Policy

Overview

This policy page provides access to State Policy and management directives as published and issued in the State Administrative Manual (SAM), Budget Letters, and Management Memos related to information security, including risk management, disaster recovery, and incident reporting.  It also provides access to proposed policy through our Now Vetting area, agency compliance schedules and status, and corresponding State Information Management Manual (SIMM) instructions and forms.

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor's Office.

As announced in Management Memo (mm) 08-02, the policy sections related to information security and privacy have been restructured and renumbered effective February 19, 2008. Note the reference to "*new" means language was added to this section to introduce the section or an edit was made to clarify the existing policy as placed within the new structure. No existing policy was changed through mm 08-02.

Topic New SAM Section Old SAM Section(s)/ Comments
Introduction 5300 *New Introduction
Statutory Provisions 5300.1 *New Introduction, 4840.2, and
GO RIM description
Applicability 5300.2 4840.3, 4819.32 (revised)
Agency Responsibilities 5300.3 4841, 4841.2
Definitions 5300.4 New June 2008
     
Risk Management 5305 4840, 4842
Risk Analysis 5305.1 4842.1
Agency Risk Management Program 5305.2 4842.2
     
Policy Management 5310 4840.1, 4841.2, *new language added for clarity
     
Organizing Information Security 5315 4842.2
Agency Management Responsibilities 5315.1 4840, 4841.1, 4841.2, *new form added
Agency Designations 5315.2 4845, *NEW added privacy program coordinator reference
     
Asset Protection 5320 4841.2
Ownership of Information 5320.1 4841.4
Responsibility of Owners of Information 5320.2 4841.5
Responsibility of Custodians of Information 5320.3 4841.6
Responsibility of Users of Information 5320.4 4841.7
Classification of Information 5320.5 4841.3
     
Human Resources Security 5325 4842.2
     
Physical and Environmental Security 5330 4842.2
     
Communications and Operations Management 5335 *new Introduction
Information Integrity and Data Security 5335.1 4841.2, 4842.2
Personal Computer Security 5335.2 4842.2
     
Access Control 5340 *new Introduction, 4841.2
     
Information Systems Acquisition, Development, and Maintenance 5345 *new Introduction
Software Licensing Integrity 5345.1 4842.2
Cryptography 5345.2 4841.2
     
Incident Management 5350 4841.2, 4845
Information Security Incident Reporting Requirements 5350.1 4845
Criteria for Reporting Incidents 5350.2 4845
Incident Follow-up Report 5350.3 4845
Incidents Involving Personal Information 5350.4 New December 2008
     
Disaster Recovery Management 5355 *new Introduction, 4842.2
Disaster Recovery Planning 5355.1 4843
Agency Disaster Recovery Plan 5355.2 4843.1, *new form added
Additional State Data Center Requirements 5355.3 4842.2, 4842.21
     
Compliance 5360 *new Introduction, 4845
Compliance Summary 5360.1 4845

SAM 484x to SAM 53xx Cross Walk - Detail

 

Statewide Information Management Manual (SIMM)

The following SIMM sections are applicable to information security:

Topic Section
Disaster Recovery Documentation for Agencies Preparation Instructions (.pdf) 65A
Agency Information Security Incident Notification and Reporting Instructions (.doc) 65B
Agency Information Security Incident Report (.doc) 65C
Requirements to Respond to Incidents Involving a Breach of Personal Information (.pdf) 65D
Telework and Remote Access Security Standard (.pdf) 66A
Social Media Standard (.pdf) 66B
Agency Designation Letter (.doc) 70A
Agency Disaster Recovery Program Certification (.doc) 70B
Agency Risk Management and Privacy Program Compliance Certification (.doc) 70C

 

Management Memos

The following Management Memos are applicable to information security:

Topic Management Memo Number
Safeguarding Against and Responding to a Breach of Security Involving Personal Information (.pdf) 08-11
Update to Industry Standard Terminology for Disaster Recovery (.pdf)
 08-10
Release of Personal Information for Research 08-09
Information Technology Capital Planning Process 08-07
Restructure of SAM Information Security & Privacy Policy Sections 08-02
Removal of Confidential, Sensitive or Personal Information From State-Owned Surplus Personal Property and State-Owned Surplus Vehicles 07-09
Protection of Information Assets 06-12

 

Budget Letters

The following Budget Letters are applicable to information security:

Topic Budget Letter Number
Transition of IT Project Review, Approval and Oversight Responsibilities from the Department of Finance to the Office of the State Chief Information Officer, and Information Technology Budgeting Guidelines 08-06
IT Security Policy - Changes to Operational Recovery Planning 07-03
IT Security Policy - Information Security Notification and Reporting 06-34
IT Security Policy - Encryption on Portable Computing Devices 05-32
IT Security Policy - Classification of Information 05-08
IT Security Policy - Peer-to-Peer File Sharing 05-03
Safeguarding Access to State Data 04-35
Safeguards for Firewalls and Servers 03-11

The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.


Last Updated: Thursday, April 04, 2013
 
Governor BrownCalifornia Technology Agency - www.cio.ca.govMichelle Robinson - Office of Information Security Acting Director
 

·Cyber Threat Level

·Quick Links

 

·Related Websites

Data Privacy Day

Stop Think Connect

A guide to Data Privacy