Chapter 4 – Information Technology

The continued evolution of information security threats presents increasing risks to the security and privacy of California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, information assets. The risks have the potential to not only disrupt the department’s business functions, but can also jeopardize the department’s essential missions, its image and reputation.

The department’s information security program management strategy and approach shall be described in the Information Security Program Management Plan (ISPM Plan).

Objectives for this policy are to identify the requirements for the department’s ISPM Plan, which shall document the department’s strategy and approach for managing security and privacy risks to the state’s mission, functions, assets, image, and reputation. The department’s ISPM Plan shall also define how the confidentiality, integrity, and availability of the department’s information assets shall be protected.

The scope of this policy extends to all information assets owned or operated by the department and governs all access to and use of department information assets.

This policy applies to the department Chief Information Officer (CIO) or designee, executive management, program management, owners and custodians of information assets, Information Security Officer (ISOInformation Security Officer) and Privacy Officer or Program Coordinator.

Department Chief Information Officer (CIO) or designee

• The CIO or designee owns this policy and shall ensure that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

• The CIO or designee shall ensure that this policy is reviewed annually and updated accordingly.

• The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.

• The CIO or designee is responsible for the oversight of security for the information technology architecture, the information technology portfolio, and the delivery of information technology services.

Department Executive Management

• Executive Management shall define the strategy and plan for managing the department’s information security program and for ensuring that the strategy and plan are documented.

• Executive Management shall establish governance and supporting processes related to the management and allocation of personnel and resources to fully implement and maintain the department’s information security program.

• Executive Management shall achieve and maintain compliance with security and privacy laws and regulations.

• Executive Management shall ensure that department information security risk management practices and supporting processes are implemented to effectively manage risk.

Department Owners of Information Assets and Program Management

• Owners of Information Assets shall ensure that confidentiality, integrity and availability requirements for information assets under their purview are defined and documented.

• Owners of Information Assets in collaboration with Information Asset Custodians shall ensure security controls are commensurate with the sensitivity or criticality implemented for assets under their purview.

• Owners of Information Assets in collaboration with Information Asset Custodians shall ensure that risks to information assets under their purview are identified, managed, monitored, and reported to the department ISOInformation Security Officer or executive management.

Department Information Asset Custodians

• Information Asset Custodians shall assist in the development, implementation and maintenance of the ISPM Plan.

• Information Asset Custodians shall implement, maintain and monitor technology and process controls based upon the sensitivity or criticality of the assets as defined by Owners of Information Assets.

• Information Asset Custodians shall maintain all records defined by Owners of Information Assets in the manner prescribed by departmental policies.

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.

The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

The consequences of negligence and non-compliance with State laws and policies may include department and personal:

• Loss of delegated authorities.

• Negative audit findings.

• Monetary penalties.

• Legal actions.

The department has the right to audit any activities related to the use of State information assets.

CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

Violations of this policy shall be reported to the department ISOInformation Security Officer.

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

This policy complies with State of California Government Code Section 11549.3.