Can I skip having an information security program in place in California? What are the requirements?
To answer your question, no, you cannot skip having an information security program in place in California. The California Government Code mandates that all state entities must implement an information security program [1.1].
The requirements for the information security program include, but are not limited to, the creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual. State entities must also comply with the information security and privacy policies, standards, and procedures issued by the Office of Information Security [1.2].
Additionally, state agencies that are not subject to subdivision (b) must adopt and implement information security and privacy policies, standards, and procedures that adhere to the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations, and its successor publications, as well as perform a comprehensive, independent security assessment every two years [1.1].
It is important to note that individuals seeking approval as a Computer Security Auditor in California must meet certain criteria, including having at least two years of experience in the evaluation and analysis of Internet security design and in conducting security testing procedures, and specific experience performing Internet penetration studies [2.1].
Therefore, it is crucial to comply with the information security program requirements in California to avoid any legal consequences.
Source(s):
- [1.1] Section 11549.3 - Office of Information Security
- [1.2] Section 11549.1 - Office of Information Security
- [2.1] Computer Security Auditor Application Procedure
Jurisdiction: California