Chapter 4 – Information Technology

The California Department of Corrections and Rehabilitation (CDCRCalifornia Department of Corrections and Rehabilitation), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIACalifornia Prison Industry Authority (formerly PIA)), hereinafter referred to as department, are dependent on underlying information technology and telecommunications infrastructures, resources and services. Unavailability of these underlying elements due to various conditions can render a business function or service non-operational, and thereby directly impact the delivery of mission critical services.

Objectives for this policy are to establish department requirements for the systematic approach to the availability of technology infrastructure resources and to identify and formally plan for and maintain related services. The Technology Recovery Plan’s (TRP) goal is to support the State and organization’s business services and critical infrastructure at the expected level of availability as determined by the department’s senior management.

The scope of this policy extends to all State and department information assets, including critical infrastructure, as well as information assets, owned or operated by third parties (if applicable) on behalf of the department.

This policy applies to the department’s Chief Information Officer (CIO) or designee, program management, owners of critical infrastructure, information assets, Department Information Security Officers, Technical Recovery Program Coordinators, and Information Asset Custodians.

The department shall:

• Ensure recovery capabilities and requirements are considered during the earlier stages of solution planning and the recovery strategies and plans are developed and implemented for all information technology systems supporting the organization’s business services.

• Ensure that Business Impact Analyses (BIAs) identify mission and state critical processes, and regularly review critical infrastructure and associated contingency requirements (e.g., systems supporting essential state, organizational missions, and business functions). BIAs shall include acceptable periods of non-availability of the system, restoration time requirements and acceptable data loss. The department’s business divisions are responsible for conducting and updating BIAs. The Owners of Information Assets and Information Asset Custodians shall be closely engaged throughout the BIA process. BIAs shall be reviewed and updated according to the organization’s defined standard, or sooner if there is a major change in the department’s business process or technical environment.

Ensure that state critical ITInformation Technology systems supporting department mission critical business functions, essential state functions, and critical infrastructure (if applicable) are identified and included in the TRP.

Ensure that the department’s technology recovery program incorporates change management and quality assurance processes.

Ensure that the TRP is developed, documented, regularly tested, maintained, and continually improved in order to resume the department and State’s essential mission and business functions under adverse or disruptive conditions. Ensure the TRP is reviewed annually and updated as needed.

Ensure that a department recovery strategy is defined, documented and implemented. The strategy shall describe how recovery will be accomplished based on levels of incident impact. The recovery strategy shall consider department relevant technology and security risks in determining the most appropriate recovery option.

Ensure that alternate technology backup and recovery sites are provisioned as required to support essential mission and business functions.

Ensure that TRPs contain detailed resource requirements for each ITInformation Technology system to support recovery efforts, including information assets and personnel.

Ensure that roles and responsibilities for members of department technology recovery teams are defined and documented, and that they are suitably trained according to their roles. This includes, but is not limited to, maintaining the security of technology recovery assets.

Ensure that TRPs integrate appropriate communication strategies and information to collaborate with other teams and plans, including disaster incident management, security incident response teams and plans, procedures for notification, reporting in California Compliance and Security Incident Reporting System (Cal-CSIRS), and collaboration and communication with internal teams and external entities as needed. TRPs and other plans shall include roles and responsibilities, decision-making protocols, staff assignment, and guidance on activities to be performed during disaster response and recovery phases.

Ensure that TRPs are coordinated with other state entities’ contingency, emergency management plans, incident management plans, and teams as appropriate.

Ensure that components of the TRP are exercised annually and the staff are trained for their roles during the recovery and response phases. Lessons learned shall be documented and addressed as part of the annual update and maintenance plan.

Ensure the department’s gaps between current and required capabilities for system recovery are identified, reported to the organization’s management, as well as the state Office of Information Security (OIS) along with the plans to remediate the gaps as identified in the Plan of Action and Milestones (POAM).

Ensure that department TRPs are submitted to the state Office of Information Security, in accordance with the Information Security Compliance Reporting submission schedule.

The California Department of Technology (CDT) Office of Information Security (OIS)

• The CDT OIS is responsible for the oversight of all TRP compliance submissions statewide.

Department Chief Information Officer (CIO) or designee

• The CIO or designee shall ensure that all users of the department information assets are aware of this policy and acknowledge their individual responsibilities.

• The CIO or designee shall ensure that this policy is reviewed annually and updated accordingly.

• The CIO or designee shall audit and assess compliance with this policy at least once every two (2) years, and timely remediate gaps identified from training and audit exercises.

Department Information Security Officer (ISOInformation Security Officer)

• The ISOInformation Security Officer shall ensure oversight of all department TRPs and associated risks, and ensure the department abides by all applicable standards and guidelines.

• The ISOInformation Security Officer shall assist with the development of business impact analyses and technology recovery plans.

• The ISOInformation Security Officer shall assist Owners of Information Assets with ensuring that TRPs meet requirements for security and privacy.

Department Owners Information Assets and Program Management

• Owners of Information Assets and program management supporting the delivery of the department mission, state essential functions, or critical infrastructure shall participate in BIA processes, and ensure that BIAs are conducted according to the organization-defined standard, documented, and maintained.

• Owners of Information Assets supporting the department mission, state essential functions, or critical infrastructure shall ensure that BIAs are incorporated in department business continuity and other emergency management programs, as appropriate.

• Owners of Information Assets shall ensure that BIAs include:

  • The categorization and classification of the information asset;

  • Threat and vulnerability assessments; and

  • Identification of measures to mitigate the risk of prolonged service outages, and unacceptable levels of data loss.

• Owners of Information Assets shall ensure that arrangements for alternate processing and media storage sites are documented, provisioned, and maintained, and that agreements for alternate processing and media storage sites contain priority-of-service provisions in accordance with department requirements.

• Owners of Information Assets shall ensure that security safeguards for alternate processing and data storage sites are equivalent to department primary sites.

• Owners of Information Assets shall participate in TRP exercises and ensure that technology backup and recovery plans and technologies for information assets within their purview are exercised annually to determine capabilities and are also continually evaluated to improve response and recovery effectiveness.

Department Information Asset Custodians

• Information Asset Custodians shall assist Owners of Information Assets in developing, documenting, implementing, exercising, and enhancing TRPs and BIAs to meet business objectives for recovery times and data loss and to support the department’s essential mission and business functions.

• Information Asset Custodians shall develop, document, implement, and maintain technology and telecommunication services backup, contingency and recovery tools, incident response, technologies, processes, and procedures as defined by Owners of Information Assets to support and continually improve technology recovery activities and capabilities.

• Information Asset Custodians in collaboration with the Owners of Information Assets shall assist in the exercising of TRPs.

• Information Asset Custodians in collaboration with Owners of Information Assets shall maintain records of exercises (including proof of attendance for required participants), supporting operational documentation, and enhancements to the TRP.

The Department Technology Recovery Coordinator (TRC) or Manager

• TRC participates in the BIA and coordinates activities with the technical teams to identify and prioritize ITInformation Technology systems supporting the department’s business processes.

• TRC coordinates with the business and technical teams to ensure that TRPs remain updated, and the plans meet the department’s recovery requirements.

• TRC shall be engaged in the change management and project lifecycle to ensure TRPs remain current, and the changes are reflected in the plans.

• TRC supports recovery activities as needed in the event of a disruption incident.

• TRC ensures TRP exercises are planned, exercised, and documented, and also participates in exercises and training activities of other recovery plans, e.g., emergency response plans, continuity of business plans, etc.

Non-compliance with this policy may result in disciplinary or adverse action as set forth in DOMDepartment Operations Manual Chapter 3, Article 22.

The department shall comply with the information security and privacy policies, standards and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, ISOInformation Security Officer, and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

The consequences of negligence and non-compliance with State laws and policies may include department and personal:

• Loss of delegated authorities.

• Negative audit findings.

• Monetary penalties.

• Legal actions.

The department has the right to audit any activities related to the use of State information assets.

CDT OIS and the department have the statutory right to audit department readiness to respond and recover from an incident.

The department ISOInformation Security Officer has oversight authority and responsibility for the department’s compliance and capacity for backup and recovery.

Violations of this policy shall be reported to the department ISOInformation Security Officer.

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISOInformation Security Officer.

This policy complies with State of California Government Code section 11549.3.

The CIO or designee shall ensure that the contents of this article are current and accurate.