Report 2014-120 Recommendation 16 Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation #16 To: Public Utilities Commission

The commission should revise its existing recovery plan to include a list of applications supporting critical business functions, their maximum acceptable outage time frames, and detailed recovery strategies for each application.

Annual Follow-Up Agency Response From October 2021

The California Public Utilities Commission (CPUC) is in the process of conducting a Business Impact Analysis (BIA) to identify Mission Essential Functions (MEF). Determination of MEFs will outline Mission Critical Systems along with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Appropriate recovery plans will be updated from the results of the BIA.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From November 2020

The California Public Utilities Commission (CPUC) is in the process of relocating information systems resources to California Department of Technology data center. Once migration is complete, CPUC will develop recovery plans to support critical business functions.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From October 2019

Partially Implemented

Technology Recovery Plan updated as the latest template from CDT submitted to CDT, Jan 2019. Technology recovery plan testing for two mission critical systems completed.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From October 2018

CPUC is in the process to update technology recovery plans as per new template from Office of Information Security to include separate information system recovery plans for mission critical systems -due date January 31st 2019.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From November 2017

Updated technology recovery plan was submitted to CDT Office of Information Security. CPUC is currently in the process of updating this plan to address the infrastructure changes.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From October 2016

The Commission has developed some of the recovery plan and continues to work this to address all of the requirements needed.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented

1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

6-Month Agency Response

Critical business outage time frame and recovery strategies for applications will addressed in the form of Business Continuity plan as a subset of security assessment. The consultants and CPUC staff are meeting with business divisions to collect pertinent information.

California State Auditor's Assessment of 6-Month Status: Pending

60-Day Agency Response

Critical business outage time frame and recovery strategies for applications will addressed in the form of Business Continuity plan as a subset of security assessment.

California State Auditor's Assessment of 60-Day Status: Pending

All Recommendations in 2014-120

Agency responses received are posted verbatim.