The California State Auditor’s Office will publish a report this month focused on efforts by the California Department of Technology (CDT) to improve state agencies’ information security.
The state’s cybersecurity posture has been previously flagged by the Auditor’s Office, most recently in a report in August that cited CDT. The auditor found that the agency’s information security practices posed a “high risk” to the state. That report also noted that the Auditor’s Office first raised the issue of information security in September 2013.
This month’s report will rely on “independently developed and verified information” in assessing information security compliance by state “reporting entities” (those under the governor’s direct authority) and “nonreporting entities,” which are those outside the governor’s direct authority such as constitutional offices and the judicial branch.
The coming report will:
- Review and evaluate the laws, rules and regulations significant to the audit objectives.
- Evaluate CDT’s oversight of reporting entities’ information security, including its progress in establishing an information security baseline status for reporting entities.
- Determine whether reporting entities’ compliance with information security standards has improved.
- Evaluate the measures and guidance CDT has developed to address the increased security risk due to the number of state employees who are now teleworking as a result of the COVID-19 pandemic. For a selection of reporting entities, determine the measures taken to address telework risks and whether they comply with CDT’s guidance and determine whether there has been an increase in reported information security incidents during the pandemic.
- Determine whether nonreporting entities have improved their compliance with their selected information security standards. Evaluate their efforts to mitigate teleworking risks, and determine whether there has been an increase in information security incidents during the pandemic.
- Review and assess any other issues that are significant to the audit.
In its August report, the Auditor’s Office explained why it kept CDT on its “high risk” list:
“State entities have not demonstrated adequate progress toward addressing deficiencies in their information system controls,” the Auditor’s Office wrote. “Reporting entities continue to struggle with improving their information security status, as evidenced by their performance on a federally sponsored nationwide information security review. For example, reporting entities have self-reported weaknesses in their information security programs since at least 2018, rating themselves on average slightly below the federally recommended minimum level. Further, reporting entities have remained stagnant in their information security development, as the state’s average scores remained nearly unchanged between 2018 and 2020.”
The auditor added: “Nonreporting entities also need to improve their information security status. Specifically, we surveyed 31 nonreporting entities, and only four reported achieving full compliance with their chosen information security framework and standards. Further, three entities have not even adopted a framework or standards. Consequently, because weaknesses persist in information security controls across all types of state entities, information security remains a high-risk statewide issue.”
The Auditor’s Office has not specified a release date for this month’s report.