Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 67 – Information Security Program Management Policy


49240.5 Roles and Responsibilities

  • Department Chief Information Officer (CIO) or designee

    • The CIO or designee owns this policy and shall ensure that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or designee shall ensure that this policy is reviewed annually and updated accordingly.

    • The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.

    • The CIO or designee is responsible for the oversight of security for the information technology architecture, the information technology portfolio, and the delivery of information technology services.

  • Department Executive Management

    • Executive Management shall define the strategy and plan for managing the department’s information security program and for ensuring that the strategy and plan are documented.

    • Executive Management shall establish governance and supporting processes related to the management and allocation of personnel and resources to fully implement and maintain the department’s information security program.

    • Executive Management shall achieve and maintain compliance with security and privacy laws and regulations.

    • Executive Management shall ensure that department information security risk management practices and supporting processes are implemented to effectively manage risk.

  • Department Owners of Information Assets and Program Management

    • Owners of Information Assets shall ensure that confidentiality, integrity and availability requirements for information assets under their purview are defined and documented.

    • Owners of Information Assets, in collaboration with Information Asset Custodians, shall ensure that security controls commensurate with the sensitivity or criticality of the assets are implemented for assets under their purview.

    • Owners of Information Assets, in collaboration with Information Asset Custodians, shall ensure that risks to information assets under their purview are identified, managed, monitored, and reported to the department Information Security Officer (ISO) or executive management.

  • Department Information Asset Custodians

    • Information Asset Custodians shall assist in the development, implementation and maintenance of the ISPM Plan.

    • Information Asset Custodians shall implement, maintain and monitor technology and process controls based upon the sensitivity or criticality of the assets as defined by Owners of Information Assets.

    • Information Asset Custodians shall maintain all records defined by Owners of Information Assets in the manner prescribed by departmental policies.