State Administrative Manual

 

SAM - Chapter 5300

5360.1    COMPLIANCE SUMMARY
(Revised 10/09)

Designation of Information Security Officer, Disaster Recovery Coordinator and Privacy Coordinator - Due by January 31 of each year, or as designee changes occur. Upon the designation of a new ISO, Disaster Recovery Coordinator, and/or Privacy Program Coordinator, the agency must submit an updated Agency Designation Letter to the Office within ten (10) business days using the Agency Designation Letter (SIMM Section 70A). See SAM Section 5315.1.

  1. Agency Risk Management and Privacy Program Compliance Certification - Due by January 31 of each year. The director of each agency must certify that the agency is in compliance with state policy governing information technology risk management and privacy program compliance by submitting the Agency Risk Management and Privacy Program Compliance Certification (SIMM Section 70C). See SAM Section 5315.1. Per Government Code Section 11019.9, agencies are required to maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977 (Civil Code Section 1798 et seq.) that includes, but is not limited to, assigning a designated individual to oversee the program.

  2. Disaster Recovery Plan - Due by the date outlined in the Agency Disaster Recovery Plan Submission Schedule, found on the Office's Web site at www.infosecurity.ca.gov/:


    1. Disaster Recovery Plan - Each agency must file a copy of its Disaster Recovery Plan (DRP) with the Agency Disaster Recovery Plan Transmittal Letter (SIMM Section 70D) with the Office by the due date outlined in the Agency Disaster Recovery Plan Submission Schedule. If the agency employs the services of a state data center, it must also provide the data center with a copy of its plan or subset of the relevant recovery information from the agency's DRP. See SAM Section 5355.1.

    2. Agency Disaster Recovery Plan Certification - An Agency Disaster Recovery Plan Certification (SIMM Section 70B) may be filed in place of a full DRP by the due date outlined in the Agency Disaster Recovery Plan Submission Schedule, if specific conditions exist. See SAM Section 5355.1.


  3. Incident Follow-up Report - Each agency having ownership responsibility for the asset (SAM Section 5320.1) must complete an Agency Information Security Incident Report (SIMM Section 65C) for each incident. The report must be submitted to the Office within ten (10) business days from the date of notification.

The Office may require that the agency provide additional information in conjunction with its assessment of the incident.

 


 

Updated : 10/26/2009