
Page 1: lEl - California · 2018-01-08 · Administrative Manual (SAM) 5300 and Criminal Justice Information System (CJIS) policy requirements. ABC requests $533,000 in 2018-19 and $146,000

STATE OF CALIFORNIA
Budget Change Proposal - Cover Sheet
DF-46 (REV 08/17)

Fiscal Year: 2018/19
Business Unit: 2100
Department: Alcoholic Beverage Control
Priority No.: 3
Budget Request Name: 2100-007-BCP-2018-GB
Program: 9900100 - ADMINISTRATION
Subprogram:
Budget Request Description: Physical and Information Security Policy Operation

Budget Request Summary: The Department of Alcoholic Beverage Control requests $533,000 in fiscal year 2018-19 and $146,000 in 2019-20 and ongoing from the Alcoholic Beverage Control Fund (3036) to address physical and information security issues.

Requires Legislation: [ ] Yes [X] No
Code Section(s) to be Added/Amended/Repealed:

Does this BCP contain information technology (IT) components? [X] Yes [ ] No
If yes, departmental Chief Information Officer must sign.
Department CIO: Jeff Obrecht, Chief Information Officer   Date:

For IT requests, specify the project number, the most recent project approval document (FSR, SPR, S1BA, S2AA, S3SD, S4PRA), and the approval date.
Project No.:   Project Approval Document:   Approval Date:

If proposal affects another department, does other department concur with proposal? [ ] Yes [ ] No
Attach comments of affected department, signed and dated by the department director or designee.

Prepared By: Douglas Leone, Chief Information Security Officer   Date:
Reviewed By: Randall Deems, Assistant Director, Administration   Date:
Department Director: Jacob Appelsmith, Director   Date:
Agency Secretary: Alexis Podesta, Agency Secretary   Date:

Department of Finance Use Only
Additional Review: [ ] Capital Outlay [ ] ITCU [ ] FSCU [ ] OSAE [ ] CALSTARS [ ] Dept. of Technology
PPBA: Original Signed By Tiffany Garcia
Date submitted to the Legislature:


BCP Fiscal Detail Sheet
BCP Title: Physical and Information Security Policy Operation
BR Name: 2100-007-BCP-2018-GB

Budget Request Summary (dollars in thousands)

                                          FY18 CY    BY   BY+1  BY+2  BY+3  BY+4
Operating Expenses and Equipment
  5324 - Facilities Operation                 0    335    10    10    10    10
  5346 - Information Technology               0    198   136   136   136   136
Total Operating Expenses and Equipment       $0   $533  $146  $146  $146  $146

Total Budget Request                         $0   $533  $146  $146  $146  $146

Fund Summary (dollars in thousands)

Fund Source - State Operations
  3036 - Alcohol Beverage Control Fund        0    533   146   146   146   146
Total State Operations Expenditures          $0   $533  $146  $146  $146  $146

Total All Funds                              $0   $533  $146  $146  $146  $146

Program Summary (dollars in thousands)

Program Funding
  1640010 - Licensing                         0    271    74    74    74    74
  1640019 - Compliance                        0    262    72    72    72    72
Total All Programs                           $0   $533  $146  $146  $146  $146


Analysis of Problem

A. Budget Request Summary

The Department of Alcoholic Beverage Control (ABC) collects and stores various types of personally identifiable information in the course of its operations. A breach that compromises that information could be costly to the state and result in a loss of public trust. This proposal improves ABC's protection against such events by addressing the physical security of district offices; adding detection and monitoring tools to proactively scan for vulnerabilities and detect intrusions or unusual behavior on the network; expanding the encryption of key data; and properly mitigating the risks related to mobile devices.

These measures will strengthen the various layers of ABC's information security defenses, are necessary to address audit findings, and bring ABC into compliance with State Administrative Manual (SAM) Chapter 5300 and Criminal Justice Information System (CJIS) policy requirements.

ABC requests $533,000 in 2018-19 and $146,000 in 2019-20 and ongoing from the Alcoholic Beverage Control Fund (3036).

B. Background/History

Overview of ABC

The ABC is vested with the exclusive authority in the state to license the manufacture, importation, distribution, and sale of alcoholic beverages; therefore, all such businesses are reliant on ABC to begin operating. License applicants provide personally identifiable information and financial information to the ABC when pursuing a license.

The ABC's enforcement operations conduct investigations and gather evidence for use in criminal cases or corrective actions when determining adherence to the provisions of the Alcoholic Beverage Control Act. Evidence must be preserved in accordance with principles of evidence and to ensure trust in the ABC adjudication processes.

California's economy benefits from a trustworthy licensing and enforcement process, ensuring a robust hospitality industry that is a major contributor to the state's economy, with the wine and craft brewery components alone estimated to contribute $58 billion and $7 billion respectively. ABC promotes a healthy industry by identifying establishments not operating in good faith to ensure safe and healthy communities.

Responsibilities of an Information Security Office

As per SAM Chapter 5300, the ABC Information Security Office (ISO) has the responsibility of establishing an information security program that includes planning, oversight, and coordination of activities to effectively manage risk; provide for the protection of information assets; and prevent illegal activity, fraud, waste, and abuse in the use of information assets. The ISO is required to establish a governance body to direct the development of information security plans, policies, standards, and other authoritative documents.

The scope of activities of an ISO and the governance body as defined by SAM Chapter 5300 includes establishing the following programs: personnel management, information asset management, risk management, privacy program management, incident management, information security and awareness training, business continuity and technology recovery, and configuration management to ensure the integration of security controls in all systems in use and in development stages.

SAM Chapter 5300 outlines policy on privacy and information security and references requirements for state entities in the Information Practices Act (Civil Code sections 1798 - 1798.78), Government Code section 8314, the California Public Records Act (Government Code sections 6250 - 6265), and Government Code sections 11549 - 11549.4.

Page 1 of 11


The information security framework that SAM Chapter 5300 prescribes is the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). The figure below is a high-level depiction of the responsibilities of an ISO, including the NIST CSF "family" of controls assigned to each step of the security lifecycle process. Each family of controls contains a number of controls prescribed for systems after each system has been categorized. These controls apply at an organizational level and for each information system an entity owns, in order to protect the organization's data (confidentiality and integrity) and systems (availability).

[Figure: NIST Cyber Security Framework. The five functions and the control categories shown under each:
1 Identify - AM: Asset Management; BE: Business Environment; GV: Governance; RA: Risk Assessment; RM: Risk Management Strategy
2 Protect - AC: Access Control; AT: Awareness Training; DS: Data Security; IP: Information Protection Processes and Procedures; PT: Protective Technology
3 Detect - AE: Anomalies and Events; CM: Security Continuous Monitoring; DP: Detection Processes
4 Respond - RP: Response Planning; CO: Communications; AN: Analysis; MI: Mitigation; IM: Improvements
5 Recover - RP: Recovery Planning; IM: Improvements; CO: Communications]

Page 2 of 11


Recent Audits and Assessments

In August of 2015, the California State Auditor found ABC not compliant with SAM Chapter 5300 requirements. The State Auditor produced findings on five specific program areas, which were:

• SAM Chapter 5305 - Information Security Program
• SAM Chapter 5305.5 - Information Asset Management Program
• SAM Chapter 5305.6 - Risk Management Program
• SAM Chapter 5325 - Business Continuity with Technology Recovery Program
• SAM Chapter 5340 - Information Security Incident Response Program

In December of 2016, the California Military Department (CMD) conducted an Independent Security Assessment of the ABC pursuant to the provisions of California Government Code section 11549.3. This assessment found specific information security policies not present. Additionally, the findings from the technical assessment are considered confidential; however, in general, they paint a picture of an ad hoc level of security. Two factors had a positive impact on the assessment score. One, technical staff who are familiar with the requisite security controls have integrated security controls in systems over the years. Two, the systems residing in the California Department of Technology (CDT) data center received a standard level of security at the system layer. The overall assessment score was unacceptable, and the ABC has committed to developing an information security program where information assets are identified and security controls prescribed, validated and documented.

Resources and Corrective Actions

The ABC recognized the risks to the licensing and enforcement operations as well as the public, and took corrective actions by addressing the lack of ISO resources. Until 2016, the information security responsibilities were assigned to a Staff Information Systems Analyst who also served as the lead for ABC's service desk and had not received any formal risk management or information security training. Under this arrangement, only an ad hoc level of information security could be provided for the ABC. As a result, the State Auditor identified the lack of effective information security programs for the five areas audited.

To address the program deficiencies, temporary resources were obtained in 2016 to initiate the information security programs by writing policy and developing budget requests to staff an ISO. Approval of the Information Security BCP for 2017-18 and ongoing provided the ABC with a Data Processing Manager III and a Staff Information Systems Analyst for the newly created ISO. The workload metrics in that funding request addressed a multi-year iterative approach to the initiation of an effective information security program, including risk management, information asset management, business continuity and technology recovery, incident management, and information security and awareness training programs.

Risk management as defined by SAM Chapter 5305.6 is a process of identifying and managing risk through risk assessments at a) the organizational level, b) the mission and business process level, and c) the information asset level. The CMD performed an assessment at the information asset level, identifying areas of non-compliance which support the justification for several items in this request.

Additional items contained in this request have been identified by the new ISO staff, who performed an organizational risk assessment evaluating ABC against SAM Chapter 5300.

Internal Organizational Risk Assessment Results

This proposal is a product of the ISO staff's initial organizational risk assessment of the ABC's operations in accordance with SAM Chapter 5300. The organizational risk assessment identified where personally identifiable information is stored, and the level of protection required for that information as per SAM Chapter 5300 and CJIS. The appropriate level of protection was not present for the district offices, shared network, and central database.

Page 3 of 11


The database stores confidential information for licensing and enforcement, and it is critical to protect the system and the information contained in the system in order to adequately address risks to the ABC.

As part of licensing and enforcement operations, confidential information is also stored on electronic network shares, as well as in hard copy at the district offices. The appropriate level of protection is not in place at each district office to ensure that those who are authorized to access the information are the only individuals provided access.

The risk assessment concluded that certain improvements to physical and network security would be a necessary complement to the recently revised organizational policy.

Resource History: Information Security Program
(Dollars in thousands)

Program Budget            2012-13  2013-14  2014-15  2015-16  2016-17
Authorized Expenditures         0        0        0        0        0
Actual Expenditures             0        0        0        0       53
Revenues                        0        0        0        0        0
Authorized Positions            0        0        0        0        0
Filled Positions                0        0        0        0     0.33
Vacancies                       0        0        0        0        0

Workload History

Workload Measure          2012-13  2013-14  2014-15  2015-16  2016-17  2017-18
All activities proposed are new.

C. State Level Considerations

The California State Auditor and CMD determined that the ABC has been out of compliance with SAM Chapter 5300 (Information Security) and therefore with the CJIS policy. Compliance, and an effective information security program, is imperative due to the data created and managed by ABC in carrying out its mission and the confidentiality of data shared with business partners such as the Department of Justice, FI$Cal, the State Controller's Office, and partner law enforcement agencies. The ABC faces challenges due to its dispersed workforce regarding personnel and identity management and the complex mix of confidential information and evidence collected and stored at district offices. These factors illuminate how critical it is that the ABC implements an effective information security program that has comprehensive and proactive coordination with all internal and external partners.

Page 4 of 11


D. Justification

Proposal Overview

Business Problem (or Issue): State Auditor audit, independent security assessment, and internal organizational risk assessment have produced findings which require an investment in systems and services to bring ABC into compliance with SAM Chapter 5300 and properly protect the information of ABC licensees and employees.

Proposed Solution: Procure the systems, services, hardware and software required to bring ABC into compliance with SAM Chapter 5300.

Budgetary Requirement (Funding/Position Authority required): $533,000 one-time in 2018-19 and $146,000 in 2019-20 and ongoing.

Business Case

Business Problem: In addition to the personally identifiable information that any department would have regarding its employees, ABC also collects and stores (hard copy and electronically) personally identifiable information from licensees during the licensing process and from individuals when cited by ABC Agents. Given that the volume of electronic personally identifiable information records easily exceeds 100,000, and that the 12th annual 2017 Ponemon Cost of a Data Breach Study sponsored by IBM reports the cost for each lost or stolen record containing sensitive and confidential information is $141, if the ABC's records were compromised in a data breach, the total cost could exceed $15,000,000 to recover systems, notify individuals, provide credit monitoring, bring in forensic teams, and restore operations. This cost does not include damage to the ABC's reputation.

The following risks were identified by either audit or the internal assessment performed by the newly formed ABC ISO:

Physical Security - Physical security of personally identifiable information, evidence, law enforcement systems, and equipment

At each district office, the ABC collects and stores personally identifiable information. Each office also manages law enforcement equipment and stores evidence. Due to the significance of the information, equipment, and evidence stored at each district office, and the value of a license to distribute or sell alcohol, the physical security of information, equipment, systems, and personnel is critical.

Threat Detection - Limited ability to detect threats on ABC's network

Rogue Devices - The ABC must shorten the time it takes to detect rogue devices connected on the network to ensure adequate protection of ABC systems.

Identifying Vulnerabilities - The ABC must also perform more frequent scans of all hosts in the ABC network to assess the level of vulnerabilities due to security issues from either misconfiguration or missing patches.

System Monitoring - The ABC must meet standards for continuous monitoring to ensure system compromise is detected as soon as possible to limit or contain the spread of malware.

Cost of Notification - An internal risk assessment has identified the risk of a potentially costly breach notification if the security of a system has, or is reasonably believed to have, resulted in unencrypted personal information being acquired by an unauthorized person. As mentioned above, the costs related to such a breach are estimated at $141 per record, which could easily result in millions of dollars of costs for ABC should a major breach occur. Except for data stored on laptops, ABC's data is not encrypted.

Page 5 of 11


Loss or Breach of Mobile Devices - Mobile devices are at significant risk of being lost or stolen. With the email transition, the ABC must also transition to the Enterprise Mobility Suite to stay in compliance with providing protections for mobile devices with mobile device management (MDM). An MDM ensures usage restrictions, configuration requirements, connection requirements, implementation guidance for organization-controlled mobile devices, and the ability to render a lost mobile phone useless. A device in unauthorized hands could represent a significant risk to ABC's information assets.

Unstructured Data - Managing personal data outside of a database. Data stored in files and outside of a database is referred to as unstructured data. A significant amount of ABC operations stores information in electronic files in network drives. Data that is not secured within a database can pose significant risk as it can easily be moved to parts of the network where unauthorized access could occur. The ABC must improve protections for unstructured data stored on network file servers.

Proposed Solution: The ABC proposes to address the problems outlined above by implementing the technology designed to address each problem:

# / Business Problem / Proposed Solution / SAM Chapter and NIST Control Deficiency

1. Physical Security
   Proposed Solution: Improve physical security systems at ABC District offices.
   Deficiency: SAM Chapter 5365 (Physical Security); NIST PE-2 (Physical and Environmental Protection - Physical Access Control); NIST PE-3 (Physical and Environmental Protection - Physical Access Control)

2. Rogue Devices
   Proposed Solution: Improve Network Access Control to identify/authenticate devices on local and/or wide area networks sooner.
   Deficiency: SAM Chapter 5350 (Operational Security); NIST IA-3 (Identification and Authentication - Device Identification and Authentication)

3. Identifying Vulnerabilities
   Proposed Solution: Improve and automate vulnerability scanning to provide for more frequent scans for vulnerabilities in hosts, including patch levels, functions, ports, protocols, services and improperly configured systems.
   Deficiency: SAM Chapter 5330.1 (Security Assessments); NIST RA-5 (Risk Assessment - Vulnerability Scanning)

4. System Monitoring
   Proposed Solution: Provide for continuous monitoring as per State Administrative Manual Chapter 5300.
   Deficiency: SAM Chapter 5335 (Information Security Monitoring); NIST SI-4 (System and Information Integrity - Information System Monitoring)

5. Cost of Notification
   Proposed Solution: Maintain the licensing database encryption, keys, and identities.
   Deficiency: SAM Chapter 5350.1 (Encryption); NIST SC-28 (Security and Communications Protection - Protection of Information at Rest)

Page 6 of 11


6. Loss or Breach of Mobile Devices
   Proposed Solution: Purchase and implement the Enterprise Mobility Suite as part of ABC's migration. ABC is planning to ensure the security of its email system, mobile phones, and cloud access through this security suite.
   Deficiency: SAM Chapter 5350.1 (Encryption); NIST AC-19 (Access Control - Access Control for Mobile Devices)

7. Unstructured Data
   Proposed Solution: Improve protections for sensitive information contained on network file servers.
   Deficiency: SAM Chapter 5305.5 (Information Asset Management); NIST Special Publication 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)

Without the technology in the chart above, the corresponding audit and assessment findings cannot be addressed. The confidential information in files (paper and electronic) and system databases will continue to be at risk of loss, theft, or unauthorized disclosure, resulting in potential financial and legal impact to the ABC and personal impact to individuals.

All of the technology proposed is implemented and maintained by solution providers, except for the database encryption software. Capitalizing on the services of solution providers minimizes the impact to ABC resources and ensures a consistent implementation approach with best practices. The statement of work language in each contract will ensure systems are delivered and will hold the providers accountable. This request is to provide the ABC $533,000 in 2018-19 and $146,000 in 2019-20 and ongoing from the Alcoholic Beverage Control Fund (3036) for the systems, services and technologies identified in the chart above.

The chart below itemizes the cost associated with each of the systems listed above.

Item                                   2018-19    2019-20
Physical Security Improvement         $335,000    $10,000
Network Access Control System          $42,000    $16,000
Vulnerability Scanning System          $11,000    $11,000
Information System Monitoring System   $58,000    $54,000
Database Encryption                    $20,000*   $20,000
Enterprise Mobility Management         $30,000    $27,000
Data Classification System             $37,000     $8,000
Total                                 $533,000   $146,000

* Given this solution provides significant mitigation to the risk of a high-cost notification process should a breach occur, it was implemented in 2017-18. This request is only for the ongoing cost of the encryption software.

E. Outcomes and Accountability

ABC will utilize existing resources with minimal impact to obtain the technology and systems outlined above. The proposed solutions will provide ABC security intelligence that will temporarily produce an uptick in information security incidents to which existing staff will need to respond. This projected outcome is identified in the chart below.

Page 7 of 11


Projected Outcomes

Workload Measure                                     2017-18  2018-19  2019-20  2020-21  2021-22  2022-23
Number of Information Security Incident responses
from proposed technology solutions (including
system recovery)                                                  10        2        2        2        2
Physical Security Improvements                                    19        0        0        0        0

F. Analysis of All Feasible Alternatives

Alternative 1: Approve this request for funding for the seven information security systems totaling $533,000 in 2018-19 and $146,000 in 2019-20 and ongoing.

Pros:
• Improves physical security for employees.
• Improves physical security for personally identifiable information.
• Improves network and host security on the ABC network.
• Secures a system database with encryption to mitigate the risk of loss of information.
• Secures mobile devices for ABC when connected to the Enterprise Mobility Management.
• Improves security for unstructured data.

Cons:
• Requires additional funding.

Alternative 2: Approve $50,000 in 2018-19 and $50,000 in 2019-20 and ongoing for information security and privacy liability coverage and privacy notification and crisis management expense coverage.

Pros:
• Theft or loss of licensee information would immediately be covered with funding for resources needed for notification, credit monitoring services, and funding to restore, update, or replace business assets stored electronically.

Cons:
• Reputation is not covered by information security and privacy liability coverage; therefore, even if the liability coverage is purchased, ABC licensees may be unwilling to share personally identifiable information if the information in the ABC's custody became compromised.

Alternative 3: Do nothing.

Pros:
• Requires no additional staffing or funding.

Cons:
• Limited compliance with state policy mandates.

G. Implementation Plan

All of the technology solutions requested, except for the database encryption, will be implemented and configured by professional services to ensure a successful implementation. The database encryption will be performed by the database administrator in the Information Technology section of the ABC. The physical security improvements will be procured by the Business Services section of the ABC.

Page 8 of 11


# / Proposed Solution / Implementation Timeline

1. Physical Security Improvements (ABC District Offices)
   • 2018 July - August
     > Procurement (Resource: Business Services)
     > Policy Development (Resource: ISO)
   • 2018 September - December
     > Implementation (Resource: Vendor and Supervising Agent at each District Office)
     > Training (Resource: Vendor and Supervising Agents)

2. Network Access Control System (Items 2, 3, and 4 are services provided by the same vendor.)
   • 2018 July - September
     > Service Request (Resource: California Department of Technology and Network Infrastructure)
     > Policy Development (Resource: ISO)
   • 2018 October - November
     > Implementation (Resource: Vendor and Infrastructure Team)
     > Training (Resource: Vendor, Service Desk, Infrastructure Team, ISO)
     > Rogue Device Procedure Revision (Resource: ISO)

3. Vulnerability Scanning System
   • 2018 July - September
     > Service Request (Resource: California Department of Technology and Network Infrastructure)
     > Policy Development (Resource: ISO)
   • 2018 October - November
     > Implementation (Resource: Vendor and Infrastructure Team, Application Development Team)
     > Training (Resource: Vendor, Infrastructure Team, Application Development Team, ISO)
     > SDLC Procedure Revision (Resource: ISO)

4. Continuous Monitoring System
   • 2018 July - September
     > Service Request (Resource: California Department of Technology and Network Infrastructure)
     > Policy Development (Resource: ISO)
   • 2018 October - November
     > Implementation (Resource: Vendor and Infrastructure Team, ISO)
     > Training (Resource: Vendor, Infrastructure Team, ISO)
     > Continuous Monitoring Procedure Revision (Resource: ISO)

5. Database Encryption
   • 2018 July
     > Ensure Oracle Advanced Security licensing continues. This item was procured in 2016-17. This request funds ongoing maintenance costs.

Page 9 of 11


6. Enterprise Mobility Management
   • 2018 July - August
     > Procurement (Resource: Information Technology)
     > Policy Development (Resource: Information Security)
   • 2018 September - October
     > Configuration of Security Policy within Enterprise Mobility Suite to secure email and mobile devices (Resource: Vendor, Infrastructure Team, and Service Desk Team)
     > Training (Resource: Vendor, Infrastructure Team, and Service Desk Team)
     > Mobile Device and Email Procedure Revision (Resource: ISO)

7. Data Classification System
   • 2018 July - August
     > Procurement (Resource: Information Technology)
     > Policy Development (Resource: Information Security)
   • 2018 September - December
     > Implementation and Configuration (Resource: Vendor, Network Infrastructure Team, ISO)
     > Training (Resource: Vendor, Network Infrastructure Team, ISO)
     > Data Classification Procedure Revision (Resource: ISO)

H. Supplemental Information

The chart below contains the software and services identified in the proposed solution section and a justification for the costs associated. Costs are listed for 2018-19 and 2019-20.

Physical Security - ABC District Offices were surveyed by ABC staff, and Business Services solicited quotes from security vendors to identify the costs. 2018-19: $335,000; 2019-20: $10,000.

Network Access Control System - Vendor NAC service provided by service request (SR) to CDT for CALNET3 service contract. This ensures 24/365 coverage on equipment owned and maintained by the vendor, allowing current staffing levels by ABC to continue. 2018-19: $42,000; 2019-20: $16,000.

Vulnerability Scanning System - Vendor VM-Pro service provided by SR to CDT for CALNET3 service contract, ensuring 24/365 coverage on equipment owned and maintained by the vendor, allowing current staffing levels by ABC to continue. 2018-19: $11,000; 2019-20: $11,000.

Continuous Monitoring System - Vendor Threat Management service provided by SR to CDT for CALNET3 service contract, ensuring 24/365 coverage on equipment owned and maintained by the vendor, allowing current staffing levels by ABC to continue. 2018-19: $58,000; 2019-20: $54,000.

Database Encryption - The advanced security licensing provides database encryption and access management features. 2018-19: $20,000; 2019-20: $20,000.

Enterprise Mobility Management - The enterprise mobility management service provides security for ABC's mobile devices. ABC will also transition email services. 2018-19: $30,000; 2019-20: $27,000.

Page 10 of 11


Data Classification System - ABC's shared network drives contain confidential information. ABC obtained three quotes from vendors to provide the data classification solution for unstructured data. 2018-19: $37,000; 2019-20: $8,000.

Total - 2018-19: $533,000; 2019-20: $146,000.

I. Recommendation

Approve Alternative 1 and provide the ABC $533,000 in 2018-19 and $146,000 in 2019-20 and ongoing from the Alcoholic Beverage Control Fund (3036) for systems, services and equipment to ensure compliance with State Administrative Manual (SAM) Chapter 5300 and CJIS policy requirements.

Page 11 of 11