Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 70 – Security Variance Policy

49270.1 Introduction and Overview

  • Situations may arise that prevent State entities from effectively implementing or complying with official information security policies, standards, or procedures. There may be rare circumstances where business functions take precedence over these policies, standards, or procedures and compliance is not viable or is technically impossible. Any security variance shall be thoroughly assessed relative to the security of the information assets of the California Department of Corrections and Rehabilitation (CDCR), California Correctional Healthcare Services (CCHCS), and California Prison Industry Authority (CALPIA, formerly PIA), hereinafter referred to as the department.

  • This policy guides the department to make informed decisions regarding whether or not to request a security variance by understanding the associated security risks and the suitability of existing or proposed compensating controls and safeguards to address or mitigate residual security risks.