Article 68 – Technology Recovery Planning Policy
49250.5 Roles and Responsibilities

The California Department of Technology (CDT) Office of Information Security (OIS)
- The CDT OIS is responsible for the oversight of all TRP compliance submissions statewide.

Department Chief Information Officer (CIO) or designee
- The CIO or designee shall ensure that all users of the department’s information assets are aware of this policy and acknowledge their individual responsibilities.
- The CIO or designee shall ensure that this policy is reviewed annually and updated accordingly.
- The CIO or designee shall audit and assess compliance with this policy at least once every two (2) years, and shall remediate gaps identified through training and audit exercises in a timely manner.

Department Information Security Officer (ISO)
- The ISO shall ensure oversight of all department TRPs and their associated risks, and shall ensure the department abides by all applicable standards and guidelines.
- The ISO shall assist with the development of business impact analyses (BIAs) and technology recovery plans.
- The ISO shall assist Owners of Information Assets with ensuring that TRPs meet requirements for security and privacy.

Department Owners of Information Assets and Program Management
- Owners of Information Assets and program management supporting the delivery of the department mission, state essential functions, or critical infrastructure shall participate in BIA processes, and shall ensure that BIAs are conducted according to the organization-defined standard, documented, and maintained.
- Owners of Information Assets supporting the department mission, state essential functions, or critical infrastructure shall ensure that BIAs are incorporated into department business continuity and other emergency management programs, as appropriate.
- Owners of Information Assets shall ensure that BIAs include:
  - the categorization and classification of the information asset;
  - threat and vulnerability assessments; and
  - identification of measures to mitigate the risk of prolonged service outages and unacceptable levels of data loss.
- Owners of Information Assets shall ensure that arrangements for alternate processing and media storage sites are documented, provisioned, and maintained, and that agreements for alternate processing and media storage sites contain priority-of-service provisions in accordance with department requirements.
- Owners of Information Assets shall ensure that security safeguards for alternate processing and data storage sites are equivalent to those of the department’s primary sites.
- Owners of Information Assets shall participate in TRP exercises and shall ensure that the technology backup and recovery plans and technologies for information assets within their purview are exercised annually to determine capabilities, and are continually evaluated to improve response and recovery effectiveness.

Department Information Asset Custodians
- Information Asset Custodians shall assist Owners of Information Assets in developing, documenting, implementing, exercising, and enhancing TRPs and BIAs to meet business objectives for recovery times and data loss, and to support the department’s essential mission and business functions.
- Information Asset Custodians shall develop, document, implement, and maintain the technology and telecommunication services backup, contingency and recovery tools, incident response technologies, processes, and procedures defined by Owners of Information Assets, in order to support and continually improve technology recovery activities and capabilities.
- Information Asset Custodians, in collaboration with Owners of Information Assets, shall assist in the exercising of TRPs.
- Information Asset Custodians, in collaboration with Owners of Information Assets, shall maintain records of exercises (including proof of attendance for required participants), supporting operational documentation, and enhancements to the TRP.

The Department Technology Recovery Coordinator (TRC) or Manager
- The TRC participates in the BIA and coordinates activities with the technical teams to identify and prioritize the IT systems supporting the department’s business processes.
- The TRC coordinates with the business and technical teams to ensure that TRPs remain up to date and that the plans meet the department’s recovery requirements.
- The TRC shall be engaged in the change management and project lifecycle processes to ensure TRPs remain current and that changes are reflected in the plans.
- The TRC supports recovery activities as needed in the event of a disruption incident.
- The TRC ensures that TRP exercises are planned, conducted, and documented, and also participates in the exercises and training activities of other recovery plans (e.g., emergency response plans, continuity of business plans).