Appendix
CALLIFORNIA STATE AUDITOR’S SURVEY OF REPORTING ENTITIES THAT REPORTED THEIR LEVELS OF COMPLIANCE WITH SECURITY STANDARDS IN 2014 TO THE CALIFORNIA DEPARTMENT OF TECHNOLOGY
We surveyed 101 state entities under the direct authority of the governor (reporting entities) that certified their levels of compliance with the requirements in Chapter 5300 of the State Administrative Manual (security standards) to the California Department of Technology (technology department) in 2014.11 In an effort to protect the State’s information assets, we have chosen not to publicly disclose the names of the reporting entities that we surveyed; instead, we assigned each reporting entity a number. In tables A.1 and A.2, we summarize 77 survey respondents’ self-reported levels of compliance with 17 security standards that we placed into the following categories: information asset management, risk management, information security program management, information security incident management, and technology recovery. We grouped the remaining 47 security standards into the category of Other Information Security Requirements. In addition, tables A.1 and A.2 identify the types of information each reporting entity collects, stores, or maintains. Table A.1 focuses on the 41 survey respondents who completed our survey and reported to the technology department in 2014 that they were fully compliant with the security standards. Table A.2 focuses on the 36 survey respondents who completed our survey and reported to the technology department in 2014 that they were not fully compliant with the security standards. Four additional reporting entities partially responded to our survey answering some questions, but did not identify their specific levels of compliance with each of the 64 sections of the security standards. Thus, we excluded these four reporting entities from the tables. We list the remaining 20 state entities that did not respond to our information security survey in Table A.3.
Table A.1
Survey Responses From Entities that Reported Full Compliance With the California Department of Technology’s Security Standards in 2014
| Collects, Stores, or Maintains | Compliance Levels the Reporting Entities Identified in Our Survey | Reporting Entity | Personal Information or Health Information Protected by Law* | Confidential Financial Data* | Other Sensitive Data* | Information Asset Management | Risk Management | Information Security Program Management | Information Security Incident Management | Technology Recovery | Other Information Security Requirements |
|---|---|---|---|---|---|---|---|---|---|
| 01 | |||||||||
| 02 | Yes | Yes | Yes | ||||||
| 03 | |||||||||
| 04 | Yes | ||||||||
| 05 | Yes | Yes | Yes | ||||||
| 06 | |||||||||
| 07 | |||||||||
| 08 | Yes | ||||||||
| 09 | Yes | Yes | |||||||
| 10 | |||||||||
| 11 | Yes | ||||||||
| 12 | Yes | ||||||||
| 13 | Yes | ||||||||
| 14 | Yes | ||||||||
| 15 | Yes | Yes | |||||||
| 16 | Yes | Yes | |||||||
| 17 | Yes | ||||||||
| 18 | Yes | Yes | |||||||
| 19 | Yes | Yes | |||||||
| 20 | Yes | ||||||||
| 21 | Yes | ||||||||
| 22 | Yes | ||||||||
| 23 | Yes | Yes | Yes | ||||||
| 24 | |||||||||
| 25 | Yes | ||||||||
| 26 | Yes | ||||||||
| 27 | Yes | Yes | |||||||
| 28 | Yes | ||||||||
| 29 | Yes | Yes | Yes | ||||||
| 30 | Yes | Yes | Yes | ||||||
| 31 | |||||||||
| 32 | Yes | Yes | |||||||
| 33 | Yes | ||||||||
| 34 | Yes | Yes | Yes | ||||||
| 35 | Yes | Yes | Yes | ||||||
| 36 | Yes | ||||||||
| 37 | Yes | ||||||||
| 38 | Yes | Yes | |||||||
| 39 | Yes | Yes | |||||||
| 40 | |||||||||
| 41 | Yes |
Source: California State Auditor’s analysis of survey responses from 41 reporting entities certifying full compliance to the California Department of Technology in 2014.
* For entries in this column that do not contain the value “Yes”, the reporting entity asserted in its response to our survey that it did not collect, store, or maintain this type of data.
Green = Fully compliant: The reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area.
Yellow = Mostly compliant: The reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area.
Orange = Partially compliant: The reporting entity asserted it has made measurable progress in complying, but has not addressed all of the security standards for the control area.
Red = Not compliant: The reporting entity asserted it has not yet addressed the security standards for the control area.
Table A.2
Survey Responses From Entities That Reported Noncompliance With the California Department of Technology’s Security Standards in 2014
| Collects, Stores, or Maintains | Compliance Levels the Reporting Entities Identified in Our Survey | Reporting Entity | Personal Information or Health Information Protected by Law* | Confidential Financial Data* | Other Sensitive Data* | Information Asset Management | Risk Management | Information Security Program Management | Information Security Incident Management | Technology Recovery | Other Information Security Requirements |
|---|---|---|---|---|---|---|---|---|---|
| 42 | Yes | ||||||||
| 43 | Yes | ||||||||
| 44 | |||||||||
| 45 | Yes | ||||||||
| 46 | Yes | ||||||||
| 47 | Yes | Yes | Yes | ||||||
| 48 | Yes | Yes | |||||||
| 49 | Yes | Yes | |||||||
| 50 | Yes | ||||||||
| 51 | Yes | Yes | Yes | ||||||
| 52 | Yes | ||||||||
| 53 | Yes | Yes | |||||||
| 54 | Yes | ||||||||
| 55 | Yes | Yes | |||||||
| 56 | Yes | ||||||||
| 57 | Yes | Yes | |||||||
| 58 | Yes | ||||||||
| 59 | Yes | ||||||||
| 60 | Yes | ||||||||
| 61 | Yes | ||||||||
| 62 | Yes | Yes | |||||||
| 63 | Yes | Yes | Yes | ||||||
| 64 | Yes | ||||||||
| 65 | Yes | Yes | |||||||
| 66 | Yes | Yes | |||||||
| 67 | Yes | Yes | |||||||
| 68 | Yes | Yes | Yes | ||||||
| 69 | Yes | Yes | |||||||
| 70 | Yes | Yes | |||||||
| 71 | Yes | ||||||||
| 72 | Yes | Yes | |||||||
| 73 | Yes | Yes | |||||||
| 74 | Yes | Yes | |||||||
| 75 | Yes | Yes | Yes | ||||||
| 77 | Yes | Yes |
Source: California State Auditor’s analysis of survey responses from 36 reporting entities certifying noncompliance to the California Department of Technology in 2014.
For entries in this column that do not contain the value “Yes”, the reporting entity asserted in its response to our survey that it did not collect, store, or maintain this type of data.
Green = Fully compliant: The reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area.
Yellow = Mostly compliant: The reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area.
Orange = Partially compliant: The reporting entity asserted it has made measurable progress in complying, but has not addressed all of the security standards for the control area.
Red = Not compliant: The reporting entity has not yet addressed the security standards for the control area.
Table A.3
Entities That Submitted Certifications to the California Department of Technology in 2014 but Did Not Respond to Our Information Security Survey
| Entities |
|---|
| Baldwin Hills Conservancy |
| California Air Resources Board |
| California Department of Aging |
| California Department of Forestry and Fire Protection |
| California Department of General Services |
| California Department of Resources Recycling and Recovery |
| California Exposition and State Fair |
| California State Teachers’ Retirement System |
| Coachella Valley Mountains Conservancy |
| Delta Protection Commission |
| Native American Heritage Commission |
| Office of Administrative Law |
| Office of the Inspector General |
| Office of the State Public Defender |
| Public Employees’ Retirement System |
| Public Employment Relations Board |
| Sacramento-San Joaquin Delta Conservancy |
| San Diego River Conservancy |
| San Gabriel and Lower Los Angeles Rivers and Mountains Conservancy |
| Tahoe Regional Planning Agency |
Footnotes
11 The 101 reporting entities we surveyed included entities that state law requires to report to the technology department each year, as well as some entities that voluntarily reported to the technology department in 2014. Go back to text