<h1>49030.3 Responsibilities</h1>
<p>Department Operations Manual (DOM), Chapter 4: Information Technology, Article 46: Information Systems Risk Management. Published 2020-03-31. Source: https://www.cdcr.ca.gov/operations-manual/dom/chapter-4-information-technology/article-46-information-systems-risk-management/49030-3-responsibilities/</p>
<ul class="cdcr-dom-group-block">
	<li class="cdcr-dom-item-block">
		<p>The following is a description of the organizational responsibilities for administering this program.</p>
	</li>
	<li class="cdcr-dom-item-block">
		<p>The Director</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>The Director is responsible for establishing and maintaining a risk management program within the Department. It is the responsibility of the Director to assure that the Department’s information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure.</p>
			</li>
			<li class="cdcr-dom-item-block">
				<p>Specifically, the Director is responsible for ensuring the following:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Enforcement of State-level risk management policies.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Establishment and maintenance of internal policies and procedures that provide for the security of information technology facilities, software, and equipment, and for the integrity and security of the agency’s automated information.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Department compliance with reporting requirements related to risk management issues.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Appointment of a qualified Information Security Officer (ISO).</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Participation of management during the planning, development, modification, and implementation of risk management policies and procedures.</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Information Security Officer</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>GC 1171 requires that the director of each agency designate an ISO. The ISO is responsible for overseeing agency policies and procedures designed to protect the Department’s information assets. In accordance with State policy, the ISO shall be accountable to the CDC Director regarding these responsibilities.</p>
			</li>
			<li class="cdcr-dom-item-block">
				<p>To avoid conflicts of interest, the ISO shall not have direct responsibility for information processing, information access management functions, or any departmental computer-based systems, and shall not have a reporting relationship to an organization that has such responsibilities. The ISO shall not have any special allegiance or bias toward a particular program or organization.</p>
			</li>
			<li class="cdcr-dom-item-block">
				<p>The responsibilities of an ISO include overseeing the following:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Implementation of the procedures necessary to ensure the establishment and maintenance of a risk management program, including a risk analysis process.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Establishment of the procedures necessary to monitor and ensure compliance with established risk management policies and procedures.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Coordination with internal auditors and QC personnel to define their role in automated ITS planning, development, implementation, operations, and modifications relative to risk management.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Coordination with the data center’s ISO or staff on matters related to the planning, development, implementation, or modification of risk management policies and procedures that affect the Department.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Establishment of procedures to comply with control agency reporting requirements.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Establishment of mechanisms to assure that Department staff (with particular emphasis on the owners, users, and custodians of information) are educated and aware of their roles and responsibilities relative to risk management.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Establishment of training programs for Department employees related to risk management.</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Technical Management</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>Department technical management has the following responsibilities relative to CDC’s risk management program:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Ensuring that management, the ISO, assigned owners, and users/custodians are provided the technical support services necessary to define and select cost-effective solutions to high-risk problems identified through the risk analysis process.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Ensuring the implementation of the controls and procedures necessary to manage the risks identified through the risk analysis program.</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Program Management</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>Department program managers have the following responsibilities in relation to CDC’s risk management program:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Establishing the procedures necessary to comply with risk management policy in relation to ownership, user, and, if appropriate, custodian responsibilities.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Ensuring the proper planning, development, and establishment of risk management processes and procedures for new computer-based systems and the files or databases for which the program has ownership responsibility, and for new physical devices assigned to and located in the program area(s).</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Program Personnel</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>Program personnel have the following risk management responsibilities:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Implementing and monitoring data QA functions to ensure the integrity of data for which the program is assigned ownership responsibility.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Complying with applicable federal, State, and Department risk management policies and procedures.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Identifying information system vulnerabilities and informing program management and the ISO of those vulnerabilities.</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Internal Auditors</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>Internal auditors have the following responsibilities in relation to the Department’s risk management efforts:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Examination of the Department’s policies and procedures for compliance with State risk management policies.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Examination of the Department’s policies and procedures for compliance with control agency audit requirements.</p>
					</li>
					<li class="cdcr-dom-item-block">
						<p>Examination of the effectiveness of the Department’s policies and procedures, identification of inadequacies within the existing risk management program, identification of possible corrective actions, and informing management, the ISO, and the owners, custodians, and users of information of the findings.</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>QC</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>The designated responsible QC person/program has the following responsibilities in relation to the Department’s risk management program:</p>
				<ul class="cdcr-dom-group-block">
					<li class="cdcr-dom-item-block">
						<p>Review and evaluation of the risk management process used and its findings, to ensure the effectiveness of controls for automated ITS, whether under design and development or operational, with particular emphasis on major systems.</p>
					</li>
				</ul>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Information Owners</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>The owners of information are responsible for classifying the information, filing security incident reports, securing and storing the signed security agreements, and identifying for the ISO the level of acceptable risk.</p>
			</li>
			<li class="cdcr-dom-item-block">
				<p>The owners of CDC information are identified in the system library document maintained by the MIS Support Unit.</p>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Information Users</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>It is the responsibility of all users to protect CDC resources, note variances from established procedures, and report such variances to the appropriate manager.</p>
			</li>
		</ul>
	</li>
	<li class="cdcr-dom-item-block">
		<p>Information Custodians</p>
		<ul class="cdcr-dom-group-block">
			<li class="cdcr-dom-item-block">
				<p>The custodians of information are responsible for complying with applicable laws, policies, and procedures. It is also the responsibility of custodians to advise the owner and the ISO of any threats to the information, and to notify the owner and the ISO of any violations of security policies, practices, or procedures.</p>
			</li>
		</ul>
	</li>
</ul>