Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 69 – System and Services Acquisition Policy

49260.1 Introduction and Overview

  • The California State Administrative Manual (SAM), Section 5200, governs the acquisition of Information Technology (IT) goods or services regardless of dollar amount or the type of IT goods or services procured. The procurement processes of the California Department of Corrections and Rehabilitation (CDCR), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIA, formerly PIA), hereinafter referred to as the department, are governed by SAM Section 5200 and consist of three phases: Acquisition Planning, Acquisition, and Post-award Activity.

  • Department acquisition processes and procedures shall comply with purchasing authority requirements, including laws, regulations, policies, and statutes applicable to the acquisition of IT goods and services.

49260.2 Objectives

  • Objectives for this policy are to guide department IT goods and services acquisition processes to:

    • Comply with all federal and state laws and regulations.

    • Incorporate security requirements and security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk and the results of the classification and categorization for the intended information asset.

    • Ensure agreements with state and non-state entities include provisions which protect and minimize risk to the State.

    • Address the entire system lifecycle in the acquisition, development, maintenance, and operation of IT systems.

49260.3 Scope and Applicability

  • The scope of this policy extends to all State and entity information assets owned or operated by the department.

  • This policy applies to department Owners of Information Assets and program management.

49260.4 Policy Directives

  • The department shall:

    • Ensure that department information assets are managed using a documented System Development Life Cycle methodology during acquisitions, development, and systems operations.

    • Ensure that, prior to acquiring IT goods and services, assessments are performed to confirm that the goods and services meet all applicable security and privacy laws, regulations, policies, standards, procedures, and other requirements.

    • Allocate appropriate funding resources to adequately protect information assets throughout their entire life cycle.

    • Ensure system documentation describes security controls and methods in sufficient detail to permit correct functioning, analysis, and testing.

    • Require system design, development, functional and security testing, implementation, maintenance, and operations processes to follow security engineering principles.

    • Ensure that development environments follow rigorous configuration management control.

    • Ensure that services provided by third parties include department requirements and expectations for the protection of department information assets.

49260.5 Roles and Responsibilities

  • The Department Chief Information Officer (CIO) or designee

    • The CIO or designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.

  • Department Owners of Information Assets and Program Management

    • Owners of Information Assets shall abide by department IT acquisition policies and processes.

  • Department Information Asset Custodians

    • Information Asset Custodians, in collaboration with Owners of Information Assets, shall ensure that protection controls are identified and implemented for information assets under their purview and in all IT acquisitions.

49260.6 Compliance

  • Non-compliance with this policy may result in disciplinary or adverse action as set forth in Department Operations Manual (DOM) Chapter 3, Article 22, Section 33030.8.

  • The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of their programs. Program administrators shall work with their legal counsel, Information Security Officer (ISO), and Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

  • The consequences of negligence and non-compliance with State laws and policies may include department and personal:

    • Loss of delegated authorities.

    • Negative audit findings.

    • Monetary penalties.

    • Legal actions.

49260.7 Auditing

  • The department has the right to audit any activities related to the use of State information assets.

  • CDT OIS and the department have the statutory right to audit department readiness to respond to and recover from an incident.

49260.8 Reporting

  • Violations of this policy shall be reported to the department ISO.

49260.9 Security Variance Process

  • If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.

49260.10 Authority

  • This policy complies with State of California Government Code Section 11549.3.

49260.11 Revisions

  • The CIO or designee shall ensure that the contents of this article are current and accurate.

References

  • SIMM, Section 19C, Project Approval Lifecycle Stage 3 – Solution Development.

  • SIMM, Sections 58C, 58D, 66B, 5305-A, 5310-A and B, 5325-A and B, 5330-A, B, and C, 5340-A, B, and C, and 5360-B.

  • SAM, Section 5230, General Procurement Procedures: Procurement of Goods and Services – Uniform Standards.

  • SAM, Section 5305.5, Information Asset Management.

  • SAM, Section 5305.7, Risk Assessment.

  • SAM, Section 5305.8, Provisions for Agreements With State and Non-State Entities.

  • SAM, Section 5315.1, System and Services Acquisition.

  • SAM, Section 5335.2, Auditable Events.

  • SAM, Section 5315.9, Security Authorization.

  • SAM, Section 4983, Cloud Computing Policy.

  • SAM, Sections 4800 – 5399, CDT Procurement: Sections 4819.2, 4981, 4983, and Chapters 5100 and 5300.

  • NIST SP 800-53, System and Services Acquisition, SA-1, SA-2, SA-3, SA-4, SA-5, SA-8, SA-9, SA-10, SA-11.

  • NIST SP 800-53, Configuration Management, CM-3, CM-4, CM-5.

  • Public Contract Code, Section 12100, Chapter 3. Acquisition of Information Technology Goods and Services [12100 – 12113].

  • State Contracting Manual (SCM), Volume 3.

  • IT General Provisions (GSPD 401-IT).

  • Personal Services Contracts, Article 4. Personal Services Contracts [19130 – 19135].

  • Department of General Services (DGS) Bulletin #P-20-14.

  • DOM Chapter 3, Article 22, Section 33030.8.

  • DOM Chapter 4, Articles 14, 15, 16, 17, 18, 19, 20, 21.

  • California Government Code Sections 11545, 11546, 11549.3.

Revision History

  • Effective: March 18, 2024.