Report 2014-120 Recommendation 11 Responses
Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)
Recommendation #11 To: Public Utilities Commission
The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.
Annual Follow-Up Agency Response From October 2021
The California Public Utilities Commission (CPUC) continues to work on addressing SAM 5300 compliance requirements.
- Estimated Completion Date: 12/31/2022
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From November 2020
The Commission continues to work on addressing SAM 5300 compliance requirements.
- Estimated Completion Date: 12/31/2021
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2019
Partially Implemented, this information was updated 10/11/2019
0 Non-compliant
11- Partially compliant
32 - Mostly compliant
21- Fully compliant
Estimated completion date: Dec 2020
- Estimated Completion Date: 12/31/2020
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2018
The updated SAM 5300 Compliance spreadsheet as of 10/02/18 is attached with 16 Fully Compliant, 29 Mostly Compliant and 19 Partially Compliant.
- Estimated Completion Date: 10/2019
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From November 2017
The updated information as of 11/07/17, please attached document
-0 Non-compliant
-17 Partially compliant
-31 Mostly Compliant
-17 Fully Compliant
- Estimated Completion Date: 6/30/2020
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2016
The Commission continues to work on completion of policy requirements in SAM Chapter 5300. The Commission has been given positions and plans on hiring employees to assist with the development of policies.
- Estimated Completion Date: 12/30/2018
California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented
1-Year Agency Response
CPUC has hired consultants to assist with ensuring compliance of all requirements as stated in SAM Chapter 5300. CPUC has managed to prepare the Information Asset Report and the Information Security Assessment. The Risk Management Plan is due to be complete by April 15th and the Business Continuity Plan is expected on April 30
- Estimated Completion Date: 5/2016
- Response Date: April 2016
California State Auditor's Assessment of 1-Year Status: Partially Implemented
When we followed up with the commission to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of SAM Chapter 5300 (security standards). However, we found that the commission significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the commission about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of security standards when it provided the April 2016 status update. However, the commission explained that as a result of our follow up work, it now believes it has a much more clear understanding of the requirements. The commission also cited limited staff resources as a barrier to its ability to achieve full compliance with security standards. According to the commission, it recently received authorization to hire two more individuals to its information security team. As of August 2016, the commission asserted it was actively trying to fill these two positions. Nonetheless, the commission estimates that it will not achieve full compliance with security standards until December 2019.
6-Month Agency Response
As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.
- Estimated Completion Date: Ongoing implementation.
- Response Date: October 2015
California State Auditor's Assessment of 6-Month Status: Pending
60-Day Agency Response
As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.
- Estimated Completion Date: April 2016
- Response Date: July 2015
California State Auditor's Assessment of 60-Day Status: Pending
All Recommendations in 2014-120
Agency responses received are posted verbatim.