State of California

California Department of Technology

Office of Information Security

Information Security and Privacy Program Compliance Certification

SIMM 5330-B

March 2019

REVISION HISTORY

Revision | Date of Release | Owner | Summary of Changes
Initial Release | December 2012 | California Office of Information Security | 
Minor Update | September 2013 | California Information Security Office (CISO) | SIMM number change; changed "agency" to "state entity"; changed references to other related SIMM documents.
Minor Update | August 2015 | CISO | Changed reference to "remediation plan" to Plan of Action and Milestones (POAM).
Update | January 2018 | Office of Information Security (OIS) | Form name change; office name/address change; modified for alignment with Cal-CSIRS online compliance reporting launch; addition of acknowledgment responsibilities; addition of SAFE submission instructions; removal of designee signing authorization; inclusion of Government Code 6254.19.
Minor Update | July 2018 | OIS | Corrected "and/or" to "and" in enclosure statement.
Minor Update | March 2019 | OIS | Added Confidential Statement.

Office of Information Security,
California Department of Technology
Attn: Security Compliance Reporting
P.O. Box 1810, Mail Stop Y-01
Rancho Cordova, CA 95741

Org Code - As identified in the Uniform Codes Manual

Information Security and Privacy Program Compliance Certification

As specified in Government Code Section 11549.3 and State Administrative Manual (SAM) Section 5300.2, "the state entity shall comply with the information security and privacy policies, standards and procedures issued by the Office of Information Security (OIS) and ensure compliance with all security and privacy laws, regulations, rules and standards specific to and governing the administration of its programs and ensure implementation of the requisite entity specific policy, procedures, practices and controls."

As the state entity head or the acting state entity head,

I certify that I have directed the completion of the required information security and privacy program compliance reporting and associated risk response activities for each of our state and mission critical information technology systems.

I further certify, as follows:

  • I have ensured a standing governance body has been established to direct the development and ongoing maintenance of the entity's information security and privacy programs and address identified risk.
  • I acknowledge that our state entity must be compliant in association with SAM 5300.2 and recognize that all deficiencies and/or high risk areas that must be addressed are identified in the enclosed copy of the confidential High Risk Findings Report.
  • I have met with and been fully briefed by our entity's standing governance body on the status of our entity's information security and privacy program compliance, including but not limited to all findings as represented in our entity's Plan of Action and Milestones (POAM) (SIMM 5305-C) and the confidential High Risk Findings Report.
  • I fully understand the potential impacts of all risk findings not being addressed in an appropriate and timely manner.

Pursuant to Government Code 6254.19, this information security record is confidential and is exempt from public disclosure. Securely send the entire form and all enclosures to the OIS using the Secure Automated File Exchange (SAFE) system.

High Risk Findings Report must include ALL High Risk and Very High Risk findings.

For questions or additional information about this submission please contact:

at or

Signature of the Secretary/Director (or equivalent head of the state entity):


Printed Name of Entity Head | Signature of Entity Head | Date

Enclosure: Confidential High Risk Findings Report and POAM

Securely send this entire form and all enclosures to the OIS using the Secure Automated File Exchange (SAFE) system.

Contact OIS for assistance and/or instructions on access to the SAFE system at (916) 445-5239 or at Security@state.ca.gov.