2007 California Government Code Chapter 5.7. Office Of Information Security And Privacy Protection

CA Codes (gov:11549-11549.6)

GOVERNMENT CODE
SECTION 11549-11549.6



11549.  (a) There is in state government, in the State and Consumer
Services Agency, the Office of Information Security and Privacy
Protection. The purpose of the office is to ensure the
confidentiality, integrity, and availability of state systems and
applications, and to promote and protect consumer privacy to ensure
the trust of the residents of this state.
   (b) The office shall be under the direction of an executive
officer, who shall be appointed by, and serve at the pleasure of, the
Governor. The executive officer shall report to the Secretary of
State and Consumer Services, and shall lead the office in carrying
out its mission.
   (c) The duties of the office, under the direction of the executive
officer, shall include, but are not limited to, all of the
following:
   (1) Provide direction for information security and privacy to
state government agencies, departments, and offices, pursuant to
Section 11549.3.
   (2) Administer constituent programs and the Office of Privacy
Protection pursuant to Section 11549.5.



11549.1.  As used in this chapter, the following terms have the
following meanings:
   (a) "Executive officer" means the executive officer of the Office
of Information Security and Privacy Protection.
   (b) "Office" means the Office of Information Security and Privacy
Protection.
   (c) "Program" means an information security program established
pursuant to Section 11549.3.


11549.2.  (a) (1) Employees assigned to the security unit of the
Office of Technology Review, Oversight, and Security within the
Department of Finance, and the employees of the Office of Privacy
Protection within the Department of Consumer Affairs are transferred
to the office, within the State and Consumer Services Agency.
   (2) The status, position, and rights of any employee transferred
pursuant to this section shall not be affected by the transfer.



11549.3.  (a) The executive officer shall establish an information
security program. The program responsibilities include, but are not
limited to, all of the following:
   (1) The creation, updating, and publishing of information security
and privacy policies, standards, and procedures for state agencies
in the State Administrative Manual.
   (2) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies to effectively
manage security and risk for all of the following:
   (A) Information technology, which includes, but is not limited to,
all electronic technology systems and services, automated
information handling, system design and analysis, conversion of data,
computer programming, information storage and retrieval,
telecommunications, requisite system controls, simulation, electronic
commerce, and all related interactions between people and machines.
   (B) Information that is identified as mission critical,
confidential, sensitive, or personal, as defined and published by the
office.
   (3) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies for the
collection, tracking, and reporting of information regarding security
and privacy incidents.
   (4) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies in the
development, maintenance, testing, and filing of each agency's
operational recovery plan.
   (5) Coordination of the activities of agency information security
officers, for purposes of integrating statewide security initiatives
and ensuring compliance with information security and privacy
policies and standards.
   (6) Promotion and enhancement of the state agencies' risk
management and privacy programs through education, awareness,
collaboration, and consultation.
   (7) Representing the state before the federal government, other
state agencies, local government entities, and private industry on
issues that have statewide impact on information security and
privacy.
   (b) (1) Every state agency, department, and office shall comply
with the information security and privacy policies, standards, and
procedures issued pursuant to this chapter by the Office of
Information Security and Privacy Protection.
   (2) Every state agency, department, and office shall comply with
filing requirements and incident notification by providing timely
information and reports as required by policy or directives of the
office.
   (3) The office may conduct, or require to be conducted,
independent security assessments of any state agency, department, or
office, the cost of which shall be funded by the state agency,
department, or office being assessed.
   (4) The office may require an audit of information security to
ensure program compliance, the cost of which shall be funded by the
state agency, department, or office being audited.
   (5) The office shall report to the office of the State Chief
Information Officer any state agency found to be noncompliant with
information security program requirements.


11549.4.  The office shall consult with the State Chief Information
Officer, the Office of Emergency Services, the Director of General
Services, the Director of Finance, and any other relevant agencies
concerning policies, standards, and procedures related to information
security and privacy.


11549.5.  There is hereby created in the office, the Office of
Privacy Protection. The purpose of the Office of Privacy Protection
shall be to protect the privacy of individuals' personal information
in a manner consistent with the California Constitution by
identifying consumer problems in the privacy area and facilitating
the development of fair information practices in adherence with the
Information Practices Act of 1977 (Chapter 1 (commencing with Section
1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code).
   (b) The Office of Privacy Protection shall inform the public of
potential options for protecting the privacy of, and avoiding the
misuse of, personal information.
   (c) The Office of Privacy Protection shall make recommendations to
organizations for privacy policies and practices that promote and
protect the interests of the consumers of this state.
   (d) The Office of Privacy Protection may promote voluntary and
mutually agreed upon nonbinding arbitration and mediation of
privacy-related disputes where appropriate.
   (e) The Office of Privacy Protection shall do all of the
following:
   (1) Receive complaints from individuals concerning any person
obtaining, compiling, maintaining, using, disclosing, or disposing of
personal information in a manner that may be potentially unlawful or
violate a stated privacy policy relating to that individual, and
provide advice, information, and referral, where available.
   (2) Provide information to consumers on effective ways of handling
complaints that involve violations of privacy-related laws,
including identity theft and identity fraud. If appropriate local,
state, or federal agencies are available to assist consumers with
those complaints, the office shall refer those complaints to those
agencies.
   (3) Develop information and educational programs and materials to
foster public understanding and recognition of the purposes of this
article.
   (4) Investigate and assist in the prosecution of identity theft
and other privacy-related crimes, and, as necessary, coordinate with
local, state, and federal law enforcement agencies in the
investigation of similar crimes.
   (5) Assist and coordinate in the training of local, state, and
federal law enforcement agencies regarding identity theft and other
privacy-related crimes, as appropriate.
   (6) The authority of the Office of Privacy Protection to adopt
regulations under this article shall be limited exclusively to those
regulations necessary and appropriate to implement subdivisions (b),
(c), (d), and (e).



11549.6.  This chapter shall not apply to the State Compensation
Insurance Fund, the Legislature, or the Legislative Data Center in
the Legislative Counsel Bureau.
