Information Security FAQs

Contents
About the California Information Security Office
Agency Designations
Annual Training
Incident Reporting
Notifications
Recovery Planning
Business Security in Business Requirements
Information Asset Protection
Risk Management

About the California Information Security Office
Where does a state entity find the California Compliance and Security Incident Reporting System (Cal-CSIRS)?
What is the Office of Information Security?
What authority does the Office of Information Security have for issuing policy and directing state agencies on information security and privacy matters?
How does an agency/consumer contact the Office of Information Security?

Incident Reporting
Where does a state entity find the California Compliance and Security Incident Reporting System (Cal-CSIRS)?
How do I report a security incident that requires immediate assistance from law enforcement, if the California Compliance and Security Incident Reporting System (Cal-CSIRS) is offline outside of normal business hours?
How do I report a security incident if the California Compliance and Security Incident Reporting System (Cal-CSIRS) is offline during normal business hours?
Are there instructions for completing the Information Security Incident Report?
What is a state entity expected to do if the California Highway Patrol (CHP) Computer Crimes Investigations Unit (CCIU) decides not to investigate the incident?
What is the purpose of the California Compliance and Security Incident Reporting System (Cal-CSIRS) Incident Report?
Once a state entity reports the security incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS), what happens next?
Where does a state entity find what information should be collected prior to submitting an incident report on the California Compliance and Security Incident Reporting System (Cal-CSIRS)?
The incident reporting criteria used to require only the reporting of a loss or theft of state-owned Information Technology (IT) equipment valued at $2,000 or more, but state policy now requires agencies to report any loss or theft of state-owned IT equipment or any electronic devices containing or storing personal, sensitive, or confidential data. Why did it change from the previous dollar threshold of $2,000?
The incident reporting criteria used to require only the reporting of information technology related security incidents, but now state agencies are expected to report those involving paper and other formats. What authority requires agencies to report security incidents involving paper and other formats, and why is this necessary?
What must be reported by a state entity?
What should a state entity do when a security incident occurs?

Agency Designations
When are agencies required to submit the Designation Letter (SIMM 5330-A) to the Office of Information Security?
Why does the Office of Information Security want to know who our agency Information Security Officer is?
Are agencies required to submit the Designation Letter by January 31st of each year, or when the designee changes?

Notifications
Where does an agency find the Requirements to Respond to Incidents Involving a Breach of Personal Information?
Are there sample notices available for use as a template?
Won't the Office of Information Security review and approval process unduly delay the notification process?
Why must state agencies submit their notices to the Office of Information Security for review and approval before they are released to affected individuals?
Are there alternatives to making notification by written letter to the individual?
What must the notice say?
What other authority does the state have which supports the notification requirement?
Why must an agency notify an individual when there has been an incident involving their personal information?

Business Security in Business Requirements
What does “Building Security in Business Requirements” mean?
Who is the audience for Business Security Requirements information?
Where do we start building Business Security Requirements?
Why should state entities “Build Security in Business Requirements”?

Risk Management
What happens when an agency is not in full compliance with the state information security and privacy policy as specified in the State Administrative Manual Chapter 5300?
Where does an agency find the Risk Management and Privacy Program Certification?
If an agency finds it is not in full compliance with the state information security and privacy policy as specified in the State Administrative Manual Chapter 5300 by the submission deadline, will the Office of Information Security grant an extension?
What happens when an agency does not submit a Risk Management and Privacy Program Certification?
Why is the director of an agency required to sign the Risk Management and Privacy Program Certification?

Annual Training
What are the consequences for an agency or individuals/employees that fail to comply with provisions of the California Information Practices Act of 1977?
What laws, regulations, and/or state policies require employees to be trained annually and the employee to acknowledge they have received the training by signing an acknowledgement form?
Do all employees in a state agency need to take annual security and privacy training?

Recovery Planning
Can the Office of Information Security provide assistance or resources in developing an agency's Technology Recovery Plan?
If an agency cannot comply with the Technology Recovery Plan submission, will the Office of Information Security accept an extension?
What happens if an agency does not submit a Technology Recovery Plan (TRP) or the TRP does not meet the minimum requirements?
What if my agency does not have a business continuity plan? How does that affect development of the Technology Recovery Plan?
Why must an agency incorporate the components identified in the Technology Recovery Plan Instructions into their Technology Recovery Plan?
What if an agency's Technology Recovery Plan does not follow the Technology Recovery Plan Instructions?
When is it possible for an agency to not submit a copy of their Technology Recovery Plan to the Office of Information Security?
Are agencies required to follow the Technology Recovery Plan (TRP) Quarterly Reporting Schedule for submitting their TRP to the Office of Information Security?

Information Asset Protection
What is information asset classification?
When do I need to perform a Risk Assessment?
Why is an Information Asset Risk Assessment important?
What are the benefits of Information Asset Categorization?
Why do I need to categorize my information assets?
Who is responsible for classifying my Information Assets?
Who is an Information Asset Custodian?
Who is considered an information asset owner?
Why is it important to classify my information?
Why do I need to classify my Information Assets?
What is Data Classification?