What happens if an agency does not submit a Technology Recovery Plan (TRP) or the TRP does not meet the minimum requirements?

The Office of Information Security (OIS) has enhanced its Technology Recovery Plan (TRP) compliance review process. The agency will be notified when it does not file a TRP or their TRP does not meet the minimum requirements as identified in the SIMM 5325-A – Technology Recovery Plan Instructions (PDF). Notification is made through an escalation process from the Technology Recovery Coordinator, Information Security Officer, the Chief Information Officer, Agency Director, and in some cases, to the Agency Information Officer.

The OIS is to report to the California Department of Technology, any state agency found to be noncompliant with information security program requirements. Noncompliance may impact the agency’s procurement and information technology (IT) project delegated authority. Also, when conducting an IT audit, state and internal auditors will typically review the agency’s documentation to ensure the agency is complying with the State Administrative Manual requirements. Compliance and noncompliance would be a documented audit finding.