Report 2018-611 Recommendations
When an audit is completed and a report is issued, auditees must provide the State Auditor with information and periodic reports regarding their progress in implementing the report's recommendations. For audits conducted under the State High Risk Audit Program, these periodic reports are due every 90 days from the issue date of the report until such time as the State Auditor directs the auditee otherwise, according to title 2, section 61024 of the California Code of Regulations. Additionally, Senate Bill 1452 (Chapter 452, Statutes of 2006) requires auditees who have not implemented recommendations after one year to report to us and to the Legislature why they have not implemented them or to state when they intend to implement them. Below is a listing of each recommendation the State Auditor made in the report referenced and a link to the most recent response from the auditee addressing their progress in implementing the recommendation, together with the State Auditor's assessment of the auditee's response based on our review of the supporting documentation.
Recommendations in Report 2018-611: Gaps in Oversight Contribute to Weaknesses in the State's Information Security (Release Date: July 2019)
Recommendations to Legislature
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to adopt information security standards comparable to SAM 5300.
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to obtain or perform comprehensive information security assessments no less frequently than every three years to determine compliance with the entirety of their adopted information security standards.
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require all nonreporting entities to confidentially submit certifications of their compliance with their adopted standards to the Assembly Privacy and Consumer Protection Committee and, if applicable, to confidentially submit corrective action plans to address any outstanding deficiencies.