The audit designated two “non-reporting entities” fully compliant — but found four to have “no information security assessment. It considered 24 entities, the majority, to be “partially compliant” with standards. But 21 agencies were found to have “high-risk deficiencies,” Auditor Elaine M. Howle said in a letter to Gov. Gavin Newsom and legislators that accompanied the audit. A representative of the Auditor’s Office has not yet responded to Techwire; however, it’s likely the entities were not fully described as a security measure. Individual responses from entities, or agencies — a common feature in audits — were also not a part of the audit. This article may be updated. Among the takeaways:
• The California Department of Technology (CDT) “has made progress” since the auditor’s first such assessment in 2013. Agencies under CDT’s oversight, or reporting entities — essentially, those in the executive branch, under the governor’s direct authority — have increased compliance with set standards. But those outside CDT’s oversight, including the 33 non-reporting entities surveyed, “need to do more to safeguard the information they collect, maintain and store.” Entities surveyed in the audit were part of a list of 233 possible survey recipients developed from a “roster of state agencies, departments, boards, constitutional offices and other entities maintained by the Secretary of State’s Office.”
In a comment to Techwire provided by email, CDT Director Amy Tong emphasized the need to strengthen security and safeguard personal information.
“The California Department of Technology appreciates that the California State Auditor’s report calls for strengthening the security and privacy practices of all state entities. Our Security Operations Center blocks 200-plus million malicious probes daily that target government entities. It is imperative that we protect the personal information of the citizens of this state as much as possible,” Tong said.
• Among the 21 entities found to have high-risk deficiencies, some were partially compliant with standards — but were still deficient. The definition of “high risk” may vary depending on the standards used in a security assessment, but “risk is often calculated by considering threats or vulnerabilities and their associated impacts and likelihood of occurrence.”
As an example, the audit indicated one entity “failed to apply security updates” to some devices, creating a threat that known device vulnerabilities “could be exploited.” The most common area of deficiency was in information security program management.
• Of the four entities that had not performed an assessment, three “currently have” no plans to do one, the audit said, pointing out that without an assessment, the units are “likely unaware” whether controls are correctly installed and operating. The audit described “some” non-reporting entities as being slow to address weaknesses, noting 11 indicated they’d need three years to resolve issues.
• The audit recommended all non-reporting entities adopt information security standards similar to those in Chapter 5300 of the State Administrative Manual — with which reporting entities comply. It also recommended non-reporting entities do “comprehensive” information security assessments at least every three years to find out whether they’re compliant with adopted standards; and confidentially submit compliance certifications to the Assembly Privacy and Consumer Protection Committee along with corrective action plans if applicable.
