Frequently Asked Questions


A collection of answers to the most Frequently Asked Questions (FAQ), intended to give state agencies a better understanding of, and more detail on, the specific topic areas listed below.

About the California Information Security Office

What is the California Information Security Office?
The California Information Security Office is an office within the California Department of Technology. The CISO is the primary state government authority charged with ensuring the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information assets. The CISO is involved in a broad range of activities within the state and collaborates with federal, state and local security professionals, higher education, private industry, and others on security related matters. The CISO is committed to securing the state's information assets to build and maintain the trust of Californians.
How does an agency/consumer contact the California Information Security Office?
Agencies can contact the California Information Security Office at security@state.ca.gov or by calling our main line at (916) 445-5239.
What authority does the California Information Security Office have for issuing policy and directing state agencies on information security and privacy matters?
Government Code Section 11549.3 charges the California Information Security Office with responsibility for, among other things, the creation, updating, and publishing of information security and privacy policies, standards, and procedures directing state agencies to effectively manage security and risk for information and information technology.

Agency Designations

Are agencies required to submit the Designation Letter by January 31st of each year, or when the designee changes?
Yes. Filing the letter is very important because it provides the California Information Security Office (CISO) with the names and contact information of the individuals authorized by the agency director to handle key information security functions. The CISO may need to reach these individuals in the event that security, technology recovery, or privacy protection issues arise. One of the benefits of filing the Designation Letter (SIMM 5330-A) is to ensure the designees receive important early warnings, policy updates, and news about upcoming events as they are released.
Why does the California Information Security Office want to know who is our agency Information Security Officer?
There are many reasons why the California Information Security Office (CISO) must know who the agency has designated as their Information Security Officer (ISO). First, it is important for the CISO to maintain a current list of agency ISO contacts because the CISO notifies the agency ISOs of important information on a frequent basis, such as critical software updates, vulnerabilities, or other types of threats that may require immediate action by state agencies. It is also a good communication tool for notifying agency ISOs of upcoming events, such as quarterly ISO meetings, training, workshops, changes in state policy, and other important news. Finally, it provides the CISO and the California Highway Patrol (CHP) Computer Crimes Investigations Unit (CCIU) with the name and contact information for individuals who can be contacted about security incidents and work with us to resolve security issues within their agency. In an emergency, the CISO and the CHP CCIU may need to reach these individuals, so it is important to ensure the agency’s designations are kept current.
When are agencies required to submit the designation of an Information Security Officer to the California Information Security Office?
Agencies are required to submit their Designation Letter (SIMM 5330-A) specifying an Information Security Officer and his/her backup to the CISO by January 31st of each year, or within ten (10) business days as designee changes occur.

Annual Security and Privacy Program Training Requirement

Do all employees in a state agency need to take annual security and privacy training?
Yes. All employees and contractors must receive security and privacy training, at least once annually, on state and departmental information security and privacy policies and laws, including the consequences of violating them. Additionally, all third parties who have access to personal, confidential, or sensitive state information must receive the security and privacy training on an annual basis. Refer to Budget Letter 06-34, Information Security Notification and Reporting, and Management Memo 06-12, Protection of Information Assets, for additional requirements and details.
What laws, regulations, and/or state policies require employees to be trained annually and to acknowledge that they have received the training by signing an acknowledgement form?
The legal requirement for training is found in the California Information Practices Act of 1977 (Civil Code Sections 1798 et seq.) and specifically Civil Code Section 1798.20, which requires all state agencies to establish rules of conduct for persons involved with personal information and instruct such individuals on the rules and the remedies and penalties for noncompliance. The applicable state policy requirements are:
  1. State Administrative Manual (SAM) Section 5305 states an agency must maintain a security program and an ongoing privacy program, as outlined in Government Code Section 11019 and Civil Code Sections 1798 et seq.
  2. SAM Section 5320 states an agency’s personnel practices related to security management must include training of agency employees with respect to individual, agency, and statewide security responsibilities and policies; signing of acknowledgments of security responsibility by all employees; and termination procedures that ensure that agency information assets are not accessible to former employees.

What are the consequences for an agency or individuals/employees that fail to comply with provisions of the California Information Practices Act of 1977?
Depending upon the circumstances, the following consequences can occur:
  1. Adverse action (individual/employee), including termination, pursuant to Government Code 19572.
  2. Lawsuits (civil action) against the agency or an individual/employee pursuant to Civil Code Sections 1798.45 through 1798.53.
  3. Penalties (disciplinary action, including termination; monetary; misdemeanor charges; imprisonment) assessed against individuals pursuant to Civil Code Sections 1798.55 through 1798.57.
  4. Other legal actions (criminal charges) may be brought against employees/individuals under other applicable sections of law where the employee/individual has knowingly and willfully obtained, sold, or used another individual's personal information.
  5. A contractor may be held in breach of contract, forfeit future contract awards, etc., pursuant to the terms of the contract and state contracting requirements.

Technology Recovery Planning

Are agencies required to follow the Technology Recovery Plan (TRP) Quarterly Reporting Schedule for submitting their TRP to the California Information Security Office?
Yes. The schedule remains the same and is available at http://www.cio.ca.gov/OIS/Government/schedule.asp.
When is it possible for an agency to not submit a copy of their Technology Recovery Plan to the California Information Security Office?
As outlined in the State Administrative Manual Section 5325.1, and the Technology Recovery Program Certification (SIMM 5325-B), a full Technology Recovery Plan may not be required to be submitted with an agency's SIMM 5325-B if both of the following conditions exist:
  1. A full plan was submitted the previous year and is on file; and
  2. No changes are needed to the current plan.
What if an agency's Technology Recovery Plan does not follow the Technology Recovery Plan Instructions?
If an agency's Technology Recovery Plan does not follow the framework outlined in the Technology Recovery Plan Instructions (SIMM 5325-A), then a cross-reference sheet identifying where the information on each component can be found must also be included with the submission to the California Information Security Office. The cross-reference sheet is found on pages 2 and 3 of the Technology Recovery Program Certification (SIMM 5325-B).
Why must an agency incorporate the components identified in the Technology Recovery Plan Instructions into their Technology Recovery Plan?
These components were implemented to assist an agency in the development and refinement of their Technology Recovery Plan. An agency with a more mature and fully developed technology recovery program may want to include specific topic areas beyond the minimum requirements to aid in the full recoverability of critical systems/applications in the event of an unplanned outage.
What if my agency does not have a business continuity plan? How does that affect development of the Technology Recovery Plan?
Every agency should be developing their Continuity Planning program to include a full business continuity plan. This is a requirement outlined by the Governor's Office of Emergency Services. However, if an agency does not have a Continuity Plan, then three additional components must be included in an agency’s Technology Recovery Plan (TRP) as directed in Section 2: Supplemental TRP Requirements of the Technology Recovery Plan Instructions (SIMM 5325-A).
What happens if an agency does not submit a Technology Recovery Plan (TRP) or the TRP does not meet the minimum requirements?
The California Information Security Office (CISO) has enhanced its Technology Recovery Plan (TRP) compliance review process. The agency will be notified when it does not file a TRP or when its TRP does not meet the minimum requirements identified in the Technology Recovery Plan Instructions (SIMM 5325-A). Notification follows an escalation process that proceeds from the Technology Recovery Coordinator to the Information Security Officer, the Chief Information Officer, the Agency Director and, in some cases, the Agency Information Officer.
The CISO is to report to the California Department of Technology any state agency found to be noncompliant with information security program requirements. Noncompliance may impact the agency’s procurement and information technology (IT) project delegated authority.
Also, when conducting an IT audit, state and internal auditors will typically review the agency’s documentation to ensure the agency is complying with the State Administrative Manual requirements. Compliance or noncompliance would be documented as an audit finding.
If an agency cannot comply with the Technology Recovery Plan submission, will the California Information Security Office accept an extension?
Because the purpose of the Technology Recovery Plan (TRP) is to provide continuity of computing operations in support of critical business functions, there is no extension process for TRP submissions. The agency Director must be apprised of the risk associated with not having a complete and comprehensive TRP which provides the ability to perform a full recovery of critical/essential IT systems and applications in support of the agency’s critical business functions.
One alternative is to submit a Technology Recovery Program Certification (SIMM 5325-B), marking the box that indicates, “My state entity is NOT in full compliance with the Technology Recovery Management Program requirements, but has a comprehensive plan to achieve full compliance by [insert date]. I understand and accept the risk associated with the gaps in our current program, and have attached a remediation plan which includes a schedule for completion.” If this option is submitted, a remediation plan specifying the date when the TRP will be delivered to the California Information Security Office must also be submitted with the SIMM 5325-B submittal.
Can the California Information Security Office provide assistance or resources in developing an agency's Technology Recovery Plan?
The California Information Security Office (CISO) will provide assistance in a limited consulting capacity. For example, the CISO will meet with an agency to help ensure the agency fully understands the requirements for submission and content of the Technology Recovery Plan (TRP), and answer any questions about whether or not the agency's plan or approach meets the requirements.
Unfortunately, the CISO does not have the resources to develop an agency's TRP or to be part of the agency’s TRP development team. This type of assistance can be acquired through a number of mechanisms including contracting with vendors, coordinating with the Office of Technology Services, or possibly forming workgroups with other agencies for assistance with the development.
NOTE: The CISO has offered, and continues to offer, guidance and training in technology recovery planning to assist agencies in the development of their TRPs.

Incident Reporting

What should a state entity do when a security incident occurs?
Immediately report the incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS). Cal-CSIRS will require specific information about the incident and will notify the CISO and the CHP Computer Crimes Investigation Unit (CCIU).
What must be reported by a state entity?
All actual or suspected security incidents that negatively affect the security (confidentiality, integrity, or availability) of a state information asset must be reported. Incidents meeting the reporting criteria outlined in the Incident Reporting and Response Instructions (SIMM 5340-A) must be reported.
The incident reporting criteria used to only require the reporting of information technology related security incidents, but now state agencies are expected to report those involving paper and other formats. What authority requires agencies to report security incidents involving paper and other formats and why is this necessary?
In September 2006, the California Information Security Office (then located within the Department of Finance) issued Management Memo 06-12, adding paper and other formats to the state incident reporting criteria.
The majority of state agencies are still very much dependent upon paper and other formats, such as microfiche. When an incident involves the theft, loss, or misuse of personal, confidential, or sensitive information, whether it is electronic or other format, it is important that adequate steps are taken to notify individuals that may be in jeopardy as a result of the incident. Safeguarding all personal, confidential, or sensitive information, no matter the format, is essential to maintaining the public’s trust in government.
The incident reporting criteria used to only require the reporting of a loss or theft of state-owned Information Technology (IT) equipment valued at $2,000 or more, but the state policy now requires agencies to report any loss or theft of state-owned IT equipment or any electronic devices containing or storing personal, sensitive, or confidential data. Why did it change from the previous dollar threshold of $2,000?
The dollar threshold was removed for various reasons. One important reason is that many devices or equipment can be purchased today for very low costs. For example, laptops can be purchased for less than $800, but the data on them can be at high risk if lost or stolen. Another important reason is that the state must be able to track and assess the impact of security incidents from a statewide perspective. It is important to report any loss of state IT equipment, especially those devices that store or contain data/information. The information collected by the California Information Security Office, the California Highway Patrol, and other agencies from these reports can indicate trends, and help the state focus on finding solutions to address issues affecting all or multiple agencies.
Where does a state entity find what information should be collected prior to submitting an incident report on the California Compliance and Security Incident Reporting System (Cal-CSIRS)?
A state entity should immediately report the incident, providing all of the known information available about the incident, upon discovery and should not delay reporting due to an inability to gather all of the information on this list. Guidance on information to be collected can be located on CHP's website under "Computer Crime Reporting for State Agencies" and in the Incident Reporting and Response Instructions (SIMM 5340-A).
Once a state entity reports the security incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS), what happens next?
A system generated e-mail confirmation will be sent to the authorized Cal-CSIRS users acknowledging the CISO and CCIU have received the Cal-CSIRS notification. The CHP CCIU and/or the CISO may contact the state entity for additional information or further investigation. The extent of the CISO and the CCIU involvement will depend upon the type of incident and facts of the case.
What is the purpose of the California Compliance and Security Incident Reporting System (Cal-CSIRS) Incident Report?
The Cal-CSIRS report provides documentation and accountability in response to incidents. It helps the state entity identify and correct problems and control deficiencies within the state entity, and ensures that the head of the state entity is aware of the incident and its cause, so that he/she can direct the state entity’s response and corrective action plan to prevent similar occurrences in the future.
It also helps the California Information Security Office monitor and mitigate statewide problems or trends.
What is a state entity expected to do if the California Highway Patrol Computer Crimes Investigations Unit decides to not investigate the incident?
A state entity is expected to complete and submit the California Compliance and Security Incident Reporting System (Cal-CSIRS) incident report to the California Information Security Office (CISO). The California Highway Patrol (CHP) Computer Crimes Investigations Unit (CCIU) criteria for opening an investigation are not the same as the criteria for identifying an incident and filing an incident report with the CISO. These are separate paths. The CHP CCIU may have many reasons for not pursuing a criminal investigation, such as insufficient evidence on which to build a case or an inability to meet a specific dollar threshold. The CHP CCIU’s decision not to investigate does not eliminate the requirements for agencies to conduct their administrative investigation and root cause analysis, to pursue appropriate administrative remedies and corrective actions, to submit a Cal-CSIRS incident report to the CISO or, if needed, to notify individuals that their personal information was improperly accessed or acquired (see "Notifying Individuals..." below).
Where does a state entity find the California Compliance and Security Incident Reporting System (Cal-CSIRS)?
The Cal-CSIRS incident reporting system can be found at https://calcsirs.rsam.com/.
Are there instructions for completing the Information Security Incident Report?
Yes. Detailed instructions are provided within the Incident Reporting and Response Instructions (SIMM 5340-A).
What else should be reported and to whom?
Any suspicious activity, behavioral characteristics, or unlawful activity, that may suggest involvement in terrorist activity should be reported immediately to a state entity’s Terrorism Liaison Officer, or the Sacramento Regional Terrorism Threat Assessment Center at 1-888-884-8383 or by email to sacrttac@sacsheriff.com.
Suspicious activity may include the following: 1) unusual items in a vehicle or residence (e.g., extremist posters, weapons/explosives materials, altered identification documents); 2) the probing of security systems and first responder procedures (e.g., unplanned building evacuations due to “false alarms”); or 3) other signs of pre-operational terrorist planning and surveillance (e.g., requests for system documentation or other sensitive organizational information).
When pursuing tips and leads, it is most helpful if, while observing the suspicious activity, as much information as possible about the subject(s), vehicle(s), activity, or location is gathered and documented; for example, the name and physical description of the subject(s) and the license plate number(s) of the vehicle(s) involved.
How do I report a security incident if the California Compliance and Security Incident Reporting System (Cal-CSIRS) is offline during normal business hours?
If the Cal-CSIRS system is offline during normal business hours, contact CISO directly by phone at (916) 445-5239 or by e-mail at security@state.ca.gov for assistance.
How do I report a security incident that requires immediate assistance from law enforcement, if the California Compliance and Security Incident Reporting System (Cal-CSIRS) is offline outside of normal business hours?
If Cal-CSIRS is offline outside of normal business hours and you require immediate law enforcement assistance, contact CHP's Emergency Notification and Tactical Alert Center (ENTAC) at (916) 843-4199. This telephone number is staffed 24 hours a day, seven days a week. The officers at ENTAC will forward that information to CCIU for immediate assistance. When notification is made outside of normal business hours through CHP, it is the state entity’s responsibility to notify CISO of the incident on the next business day.
IMPORTANT: A report made to CHP, other law enforcement agencies, or the CISO outside of the Cal-CSIRS notification process, by e-mail or other means, is NOT an acceptable substitute for the required report through Cal-CSIRS.

Notifying Individuals About An Incident Involving Their Personal Information

Why must an agency notify an individual when there has been an incident involving their personal information?
The California Breach Notification law (Civil Code Section 1798.29) requires a notification be made to individuals when the breach involves unencrypted "Notice Triggering" personal information as defined in the section. Technically, the law is applicable to a breach involving computerized data. However, the state has taken the position that a notification should be made when a breach of this same "Notice Triggering" data involves paper or other types of media, as the breach would expose individuals to the same financial/identity theft risk and concerns. Safeguarding all personal, confidential, or sensitive information, no matter the format, is essential to maintaining trust in state government. The objective is to make timely notification to individuals so that they may take appropriate steps to protect themselves.
What other authority does the state have which supports the notification requirement?
State policy was adopted to require the reporting of security incidents involving personal, confidential, or sensitive information maintained in paper documents and other media types. Refer to State Administrative Manual Section 5340, Budget Letter 06-34, Information Security Notification and Reporting, and Management Memo 06-12, Protection of Information Assets, for additional requirements and details.
What must the notice say?
The notice must contain the appropriate elements given the facts involved. To be helpful to the recipient, the notice must contain, at a minimum, a clear indication of what happened, what specifically is at risk, and what the recipient can or should consider doing to protect themselves. The California Information Security Office (CISO) has published a Statewide Information Management Manual (SIMM) document entitled Requirements to Respond to Incidents Involving a Breach of Personal Information (SIMM 5340-C). SIMM 5340-C outlines the notification requirements for state agencies, and provides additional instructions and guidance to state agencies in the handling of security incidents involving personal information. State agencies are strongly encouraged to read through SIMM 5340-C in advance of an incident, so they are more prepared to respond if their agency encounters an incident involving personal information. SIMM 5340-C is available on the “Privacy Information for State Government: Security Breach Notification” webpage at: http://www.cio.ca.gov/Government/IT_Policy/SIMM/SIMM5340_C.pdf
Are there alternatives to making notification by written letter to the individual?
Yes. The law provides for substitute notification (see Civil Code Section 1798.29(g)(3)), under which the notice must be made by e-mail, website posting, and major statewide media (all three). Please refer to Requirements to Respond to Incidents Involving a Breach of Personal Information (SIMM 5340-C) for additional information about the criteria that must be met in order to make substitute notification.
Why must state agencies submit their notices to the California Information Security Office for review and approval before they are released to affected individuals?
In order to be effective and helpful to individuals placed in jeopardy by a breach, the notice must contain the appropriate elements given the facts involved. For example, a notice that advises an individual to place a fraud alert on their credit files when only limited medical information, such as a treatment diagnosis, was involved, and not their social security or driver’s license number, will do little to help the individual mitigate their risk in that situation.
The California Information Security Office (CISO) must review the notice to ensure that, given the data elements involved, the circumstances of the loss or theft, and any number of other relevant factors, the notice serves to mitigate further risk and potential impact to both individuals and the state. Some of the potential impacts of an erroneously worded notice are: 1) recipient confusion about the steps they should take; 2) further recipient frustration and escalation from inaccurate or incomplete instructions; and 3) a surge in follow-up inquiries for both the reporting agency and the CISO.
Won't the California Information Security Office review and approval process unduly delay the notification process?
No. The California Information Security Office (CISO) is usually able to turn a notice around within a couple of hours, and definitely within one business day. Through our partnership with the former California Office of Privacy Protection, we are aware of the type of language that has been used in the past that has caused recipient confusion and has resulted in an increased number of follow-on inquiries. The additional few minutes spent up front to ensure the notice addresses all anticipated questions and provides clear and accurate instructions can save the agency many hours associated with responding to follow-on inquiries.
Are there sample notices available for use as a template?
Yes. State agencies should refer to the appendices in the Requirements to Respond to Incidents Involving a Breach of Personal Information (SIMM 5340-C).
Where does an agency find the Requirements to Respond to Incidents Involving a Breach of Personal Information?
The Requirements to Respond to Incidents Involving a Breach of Personal Information (SIMM 5340-C) is available on the CISO website. Private sector businesses should refer to the Business Resources webpage of the Department of Justice, Privacy Enforcement and Protection Unit, at http://www.privacy.ca.gov/.

Risk Management and Privacy Program Compliance Certification

Why is the director of an agency required to sign the Risk Management and Privacy Program Certification?
The Risk Management and Privacy Program Certification (SIMM 5330-B) is a certification of the agency’s compliance with state information security and privacy policy requirements as specified in the State Administrative Manual Chapter 5300.
It also provides an indicator of the state’s security posture and helps ensure that the agency Director is aware of the requirements, and the agency’s status in meeting these requirements.
When must the Risk Management and Privacy Program Certification be submitted to the California Information Security Office?
This Risk Management and Privacy Program Certification (SIMM 5330-B) must be submitted by January 31st of each year.
What happens when an agency does not submit a Risk Management and Privacy Program Certification?
The California Information Security Office (CISO) has enhanced its Risk Management and Privacy Program Certification compliance review process. The Director and Agency Director for the agency will be notified when an agency has failed to meet this reporting requirement.
The CISO is to report to the California Department of Technology any state agency found to be noncompliant with information security program requirements. Noncompliance may impact the agency’s procurement and information technology (IT) project delegated authority.
Also, when conducting an IT audit, state and internal auditors will typically review the agency’s documentation to ensure the agency is complying with the State Administrative Manual requirements. Compliance or noncompliance would be documented in the audit findings.
What happens when an agency is not in full compliance with the state information security and privacy policy as specified in the State Administrative Manual Chapter 5300?
The agency has the option of certifying whether or not it is in full compliance with all of the requirements of State Administrative Manual Chapter 5300. When the agency finds it has NOT yet implemented all required components, the agency must check the second box on the Risk Management and Privacy Program Certification (SIMM 5330-B) and attach a remediation plan to the certification when it is submitted to the California Information Security Office. The remediation plan identifies the noncompliant components along with the timeline(s) indicating when the agency will be compliant.
If an agency finds it is not in full compliance with the state information security and privacy policy as specified in the State Administrative Manual Chapter 5300 by the submission deadline, will the California Information Security Office grant an extension?
No. To meet the filing requirement, the agency must submit a Risk Management and Privacy Program Certification (SIMM 5330-B) and, if it is not in full compliance, a remediation plan. The remediation plan identifies the noncompliant components along with the timeline(s) indicating when the agency will be compliant. The California Information Security Office will follow up with agencies on their remediation activities to ensure they are completed within the identified timeframes.
Where does an agency find the Risk Management and Privacy Program Certification?
The Risk Management and Privacy Program Certification (SIMM 5330-B) is available on the Schedule of Required Reporting Activities webpage.

Last Updated: Friday, November 18, 2016