Report 2015-611 Recommendations

When an audit is completed and a report is issued, auditees must provide the State Auditor with information regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year. Additionally, Senate Bill 1452 (Chapter 452, Statutes of 2006) requires auditees who have not implemented recommendations after one year to report to us and to the Legislature why they have not implemented them or to state when they intend to implement them. Below is a listing of each recommendation the State Auditor made in the report referenced and a link to the most recent response from the auditee addressing its progress in implementing the recommendation, along with the State Auditor's assessment of the auditee's response based on our review of the supporting documentation.

In an effort to protect the State's information assets, we have chosen not to publicly disclose the names of reporting entities we reviewed. As a result, we are using a confidential process to follow up on our recommendations to these entities.

Recommendations in Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendations to the Legislature

1. To improve reporting entities' level of compliance with the State's security standards, the Legislature should consider mandating that the technology department conduct, or require to be conducted, an independent security assessment of each reporting entity at least every two years. This assessment should include specific recommendations, priorities, and time frames within which the reporting entity must address any deficiencies. If a third-party vendor conducts the independent security assessment, it should provide the results to the technology department and the reporting entity.
   Status: Legislation Enacted

2. To improve reporting entities' level of compliance with the State's security standards, the Legislature should consider authorizing the technology department to require the redirection of a reporting entity's legally available funds, subject to the California Department of Finance's approval, for the remediation of information security weaknesses.
   Status: No Action Taken
Recommendations to the California Department of Technology

3. To assist reporting entities in reaching full compliance with the security standards, the technology department should ensure the consistency and accuracy of its self-certification process by developing a self-assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards. The technology department should require reporting entities to submit completed self-assessments along with their self-certifications.
   Status: Fully Implemented

4. To assist reporting entities in reaching full compliance with the security standards, the technology department should provide more extensive guidance and training to reporting entities regarding the self-certification process, including training on how they should use the new self-assessment tool.
   Status: Fully Implemented

5. To assist reporting entities in reaching full compliance with the security standards, the technology department should develop internal policies and procedures to ensure that it reviews all reporting entities' self-assessments and self-certifications, including requiring supporting evidence of compliance when feasible.
   Status: Fully Implemented

6. To assist reporting entities in reaching full compliance with the security standards, the technology department should annually follow up on the remediation plans that reporting entities submit.
   Status: Fully Implemented

7. To provide effective oversight of reporting entities' information security, the technology department should expand on its pilot audit program by developing an ongoing risk-based audit program. If the technology department requests additional resources, it should fully support its request.
   Status: Fully Implemented

8. The technology department should revise its certification form to require reporting entities to submit detailed information about their compliance with the security standards. It should use this information to track and identify trends in the State's overall information security.
   Status: Fully Implemented

9. The technology department should develop policies and procedures to define the process and criteria it will use to incentivize entities' compliance with the security standards.
   Status: Fully Implemented

10. To improve the clarity of the security standards, the technology department should perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.
    Status: Fully Implemented

11. To improve the clarity of the security standards, the technology department should develop and regularly provide detailed training on the requirements of the security standards and on best practices for achieving compliance. It should provide these trainings in a variety of locations and formats, including webinars.
    Status: Fully Implemented