Report 2014-120 Recommendations

To ensure that the commission has the information it needs to better report on VoIP-related complaints, the Legislature should give the commission the authority to collect information from providers regarding their VoIP customers and require VoIP providers to furnish this information to the commission.

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update and provide further training to its staff on properly classifying complaints by September 30, 2015.

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should continue to implement its quality management team program component focused on reviewing the categorization of complaints and correcting identified errors.

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should develop and implement tools by September 30, 2015, to measure the quality management team program's effectiveness.

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update by June 30, 2015, its guidance for categorizing complaints to better integrate with the BRM. For example, the guidance should specify that nonjurisdictional complaints should be classified as such.

To ensure that policy makers, enforcement officials, and the general public have access to more complete and meaningful consumer complaints data in CIMS, the branch should, to the fullest extent possible, include the attributes of each complaint in the data it records in CIMS.

To ensure that branch staff provide the appropriate assistance to consumers with VoIP-related complaints, the branch should, by September 30, 2015, further train its staff on the requirements of the VoIP job aid and on providing correspondence to complainants as its guidelines require.

To ensure that consumers have access to complaint data that will enhance their ability to make informed choices about their telecommunication services, the branch should, by June 30, 2015, create an updated plan that specifies the types of data the branch intends to post online and a timeline for fully implementing that plan.

To ensure that it can assess the value to the public of the complaint data it presents on its website, the branch should create a process for those who view its complaint data to provide feedback to the branch including, if necessary, modifying the survey that it uses to collect feedback on LEP data.

To ensure that the public can easily locate customer complaint data the branch publishes on its website, the commission should make navigating to its customer complaint data more intuitive and direct.

The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.

As part of developing, implementing, and maintaining an entitywide information security program, the commission should complete and maintain inventory of all its information assets, specifically categorizing the level of required security of the information assets based on the potential impact that a loss of confidentiality, integrity, or availability of such information would have on its operations and assets.

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop a risk management and privacy plan and conduct an assessment of risks facing its information assets.

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop, implement, and maintain an information security plan as part of its entitywide information security program.

The commission should develop, disseminate, and maintain an incident response plan.

The commission should revise its existing recovery plan to include a list of applications supporting critical business functions, their maximum acceptable outage time frames, and detailed recovery strategies for each application.

The commission should revise its existing recovery plan to include detailed procedures for rebuilding its technology infrastructure at an alternate processing site.

The commission should conduct regular tests and exercises to assess the sufficiency of the revised recovery plan and refine the plan when necessary.

The commission should ensure that any certifications it submits to CalTech accurately represent its information security environment.