Skip Repetitive Navigation Links

Gaps in Oversight Contribute to Weaknesses in the State's Information Security
High Risk Update—Information Security

Report Number: 2018-611


Audit Highlights . . .

Our high risk audit regarding nonreporting entities' compliance with security standards revealed the following:

Results in Brief

Gaps in oversight weaken the State's efforts to keep its information secure. Although we previously found that the California Department of Technology (technology department) has made progress in its oversight since our initial 2013 assessment, and the state entities subject to its oversight have increased their compliance with established standards, state entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store. State law generally requires state entities within the executive branch under the Governor's direct authority (reporting entities) to comply with information security and privacy policies that the technology department prescribes. However, state law does not apply the technology department's policies and procedures to entities that fall outside of that authority (nonreporting entities).

We surveyed 33 nonreporting entities from around the State and reviewed 10 of them in detail. Most of the 33 surveyed entities asserted that they had selected one or more standards to use in developing their information security policies. In addition, 29 of the 33 entities said they performed a self-assessment or contracted with an independent assessor to evaluate their compliance with the specific standards they selected. However, 24 of the assessments concluded that the respective entities were only partially compliant. In addition, 21 of those assessments identified high-risk deficiencies.

The nonreporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope. For example, five of the 10 nonreporting entities we reviewed had assessed only a portion of their selected security standards, which limits their ability to identify potential vulnerabilities, and one had neither adopted any security standards nor performed any assessments. Although nonreporting entities are not subject to the technology department's policies and procedures, some are subject to an oversight framework that requires them to assess their information security regularly. This was the case for three of the four entities that had fully assessed their selected standards, leading us to conclude that external oversight improves a state entity's information security status. At the same time, nonreporting entities without external oversight that fail to routinely assess their level of compliance with adopted security standards and then fail to address identified deficiencies are placing some of the State's sensitive data at risk of unauthorized use, disclosure, or disruption.


To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to do the following:

Back to top