Report on Auditor’s Plans Updating State Information Security
The California State Auditor’s Office will release a report this month focusing on the efforts of the California Department of Technology (CDT) to improve the information security of state agencies.
The auditor’s office has flagged the state’s cybersecurity posture before, most recently in an August report that cited the CDT as well as the California Department of Corrections and Rehabilitation, the California Department of Health Care Services, the California Department of Public Health, and the California State Teachers’ Retirement System. The auditor found that these five agencies pose a “high risk” to the state because of their information security practices. That report also noted that the auditor’s office had first raised the issue of information security in September 2013.
This month’s report will use “independently developed and verified information” to assess information security compliance by state “reporting entities” (those under the direct authority of the governor) and “non-reporting entities,” which are those not under the direct authority of the governor, such as constitutional offices and the judiciary.
The forthcoming report will:
- Examine and assess the laws, rules and regulations significant to the objectives of the audit.
- Assess CDT’s oversight of the information security of reporting entities, including its progress in establishing a baseline information security status for reporting entities.
- Determine whether reporting entities’ compliance with information security standards has improved.
- Assess the measures and guidance CDT has developed to address the increased security risk arising from the number of state employees now telecommuting because of the COVID-19 pandemic. For a selection of reporting entities, determine the measures taken to address the risks of teleworking and whether they align with CDT guidance, and determine whether there has been an increase in information security incidents reported during the pandemic.
- Determine whether non-reporting entities have improved their compliance with selected information security standards. Evaluate their efforts to mitigate risks associated with teleworking and determine whether there has been an increase in information security incidents during the pandemic.
- Review and assess any other significant issues for the audit.
In its August report, the Auditor’s Office explained why it kept CDT on its “high risk” list:
“State entities have not shown sufficient progress in addressing deficiencies in their information system controls,” the auditor’s office wrote. “Reporting entities continue to struggle to improve their information security status, as evidenced by their performance in a nationwide information security review sponsored by the federal government. For example, reporting entities have themselves reported weaknesses in their information security programs since at least 2018, ranking on average slightly below the minimum recommended by the federal government. In addition, reporting entities have remained stagnant in their development of information security, as the state’s average scores remained almost unchanged between 2018 and 2020.”
The auditor added, “Non-reporting entities also need to improve their information security status. Specifically, we interviewed 31 non-reporting entities, and only four reported full compliance with the selected information security framework and standards. In addition, three entities have not even adopted a framework or standards. Therefore, as weaknesses persist in information security controls across all types of state entities, information security remains a high-risk statewide issue.”
The auditor’s office did not specify a release date for this month’s report.