The California Office of Information Security works collaboratively with agency Information Security Officers, the California Highway Patrol (CHP), the Office of Privacy Protection, the Office of Health Information Integrity, and other essential agencies on identifying, mitigating, responding to, and reporting information security incidents.
The following policy, standards, and guidelines are provided to assist state agencies in compliance with current incident response and reporting requirements, and establishing and maintaining internal incident management functions.
State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, each agency's Information Security Officer (ISO) is responsible for notifying the proper authorities. The prescribed process includes the following steps:
1. Immediately call (916) 843-4199 to report the incident.
This number is a 24-hour telephone line at the California Highway Patrol (CHP) Emergency Notification and Tactical Alert Center (ENTAC). The ENTAC contact will require specific information about the incident and will forward that information to the Office of Information Security and to the CHP Computer Crimes Investigation Unit (CCIU). Representatives from the Office of Information Security and CCIU will contact you as soon as possible following their receipt of the ENTAC notification.
IMPORTANT: A notification made to CHP or our Office outside of the ENTAC notification process by email or other means is NOT an acceptable substitute for the required notification to ENTAC.
2. Information to provide when reporting the incident. Be prepared to give ENTAC the following:
- Name and address of the reporting agency.
- Name, address, e-mail address, and phone number(s) of the reporting person.
- Name, address, e-mail address, and phone number(s) of the ISO.
- Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
- Description of the incident.
- Date and time the incident occurred.
- Date and time the incident was discovered.
- Any actions at and following the time of discovery that were taken prior to calling ENTAC.
The ISO should attempt to gather the following additional information before calling ENTAC about incidents involving computer-related theft or crime:
- Make / model of the affected computer(s).
- Serial and state asset identification numbers of affected devices.
- IP address of the affected computer(s).
- Assigned name of the affected computer(s).
- Operating system of the affected computer(s).
- Location of the affected computer(s).
IMPORTANT: Reporting should NOT be delayed until all of this information is gathered. It is understood that in some circumstances this information may not be readily available when the incident is first reported to the ISO. The ISO should therefore make the report to ENTAC promptly, providing as much information as is available at the time, and supply the remainder when it is obtained.
3. Personally Identifiable Information.
During this reporting process, it is also important to report whether the incident involves personally identifiable information, such as the breach notice-triggering personal information defined in California Civil Code Section 1798.29. Note that this section now includes categories of medical information and health information.
In November 2008, Management Memo 08-11 announced a new policy requirement and procedural directive related to a state agency’s response to a breach of security involving personal information. The new policy requires state agencies to submit any breach notification to the Office of Information Security for review and approval prior to its release. See SIMM 65D for more information.
Further, effective January 1, 2012, Civil Code Section 1798.29(e) requires any agency that must issue a security breach notification to more than 500 California residents as a result of a single breach to electronically submit a sample copy of the breach notification, excluding any personally identifiable information, to the Attorney General. The Attorney General's procedures for sample submission are available on its website at: http://oag.ca.gov/ecrime/databreach/reporting
4. Additional Information.
The CCIU, the Office of Information Security, and Office of Privacy Protection may contact the agency for additional information or further investigation.
5. Follow-up Written Reports.
An Agency Information Security Incident Report outlining the details of the incident, corrective actions taken or to be taken, and the estimated costs associated with the incident must be completed and forwarded to the Office of Information Security within 10 business days following the incident per SAM Section 5350. The form to be used in making the report is SIMM 65C and must be signed by the agency's director, Information Security Officer, and when applicable the Privacy Officer/Coordinator.
Incident reports should be mailed to:
California Technology Agency
Attention: Office of Information Security
1325 J Street, Suite 1650
Sacramento, CA 95814
Depending upon the nature of the incident and the assets affected by it, the agency may also be required to submit the following additional written reports to other state agencies:
Questions and Contacts
See Frequently Asked Questions (FAQ) for more details on this topic.
Contact the Office of Information Security if you have questions or need assistance with incident reporting. Questions may be directed to Security@state.ca.gov or by calling (916) 445-5239.
Other Contact Information:
- California Highway Patrol ENTAC (916) 843-4199
- California Office of Privacy Protection (866) 785-9663
- California Office of Health Information Integrity (CalOHII) (916) 651-6907
Other Resources
The following links and resources cover incident notification and reporting documentation, "best" practices, and federal standards to help develop and/or update your agency's reporting procedures.
- Information Security Incident Notification Roadmap for Information Security Officers (.pdf, 748k)
- CHP: Computer Crime Incident Response Do's and Don'ts – Provides summary of incident response and other considerations
- National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide (.pdf, 2.71m)
- Federal Incident Reporting Guidelines – United States Computer Emergency Readiness Team (US-CERT)
- United States Computer Emergency Readiness Team (US-CERT) How to Establish a Computer Security Incident Response Team (CSIRT)
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
- SANS InfoSec Reading Room – Incident Handling
The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.