California State Auditor Report Number : 2015-611

High Risk Update- Information Security
Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption


Appendix

CALIFORNIA STATE AUDITOR’S SURVEY OF REPORTING ENTITIES THAT REPORTED THEIR LEVELS OF COMPLIANCE WITH SECURITY STANDARDS IN 2014 TO THE CALIFORNIA DEPARTMENT OF TECHNOLOGY

We surveyed 101 state entities under the direct authority of the governor (reporting entities) that certified their levels of compliance with the requirements in Chapter 5300 of the State Administrative Manual (security standards) to the California Department of Technology (technology department) in 2014.[11] In an effort to protect the State’s information assets, we have chosen not to publicly disclose the names of the reporting entities that we surveyed; instead, we assigned each reporting entity a number. In tables A.1 and A.2, we summarize 77 survey respondents’ self-reported levels of compliance with 17 security standards that we placed into the following categories: information asset management, risk management, information security program management, information security incident management, and technology recovery. We grouped the remaining 47 security standards into the category of Other Information Security Requirements. In addition, tables A.1 and A.2 identify the types of information each reporting entity collects, stores, or maintains. Table A.1 focuses on the 41 survey respondents who completed our survey and reported to the technology department in 2014 that they were fully compliant with the security standards. Table A.2 focuses on the 36 survey respondents who completed our survey and reported to the technology department in 2014 that they were not fully compliant with the security standards. Four additional reporting entities partially responded to our survey, answering some questions but not identifying their specific levels of compliance with each of the 64 sections of the security standards. We therefore excluded these four reporting entities from the tables. We list the remaining 20 state entities that did not respond to our information security survey in Table A.3.



Table A.1

Survey Responses From Entities that Reported Full Compliance With the California Department of Technology’s Security Standards in 2014

Collects, Stores, or Maintains (column key: PI/HI = Personal Information or Health Information Protected by Law; CFD = Confidential Financial Data; OSD = Other Sensitive Data)

Compliance Levels the Reporting Entities Identified in Our Survey, for the six control areas (Information Asset Management, Risk Management, Information Security Program Management, Information Security Incident Management, Technology Recovery, and Other Information Security Requirements), were shown in the original table by cell color according to the legend below the table; those color values are not carried in this text version.

Reporting Entity | PI/HI* | CFD* | OSD*
01               |        |      |
02               | Yes    | Yes  | Yes
03               |        |      |
04               | Yes    |      |
05               | Yes    | Yes  | Yes
06               |        |      |
07               |        |      |
08               | Yes    |      |
09               | Yes    |      | Yes
10               |        |      |
11               |        |      | Yes
12               | Yes    |      |
13               | Yes    |      |
14               | Yes    |      |
15               | Yes    | Yes  |
16               | Yes    |      | Yes
17               | Yes    |      |
18               | Yes    | Yes  |
19               | Yes    |      | Yes
20               | Yes    |      |
21               |        |      | Yes
22               | Yes    |      |
23               | Yes    | Yes  | Yes
24               |        |      |
25               |        |      | Yes
26               |        |      | Yes
27               | Yes    |      | Yes
28               | Yes    |      |
29               | Yes    | Yes  | Yes
30               | Yes    | Yes  | Yes
31               |        |      |
32               | Yes    |      | Yes
33               | Yes    |      |
34               | Yes    | Yes  | Yes
35               | Yes    | Yes  | Yes
36               | Yes    |      |
37               | Yes    |      |
38               | Yes    | Yes  |
39               | Yes    |      | Yes
40               |        |      |
41               | Yes    |      |

Source: California State Auditor’s analysis of survey responses from 41 reporting entities certifying full compliance to the California Department of Technology in 2014.

* For entries in these columns that do not contain the value “Yes”, the reporting entity asserted in its response to our survey that it did not collect, store, or maintain that type of data.

Green = Fully compliant: The reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area.

Yellow = Mostly compliant: The reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area.

Orange = Partially compliant: The reporting entity asserted it has made measurable progress in complying, but has not addressed all of the security standards for the control area.

Red = Not compliant: The reporting entity asserted it has not yet addressed the security standards for the control area.



Table A.2

Survey Responses From Entities That Reported Noncompliance With the California Department of Technology’s Security Standards in 2014

Collects, Stores, or Maintains (column key: PI/HI = Personal Information or Health Information Protected by Law; CFD = Confidential Financial Data; OSD = Other Sensitive Data)

Compliance Levels the Reporting Entities Identified in Our Survey, for the six control areas (Information Asset Management, Risk Management, Information Security Program Management, Information Security Incident Management, Technology Recovery, and Other Information Security Requirements), were shown in the original table by cell color according to the legend below the table; those color values are not carried in this text version.

Reporting Entity | PI/HI* | CFD* | OSD*
42               |        |      | Yes
43               | Yes    |      |
44               |        |      |
45               | Yes    |      |
46               | Yes    |      |
47               | Yes    | Yes  | Yes
48               | Yes    |      | Yes
49               | Yes    |      | Yes
50               | Yes    |      |
51               | Yes    | Yes  | Yes
52               |        |      | Yes
53               | Yes    | Yes  |
54               | Yes    |      |
55               | Yes    |      | Yes
56               | Yes    |      |
57               | Yes    | Yes  |
58               | Yes    |      |
59               |        |      | Yes
60               | Yes    |      |
61               | Yes    |      |
62               | Yes    |      | Yes
63               | Yes    | Yes  | Yes
64               | Yes    |      |
65               | Yes    | Yes  |
66               | Yes    | Yes  |
67               | Yes    | Yes  |
68               | Yes    | Yes  | Yes
69               | Yes    | Yes  |
70               | Yes    |      | Yes
71               |        |      | Yes
72               | Yes    | Yes  |
73               | Yes    | Yes  |
74               | Yes    |      | Yes
75               | Yes    | Yes  | Yes
77               | Yes    |      | Yes

Source: California State Auditor’s analysis of survey responses from 36 reporting entities certifying noncompliance to the California Department of Technology in 2014.

* For entries in these columns that do not contain the value “Yes”, the reporting entity asserted in its response to our survey that it did not collect, store, or maintain that type of data.

Green = Fully compliant: The reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area.

Yellow = Mostly compliant: The reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area.

Orange = Partially compliant: The reporting entity asserted it has made measurable progress in complying, but has not addressed all of the security standards for the control area.

Red = Not compliant: The reporting entity asserted it has not yet addressed the security standards for the control area.



Table A.3

Entities That Submitted Certifications to the California Department of Technology in 2014 but Did Not Respond to Our Information Security Survey

Entities
Baldwin Hills Conservancy
California Air Resources Board
California Department of Aging
California Department of Forestry and Fire Protection
California Department of General Services
California Department of Resources Recycling and Recovery
California Exposition and State Fair
California State Teachers’ Retirement System
Coachella Valley Mountains Conservancy
Delta Protection Commission
Native American Heritage Commission
Office of Administrative Law
Office of the Inspector General
Office of the State Public Defender
Public Employees’ Retirement System
Public Employment Relations Board
Sacramento-San Joaquin Delta Conservancy
San Diego River Conservancy
San Gabriel and Lower Los Angeles Rivers and Mountains Conservancy
Tahoe Regional Planning Agency



Footnotes

[11] The 101 reporting entities we surveyed included entities that state law requires to report to the technology department each year, as well as some entities that voluntarily reported to the technology department in 2014.
