Security Policy

Overview

The California Office of Information Security works collaboratively with agency California Highway Patrol (CHP), California Cybersecurity Integration Center (Cal-CSIC), California Military Department (CMD), Office of Health Information Integrity, and other essential agencies on mitigating, identifying, responding to, and reporting information security incidents.

The following policy, standards, and guidelines are provided to assist state agencies in compliance with current incident response and reporting requirements, to establish and maintain internal incident management functions.

SAM 5340 – Incident Management (PDF)

Incident Management Reporting

Incident Reporting

State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, it is each agency’s Information Security Officer’s (ISO) responsibility to notify the proper authorities. The prescribed process includes the following steps:

1. Reporting Incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS)

State policy requires state entities to make notification to the California Office of Information Security (OIS) and the California Highway Patrol (CHP) immediately following discovery of an incident. Each state entity’s Chief Information Officer (CIO), Information Security Officer (ISO), or the assigned incident reporting personnel (as designated on the Cal-CSIRS Designee Request Form (XLSX)), collectively hereinafter referred to as authorized California Compliance and Security Incident Reporting System (Cal-CSIRS) user, is responsible for notifying the proper authorities.

Immediately report the incident through the Cal-CSIRS. Cal-CSIRS will require specific information about the incident and will notify the OIS and the CHP Computer Crimes Investigation Unit (CCIU). A system generated e-mail confirmation will be sent to the authorized Cal-CSIRS users acknowledging the OIS and CCIU have received the Cal-CSIRS notification.

IMPORTANT: Incident notification made to CHP or our Office outside of the Cal-CSIRS notification process by email or other means is NOT an acceptable substitute for the required notification through Cal-CSIRS.

2. Instructions and Guidance for Reporting an Incident

Refer to SIMM 5340-A – Incident Reporting and Response Instructions (PDF) and/or the California Highway Patrol website for guidance when reporting an incident. Notification and reporting requirements, along with security tips, can be found on the CHP’s “Computer Crime Reporting for State Agencies“.

The ISO should attempt to gather the following information before reporting the incident on Cal-CSIRS:

• Name and address of the reporting entity.
• Name, address, e-mail address, and phone number(s) of the reporting person.
• Name, address, e-mail address, and phone number(s) of the ISO.
• Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
• Description of the incident.
• Date and time the incident occurred.
• Date and time the incident was discovered.
• Any actions at and following the time of discovery that were taken prior to reporting incident on Cal-CSIRS.

The ISO should attempt to gather the following additional information before reporting incident about incidents involving computer-related theft or crime:

• Make / model of the affected computer(s).
• Serial and state asset identification numbers of affected devices.
• IP address of the affected computer(s).
• Assigned name of the affected computer(s).
• Operating system of the affected computer(s).
• Location of the affected computer(s).

IMPORTANT: Reporting should NOT be delayed until all of this information is gathered. It is understood that in some circumstances this information may not always be readily available when first reported to the ISO. Therefore the ISO should make the report to ENTAC providing as much information as possible at the time of receiving the report.

3. Personally Identifiable Information

During this reporting process, it is also important to report if the incident involves personally identifiable information, such as breach notice-triggering personal information as defined in California Civil Code Section 1798.29.

Effective January 1, 2016, California’s Civil Codes 1798.29 and 1798.82 were amended to require breach notifications to be provided in a specific format and include certain content. Security Breach Reporting and Notification Templates are provided on the Resources page. Policy requires state entities to submit any breach notification to the Office of Information Security for review and approval prior to its release.

Further, Civil Code Section 1798.29 (e) requires any state entity that is required to issue a security breach notification to more than 500 California residents, as a result of a single breach, to electronically submit a sample copy of the breach notification, excluding any personally identifiable information, to the Attorney General. The Attorney General’s procedures for sample submission are available on its website. See SIMM 5340-C for instructions and process.

4. Emergency Assistance Outside of Normal Business Hours

In the case that the Cal-CSIRS system is offline during normal business hours, contact OIS directly by phone at (916) 445-5239 or by e-mail at security@state.ca.gov for assistance. If the Cal-CSIRS system is offline outside of normal business hours and you require immediate law enforcement assistance, contact CHP’s Emergency Notification and Tactical Alert Center (ENTAC) at (916) 843-4199. This telephone number is staffed 24-hours a day, seven days a week. The officers at ENTAC will forward that information to CCIU for immediate assistance. In the situation that notification is made outside of normal business hours through CHP, it is the state entity’s responsibility to notify OIS of the incident the next business day.

5. Additional Information and Forms

Depending upon the nature of the incident and the assets affected by the incidents, the entity may be required to submit the following additional written reports to other state entities:

• Department of General Services (DGS): Property Survey Report, STD. 152 (PDF)
• California Highway Patrol (CHP): Report of Crime on State Property, STD. 99
• California Office of Health Information Integrity (CalOHII): Annual Breach Reporting Form

The CCIU and/or the OIS may contact the entity for additional information.

Questions and Contacts

• California Office of Information Security – (916) 445-5239
• California Highway Patrol ENTAC – (916) 843-4199
• Department of Justice’s Privacy Enforcement and Protection Unit – (916) 322–3360
• California Office of Health Information Integrity (CalOHII) – (916) 654-3454

Other Resources

1. Cal-CSIRS FAQs (PDF)
2. Cal-CSIRS User Manual (v.9) (PDF)
3. California CyberSecurity Integration Center (Cal-CSIC)
4. California Military Department
5. Center for Data Insights and Innovation
6. CHP Computer Crime Reporting for State Agencies
7. Computer Security Incident Handling Guide (NIST 800-61) (PDF)
8. Federal Incident Reporting Guidelines (US-CERT)
9. How to Establish a Computer Security Incident Response Team (CSIRT)
10. Incident Cost Estimator (XLSX)
11. Incident Handling (SANS InfoSec Reading Room)
12. Incident Reporting FAQ
13. List of HIPAA Impacted Departments (PDF)
14. Searching and Seizing Computers and Obtaining Electronic Evidence (PDF)

Security Awareness Videos

1. Protecting Your Computer (thanks to MS-ISAC)
2. Protecting Your Family (thanks to MS-ISAC)
3. Protecting Your Information (thanks to MS-ISAC)
4. The Duhs of Security (thanks to Commonwealth of Virginia)
5. Don’t be a Billy (thanks to staysafeonline.org)
6. Statewide Incident Management Program
7. California Compliance and Security Incident Reporting System – Cal-CSIRS

This section provides resources for California state government agencies on privacy practices and policies for protecting personal information.

Also see our Frequently Asked Questions.

State Employee Privacy Awareness Training

Protecting Privacy in State Government. Basic Training for State Employees.

• Recorded Training
• PowerPoint Presentation (PPTX)
• Protecting Privacy in State Government Guideline and Acknowledgment March 2022 (DOCX) – New April 2022
• CDT OIS Protecting Privacy in State Government Speaker Notes March 2022 (PDF)

Video and Hand Out Materials

• The Basics of Data Classification video
• Data Classification Definitions (PDF)
• Examples of Legally Defined Information Classifications (PDF)
• FIPS 199 Standards for Categorization (PDF)
• NIST Special Publication 800-53B – Control Baselines for Information Systems and Organizations (PDF)
• Classification Categorization Worksheet (PDF)

Privacy Videos

• Managing Privacy Risks With Privacy Impact Assessments – PIAs

Also see our Frequently Asked Questions.

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. The following SAM policies directly relate to operational recovery and business continuity. As announced in Management Memo (MM) 08-02 (PDF), the policy sections related to information security and privacy have been restructured and renumbered effective February 19, 2008. No policies were changed through MM 08-02 or this restructure.

• State Administrative Manual (SAM)
• Information Security Program – SAM 5305
• Information Security Program Management – SAM 5305.1
• Compliance Reporting (SAM 5330.2)

Statewide Information Management Manual (SIMM)

The following SIMM sections are applicable to risk management.

Agency Information Security and Privacy Program Compliance Certification (SIMM 5330-B)

The signed Certification acknowledges that each agency is in compliance with state policy governing risk management and privacy requirements as defined in SAM Section 5305.2, Government Code Section 11019.9, and the Information Practices Act (Civil Code Section 1798 et seq.). It is due to the California Office of Information Security by January 31st of each year.

Plan of Action and Milestones (SIMM 5305-C (XLSX)

Each state entity is responsible for establishing an Information Security Program to effectively manage risk. The state entity’s information security program shall incorporate an Information Security Program Plan (ISPP) to provide for the proper use and protection of its information assets, this is to include a Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.

• Statewide Information Management Manual (SIMM)
• SIMM 5330-B – Information Security and Privacy Program Compliance Certification
• SIMM 5305-A – Information Security Program Management Standard
• SIMM 5305-B – Plan of Action and Milestones Instructions
• SIMM 5305-C – Plan of Action and Milestones Worksheet (XLSX)
• SIMM 5305 – Plan of Action and Milestones FAQ’s
• VIDEO – Overview of the Risk Register and Plan of Action and Milestones (RRPOAM-SIMM 5305-C)

Risk Management Resources

These are tools for agencies to use in identifying information security risks and to help mitigate the issues.

Risk Assessment Toolkit

These are tools for agencies to use in identifying information security risks and to help mitigate the issues.

As outlined in the State Administrative Manual (SAM) SAM Section 5305, risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency’s risk management program.

Risk assessment is a critical component of that process to ensure state agencies have an effective risk management plan in place as defined in the SAM Sections 5305 et seq. Although the following tools are available for agencies to use in identifying information security risks and helping to mitigate the issues, it may be difficult for an agency to determine where to start with a risk assessment or which tool might be the best tool to use. Guidance for implementing a suggested strategy for a successful information security program and conducting an effective risk assessment can be found in the following Information.

The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

Information Security Risk Assessment Checklist (DOCX)

This simple checklist provides a high-level view of common security practices. It is not intended to cover all of the steps agencies must take to complete the annual risk certification process. However, it may be useful as part of a periodic risk analysis or for a targeted review of security practices in specific areas. General instructions for its use are included in the Checklist’s Introduction section. Its targeted audience is generally focused towards executive management to use as a basic tool for risk assessment.

SANS Information Security Management Audit Checklist (DOC)

A comprehensive risk assessment checklist developed by the SANS (SysAdmin, Audit, Network, Security) Institute and based upon the International Organization for Standardization (ISO) 17799:2005 standards for an information security program. This checklist does not provide vendor specific security considerations but rather attempts to provide a generic checklist of security considerations to be used when auditing an organization’s Information Technology Security. Its targeted audience is generally focused towards a team approach, which might include members from the agency’s business and program areas, information technology, human resources, and the agency’s Information Security Officer.

Security Risk Assessment Tool

HIPAA requires every organization that maintains or transmits personal health information to take specific steps to comply with regulations in the areas of privacy, technology, security, and transaction coding. The California Office of Health Information Integrity (CalOHII) has provided the following HIPAA Security Compliance Review Tool to help agencies determine their level of compliance with the Final Security Rule.

Payment Card Industry (PCI) Risk Assessment Guidelines

The Payment Card Industry (PCI) Data Security Standard (DSS) is the set of security and compliance monitoring requirements every organization must follow in order to protect cardholder data and accept payment cards for the reimbursement of fees and services. The following tools are available to assist agencies with meeting these requirements:
This Questionnaire is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS.

PCI DSS Supporting Documents

PCI DSS Supporting Documents.

Sample Risk Assessment Report (DOCX)

It is important to document the results of the risk assessment in the form of a report that can be given to the agency’s executive management. This sample report provides a template for a brief overview, the problems identified, and the recommendations for corrections or mitigation. Consider using this format for reporting your findings and recommendations to your executive management.

Sample Matrix Report (DOCX)

This sample report provides an agency the appropriate risk level for action items resulting from an information security risk assessment.

MS-ISAC Nationwide Cyber Security Review Self-Assessment Reporting Tool (NCSR)

The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey designed to evaluate cyber security management. The NCSR will provide participants with instructions and guidance, supplemental documentation, and the ability to contact the NCSR help desk directly from the survey. The survey is available October 1, to coincide with National Cyber Security Awareness Month, and closes on November 30.

Once complete, participants will have immediate access to an individualized report that measures the level of adoption of security controls within their organization and includes recommendations on how to raise the organization’s risk awareness. In alternate years only (odd numbered years) the MS-ISAC and DHS will aggregate all review data and share a high level summary with all participants. The names of participants and their organizations will not be identified in this report. This report is provided to Congress in alternate years (odd numbered years) to highlight cybersecurity gaps and capabilities among our State, Local, Territorial and Tribal Governments.

Risk Management Videos

• At Risk! Securing Government in a Digital World (thanks to NASCIO)

• Are you Ready? From the AT&T Disaster Recovery Presentation
• Government At Risk: Protecting Your IT Infrastructure (thanks to NASCIO)
• DR: Levee Failure (thanks to Department of Water Resources)

Technology Recovery Program

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. The following SAM policies directly relate to technology recovery and business continuity requirements.

• Business Continuity with Technology Recovery (SAM 5325)
• Technology Recovery Plan (SAM 5325.1)
• Technology Recovery Training (SAM 5325.2)
• Technology Recovery Testing (SAM 5325.3)
• Alternate Storage and Processing Site (SAM 5325.4)
• Telecommunications Services (SAM 5325.5)
• Information System Backups (SAM 5325.6)

Statewide Information Management Manual (SIMM)

The following SIMM sections are applicable to Technology Recovery Plan requirements.

• SIMM 5325-A – Technology Recovery Plan Instructions
• SIMM 5325-B – Technology Recovery Program Certification 
• SIMM 5330-A – Designation Letter

Schedule for Submission of Technology Recovery Plans

Refer to the Information Security Compliance Reporting Schedule (SIMM 5330-C) for the due date for each organization.

Continuity Planning

The Governor’s Office of Emergency Services’ (Cal OES) Continuity Planning Maintenance Program requirements.

Frequently Asked Questions regarding Technology Recovery Planning

Schedule of Required Reporting Activities

The following provides a summary schedule of required security reporting activities with corresponding due dates. Compliance reporting requirements are clearly outlined in State Administrative Manual (SAM) Section 5330.2. All state entity’s scheduled reporting months are outlined in the Information Security Compliance Reporting Schedule (SIMM 5330-C). 

Designation Letter (SIMM 5330-A)

Due annually on the last business day of the state entity’s scheduled reporting month, and within ten (10) business days of any designee changes.

Information Security and Privacy Program Compliance Certification (SIMM 5330-B)

Due annually on the last business day of the state entity’s scheduled reporting month.

Technology Recovery Program Certification (SIMM 5325-B)

Due annually on the last business day of the state entity’s scheduled reporting month.

Information Security Incident Report

Within ten (10) business days from submittal into the California Compliance and Security Incident Reporting System (Cal-CSIRS).

Plan of Action and Milestones Worksheet (SIMM 5305-C) 

Unless otherwise directed, each state Agency/entity shall provide quarterly updates on progress toward completion of the plans. Quarterly due dates are on the last business day of January, April, July, and October.

Schedule for Submission of Technology Recovery Plans

State Policy, pursuant to State Administrative Manual (SAM) Section 5325.1 requires each agency to file a copy of its Technology Recovery Plan (TRP) with the Office of Information Security annually on the last business day of the state entity’s scheduled reporting month, in accordance with the SIMM 5330-C – Information Security Compliance Reporting Schedule. Due to the confidential nature of the TRP, please hand deliver all TRP’s to our office at:

Office of Information Security
10860 Gold Center Drive, Suite 200
Rancho Cordova, CA 95670

Upon arrival, please go to the 2nd floor security desk (Suite 200). The security desk staff will contact someone from our office to pick up your materials. Note: If you choose to mail in the TRP, be sure to confirm delivery with your selected courier service prior to sending, contracted Delivery/Courier Services may not deliver to the PO Box or to the physical address.

SIMM 5300-B – OIS Foundational Framework

SIMM 5300-B – Foundational Framework (XLSM)

The State Administrative Manual (SAM) is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. A searchable copy of the document is available by clicking on State Administrative Manual (SAM).

SAM 5300 Definitions

SAM Frequently Asked Questions (FAQ)

Statewide Information Management Manual (SIMM)

The Statewide Information Management Manual (SIMM) Sections 10 through 80 and Sections 5300 et seq. contain standards, instructions, forms and templates that State agencies must use to comply with Information Technology (IT) policy.

Management Memos (MM)

A number of Management Memos are related to information technology. Click on “Management Memos Related to IT” to see a full list of IT related Management Memos.

The following Management Memos are most relevant to information security:

• Safeguarding Against and Responding to a Breach of Security Involving Personal Information (MM 08-11) (PDF)
• Update to Industry Standard Terminology for Disaster Recovery (MM 08-10) (PDF)
• Release of Personal Information for Research (MM 08-09) (PDF)
• Information Technology Capital Planning Process (MM 08-07) (PDF)
• Restructure of SAM Information Security & Privacy Policy Sections (MM 08-02) (PDF)
• Removal of Confidential, Sensitive or Personal Information From State-Owned Surplus Personal Property and State-Owned Surplus Vehicles (MM 07-09) (PDF)
• Protection of Information Assets (MM 06-12) (PDF)

Budget Letters (BL)

A number of Budget Letters are related to information technology. Click on “Budget Letters Related to IT” to see a full list of IT related Budget Letters.

The following Budget Letters are most relevant to information security:

• Transition of IT Project Review, Approval and Oversight Responsibilities from the Department of Finance to the Office of the State Chief Information Officer, and Information Technology Budgeting Guidelines (BL 08-06) (PDF)
• IT Security Policy – Changes to Operational Recovery Planning (BL 07-03) (PDF)
• IT Security Policy – Information Security Notification and Reporting (BL 06-34) (PDF)
• IT Security Policy – Encryption on Portable Computing Devices (BL 05-32) (PDF)
• IT Security Policy – Classification of Information (BL 05-08) (PDF)
• IT Security Policy – Peer-to-Peer File Sharing (BL 05-03) (PDF)
• Safeguarding Access to State Data (BL 04-35) (PDF)
• Safeguards for Firewalls and Servers (BL 03-11) (PDF)

Technology Letters (TL)

Technology Letters contain official communications regarding state IT, including new (or changes to existing) IT policies, procedures, services or standards.