Welcome to the California Office of Information Security and Privacy Protection

Frequently Asked Questions

A collection of answers to the most Frequently Asked Questions (FAQ), intended to give state agencies a better understanding of, and more detail on, the specific topic areas listed below.

Topics

Information Security Incident Notification and Reporting

The reporting requirements previously identified in the old SAM 4845 are no longer in the revised version.  What happened to them?

They have been incorporated into the new Information Security Incident Notification and Reporting Instructions found in the State Information Management Manual (SIMM) Section 65B.

The new version of SAM 4845 now requires agencies to report security incidents involving paper and other formats.  Why is this necessary?

The majority of State agencies are still very much dependent upon paper and other formats, such as microfiche.  When an incident involves the theft, loss or misuse of personal, confidential, or sensitive information, whether in electronic or any other format, it is important that adequate steps are taken to make the necessary notifications.  Safeguarding all personal, confidential or sensitive information, no matter the format, is essential to building trust with State government.  It is also consistent with the requirement identified in Management Memo 06-12.

The new version of SAM 4845 now requires agencies to report all state-owned Information Technology (IT) equipment or any electronic devices containing or storing personal, sensitive or confidential data.  Why did it change from the previous dollar threshold of $2,000?

Whenever any information technology equipment, especially a device that stores or contains data/information, is stolen or lost, it is important to report it.  The information collected from these reports by the California Highway Patrol, the California Office of Information Security and other agencies can indicate trends and helps focus efforts on finding solutions to the particular issues surrounding the incidents.  The dollar threshold was removed for various reasons.  One important reason is that many pieces of equipment today can be purchased for very low cost.  For example, laptops can be purchased for less than $800, but the data on them can be at high risk if lost or stolen.

Who does an agency's Information Security Officer call when a security incident occurs?

As outlined in the Information Security Incident Notification and Reporting Instructions (SIMM 65B), agency Information Security Officers (ISO), or their designated backups, should immediately call the California Highway Patrol (CHP) Emergency Notification and Tactical Alert Center (ENTAC) at (916) 657-8287 to report an information security incident.  ENTAC will take the report and forward it to the State Information Security Office and the CHP Computer Crimes Investigation Unit for further action.

Where does an agency's Information Security Officer find what information should be collected prior to calling the California Highway Patrol?

As outlined in the Information Security Incident Notification and Reporting Instructions (SIMM 65B), guidance for reporting the incident can be located on CHP's Web site at www.chp.ca.gov under "Computer Crime Reporting for State Agencies." 

Once an agency's Information Security Officer reports the security incident, what happens next?

CHP's ENTAC will take the report and forward it to the Office of Information Security and the CHP Computer Crimes Investigation Unit for further action.  Depending upon the incident's type, the Office of Privacy Protection may also play a role in assisting the agency.

Where does an agency's Information Security Officer find the Agency Information Security Incident Report (SIMM 65C, formerly SIMM 140)?

The Agency Information Security Incident Report (SIMM 65C) can be located on the Tools page.  The old version of the report was formerly numbered SIMM 140B.  It was renumbered to SIMM 65C to more closely align with the Information Security Incident Notification and Reporting Instructions (SIMM 65B).

Unauthorized Disclosure Notifications

Why must we notify individuals when there has been a breach of their personal information?

The California Breach Notification requirement (Civil Code Section 1798.29) requires a notification be made to individuals when the breach involves unencrypted "Notice Triggering" information as defined in the section. Technically, the law is applicable to a breach in computerized data. However, the State has taken the position that a notification should be made when a breach of this same "Notice Triggering" data involves paper or other types of media, as the breach would expose individuals to the same financial/identity theft risk and concerns. Safeguarding all personal, confidential or sensitive information, no matter the format, is essential to building trust with State government. The objective is to make timely notification to individuals so that they take appropriate steps to protect themselves.

What other authority does the State have which supports the disclosure notification requirement?

State policy was adopted to require the reporting of incidents involving the breach of personal, confidential or sensitive information maintained in paper documents and other media types. Refer to State Administrative Manual (SAM) Section 4845, BL 06-34, Information Security Notification and Reporting, and MM 06-12, Protection of Information Assets, for additional requirements and details.

What must the notification say?

Both the California Office of Information Security and the California Office of Privacy Protection (COPP) can provide guidance in this area. COPP has samples and recommendations on its website at www.oispp.ca.gov/consumer_privacy/, and its staff are available to assist by telephone at (916) 574-8180. However, depending upon the breach, it is highly recommended that the development of any disclosure notification involve executive management, information security and privacy disclosure officers, legal counsel and others as appropriate.

Are there alternatives to making notification by written letter to the individual?

Yes. The law provides for substitute notice in certain circumstances (see CC 1798.29g3). In such circumstances, notice may be made by email, Web site posting, and major statewide media.

How does an agency contact the Office of Information Security?

Agencies can contact the Office of Information Security at security@oispp.ca.gov or by calling the main phone number at (916) 445-5239. 

Agency Designations

Are agencies still required to submit the Agency Designation Letter (SIMM Section 70A) by January 31st of each year, or when the designee changes?

Yes.  This is very important because it provides the California Office of Information Security with the new information, which allows us to update our records.  One of the benefits is that it ensures the new designees receive important updates and news as they are released.

Why does the Office of Information Security want to know who our agency Information Security Officer (ISO) is?

There are many reasons why it is important for the Office of Information Security to maintain a current list of agency ISO contacts.  Our Office frequently notifies agency ISOs of important information, such as critical software updates, vulnerabilities, or other types of threats that may require immediate action on the part of your agency.  It is also a good communication tool for notifying ISOs of upcoming events, such as quarterly ISO meetings, training, workshops, and other important news.  Finally, it provides our Office and the California Highway Patrol's Computer Crimes Unit with a central agency contact whom we can reach about security incidents and who can work directly with us to resolve security issues.

When are agencies required to submit the designation of an Information Security Officer to the Office of Information Security?

Agencies are required to submit their designation of an Information Security Officer and his/her backup to the Office of Information Security by January 31st of each year, or as designee changes occur.  When designee changes occur, agencies must submit an updated Letter within ten (10) business days.  The Agency Designation Letter (SIMM Section 70A) can be located on this web site at www.oispp.ca.gov/government/tools.asp.

Operational Recovery Planning

Are the "costs" in Section B (g) those costs paid for by the State?

Yes. If a notification was required and a non-state entity paid the associated costs, those costs are not included in the costs in Section B. However, a description of how the notification was funded should be included in Section B (f).

When are the new components outlined in the Operational Recovery Documentation Instructions (SIMM 65A) effective?

All policy described in Budget Letter 07-03 is effective immediately.  Agencies must incorporate the ORP content and format into their 2007 submittals to the California Office of Information Security, and into each submittal thereafter.

The elements found in the old SAM 4543 for operational recovery development are no longer in the revised version.  What happened to them?

They have been incorporated into the new Operational Recovery Documentation Instructions found in the State Information Management Manual (SIMM) Section 65A.

What elements found in the old SAM 4543 policy are no longer valid?

There were three elements removed: identification and evaluation of alternative recovery strategies, preparation of a cost benefit analysis for each alternative, and selection of the alternative that best responds to the agency's requirements for disaster recovery. 

Are agencies still required to follow the Operational Recovery Plan Quarterly Reporting Schedule (SIMM Section 05) for submitting their Operational Recovery Plans to the California Office of Information Security?

Yes, the schedule remains the same.  The schedule is located at http://www.oispp.ca.gov/government/schedule.asp.

When is it possible for an agency to not submit a copy of their Operational Recovery Plan to the California Office of Information Security?

As outlined in SAM Section 4843.1, the Operational Recovery Plan Certification (SIMM Section 70B) may be submitted in place of the full ORP if both of the following conditions exist:

  • A full plan was submitted the previous year and is on file; and
  • No changes are needed to the current plan.

It should be noted that the new component requirements outlined in the Operational Recovery Plan Documentation Instructions (SIMM 65A) may not allow for the Certification to be submitted until agencies comply with the new requirements. Agencies with an April and July 2007 filing date may qualify to submit the Agency Operational Recovery Certification (see SAM 4841.1); however, they must also provide a cover sheet with that Certification indicating where the information for each topic area in the SIMM Section 65A is located in the agency's ORP.

What if an agency's Operational Recovery Plan does not follow the Operational Recovery Plan Documentation Instructions (SIMM Section 65A)?

If an agency's ORP does not follow the framework outlined in the Instructions, then a cover sheet must be included in the submission to the California Office of Information Security, indicating where information on each component can be found.

Why is it necessary for an agency to now incorporate the new components identified in the Operational Recovery Plan Documentation Instructions (SIMM Section 65A) into their Operational Recovery Plan?

The new components were implemented to assist agencies in the development and refinement of their ORPs.  Agencies with a more mature and fully developed operational recovery program will want to include specific topic areas beyond the minimum requirements to aid in the full recoverability of critical systems/applications in the event of an unplanned outage.

What if my agency does not have a business continuity plan? How does that affect the Operational Recovery Plan?

Every agency should be developing its Continuity of Operations and Continuity of Government (COOP/COG) program to include a full business continuity plan.  This is a recent requirement outlined by the Office of Emergency Services.  However, if an agency does not have a COOP/COG, then three additional components must be included in its ORP as directed in Section 2 (Supplemental ORP Requirements) of the Operational Recovery Plan Documentation Instructions (SIMM 65A).

What would prompt an audit if an agency does not submit an Operational Recovery Plan or the Plan does not meet the minimum requirements?

During the next year, the California Office of Information Security will be enhancing its ORP review process for compliance.  Also, when State and internal auditors conduct an IT audit, they will typically review the documentation to ensure the agency is complying with SAM requirements.

If an agency cannot comply with the submission timeline to accommodate these new minimum ORP requirements, will the California Office of Information Security accept an extension?

The California Office of Information Security will work with agencies.  However, it should be recognized that ORPs have been a requirement for many years.  Many of the components in the new requirements were previously required under the old SAM 4843 and SAM 4843.1.  If agencies closely followed the old requirements, adapting their plans to the new requirements should not be too difficult.  Before an extension will be given, agencies will need to provide a compelling business reason and a timeline for when they will comply with the new requirements.

Can the California Office of Information Security provide assistance or resources in developing an agency's Operational Recovery Plan?

Unfortunately, the California Office of Information Security does not have the resources available to help in developing an ORP.  Assistance can be obtained through a number of mechanisms, including contracting with vendors, coordinating with the Department of Technology Services, or forming workgroups with other agencies to help with the development.

The California Office of Information Security has offered, and continues to offer, guidance and training in general operational recovery planning that may assist agencies with the development of their ORPs.

What might the expected costs be to modify an existing Operational Recovery Plan to meet the new minimum requirements?

The costs should be minimal.  Many of these components were already in place under the previous SAM 4843 – 4843.1 policies, so they should not be new to agencies.  Many of the processes identified in the new Instructions, such as backup and offsite storage documentation, should already be documented by agencies and can fairly easily be incorporated into the agency's ORP.

Risk Management and Privacy Program Compliance Certification (SIMM 70)

As the director of an agency, why am I being asked to sign this revised Certification?

The SIMM 70C has been updated and now includes a requirement for Privacy Program compliance.  As outlined in Government Code Section 11019.9, each agency shall enact and maintain a permanent privacy program in adherence with the Information Practices Act of 1977 (Civil Code 1978 et seq).  The privacy program must include an annual training component to provide ongoing education for all employees and contractors who handle personal, sensitive or confidential information.  The requirement for an established Privacy Program is not new.  The new requirement is that agencies certify a program is in place.

Additionally, as in the past, this form also certifies that agencies are in compliance with state policy governing information technology risk management as specified in SAM Section 4842.2.

When must this Certification be submitted to the California Office of Information Security?

This Certification must be submitted by January 31st of each year.

Do all employees need to take annual security and privacy training provided by my agency?

Yes, all employees must receive training, at least once annually, on state and departmental information security and privacy policies and laws, including the consequences of violating them. Additionally, all contractors who have access to personal, confidential, or sensitive state information should receive the same type of training on an annual basis. Refer to BL 06-34, Information Security Notification and Reporting, and MM 06-12, Protection of Information Assets, for additional requirements and details.

Last Updated: Monday, June 30, 2008