This policy page provides access to State Policy and management directives as published and issued in the State Administrative Manual (SAM), Budget Letters, and Management Memos related to information security, including risk management, disaster recovery, and incident reporting. It also provides access to proposed policy through our Now Vetting area, agency compliance schedules and status, and corresponding State Information Management Manual (SIMM) instructions and forms.
- State Administrative Manual (SAM)
- Statewide Information Management Manual (SIMM)
- Management Memos
- Budget Letters
- Go RIM
The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), Department of General Services (DGS), and Governor's Office.
As announced in Management Memo (mm) 08-02, the policy sections related to information security and privacy have been restructured and renumbered effective February 19, 2008. Note the reference to "*new" means language was added to this section to introduce the section or an edit was made to clarify the existing policy as placed within the new structure. No existing policy was changed through mm 08-02.
The following SIMM sections are applicable to information security:
|Disaster Recovery Documentation for Agencies Preparation Instructions (.pdf)||65A|
|Agency Information Security Incident Notification and Reporting Instructions (.doc)||65B|
|Agency Information Security Incident Report (.doc)||65C|
|Requirements to Respond to Incidents Involving a Breach of Personal Information (.pdf)||65D|
|Telework and Remote Access Security Standard (.pdf)||66A|
|Social Media Standard (.pdf)||66B|
|Agency Designation Letter (.doc)||70A|
|Agency Disaster Recovery Program Certification (.doc)||70B|
|Agency Risk Management and Privacy Program Compliance Certification (.doc)||70C|
The following Management Memos are applicable to information security:
The following Budget Letters are applicable to information security:
The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.