Report 2015-611 Recommendation 8 Responses
Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)
Recommendation #8 To: Technology, California Department of
The technology department should revise its certification form to require reporting entities to submit detailed information about their compliance with the security standards. It should use this information to track and identify trends in the State's overall information security.
Annual Follow-Up Agency Response From October 2018
CDT published the revised version of its certification form in January 2018, under its Policy/Guidelines Memo 2018-0012. One of the central changes to this revision was that they are now required to list risks in their compliance form and the director or lead individual of the department is required to sign it (it may not be delegated).
The data from the entities' certification form is stored in a secured automated system for tracking and reports from the system have been used to conduct trend analyses.
https://cdt.ca.gov/wp-content/uploads/2018/01/PolicyGuidelines_2018-0112_001.pdf
- Completion Date: January 2018
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
Annual Follow-Up Agency Response From November 2017
CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool that has all necessary information and reporting ability for entities to determine their compliance with security standards.
Currently there are five (5) pilot agencies using this system, and training for this system is ongoing.
Expected full use of this new system by all state agencies is May 2018.
- Estimated Completion Date: May 2018
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2016
CDT will be replacing the annual certification form with the launch of the new automated compliance reporting system. Additionally, the automated compliance reporting tool will provide analytical and trend information that will allow the state to be more proactive with cyber threats.
A system policy update will be released by December 31, 2016, announcing the new self-certification and compliance reporting process, and directing state entities to use the new automated compliance reporting tool instead of the current paper self-certification form.
Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations will be provided in November 2016.
- Estimated Completion Date: December 2016
California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented
1-Year Agency Response
CDT will be replacing the annual certification form with the launch of the new automated compliance reporting system. Additionally, the automated compliance reporting tool will provide analytical and trend information that will allow the state to be more proactive with cyber threats.
A system policy update will be released by December 31, 2016, announcing the new self-certification and compliance reporting process, and directing state entities to use the new automated compliance reporting tool instead of the current paper self-certification form.
Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016, and subsequent recommendations are to be provided in November 2016.
- Estimated Completion Date: December 2016
- Response Date: August 2016
California State Auditor's Assessment of 1-Year Status: Partially Implemented
6-Month Agency Response
In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach for obtaining additional detail about remediation activity. This information, along with information obtained through the formal audits, will be used to track and identify trends in the State's overall information security. These trends will be discussed with the departments on a quarterly basis.
- Completion Date: August 2015
- Response Date: February 2016
California State Auditor's Assessment of 6-Month Status: Partially Implemented
As we state in Chapter 2 of the report, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. As a result, some reporting entities may not identify—and therefore not report—all of their areas of noncompliance on the new PoAM.
60-Day Agency Response
In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach for obtaining additional detail about remediation activity. This information, along with information obtained through the formal audits, will be used to track and identify trends in the State's overall information security. These trends will be discussed with the departments on a quarterly basis.
- Completion Date: August 2015
- Response Date: October 2015
California State Auditor's Assessment of 60-Day Status: Partially Implemented
As we state in Chapter 2 of the report, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. As a result, some reporting entities may not identify—and therefore not report—all of their areas of noncompliance on the new PoAM.
- Auditee did not address all aspects of the recommendation
Agency responses received are posted verbatim.