5360.1 COMPLIANCE SUMMARY
(New 03/08)
- Designation of Information Security Officer, Operational Recovery Coordinator and Privacy Coordinator - Due by January 31 of each year, or as designee changes occur. Upon the designation of a new ISO, Operational Recovery Coordinator, and/or Privacy Program Coordinator, the agency must submit an updated Agency Designation Letter to the Office within ten (10) business days using the Agency Designation Letter (SIMM Section 70A). See SAM Section 5315.1.
- Agency Risk Management and Privacy Program Compliance Certification - Due by January 31 of each year. The director of each agency must certify that the agency is in compliance with state policy governing information technology risk management and privacy program compliance by submitting the Agency Risk Management and Privacy Program Compliance Certification (SIMM Section 70C). See SAM Section 5315.1. Per Government Code Section 11019.9, agencies are required to maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977 (Civil Code Section 1798 et seq.) that includes, but is not limited to, assigning a designated individual to oversee the program.
- Operational Recovery Plan - Due by the date outlined in the Agency Operational Recovery Plan Submission Schedule, found on the Office's Web site at www.infosecurity.ca.gov/:
  - Operational Recovery Plan - Each agency must file a copy of its Operational Recovery Plan (ORP) with the Agency Operational Recovery Plan Transmittal Letter (SIMM Section 70D) with the Office by the due date outlined in the Agency Operational Recovery Plan Submission Schedule. If the agency employs the services of a state data center, it must also provide the data center with a copy of its plan or a subset of the relevant recovery information from the agency's ORP. See SAM Section 5355.1.
  - Agency Operational Recovery Plan Certification - An Agency Operational Recovery Plan Certification (SIMM 70B) may be filed in place of a full ORP by the due date outlined in the Agency Operational Recovery Plan Submission Schedule, if specific conditions exist. See SAM Section 5355.1.
- Incident Follow-up Report - Each agency having ownership responsibility for the asset (SAM Section 5320.1) must complete an Agency Information Security Incident Report (SIMM Section 65C) for each incident. The report must be submitted to the Office within ten (10) business days from the date of notification.
The Office may require that the agency provide additional information in conjunction with its assessment of the incident.