Report 2014-120 All Recommendation Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation for Legislative Action

To ensure that the commission has the information it needs to better report on VoIP-related complaints, the Legislature should give the commission the authority to collect information from providers regarding their VoIP customers and require VoIP providers to furnish this information to the commission.

Description of Legislative Action

The Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Annual Follow-Up Status: No Action Taken


Description of Legislative Action

Legislation has not been introduced to address this specific recommendation.

California State Auditor's Assessment of Annual Follow-Up Status: No Action Taken


Description of Legislative Action

Legislation has not been introduced to address this recommendation.

California State Auditor's Assessment of 6-Month Status: No Action Taken


Recommendation #2 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update and provide further training to its staff on properly classifying complaints by September 30, 2015.

6-Month Agency Response

Revised all training materials related to coding and classification of complaints. Provided training for all branch staff using revised materials including guides on: general coding, non-jurisdictional coding and VoIP coding.

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch is in process of reviewing and refreshing all training materials related to coding and classification of complaints.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #3 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should continue to implement its quality management team program component focused on reviewing the categorization of complaints and correcting identified errors.

Annual Follow-Up Agency Response From October 2021

CPUC has established a Quality Assurance team for training staff and call monitoring to ensure accurate consumer complaint data. The Consumer Affairs Branch produces Quarterly reports regarding consumer complaints that are published on the CPUC's public web site.

California State Auditor's Assessment of Annual Follow-Up Status: Pending

CPUC has not demonstrated that it has addressed this recommendation. Specifically, it has not provided us with sufficient information to show how it reviews the team's categorization of complaints or the team's correction of identified errors.


Annual Follow-Up Agency Response From November 2020

Due to the loss of IT Resources assigned to higher priority CPUC projects, the timeline for completion has changed. Currently, development progress is at 90% complete. In order to complete the implementation of this recommendation, CPUC needs to finish the CIMS-QA Reports, Testing (unit testing, test scripts, and User Acceptance Testing (UAT)), Training, and User Guide.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2019

Updated 10/14/19 - Partially Implemented.

Due to the loss of IT Resources being assigned to higher priority CPUC projects, the timeline for completion has slipped. New IT Resources are being assigned to the project. A learning curve will be there for these new IT Resources. Development progress is at 57% currently. Remaining is finishing up the programming for the CIMS-QA code, Reports, Testing, UA

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2018

Although the project requirements and design phases were completed in 2017, the lack of IT resources in 2018 resulted in significant delays in automating and improving CIMS quality management processes. Specifically, the CPUC's IT Applications Programming staff only made limited progress in application development between January 2018 and July 2018 as staff resources were reassigned to higher priority CPUC projects. In addition, IT Project Management staff was replaced with new staff in June 2018. As a result of the delays, the contract for vendor resources also expired and the Branch is in the process of securing new vendor resources to complete technical manuals once project development and testing are complete. In August 2018, IT began shifting some IT Applications Program resources back to the Branch's project and correspondingly estimates that the project will be complete and the automation be in place in July 2019. As of September 30, 2018, the project is on track to meet July 2019 completion.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From November 2017

The Branch's Quality Management Team (QMT) program is on-going. As outlined in the response to Recommendation #4, the QMT team's expertise was utilized in 2017 to staff an ongoing project to automate portions of the quality assurance functions within the Consumer Information Management System (CIMS) database. The Branch was not successful in securing approval for personnel classifications better able to perform the higher level analysis necessary to ensure quality management.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2016

The Branch's Quality Management Team (QMT) program is on-going. As outlined in CPUC's response to Audit Recommendation #4, CAB's multi-year QMT plan has been updated to reflect progress on improvements to the quality assurance processes as well as automation of those processes. A further component of the QMT plan is to pursue resources and approval for personnel classifications better able to perform the higher level analysis necessary to ensure quality management. The appropriate personnel classification for performing such work is a Public Utilities Regulatory Analyst ranging from level 1 to level 3 depending on the complexity of specific case assignments.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

The Branch's quality management team program has established an on-going program. This program was outlined in CPUC's response to Audit Recommendation #4; a multi-year plan is being developed to improve quality assurance processes and increase automation of those processes.

California State Auditor's Assessment of 1-Year Status: Pending

CPUC staff indicate that its Quality Management Team project plan will be complete in September 2016.


6-Month Agency Response

Branch has enhanced its technological capability with regard to reviewing case attributes in the quality management team (QMT) process. Specifically, branch has enhanced the data query tools in CIMS to allow for systematic retrieval and review of all attribute coding associated with any case record.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch is continuing ongoing efforts to make its quality management team more effective in ensuring that coding errors are identified and addressed.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #4 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should develop and implement tools by September 30, 2015, to measure the quality management team program's effectiveness.

Annual Follow-Up Agency Response From October 2021

The Quality Management Team (QMT) supervisor produces a QMT report every two weeks that identifies the most common errors when processing a written complaint case. The QMT reports are also used to facilitate discussions at team meetings to ensure consistency. The Quality Management Team (QMT) is comprised of Consumer Affairs Representatives that ensure accuracy by performing a review of the coding (e.g., categorizing and attributes) for all written cases. Additionally, a Quality Assurance Unit (QAU) was established that currently focuses on internal unit training and overseeing the call monitoring quality program. The QAU also uses the QMT reports to facilitate internal trainings as needed.

California State Auditor's Assessment of Annual Follow-Up Status: Pending

CPUC provided data addressing complaints for a two-week period that were reviewed by QMT supervisors, but it did not demonstrate how it was measuring the degree to which these reviews improved the quality of data collection over time. CPUC indicated that it has a quality assurance project underway that will produce automated reporting of the QMT's efforts and effectiveness. It expects to implement the project in the second quarter of 2022.


Annual Follow-Up Agency Response From November 2020

Due to the loss of IT Resources assigned to higher priority CPUC projects, the timeline for completion has changed. Currently, development progress is at 90% complete. In order to complete the implementation of this recommendation, CPUC needs to finish the CIMS-QA Reports, Testing (unit testing, test scripts, and User Acceptance Testing (UAT)), Training, and User Guide.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2019

Updated 10/14/19 - Partially Implemented.

Due to the loss of IT Resources being assigned to higher priority CPUC projects, the timeline for completion has slipped. New IT Resources are being assigned to the project. A learning curve will be there for these new IT Resources. Development progress is at 57% currently. Remaining is finishing up the programming for the CIMS-QA code, Reports, Testing, UAT.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2018

Although the project requirements and design phases were completed in 2017, the lack of IT resources in 2018 resulted in significant delays in automating and improving CIMS quality management processes. Specifically, the CPUC's IT Applications Programming staff only made limited progress in application development between January 2018 and July 2018 as staff resources were reassigned to higher priority CPUC projects. In addition, IT Project Management staff was replaced with new staff in June 2018. As a result of the delays, the contract for vendor resources also expired and the Branch is in the process of securing new vendor resources to complete technical manuals once project development and testing are complete. In August 2018, IT began shifting some IT Applications Program resources back to the Branch's project and correspondingly estimates that the project will be complete and the automation be in place in July 2019. As of September 30, 2018, the project is on track to meet July 2019 completion.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From November 2017

In 2017, the Branch has secured resources to automate and improve parts of the quality management processes within the CIMS database. Resources include the CPUC's IT Applications Programming and Project Management units as well as a vendor specializing in business analysis. The project was chartered on 11/09/2016 by the CPUC as the "Consumer Information Management System - Audit Response Mitigation for Quality Assurance". The project was approved by the California Department of Technology in a Stage 1 Business Analysis on 01/23/2017. (Public Utilities Commission (8660): 8660-082 CIMS Audit Response Mitigation for Quality Assurance) The project requirements and design phases were approved on 03/17/2017 and 07/05/2017, respectively. The applications development was initiated on 08/14/2017. It is estimated that the project will complete and the automation be in place in mid-2018.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2016

The Branch has updated its plan to measure and improve the effectiveness of its quality management team (see attached "CAB Quality Management Team Enhancement Plan"). As described in the plan, the Branch has completed the quality management process analysis described as Phase I. In Phase II, the Branch has begun to analyze baseline measures of its processes. That analysis has been completed for 2013-14 and 2014-15; it is anticipated that the analysis for 2015-16 will be completed in late 2016. Moreover, the Branch is actively pursuing a project to automate and improve parts of the quality management processes (Phases III and IV). As noted in the prior audit status responses, these process improvements will require resources from outside of the Branch, including support from the CPUC's IT unit and the database vendor, as well as additional staffing resources for CAB to ensure optimal quality management. To that end, the Branch's project request to build a database module to automate quality management processes was updated and approved in August 2016. The Branch began work in September 2016 securing funding to use a vendor to create a business analysis for the project. As of September 28, 2016, the Branch received budget approval to move forward with the project. It is anticipated that the project will begin in November 2016, with an estimated duration of six to nine months.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

The Branch has created a draft plan to measure and improve the effectiveness of its quality management team. As part of the draft plan, the Branch has begun to analyze baseline measures of its process. The Branch continues to research the feasibility of automating parts of the quality management processes and continues to research the ability of its database to create multiple alerts to enable case progress to be better measured. Preliminary findings are that the process improvements will require resources from outside of the Branch, including support from CPUC IT and the database vendor.

California State Auditor's Assessment of 1-Year Status: Pending


6-Month Agency Response

Branch has analyzed current QMT processes and is researching the feasibility of automating parts of the processes. Preliminary findings are that process improvements will require resources from outside of the branch, including support from CPUC IT and the CIMS database vendor. Current estimates are that IT resources will not be available until early to mid-2016.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch is working with IT to expand its measurement capabilities in CIMS to assist in quality management team efforts.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #5 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update by June 30, 2015, its guidance for categorizing complaints to better integrate with the BRM. For example, the guidance should specify that nonjurisdictional complaints should be classified as such.

6-Month Agency Response

With assistance of CPUC Legal Division, branch revised the Non-Jurisdictional Job Aid and consumer assistance letters. Branch also revised the BRM coding guides and integrated into training materials. Branch delivered training to all staff, using revised materials, on the following: general coding, non-jurisdictional coding, and VoIP coding.

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch has initiated review of the Non-Jurisdictional Job Aid including engaging the Legal Division for guidance. Guidance will be updated by June 30, 2015. Guidance will be integrated into general coding training on or before September 30, 2015.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #6 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to more complete and meaningful consumer complaints data in CIMS, the branch should, to the fullest extent possible, include the attributes of each complaint in the data it records in CIMS.

Annual Follow-Up Agency Response From October 2016

The Branch is providing a sample data set for the period August 1, 2016 to September 16, 2016 of written telecommunications complaints. This data includes attributes associated with each complaint in CIMS in compliance with Recommendation #6 for the Branch to include attributes, to the fullest extent possible, in each case record. For each case the following information is provided:

- CIMS case number

- Date case was received

- Category

- Primary Subcategory

- Associated Attributes

- Comments

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

Data provided by CPUC shows a substantial decrease in the percentage of complaints coded without any attribute data, from immediately after it provided training to its staff in late 2015 to late 2016.


1-Year Agency Response

The Branch provided case statistical data to the CA State Auditor on November 19, 2015, and met via phone conference on January 8, 2016, to discuss the recommendation and data that the Branch provided. The Branch has utilized attributes to the fullest extent possible, where appropriate, in complaint case coding. In certain of the Branch's processes, including LifeLine Appeals, attributes do not provide additional benefit in case processing or provide additional information to policy makers, enforcement officials and the general public. The Branch continues to work with relevant stakeholders to ensure the data collected under the current coding scheme is relevant and useful.

California State Auditor's Assessment of 1-Year Status: Pending

The complaint data that the commission provided in November 2015 does not show an appreciable difference in the percentage of complaints that include attribute data that it coded before the September 2015 training when compared to complaints coded after the training. We will reassess at the next annual review.


6-Month Agency Response

Branch delivered training to all staff, using revised materials, on the following: general coding, non-jurisdictional coding, and VoIP coding. All training modules now contain specific guidance for using attributes and comments.

Branch enhanced its technological capability with regard to coding case attributes and accompanying QMT processes. Specifically, branch has created enhanced data query tools in CIMS to allow for systematic retrieval and review of all attribute coding associated with any case record.

California State Auditor's Assessment of 6-Month Status: Pending

Our assessment of complaints received by the commission after its September 2015 training revealed that the data do not yet support that the commission is including the attributes of each complaint in the data it records in CIMS. We will reassess in April 2016 at the one-year review.


60-Day Agency Response

Branch is reviewing and refreshing all training materials and Job Aids to reinforce the use of attributes where applicable. Training materials are on schedule to be delivered with general coding training on or before September 30, 2015.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #7 To: Public Utilities Commission

To ensure that branch staff provide the appropriate assistance to consumers with VoIP-related complaints, the branch should, by September 30, 2015, further train its staff on the requirements of the VoIP job aid and on providing correspondence to complainants as its guidelines require.

6-Month Agency Response

With assistance of CPUC Legal Division, branch revised the VoIP Job Aid and consumer letters. Branch also created a "quick resource guide" that presents a graphic overview of VoIP processes for staff to refer to for coding and processing assistance. Branch delivered training to all branch staff, using revised materials, on VoIP coding including enhanced use of attributes and comments.

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch met with the Communications Division to request their assistance in better identifying VoIP providers. Branch met with the Legal Division for assistance with correspondence to be used for VoIP. Further staff training on the requirements of the VoIP job aid is on schedule to be delivered in parallel with general coding training on or before September 30, 2015.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #8 To: Public Utilities Commission

To ensure that consumers have access to complaint data that will enhance their ability to make informed choices about their telecommunication services, the branch should, by June 30, 2015, create an updated plan that specifies the types of data the branch intends to post online and a timeline for fully implementing that plan.

6-Month Agency Response

Branch updated plan, with appropriate approvals, for data posting online and with a revised schedule.

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch is in the process of updating data posting plan. Plan is on schedule to be completed with appropriate approvals on or before June 30, 2015.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #9 To: Public Utilities Commission

To ensure that it can assess the value to the public of the complaint data it presents on its website, the branch should create a process for those who view its complaint data to provide feedback to the branch including, if necessary, modifying the survey that it uses to collect feedback on LEP data.

1-Year Agency Response

The Branch worked with the CPUC's web team to establish a link to an expanded survey for feedback for all of the Branch's data including limited-English proficiency data. The link can be found by going to the CPUC homepage http://www.cpuc.ca.gov/default.aspx and scrolling down to section labeled, "How Do I.." and clicking on "Find Consumer Contacts Statistics". On the CAB Consumer Statistics page, in the fourth paragraph, select "Data Feedback Survey" to complete the form. Information from the survey is automatically emailed to the Branch.

California State Auditor's Assessment of 1-Year Status: Fully Implemented


6-Month Agency Response

CPUC website redesign work is in progress with a projected go-live date before the end of 2015. Feedback solutions are being explored with CPUC web team for all branch data including LEP.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch has engaged in the CPUC website redesign project and has met with the Executive Division, IT and IT's contractor. Branch is part of the team tasked with updating the CPUC's Consumer Information Center on the website. As part of this effort, Branch is exploring use of social media with web design team as a means for gathering feedback.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #10 To: Public Utilities Commission

To ensure that the public can easily locate customer complaint data the branch publishes on its website, the commission should make navigating to its customer complaint data more intuitive and direct.

1-Year Agency Response

CPUC Website design was completed and the new webpages went live on January 11, 2016. Navigation to consumer complaint data can now be completed in one click. All of the Branch's data including consumer contact data regarding complaints and inquiries, limited-English-proficiency contacts data and LifeLine data is consolidated in one webpage at http://cpuc.ca.gov/General.aspx?id=5400. On the CPUC homepage http://cpuc.ca.gov/default.aspx scroll down to the section labeled, "How Do I..." and click on "Find Consumer Contacts Statistics".

California State Auditor's Assessment of 1-Year Status: Fully Implemented


6-Month Agency Response

CPUC website redesign work is in progress with go-live date before the end of 2015. Navigation solutions are being explored with CPUC web team including designing links to CAB data to enhance the ability to locate the data with one "click" from the homepage.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch has engaged in the CPUC website redesign project and has met with the Executive Division, IT and IT's contractor. Branch is part of the team tasked with updating the CPUC's Consumer Information Center on the website. As part of this effort, Branch is exploring navigation to its data with the web design team.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #11 To: Public Utilities Commission

The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.

Annual Follow-Up Agency Response From October 2021

The California Public Utilities Commission (CPUC) continues to work on addressing SAM 5300 compliance requirements.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2020

The Commission continues to work on addressing SAM 5300 compliance requirements.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2019

Partially Implemented, this information was updated 10/11/2019

- 0 Non-compliant

- 11 Partially compliant

- 32 Mostly compliant

- 21 Fully compliant

Estimated completion date: Dec 2020

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

The updated SAM 5300 Compliance spreadsheet as of 10/02/18 is attached with 16 Fully Compliant, 29 Mostly Compliant and 19 Partially Compliant.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2017

The updated information as of 11/07/17; please see attached document

- 0 Non-compliant

- 17 Partially compliant

- 31 Mostly Compliant

- 17 Fully Compliant

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work on completion of policy requirements in SAM Chapter 5300. The Commission has been given positions and plans on hiring employees to assist with the development of policies.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has hired consultants to assist with ensuring compliance of all requirements as stated in SAM Chapter 5300. CPUC has managed to prepare the Information Asset Report and the Information Security Assessment. The Risk Management Plan is due to be complete by April 15th and the Business Continuity Plan is expected on April 30

California State Auditor's Assessment of 1-Year Status: Partially Implemented

When we followed up with the commission to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of SAM Chapter 5300 (security standards). However, we found that the commission significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the commission about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of security standards when it provided the April 2016 status update. However, the commission explained that as a result of our follow up work, it now believes it has a much more clear understanding of the requirements. The commission also cited limited staff resources as a barrier to its ability to achieve full compliance with security standards. According to the commission, it recently received authorization to hire two more individuals to its information security team. As of August 2016, the commission asserted it was actively trying to fill these two positions. Nonetheless, the commission estimates that it will not achieve full compliance with security standards until December 2019.


6-Month Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #12 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should complete and maintain an inventory of all its information assets, specifically categorizing the level of required security of the information assets based on the potential impact that a loss of confidentiality, integrity, or availability of such information would have on its operations and assets.

Annual Follow-Up Agency Response From October 2018

A combined and updated spreadsheet including all Information assets is attached.

CPUC is in the process of updating Information Asset Risk Report. CPUC is in the process of working with divisions to identify locations for different types of data in order to complete data location inventory. CPUC has deployed DLP and is in the process of configuring the network monitor component of DLP.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

Inventory of information assets and classification attached. CPUC is in the process of deploying a Data Loss Prevention solution that will allow CPUC to protect data at rest and in motion.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission has performed a partial inventory on information assets and plans on fulfilling this requirement with the addition of staff.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC's consultants have completed their entity-wide Information Asset Report.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

CPUC has external resources working with CPUC staff and is in the process of developing an Information Security document along with an inventory for information assets.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Plan to allocate resources to complete these tasks during this year.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #13 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop a risk management and privacy plan and conduct an assessment of risks facing its information assets.

Annual Follow-Up Agency Response From November 2020

Since 2018, ITSD has participated in regular, ongoing enterprise risk assessments facilitated by the Commission's Risk and Compliance Branch, where ITSD reviews the risks facing its information assets. In addition, the IT Risk and Governance committee, established in 08/2020, meets quarterly to review information security risks and the status of remediation efforts. The Commission's Information Privacy and Security Plan was updated in 2019.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From October 2019

Partially Implemented

Risk Assessment checklist completed annually starting 2018. Information Privacy and Security Plan updated. Risk Assessment and IT Governance committee established and scheduled to meet quarterly.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

"CPUC has developed Risk assessment policy and completed internal Risk Assessment Checklist based on CDT template.

As per Office of Information Security, CPUC has uploaded mission critical systems information to CalCSIRS for risk assessment."

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Although CPUC has developed a Risk Assessment Policy, it has not yet conducted an assessment of its risks.


Annual Follow-Up Agency Response From November 2017

CPUC will be undergoing an information security risk assessment in Nov/Dec 2017 conducted by the CA Military Dept. Establishing/implementing a formal risk Mgmt program/process is planned for the near future (estimated for 2018).

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to develop an entity-wide risk assessment plan and privacy plan with the addition of staff.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC consultants have been assisting with the risk management plan and it is on track to be finalized by April 15, 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

CPUC has awarded a contract to a vendor and the consultants are working with CPUC staff.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

RFO released to conduct security assessment, attended privacy training.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #14 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop, implement, and maintain an information security plan as part of its entitywide information security program.

Annual Follow-Up Agency Response From October 2018

Information security plan is complete; please see attached copy. Information Security Policies are updated as per OIS templates.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

In progress. CPUC has developed a master written Information Security Policy along with 20 sub-policies addressing specific areas as recommended by NIST and CDT; please see attached documents.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to implement an information security program with the addition of staff.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has completed the Information Security Assessment and has performed a vulnerability scan and penetration testing to determine areas of risk. Remediation from these scans and the assessment is ongoing.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

Security plan development is in progress.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Security plan development is in progress.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #15 To: Public Utilities Commission

The commission should develop, disseminate, and maintain an incident response plan.

Annual Follow-Up Agency Response From November 2017

Completed and updated earlier this year

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From October 2016

The Commission has developed a draft incident plan but continues to work towards a final version.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has finalized the Incident Response Plan.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

Incident response plan development in progress; initial document draft completed and is being reviewed.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Incident response plan development in progress.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #16 To: Public Utilities Commission

The commission should revise its existing recovery plan to include a list of applications supporting critical business functions, their maximum acceptable outage time frames, and detailed recovery strategies for each application.

Annual Follow-Up Agency Response From October 2021

The California Public Utilities Commission (CPUC) is in the process of conducting a Business Impact Analysis (BIA) to identify Mission Essential Functions (MEF). Determination of MEFs will outline Mission Critical Systems along with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Appropriate recovery plans will be updated from the results of the BIA.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2020

The California Public Utilities Commission (CPUC) is in the process of relocating information systems resources to California Department of Technology data center. Once migration is complete, CPUC will develop recovery plans to support critical business functions.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2019

Partially Implemented

Technology Recovery Plan updated as per the latest template from CDT and submitted to CDT, Jan 2019. Technology recovery plan testing for two mission critical systems completed.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

CPUC is in the process of updating technology recovery plans as per the new template from Office of Information Security to include separate information system recovery plans for mission critical systems; due date January 31st, 2019.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2017

Updated technology recovery plan was submitted to CDT Office of Information Security. CPUC is currently in the process of updating this plan to address the infrastructure changes.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission has developed some of the recovery plan and continues to work on this to address all of the requirements needed.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

Critical business outage time frame and recovery strategies for applications will be addressed in the form of Business Continuity plan as a subset of security assessment. The consultants and CPUC staff are meeting with business divisions to collect pertinent information.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Critical business outage time frame and recovery strategies for applications will be addressed in the form of Business Continuity plan as a subset of security assessment.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #17 To: Public Utilities Commission

The commission should revise its existing recovery plan to include detailed procedures for rebuilding its technology infrastructure at an alternate processing site.

Annual Follow-Up Agency Response From October 2021

The California Public Utilities Commission (CPUC) has completed migration of all systems to Gold Camp Data Center using new updated hardware, including storage and servers. CPUC has updated Data backup recovery solution which provides complete backup coverage of all systems data. CPUC is also in the process of conducting business impact analysis (BIA) and upon completion this will provide the guidance for an alternate processing site.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2020

The California Public Utilities Commission (CPUC) is in the process of relocating Information System resources to California Department of Technology data center. Once the migration of these systems is complete, CPUC will revise existing plans and procedures along with identifying alternate processing sites as needed.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2019

Updated 10/14/19 - Partially Implemented

Business continuity plan and TRP updated; email failover is managed through CDT contract with Microsoft. New ISRPs developed and tested for Public Facing Websites and Remote Access. Content Server ISRP and testing on hold pending current OS and Software version upgrades and procurement of additional hosting resources; estimated completion June 2020. Oracle Application Portal ISRP and testing on hold pending completion of migration from SF data-center to Gold Camp and procurement of additional hosting resources; estimated completion December 2020.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

CPUC is in the process of updating the business continuity plan; tentative completion Jan 2019.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2017

CPUC is in the process of revising and updating the Business continuity plan to incorporate the infrastructure changes.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to improve the recovery plan with detailed procedures for rebuilding its technology infrastructure.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

Recovery plan updates will be addressed in Business continuity plan as a subset of Security assessment. Contract has been awarded and CPUC staff is working with consultants.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Recovery plan updates will be addressed in Business continuity plan as a subset of Security assessment (RFO was released).

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #18 To: Public Utilities Commission

The commission should conduct regular tests and exercises to assess the sufficiency of the revised recovery plan and refine the plan when necessary.

Annual Follow-Up Agency Response From October 2021

The California Public Utilities Commission (CPUC) has migrated all systems to Gold Camp Data Center using new updated hardware, including storage and servers. Business Impact Analysis (BIA) is in progress to identify Mission Essential Functions (MEF). Determination of MEFs will outline Mission Critical Systems. Once Mission Essential Systems are identified, CPUC will update Technology recovery plans and will develop a process to test effectiveness of technology recovery plans.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2020

The California Public Utilities Commission (CPUC) is in the process of relocating Information system resources to the California Department of Technology data center. Once this move is completed, CPUC will update the technology recovery plan and schedule exercises to test the effectiveness of the updated plans.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2019

Update: 10/14/19 - Partially Implemented

Failover testing for the public website was successfully completed on 7/21/2019, and remote access is tested monthly during monthly Preventative Maintenance. Content Server failover testing to be completed by 6/30/2020 and Oracle Application Portal failover testing to be completed by 12/31/2020.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

"Successful testing to recover Public Website, Content Server and SharePoint was conducted this year.

Since the migration of email to Office 365 is done, CPUC needs to work with Microsoft for failover recovery in cloud."

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

In its response to Recommendations 16 and 17, CPUC stated that it is continuing to develop a revised recovery plan. Although CPUC asserts that it has performed testing to recover its website, server, and SharePoint, it cannot fully test its recovery plan until it finalizes the plan.


Annual Follow-Up Agency Response From November 2017

CPUC public web site recovery to alternate site was successfully tested. Email environment is in the process of being migrated to Office 365.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

The CPUC has tested only a portion of its recovery plan.


Annual Follow-Up Agency Response From October 2016

The Commission will develop a plan for testing once the recovery plan is completed.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow-up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

This will be scheduled after recovery plan is updated.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

This will be scheduled after recovery plan is updated.

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #19 To: Public Utilities Commission

The commission should ensure that any certifications it submits to CalTech accurately represent its information security environment.

60-Day Agency Response

Modified internal certification process.

California State Auditor's Assessment of 60-Day Status: Fully Implemented

To address the California State Auditor's recommendation that it ensure that any certifications it submits to California Department of Technology (CalTech) accurately represent its information security environment, the California Public Utilities Commission (CPUC) has created a new policy that modifies its existing internal certification process. The new policy requires all certification documentation submitted to CalTech to be reviewed by a CPUC internal committee consisting of the manager of the Information Technology Unit, the Information Security Officer, and the Chief Information Officer. After the initial review and approval by the committee, the certification documentation will be sent to the Executive Director or designee for final sign off.


Agency responses received are posted verbatim.