State of California

California Department of Technology

Office of Information Security

Designation Letter

SIMM 5330-A

January 2018


REVISION HISTORY

REVISION / DATE OF RELEASE / OWNER / SUMMARY OF CHANGES
Initial Release / August 2012 / California Office of Information Security
Minor Update / September 2013 / California Information Security Office (CISO) / SIMM number change, change “agency” to “state entity”, and change references to other related SIMM documents
Minor Update / January 2018 / Office of Information Security (OIS) / Office name change;
Designation Letter: item #1, clarification on SIMM signing authority; item #2, addition of the AIO and AISO, correction of the functions supported titles; parent/child entity relationship definition; addition of contact information of the Secretary/Director
Attachment A: correction of SIMM forms that designees are authorized to sign
Attachment B: correction of page title; removal of pager number
Attachment C: clarification on organizational chart submission instructions and attachment of sample org chart;
Attachment D: revised instructions; inclusion of parent/child entity relationship; corrections to SIMM reference numbers


DATE:
TO: / Office of Information Security, California Department of Technology
Attn: Security Compliance Reporting
P.O. Box 1810, Mail Stop Y-01
Rancho Cordova, CA 95741
FROM:
Org Code – As identified in the Uniform Codes Manual / Name of State Entity
SUBJECT: Designation Letter
I, the undersigned, hereby certify that I am the Secretary/Director (or equivalent head of the state entity) for the above referenced state entity. In compliance with the requirements set forth in State Policy (State Administrative Manual Chapter 5300), I have made the following designations to ensure the fulfillment of security and privacy requirements for this state entity:
  1. Secretary/Director’s Signature Authority Designee(s) as authorized by me in Attachment A. These are executive level individual(s) authorized to sign specified security and privacy compliance related documents on my behalf. Note: Secretary/Director may no longer designate staff to sign Information Security & Privacy Program Compliance Certification (SIMM 5330-B), which must be signed by Secretary/Director.
  2. Secretary/Director’s Designee(s) as identified by me in Attachment B to include the Agency Chief Information Officer (AIO/ACIO), Agency Information Security Officer (AISO), Chief Information Officer (CIO), Information Security Officer (ISO), Technology Recovery Coordinator, Privacy Officer/Coordinator, and their back-ups.

I hereby further certify that the organizational chart for this state entity is included herein as Attachment C and it reflects our organization’s alignment with Government Code Section 11546.1(c) (e.g., ISO reports to the CIO within our organization).
I hereby further certify that this state entity meets the Parent/Child entity relationship (definition provided in Attachment D); provides and/or receives partial or full support for the CIO Designation, ISO Designation, Technology Recovery Management, Incident Management, Privacy Program Management, and/or Security & Risk Management functions; or is fully self-sufficient (as identified and provided for in Attachment D).
For additional information about this submission please contact:
at / or
Name / Telephone Number / Email
Signature and contact information of the Secretary/Director (or equivalent head of the state entity):
Printed Name of Entity Head / Signature of Entity Head / Date
Address of Entity Head / Telephone Number / Email

ATTACHMENT A — SECRETARY/DIRECTOR’S SIGNATURE AUTHORITY DESIGNEE(S)

SELECT ONE OF THE BELOW OPTIONS:
No individuals have been authorized to sign on my behalf.
I have authorized the following individual(s) to sign security related documents on my behalf,
as specified below:
Designee Name: / Authorized to sign the following on my behalf
(check all that apply):
Title: / Designation Letter (SIMM 5330-A)
Note: Designee may only sign 5330-A updates within this reporting period.
Classification: / Technology Recovery Program Compliance Certification (SIMM 5325-B).
Telephone Number:
Email Address:
Designee Signature:
Designee Name: / Authorized to sign the following on my behalf
(check all that apply):
Title: / Designation Letter (SIMM 5330-A)
Note: Designee may only sign 5330-A updates within this reporting period.
Classification: / Technology Recovery Program Compliance Certification (SIMM 5325-B).
Telephone Number:
Email Address:
Designee Signature:
Designee Name: / Authorized to sign the following on my behalf
(check all that apply):
Title: / Designation Letter (SIMM 5330-A)
Note: Designee may only sign 5330-A updates within this reporting period.
Classification: / Technology Recovery Program Compliance Certification (SIMM 5325-B).
Telephone Number:
Email Address:
Designee Signature:

Make additional copies of this worksheet as needed to complete the submission.


ATTACHMENT B — SECRETARY/DIRECTOR’S PRIMARY and BACK-UP DESIGNEES

Primary Designations / Chief Information Officer / Information Security Officer / Technology Recovery Coordinator / Privacy Program Coordinator
Name
Classification
Business Address
IMS Code
Telephone Number
Mobile Phone Number
Facsimile Number
Email Address
Back-up Designations / Chief Information Officer (back-up) / Information Security Officer (back-up) / Technology Recovery Coordinator (back-up) / Privacy Program Coordinator (back-up)
Name
Classification
Business Address
IMS Code
Telephone Number
Mobile Phone Number
Facsimile Number
Email Address

IMPORTANT — If this agency is or reports to a Cabinet-level Agency within the Executive Branch, complete the following:

Cabinet-level Designations / Agency Chief Information Officer / Agency Information Security Officer
Name
Classification
Business Address
IMS Code
Telephone Number
Mobile Phone Number
Facsimile Number
Email Address

ATTACHMENT C — ORGANIZATIONAL CHART

Attach the entity's official organizational chart, which displays the CIO/ISO reporting structure, as signed by the Director and approved by CalHR. OIS uses this information to, among other things, validate compliance with Government Code Section 11546.1(c) (see example below).

ATTACHMENT D (Part 1)

PARENT/CHILD RELATIONSHIP (MUST SELECT ONE OF THE BELOW OPTIONS):

This section is to identify if your state entity is considered a “Child” entity or a “Parent” entity.

To be considered a “Child”, your state entity must meet ALL of the below criteria:

  • The child entity DOES NOT have a separate Active Directory from the parent;
  • The child entity DOES NOT have a separate information security policy boundary from the parent; and
  • The child entity is ENTIRELY CONTAINED within the Parent/Host security boundary.

Based on the above criteria, this state entity DOES DOES NOT meet the requirements to be considered a “Child” or “Parent” entity in a Parent/Child relationship. If your entity DOES meet the requirements to be considered a “Child” or “Parent” entity, complete the following:

PARENT ENTITY NAME / ORG CODE / CHILD ENTITY NAME / ORG CODE

SUPPORTED ROLES AND FUNCTIONS (MUST SELECT ONE OF THE BELOW OPTIONS):

This section is to identify if your state entity receives support from or provides support to another state entity and to what extent the support is given. This information is applicable to ALL state entities, whether or not they are considered a “Child” and/or “Parent” entity.

Select one of the below options (if your entity receives or provides support, follow the instructions on Attachment D, Parts 2 and/or 3):

This state entity PROVIDES SUPPORT and agrees to fully or partially support functions consisting of one or more of the areas selected in the “Functions Supported” section of Attachment D – Part 2. In conjunction with the functions that are being supported, the state entity providing support agrees to be responsible for the selected areas within the “Compliance and Certification Supported” section. If this option is selected, follow instructions and complete Attachment D (Part 2).

This state entity RECEIVES SUPPORT for functions consisting of one or more of the areas selected in the “Functions Supported” section. In conjunction with the functions that are being supported, the state entity receiving support acknowledges that the state entity providing support will be responsible for the selected areas within the “Compliance and Certification Supported” section. If this option is selected, follow instructions and complete Attachment D (Part 3).

This state entity DOES NOT RECEIVE or PROVIDE SUPPORT to any other state entities.

ATTACHMENT D (Part 2) - PARTIAL OR FULLY SUPPORTED ROLES AND FUNCTIONS PROVIDED TO ANOTHER ENTITY

This state entity PROVIDES SUPPORT to the below listed state entity and agrees to fully or partially support functions consisting of one or more of the following areas selected in the “Functions Supported” section. If partially supported, clearly define functions supported in the additional space below.

In conjunction with the functions that are being supported, the state entity PROVIDING SUPPORT agrees to be responsible for the selected areas within the “Compliance and Certification Supported” section.

State Entity Receiving Support Name / Org Code (As identified in the Uniform Codes Manual) / Roles & Functions Supported (Check all that apply: Partial Support, Full Support) / Compliance and Certification Supported (Check all that apply)
CIO Designation; ISO Designation; Technology Recovery Coordinator; Privacy Program Coordinator; Technology Recovery Management; Incident Management; Privacy Program Management; Security & Risk Management / Technology Recovery Program Compliance Certification (SIMM 5325-B); Designation Letter (SIMM 5330-A); Information Security & Privacy Program Compliance Certification (SIMM 5330-B); Cal-CSIRS Information Security Incident Report (SIMM 5340-B)
CIO Designation; ISO Designation; Technology Recovery Coordinator; Privacy Program Coordinator; Technology Recovery Management; Incident Management; Privacy Program Management; Security & Risk Management / Technology Recovery Program Compliance Certification (SIMM 5325-B); Designation Letter (SIMM 5330-A); Information Security & Privacy Program Compliance Certification (SIMM 5330-B); Cal-CSIRS Information Security Incident Report (SIMM 5340-B)
If partially supported, describe functions supported:

Make additional copies of the designee worksheets as needed to complete the submission.

ATTACHMENT D (Part 3) - PARTIAL OR FULLY SUPPORTED ROLES AND FUNCTIONS RECEIVED FROM ANOTHER ENTITY

This state entity RECEIVES SUPPORT from the below listed state entity for functions consisting of one or more of the following areas selected in the “Functions Supported” section. If partially supported, clearly define functions supported in the additional space below.

In conjunction with the functions that are being supported, the state entity RECEIVING SUPPORT acknowledges that the state entity providing support will be responsible for the selected areas within the “Compliance and Certification Supported” section.

State Entity Providing Support Name / Org Code (As identified in the Uniform Codes Manual) / Roles & Functions Supported (Check all that apply: Partial Support, Full Support) / Compliance and Certification Supported (Check all that apply)
CIO Designation; ISO Designation; Technology Recovery Coordinator; Privacy Program Coordinator; Technology Recovery Management; Incident Management; Privacy Program Management; Security & Risk Management / Technology Recovery Program Compliance Certification (SIMM 5325-B); Designation Letter (SIMM 5330-A); Information Security & Privacy Program Compliance Certification (SIMM 5330-B); Cal-CSIRS Information Security Incident Report (SIMM 5340-B)
If partially supported, describe functions supported:

I, the undersigned, hereby certify that I am the Secretary/Director (or equivalent head of the state entity) of the which is receiving support. I acknowledge that I have agreed to the above listed functions, compliance, and certification to be supported by the following state entity, . Additionally, I understand that I must communicate with the entity providing support to ensure that we continue to have a full understanding of the current status of the security and risk management strategy in place to protect our information and information systems, and to allow us to make informed judgments and decisions about the risk for our state entity.

For additional information about this submission please contact:
at / or
Name / Telephone Number / Email
Printed Name of Entity Head / Signature of Entity Head / Date
