11549.3.
(a) The chief shall establish an information security program in consultation with the Director of the Office of Cybersecurity. The program responsibilities include, but are not limited to, all of the following:
(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the office.
(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.
(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each state agency’s disaster recovery plan.
(5) Coordination of the activities of state agency information security officers for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.
(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.
(7) Representing the state, in consultation with the Office of Cybersecurity, before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.
(8) In coordination with the Office of Cybersecurity, the creation and operation of select centralized security services, including, but not limited to, the California Department of Technology Security Operations Center.
(b) Each state agency, as defined in Section 11000, shall implement the policies and procedures issued by the office, including, but not limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the office.
(2) Comply with filing requirements and incident notification by providing timely information and reports as required by the office.
(c) The Office of Information Security, in consultation with the Office of Cybersecurity, shall perform all the following duties:
(1) Annually require no fewer than 35 state entities to perform an independent security assessment, the cost of which shall be funded by the state agency, department, or office being assessed.
(2) Determine criteria and rank state entities based on an information security risk index that may include, but not be limited to, analysis of the relative amount of the following factors within state agencies:
(A) Personally identifiable information protected by law.
(B) Health information protected by law.
(C) Confidential financial data.
(D) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(i) Information asset management.
(ii) Risk management.
(iii) Information security program management.
(iv) Information security incident management.
(v) Technology recovery planning.
(3) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(4) The Military Department may perform an independent security assessment of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.
(d) State agencies and entities required to conduct or receive an independent security assessment pursuant to paragraph (7) of subdivision (c) of Section 12095 shall transmit the complete results of that assessment and recommendations for mitigating system vulnerabilities, if any, to the Office of Information Security and the Office of Cybersecurity.
(e) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to paragraph (6) of subdivision (c) of Section 12095 or an information security audit pursuant to subdivision (f) of Section 12095, information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees and state contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to paragraph (7) of subdivision (c) of Section 12095 and any related information shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.