Article 70 – Security Variance Policy
49270.1 Introduction and Overview

Situations may arise that prevent State entities from effectively implementing or complying with official information security policies, standards, or procedures. There may be rare circumstances where business functions take precedence over these policies, standards, or procedures and compliance is not viable or is technically impossible. Any security variance shall be thoroughly assessed relative to the security of the California Department of Corrections and Rehabilitation (CDCR), California Correctional Health Care Services (CCHCS), and California Prison Industry Authority (CALPIA, formerly PIA), hereinafter referred to as department, information assets.

This policy guides the department to make informed decisions regarding whether or not to request a security variance by understanding the associated security risks and the suitability of existing or proposed compensating controls and safeguards to address or mitigate residual security risks.
49270.2 Objectives

Objectives for this policy are to ensure the department:

Formally considers, identifies, and assesses all implications and potential security risks related to a policy before a security variance is requested;

Prepares and maintains risk assessment documentation to support the security variance request; and

Identifies, evaluates, and documents alternate or compensating controls and safeguards to mitigate security risks.
49270.3 Scope and Applicability

The scope of this policy extends to all State and department information security policies and to all State information assets owned or operated by the department.

This policy applies to all department personnel.
49270.4 Policy Directives

The department's Information Security Officer (ISO) shall ensure security variances are documented, reviewed, approved, and implemented. Approval of security variances shall include risk ownership and acceptance.

Prior to submitting a security variance request, the department ISO shall facilitate risk assessments to consider relevant implications and potential security risks introduced as a consequence of the security variance.

The risk assessment shall involve, at minimum, the respective department business unit requesting the variance and the department ISO.

The assessment shall include the evaluation and recommendation of additional compensating controls and safeguards to mitigate the security risks identified, where applicable.

The term of an approved security variance must not exceed twelve (12) months.

All approved security variances shall be documented and tracked in a risk management system.

The department ISO shall continuously monitor the risks associated with the security variance throughout the term permitted.

Approved security variances shall be reviewed annually by the department ISO, at which time a recommendation shall be made to the Department Chief Information Officer (CIO) or designee to extend or expire the security variance.
49270.5 Roles and Responsibilities

Department Chief Information Officer (CIO) or Designee

The CIO or designee shall ensure that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.

Department Executive Management

Executive Management is responsible for effectively managing risk and achieving compliance with information security and privacy laws and regulations.

Department Information Security Officer (ISO)

The ISO shall review all security variance requests and facilitate risk assessments in collaboration with requesting business or program managers, the policy owner, owners of affected information assets, and executive management. The ISO shall record and communicate the results of risk assessments, and any changes to the risk conditions associated with the security variance during the term permitted, to the CIO or designee or executive management.

The ISO is responsible for re-evaluating the requirement for the security variance upon expiration of the term, and for making recommendations to the CIO or designee or executive management to either extend or rescind the permitted security variance.

The ISO shall maintain a record of all security variance requests, associated risk assessments, and all approved security variances.

Department Owners of Information Assets and Program Management

Owners of Information Assets are responsible for informing the ISO immediately if they become aware of a situation that would change the results of the existing risk assessment level.
49270.6 Compliance

Non-compliance with this policy may result in disciplinary or adverse action as set forth in the Department Operations Manual (DOM), Chapter 3, Article 22.

The department shall comply with the information security and privacy policies, standards, and procedures issued by the California Department of Technology (CDT), Office of Information Security (OIS). In addition to compliance with the information security and privacy policies, standards, procedures, and filing requirements issued by the OIS, the department shall ensure compliance with all security and privacy laws, regulations, rules, and standards specific to and governing the administration of its programs. Program administrators shall work with their legal counsel, the ISO, and the Privacy Program Officer or Coordinator to identify all security and privacy requirements applicable to their programs and ensure implementation of the requisite controls.

The consequences of negligence and non-compliance with State laws and policies may include, for the department and for individuals:

Loss of delegated authorities.

Negative audit findings.

Monetary penalties.

Legal actions.
49270.7 Auditing

The department has the right to audit any activities related to the use of State information assets.

CDT OIS and the department have the statutory right to audit department readiness to respond to and recover from an incident.
49270.8 Reporting

Violations of this policy shall be reported to the department ISO.
49270.9 Security Variance Process

If compliance is not feasible, or if deviation from this policy is necessary to support a business function, the respective manager shall formally request a security variance as defined by the ISO.
49270.10 Authority

This policy complies with State of California Government Code section 11549.3.

49270.11 Revisions

The CIO or designee shall ensure that the contents of this article are current and accurate.
References

State Administrative Manual (SAM), Section 5305.2, Policy, Procedures and Standards Management.

SAM, Section 5305.7, Risk Assessment.

SAM, Section 5315.9, Security Authorization.

SAM, Section 5330, Information Security Compliance.

DOM, Chapter 3, Article 22, Section 33030.8.

DOM, Chapter 4, Article 41, Sections 48010.6 and 48010.8.1.

DOM, Chapter 4, Article 45, Section 49020.4.

California Government Code Section 11549.3.

Revision History

Established: March 18, 2024.