Report 2014-120 Recommendation 13 Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation #13 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop a risk management and privacy plan and conduct an assessment of risks facing its information assets.

Annual Follow-Up Agency Response From November 2020

Since 2018, ITSD has participated in regular, ongoing enterprise risk assessments facilitated by the Commission's Risk and Compliance Branch, where ITSD reviews the risks facing its information assets. In addition, the IT Risk and Governance committee, established in 08/2020, meets quarterly to review information security risks and the status of remediation efforts. The Commission's Information Privacy and Security Plan was updated in 2019.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From October 2019

Partially Implemented

Risk Assessment checklist completed annually starting 2018. Information Privacy and Security Plan updated. Risk Assessment and IT Governance committee established and scheduled to meet quarterly.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

CPUC has developed Risk assessment policy and completed internal Risk Assessment Checklist based on CDT template.

As per Office of Information Security, CPUC has uploaded mission critical systems information to CalCSIRS for risk assessment.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Although CPUC has developed a Risk Assessment Policy, it has not yet conducted an assessment of its risks.


Annual Follow-Up Agency Response From November 2017

CPUC will be undergoing an information security risk assessment in Nov/Dec 2017 conducted by the CA Military Dept. Establishing/implementing a formal risk Mgmt program/process is planned for the near future (estimated for 2018).

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to develop an entitywide risk assessment plan and privacy plan with the addition of staff.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC consultants have been assisting with the risk management plan and it is on track to be finalized by April 15, 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

CPUC has awarded a contract to a vendor and the consultants are working with CPUC staff.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

RFO released to conduct security assessment, attended privacy training.

California State Auditor's Assessment of 60-Day Status: Pending


Agency responses received are posted verbatim.