DGS Risk Management Policy
Title: / Risk Management Policy
Author: / Department of General Services – Information Security Office
Persons Affected: / All DGS Employees
Background: / The Department of General Services (DGS) serves as business manager for the State of California with over 3,500 employees and a budget in excess of one billion dollars. DGS provides centralized services to state agencies in the areas of management of state-owned and leased real estate; approval of architectural designs for local schools and other state-owned buildings; printing services; procurement of commodities, services, and equipment for state agencies; and management of the state’s vehicle fleet. Furthermore, the Department employs practices that support initiatives to reduce energy consumption and help preserve California resources.
Policy: / DGS’s Risk Management Program (RMP) creates an entity-wide information security, privacy, and risk management strategy. The strategy includes a clear expression of risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to DGS’s risk tolerance, and approaches for monitoring risk over time.
DGS shall provide management commitment and oversight to protect its information assets. Accordingly, DGS assigns the management responsibilities of the RMP by collaboration, communication, and effort within the ISP and subsequently the ISSC and Security Committee.
The ISO ensures that the appropriate security controls are in place to protect DGS information and technology assets from the risk of accidental or intentional interruption of service, as well as from unauthorized access, disclosure, modification, or destruction of information assets.
To this end, the DGS ISO is responsible for the development, implementation, maintenance, and enforcement of the comprehensive RMP, which provides information security related guidance, oversight, and management at the following three levels of the risk management hierarchy:
  1. Organizational Level
The Chief Information Security Officer (CISO) manages the Information Security Office (ISO) and develops the Information Security Program (ISP), which outlines organization, guidance, direction, and authority for the department’s RMP as required by SAM 5305.6. The ISO implements a risk management strategy that includes a clear expression of risk tolerance for DGS, acceptable risk assessment methodologies, risk mitigation strategies, and a process for consistently evaluating risk across DGS with respect to the department’s risk tolerance. The structure and function of the DGS ISP is the framework through which the CISO collaborates with DGS Executives, the IT Governance Council, and the Information Security Sub-Committee (ISSC) in creating, approving, and enforcing information security policies and procedures. A Security Committee is established within the Enterprise Technology Solutions (ETS) office to initially identify and evaluate department vulnerabilities and to introduce policies or procedures to mitigate risk. The RMP is coordinated within the ISP as shown in the Procedures section of this Policy on page 3.
  2. Mission/Business Process Level
The mission of DGS and the ISO is to successfully achieve the following objectives:
• To protect all IT resources and information (both electronic and physical) from unauthorized use, access, modification, loss, destruction, or disclosure;
• To ensure the physical security of DGS’s resources;
• To provide and maintain the documented disaster/operational recovery plan;
• To ensure current policies and procedures are maintained regarding federal, state, and departmental mandates and guidelines;
• To identify, assess, and respond to the risks associated with information assets;
• To prevent misuse or loss of state agency information assets by establishing and maintaining a standard of due care; and,
• To preserve the ability to meet program objectives in the event of the unavailability, loss, or misuse of information assets by establishing and maintaining cost-effective risk management practices.
DGS’s business process for the RMP requires the department to assign the management responsibilities of the RMP by collaboration, communication, and effort within the ISP and subsequently the ISSC and Security Committee. The ISP, as required under SAM 5305.2, encompasses the RMP and oversees and monitors the following practices and entities in relation to information security risks:
• Information Security Policies and Procedures
  • Approval
  • Implementation
  • Enforcement
• Organizational Practices
  • Security Governance
  • System Security and Certifications
  • Agency Confidentiality
  • Access Controls
  • Physical Security
• Personnel Practices
  • Security Awareness
  • Position Categorization
  • Non-DGS Personnel Security
  • Screening
• Data Security Practices
  • Disaster Recovery (SAM Section 5355.1)
  • Threat management (SAM Section 5305.1)
  • Network Security (SAM Section 5310)
  • Information Backup
  • Data Classifications
  • Information Integrity
  • Software Integrity
  • Appropriate use
  3. Information Asset Level
DGS recognizes and acknowledges that information assets are the foundation of the department and must be secured to ensure that the organization’s mission is achieved. Information assets are protected by the following asset management practices in compliance with SAM 5305.5:
• The department and the ISO will maintain a comprehensive inventory of all information assets, containing a listing of all programs and information systems identified as collecting, using, maintaining, or sharing state entity information.
• The IT Governance Council and ISSC will communicate and document all information assets, both physical and electronic, in cooperation with the ISO.
• The ISO has developed the Information Security Classification (ISC) process in collaboration with Enterprise Technology Solutions (ETS) to set the level of asset management for all information systems.
• All other guidelines dictated in the Information Asset Management Policy.
Authority Reference: / SAM 5300-5305; NIST SP 800-53: SIMM 5330-B; IRS 1075: 9.3.14; HIPAA Section 164.308;
SIMM 5340-A, 5340-C; IPA 1977
Enforcement: / Violation of this standard may result in disciplinary action determined by DGS management. Violated provisions outlined in IRS Publication 1075 and within the Information Practices Act may be subject to criminal prosecution.
Procedures: / The ISO has agency-wide oversight responsibilities to ensure that policies, standards, guidelines, processes, and procedures are in place to support the Risk Management Program (RMP).
The components of the program include risk assessment, mitigation, and evaluation. Risk assessments determine the potential threats and associated risks; risk mitigation is the process of identifying, prioritizing, evaluating, and implementing risk reduction controls; and evaluation is an ongoing and evolving process that integrates the System Development Life Cycle (SDLC) in existing and new systems as well as operational processes.
The ISO is responsible for the RMP, with a primary focus on the integrity and security of automated files, databases, computer systems, and information (electronic and paper). In addition, the ISO ensures that the agency has the appropriate policies and procedures required to be in compliance with applicable laws, regulations, and state policy by establishing the Information Security Program (ISP) as the framework for managing DGS’s information security and risk management oversight. The function of the ISP is coordinated within DGS as shown in the figure on Page 3.
[Figure: INFORMATION SECURITY PROGRAM organization chart]
The CISO may designate proper ISO staff to update and maintain the structure of the ISP. The CISO will work with upper management to delegate appropriate staff to the SC and will communicate with the CIO in appointing the appropriate IT Governance Council members to serve on the ISSC.
The ISP requires the creation of the following:
  1. Information Security Sub-Committee: The ISSC is a subcommittee within the DGS IT Governance Council that has the authority to review and approve Information Security policies and procedures enacted by the SC, ISO, and ETS management team. The ISSC also has the authority to direct the evaluation, mitigation, and acceptance of risks on behalf of the department. The ISSC will be responsible for participating in the Department level Risk Assessment and any projects that impact the entire department. The committee shall be comprised of representatives from the following areas:
  • Audits
  • Chief Information Officer
  • Chief Information Security Officer
  • Technology Recovery Coordinator and/or Business Continuity Coordinator
  • Finance/Fiscal
  • Human Resources
  • Legal
  • Privacy Coordinator
  • Program/Division
In the event that a representative from the internal Office of Audit Services (OAS) serves on the IT Governance Council, the OAS individual shall recuse themselves from serving on the ISSC and shall be excluded from all Risk Management related duties which may conflict with their role as a Department internal auditor. The OAS representative will notify the IT Governance Council of the duties in which they can participate that comply with OAS’s auditing standards and do not compromise the independence necessary to perform audit functions for DGS.
  2. Security Committee (SC): The CISO works with ETS management to nominate representatives from each ETS section to serve on the committee (See SC Org Chart below). The CISO will chair the SC and may designate an ISO employee to co-chair or coordinate, schedule, and conduct the committee meetings. SC meetings shall be held monthly, or as major incidents occur, to address/discuss the following:
  • Drafted Information Security policies, procedures, or standards
  • Potential risks within the office or department
  • Risk Assessments and vulnerability scans
  • ETS Practices related to information and physical security
  • Any other matters determined by the CISO
Important matters from the SC, including approved information security policy/procedure drafts, are routed through ETS Management to the ISSC of the IT Governance Council.
[Figure: Security Committee (SC) organization chart]
ISP Documentation:
All information and security documents routed through the ISP shall be made available to all involved personnel. The ISO shall create a central repository with access granted appropriately within subfolders for the ISSC as well as the SC and ETS Management team. Documents and incidents to be made available to the public or all department employees shall be determined by the ISSC, IT Governance Council, or DGS Executives and will be published on the appropriate medium of communication such as the DGS intranet or internet webpages.
The ISP expresses a clear goal of transparency as required by the CA Public Records Act but shall determine the vulnerabilities and risks involved with releasing content deemed sensitive by the ISSC or DGS Executives prior to publication.
Training and Role Rotation:
DGS personnel nominated by management shall be provided all information documented in relation to the roles and responsibilities outlined for participating members within the ISP. The ISP accommodates the workloads of participating personnel and allows DGS management to select and rotate individuals as necessary while still ensuring the success and effectiveness of the ISP. New individuals selected to participate in the ISP shall be provided the following:
• All approved Information Security Policies
• Current ISP Organization Chart
• Access to appropriate ISP Documentation
• A clear communication of responsibilities and expectations
The IT Governance Council shall determine the frequency of rotation of ISSC members, if necessary. The CISO will work with ETS Management to determine the rotation necessity of SC members as affected by availability, transfers of duties, conflicts of interest, or separation.
Maintenance and Restructuring:
The CISO, CIO, and ISO will evaluate the effectiveness of the ISP annually in the month of January by reviewing documented lessons-learned and discussing the successes and failures of the ISP in all areas of the program’s scope. Any restructure in the operations of the ISP, including its abolishment, requires a majority approval from the SC, CISO, CIO, and ISSC.
Annual Review of Policies and Procedures:
The ISO, CISO, SC, and ISSC shall annually review and modify, or reapprove, DGS’s information security policies and procedures in the month of January. All information security policies and procedures shall be rerouted through the ISP to identify any potential outdated practices or necessary modifications to ensure the success of DGS’s mission and information security objectives.
RISK MANAGEMENT PROGRAM
The following standards have been established to provide reasonable requirements to identify, assess, mitigate, and accept risks that are associated with the Department’s information assets and technology.
  1. Risk Management Standards: The Risk Management Program provides the Department with a standard methodology for assessing, mitigating, accepting, and evaluating risks to the department. The ISO coordinates with the Security Committee (SC) and Information Security Sub-Committee (ISSC) within the Information Security Program (ISP) to develop the specific methodology for conducting formal Risk Assessments in accordance with established information security industry standards.
  2. Risk Management Participation: It is the responsibility of each Deputy Director to ensure that the appropriate staff is identified and participates in the process for Department and Program/Project level Risk Assessments. A key element for participation is an understanding of the program’s business function, process, or project to ensure an objective contribution and assessment as a subject matter expert.
  3. Risk Management Cycle: The process of Risk Management is an ongoing cycle; there are always new risks, vulnerabilities, mitigation strategies, and security solutions due to the ever-evolving nature of business and technology. An overview of the Risk Management cycle and what is accomplished in each component is shown in the following figure on Page 6:
[Figure: Risk Management Cycle]
  4. Risk Assessment Process: The Risk Assessment process includes conducting a risk analysis, identifying risk mitigation strategies, risk acceptance, and evaluating the effectiveness of the implemented mitigation strategies. This process also applies to Program/Project level Risk Assessments.
  5. Performing the Department Level Risk Assessment: A department level Risk Assessment is performed every two years between the months of January and March. A department level Risk Assessment is also performed when a significant change in information technology occurs. The Department level assessment covers the full scope of DGS processes involving information assets classified as medium or high criticality.
Risk Analysis: The initial step in performing the Department Level Risk Assessment is conducting a risk analysis to identify and assess risks associated with all DGS information assets, processes, and resources. The risk analysis includes the following steps:
  1. Assign the assessment responsibilities to appropriate staff; this encompasses inclusion of the CISO, DGS Executives, IT Governance Council, ETS Management, and Security Committee.
  2. Identify department information assets, with an emphasis on assets that have been deemed critical to the Department’s program operations (See Information Asset Management Policy).
  3. Identify all possible threats to the Department and its assets. This includes:
  • Accidental or deliberate acts caused by employees and non-employees.
  • Natural disasters including fire, flood, earthquake, etc.
  • Potential process weaknesses.
  • Loss of power to systems and facilities.
  • Loss of data communication capabilities.
  4. Conduct an assessment of existing vulnerabilities to identified threats.
  5. Determine the probable loss and the consequences of the loss related to each vulnerability, and estimate the likelihood of such an occurrence.
  6. Identify and estimate the cost of protective measures to bring risk to an acceptable level.
Risk Mitigation: After completing the risk analysis, mitigation strategies are developed for the identified risks. Mitigation strategies consider all feasible technical, administrative, and physical security controls that may be deployed to reduce risk, and document the following:
  1. The specific mitigation strategy that will be implemented, including any alternatives that were considered.
  2. Cost/benefit information for the identified mitigation strategies.
  3. The mitigation implementation schedule and staff participation in implementing strategies. Deadlines and mitigation schedules are established by the DGS Executive Team in collaboration with the ISSC and SC.
Risk Acceptance: Not all risks can be mitigated or reduced to an acceptable level. Any risks that are accepted are clearly identified along with a detailed description of why the risk was accepted and are documented with the ISO. These risks may be reported by the CISO to the State Information Security Office or State Auditors.
Evaluation of Mitigation Strategies and Lessons Learned: The final step in the Risk Assessment process is the evaluation of the implemented mitigation strategies. This is a continuous process that emphasizes the effectiveness of the Department’s Risk Management Program. Evaluation allows the Department to report on what mitigation strategies were effective in reducing the level of risks.
  6. Performing Program/Project Level Risk Assessments: Program or project level Risk Assessments are performed when there are new or major changes to business processes that impact division functions, legal conditions, or the technical environment. The process of performing the Program/Project Level Risk Assessment is similar to the Department level process. Examples of when a Program/Project level Risk Assessment must be performed include:
• A fundamental change to the manner in which a business process is executed.
• Facility moves.
• An enhancement or upgrade to the program level information technology infrastructure.
• Implementation of a new information technology system.
• A third party request for access to information assets.
Risk Analysis: The initial step is conducting a risk analysis to identify and assess risks associated with the specific Program/Project. The risk analysis includes the following steps:
  1. Assign the assessment responsibilities to appropriate staff; this encompasses inclusion of the ISO and ETS (for projects involving IT), in addition to program management/staff.
  2. Identify all possible threats to the Program/Project. This includes:
  • Accidental or deliberate acts caused by employees and non-employees.
  • Natural disasters including fire, flood, earthquake, etc.
  • Potential process weaknesses.
  • Loss of power to systems and facilities.
  • Loss of data communication capabilities.
  3. Conduct an assessment of existing vulnerabilities to identified threats.
  4. Determine the probable loss and the consequences of the loss related to each vulnerability, and estimate the likelihood of such an occurrence.
  5. Identify and estimate the cost of protective measures to bring risk to an acceptable level.
Risk Mitigation: After completing the risk analysis, mitigation strategies are developed for the identified risks. Mitigation strategies include: