Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 67 – Information Security Program Management Policy


49240.4 Policy Directives

  • The department shall:

    • Define and document the department’s strategy and prioritization approach to addressing information security, privacy and risk management.

    • Ensure that an approved department ISPM Plan, describing both in-place and planned security program management, is defined, documented, implemented and maintained.

    • Define and document requirements for the management of the department’s information security program, and for complying with applicable information security laws and regulations.

    • Ensure that statewide information security program management coordinates the activities and ensures the participation of a broad spectrum of stakeholders.

    • Assign and document information security roles, responsibilities, and management commitment.

    • Ensure that a plan of action and milestones (POAM) process, to address program deficiencies and security risks and to track the progress of risk treatment actions, is developed and maintained.

    • Ensure that methods for integrating information security resource requirements into the department’s capital planning and funding request process are formally defined and documented.

    • Ensure that information security incidents are reported to the proper authorities, as required.

    • Ensure that the department ISPM Plan and policy are reviewed annually and updated as needed.