SAM5300 People - Process - Technology Navigational Guide - September 2022
[Diagram: People - Process - Technology]
Information security is an entity-wide responsibility and achieved through a combination of people, process
and technology. The state's information assets, including its data processing capabilities, information
technology infrastructure and data are an essential public resource. For many Agency/state entities, program
operations would effectively cease in the absence of key computer systems. In some cases, public health and
safety would be immediately jeopardized by the failure or disruption of a system. The non-availability of state
information systems and resources can also have a detrimental impact on the state economy and the citizens
who rely on state programs. Furthermore, the unauthorized acquisition, access, modification, deletion, or
disclosure of information included in Agency/state entity files and databases can compromise the integrity of
state programs, violate an individual's right to privacy, and constitute a criminal act.
This document is intended to help Agencies/state entities better understand the state policy and procedural
requirements for establishment of effective enterprise-wide information security programs. For navigational
ease, the policy requirements have been grouped in this document by categories aligned with People, Process
and Technology so that entities can more easily understand what is needed to achieve state security
objectives. Note: There may be some requirements that appear in multiple groupings. This was intentional.
For the complete published policy visit: http://sam.dgs.ca.gov/TOC/5300.aspx
PERSONNEL MANAGEMENT

5305.4 Personnel Management
Requirement: Each state entity must identify security and privacy roles and responsibilities for all personnel to ensure personnel are informed of their roles and responsibilities for using state entity information assets, to reduce the risk of inappropriate use, and must maintain a documented process to remove access when changes occur.
Reference: Information Security Program Management Standard (SIMM 5305-A)
Frequency: Initially, ongoing

5320 Training And Awareness For Information Security And Privacy
Requirement: Each state entity must establish and maintain an information security and privacy training and awareness program to assess the skills and knowledge of its personnel in relation to job requirements, identify and document training and professional development needs, and provide suitable training within the limits of available resources.
Reference: NIST SP 800-53: Awareness and Training (AT)
Frequency: Initially, ongoing

5320.1 Security And Privacy Awareness
Requirement: Each state entity shall provide basic security and privacy awareness training, which meets state requirements, to all information asset users (all personnel, including managers and senior executives) as part of initial training for new users and annually thereafter.
Frequency: Initially, annually

5320.2 Security And Privacy Training
Requirement: Each state entity shall determine the appropriate content of security and privacy training based on the assigned roles and responsibilities of individuals and the specific security requirements of the state entity and the information assets to which personnel have access.
Reference: Civil Code section 1798; NIST SP 800-53: Awareness and Training (AT)
Frequency: Initially, annually

5320.4 Personnel Security
Requirement: Each state entity shall establish processes and procedures to ensure that individual access to information assets is commensurate with job-related responsibilities, and that individuals requiring access to information assets sign appropriate user agreements prior to being granted access.
Reference: NIST SP 800-53: Personnel Security (PS)
Frequency: Initially, ongoing

5325.2 Technology Recovery Training
Requirement: Each state entity shall establish technology recovery training and exercises for personnel involved in technology recovery, to ensure availability of skilled staff.
Reference: NIST SP 800-53: Contingency Planning (CP)
Frequency: Initially, ongoing

5340.1 Incident Response Training
Requirement: Each state entity shall provide incident response training to information system users consistent with assigned roles and responsibilities.
Reference: NIST SP 800-53: Incident Response (IR)

DATA MANAGEMENT

5310.1 State Entity Privacy Statement And Notice On Collection
Requirement: Information asset owners shall be open about state entity information handling practices, including the purposes for which the state entity collects, uses, and discloses personal information of individuals. Each state entity Privacy Program Coordinator shall prepare, publish, and maintain a General Privacy Policy Statement and a Privacy Notice on Collection for each personal information collection.
Reference: NIST SP 800-53; Privacy Statement and Notices Standard (SIMM 5310-A); Government Code section 11019.9

5310.2 Limiting Collection
Requirement: Information asset owners shall collect the least amount of personal information that is required to fulfill the purposes for which it is being collected. Information asset owners shall obtain personal information only through lawful means and shall collect personal information to the greatest extent practicable directly from the individual who is the subject of the information rather than from another source.
Reference: NIST SP 800-53

5310.3 Limiting Use And Disclosure
Requirement: Information asset owners, custodians and users shall not disclose, use, or make available personal information collected from individuals for purposes other than those for which it was originally collected. (Exceptions for certain situations.)
Reference: Civil Code section 1798.24; NIST SP 800-53; Privacy Individual Access Standard (SIMM 5310-B)

5310.4 Individual Access to Personal Information
Requirement: Each state entity shall ensure individuals are provided with information about their access rights and the procedures for exercising those rights.
Reference: NIST SP 800-53; Privacy Individual Access Standard (SIMM 5310-B)

5310.7 Security Safeguards
Requirement: Information asset owners shall apply all applicable statewide and state entity information security laws, policies, standards, and procedures in order to protect personal information under the information asset owner's responsibility.
Reference: NIST SP 800-53

5315.2 System Development Lifecycle
Requirement: Each state entity shall manage its information assets using a documented SDLC methodology.
Reference: NIST SP 800-53: System and Services Acquisition (SA)

5315.3 Information Asset Documentation
Requirement: In conjunction with Records Management (SAM Chapter 1600) and Property Accounting (SAM Chapter 8600) requirements, each state entity shall ensure information security documentation is prepared and maintained as part of the overall documentation for all information assets.
Reference: NIST SP 800-53: System and Services Acquisition (SA); SAM Chapters 1600 and 8600

...
Requirement: ... use, modification or disposal, inside or outside of the state entity's control areas whether in storage or transport.
Reference: ... (MP)

5365.3 Media Disposal
Requirement: Each state entity shall sanitize digital and non-digital media prior to disposal or release for reuse, in accordance with applicable standards and policies, including media found in devices such as hard drives, mobile devices, scanners, copiers, and printers.
Reference: NIST SP 800-53: Media Protection (MP)

ORGANIZATION/STRATEGY
5300.4 Definitions
Requirement: Each state entity shall use the information security and privacy definitions issued by the CISO in implementing information security and privacy policy in their daily operations.
Reference: SAM 5300 Definitions

5300.5 Minimum Security Controls
Requirement: Each state entity shall use the FIPS and NIST SP 800-53 in the planning, development, implementation, and maintenance of their information security programs. Adoption of these standards will facilitate a more consistent, comparable, and repeatable approach for securing state assets, and create a foundation from which standardized assessment methods and procedures may be used to measure security program effectiveness.
Reference: FIPS; NIST SP 800-53

5305 Information Security Program
Requirement: Each state entity is responsible for establishing an information security program. The program shall include planning, oversight, and coordination of its information security program activities to effectively manage risk, provide for the protection of information assets, and prevent illegal activity, fraud, waste, and abuse in the use of information assets.
Reference: NIST SP 800-53: Planning (PL); Program Management (PM)

5305.2 Policy, Procedure and Standards Management
Requirement: Each state entity must provide for the protection of its information assets by establishing appropriate administrative, operational and technical policies, standards, and procedures to ensure its operations conform with business requirements, laws, and administrative policies, and personnel maintain a standard of due care to prevent misuse, loss, disruption or compromise of state entity information assets.
Reference: NIST SP 800-53: Planning (PL); Program Management (PM); Information Security Program Management Standard (SIMM 5305-A)

5305.6 Risk Management
Requirement: Each state entity shall create a state entity-wide information security, privacy and risk management strategy which includes a clear expression of risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the state entity's risk tolerance, and approaches for monitoring risk over time.
Reference: NIST SP 800-53: Planning (PL); Program Management (PM); Information Security Program Management Standard (SIMM 5305-A)

5305.9 Information Security Program Metrics
Requirement: Each state entity shall establish outcome-based metrics to measure the effectiveness and efficiency of the state entity's information security program, and the security controls deployed.
Reference: NIST SP 800-53: System and Services Acquisition (SA); Assessment, Authorization, and Monitoring (CA); Contingency Planning (CP)

5315.7 Software Usage Restrictions
Requirement: Each state entity shall ensure its Software Management Plan (SAM sections 4846.1 and 4846.2) addresses three installation requirements.
Reference: SAM sections 4846.1 and 4846.2; NIST SP 800-53: Configuration Management (CM)

5315.9 Security Authorization
Requirement: Consistent with the State Information Management Principles, Record of Decisions (SAM section 4800), each state entity shall establish a documented security authorization method which tracks official management decisions authorizing the operation of information assets and explicit acceptance of risks based on implementation of agreed-upon information security measures.
Reference: SAM section 4800

5330 Information Security Compliance
Requirement: Each state entity shall validate compliance with statewide information security policy, standards, and procedures as set forth in this Chapter, and the state entity's internal information security policies, to verify that security measures are in place and functioning as intended.
Reference: NIST SP 800-53: Assessment, Authorization, and Monitoring (CA)

5330.2 Compliance Reporting
Requirement: Each state entity shall comply with reporting requirements as directed by the CISO. These reports include the Designation Letter, Information Security and Privacy Program Compliance Certification, Technology Recovery Program Certification and/or Technology Recovery Plan, and the California Compliance and Security Incident Reporting System (CAL-CSIRS) Report.
Reference: Designation Letter (SIMM 5330-A); Information Security and Privacy Program Compliance Certification (SIMM 5330-B); Technology Recovery Program Certification (SIMM 5325-B); California Compliance and Security Incident Reporting System (CAL-CSIRS); Risk Register and Plan of Action and Milestones (SIMM 5305-B); Risk Register and Plan of Action and Milestones Worksheet (SIMM 5305-C)
Frequency: Varies by report

INCIDENT MANAGEMENT

5340.2 Incident Response Testing
Requirement: Each state entity shall exercise or test their incident response capability to determine its effectiveness, document the results, and incorporate lessons learned to continually improve the plan.
Reference: NIST SP 800-53: Incident Response (IR)

5340.3 Incident Handling
Requirement: Each state entity shall implement incident handling for information security and privacy incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Incident handling shall coordinate with business continuity planning activities (SAM section 5325).
Reference: SAM section 5325; NIST SP 800-53: Incident Response (IR); Risk Register and Plan of Action and Milestones (SIMM 5305-B); Risk Register and Plan of Action and Milestones Worksheet (SIMM 5305-C)

5340.4 Incident Reporting
Requirement: Each state entity shall follow the incident reporting procedures as described in SIMM 5340-A.
Reference: NIST SP 800-53: Incident Response (IR); Incident Reporting and Response Instructions (SIMM 5340-A)

5315.5 Configuration Management
Requirement: Each state entity shall establish a documented process regarding controlled modifications to hardware, firmware, and software to protect the information asset against improper modification before, during, and after system implementation.
Reference: NIST SP 800-53: Configuration Management (CM)

THREAT MANAGEMENT
...
Reference: NIST SP 800-53: Assessment, Authorization, and Monitoring (CA)

...
Reference: NIST SP 800-53: Audit and Accountability (AU); Physical and Environmental Protection (PE); Risk Assessment (RA)

5335.2 Auditable Events
Requirement: Each state entity shall ensure that information systems are capable of being audited and that the events necessary to reconstruct transactions and support after-the-fact investigations are maintained.
Reference: NIST SP 800-53: Audit and Accountability (AU); Physical and Environmental Protection (PE); Risk Assessment (RA)

5350 Operational Security
Requirement: Each state entity shall develop, implement, document, disseminate, and maintain operational security practices, and each state entity's security architecture shall align with best practices and documented security controls.
Reference: NIST SP 800-53: System and Information Integrity (SI); System and Communications Protection (SC)

5355.2 Security Alerts, Advisories, and Directives
Requirement: Each state entity shall continuously identify and remediate vulnerabilities before they can be exploited.
Reference: NIST SP 800-53: Risk Assessment (RA); System and Services Acquisition (SA); System and Communications Protection (SC)

5315.8 Information Asset Connections
Requirement: Each state entity shall carefully consider the risks that may be introduced when information assets are connected to other systems with different security requirements and security controls, both within the state entity and external to the state entity. Each state entity shall identify and maintain an inventory of its authorized information system connections with other state entities, which establish authorized connections from information assets, as defined by their authorization boundary, to other information systems.
Reference: NIST SP 800-53: Access Control (AC)

ACCESS MANAGEMENT
5350 Operational Security
Requirement: Each state entity shall develop, implement, document, disseminate, and maintain operational security practices, and each state entity's security architecture shall align with best practices and documented security controls.
Reference: NIST SP 800-53: System and Information Integrity (SI); System and Communications Protection (SC)

5355 Endpoint Defense
Requirement: Each state entity shall be responsible for protecting information on computers that routinely interact with untrusted devices on the internet or may be prone to loss or theft.
Reference: NIST SP 800-53: System and Information Integrity (SI)

5355.1 Malicious Code Protection
Requirement: Each state entity shall employ malicious code protection mechanisms at information asset entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code.
Reference: NIST SP 800-53: System and Information Integrity (SI)

5360.1 Remote Access
Requirement: Each state entity shall establish and document allowed methods of remote access to its information systems; establish usage restrictions and implementation guidance for each allowed remote access method; and monitor the information asset for unauthorized remote access. Allowed methods shall comply with the Telework and Remote Access Security Standard (SIMM 5360-A).
Reference: NIST SP 800-53: Access Control (AC); Telework and Remote Access Security Standard (SIMM 5360-A)

5360.2 Wireless Access
Requirement: Each state entity shall establish appropriate restrictions and implementation instructions for wireless access and enforce requirements for wireless connections to information systems. Each state entity shall also proactively search for unauthorized wireless connections, including scans for unauthorized Wi-Fi access points.
Reference: NIST SP 800-53: Access Control (AC); Telework and Remote Access Security Standard (SIMM 5360-A)

5365 Physical Security
Requirement: Each state entity shall establish and implement physical security and environmental protection controls to safeguard information assets against unauthorized access, use, disclosure, disruption, modification or destruction.
Reference: NIST SP 800-53: Physical and Environmental Protection (PE)

5365.1 Access Control for Output Devices
Requirement: Each state entity shall control access to information system output devices, such as printers and facsimile devices, to prevent unauthorized individuals from obtaining the output.
Reference: NIST SP 800-53: Physical and Environmental Protection (PE)

CONTINGENCY PLANNING

5325.1 Technology Recovery Plan
Requirement: Each state entity shall develop a TRP in support of the state entity's Continuity Plan and the business need to protect critical information assets to ensure their availability following an interruption or disaster. Each state entity must keep its TRP up-to-date and provide annual documentation for those updates to the CISO.
Reference: NIST SP 800-34; NIST SP 800-53: Contingency Planning (CP); Technology Recovery Plan Instructions (SIMM 5325-A); Technology Recovery Program Certification (SIMM 5325-B)

5325.3 Technology Recovery Testing
Requirement: Each state entity shall test the TRP to determine its effectiveness and the state entity's readiness to execute the TRP in the event of a disaster. Each state entity shall initiate corrective actions and improvements to the TRP based upon deficiencies identified during testing and exercises.
Reference: NIST SP 800-53: Contingency Planning (CP)

5325.4 Alternate Storage and Processing Site
Requirement: Each state entity shall establish an alternate storage site, including the necessary agreements to permit the storage and recovery of backup information. Each state entity shall ensure that the alternate storage site provides information security safeguards equivalent to those of the primary site.
Reference: NIST SP 800-53: Contingency Planning (CP)

5325.5 Telecommunications Services
Requirement: Each state entity shall ensure they have alternate telecommunications services, including necessary agreements, to permit the resumption of information asset operations for essential missions and business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Reference: NIST SP 800-53: Contingency Planning (CP)

5325.6 Information System Backups
Requirement: Each state entity shall perform regularly scheduled backups of system and user-level information.
Reference: NIST SP 800-53: Contingency Planning (CP)

CONTRACTS/PROCUREMENT MANAGEMENT

5315.4 System Developer Security Testing
Requirement: Each state entity shall require that system developers create and implement a security test and evaluation plan as part of the system design and build. When a contract is required, it shall specify the acceptance criteria for security test and evaluation plans and vulnerability remediation processes.
Reference: NIST SP 800-53: System and Services Acquisition (SA)

5315.5 Configuration Management
Requirement: Each state entity shall establish a documented process regarding controlled modifications to hardware, firmware, and software to protect the information asset against improper modification before, during, and after system implementation.
Reference: NIST SP 800-53: Configuration Management (CM)

5335.2 Auditable Events
Requirement: Each state entity shall ensure that information systems are capable of being audited and that the events necessary to reconstruct transactions and support after-the-fact investigations are maintained.
Reference: NIST SP 800-53: Audit and Accountability (AU); Physical and Environmental Protection (PE); Risk Assessment (RA)

5305.8 Provisions for Agreements with State and Non-State Entities
Requirement: Each state entity shall ensure agreements with state and non-state entities include provisions which protect and minimize risk to the state.
Reference: NIST SP 800-53: System and Services Acquisition (SA); FIPS Publication 199

5315.1 System and Services Acquisition
Requirement: Each state entity shall determine the information security requirements (confidentiality, integrity, and availability) for its information assets in mission/business process planning; determine, document and allocate the resources required to protect the information assets as part of its capital planning and investment control process; and establish organizational programming and budgeting documentation.
Reference: NIST SP 800-53: System and Services Acquisition (SA)

5315.2 System Development Lifecycle
Requirement: Each state entity shall manage its information assets using a documented SDLC methodology.
Reference: NIST SP 800-53: System and Services Acquisition (SA)