Response to the Audit
Response From the California Government Operations Agency, on behalf of the California Department of Technology
Date: July 30, 2015
To: Elaine M. Howle, State Auditor
From: Marybel Batjer, Secretary
Subject: California State Auditor's Report 2015-611 - High Risk—California Department of Technology Oversight
Pursuant to the above audit report, enclosed are the California Department of Technology's comments pertaining to the results of the audit.
The Government Operations Agency would like to thank the California State Auditor for its comprehensive review. The results provide us with the opportunity to better serve our clients and protect the public.
Enclosure
CALIFORNIA DEPARTMENT OF TECHNOLOGY
MEMORANDUM
DATE: July 30, 2015
TO: Marybel Batjer, Secretary
Government Operations Agency
FROM: Carlos Ramos, Director
California Department of Technology
SUBJECT: RESPONSE TO CALIFORNIA STATE AUDITOR'S REPORT NO. 2015-611
Thank you for the opportunity to respond to the draft California State Auditor's (State Auditor) Report No. 2015-611 on High Risk-Department of Technology Oversight. The following responses address the State Auditor's recommendations regarding the Department of Technology's (Department) operations.
OVERVIEW OF THE REPORT
Information security is essential to protecting state information assets. The Department has a strong commitment to improving its existing oversight activities and to improving the state's overall information security posture. The Department will continue to work with reporting entities to achieve full compliance with all security standards.
RECOMMENDATIONS
Recommendation #1:
To assist reporting entities in reaching full compliance with the security standards, the department should take the following action:
- Ensure the consistency and accuracy of its self-certification process by developing a self-assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards. The department should require reporting entities to submit completed self-assessments along with their self-certifications.
Department Response #1:
The Department agrees with this recommendation.
The Department's online Risk Assessment Toolkit that is provided for the benefit of reporting entities includes a self-assessment tool, but the Department will review and further strengthen that self-assessment reporting tool by December 2015, in order to better assist reporting entities with reaching full compliance with security standards. The Department will require reporting entities to submit self-assessments along with their self-certification.
Recommendation #2:
To assist reporting entities in reaching full compliance with the security standards, the department should take the following action:
- Provide more extensive guidance and training to reporting entities regarding the self-certification process, including training on how they should use the new self-assessment tool.
Department Response #2:
The Department agrees with this recommendation.
The Department will provide training on the self-assessment tool that will be developed by December 2015, and will incorporate that topic in its existing and regularly provided training courses. On a quarterly basis, the Department provides a two-day training course that covers, among other requirements, the self-certification process. As additional information is received as a result of the Department's audits of reporting entities (i.e., the pilot program), the Department will review its training courses to determine whether they can be enhanced to better assist reporting entities in complying with the security standards. The Department will also continue to be available to provide one-on-one guidance and instruction to a reporting entity upon its request.
Recommendation #3:
To assist reporting entities in reaching full compliance with the security standards, the department should take the following action:
- Develop internal policies and procedures to ensure it reviews all self-assessments and self-certifications, including requiring supporting evidence of compliance when feasible.
Department Response #3:
The Department agrees with this recommendation.
The Department will update its existing internal procedures and processes that address the review of self-certifications, in order to incorporate the review of all self-assessments. Those procedures and processes will require, when determined necessary and feasible, that reporting entities provide evidence of reported compliance.
Recommendation #4:
To assist reporting entities in reaching full compliance with the security standards, the department should take the following action:
- Annually, follow up on the remediation plans that reporting entities submit.
Department Response #4:
The Department agrees with this recommendation.
The Department will follow up annually with reporting entities on the status of their remediation plan completion. The Department will also update its existing process and procedures for the review of remediation plans to include annual follow-up.
Recommendation #5:
To provide effective oversight of reporting entities' information security, the department should expand on its pilot audit program by developing an on-going risk-based audit program. If the department requests additional resources from state lawmakers, then it should fully support its request.
Department Response #5:
The Department agrees with this recommendation.
In recognition of the need to validate reporting entities' self-reported compliance status, the Department developed an information security compliance audit program (pilot program). Since authorization of the pilot program in July 2014, the Department has recruited and trained four Certified Information System Security Auditors, has developed the program and had the program and methodology evaluated by an independent audit organization, and is currently engaged in five security compliance audits. At the conclusion of the pilot phase on June 30, 2016, the Department will report on its overall findings, lessons learned, and recommendations for continuation of the audit program.
Recommendation #6:
The department should revise its certification form to require reporting entities to submit detailed information about their compliance with the security standards. It should use this information to track and identify trends in the State's overall information security.
Department Response #6:
The Department agrees with this recommendation.
The Department currently requires reporting entities to submit remediation plans when reporting that they are not fully compliant. The Department had already identified this as a concern and has developed a standardized reporting format that will require more detailed information about remediation activities. The draft policy and updated reporting format were provided to the State Auditor during its review, and will be published in August 2015. The Department will use this information to track and identify trends in the state's overall information security.
Recommendation #7:
The department should develop policies and procedures to define the process and criteria it will use to incentivize entities' compliance with the security standards.
Department Response #7:
The Department agrees in part with this recommendation, and will review and update its internal procedures.
The Department currently employs a number of mechanisms to work with departments to address compliance issues and to improve cybersecurity. The ultimate objective of the Department's security and privacy policies is to ensure that state systems and data are secure, reliable and available to meet the operational needs of reporting entities. These mechanisms include, but are not limited to, an enhanced set of security and privacy policies, guidelines and resources, training and education, vulnerability assessments conducted by the Department of Military's Computer Network Defense team and, more recently, the Department's security compliance audits.
A risk management methodology and approach are used to evaluate each situation on a case-by-case basis, and the evaluation criteria include, but are not limited to, gaining a solid understanding of the level of risk (potential impacts) associated with the specific area(s) of non-compliance, and the reasons behind the non-compliance.
Leveraging more severe consequences (as opposed to all other mechanisms employed) must be carefully evaluated against the level of risk to an entity's ability to operate and must be employed judiciously, as these actions can have a significant adverse impact on a reporting entity's ability to operate, could jeopardize state programs, and severely impact the people served by those programs.
Recommendation #8:
To improve the clarity of the security standards, the department should take the following action:
- Perform regular outreach to all reporting entities to gain their perspectives, and identify any unclear or inconsistent security standards, and revise the security standards as appropriate.
Department Response #8:
The Department agrees with this recommendation.
The Department agrees that regular outreach to reporting entities is important to ensure adequate understanding of the state's security standards. Although the Department currently has a vigorous outreach program, it will review that program to determine whether and how it could be enhanced, once the results are obtained from the Department's pilot audit program. The Department's existing outreach efforts include, but are not limited to, chairing bi-monthly Information Technology, Security and Privacy Governance meetings, where reporting entities have an opportunity to share their perspectives and concerns. These governing committees conduct outreach, and when additional guidance needs are identified through this outreach, working groups are formed to develop additional templates, tools and guidance material to further aid reporting entities with clarity of requirements and compliance. Further, the Department has a standing Policy Steering Committee meeting which provides another opportunity for reporting entities to share their perspectives and concerns, specifically related to policy and standards.
Recommendation #9:
To improve the clarity of the security standards, the department should take the following action:
- Develop and regularly provide detailed training on the requirements of the security standards and on best practices for achieving compliance. It should provide these trainings in a variety of locations and formats, including webinars.
Department Response #9:
The Department agrees with this recommendation.
The Department agrees that training is important to ensure adequate understanding of the state's security standards and best practices for achieving compliance. The Department has recently expanded its training program, which has received positive attendee feedback. The Department will continue to review the training program to determine whether and how training could be further enhanced. The Department's existing training efforts include, but are not limited to, facilitated training provided by trainers from the National Institute of Standards and Technology (NIST) on Federal Information Processing Standards (FIPS) and NIST standards specifically referenced in its policies, to better ensure state agencies understand what is expected and how to achieve compliance, and, on a quarterly basis, training that covers security standards requirements and best practices for achieving compliance through a combination of in-class lecture and practical exercises to reinforce learning concepts and application when attendees return to their organizations.
Response From Entity A
July 30, 2015
Elaine M. Howle, CPA, State Auditor
California State Auditor
SUBJECT: RESPONSE TO CALIFORNIA STATE AUDITOR'S REPORT NO. 2015-611
Thank you for the opportunity to respond to the draft California State Auditor's (State Auditor) Report No. 2015-611, High Risk Update-Information Security. The following response addresses the State Auditor's recommendation to the entity.
RECOMMENDATION
RECOMMENDATION TO ENTITY A:
Entity A should identify all areas in which it is noncompliant with the security standards, develop a detailed remediation plan that includes timeframes and milestones, and ensure full compliance by August 2016.
Entity A Response:
Entity A has already identified the areas in which it is not fully in compliance and has completed a plan with estimated completion dates ranging from June 2015 to December 2017. Entity A provided the plan to the State Auditor on June 11, 2015, and is implementing according to the plan. Entity A's plan was developed with consideration of compliance activities occurring prior to the audit as well as operational and other entity activities.
/s/
Director
Entity A
Response From Entity B
Response to California State Auditor Draft Report Entitled: High Risk Update – Information Security, Many State Entities’ Information Assets are Potentially Vulnerable to Attack or Disruption, Report 2015-61
Finding:
State entities have poor controls over their information systems, putting some of the State’s most sensitive information at risk.
Recommendation:
Entity B should promptly identify all areas in which they are non-compliant with the security standards, develop a detailed remediation plan that includes timeframes and milestones, and ensure full compliance by January 2016.
Response:
Entity B agrees with the recommendation.
Entity B will identify and correct all non-compliant areas, including those cited in the report. The weaknesses in information asset management will be addressed by enhancing the existing asset management process, performing additional data collection, and updating documentation. Weaknesses in information security incident management will be addressed by updating the Incident Response Plan and implementing testing procedures. Weaknesses in Technology Recovery will be addressed by collecting additional information and updating the Technology Recovery Plan. The estimated date of completion of all actions is January 31, 2016.
Response From Entity C
Elaine M. Howle, CPA, State Auditor
California State Auditor
[ redacted text * ] Entity C* has reviewed the draft report as provided by your office and is in agreement with your findings. In response, [ redacted text * ] Entity C* is fully engaged in developing a plan of corrective action to close the gaps identified by your office and bring [ redacted text * ] Entity C* into full compliance within the required timeframe.
Response From Entity D
[ redacted text * ]
July 30, 2015
Elaine M. Howle, CPA
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, California 95814
Dear Ms. Howle:
I have received the redacted draft copies of your report High Risk Update - Information Security (2015-611).
I have discussed the report with the leadership of Entity D and they concur with the report's findings and recommendation. Entity D will take the necessary steps to develop the required policies and procedures and related work plan associated with ensuring compliance with SAM 5300 by August 2016.
Thank you for the opportunity to review this report.
Sincerely,
[ redacted text * ]
Response From Entity E
[ redacted text * ]
Date: July 30, 2015
To: Elaine M. Howle, CPA
California State Auditor
Subject: Information Security Audit Response for Entity E
The [ redacted text * ] thanks the State Auditor for the opportunity to have [ redacted text * ] our [ redacted text * ] information security posture reviewed and audited related to SAM 5300.
The State Auditor's findings and recommendations highlight areas that need attention in order to mitigate potential risk to the [ redacted text * ] "Entity E" in the High Risk Update-Information Security report.
The [ redacted text * ] Agency and the department Entity E concur with the audit findings and agree with the proposed recommendations. Entity E has met with the State Auditors and fully understands the specific areas that need to be addressed in order to be in full compliance with security standards. The Auditors were able to identify differences in Entity E's perception of Chapter 5300 of the State Administrative Manual requirements and interpretations.
Entity E concurs with the report findings and recommendation. The following page contains the entity's responses to the items listed in the report.
[ redacted text * ]
Entity "E" Responses to State Audit Information Security Findings and Recommendation
Audit Finding | Audit Recommendation | Entity E Response | Entity E Action(s) |
---|---|---|---|
Entity E level of compliance with select Information Security Control Areas | Entity should promptly identify all areas in which they are noncompliant with the security standards and develop a detailed plan that includes timeframes and milestones to reach full compliance by August 2016. | Agree | A. Conduct a full Security Risk Assessment, utilizing a third party to perform the assessment. Targeted completion: 12/31/2015. B. Based on Risk Assessment findings/gaps, develop a Corrective Action Plan. Target completion: 1/31/2016. C. Complete Corrective Action Plan items by August 2016. |
Entity E had significant weaknesses in the risk management program | See Audit recommendation above | Agree | A. Complete initial third-party Risk Assessment (see above). B. Develop and strengthen Entity's Information Security Risk Assessment program. Target completion: August 2016. C. Perform required Risk Assessments and take required actions based on findings. |
Comments
CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE CALIFORNIA DEPARTMENT OF TECHNOLOGY
To provide clarity and perspective, we are commenting on the California Department of Technology’s (technology department) response to our audit. The numbers below correspond to the numbers we have placed in the margin of the technology department’s response.
Although the technology department agrees with our recommendation, it does not clearly identify what new actions it will take to implement our recommendation. Rather, the technology department provides a description of its current pilot information security compliance audit program (pilot audit program), and that it will report on this pilot audit program after June 2016. Therefore, we look forward to the technology department’s 60‑day response where we anticipate it will more clearly specify how it will implement our recommendation.
The technology department indicates it intends to revise the remediation plan reporting format, but it does not address our recommendation to revise its Risk Management and Privacy Program Compliance Certification (certification form). As we state in Chapter 2, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. Reporting entities that believe they are in compliance will not only fail to identify the need to improve their information security, but they will not submit plans to remediate their deficiencies. Therefore, the remediation plan information the technology department intends to use to track and identify trends may not fully capture, nor accurately represent, all of the reporting entities’ security deficiencies.
Although the technology department asserts in its response that it uses a risk management methodology and approach to evaluate each situation on a case‑by‑case basis, it does not have documented policies or procedures defining its methodology. Consequently, as we state in Chapter 2, the technology department may not be considering information security uniformly across all of the new information technology projects it reviews.
The technology department misrepresents our recommendation. We do not recommend the technology department leverage more severe consequences without proper consideration. Rather, as stated in Chapter 2, we recommend the technology department develop fully documented policies and procedures to define the process and criteria it will use to incentivize reporting entities’ compliance with the security standards.
Despite the technology department’s assertion that it has a vigorous outreach program, as we stated in Chapter 2, more than one‑third of survey participants stated the security standards are unclear. Further, the technology department asserts that it intends to wait until it obtains the results of its eight pilot program audits, which are scheduled to conclude in June 2016, before it reviews its outreach program. However, until the technology department reaches out to all reporting entities to gain their perspectives, identifies the unclear or inconsistent security standards, and revises the security standards as appropriate, the reporting entities will continue to face challenges in implementing the appropriate controls to safeguard the State’s information systems and the information they contain.
Although the technology department agrees with our recommendation, it does not clearly identify what new actions it will take related to its training program to address our recommendation. As discussed in Chapter 2, more than half of the survey respondents asserted that the technology department’s guidance and training were insufficient. Consequently, we look forward to the technology department’s 60‑day response when we anticipate it will provide further detail about its plans to improve the training program.
CALIFORNIA STATE AUDITOR’S COMMENT ON THE RESPONSE FROM ENTITY A
To provide clarity and perspective, we are commenting on Entity A’s response to our audit. The number below corresponds to the number we have placed in the margin of Entity A’s response.
Entity A asserts that it has already identified areas of noncompliance with the security standards in a plan provided to us on June 11, 2015. However, through our subsequent control review we discovered additional areas of noncompliance not included in this plan. To reach full compliance, Entity A should identify all areas in which it is noncompliant with Chapter 5300 of the State Administrative Manual (security standards). Further, because implementing appropriate security measures and controls is critical to ensuring the State’s ability to protect its information assets, Entity A should prioritize its full implementation of the security standards by August 2016.
CALIFORNIA STATE AUDITOR’S COMMENT ON THE RESPONSE FROM ENTITY C
To provide clarity and perspective, we are commenting on Entity C’s response to our audit. The number below corresponds to the number we have placed in the margin of Entity C’s response.
As we state in Chapter 1, our control reviews focused only on select information security controls. As a result, Entity C’s information security controls may have additional deficiencies that we did not identify. To reach full compliance, Entity C should identify all areas in which it is noncompliant with Chapter 5300 of the State Administrative Manual and remediate all such weaknesses by August 2016.
CALIFORNIA STATE AUDITOR’S COMMENT ON THE RESPONSE FROM ENTITY E
To provide clarity and perspective, we are commenting on Entity E’s response to our audit. The number below corresponds to the number we have placed in the margin of Entity E’s response.
As we state in Chapter 1, our control reviews focused only on select information security controls. As a result, Entity E’s information security controls may have additional deficiencies that we did not identify. To reach full compliance, Entity E should identify all areas in which it is noncompliant with Chapter 5300 of the State Administrative Manual and remediate all weaknesses by August 2016.
* In an effort to protect the State’s information assets, we have chosen not to publicly disclose the names of the reporting entities that we reviewed. As a result, we redacted information that may identify the reporting entity.