Questionnaire for Information Security and Privacy Components in Feasibility Study Reports and Project-Related Documents



Similar documents
COTS/SaaS Acquisition Information Form

Core Fittings C-Core and CD-Core Fittings

An Information Security and Privacy Perspective for Procurement Services Projects

OFFICE OF CONTRACT ADMINISTRATION PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

Utica College. Information Security Plan

Release: 3. HLTADM002 Manage Telehealth technology

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

From Chaos to Clarity: Embedding Security into the SDLC

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Information Security Program

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

Ayla Networks, Inc. SOC 3 SysTrust 2015

Concepts for a standard based crossorganizational information security management system in the context of a nationwide EHR

E Governance Security Standards Framework:

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Information Security Program Management Standard

UIIPA - Security Risk Management. June 2015

By His Excellency DEVAL L. PATRICK GOVERNOR EXECUTIVE ORDER NO. 504 ORDER REGARDING THE SECURITY AND CONFIDEN'TIALITY OF PERSONAL INFORMATION

IT Governance: The benefits of an Information Security Management System

Engage Mobile Security Whitepaper

THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Addendum To Agreement With Business Associate

Application Development and Support

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

Competency Unit: Exemplar Global AU Management Systems Auditing

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

VENDOR MANAGEMENT An Update & Discussion

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO

Treasury Offset Program Unemployment Insurance Compensation Debts

HIPAA Business Associate Addendum

ISO 9001:2008 Clause PR001 Document Control Procedure

BUSINESS ASSOCIATE AGREEMENT

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report January 3, 2012

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Human Resource (HR) and Security Awareness v1.0 September 25, 2013

Quality management systems

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

IMPORTANT:

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations

Little League International

Making your web application. White paper - August secure

Private Health Insurance Intermediaries. Document 2: Self-Audit Questionnaire. Version 2

A European Company with International Spirit

A Systematic Security Approach in Software Requirements Engineering

Preparing yourself for ISO/IEC

Security Awareness Training

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

INFORMATION SECURITY Humboldt State University

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

I. EXECUTIVE SUMMARY. Date: June 30, Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services

TEST PLAN Issue Date: <dd/mm/yyyy> Revision Date: <dd/mm/yyyy>

Firewall Access Request Form

Commercial Solutions for Classified (CSfC) Customer Handbook Version 1.1

EXAM PREPARATION GUIDE

Foundation Working Group

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

PRIVACY IMPACT ASSESSMENT

NEW ACCOUNT APPLICATION

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1

Collaborate on your projects in a secure environment. Physical security. World-class datacenters. Uptime over 99%

A Secure System Development Framework for SaaS Applications in Cloud Computing

Security Controls What Works. Southside Virginia Community College: Security Awareness

Key Considerations for Information Technology Governance. 900 Monroe NW Grand Rapids, MI (616)

INFORMATION SECURITY California Maritime Academy

Is your business prepared for Cyber Risks in 2016

The New Zealand Human Services Quality Framework - ISO9002:2008 to 2012

ISMS Implementation Guide

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

The Health Information Act. Use and Disclosure of Health Information for Research

External Penetration Assessment and Database Access Review

DIVISION OF INFORMATION SECURITY (DIS)

GAMING LABS CERTIFIED MARK FAQs

INFORMATION SECURITY STRATEGIC PLAN

Titus and Cisco IronPort Integration Guide Improving Outbound and Inbound Security. Titus White Paper

AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

Beyond ISO Intel's Product Security Maturity Model (PSMM)

Information Technology Branch Access Control Technical Standard

IRIS International Railway Industry Standard

CHAPTER BUILDING CODE EFFECTIVENESS GRADING SCHEDULE: MEASURING THE COMMUNITY S COMMITMENT TO ADOPTING AND ENFORCING BUILDING CODES.

Service Level Agreement for Database Hosting Services

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

HIPAA Compliance Evaluation Report

5 FAM 860 HARDWARE AND SOFTWARE MAINTENANCE

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO / HIPAA / SOX / CobiT / FIPS 199 Compliant

Systems Development Life Cycle (SDLC)

Achieve ISO Certification

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

GMC Inspire Cloud Services

State of Oregon. State of Oregon 1

Management and Use of Information & Information Technology (I&IT) Directive. Management Board of Cabinet

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

OPERATIONAL DIRECTIVE. Data Stewardship and Custodianship Policy. Superseded By:

Cyber Essentials Scheme

Vulnerability Management Policy

WEBSENSE SECURITY SOLUTIONS OVERVIEW

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Transcription:

State of California Department of Technology Questionnaire for Information Security and Privacy Components in Feasibility Study Reports and Project-Related Documents SIMM 20D June 2014

REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES Initial Release July 2008 Office of Information Security & Privacy Protection Update March 2011 Technology Agency - Office of Information Security Update April 2011 Technology Agency - Office of Information Security Update June 2014 Department of Technology Office of Information Security Formatting, name and logo change. Formatting and SIMM Numbering Department of Technology name changes Office of Information Security 1

Table of Contents 1.0 INTRODUCTION... 3 2.0 INFORMATION SECURITY OFFICER (ISO) ROLE AND RESPONSIBILITIES... 3 3.0 PROPOSED SYSTEM... 3 Office of Information Security 2

Questionnaire for Information Security and Privacy Components in Feasibility Study Reports and Project-Related Documents 1.0 INTRODUCTION The following Questionnaire assists Agencies/state entities with describing the information security and privacy components associated with an IT project in its Feasibility Study Reports and other project-related documents. The Office of Information Security reviews these documents to ensure information security and privacy components are addressed by the Agency/state entity and provide its recommendations to the California Department of Technology (Department of Technology). If any of the answers could be considered sensitive in nature, the Agency/state entity should address them in a separate addendum marked Confidential and included as an attachment to the document. 2.0 INFORMATION SECURITY OFFICER (ISO) ROLE AND RESPONSIBILITIES 1. What is the role and responsibilities of the Agency ISO in relationship to this project? 2. Will the ISO be involved in developing and reviewing the security requirements? 3. Will the ISO be involved in developing and reviewing the security testing efforts? 4. Has the ISO participated in the response to these questions and signed off on the project-related document(s)? 3.0 PROPOSED SYSTEM 1. Who will be the designated owner of the proposed system (system)? 2. Who will be the custodians and users of the system? 3. Has the data for the system been classified by the owner? Explain. 4. Does the project require development of new application code or modification of existing code? Explain. 5. Will your Agency/state entity share the data for the system with other entities? If so, who? a. Federal partners b. Local city/county partners c. State agency partners d. Judicial branch e. Universities f. Researchers g. Others 6. If data for the system is to be shared with other entities, will your Agency/state entity implement data exchange agreements with the entities? Explain. 7. Are there checkpoints throughout the software development life cycle (SDLC) verifying and certifying that the security requirements are being met? 8. At what points will risk assessments be performed throughout the SDLC? 9. At what point will vulnerability assessments be performed once the system is put into production (e.g., ongoing risk management after implementation)? Office of Information Security 3

10. Will this system collect federal data? If so, have you yet determined the National Institute for Standards and Technology 800-53 rating (i.e., high / medium / low)? 11. Does your Agency/state entity s IT Capital Plan address information security and privacy as related to this system? Office of Information Security 4

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information