Report 2015-611 Recommendation 4 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #4 To: Technology, California Department of

To assist reporting entities in reaching full compliance with the security standards, the technology department should provide more extensive guidance and training to reporting entities regarding the self-certification process, including training on how they should use the new self-assessment tool.

Annual Follow-Up Agency Response From October 2018

CDT has developed and implemented more extensive guidance and training to reporting entities regarding the self-certification process. Between October and December 2017, CDT staff held 35 hands-on, in-person training sessions for use of the new self-certification reporting tool.

Additionally, CDT published a comprehensive, step-by-step user guide and has provided access to 40 training videos which are now accessible by reporting entities if requested. The training videos have also been published to a central extranet portal and all designated security staff have been invited to access the central portal.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards.

Currently there are five (5) pilot agencies using this system, and training for this system is ongoing.

Expected full use of this new system by all state agencies is May 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

Training on the new self-assessment and compliance reporting tool will begin in December 2016 and will be ongoing thereafter. The self-assessment tool will be based on the National Institute of Standards and Technology (NIST) 800-53 standards, which is required to meet the State's security standards. Additionally, training on the new self-assessment and compliance reporting tool will be made available online in January 2017.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

Training on the new self-assessment and compliance reporting tool will begin in December 2016 and will be ongoing thereafter. The self-assessment tool will be based on the National Institute of Standards and Technology (NIST) 800-53 standards, which is required to meet the State's security standards. Additionally, training on the new self-assessment and compliance reporting tool will be made available online in January 2017.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

For the January 31, 2016 reporting period, online instructions and training workshops for completing the Nationwide Cyber Security Review (NCSR) self-assessment were provided, as well as supplemental in-person training and one-on-one guidance as requested. A total of 56 state entities attended the training workshops, and others received one-on-one assistance and guidance as requested. The Department recently acquired a separate tool to automate incident reporting. This tool has optional modules that can be configured to include any state-specific standards, and be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. By December 2016 the self-assessment, compliance reporting and remediation plan features of the newly acquired tool will be enabled to fully automate the reporting and tracking of risk and security compliance for subsequent reporting years. Once the self-assessment, compliance reporting and remediation plan features of the newly acquired tool are implemented, the Department of Technology will provide instruction and updated training on use of the new self-assessment and compliance reporting process. The updated training will also be incorporated into the existing and regularly provided training courses, and the Department will continue to review its training courses to determine if they should be enhanced, and will continue to provide one-on-one guidance to a reporting entity, upon request.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

Instructions and training are available online for completing the self-assessment tool. The Department of Technology has begun supplemental in-person training. The training is focused on helping departments understand the self-assessment tool and how to effectively complete it. Additionally, the Department will provide ongoing training, monitor the effectiveness of the training, and adjust the training material as warranted.

California State Auditor's Assessment of 60-Day Status: Partially Implemented

Although the technology department has provided training on the self-assessment tool, the tool is not based on the State's security standards. Therefore, reporting entities may not understand the entire scope of the security standards to which they are certifying.


Agency responses received are posted verbatim.