
Information Security Program Audit Request Submittal Requirements

The Articles Request (AR) is a critical part of the Office of Information Security Audit Program. It provides relevant information about your Entity (the objectives, people, processes and systems) that supports the initial assessment of your Entity's control processes. The AR provides us with the insight, information, and perspective needed to support a successful audit. Please note: additional documents may be requested.

The following list of informational articles (also referred to as documents) is requested to begin the audit of your Entity. Articles, as used in this document, are tangible representations of your strategy, organization, programs, facilities, and technology. For audit purposes, articles also include the results of assessments, audits, and reviews that have taken place in the year prior to the information security program audit kickoff. You must follow the Document Naming & Submittal Requirements below for all documents submitted. Documents that do not follow the naming and submittal requirements will not be reviewed.

Your Entity may have one or more articles related to a category. For example, some Entities have an enterprise risk management plan and a separate information technology risk management plan. In such cases, simply name each file according to the requirements below. Questions about the AR and related forms may be addressed to the lead auditor for your engagement.

Document Naming & Submittal Requirements

1. Name each document using 1) a Category ID, 2) a Short Document Description, 3) an optional Document Iteration #, and 4) a File Extension:

   [Category ID]_[Short Document Description]_[Document Iteration #].[File Extension]

   When only a single document is applicable:

     ID.AM-2_Software Application Component_Inventory.xls

   When more than one document applies:

     Example A:
       ID.GV-1-4_Enterprise Risk Management Strategy.pdf
       ID.GV-1-4_IT Risk Management Strategy.pdf

     Example B:
       PR.AC-5_Network Segmentation_1.vsd
       PR.AC-5_Network Segmentation_2.pdf

2. The file path must not exceed 255 characters and must not contain special characters. Do not include embedded file structures (nested folders).

3. Place all of the documents in a single folder, then compress (ZIP) the contents of that folder.

4. Compute a SHA-256 checksum of the ZIP file and record the hash value in a separate document. A utility such as 7-Zip or CertUtil (a Windows command-line tool) can do this.

5. Submit the ZIP file and the document containing the checksum via SAFE, CDT's Secure File Transfer Service.
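The five steps above are a procedure a submitter will repeat for every engagement, so it is worth scripting. The following is an added example, not CDT's tool and not part of the original request: it checks each file name against the step 1 pattern, applies the step 2 limits, builds the flat ZIP of step 3 and writes the step 4 SHA-256 to a separate file. Two points are assumptions because the request does not define them: "special characters" is taken to mean anything outside letters, digits, space, period, hyphen and underscore, and the iteration field is accepted as any token rather than only a number, since the request's own single-document example puts the word "Inventory" in that position. The sample file names in `demo()` are constructed from Examples A and B and hold placeholder bytes, not real audit articles.

```python
"""Submission packager for the Articles Request (added example, not CDT's tool).

Checks file names against [Category ID]_[Short Description]_[Iteration #].[ext],
builds a flat ZIP, and writes the ZIP's SHA-256 to a separate file.
"""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# Category IDs in the request look like ID.GV-1-4, ID.GV-PRV-2, PR.DS-1A, SSP-1, ISP-1.
# The iteration field is accepted as any token (assumption: the request's own example
# "ID.AM-2_Software Application Component_Inventory.xls" puts a word there).
NAME_RE = re.compile(
    r"^(?P<cat>[A-Z]{2,3}(?:\.[A-Z]{2,3})?(?:-[A-Z]{1,3})?-\d+(?:-\d+)?[A-Z]?)"
    r"_(?P<desc>[A-Za-z0-9 -]+)"
    r"(?:_(?P<iter>[A-Za-z0-9 -]+))?"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)
# "Special characters" are not defined by the request; this allow-list is an assumption.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9 ._-]+")
MAX_PATH = 255


def validate_name(name: str, base_dir: str = "") -> list:
    """Return the list of rule violations for one file name (empty list = acceptable)."""
    problems = []
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append(f"{name!r}: contains characters outside [A-Za-z0-9 ._-]")
    if not NAME_RE.fullmatch(name):
        problems.append(f"{name!r}: does not follow CategoryID_Description[_Iteration].ext")
    if len(str(Path(base_dir, name))) > MAX_PATH:
        problems.append(f"{name!r}: full path exceeds {MAX_PATH} characters")
    return problems


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so a large ZIP need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def package_submission(src_dir, out_dir, zip_name: str = "Articles.zip"):
    """Validate every article in src_dir, zip them flat into out_dir, and write the
    ZIP's SHA-256 to a separate text file.  Returns (zip_path, hash_path, hex_digest).
    Raises ValueError listing every violation rather than stopping at the first."""
    src_dir, out_dir = Path(src_dir), Path(out_dir)
    entries = sorted(src_dir.iterdir())
    problems = []
    for entry in entries:
        if entry.is_dir():                      # rule 2: no embedded file structures
            problems.append(f"{entry.name!r}: nested folders are not allowed")
        else:
            problems.extend(validate_name(entry.name, str(src_dir)))
    if problems:
        raise ValueError("submission rejected:\n" + "\n".join(problems))

    zip_path = out_dir / zip_name
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as archive:
        for entry in entries:
            archive.write(entry, arcname=entry.name)   # arcname drops the directory part
    hex_digest = sha256_file(zip_path)
    hash_path = out_dir / f"{zip_path.stem}_SHA256.txt"   # rule 4: separate document
    hash_path.write_text(f"{hex_digest}  {zip_name}\n")     # same layout as sha256sum
    return zip_path, hash_path, hex_digest


def demo() -> dict:
    """Package a constructed sample (placeholder bytes, not real audit articles) in a
    temporary directory and return the values worth checking."""
    sample_names = [
        "ID.GV-1-4_Enterprise Risk Management Strategy.pdf",
        "PR.AC-5_Network Segmentation_1.vsd",
        "PR.AC-5_Network Segmentation_2.pdf",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "articles"), Path(tmp, "out")
        src.mkdir()
        out.mkdir()
        for name in sample_names:
            Path(src, name).write_bytes(b"constructed placeholder for " + name.encode())
        zip_path, hash_path, hex_digest = package_submission(src, out)
        with zipfile.ZipFile(zip_path) as archive:
            members = sorted(archive.namelist())
        return {
            "digest": hex_digest,
            "recomputed": sha256_file(zip_path),          # what the recipient recomputes
            "hash_file_digest": hash_path.read_text().split()[0],
            "members": members,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest this writes is the same value `certutil -hashfile Articles.zip SHA256` or 7-Zip's checksum function reports for the same ZIP, so the recipient can recompute it after the SAFE transfer and compare. One caveat the validator will surface: the Category ID RS.RP/CO-1 in the table below contains a slash, which is a path separator and will be rejected by the special-character check; a slash-free form of that ID (for instance one of its component IDs, RS.RP-1) is a suggestion of this example, not a naming rule stated by the request.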

Articles Request April 2019 Page 1 of 9


Requested articles (table columns: Category ID, Category, Document Request, Description, Statute or SAM §5300 Controls, NIST Controls)

ID.GV-1, ID.GV-4
  Category: ID.GV-1 Entity information security policy is established and governance and risk management processes address cybersecurity risks. ID.GV-4 Governance and risk management processes address cybersecurity risks.
  Document Request:
    1. Risk management strategy that includes risk identification, assessment, response and monitoring.
    2. Proof of implementation, review and updating of the risk management strategy.
    3. Documented information security program plan.
    4. Information Security Program Key Performance Indicators (KPIs).
  Description (Governance): Entity demonstrates a comprehensive strategy for managing cybersecurity risk and has a documented and approved information security program plan.
  Statute or SAM §5300 Controls: SAM 5305.1, SAM 5305.6, SAM 5305.9, SIMM 5305-A
  NIST Controls: NIST PM-1, NIST PM-6, NIST PM-9

ID.GV-2
  Category: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners.
  Document Request:
    1. Policy that establishes a security awareness program that:
       - provides training to all information system users
       - defines the frequency of the training
       - addresses role-based training
       - collects records in a timely manner
       - maintains training records
  Description (Governance): Establish a comprehensive enterprise security awareness and training policy for all users of IT.
  Statute or SAM §5300 Controls: SAM 5320
  NIST Controls: NIST AT-1, NIST PM-1, NIST PM-2, NIST PM-13, NIST PS-7, NIST SP 800-16

ID.GV-PRV-1
  Category: Privacy Impact Assessment (PIA) and Privacy Threshold Analysis (PTA)
  Document Request:
    1. Provide proof or documentation of a policy establishing a process to perform PIAs for systems, programs and other activities that pose a privacy risk.
    2. Provide list(s) of completed and current projects, and be prepared to provide proof of a PTA for all selected projects and a PIA where applicable. (NOTE: The auditor will request samples of PTAs and PIAs during fieldwork.) For completed projects requiring a PIA, provide documentation or confirmation that PIA findings were mitigated by completion of the project. (NOTE: The auditor will request samples during fieldwork.)
    3. Provide proof or documentation of the State Entity's risk management strategy (e.g., POAM, record of risk register, and risk governance meeting decisions) showing that PIAs with findings are included in the strategy.
    4. Provide proof or documentation of a process for review and revision of the PIA Policy at least annually.
  Description (Governance): Establish an enterprise policy and direct the development and maintenance of an organizational Privacy Program that defines the overall Privacy Program, explicitly describes the applicability of privacy policy to enterprise business processes, and ensures compliance with the CA Information Practices Act.
  Statute or SAM §5300 Controls: SAM 5305.6, SAM 5330.2, SIMM 5305-A
  NIST Controls: NIST AR-2(b), NIST SA-3(b), NIST SP 800-53 Appendix J AR-1(f)

ID.GV-PRV-2
  Category: Privacy Policy Statement
  Document Request:
    1. Copy of the privacy policy from the Entity's website (the link is expected to be on the home page) and the date it was acquired.
    2. Provide proof or documentation that the Chief Privacy Officer (CPO) or Privacy Program Coordinator (PPC) approved the privacy policy.
    3. Provide proof or documentation that the Entity's legal counsel has been consulted on the approval of the privacy policy.
    4. Provide proof or documentation of a policy and processes for revision of the Privacy Policy Statement at least annually.
  Description (Governance): Establish an enterprise policy and direct the development and maintenance of an organizational Privacy Program that defines the overall Privacy Program, explicitly describes the applicability of privacy policy to enterprise business processes, and ensures compliance with the CA Information Practices Act.
  Statute or SAM §5300 Controls: Government Code Section 11015.5, Government Code Section 11019.9, SAM 5300.2, SAM 5310.1, SIMM 5310-A
  NIST Controls: NIST SP 800-53 Appendix J AR-1(f), Appendix J TR-1


ID.GV-PRV-3
  Category: Privacy Systems Inventory
  Document Request:
    1. Provide proof or documentation of a records inventory for all systems (paper and electronic) that contain personal information.
    NOTE: These articles are being collected for the SRG Privacy Program Compliance Review.
  Description (Governance): Establish an enterprise policy and direct the development and maintenance of an organizational Privacy Program that defines the overall Privacy Program, explicitly describes the applicability of privacy policy to enterprise business processes, and ensures compliance with the CA Information Practices Act.
  Statute or SAM §5300 Controls: SAM 1612, SAM 5315.3
  NIST Controls: NIST SE-1

ID.GV-PRV-4
  Category: Privacy Notice on Collection
  Document Request:
    1. Provide proof or documentation of the notice on collection for each instance of personal information collection.
    NOTE: These articles are being collected for the SRG Privacy Program Compliance Review. SRG will request samples during its compliance review.
  Description (Governance): Establish an enterprise policy and direct the development and maintenance of an organizational Privacy Program that defines the overall Privacy Program, explicitly describes the applicability of privacy policy to enterprise business processes, and ensures compliance with the CA Information Practices Act.
  Statute or SAM §5300 Controls: Civil Code Section 1798.17, SAM 5310.1, SIMM 5310-A
  NIST Controls: NIST SP 800-53 Appendix J TR-1, Appendix J TR-3(b)

ID.GV-PRV-5
  Category: Privacy Program
  Document Request:
    1. Provide proof or documentation of the Entity head's direction to establish a privacy program.
    2. Provide proof or documentation that the CPO or PPC is carrying out the duties associated with confirming Entity compliance (e.g., duty statement; serving as the point of contact for privacy complaints, with a record of handled complaints; meeting agendas and minutes for reviews with business areas and project teams; documentation of internal auditor or independent third-party reviews; etc.).
    NOTE: These articles are being collected for the SRG Privacy Program Compliance Review.
  Description (Governance): Establish an enterprise policy and direct the development and maintenance of an organizational Privacy Program that defines the overall Privacy Program, explicitly describes the applicability of privacy policy to enterprise business processes, and ensures compliance with the CA Information Practices Act.
  Statute or SAM §5300 Controls: Civil Code Section 1798.22, SAM 5305.3, SAM 5310, SIMM 5305-A, SIMM 5330-A
  NIST Controls: NIST SP 800-53 Appendix J AR-1(a) through (j)

ID.AM-1
  Category: Physical devices and systems within the Entity are inventoried.
  Document Request:
    1. Policy for physical device information system inventory records.
    2. Procedures for physical device information system inventory records.
    3. Physical device inventory records that include identifying elements such as operating system, asset number, etc.
    4. Evidence of timely collection of records.
    5. Evidence of physical device inventory review by designated organizational officials.
  Description (Asset Management): Addresses the inventory of all systems, components and hardware, such as servers, workstations, routers and firewalls.
  Statute or SAM §5300 Controls: SAM 5305.5, SIMM 5305-A
  NIST Controls: NIST CM-8


ID.AM-2
  Category: Software platforms and applications within the Entity are inventoried.
  Document Request:
    1. Policy addressing information system software/application component inventory.
    2. Procedures addressing information system software/application component inventory.
    3. Software and application inventory records.
    4. Name(s) of the application blacklisting or whitelisting techniques used.
    5. Evidence of software and application inventory review by designated organizational officials.
  Description (Asset Management): Addresses the inventory of all software and applications, such as operating systems, user applications, cloud services, etc.
  Statute or SAM §5300 Controls: SAM 5305.5, SAM 5355, SIMM 5305-A
  NIST Controls: NIST CM-7, NIST CM-8

ID.AM-5
  Category: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.
  Document Request:
    1. Policy addressing system categorization and data classification.
    2. Procedures addressing system categorization and data classification.
    3. Inventory of all information systems and programs.
    4. Documented system categorization for systems that have been categorized.
    5. Documentation pertaining to system re-categorization, if contained in a different document.
  Description (Asset Management): Establish enterprise policy and practices for data classification.
  Statute or SAM §5300 Controls: SAM 5305.5, SAM 5305.6, SIMM 5305-A
  NIST Controls: NIST PL-2 (a4), FIPS 199

ID.BE-5
  Category: Resilience requirements to support delivery of critical services are established.
  Document Request:
    1. Technical Recovery Plan (TRP) testing/exercise documentation, including after-action reports and lessons learned from testing.
  Description (Business Environment): Annual testing/exercise documentation, including policies, procedures, results of contingency exercises, lessons learned, and corrective action planning/status (documentation of who, how, what, when).
  Statute or SAM §5300 Controls: SAM 5325.3, SIMM 5325-A
  NIST Controls: NIST CP-4, NIST CP-4(1)

ID.RA-1
  Category: Asset vulnerabilities are identified and documented.
  Document Request:
    1. Vulnerability management program and procedures.
    2. Listing of vulnerability scanning tools and techniques.
    3. Evidence that flaws and configuration issues are identified.
    4. Evidence that vulnerability impact is measured.
    5. Vulnerability management workflow from identification to remediation.
  Description (Risk Assessment): Entity has a comprehensive vulnerability management program.
  Statute or SAM §5300 Controls: SAM 5305.1, SAM 5345
  NIST Controls: NIST RA-5


PR.AC-1
  Category: Identities and credentials are managed for authorized devices and users.
  Document Request:
    1. Access control policy, including how identities/users are managed.
    2. Access control procedures, including how identities/users are managed.
    3. Procedures addressing access control for portable and mobile devices.
    4. Account management procedures, including account termination.
    5. Procedures and evidence of an automated Identity and Access Management solution for enterprise accounts, if any.
  Description (Access Control): Comprehensive, documented enterprise access management and provisioning strategy.
  Statute or SAM §5300 Controls: SAM 5360
  NIST Controls: NIST AC-1, NIST AC-2

PR.AC-2
  Category: Physical access to assets is managed and protected.
  Document Request:
    1. Physical security policy and procedures.
    2. Review and approval of access lists and authorization credentials.
    3. Removal process for separated employees/contractors.
    4. Social engineering tests.
  Description (Access Control): Physical security policy enforcement.
  Statute or SAM §5300 Controls: SAM 5365
  NIST Controls: NIST PE-1, NIST PE-3

PR.AC-3
  Category: Remote access is managed.
  Document Request:
    1. Remote access policy.
    2. Remote access procedures.
    3. Documentation of the implemented remote access technical solution.
  Description (Access Control): Remote access policy enforcement.
  Statute or SAM §5300 Controls: SAM 5360, SAM 5360.1
  NIST Controls: NIST AC-1, NIST AC-17, NIST IA-2

PR.AC-5
  Category: Network integrity is protected, incorporating network segregation where appropriate.
  Document Request:
    1. Documented network and system diagrams (technical schematics) showing interfaces with ingress and egress points, DMZ, and internal network segmentation.
    2. Documented risk assessment for a risk-based network design.
  Description (Access Control): Technical enforcement of security layers.
  Statute or SAM §5300 Controls: SAM 5350
  NIST Controls: NIST SC-7, NIST CM-7

PR.DS-1A
  Category: Data-at-rest is protected (portable and mobile devices).
  Document Request:
    1. Encryption policy for portable and mobile devices.
    2. Encryption policy that defines the mobile devices for which full-device encryption is required.
    3. Documented process for cryptographic key management that encompasses the entire lifecycle of cryptographic keys.
    4. Evidence showing that the encryption technology is FIPS 140-2 validated.
  Description (Data Security): Protecting confidential and sensitive data at rest.
  Statute or SAM §5300 Controls: SAM 5350.1
  NIST Controls: NIST SC-12, NIST AC-19(5), NIST SC-28, FIPS 140-2


PR.DS-1B
  Category: Data-at-rest is protected (databases and non-mobile devices).
  Document Request:
    1. Encryption policy for databases and non-mobile devices.
    2. Inventory of all data on sensitive and confidential databases and non-mobile assets.
    3. Documented process for cryptographic key management that encompasses the entire lifecycle of cryptographic keys.
    4. Evidence showing that the encryption technology is FIPS 140-2 validated.
  Description (Data Security): Protecting confidential and sensitive data at rest.
  Statute or SAM §5300 Controls: SAM 5350.1
  NIST Controls: NIST SC-12, FIPS 140-2

PR.DS-2
  Category: Data-in-transit is protected.
  Document Request:
    1. Encryption policy that covers data in transit for the internal network, internet-facing applications, and applications outside the network boundary.
    2. Policy that outlines the encryption standards used.
  Description (Data Security): Protecting confidential and sensitive data in transit.
  Statute or SAM §5300 Controls: SAM 5350.1
  NIST Controls: NIST SC-8, NIST 800-141

PR.AT-1, PR.AT-2
  Category: PR.AT-1 All users are informed and trained. PR.AT-2 Privileged users understand roles & responsibilities.
  Document Request:
    1. Evidence of general and role-based security and privacy awareness training.
    2. Listing of completed security awareness training.
    3. Proof that training has been administered within 30 days of onboarding.
  Description (Awareness and Training): Comprehensive security and awareness training program with regular and periodic training for all users of IT, including privileged users.
  Statute or SAM §5300 Controls: SAM 5320, SAM 5320.3
  NIST Controls: NIST AT-1

DE.AE-3
  Category: Event data are aggregated and correlated from multiple sources and sensors.
  Document Request:
    1. Audit and accountability policy.
    2. Audit and accountability procedures.
    3. Policy that defines what event and log information will be collected and at what frequency.
    4. Demonstration of event logging, review and analysis capability.
  Description (Anomalies and Events): Deploy organization-specific event analysis capabilities for critical infrastructure environments.
  Statute or SAM §5300 Controls: SAM 5535.2
  NIST Controls: NIST AU-1, NIST AU-2, NIST AU-3, NIST AU-6, NIST AU-6(4)

DE.CM-1, DE.CM-4, DE.CM-8
  Category: DE.CM-1 The network is monitored to detect potential cybersecurity events. DE.CM-4 Malicious code is detected. DE.CM-8 Vulnerability scans are performed.
  Document Request:
    1. Demonstrate how firewalls and intrusion detection/prevention systems (IDS/IPS) are used in the environment.
    2. Documented network defense architecture diagram that depicts security-related defense technology such as IDS/IPS.
    3. Evidence demonstrating that network-level alerts are tied to the incident management system.
    4. Procedures for how IDS/IPS systems are tuned for the environment.
  Description (Continuous Monitoring): Establish enterprise policy and practices for establishing connections with the IT infrastructure, including identification and definition of the connection types used throughout the enterprise.
  Statute or SAM §5300 Controls: SAM 5340, SIMM 5340-A
  NIST Controls: NIST SI-4, NIST IR-4(1), NIST SC-7


DE.DP-1, DE.DP-3, DE.DP-4
  Category: DE.DP-1 Roles and responsibilities for detection are well defined to ensure accountability. DE.DP-3 Detection processes are tested. DE.DP-4 Event detection information is communicated to appropriate parties.
  Document Request:
    1. Documented communication plan that includes escalation criteria with clear thresholds for communication, to best inform decisions with the appropriate authorities.
    2. Documented roles and responsibilities for detection capabilities.
    3. Organization's schedule of incident response tests, the results of recent incident response tests, and documented processes and procedures requiring tests of anomalous-activity controls.
  Description (Detection Processes): Exposure and intrusion detection and prevention capability.
  Statute or SAM §5300 Controls: SAM 5330.2, SAM 5340, SAM 5340.4, SIMM 5340-A
  NIST Controls: NIST AT-3, NIST SI-4(9)

PR.IP-1
  Category: A baseline configuration of information technology/industrial control systems is created and maintained.
  Document Request:
    1. Policy for configuration baselines.
    2. Evidence of documented configuration baselines for workstations, servers, network devices and mobile devices.
  Description (Information Protection Processes and Procedures): Establish enterprise policy that directs the development and maintenance of organization-specific platform development standards, processes, and procedures.
  Statute or SAM §5300 Controls: SAM 5315.5
  NIST Controls: NIST CM-2

PR.IP-3
  Category: Configuration change control processes are in place.
  Document Request:
    1. Configuration management policy, procedures addressing configuration management, configuration management plan, or other relevant documents.
    2. System configuration change control policy and procedures.
    3. Change control records retained for the audit period. (NOTE: The auditor will request samples during fieldwork.)
  Description (Information Protection Processes and Procedures): Establish a comprehensive change management process, workflow and database.
  Statute or SAM §5300 Controls: SAM 5315.5
  NIST Controls: NIST CM-1, NIST CM-2

PR.IP-5
  Category: Policy and regulations regarding the physical operating environment for organizational assets are met.
  Document Request:
    1. Physical and environmental controls policy.
    2. Proof of alerts for physical and environmental controls such as humidity, power, temperature, etc.
    3. Evaluation of controls with identified gaps.
  Description (Information Protection Processes and Procedures): Evaluate and enforce existing physical security policies and practices through monitoring and audit reporting.
  Statute or SAM §5300 Controls: SAM 5365
  NIST Controls: NIST PE-1

RC.RP-1
  Category: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
  Document Request:
    1. Current Business Impact Assessment (BIA) or California Office of Emergency Services (OES) Continuity Plan Evaluation Checklist.
    2. The resulting plan(s) that include RPOs and RTOs. Types of plans: Business Continuity Plan (BCP), Continuity of Operations Plan (COOP), Crisis Communications Plan, Critical Infrastructure Plan (CIP), Cyber Incident Response Plan, Disaster Recovery Plan (DRP), Information System Contingency Plan (ISCP), Occupant Emergency Plan (OEP).
    3. Evidence that the BIA process is recurring and informs the plan, and vice versa.
  Description (Recovery Planning): Comprehensive technology recovery planning.
  Statute or SAM §5300 Controls: SAM 5325, SAM 5325.1, SAM 5345, SIMM 5325-B
  NIST Controls: NIST CP-2, NIST SP 800-34


RS.RP/CO-1 (RS.RP-1, RS.CO-1, RS.CO-2)
  Category: RS.RP-1 Response plan is executed during or after an event. RS.CO-1 Personnel know their roles and order of operations when a response is needed. RS.CO-2 Events are reported consistent with established criteria.
  Document Request:
    1. Incident response plan documentation.
    2. Documented incident response plan that reports discovered incidents via Cal-CSIRS.
    3. Incident response training, including staff roles and responsibilities.
  Description (Response Planning): Entity has policy, processes and training in place for incident response.
  Statute or SAM §5300 Controls: SAM 5340, SAM 5341.1
  NIST Controls: NIST IR-1, NIST IR-2, NIST IR-8

RS.AN-1
  Category: Notifications from detection systems are investigated.
  Document Request:
    1. Organization incident response policy and procedures.
    2. Documented investigations with a post-incident report.
    3. Evidence of tracking of all security events, including non-reportable incidents.
    4. Trend analysis documentation for a 12-month cycle.
  Description (Analysis): Establish repeatable and consistent enterprise policy, processes, and practices for security incident response and management.
  Statute or SAM §5300 Controls: SAM 5340
  NIST Controls: NIST IR-1

SSP-1
  Category: System Security Plan for all critical systems.
  Document Request:
    1. Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; other relevant documents or records.
  Description (System Security Plan): The objective of system security planning is to improve protection of information system resources. All mission-critical systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan.
  Statute or SAM §5300 Controls: SAM 5315
  NIST Controls: NIST SP 800-18


ISP-1
  Category: Entity has information security and related policies.
  Document Request:
    Administrative
    1. Security planning policy and procedures.
    2. Security awareness and training policy and procedures.
    3. Contingency planning policy and procedures.
    4. Risk assessment policy and procedures.
    5. System and services acquisition policy and procedures.
    6. Security assessment and authorization policy and procedures.
    7. Audit and accountability policy and procedures.
    8. Acceptable use (rules of behavior) and disclosure policies and procedures, including:
       - Display of a system use notification message or security banner.
       - Email use, retention, forwarding, auto-response agents and etiquette.
       - Internet use, browsing, downloads and etiquette.
       - Social media technologies.

    Operational and Technical
    1. Access control policy and procedures.
    2. Identification and authentication policy and procedures.
    3. Technology upgrade policy.
    4. Security patches and security upgrade policy.
    5. Firewall configuration policy.
    6. Server configuration policy.
    7. Server hardening policy.
    8. Software management and software licensing policy.
    9. Peer-to-peer technology policy.
    10. Encryption policy requiring encryption or approved compensating security control(s).
    11. Remote access policy.
    12. Data download policy.
    13. System and communications protection policy and procedures.
    14. Incident response policy and procedures, which must align with SIMM 5340-A and SIMM 5340-C.
    15. Media protection policy and procedures.
    16. Physical and environmental protection policies and procedures.
    17. Data destruction policy and procedures.
  Description (Information Security Policy and Procedures): See the Document Request above for the minimum set of policies and procedures required to support information security program goals and objectives.
  Statute or SAM §5300 Controls: SAM 5305, SIMM 5305-A
  NIST Controls: NIST PL-1
