July 16, 2019
2018-611
The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814
Dear Governor and Legislative Leaders:
This report presents the results of our high risk audit regarding weaknesses in the State's information security. While we previously found that the California Department of Technology (technology department) has made strides toward improving its oversight, and the state entities it oversees have increased their compliance with established security standards, state entities that fall outside the technology department's purview need to do more to safeguard the information they collect, maintain, and store. State law generally requires state entities within the executive branch that are under the Governor's direct authority (reporting entities) to comply with the information security and privacy policies that the technology department prescribes and to annually report to the technology department on their compliance. However, state law does not apply the technology department's policies and procedures to entities that fall outside of that authority (nonreporting entities), such as constitutional offices and those in the judicial branch. Consequently, gaps in oversight have contributed to weaknesses in nonreporting entities' information security statuses.
We surveyed 33 nonreporting entities from around the State and reviewed 10 of them in detail. Twenty‑nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies. Further, nonreporting entities may be unaware of other information security weaknesses because many of them have relied upon assessments that were limited in scope. For example, five of the 10 nonreporting entities we reviewed had assessed only a portion of their selected standards, and one had neither adopted any standards nor performed any assessments.
Although nonreporting entities are not subject to the technology department's policies and procedures, some are subject to an oversight framework that requires them to assess their information security regularly. This was the case for three of the four entities that had fully assessed their selected standards, leading us to conclude that external oversight improves a state entity's information security status. Accordingly, we recommend that the Legislature amend state law to require all nonreporting entities to obtain or perform comprehensive information security assessments at least every three years and to confidentially submit certifications of their compliance to the Legislature.
Respectfully submitted,
ELAINE M. HOWLE, CPA
California State Auditor