California State Auditor Report Number : 2015-611

High Risk Update—Information Security
Many State Entities’ Information Assets Are Potentially Vulnerable to Attack or Disruption

Figure 1

Figure 1 is a flowchart that identifies the key state entities related to information security that are members of the California Cybersecurity Task Force (task force) and depicts the flow of information between those members. At the top of the chart are the logos of the task force co-chairs, the California Department of Technology (technology department) and the Governor’s Office of Emergency Services (emergency services). The technology department provides statewide strategic direction and leadership in the protection of California’s information assets. Emergency services coordinates the six state fusion centers, which gather intelligence and share information related to threat analysis. These two organizations share and disseminate information to the other members of the task force: the California Military Department (military department), the California Highway Patrol (highway patrol), and the Office of the Attorney General (attorney general). The military department, through its Computer Network Defense Team, provides services such as assessments and training to assist state entities in meeting information security requirements. The highway patrol, through its Computer Crimes Investigation Unit, collects information about computer crime incidents and investigates those incidents. The attorney general, through its eCrime Unit, investigates and prosecutes multijurisdictional criminal organizations, networks, and groups that perpetrate technology-related crimes. An arrow connecting the technology department and the military department indicates that these departments work together to provide risk assessments to state entities. An arrow connecting the technology department and the highway patrol indicates that these entities work together to respond to, investigate, and track information security incidents. A series of arrows connecting emergency services with the highway patrol and the attorney general indicates that these three entities jointly operate the State’s main fusion center, the State Threat Assessment Center.

Go back to Figure 1

Figure 2

Figure 2 is a flowchart illustrating five key control areas of information security with which the California Department of Technology requires reporting entities to comply. The first three control areas, information asset management, risk management, and information security program management, provide the foundation of an information security control structure. The information asset management control area explains that reporting entities should establish and maintain an inventory of their information assets and determine the necessary level of security for each. The chart then flows into the risk management control area, which indicates that reporting entities should identify and consistently evaluate potential risks to their information assets. The chart then flows into the final foundational area, information security program management, in which reporting entities should develop and continually update programs for protecting their information assets from the risks they have identified. To signify that they are part of the information security program management control area, the fourth and fifth control areas flow from the information security program management box. The fourth control area, information security incident management, explains that reporting entities should develop and document procedures to ensure their ability to promptly respond to, report on, and recover from information security incidents such as malicious cyber attacks. The fifth control area, technology recovery, explains that reporting entities should create detailed plans to recover critical information assets from unanticipated interruptions or disasters such as floods, earthquakes, or fires.

Go back to Figure 2

Figure 3

Figure 3 is a color-coded bar chart that describes reporting entities’ levels of compliance with selected information security control areas, according to their survey responses. Each color in the bar chart represents a level of compliance with the information security control areas. Green represents “Fully compliant,” in which the reporting entity asserted it is fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area. Yellow represents “Mostly compliant,” in which the reporting entity asserted it has attained nearly full compliance with all of the security standards for the control area. Orange represents “Partially compliant,” in which the reporting entity asserted that it has made measurable progress in complying but has not addressed all of the security standards for the control area. Red represents “Not compliant,” in which the reporting entity asserted that it has not yet addressed the security standards for the control area. The figure contains five bars with these colors, each bar representing one of the five information security control areas and the related responses to our survey from 77 reporting entities detailing their level of compliance with that control area. The bar representing the information asset management control area shows that 28 reporting entities asserted full compliance (green), 21 asserted that they were mostly compliant (yellow), 22 asserted that they were partially compliant (orange), and six reported that they were not compliant (red). The bar representing the risk management control area shows 25 green, 15 yellow, 30 orange, and seven red. The bar representing the information security program management control area shows 24 green, 24 yellow, 26 orange, and three red. The bar representing the information security incident management control area shows 28 green, 28 yellow, 20 orange, and one red. The bar representing the technology recovery control area shows 23 green, 32 yellow, 21 orange, and one red.

Go back to Figure 3

Figure 4

Figure 4 is a bar chart that provides survey responses from 37 of the 41 reporting entities that certified to the California Department of Technology in 2014 that they were in compliance with the information security standards but disclosed in our survey that they were not fully compliant. Specifically, Figure 4 shows the year in which these 37 reporting entities indicated that they will reach full compliance with the information security standards. The chart shows that six reporting entities expect to achieve full compliance in 2015, eight in 2016, nine in 2017, five in 2018, one in 2019, and eight in 2020 or beyond.

Go back to Figure 4