Report 2014-120 Recommendation 14 Responses
Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)
Recommendation #14 To: Public Utilities Commission
As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop, implement, and maintain an information security plan as part of its entitywide information security program.
Annual Follow-Up Agency Response From October 2018
Information security plan is complete; please see attached copy. Information Security Policies are updated as per OIS templates.
- Completion Date: July 2018
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
Annual Follow-Up Agency Response From November 2017
In progress. CPUC has developed a master written Information Security Policy along with 20 sub-policies addressing specific areas as recommended by NIST and CDT; please see attached documents.
- Estimated Completion Date: 6/30/2018
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2016
The Commission continues to work to implement an information security program with the addition of staff.
- Estimated Completion Date: 12/30/2018
California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented
1-Year Agency Response
CPUC has completed the Information Security Assessment and has performed a vulnerability scan and penetration testing to determine areas of risk. Remediation from these scans and the assessment is on-going.
- Completion Date: April 2016
- Response Date: April 2016
California State Auditor's Assessment of 1-Year Status: Partially Implemented
The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
6-Month Agency Response
Security plan development is in progress.
- Estimated Completion Date: Ongoing implementation.
- Response Date: October 2015
California State Auditor's Assessment of 6-Month Status: Pending
60-Day Agency Response
Security plan development is in progress.
- Estimated Completion Date: April 2016
- Response Date: June 2015
California State Auditor's Assessment of 60-Day Status: Pending
Agency responses received are posted verbatim.