CALIFORNIA CDCR
Department Operations Manual
Search the official CDCR operations manual — 6,509 sections covering every aspect of California's correctional system. A resource for families, advocates, and legal professionals.
Source: CDCR 2024 DOM (PDF) · Updated January 1, 2024
41010.1 Policy
The Director, Enterprise Information Services (EIS) and Executive Management of the California Department of Corrections and Rehabilitation (CDCR) recognize Information Technology (IT) as an indispensable tool of modern government. Therefore, it is the policy of the Director to support and promote the departmental use of innovative information technologies in order to increase worker productivity, improve departmental services, and strengthen the overall effectiveness of management, while saving money and reducing the overall cost of government. The definitions and acronyms contained here ensure the consistent use of IT definitions and acronyms throughout the Department Operations Manual (DOM) Chapter 4 – Information Technology.
41010.2 Purpose
The purpose of the Department’s IT Definitions and Acronyms policy is to ensure that proven management methods for the guidance and control of planning, acquisition, development, operation, maintenance, and evaluation of information management applications are established in a manner that provides for the most efficient, effective, and economical use of the Department's resources for IT.
41010.3 Definitions
-A-
Access: Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
Access Authorization: The granting of permission to execute a set of operations in a computer system.
Access Control: The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances).
Access Management Group: A group that is responsible for access permissions granted to CDCR’s Information Assets, including the CDCR Network, and departmental applications and databases.
Accountability: The state of being liable, responsible and answerable.
AISO: Agency Information Security Office - Provides information security recommendations, guidance, and authority.
AMS: Application Maintenance and Support - Provides IT business application development, maintenance and support services spanning across all CDCR divisions, including adult and juvenile offenders, parole operations, and administration.
Application Disaster Recovery Plan: A plan devised to process a computer application (application) after it has been disrupted for some period of time.
Asset: Anything (tangible or intangible) that has value to CDCR.
Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. To access most technology services you must provide such proof of identity. In private and public computer networks (including the Internet), authentication is commonly used by requiring login passwords or passphrases; knowledge of such is assumed to guarantee that the user is authentic.
Thus, when you are asked to “authenticate” to a system, it usually means that you enter your username and/or password for that system.
Authorization: In computing systems, authorization is the process of determining which permissions a person or system is supposed to have. In multi-user computing systems, a system administrator defines which users are allowed access to the system, as well as the level of privileges they are eligible to access (e.g., access to file directories, hours of access, amount of allocated storage space). Authorization can be seen as both the preliminary setting of permissions by a system administrator, and the actual checking of the permission values when a user obtains access. Authorization is usually preceded by authentication.
Availability: Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
-B-
Back-up: A process by which data is copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted.
BIS: Business Information System - A fully implemented automated business management system that creates, tracks, and reports all of the Department’s business transactions.
Blog: A web site containing frequent publications of personal thoughts and web links, coined from the words weblog, maintained for the purpose of commentary, or other material such as graphics or video.
BPH: Board of Parole Hearings - Conducts parole consideration; rescission, parole, revocation, and parole progress hearings for adult inmates and parolees.
Business Continuity Management Program: An ongoing governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, and maintenance.
Business Continuity Plan (BCP): A plan that documents arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical business functions after an interruption.
-C-
CALPIA: California Prison Industry Authority - A State-operated agency that provides productive work assignments for offenders in California’s adult correctional institutions. CALPIA operates more than 60 service, manufacturing, and agricultural industries at prisons throughout California.
CAS: Corrections Application Solutions - Develops and maintains applications and systems used by divisions and programs throughout CDCR to support statewide offender, parole, and juvenile operations.
CCHCS: California Correctional Health Care Services - A department under federal receivership responsible for providing constitutionally adequate medical care to patient-inmates of the CDCR within a delivery system the state can successfully manage and sustain.
CDCR Network: The system of telecommunication devices, workstations, servers, and peripherals used to provide inter- and intra-facility connectivity that enable CDCR employees to access information assets and electronic communications. The CDCR Network is managed by the CDCR Enterprise Information Services (EIS) division and the Office of Technology Services (OTech).
Chain E-mail or Letter: E-mail sent to successive people. Typically the email contains directions for the recipient to forward the email to multiple people. The contents usually contain promises of good luck for the recipient or money if the directions are followed.
Classification: The assignment of information, including a document, to a category on the basis of its sensitivity concerning disclosure, modification, or destruction.
Client (User): The individual or organization that utilizes a product.
Community Transition Program (CTP): CTP obtains and utilizes information about offenders in order to develop and implement effective and specific reentry plans that maximize a parolee’s opportunity to successfully reintegrate into the community.
Component: A component is defined in SAM § 5013 as any individually identified piece of hardware, such as the mainframe, tape drive, disk drive, power supply unit, controller, punch, reader, printer, modem, CRT, keyboard, remote device, and the like.
Computer Contaminant: Any set of computer instructions that, outside the intent and without the permission of the owner of such information, is designed to modify, damage, or destroy a computer, system, or network, or to record or transmit information within a computer, system, or network. Such contaminants include, but are not limited to, the group of self-replicating or self-propagating computer instructions commonly termed viruses, Trojans, and worms which are designed to affect computer programs or data, consume computer resources, modify, destroy, record or transmit data, or otherwise usurp the normal operation of the computer, system, or network.
Computer Network: Any system that provides communication among one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
Computer Program or Software: A set of instructions, or statements or related data, that when executed in actual or modified form cause a computer, system, or network to perform specified functions.
Computer Security: The technological safeguards and managerial procedures that can be applied to computer hardware, programs, data, and facilities to ensure the availability, integrity, and confidentiality of computer-based resources. This can also include assurance that intended functions are performed as planned.
Computer Services: Includes, but is not limited to, computer time, data processing, storage functions, other uses of a computer, system, or network.
Computer System: A device or collection of devices, including support devices but excluding calculators that are not programmable and not capable of being used in conjunction with external files, one or more of which contains computer programs, electronic instructions, input data, and output data, and which performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control.
Computer-Based Tools: Software or computer programs that improve or enable a user’s ability to configure and manage IT components.
Confidential Information: Information maintained by State agencies that is exempt from disclosure under provisions of the California Public Records Act (PRA) (GC § 6250 et seq.) or other applicable state or federal laws. All inmate, parolee, ward, and employee information that has not been explicitly defined as public information in §3261.2 of Title 15 should be treated as Confidential Information.
Confidentiality: Assurance that information is shared only among authorized persons or organizations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating other data. The classification of the information should determine its confidentiality and the appropriate safeguards.
Correctional Offender Management Profiling for Alternative Sanctions (COMPAS): Enables CDCR to perform needs assessments and follow adult offenders from their intake at the reception centers through the completion of their parole supervision requirements.
Cost Thresholds: Cost thresholds are the set dollar amounts assigned to agencies based on their size and past experiences with Department delegations can be found at: http://www.cio.ca.gov/Contact_Us/staff_assignments.html
CPAT: California Parole Apprehension Team – Enhances public safety through parole intervention and parolee-at-large apprehension.
Critical Application: An application that is so important to the Department that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or Department employees, the fiscal or legal integrity of operations, or the continuation of essential programs.
CTA: California Technology Agency – State of California’s IT control agency.
Custodian of Information: An employee or organizational unit (such as a data center or information processing facility) acting as caretaker of an automated file or database.
-D-
DART: Desktop Advanced Research Team – Provides system level operational support of all end-point devices.
Data: A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automated means.
Data Classification: Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, sorted, or transmitted. The classification of the data should then determine the extent to which the data needs to be controlled/secured and is indicative of its value in terms of Business Assets. The classification of data and documents is essential to differentiate between that which is of little (if any) value, and that which is highly sensitive and confidential. The classification of data helps determine what baseline security controls are appropriate.
Data Processing Equipment: Computers, network components, and other devices that facilitate, enable, or depend upon data communications. Network devices such as, but not limited to, routers, hubs, wires, and servers are data processing equipment.
Data Processing Systems: A system, including computer systems and associated personnel, that performs input, processing, storage, output, and control functions to accomplish a sequence of operations on data.
Data Security: Protecting data from unauthorized access, modification, destruction, or disclosure.
Data Transmission: The conveying of data from one functional unit to one or more additional functional units through the transmission of signals by wire, radio, light beam, or any other electromagnetic means.
DEC: Disability Effective Communications System – An IT program created and maintained by EIS that ensures that inmate and parolee due process rights are recognized by identifying and accommodating their disabilities and effective communication special needs.
Decentralized Applications: Systems that run on more than one computer in geographically separated locations. The term also refers to systems that are not supported by a single organization, such as EIS.
Defect: A variance from specifications/standards or an attribute/function not contained in the software requirements specifications.
Denial of Service: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
Deputy Director Operations: Responsible for all aspects of EIS’s day-to-day operations.
Development: Activities or costs associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new IT applications.
Disaster Recovery Operation: The act of recovering from the effects of a disaster or disruption to a computer facility, and the preplanned restoration of facility capabilities.
Disaster: A human or natural occurrence causing destruction and distress, after which a business is deemed unable to function.
Disaster Recovery: The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.
DRP: Disaster Recovery Plan – The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Plan.
Documentation: Information about how specific applications are constructed, maintained, and used. It includes, but is not limited to, system and program design specifications, record formats, report layouts, program source and object code, job control language specifications, run instructions, key entry instructions, and data definitions.
DRD Tracker: Discharge Review State Tracker – Creates a calendar-based event driven solution which allows field agents and case records staff to determine when a parolee is due for a Discharge Review.
-E-
E-mail: Written communication transmitted electronically using computers connected to network(s). Today’s email systems are based on a store-and-forward model. Email servers accept, forward, deliver and store messages. Neither the users nor their computers are required to be online simultaneously; they need connect only briefly, typically to an email server, for as long as it takes to send or receive messages.
EdCATS: Education Classroom Attendance Tracking System – Allows teachers to log academic and vocational classroom hours and track milestones achieved by students while attending those classes.
EIS: Enterprise Information Services – A division of CDCR responsible for the enterprise-wide execution of all IT systems and services.
Electronic Data Processing (EDP) Equipment: EDP equipment is defined as:
• Central processing units and all related features and peripheral units, including processor storage, console devices, channel devices, etc.
• Minicomputers, microcomputers, personal computers, and all peripheral units associated with such computers.
• Special purpose systems including word processing, magnetic ink character recognition, optical character recognition, photocomposition, typesetting, and electronic bookkeeping.
• Communications devices used for data transmission such as modems, data sets, multiplexors, concentrators, switches, local area networks, private branch exchanges, network control equipment, and microwave or satellite communications systems.
• Input-output (peripheral) units (off-line or on-line) including: terminals, card readers, optical character readers, magnetic tape units, mass storage devices, card punches, printers, computer output to microfilm converters, video display units, data entry devices, FAXs, teleprinters, plotters, or any device used as a terminal to a computer, and control units for such devices.
Encryption: Data encryption is a means of scrambling or ciphering the data so that it can be read only by the recipient – the person(s) holding the ‘key’ – a password of some sort. Without the ‘key,’ the ciphered data cannot be opened and read.
Enterprise Architecture (EA): The CDCR unit responsible for managing CDCR’s enterprise architecture program, a strategic practice for maintaining the IT architecture portfolio to facilitate more informed and effective IT decision-making, both strategically and operationally. This includes, but is not limited to, the Business, Application, Information/Data, Technical, and Security Architecture domains.
eOMIS: Electronic Offender Management Information System – A real-time application that increases the availability of accurate and complete offender information so CDCR can more efficiently manage inmates.
ERMS: Electronic Records Management System – A document management system that provides a digitally scanned and uploaded central records repository.
EWACS: Enterprise Web and Collaboration Solutions – Provides web application development, operational support, and end user support for the enterprise. Develops public and internal facing web and client-based applications that meet various business needs.
-F-
Failure: Inability of a product or service to perform its required functions within previously established limits.
FIS: Field Information System – Documents all contacts by parole agents with juvenile offenders.
Forwarded E-mail: E-mail resent from an internal network to an outside point, whether internal or external to CDCR.
-G-
Guideline: A description that clarifies what should be done and how to achieve the objectives set out in policies.
-H-
Handheld Computer: Synonym for Personal Digital Assistant.
Hardening: A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.
Hardware: The physical equipment or machinery (computers, terminals, printers, disc drives, etc.) used in IT systems.
HAWI: Holds and Warrants Interface – Easily accesses parolee information to automate the issuance of holds and warrants.
High Risk Confidential Information (HRCI): Non-public information that if disclosed could result in a significant harm (including financial, legal, risk to life and safety or reputational damage) to the CDCR or individual(s).
Examples of HRCI include, but are not limited to, information such as the following:
• Personally identifiable information such as person’s name in conjunction with the person’s Social Security Number, credit or debit card information, individual financial account, driver’s license number, state ID number, passport number, or a name in conjunction with biometric information;
• Personal health information such as any information about health status, provisions of health care, or payment for health care information as protected under HIPAA;
• Correctional Offender Record Information;
• Information that if disclosed would “reveal vulnerabilities to, or otherwise increase, the potential for an attack on an IT system of a public agency.” Examples include, but are not limited to, firewall and router configurations, server names, IP addresses, and other system configuration details;
• Any documentation of information which contains information or data within any Gang Database.
• Records of investigations, intelligence information, or security procedures. This includes, but is not limited to, information identifying confidential informants.
-I-
Information Assets: All categories of information existing in any form, including electronic or hard copy that is stored, used, or created by CDCR and have value to the organization.
Information Governance: The process of official enterprise-level decision making for CDCR information standards to ensure the effective, efficient, and secure use of CDCR information. This includes officially making and adopting Data Classification decisions for CDCR information.
Information Integrity: The condition in which information or programs are preserved for their intended purpose, including the accuracy and completeness of information systems and the data maintenance within those systems.
Information Owner: Group(s) or person(s) responsible for individual and/or collective decision-making regarding specific CDCR Information Assets.
This includes decision-making regarding the appropriate use, access, controls, and Data Classifications for those Information Assets.
Information Processing: The systematic performance of operations upon data such as handling, merging, sorting, and computing; synonymous with data processing systems.
Information Security: The protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information exists in many forms: printed or written on paper, stored electronically, transmitted by post or electronic means, on films, and spoken.
Information Security Incident: An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Information Security Standards and Guidelines (ISSG): Compilation of the standards and guidelines comprising CDCR’s program to ensure the protection and security of information assets.
Information Technology: All computerized and auxiliary automated information handling, including: Systems design and analysis; conversion of data; computer programming; information storage and retrieval; voice, video, and data communications; requisite system controls; simulation; and, all related interactions between people and machines.
Input-Output Unit/Device: The equipment used to communicate with a computer; commonly termed I/O (Input/Output).
Instant Message (IM): A type of communications service that enables a user to exchange text messages in real time among two or more individuals logged into a particular instant messaging system from a computer workstation.
Integrity: As it pertains to data, is the assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose.
The integrity is not only whether the data is correct, but also whether it can be trusted and relied upon.
Internet: The World Wide Web (WWW), consisting of a network of networks.
Intranet: A term that refers to a closed network of networks. In the context of CDCR, it refers to the web portal used for hosting information and documents for internal CDCR users only.
IS: Infrastructure Services – Creates, maintains, and supports all enterprise data activity necessary to facilitate CDCR’s current and future business needs as well as provide ongoing operations, production implementation, and control in a secure manner.
ISC: Information Security Coordinator – Each entity’s ISC is responsible for ensuring that applicable CDCR IT security policies and procedures are followed.
IT CSFO: IT Customer Service and Field Operations – Provides quality service, guidance and direction to customers in order to support their business needs by implementing cost-effective, innovative technologies and adopting operational IT best practices and standards.
ITPSP: IT Policy and Strategic Planning – Drives enterprise IT planning efforts necessary to support the Agency’s mission and future investments while ensuring compliance with national, State and local mandates.
-J-
-K-
-L-
Law Enforcement Automated Data System (LEADS): Parole LEADS is a web-based computer system that provides local California law enforcement agencies with information on CDCR parolees.
Life Cycle: The anticipated length of time that the IT system or application can be expected to be efficient and cost-effective and can continue to meet the agency’s programmatic requirements; synonymous with operational life of a system.
LINX: Link Investigation and Network Cross-Reference – Centralized web-based application that contains inmate gang affiliations and validation for adult offenders.
Local Area Network: A Local Area Network (LAN) is a computer network consisting of telecommunications devices such as routers, hubs, switches, firewalls, and computers such as workstations, servers, and peripheral devices.
LSTS: Lifer Scheduling and Tracking System – Supports the inmates sentenced to life parole suitability hearing process.
-M-
Mainframe: Refers to large computers typically housed in a data center environment and running legacy systems. Mainframe computers have security components, such as Resource Access Management Systems, integrated into the operating system and can support many hundreds of users simultaneously.
Malicious Software: Malicious software, or malware, is any set of computer instructions that, outside the intent and without the permission of the owner of such information, is designed to modify, damage, or destroy a computer, system, or network, or to record or transmit information within a computer, system, or network. Such contaminants include, but are not limited to, the group of self-replicating or self-propagating computer instructions commonly termed viruses. Trojan Horses and worms are designed to affect computer programs or data, consume computer resources, modify, destroy, record, or transmit data, or otherwise usurp the normal operation of the computer, computer system, or computer network. Malware includes computer viruses, computer worms, Trojan Horses, most root kits, spyware, dishonest adware and other malicious or unwanted software.
MDO: Mentally Disordered Offender – Database that tracks MDO holds, creates hearing schedules, generates confirmation letters for evaluators and attorneys, and tracks MDO cases.
Mission-Critical Applications: Applications defined by CDCR that support business activities or processes that cannot be interrupted or unavailable for the Recovery Time Objective (RTO) defined by the agency without significantly jeopardizing the organization.
-N-
Need-to-Know: Refers to a person having both a legitimate right and a reason to obtain information.
NIST: National Institute of Standards and Technology – A measurement standards laboratory which is a non-regulatory agency. NIST promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology.
-O-
OBITS: Offender Based Information Tracking System – Mission critical master record for all juvenile offender activity that feeds information into multiple systems.
One-Time Costs: Costs occurring only once that are associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new IT applications.
Operational Life: See Life Cycle.
Operations: Activities or costs associated with the continued use of IT applications. Operations include personnel associated with computer operations, including network operations, job control, scheduling, and key entry. It also includes the costs of computer time and other resources needed for processing. See SAM Section 4819.2.
OTech: Office of Technology Services – Provides IT services to many state, county, federal and local government entities throughout California.
Owner of Information: See Information Owner.
-P-
PACATS: Parolee Automated Cash Assistance Tracking System – Tracks cash assistance provided to parolees throughout the state, separated by assistance type.
PAL Trax: Parolee At Large Tracking System – Tracks CPAT agent caseloads.
Parole-LEADS: See Law Enforcement Automated Data System.
Personal Digital Assistant (PDA): Palm-sized computer that syncs with a computer workstation and allows users to refer to information from the workstation without having to print it out. Schedules, e-mails, documents, and spreadsheets as well as reference material such as dictionaries and phone lists can be stored and accessed as needed on the device. PDAs often are capable of wireless connectivity with LANs and the Internet.
Personally Identifiable Information: Personally Identifiable Information (PII) is the manifestation of an individual’s first name or first initial and last name, in combination with one or more of the following:
• Social Security Number;
• Driver’s license number;
• State issued ID card;
• Credit or debit card number in combination with any required security code or password that could permit access to an individual’s financial account;
• Medical information, history, mental or physical condition, treatment or diagnosis by a health care professional;
• Health information, policy number or subscriber ID, unique identifier, or any information in an application and claims history, including any appeals records.
Physical Security: The measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against unauthorized access, damage, and theft.
Post Implementation Evaluation Report (PIER): The review of a computer, computer system, or computer network that has been in operation for at least six months and no longer than two years for the purpose of matching the requirements of the system against what has been produced so as to ensure that stated requirements have been met.
Policy: Overall intention and direction as formally expressed by management.
PPPMA: Policy/Planning, Project Management and Acquisitions is the EIS unit responsible for EA, PPRM, QPAC, and ITPSP.
PPRM: Portfolio, Project and Resource Management is the EIS unit that improves the management of IT investments by utilizing project and portfolio management tools; incorporating proven methodologies; and following best practice disciplines to assist in the identification, ranking, and justification of investments and the implementation of funded projects.
PRAS: Parole Restitution Application System – Tracks original court ordered restitution payments and balances.

Privacy
The right of individuals and organizations to control the collection, storage, and dissemination of information about themselves.

Process
The work activities that produce products, including the efforts of people and equipment.

Product
The output of a process, including the goods and services produced by individuals and the organization.

Production Application
A computer-based process that stores, manipulates, or reports departmental information.

Program
In the IT field, a program is the set of instructions by which a computer operates to accomplish a specific task.

Program Application Manager
Department supervisory and management staff responsible for managing or supervising employees’ use of an automated file or database.

Programming
Detailed design encompassing the actual development and writing of program units or modules.

Project
A planned sequence of tasks to respond to a problem or opportunity; an activity with a beginning and an end and containing a set of resources.

Proprietary Software
Software packages which are developed by independent vendors and marketed to users.

Protected Health Information
Individually identifiable information in electronic or physical form created, received, or maintained by health care organizations such as health care payers, providers, plans, and contractors. State laws require special precautions to protect from unauthorized use, access or disclosure.

Protected Personal Information
Information that identifies or describes an individual and must be protected from inappropriate access, use, or disclosure as defined in applicable state and federal laws.

Protecting Sensitive Information
Typically means providing for one or more of the following:
• Confidentiality – Disclosure of the information must be restricted to designated parties.
• Integrity – The information must be protected from errors or unauthorized modification.
• Availability – The information must be available within some given timeframe (i.e., protected against destruction).
(NIST Computer System Laboratory CSL Bulletin 92-11.)

Public Information
Information maintained by State agencies that is not exempt from disclosure under the provisions of state or federal laws. Public Information is open to inspection by any person during normal business hours (PRA § 6253(a)).

-Q-

QPAC
Quality Project Authority and Compliance – Staff in EIS that advocates for CDCR’s IT projects to Control Agencies for the purpose of securing project authority and funding approval, as well as the project’s successful completion.

Quality
The extent to which a product meets the expectations and requirements of the user.

Quality Assurance (QA)
(1) A staff function designed to support line management in performing the Quality Control function. As such, QA identifies the processes (both good and bad) which affect quality, and is used to advise management of such effects. A management decision may then be necessary to ensure that QC techniques are implemented and maintained; and,
(2) The function that uses measurement and analysis to continually improve processing, procedures, and standards so that management can be reasonably assured of their staff following such methods, procedures, and standards, as well as staff’s ability to produce products which meet specified requirements.

Quality Control (QC)
(1) The collection of activities to ensure that defects are neither made nor implemented. While QA monitors the processes involved in the production cycle, QC is an integral part of work and is the responsibility of each employee; and,
(2) A line function used to measure quality associated with specific products or services. QC is the responsibility of each IT area, and it is the function responsible for the quality of the work being done within a specific area or for a specific project.

-R-

Recovery Point Objective (RPO)
The maximum amount of data loss an organization can sustain during an event.

Recovery Time Objective (RTO)
The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RTOs are used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation.

Requirement
The specification(s) for satisfying a user need is associated with a standard by which the satisfaction of that need can be measured.

Resource Access Management Facility
An application within IBM-based computer systems that reviews logons, passwords, and permissions before permitting access to information.

Risk
In the context of information systems, the likelihood or probability that a loss of information assets or breach of security will occur.

Risk Analysis
The process of identifying the vulnerabilities and threats to an organization by assessing the critical functions necessary for an organization to continue business operations, and defining the controls in place to reduce organization exposure and evaluating the cost for such controls.

Risk Assessment
Overall process of risk analysis and risk evaluation.

Risk Evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

Risk Management
The process of coordinating activities to direct and control the organization with regard to risk.

-S-

Sensitive Information
Information maintained by State agencies that requires special precautions to protect it from unauthorized use, access, disclosure, modification, loss, or deletion. Sensitive information may be either Public or Confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The key factor for Sensitive Information is that of integrity.
Typically, Sensitive Information includes records of financial transactions and regulatory actions.

Smartphone
A cellular telephone with built-in applications and Internet access. Smartphones provide digital voice service as well as text messaging, e-mail, Web browsing, still and video cameras, MP3 players, video viewing and often video calling. In addition to their built-in functions, smartphones can run a myriad of applications, turning the once single-minded cellphone into a mobile computer.

Software
Programs, procedures, rules, and any associated documentation pertaining to the operation of a system. (Contrast with hardware.)

Spam
Unauthorized and/or unsolicited electronic mass mailings.

Stakeholder
A person, group, organization, member, or system who affects or can be affected by an organization’s or system’s actions.

-T-

Threat
The potential cause of an unwanted incident, which may result in harm to a system or organization.

-U-

Unauthorized Disclosure
The intentional or unintentional disclosure of confidential information to people inside and/or outside the CDCR who do not have authorization predicated on a “need to know” basis.

Unit Testing
Testing performed on a single, stand-alone module or unit of code.

User Identification (ID)
The logon name an individual uses to access a computer or network system.

User of Information
An individual having specific limited authority from the owner of information to view, change, add to, disseminate, or delete such information.

-V-

Validation
The process of comparing a product in any stage of its development with specified requirements to determine whether the correct product is being produced.

Virus
Small but insidious piece of programming code that attacks computer and network systems through contaminated (infected) data files, introduced into a system via email, portable storage media or the Internet.
The code attaches itself to the target computer’s operating system or other programs, and may automatically replicate itself to spread to other computers or networks.

Vulnerability
A weakness of an asset or group of assets that can be exploited by one or more threats.

-W-

Wide Area Network (WAN)
Two or more LANs connected together. A communications network that uses devices over telephone lines, fiber-optics, satellite dishes, or radio waves to span a larger geographic area than can be covered by a LAN.

Wireless
Referring to communications transmitted without wires, such as radio, microwave, or infrared.

Workstation
Any device commonly called a microcomputer, personal computer, or terminal used for processing, storing, or sending information.

Worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself.

WWW
An abbreviation for World Wide Web. See Internet.

-X-

-Y-

-Z-

41010.4 Revisions The Director of EIS, or designee, shall be responsible for ensuring that the contents of this Article are kept current and accurate.
41010.5 References
GC §§ 6250 - 6265, and 11702 (a)
Title 15 § 3261.2
SAM §§ 4819.2, 5013, 5320.5
DOM §§ 52070.22, 52070.24
Health Insurance Portability and Accountability Act (HIPAA) of 1996
PC §§ 13100-13104
PRA § 6254.19
PRA § 6254 (f)
California Senate Bill 1386
Confidentiality of Medical Information Act, California Civil Code § 56 et seq.
Patients' Access to Health Records Act California Health and Safety Code §§ 123100-123149.5

ARTICLE 2 — EDP RESPONSIBILITY
Effective December 22, 1992

41020.1 Policy The Department’s executive management is responsible for the establishment of departmental policy pertaining to the use of information technology, the prioritization of departmental resources, and strategic planning and leadership to seek out opportunities for employing information technology toward achievement of the Department’s mission, goals, and objectives. Department executive leadership is responsible for ensuring that information technology is used within the guidelines contained in this manual section and those established by other control agencies.
41020.2 Purpose The purpose of this policy is to ensure that departmental resources and information technology are used optimally in achieving the Department’s mission, goals, and objectives. Additionally, this policy assures that uses of information technology follow the guidelines established internally by CDC management and externally by State control agencies.
41020.3 Management Information Systems Committee Revised October 6, 1993
The MIS Committee shall:
• Provide executive leadership in the development of EDP projects and policy.
• Enforce compliance of the project approval process with the Department’s Strategic Plan.
• Prioritize EDP projects in terms of their importance to the Department’s Strategic Plan.
• Review and enforce policy and procedures in support of EDP projects.
• As individual committee members, serve as liaisons with their respective end user communities to promote, coordinate, and facilitate automation efforts, and to ensure effective communication regarding EDP-related issues throughout all levels of the Department.
• Educate management in the advantages of automation, new EDP-related technical innovations, and methods to maximize the efficiency and benefits of automation, and to minimize EDP development and operating costs.
• Provide review and approval of all information technology procurements not covered under the approved Workgroup Computing Policy.
• Provide ongoing review of CDC-approved EDP projects, terminating those projects which are no longer consistent with the Department’s Strategic Plan.
Note that the MIS Committee does not make any decisions on funding of ITS projects. The committee only recommends the prioritization of these projects. See DOM 43020.4, Information Management Annual Plan, for additional information about the role and responsibilities of the MIS Committee.
41020.3.1 MIS Committee Composition
The MIS Committee is comprised of the following voting staff:
• The Chief Deputy Director (Chairperson).
• Three representatives from ASD.
• Three representatives from EC&ISD.
• Five representatives from Institutions Division.
• Three representatives from P&CSD.
• One representative from P&CD.
• One representative from CalPIA.
These representatives shall be appointed for an indeterminate period. In the absence of the Chief Deputy Director, the Deputy Director of ASD shall chair MIS Committee meetings. The committee shall meet on a quarterly basis and more often as needed. MIS Committee meetings are generally open to all wishing to attend.
41020.4 Responsibility MIS-SU Revised October 6, 1993
MIS-SU provides functional support to the MIS Committee. The MIS-SU’s responsibilities include: (1) coordinating MIS Committee meeting agendas; (2) coordinating the review of proposed ITS and to furnish recommendations for MIS Committee review; (3) preparing annual updates for the Cabinet on all CDC automation efforts for the current year and on strategic planning for the coming year; (4) developing, coordinating, and participating in presentations for the committee that address current technical innovations; (5) coordinating the review of ITS concepts to ensure compliance and consonance with the budget cycle; (6) recording the actions and decisions of the MIS Committee for distribution to appropriate departmental staff; and, (7) conducting special projects as assigned by the committee.

Departmental Workgroup Computing Coordinator
The Workgroup Computing Coordinator’s responsibilities include: (1) ensuring that workgroup computing hardware and software requests comply with departmental and control agency policy requirements; (2) preparing the appropriate certification documents for workgroup computing procurements; (3) providing assistance in the completion of workgroup computing requests; (4) maintaining the departmental Workgroup Computing Policy and Modem Policy, as well as related equipment request forms for distribution to departmental staff; (5) overseeing the personal computer Post Implementation Evaluation Report (PIER) process; (6) maintaining the departmental personal computer equipment inventory; and (7) maintaining a record of all personal computer procurements, including those justified through the use of an FSR, a CDC Internal Summary Fact Sheet, or the approved Workgroup Computing Policy.

Department Information Security Officer
The CDC Information Security Officer (ISO) is assigned management responsibility for overseeing and administering the Centralized Information Security Program and is charged with the responsibility of assuring the Department's compliance with the SAM 4840, Security and Risk Management; 4989.7, Security of Personal Computer Systems; and 20013, EDP Audit Requirements. This program encompasses all automated ITS for which CDC has administrative responsibility. It includes the procedures, guidelines, and safeguards that are required to protect data, confidentiality, and privacy rights and ensures the integrity, audibility, and controllability of these ITS. All new policies and revisions of existing policy relating to automated information security will emanate from this office.

ISD
It is the responsibility of ISD to establish and maintain the departmental EDP strategic planning process and to oversee the development of all departmental EDP policies, including assurance that such policies meet control agency guidelines. ISD is also responsible for ensuring that such considerations as compatibility and connectivity of all proposed automated projects are taken into consideration in the project approval process. ISD is responsible for the development, maintenance, operation, and support of all departmental PC applications except Institutions Division projects, and for all automated systems requiring control agency oversight unless specifically delegated to another unit by the MIS Committee. Under the User Project Management concept, the User Manager is responsible for all project reporting to control agencies, the user division, and the MIS Committee. ISD provides technical management and staff who work as team members accountable to the User Manager on the project and to ISD on technical issues (e.g., project schedules).
ISD is also responsible for tracking all projects approved by the MIS Committee, and ensuring that all projects comply with State reporting requirements. All project reporting to control agencies shall be coordinated through ISD, which shall maintain correspondence files on control agency reporting. ISD shall report directly to the appropriate Division (User Manager Concept) associated with each EDP Project, and to the MIS Committee on all approved projects. ISD is responsible for the security of information technology facilities, and for software and equipment used in automated information processing at all sites under ISD custodial responsibility. ISD also maintains the CDC Operational Recovery Plan for these systems. ISD provides functional support and assistance on all facility automated systems (except personal computers) to facility AISAs. ISD is also responsible for ensuring compliance with State audit requirements relating to the integrity of information assets. This includes systems auditing under ISD’s custodial realm of responsibility through participation in the departmental Peer, and PFAB’s auditing processes. ISD is responsible for establishment of the Department’s overall automation infrastructure and the successful use of automation within the Department. ISD consists of five major areas: Application Development and Maintenance Section, Technology Support Section, Project Initiation Unit, CMIS Section, and the Data Center Section.

Technology Support Section
The Technology Support Section provides support services to ISD in the following areas: personnel, recruitment, staff training, budgeting, procurement, interagency agreements and contract management, quality programs, space planning, and general office support. This section also provides support services to all branches of the EC&ISD for personnel, recruitment, and training.

Project Initiation Unit
The role of the Project Initiation Unit (PIU) is to provide guidance and assistance to CDC staff in starting new information technology projects. This includes providing guidance in the development of project concept proposals, feasibility studies, and other documentation required to obtain approval of an information system project. The PIU is responsible for tracking all approved projects and ensuring that all projects comply with State reporting requirements. Functional support, assistance and direction is provided to the ISAs on all system related issues by the Applications Systems Section.

Data Center Section
The Data Center manages maintenance and support functions with the best available tools in order to increase the time that ITS are available to the users/owners. This section of ISD is responsible for the continuous operation and reliability of computer hardware, database systems software, the systems' databases, and communications networks, as well as the security of departmental ITS. As part of the Data Center, the Network Services Unit and the Hardware/Telecommunications Unit provide data communications services and support to ISD and to other functional units as needed, ensure that standard approved practices are adhered to within the Department, and provide and promote the use of consulting resources to the Department when developing new systems or planning changes to existing data facilities.

CMIS Section
The role of the CMIS Section is to develop a single automated offender information system which satisfies the needs of all users of CDC’s offender information and serves as the hardware/software platform for all future systems development for the Department. Using state-of-the-art analysis techniques and project management tools, the CMIS Section is committed to providing the Department with an offender information system that meets the needs of the user community.

OISB
OISB has been designated the Department’s primary provider of summary statistical information about inmates and parolees. The OISB responds to special information requests, compiles statistical reports, and prepares legislative estimates and population projections. The OISB is responsible also for coordinating the timely, accurate, and consistent coding and entry of data, and performs data integrity QC functions for OBIS and for classification, incident, and other major computerized inmate and parolee databases.

Estimates and Statistical Analysis Section
The Estimates and Statistical Analysis Section is the primary source of summary statistical information on inmates and parolees under the jurisdiction of the Department. This section ensures that the Department has accurate data upon which to base program planning and direction. It also compiles and analyzes information for special projects, court cases, special task forces or programs, and prepares periodic statistical reports about inmates and parolees used in budget planning, legislative responses, and audits. The section prepares all departmental projections of future facility and parole populations, including inmate classification levels, and all population estimates of the impact of proposed legislation, ballot initiatives, and administrative policy changes. It also reviews such information to be disseminated by other branches and divisions outside of the Department.

TSS
TSS coordinates the timely, accurate, and consistent coding and entry of data, and performs data integrity QC functions for major computerized inmate and parolee ITS. This section provides support to the MIS Committee to facilitate the development and automation of ITS, and conducts regular audits in the field and in Headquarters to maintain the accuracy and integrity of data. The section also provides necessary training for facility and parole region OBIS operators.

Business and Contract Services

BSS
BSS is responsible for the preparation of purchase documents for all EDP equipment and data-related items that are obtained through Headquarters. BSS shall ensure that all requests submitted for purchase are complete and that the necessary documentation, such as certifications or FSRs, is included. BSS is the departmental contact with the DGS, Office of Procurement, for all EDP procurement.

Contract Services
The Department's Contract Services Section shall supervise contracts entered into by the Department in a manner which:
• Conserves the financial interests of the State.
• Prevents, so far as possible, any thriftless acts by employees of the Department.
• Avoids thriftless expenditures.
The Contract Services Section assists departmental staff in the development of EDP contract requests, bids, and contracts to achieve program objectives within the legal and regulatory constraints of the State, and to ensure compliance with all departmental policies and procedures.

Warden/Regional Administrators
Each Warden and RPA is ultimately responsible for the security and utilization of all automated systems and data bases in the respective facility or region. This includes the integrity and accuracy of data entered and the physical security of the data, hardware, and the system itself.

Facility/Parole AISA/Regional AISA
Under the direction of the Warden or designee, or Regional Administrator or designee, the facility or region AISA is responsible for the coordination of automated systems issues for the facility. This position acts as the primary contact for Headquarters on automation-related issues, including PC, the DDPS, and all other automated system concerns.
This position is responsible for coordination of staff training on PC applications and systems, justification and acquisition of PC equipment through use of PC, policy, local automated system application support, inmate access to computers, on-site user assistance, information system security, and QC oversight and audit coordination for all databases located in the area of assignment.

Facility/Regional Information Security Coordinators
Facility/regional Information Security Coordinators (ISC), in accordance with State and departmental security policies, are responsible to the Warden/RPA for overseeing policy and procedures on information security access at each facility. The ISC shall work in coordination with the ISAs and the Department’s Information Security Officer.

Departmental Managers/Supervisors
All managers and supervisors assigned supervision of a function automated by DDPS are responsible for:
• Preserving the security and integrity of the Department’s information assets and managing the associated risks.
• Ongoing auditing to verify the accuracy and integrity of the data entered by subordinate staff.
• Ensuring that program staff and other users of the DDPS information are aware of and comply with information security policy and procedures.

End Users of EDP
Users are ultimately responsible for:
• The accuracy and integrity of the data they enter into any departmental application.
• Complying with all applicable laws, regulations, and administrative policies, as well as with any additional security policies and procedures established by the Department.
• Notifying their manager/supervisor of any actual or attempted violations of security policies, practices, or procedures.

41020.5 Revisions The Chief, ISD, or designee shall be responsible for ensuring that the contents of this article are kept current and accurate.
41020.6 References DOM §§ 43030 and 43020.4.

ARTICLE 3 — UNASSIGNED

ARTICLE 4 — GENERAL INFORMATION AND POLICY
Revised October 17, 1994

42010.1 Policy It is the policy of the Department to create and maintain an annual ITS plan. This plan, prepared by ISD (see DOM 43010.3, Information Management Planning, Responsibilities) and approved by the MIS Committee, shall be the primary basis for structuring the use of ITS in CDC. The annual departmental ITS plan shall, at a minimum, contain strategy for the use of:
• State data centers for departmental critical systems.
• Distributed systems for departmental critical systems.
• Microcomputers for departmental critical systems.
• Departmental telecommunications and networking systems.
• Facility PBXs for data.
• Local area networks.
• Modems.
42010.2 Purpose The purpose of this policy is to disseminate the framework for the decision-making process used by the Department in deciding to apply automated solutions to the Department’s operations, accounting, and communications problems.
42010.3 ITS Selection Criteria It is the intent of the Department to employ the following factors when deciding whether to use CDC ITS resources to develop, design, and implement a critical departmental information system:
• The priority of the ITS request (see DOM 43000).
• The relationship to the Department’s goals and objectives.
• The extent to which the application is critical to accomplishment of the Department’s goals and objectives.
• The risk analysis report (see DOM 49000).
• The results of a pilot project.
The Department’s strategies for use of such technologies shall be utilized to determine the design of the approved information system and the choice of hardware, software, and communication.
42010.4 ITS Selection Process
The Department’s vehicle for selection of technological alternatives is the FSR. When preparing an FSR, the above selection criteria shall be utilized as a basis. When automation is determined to be the approach to solving a business problem, the Department shall choose the automated system which best accomplishes the tasks involved.
The Department currently maintains a multi-tiered automation platform that offers a wide spectrum of hardware/software choices and which provides several databases accessible to applications for data sharing. A significant feature of automated systems is the ability to share data. Benefits of data sharing include the saving of valuable input time and, in many cases, may solve cost justification problems by reducing or redirecting data input time and associated personnel years.
There are many automation platforms available for expansion in the Department. However, there are also many elements listed in the selection criteria that lead to the appropriate solution. Regardless of the business problem, selection criteria, or platform (hardware/software) involved, State policy requires that the FSR shall show a cost reduction, a viable cost avoidance, increased revenue, operational necessity, or be the result of a legislative mandate before approval of the concept can become a funded project. In many instances, the FSR may have a concurrently associated pilot project to provide specific performance, cost, and technological justification for the continuance of the project.
42010.5 ITS Pilot Projects
Pilot projects are scaled down versions of an overall project. They are intended to provide information on cost savings/avoidance, technology use, or performance of benchmarking in order to justify implementation of the full project. A pilot project is a subset of the overall project and is subject to the same approval process as the full project. Many projects are approved through the Office of Information Technology (OIT) and the FSR process contingent upon pilot justification of the project. The typical contents of a Pilot Implementation and Evaluation Plan include the sections and contents described below:

Program Performance Improvements
This section defines the programmatic functions to be included in the pilot. It should include a description of the current processes, a description of the new processes, and a plan that includes quantified measurements for evaluating before-and-after program performance.

Physical and Technical Characteristics
This section describes the physical and technical characteristics of the pilot. It shall include descriptions of sites, equipment, software, and telecommunications as well as any other technical resources that are needed to complete the pilot.

Information Requirements
This section defines the informational processing requirements of the pilot. It should include definitions of data inputs (source, type, volume, timing, media, files, edits, etc.), processes (response times, interfaces, security, etc.), and outputs (reports and displays).

Security Requirements
This section addresses the process to be used to determine the potential problems and risks, the controls necessary to safeguard the information hardware and software of the pilot, and the fully-implemented system. Typically, a risk analysis as described in DOM 49030 shall supply the necessary information. The completion of this requirement is especially important since necessary security controls can often increase the required budget.

Financial Requirements
This section contains an estimate of all costs associated with the pilot phase of the project. Project accounting shall be defined so that actual pilot costs and benefits can be compared against estimates, and then used as a basis to refine full implementation estimates.

Operational Recovery Requirement
This section addresses the process to be used to determine the operational recovery requirements. A pilot project shall have an operational recovery plan just for the pilot, and shall address the issue of operational recovery of the proposed fully-implemented system. Often, operational recovery processes add to the overall cost of the project. All critical departmental systems shall have an operational recovery plan as part of their implementation (see DOM 44000).

Management Plan
This section contains a pilot management plan. The plan shall include:
• Pilot responsibilities.
• Pilot schedule.
• Pilot reporting and review.
Any special requirements shall be identified such as training, conversion, or impact on existing operations.

At the end of the pilot and before continuing with the project, a Post Implementation Evaluation Report (PIER) shall be completed and submitted to either the departmental MIS Committee or OIT for review. The pilot PIER shall contain an assessment of programmatic performance during the pilot. The results of the pilot PIER shall be used to re-evaluate the analysis completed for the original feasibility study and, if necessary, be used to make changes to the project FSR. Once the pilot PIER is approved and any necessary changes are made to the original FSR, the pilot PIER shall be reviewed and the project may be initiated upon its approval.
42010.6 Determining Priorities on ITS Requests
One of the criteria for project selection is the priority of the ITS request. To assist in decision-making, the following schema shall be utilized when assigning a priority to a particular request for information system resources:

If multiple requests exist with the same priority, each division submitting requests shall determine the order of further prioritization. For example, if there are four priority 3.1 requests then these four requests should be renumbered as 3.1.1, 3.1.2, 3.1.3, and 3.1.4 in order of further priority.

The following is a description of several different levels of priorities. These priorities can be thought of as an initial rationale for assignment of ITS design, development, and maintenance resources. Each prospective project shall be assigned one of the following priorities prior to its presentation before the MIS Committee:

Priority 1
• This priority level is exclusive to the maintenance of computer programs that have been designed, implemented, and installed. Resources used in this area are for the purpose of keeping existing computer-based systems functional. This priority includes routine maintenance. Any changes to production systems requiring more than 32 person-hours shall not be considered as maintenance, but as a new request which must be justified.

Priority 2
• Those resource requirements over which the Department has little control. Responses to legislative action, requests from the Governor or the agency, and requests from local law enforcement for critical information are all examples of projects that are Priority 2.

Priority 3
• An ITS request shall be Priority 3 if the implementation of the proposed computer-based system will result in a measurable benefit to the Department. Most requests for information system resources fall within this area.