Incident Management

Topics on this page

The California Office of Information Security works collaboratively with agency Information Security Officers, California Highway Patrol (CHP), California Information Security Office, Office of Health Information Integrity, and other essential agencies on mitigating, identifying, responding to, and reporting information security incidents.

The following policy, standards, and guidelines are provided to assist state agencies in compliance with current incident response and reporting requirements, and establishing and maintaining internal incident management functions.

Also see our Frequently Asked Questions regarding Incident Reporting

Incident Reporting

State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, it is each agency's Information Security Officer's (ISO) responsibility to notify the proper authorities. The prescribed process includes the following steps:

1.  Reporting Incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS):

State policy requires state entities to make notification to the California Information Security Office (CISO) and the California Highway Patrol (CHP) immediately following discovery of an incident. Each state entity's Chief Information Officer (CIO), Information Security Officer (ISO), or the assigned incident reporting personnel (as designated on the Instructions and Format for Cal-CSIRS Designee Information form), collectively hereinafter referred to as authorized California Compliance and Security Incident Reporting System (Cal-CSIRS) user, is responsible for notifying the proper authorities.

Immediately report the incident through the Cal-CSIRS. Cal-CSIRS will require specific information about the incident and will notify the CISO and the CHP Computer Crimes Investigation Unit (CCIU). A system generated e-mail confirmation will be sent to the authorized Cal-CSIRS users acknowledging the CISO and CCIU have received the Cal-CSIRS notification.

IMPORTANT: Incident notification made to CHP or our Office outside of the Cal-CSIRS notification process by email or other means is NOT an acceptable substitute for the required notification through Cal-CSIRS.

2.  Instructions and Guidance for Reporting an Incident.

Refer to SIMM 5340-A instructions and/or the California Highway Patrol website for guidance when reporting an incident. Notification and reporting requirements, along with security tips, can be found on the CHP’s "Computer Crime Reporting for State Agencies"

The ISO should attempt to gather the following information before reporting the incident on Cal-CSIRS:

  • Name and address of the reporting entity.
  • Name, address, e-mail address, and phone number(s) of the reporting person.
  • Name, address, e-mail address, and phone number(s) of the ISO.
  • Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
  • Description of the incident.
  • Date and time the incident occurred.
  • Date and time the incident was discovered.
  • Any actions at and following the time of discovery that were taken prior to reporting incident on Cal-CSIRS.

The ISO should attempt to gather the following additional information before reporting incident about incidents involving computer-related theft or crime:

  • Make / model of the affected computer(s).
  • Serial and state asset identification numbers of affected devices.
  • IP address of the affected computer(s).
  • Assigned name of the affected computer(s).
  • Operating system of the affected computer(s).
  • Location of the affected computer(s).

IMPORTANT: Reporting should NOT be delayed until all of this information is gathered. It is understood that in some circumstances this information may not always be readily available when first reported to the ISO.  Therefore the ISO should make the report to ENTAC providing as much information as possible at the time of receiving the report.

3.  Personally Identifiable Information.

During this reporting process, it is also important to report if the incident involves personally identifiable information, such as breach notice-triggering personal information as defined in California Civil Code Section 1798.29.

Effective January 1, 2016, California’s Civil Codes 1798.29 and 1798.82 were amended to require breach notifications to be provided in a specific format and include certain content. Security Breach Reporting and Notification templates are provided on the CISO Risk Management page. Policy requires state entities to submit any breach notification to CISO for review and approval prior to its release.

Further, Civil Code Section 1798.29 (e) requires any state entity that is required to issue a security breach notification to more than 500 California residents, as a result of a single breach, to electronically submit a sample copy of the breach notification, excluding any personally identifiable information, to the Attorney General. The Attorney General’s procedures for sample submission are available on its website at: See SIMM 5340-C for instructions and process.

4.  Emergency Assistance Outside of Normal Business Hours:

In the case that the Cal-CSIRS system is offline during normal business hours, contact CISO directly by phone at (916) 445-5239 or by e-mail at for assistance. If the Cal-CSIRS system is offline outside of normal business hours and you require immediate law enforcement assistance, contact CHP's Emergency Notification and Tactical Alert Center (ENTAC) at (916) 843-4199. This telephone number is staffed 24-hours a day, seven days a week. The officers at ENTAC will forward that information to CCIU for immediate assistance. In the situation that notification is made outside of normal business hours through CHP, it is the state entity’s responsibility to notify CISO of the incident the next business day.

5.  Additional Information and Forms:

Depending upon the nature of the incident and the assets affected by the incidents, the entity may be required to submit the following additional written reports to other state entities:

The CCIU and/or CISO may contact the entity for additional information.

Questions and Contacts

Answers to frequently asked questions can be found in the Cal-CSIRS FAQ. Contact the Office of Information Security if you have additional questions or need assistance with incident reporting. Questions may be directed to or by calling (916) 445-5239.
Other Contact Information:

Other Resources

Links and resources for incident notification and reporting documentation, "best" practices, and federal standards to help develop and/or update your agency's reporting procedures can be found in the Incident Management Program Resources (pdf) document.

Other Resources:

The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

Last Updated: Friday, November 18, 2016