State Administrative Manual

 

SAM - Chapter 5300

5300.3    AGENCY RESPONSIBILITIES
(New 03/08)

Each agency must provide for the proper use and protection of its information assets. Accordingly, each agency must perform the following:

  1. Assign management responsibilities for information technology risk management, including the appointment of an Information Security Officer. See SAM Section 5315.

  2. Provide for the integrity and security of automated and paper information produced or used in the course of agency operations. See SAM Sections 5310 through 5350.

  3. Provide for the security of information technology facilities, software, and equipment utilized for automated information processing. See SAM Section 5330.

  4. Establish and maintain an information technology risk management program, including a risk analysis process. See SAM Section 5305.

  5. Prepare and maintain an agency Operational Recovery Plan. See SAM Section 5355.

  6. Maintain a security and ongoing privacy program including an annual training component for all employees and contractors. Refer to Government Code 11019.9 and Civil Code 1798 et seq.

  7. Comply with the state audit requirements relating to the integrity of information assets. See SAM Section 20000 et seq.

  8. Comply with state reporting requirements. See SAM Section 5360.


Each state data center must carry out these responsibilities for those automated files, databases, and computer systems for which it has ownership responsibility. See SAM Sections 5320 and 5355.3.

 


 

Updated: 3/25/2008