Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 70 – Security Variance Policy


49270.5 Roles and Responsibilities

  • Department Chief Information Officer (CIO) or Designee

    • The CIO or designee shall ensure that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • The CIO or designee is required to audit and assess compliance with this policy at least once every two (2) years.

  • Department Executive Management

    • Executive Management is responsible for effectively managing risk and achieving compliance with information security and privacy laws and regulations.

  • Department Information Security Officer (ISO)

    • The ISO shall review all security variance requests and facilitate risk assessments in collaboration with the requesting business or program managers, the policy owner, the owners of affected information assets, and executive management. The ISO shall record the results of risk assessments, and any changes during the permitted term to the risk conditions associated with the security variance, and communicate them to the CIO or designee or executive management.

    • The ISO is responsible for re-evaluating the need for the security variance upon expiration of its term, and for recommending to the CIO or designee or executive management that the permitted security variance be either extended or rescinded.

    • The ISO shall maintain a record of all security variance requests, their associated risk assessments, and all approved security variances.

  • Department Owners of Information Assets and Program Management

    • Owners of Information Assets are responsible for informing the ISO immediately if they become aware of a situation that would change the results of the existing risk assessment level.