Information Security - Policy

Incident Management

Overview

The California Office of Information Security works collaboratively with agency Information Security Officers, California Highway Patrol (CHP), California Cybersecurity Integration Center (Cal-CSIC), California Miltary Department (CMD), Office of Health Information Integrity, and other essential agencies on mitigating, identifying, responding to, and reporting information security incidents.

The following policy, standards, and guidelines are provided to assist state agencies in compliance with current incident response and reporting requirements,  to establish and maintain internal incident management functions.

SAM 5340Incident Management [PDF]

Incident Management Reporting

Incident Reporting

State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, it is each agency’s Information Security Officer’s (ISO) responsibility to notify the proper authorities. The prescribed process includes the following steps:

1. Reporting Incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS)

State policy requires state entities to make notification to the California  Office of Information Security (OIS) and the California Highway Patrol (CHP) immediately following discovery of an incident. Each state entity’s Chief Information Officer (CIO), Information Security Officer (ISO), or the assigned incident reporting personnel (as designated on the Instructions and Format for Cal-CSIRS Designee Information [XLSX]), collectively hereinafter referred to as authorized California Compliance and Security Incident Reporting System (Cal-CSIRS) user, is responsible for notifying the proper authorities.

Immediately report the incident through the Cal-CSIRS. Cal-CSIRS will require specific information about the incident and will notify the OIS and the CHP Computer Crimes Investigation Unit (CCIU). A system generated e-mail confirmation will be sent to the authorized Cal-CSIRS users acknowledging the OIS and CCIU have received the Cal-CSIRS notification.

IMPORTANT: Incident notification made to CHP or our Office outside of the Cal-CSIRS notification process by email or other means is NOT an acceptable substitute for the required notification through Cal-CSIRS.


2. Instructions and Guidance for Reporting an Incident

Refer to SIMM 5340-A [PDF] instructions and/or the California Highway Patrol website for guidance when reporting an incident. Notification and reporting requirements, along with security tips, can be found on the CHP’s “Computer Crime Reporting for State Agencies“.

The ISO should attempt to gather the following information before reporting the incident on Cal-CSIRS:

  • Name and address of the reporting entity.
  • Name, address, e-mail address, and phone number(s) of the reporting person.
  • Name, address, e-mail address, and phone number(s) of the ISO.
  • Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
  • Description of the incident.
  • Date and time the incident occurred.
  • Date and time the incident was discovered.
  • Any actions at and following the time of discovery that were taken prior to reporting incident on Cal-CSIRS.

The ISO should attempt to gather the following additional information before reporting incident about incidents involving computer-related theft or crime:

  • Make / model of the affected computer(s).
  • Serial and state asset identification numbers of affected devices.
  • IP address of the affected computer(s).
  • Assigned name of the affected computer(s).
  • Operating system of the affected computer(s).
  • Location of the affected computer(s).

IMPORTANT: Reporting should NOT be delayed until all of this information is gathered. It is understood that in some circumstances this information may not always be readily available when first reported to the ISO. Therefore the ISO should make the report to ENTAC providing as much information as possible at the time of receiving the report.


3. Personally Identifiable Information

During this reporting process, it is also important to report if the incident involves personally identifiable information, such as breach notice-triggering personal information as defined in California Civil Code Section 1798.29.

Effective January 1, 2016, California’s Civil Codes 1798.29 and 1798.82 were amended to require breach notifications to be provided in a specific format and include certain content. Security Breach Reporting and Notification Templates are provided on the Resources page. Policy requires state entities to submit any breach notification to the Office of Information Security for review and approval prior to its release.

Further, Civil Code Section 1798.29 (e) requires any state entity that is required to issue a security breach notification to more than 500 California residents, as a result of a single breach, to electronically submit a sample copy of the breach notification, excluding any personally identifiable information, to the Attorney General. The Attorney General’s procedures for sample submission are available on its website. See SIMM 5340-C [PDF] for instructions and process.


4. Emergency Assistance Outside of Normal Business Hours

In the case that the Cal-CSIRS system is offline during normal business hours, contact OIS directly by phone at (916) 445-5239 or by e-mail at security@state.ca.gov for assistance. If the Cal-CSIRS system is offline outside of normal business hours and you require immediate law enforcement assistance, contact CHP’s Emergency Notification and Tactical Alert Center (ENTAC) at (916) 843-4199. This telephone number is staffed 24-hours a day, seven days a week. The officers at ENTAC will forward that information to CCIU for immediate assistance. In the situation that notification is made outside of normal business hours through CHP, it is the state entity’s responsibility to notify OIS of the incident the next business day.


5. Additional Information and Forms

Depending upon the nature of the incident and the assets affected by the incidents, the entity may be required to submit the following additional written reports to other state entities:

The CCIU and/or the OIS may contact the entity for additional information.

Questions and Contacts

Risk Management
 

The following resources provide policy, standards, and guidelines to assist state agencies in the development and maintenance of their risk management programs.

Also see our Frequently Asked Questions.

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. The following SAM policies directly relate to operational recovery and business continuity.As announced in Management Memo (MM) 08-02 [PDF], the policy sections related to information security and privacy have been restructured and renumbered effective February 19, 2008. No policies were changed through MM 08-02 or this restructure.

Statewide Information Management Manual (SIMM)

The following SIMM sections are applicable to risk management.

 

 

Agency Risk Management and Privacy Program Compliance Certification (SIMM 5330-B)

The signed Certification acknowledges that each agency is in compliance with state policy governing risk management and privacy requirements as defined in SAM Section 5305.2, Government Code Section 11019.9, and the Information Practices Act (Civil Code Section 1798 et seq.). It is due to the California Office of Information Security by January 31st of each year.

Plan of Action and Milestones (SIMM 5305-C)

Each state entity is responsible for establishing an Information Security Program to effectively manage risk. The state entity’s information security program shall incorporate an Information Security Program Plan (ISPP) to provide for the proper use and protection of its information assets, this is to include a Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.

Risk Management Resources

These are tools for agencies to use in identifying information security risks and to help mitigate the issues.

 

 

Risk Assessment Toolkit

These are tools for agencies to use in identifying information security risks and to help mitigate the issues.

As outlined in the State Administrative Manual (SAM) Section 5305 et seq., risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency’s risk management program.

Risk assessment is a critical component of that process to ensure state agencies have an effective risk management plan in place as defined in the SAM Sections 5305 et seq. Although the following tools are available for agencies to use in identifying information security risks and helping to mitigate the issues, it may be difficult for an agency to determine where to start with a risk assessment or which tool might be the best tool to use. Guidance for implementing a suggested strategy for a successful information security program and conducting an effective risk assessment can be found in the Information Security Program Guide for State Agencies.

The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

Information Security Program Guide for State Agencies [PDF]

Guidance for implementing a suggested strategy for a successful information security program and conducting an effective risk assessment.

Information Security Risk Assessment Checklist [DOC]

This simple checklist provides a high-level view of common security practices. It is not intended to cover all of the steps agencies must take to complete the annual risk certification process. However, it may be useful as part of a periodic risk analysis or for a targeted review of security practices in specific areas. General instructions for its use are included in the Checklist’s Introduction section. Its targeted audience is generally focused towards executive management to use as a basic tool for risk assessment.

SANS Information Security Management Audit Checklist [DOC]

A comprehensive risk assessment checklist developed by the SANS (SysAdmin, Audit, Network, Security) Institute and based upon the International Organization for Standardization (ISO) 17799:2005 standards for an information security program. This checklist does not provide vendor specific security considerations but rather attempts to provide a generic checklist of security considerations to be used when auditing an organization’s Information Technology Security. Its targeted audience is generally focused towards a team approach, which might include members from the agency’s business and program areas, information technology, human resources, and the agency’s Information Security Officer.

Security Risk Assessment Tool

HIPAA requires every organization that maintains or transmits personal health information to take specific steps to comply with regulations in the areas of privacy, technology, security, and transaction coding. The California Office of Health Information Integrity (CalOHII) has provided the following HIPAA Security Compliance Review Tool to help agencies determine their level of compliance with the Final Security Rule.

Payment Card Industry (PCI) Self-Assessment Questionnaire

The Payment Card Industry (PCI) Data Security Standard (DSS) is the set of security and compliance monitoring requirements every organization must follow in order to protect cardholder data and accept payment cards for the reimbursement of fees and services. The following tools are available to assist agencies with meeting these requirements: This Questionnaire  is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS.

PCI DSS Supporting Documents

PCI DSS Supporting Documents.

Sample Risk Assessment Report [DOC]

It is important to document the results of the risk assessment in the form of a report that can be given to the agency’s executive management. This sample report provides a template for a brief overview, the problems identified, and the recommendations for corrections or mitigation. Consider using this format for reporting your findings and recommendations to your executive management.

Sample Matrix Report [DOC]

This sample report provides an agency the appropriate risk level for action items resulting from an information security risk assessment.

MS-ISAC Nationwide Cyber Security Review Self-Assessment Reporting Tool (NCSR)

The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey designed to evaluate cyber security management. The NCSR will provide participants with instructions and guidance, supplemental documentation, and the ability to contact the NCSR help desk directly from the survey. The survey is available October 1, to coincide with National Cyber Security Awareness Month, and closes on November 30.

Once complete, participants will have immediate access to an individualized report that measures the level of adoption of security controls within their organization and includes recommendations on how to raise the organization’s risk awareness. In alternate years only (odd numbered years) the MS-ISAC and DHS will aggregate all review data and share a high level summary with all participants. The names of participants and their organizations will not be identified in this report. This report is provided to Congress in alternate years (odd numbered years) to highlight cybersecurity gaps and capabilities among our State, Local, Territorial and Tribal Governments.

Technology Recovery Management
 

Technology Recovery Program

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. The following SAM policies directly relate to technology recovery and business continuity requirements.

Statewide Information Management Manual (SIMM)

The following SIMM sections are applicable to Technology Recovery Plan requirements.

Schedule for Submission of Technology Recovery Plans

The Schedule for Submission of Technology Recovery Plans indicates the due date for each organization.

Continuity Planning

The Governor’s Office of Emergency Services’ (Cal OES) Continuity Planning Maintenance Program requirements.

Frequently Asked Questions regarding Technology Recovery Planning

State Administrative Manual (SAM) 5300
 

The State Administrative Manual (SAM) is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor’s Office. A searchable copy of the document is available by clicking on State Administrative Manual (SAM).

Policy Resources
 

Statewide Information Management Manual (SIMM)

The Statewide Information Management Manual (SIMM) Sections 10 through 80 and Sections 5300 et seq. contain standards, instructions, forms and templates that State agencies must use to comply with Information Technology (IT) policy.

Compliance Schedules

Schedule of Required Reporting Activities

The following provides a summary schedule of required security reporting activities with corresponding due dates. Unless otherwise noted, all reports are submitted in hard copy with original signature(s) to the Office of Information Security. Compliance reporting requirements are clearly outlined in State Administrative Manual (SAM) Section 5330.2.

Designation Letter SIMM 5330-A

Annually by January 31 and within ten (10) business days of any change in designee.

Risk Management and Privacy Program Compliance Certification SIMM 5330-B

Annually by January 31.

Technology Recovery Program Certification SIMM 5325-A; SIMM 5325-B

Annually pursuant to the TRP Submission Schedule.

Information Security Incident Report SIMM 5340-A; SIMM 5340-B; SIMM 5340-C

Within ten (10) business days from submittal into the California Compliance and Security Incident Reporting System (Cal-CSIRS).

Schedule for Submission of Technology Recovery Plans

State Policy, pursuant to State Administrative Manual (SAM) Section 5325.1 requires each agency to file a copy of its Technology Recovery Plan (TRP) with the Office of Inforamtion Security in accordance with the TRP schedule.

This schedule can be sorted by Organization Code (Org. Code), State Agency, and Submission Date. To do so, mouse click on the corresponding column heading. For example, mouse click on State Agency to sort list by agency name.

Due to the confidential nature of the TRP, please hand deliver all TRP’s to our office at:

Office of Information Security

10860 Gold Center Drive, Suite 200

Rancho Cordova, CA 95670

Upon arrival, please go to the 2nd floor security desk (Suite 200). The security desk staff will contact someone from our office to pick up your materials.

Note: If you choose to mail in the TRP, be sure to confirm delivery with your selected courier service prior to sending, contracted Delivery/Courier Services may not deliver to the PO Box or to the physical address.

Status of Required Security Reporting Activities

Given the government’s increased use of Information Technology (IT) and Internet-based services, the state has a compelling need to ensure the confidentiality, integrity and availability of those systems and services are adequately protected from known and anticipated threats. In addition, there is an increasing demand for broader transparency and accountability in reporting government activities.

 

 

Each state agency is responsible for the designation of officials within their agency to fulfill key security functions and reporting on its status of compliance with security policy, standards and procedures.

While agency reporting and self-certification activities alone do not ensure the security of state information assets, they do demonstrate an agency’s acknowledgement of the requirements and provide a measure of accountability.

Consistent with Chapter 404, Statues of 2010 (AB 2408), Information Technology Policy Letter (ITPL) 10-13 was written to ensure the following:

  • Establish the Security Reporting Scorecard process for reporting on state Agency and department participation in required security reporting activities.
  • Remind Department Directors, Agency Chief Information Officers (Agency CIOs), Department Chief Information Officers (CIOs), Agency Information Security Officers (AISO) and Information Security Officers (ISOs) of their reporting responsibilities.

Status of Required Security Reporting Activities [PDF] (Updated March 2017)

Technology Letters (TL)

Technology Letters contain official communications regarding state IT, including new (or changes to existing) IT policies, procedures, services or standards.