
Auditor Plans Report Updating State’s Information Security

The California Department of Technology was cited in previous reports by the State Auditor’s Office for its “high risk” security posture.

An earlier version of this article incorrectly stated that the California State Auditor, in an August report, had faulted several state agencies for their handling of information security. The August report cited only the Department of Technology.

The California State Auditor’s Office will publish a report this month focused on efforts by the California Department of Technology (CDT) to improve state agencies’ information security.

The state’s cybersecurity posture has been previously flagged by the Auditor’s Office, most recently in a report in August that cited CDT. The auditor found that the agency’s information security practices posed a “high risk” to the state. That report also noted that the Auditor’s Office first raised the issue of information security in September 2013.

This month’s report will rely on “independently developed and verified information” in assessing information security compliance by state “reporting entities” (those under the governor’s direct authority) and “nonreporting entities,” which are those outside the governor’s direct authority, such as constitutional offices and the judicial branch.

The coming report will:
  • Review and evaluate the laws, rules and regulations significant to the audit objectives.
  • Evaluate CDT’s oversight of reporting entities’ information security, including its progress in establishing an information security baseline status for reporting entities.
  • Determine whether reporting entities’ compliance with information security standards has improved.
  • Evaluate the measures and guidance CDT has developed to address the increased security risk due to the number of state employees who are now teleworking as a result of the COVID-19 pandemic. For a selection of reporting entities, determine the measures taken to address telework risks and whether they comply with CDT’s guidance and determine whether there has been an increase in reported information security incidents during the pandemic.
  • Determine whether nonreporting entities have improved their compliance with their selected information security standards. Evaluate their efforts to mitigate teleworking risks, and determine whether there has been an increase in information security incidents during the pandemic.
  • Review and assess any other issues that are significant to the audit.

In its August report, the Auditor’s Office explained why it kept CDT on its “high risk” list:

“State entities have not demonstrated adequate progress toward addressing deficiencies in their information system controls,” the Auditor’s Office wrote. “Reporting entities continue to struggle with improving their information security status, as evidenced by their performance on a federally sponsored nationwide information security review. For example, reporting entities have self-reported weaknesses in their information security programs since at least 2018, rating themselves on average slightly below the federally recommended minimum level. Further, reporting entities have remained stagnant in their information security development, as the state’s average scores remained nearly unchanged between 2018 and 2020.”

The auditor added: “Nonreporting entities also need to improve their information security status. Specifically, we surveyed 31 nonreporting entities, and only four reported achieving full compliance with their chosen information security framework and standards. Further, three entities have not even adopted a framework or standards. Consequently, because weaknesses persist in information security controls across all types of state entities, information security remains a high-risk statewide issue.”

The Auditor’s Office has not specified a release date for this month’s report.

Dennis Noone is Executive Editor of Industry Insider. He is a career journalist, having worked as a reporter and editor at small-town newspapers and major metropolitan dailies in California, Nevada, Texas and Virginia, including as an editor with USA Today in Washington, D.C. He lives in Northern California.