State Administrative Manual (SAM)

CHAPTER 5300 - Information Technology - Office of Information Security


Introduction 5300 
Arrangement of Chapter 5300.1 
Governing Provisions 5300.2 
Applicability 5300.3 
Definitions 5300.4 
Minimum Security Controls 5300.5 
Information Security Program 5305 
Information Security Program Management 5305.1 
Policy Procedure and Standards Management 5305.2 
Information Security Roles and Responsibilities 5305.3 
Personnel Management 5305.4
Information Asset Management 5305.5 
Risk Management 5305.6 
Risk Assessment 5305.7 
Provisions for Agreements with State and Non-State Entities 5305.8 
Information Security Program Metric 5305.9 
Privacy 5310 
State Entity Privacy Statement and Notice on Collection 5310.1 
Limiting Collection 5310.2 
Limiting Use and Disclosure 5310.3 
Individual Access to Personal Information 5310.4 
Information Integrity 5310.5 
Data Retention and Destruction 5310.6 
Security Safeguards 5310.7 
Information Security Integration 5315 
System and Services Acquisition 5315.1 
System Development Lifecycle 5315.2
Information Asset Documentation 5315.3 
System Developer Security Testing 5315.4 
Configuration Management 5315.5 
Activate Only Essential Functionality 5315.6 
Software Usage Restrictions 5315.7 
Information Asset Connections 5315.8 
Security Authorization 5315.9 
Training and Awareness for Information Security and Privacy 5320 
Security and Privacy Awareness 5320.1 
Security and Privacy Training 5320.2 
Security and Privacy Training Records 5320.3
Personnel Security 5320.4 
Business Continuity with Technology Recovery 5325 
Technology Recovery Plan 5325.1 
Technology Recovery Training 5325.2 
Technology Recovery Testing 5325.3 
Alternate Storage and Processing Site 5325.4 
Telecommunications Services 5325.5 
Information System Backups 5325.6
Information Security Compliance 5330 
Security Assessments 5330.1 
Compliance Reporting 5330.2 
Information Security Monitoring 5335 
Continuous Monitoring 5335.1 
Auditable Events 5335.2 
Information Security Incident Management 5340 
Incident Response Training 5340.1
Incident Response Testing 5340.2 
Incident Handling 5340.3 
Incident Reporting 5340.4 
Vulnerability and Threat Management 5345 
Operational Security 5350 
Encryption 5350.1 
Endpoint Defense 5355 
Malicious Code Protection 5355.1 
Security Alerts, Advisories, and Directives 5355.2
Identity and Access Management 5360 
Remote Access 5360.1 
Wireless Access 5360.2 
Physical Security 5365 
Access Control For Output Devices 5365.1
Media Protection 5365.2 
Media Disposal 5365.3 
Privacy Threshold and Privacy Impact Assessments 5310.8