Audit Results
Nonreporting Entities Have Weaknesses in Their Information Security
Numerous weaknesses exist in the information security practices of many of the nonreporting state agencies that we surveyed and reviewed.
We surveyed 33 nonreporting entities from around the State and reviewed 10 of them in detail. To protect the State's information assets, we are not disclosing the names of the entities that we surveyed or reviewed. Instead, we assigned each of these entities a letter that we use throughout the report.
For example, 24 of the 33 nonreporting entities we surveyed indicated that they were only partially compliant with their selected information security standards. In addition, while those 24 had obtained information security assessments to identify deficiencies, some lack a framework to help them resolve the deficiencies. Moreover, because many of the assessments were limited in scope, we are concerned that nonreporting entities may be unaware of additional weaknesses in their information security.
Many Nonreporting Entities Identified Deficiencies in Their Information Security Programs
Our survey of nonreporting entities indicated that most of them are not adequately addressing information security. Twenty-nine of the 33 nonreporting entities we surveyed had obtained an information security assessment, and 24 learned they were only partially compliant with their selected standard, as shown in Figure 3. Of the remaining five nonreporting entities that conducted assessments, two were fully compliant and three were mostly compliant with their selected standard. The remaining four nonreporting entities had not performed an assessment, and in fact, three of them currently have no plans to proceed with an assessment. Without performing information security assessments, entities are likely unaware of whether their controls are implemented correctly and operating as intended.
The assessments of 21 nonreporting entities that were partially compliant with their selected standards identified high-risk deficiencies in their information security. Although the definition of high risk may vary among the information security standards used in performing a security assessment, risk is often calculated by considering threats or vulnerabilities and their associated impacts and likelihood of occurrence. For example, one entity failed to apply security updates to some of its devices, which poses the threat that known vulnerabilities in these devices could be exploited. Although nonreporting entities with partial compliance had high-risk deficiencies in various areas, the most common area was information security program management, that is, developing and maintaining an organizationwide program to protect information assets from identified risks. Findings within this area further highlight the weaknesses in the information security programs of nonreporting entities.
Figure 3
Entities' Compliance With Their Selected Standards
Source: Analysis of survey responses.
Some Nonreporting Entities Have Failed to Resolve Known Deficiencies
Despite being aware of significant deficiencies in their current information security programs, some nonreporting entities have been slow to address these weaknesses. Although two of the 24 nonreporting entities with partial compliance asserted that they had resolved the high-risk deficiencies identified in their most recent assessment, 11 entities stated that they would need another three years to resolve the deficiencies. In addition, when we followed up with a selection of the nonreporting entities, we found that some did not have an adequate process or time frame for resolving their deficiencies.
Some of the nonreporting entities we reviewed have failed to implement effective processes for prioritizing and tracking their remediation efforts. The technology department requires reporting entities to develop a plan of action and milestones for all security compliance deficiencies and for all significant information security risks that they cannot immediately address. Reporting entities use the plan of action and milestones to communicate details about remediating each deficiency to the technology department. Reporting entities are also typically required to provide quarterly updates to the technology department on their progress toward completion of the plans. However, because nonreporting entities are not subject to this requirement, some have chosen a more informal process for addressing their deficiencies.
For example, in December 2017, the military department identified 16 findings at Entity A. One of these findings noted that Entity A failed to change the default password for certain information security systems, which poses a significant threat of an attacker gaining unauthorized access to its network. Although the military department identified five top areas of significant concern for Entity A to address, as of March 2019, Entity A had not fully addressed any of those areas. Moreover, as of April 2019, nearly 16 months after Entity A received its independent information security assessment, it had yet to determine the scope, schedule, funding, and staffing required to implement the remediation strategy for some of its findings. By failing to identify a remediation strategy and by failing to perform a timely assessment of its resource needs to implement the strategy, Entity A risks further delays in resolving its outstanding deficiencies.
Another entity we reviewed has not adequately documented a plan for remediating its existing findings. Specifically, although Entity C has outstanding deficiencies dating back to 2013, as of April 2019, it had yet to develop a formal document for prioritizing and tracking the remediation of each of those deficiencies. Rather, Entity C shared with us various PowerPoint presentations it had delivered to its information technology executive committee to give its members an overall update on the status of each finding. However, these presentations do not consistently provide key details such as who is responsible for tracking each deficiency, the strategy for resolving the deficiency, and the target date for completion. Without a process for tracking their status, some of Entity C's deficiencies have remained outstanding for nearly six years. By not implementing timely remediation activities to address known weaknesses in their information security programs, nonreporting entities are failing to fully protect their information assets.
Many Nonreporting Entities Are Not Fully Assessing the Status of Their Information Security
The majority of nonreporting entities we reviewed have not taken steps to develop and document a comprehensive understanding of their information security status. This lack of understanding limits their assurance that they are properly protecting their information assets against unauthorized access, use, disclosure, disruption, modification, or destruction. For example, one of the 10 entities we reviewed has not adopted an information security standard and has never obtained an information security assessment. In addition, five of the 10 have only partially assessed their compliance with their selected information security standards. Although their previous assessments identified information security problems, none of these five entities have a plan or timeline for how they will routinely assess their compliance with the entirety of their standards. Until nonreporting entities ensure that they have achieved compliance with their selected information security standards, weaknesses in their controls may compromise the confidentiality, integrity, and availability of the information systems they use to carry out their day-to-day operations.
Although nonreporting entities are not required to follow the information security and privacy policies, standards, and procedures the technology department prescribes, nine of the 10 nonreporting entities we reviewed asserted that they relied upon various information security standards—which we found to be comparable to the technology department's standards—when developing their information security and privacy policies, plans, and procedures. However, as shown in Table 1, only six of the nonreporting entities had formally adopted the standards. Adopting standards facilitates a more consistent, comparable, and repeatable approach for securing state assets. Moreover, it creates a foundation from which standardized assessment methods and procedures may be used to measure security effectiveness.
We found that formally adopting information security standards correlated with more robust compliance reviews. Specifically, only four of the nonreporting entities we reviewed had fully assessed their compliance, and all four had formally adopted their selected information security standards. Accordingly, we conclude that adopting standards and performing comprehensive security assessments is a best practice for measuring the effectiveness of an information security program. In contrast, Entity D has neither adopted an information security standard nor performed any formal assessment of its information security status. Rather, it relies solely upon the professional judgment of its information technology manager to ensure the security of its information. Without an information security standard or comprehensive assessment of the standards, entities cannot ensure that they are effectively managing risk; providing for the protection of information assets; and preventing illegal activity, fraud, waste, and abuse in the use of their information assets.
Regardless of whether they have formally adopted information security standards, nine of the 10 nonreporting entities we reviewed indicated that they had performed a self-assessment or contracted with an independent entity to at least partially assess their compliance with their selected standards, as shown in Table 1. However, five of these assessments were limited in scope, and thus there may be additional existing weaknesses that nonreporting entities have yet to identify.
| Entity | Which standard did the entity use to develop its information security policies and procedures? | Did the entity formally adopt its selected standards? | How much of its selected standard has this entity assessed in the last three years? |
|---|---|---|---|
| A | SAM 5300 | NO X | Partial ▲ |
| B | NIST 800-53 and SAM 5300 | NO X | Partial ▲* |
| C | NIST 800-53 and SAM 5300 | NO X | Partial ▲ |
| D | No standard selected | NO X | NONE X |
| E | ISO/IEC 27000 family | YES ✔ | ALL ✔ |
| F | NIST 800-53 and SAM 5300 | YES ✔ | Partial ▲ |
| G | NIST 800-53 and SAM 5300 | YES ✔ | Partial ▲ |
| H | ISO/IEC 27000 family | YES ✔ | ALL ✔ |
| I | ISO/IEC 27000 family | YES ✔ | ALL ✔ |
| J | ISO/IEC 27000 family, NIST 800-53, and SAM 5300 | YES ✔ | ALL ✔ |
Source: Analysis of survey responses and documents obtained from the entities above.
✔ = Yes / all
X = No / none
▲ = Partial
* In response to our audit, Entity B decided to evaluate its compliance with the remaining requirements that its military department assessment did not cover.
Four of the 10 nonreporting entities we reviewed opted to participate in independent security assessments through the military department. As we mention in the Introduction, state law permits the military department to perform these independent security assessments, which provide a technical evaluation of a state entity's network and selected web applications to identify security vulnerabilities and provide concrete, implementable actions to reduce the possibility of damaging security breaches. The independent security assessments use a limited set of technical controls based on NIST 800-53 and SAM 5300, as selected by the technology department. Consequently, the military department assessment is not designed to evaluate the entity against the entirety of the information security standards it has selected. For example, the military department's assessment criteria do not address the control area of technology recovery. As discussed in Figure 2, technology recovery is the process of creating detailed plans for recovering critical information systems from unanticipated interruptions or disasters. Therefore, the military department assessment may not detect all of the weaknesses that exist in an entity's information security program.
During its review of the four nonreporting entities, the military department identified overall compliance scores ranging from a low of 47 percent to a high of 66 percent for the select requirements it evaluated. The military department also assessed the effectiveness of one entity's program for applying software security updates and concluded that its system security weaknesses were at extreme risk of known exploitation. Although these assessments demonstrate that there is room for improvement, there may be additional areas of noncompliance because the military department assessments look at only a portion of the required standards. For example, for three of the nonreporting entities we reviewed, the military department assessment is the only security assessment they have completed. Consequently, these three entities may have additional information security weaknesses of which they are currently unaware.
The four nonreporting entities that assessed all of their selected standards generally expect to receive security assessments every two to three years, while the six nonreporting entities that did not fully assess their security controls have not adequately planned for future assessments. For example, they do not have a written plan that specifies how they will fully assess their compliance with the requirements, such as who will perform the assessment, which requirements will be included in each assessment, and how frequently each requirement will be assessed. In July 2018, the military department performed an assessment of Entity B, which resulted in an overall compliance score of 59 percent and 13 findings of deficiency. We followed up with Entity B to see whether it had assessed its compliance with any of the information security controls that were not included in the military department assessment, and Entity B replied that it had not done so. However, in response to our audit, it decided to perform an internal assessment of the remaining controls and concluded that it was only 51 percent compliant with those controls. In the absence of robust compliance assessments, nonreporting entities lack assurance that their information security controls are implemented correctly, are operating as intended, and are meeting the security requirements.
Most Nonreporting Entities We Reviewed Lack an External Oversight Framework
The nonreporting entities we reviewed were typically responsible for establishing their own information security programs. As we discuss in the Introduction, state law does not apply the technology department's policies and procedures for information security to nonreporting entities. Specifically, state law requires reporting entities to comply with SAM 5300, which in turn requires them to obtain various assessments and to annually certify compliance with SAM 5300. However, nonreporting entities are not subject to these requirements. Nevertheless, Entity D could not demonstrate that it had ever performed a formal assessment of its information security status. Entity D asserted that it had adopted IT security policies, procedures, and methods consistent with generally accepted industry standards. However, it has not developed information security policies or procedures that can guide its information technology department on how to configure or assess its information systems. In addition, we noted that Entity B did not fully assess its selected information security standards until after we started our audit, which resulted in it identifying additional risks. Without assessing their compliance with security standards, nonreporting entities are likely unaware of the full extent of their information security weaknesses.
Most of the nonreporting entities we reviewed asserted that they did not have an external oversight framework that would require them to assess their information security regularly. However, we noted that those few nonreporting entities that were subject to such a requirement typically assessed more of their selected information security standards than those that had no such requirement. Specifically, three of the four reviewed entities that fully assessed their selected standards were also subject to an oversight framework that required them to assess their information security regularly. We also noted that some nonreporting entities with requirements to perform assessments generally established processes for following up on past findings. For example, Entity E is required to regularly obtain a comprehensive, external security assessment. We found that Entity E's information security assessments covered the entirety of its selected standards, and it asserts that it has resolved all of the issues identified by those assessments. In contrast, Entity A asserted that it does not have external oversight, and it has yet to fully resolve the top five areas of concern that the military department identified in 2017. Without the accountability that external oversight provides, nonreporting entities may be less likely to resolve information security issues in a timely manner.
These examples demonstrate the value of establishing an oversight framework for nonreporting entities. However, several nonreporting entities have previously expressed concern that reporting to the technology department would jeopardize their independence; therefore, the Legislature may be better positioned to oversee nonreporting entities. It could amend state law to provide a confidential mechanism for these entities to share highly sensitive information about their information security status.
Recommendations
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to do the following:
- Require all nonreporting entities to adopt information security standards comparable to SAM 5300.
- Require all nonreporting entities to obtain or perform comprehensive information security assessments no less frequently than every three years to determine compliance with the entirety of their adopted information security standards.
- Require all nonreporting entities to confidentially submit certifications of their compliance with their adopted standards to the Assembly Privacy and Consumer Protection Committee and, if applicable, to confidentially submit corrective action plans to address any outstanding deficiencies.
We conducted this audit under the authority vested in the California State Auditor by Government Code 8543 et seq. and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives specified in the Scope and Methodology section of the report. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Respectfully submitted,
ELAINE M. HOWLE, CPA
California State Auditor
Date: July 16, 2019