Forms and Tools

These resources provide a centralized location for easy access to mandated forms. They also provide state agencies with a collection of tools to assist in meeting requirements and in building effective information security programs.


The forms state agencies must complete to be in compliance with the State Administrative Manual (SAM).


Recommended resources to assist state agencies in complying with requirements and in building effective information security programs.


Security Incident Report

The Report is due to the California Office of Information Security (Office) when an information security incident occurs. See SAM Section 5340.

California Compliance and Security Incident Reporting System (CAL-CSIRS) 5340-B
Requirements to Respond to Incidents Involving a Breach of Personal Information (pdf) 5340-C
Instructions and Format for Cal-CSIRS Designee Information (Excel)
Security Breach Reporting and Notification Templates

Designation Letter

The Letter provides our office with an agency contact for Information Security Officers and Technology Recovery Coordinators. It is due by January 31st of each year or within 10 business days if changes occur. See SAM Section 5330.2.

Designation Letter (doc) 5330-A

Technology Recovery Documentation

Agencies must file this Certification every year. Use of the Cross Reference Worksheet is optional if the TRP submission follows the SIMM 5325B format. See SAM 5325.1.

Technology Recovery Program Certification (doc) 5325-B
Technology Recovery Plan Instructions (pdf) 5325-A

Risk Management and Privacy Program Compliance Certification

The signed Certification acknowledges that each state agency is in compliance with policy governing risk management and privacy requirements as defined in SAM Section 5330, Government Code Section 11019.9, and the Information Practices Act (Civil Code Section 1798 et seq.). The Certification is due by January 31st of each year.

Risk Management and Privacy Program Compliance Certification (doc) 5330-B
Privacy Statement and Notices Standard (pdf) 5310-A

Telework and Remote Security Standard

This standard applies to telework and remote access users who have access to California State IT infrastructure and information assets through public networks. In addition to telework users, this standard is applicable to security, system, and network engineers and administrators, as well as computer security program managers who are responsible for the technical aspects of preparing, operating, and securing remote access solutions and telework client devices, and state entity heads and program managers responsible for the overall security of information assets within their agencies.

Telework and Remote Security Standard
Remote Access Agreement 5360-B


Other Resources

Cal OES Training Division
Cal OES Exercise Program


Guidelines and Tools

Information Technology Security Program Guideline

This Guideline can be a valuable tool for state agencies that are implementing, or seeking to improve, their information security programs. The Guideline's components provide a framework that enables secure communications and appropriate protection of information resources within the State of California government.

Information Security Program Guide for State Agencies (pdf) April 2008

Risk Assessment Toolkit

These are tools for agencies to use in identifying information security risks and in helping to mitigate them.


Training and Awareness

Self Training Manual and Guidelines for Protecting Privacy in State Government March 2007
Awareness Materials Various

The California Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

Last Updated: Friday, November 18, 2016