  • This policy applies to all department personnel.

49210.4 Policy Directives

  • The department shall:

    • Ensure that a security incident response plan and related procedures, including specific responses to incidents involving Personally Identifiable Information (PII), are defined, documented, and implemented.

    • Ensure that the security incident response plan and procedures clearly define and document roles and responsibilities to address the full incident life cycle, including:

      • Security incident detection and identification

      • Security incident response management

      • Incident handling team(s), with broad participation from other department stakeholders, under the coordination of a designated incident manager.

      • Preservation of evidence, including tracking and maintaining chain-of-custody records for the evidence.

    • Ensure that mechanisms and procedures are implemented to enable personnel to report security incidents to the appropriate security staff and the department’s Office of Information Security. Ensure all department personnel are aware of incident reporting mechanisms and procedures.

    • Immediately report incidents through the California Compliance and Security Incident Reporting System (Cal-CSIRS), provided the incidents meet the reporting requirements. Cal-CSIRS requires specific details about the incident and shall notify the California Department of Technology Office of Information Security (OIS), as well as the California Highway Patrol (CHP) Computer Crimes Investigation Unit.

49210.5 Roles and Responsibilities

  • Department Chief Information Officer (CIO) or Designee

    • The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or Designee shall ensure that the department has a formally documented and operational incident response plan to address incidents involving the loss, damage, misuse or unauthorized access of information assets, and breaches of security involving personal information in any form, in the most expedient and effective manner.

    • The CIO or Designee shall ensure that the security incident response plan and procedures describe the necessary roles and responsibilities, and activities to enable security incident handlers to effectively prepare for, detect, analyze, contain, eradicate and recover from security incidents.

    • The CIO or Designee shall ensure that security incident response management is integrated across the department, and with other State and department contingency and emergency management plans, teams and advisory resources.

    • The CIO or Designee shall ensure that all department personnel receive incident response and awareness training and education in accordance with the individual’s functional role within the department.

    • The CIO or Designee shall ensure that department incident response capabilities are exercised at least annually to test incident response effectiveness, and that results from tests are documented and reviewed to continuously improve capabilities.

    • The CIO or Designee shall ensure that post-mortem / lessons-learned sessions following security incident response activities and tests are completed in order to continually improve incident response capabilities.

    • The CIO or Designee shall ensure that all security incidents and department responses are monitored and documented, and all related activities and decisions are recorded.

    • The CIO or Designee shall ensure that the department incident response plan, procedures and supporting documentation are updated at minimum on an annual basis.

    • The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.

  • Department Information Security Officer (ISO)

    • The ISO shall assist Owners of Information Assets and Information Asset Custodians in the development of department incident response plans.

    • The ISO shall participate in incident response and management activities.

  • Department Owners of Information Assets and Program Management

    • Owners of Information Assets shall participate in, provide assistance with, and make decisions related to responding to incidents involving information assets under their purview, as required and as requested by incident managers, the Chief Information Officer (CIO) or Designee, and the department ISO.

  • Department Information Asset Custodians

    • Information Asset Custodians shall participate and provide assistance with incident response activities as directed and guided by incident managers, ISOs, and Owners of Information Assets, as appropriate.

    • Information Asset Custodians shall maintain records related to and supporting individual incident responses.

  • Department Users

    • Users shall be aware of and adhere to all department information security and privacy policies.

    • Users shall report any incidents of possible misuse or violation of this policy to the department ISO, designee, appropriate security staff, or their immediate supervisor.

49210.6 Enforcement

  • Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOM Chapter 3, Article 22.

  • The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their general counsel, ISO, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

  • The consequences of negligence and non-compliance with State laws and policies may include department and personal:

    • Loss of delegated authorities.

    • Negative audit findings.

    • Monetary penalties.

    • Legal actions.

49210.7 Auditing

  • The department has the right to audit any activities related to the use of State information assets.

  • CDT OIS and the department have the statutory right to audit department readiness to respond to and recover from an incident.

49210.8 Reporting

  • Violations of this policy shall be reported to the department ISO.

49210.9 Security Variance Process

  • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49210.10 Authority

  • This policy complies with State of California Government Code Section 11549.3.

49210.11 Revisions

  • The CIO or Designee shall ensure that the contents of this article are current and accurate.

References

  • SIMM 5340-A, Incident Reporting and Response Instructions

  • SIMM 5340-B, Information Security Incident Report (Cal-CSIRS)

  • SIMM 5340-C, Requirements to Respond to Incidents Involving a Breach of Personal Information

  • SAM, Section 5340, Information Security Incident Management

  • SAM, Section 5340.1, Incident Response Training

  • SAM, Section 5340.2, Incident Response Testing

  • SAM, Section 5340.3, Incident Handling

  • SAM, Section 5340.4, Incident Reporting

  • NIST SP 800-53, Contingency Planning, CP-2, CP-9, CP-10, CP-13

  • NIST SP 800-53, Incident Response, IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR-9, IR-10

  • NIST SP 800-53, Program Management, PM-9

  • NIST SP 800-53, Risk Assessment, RA-2, RA-3

  • NIST SP 800-53, Security Assessment and Authorization, CA-7

  • DOM Chapter 3, Article 22

  • DOM Chapter 4, Article 45, 49020.12, 49020.12.1, 49020.12.2

  • California Government Code Section 11549.3

Revision History

  • Effective: November 2, 2022.