Report 2015-302 Recommendation 2 Responses

Report 2015-302: Judicial Branch Procurement: Although the Judicial Council Needs to Strengthen Controls Over Its Information Systems, Its Procurement Practices Generally Comply With Applicable Requirements (Release Date: December 2015)

Recommendation #2 To: Judicial Council of California

The Judicial Council should develop a corrective action plan by February 29, 2016 to address the recommendation from our December 2013 audit report related to the controls over its information systems. The corrective action plan should include prioritizing the tasks, resources, primary and alternative funding sources, and milestones for all of the actions required to fully implement its framework of information system controls by June 2016. Further, the Judicial Council should continue to provide guidance and routinely follow up with the superior courts to assist with their effort to make the necessary improvements to their information system controls.

Annual Follow-Up Agency Response From October 2018

Efforts to finalize the current revision cycle of the Judicial Branch framework of information systems controls are nearing completion; since the previous update, the revised framework has been reviewed by the Information Technology Advisory Committee (ITAC) at their August 27 meeting, and the Judicial Council Technology Committee (JCTC) at their September 15 and October 15 meetings. The enclosed attachment includes various agendas from these open meetings that demonstrate the judicial branch's continued focus on this topic. The revised framework is currently on the agenda for the Judicial Council's November 29 meeting where a vote for ratification is scheduled to occur. The Judicial Council's information security controls and related framework are by nature confidential documents, but the State Auditor is welcome to review them at any time by visiting the Judicial Council's offices. Finally, Judicial Council IT staff are preparing updates to its internal policy manual and disaster recovery plan with completion anticipated by November 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

We visited the Judicial Council's offices and reviewed the documents referred to in the Judicial Council's response. Based on this review, we believe the Judicial Council has created and continues to update the framework of information system controls we recommended. Further, the Judicial Council appears to be regularly providing guidance to the superior courts related to their information system controls. Consequently, we consider this recommendation fully implemented.

Annual Follow-Up Agency Response From July 2017

Work to perform a periodic review and update of the Judicial Branch framework of information security controls is currently underway, and we expect to complete this project by January 2018. In compliance with the framework, an IT operational risk assessment has been kicked off for fiscal year 17-18 using an independent third party. Additionally, focus on disaster recovery and contingency planning continues, with a review and refresh of the Judicial Council's internal disaster recovery plan underway and with a proposed disaster recovery framework developed and published to court CIOs for review and feedback, as well. Further, although we issued a solicitation to retain a specialist that could address the subject of data classification, we received no responses. As a result, the Judicial Council is looking at alternate means to accomplish this objective. Also underway is a periodic review and update of the Judicial Council's internal information technology policy manual. We anticipate completing this project by January 2018. Finally, we are continuing our recruiting efforts to fill the previously approved information technology security resources.

California State Auditor's Assessment of Annual Follow-Up Status: Pending

1-Year Agency Response

The Judicial Council of California (Judicial Council) has expanded remediation efforts to include an active focus on resources and staffing. This includes the appointment of a new Chief Information Officer in November 2016, and a new Chief Administrative Officer in December 2016, the latter of which is responsible for oversight of the Information Technology Office. Additionally, the Judicial Council Information Technology Office has established the internal management structure to accommodate the creation of an information security unit, and is now ready to recruit for the positions authorized in the budget change proposal (BCP) approved by the Governor in June. Outreach to the trial courts continues with a current focus on disaster recovery, and with the assistance of the Los Angeles Superior Court, the launch of an initiative to establish an information technology security community among court IT professionals. The intent in establishing this community is to raise visibility and awareness, and to improve communications at the branch level. During this period, the Judicial Council network infrastructure upgrades defined in the BCP have been implemented, and the annual disaster recovery test of the California Courts Technology Center was successfully completed.

California State Auditor's Assessment of 1-Year Status: Pending

6-Month Agency Response

A corrective action plan was completed and submitted on the February 29 due date. This corrective action plan addressed the necessary information security areas and various components including a risk assessment and programs to address security incident responses, disaster recovery, and data classification. As noted in previous responses, a BCP that was submitted to provide funding for key components of the plan has been included in the Governor's budget that was submitted to the legislature, receiving an affirmative vote in the Senate Budget Subcommittee Hearing on May 5, 2016. Once the final budget is approved that includes the funding, a review and assessment of the plan components and timeline will occur.

Judicial Council staff continues to collaborate on information security activities with court IT managers, the Court Executive Advisory Committee, and Trial Court Presiding Judges Advisory Committee as well as judicial council information technology committees. Additionally, information security resources continue to be placed on the Judicial Resource Network extranet.

California State Auditor's Assessment of 6-Month Status: Partially Implemented

The Judicial Council has apparently made some progress in implementing this recommendation. However, as indicated in its response, the Judicial Council will reassess its corrective action plan based on the approved budget.

60-Day Agency Response

Development of the corrective action plan is underway, and will be completed by the February 29 due date. Currently, the BCP that was submitted to provide funding for key components of the plan has been included in the Governor's budget that was submitted to the legislature; however, contingencies are still being reviewed and considered in the event that the funding is not approved in the final budget. The Judicial Council continues to be actively involved with trial court efforts to adopt and implement a standardized framework of information systems controls. Working in partnership with the Judicial Council, a working group of court IT managers developed a security framework implementation guide which was reviewed in the December 2015 meeting of the Judicial Council, ratified for use, and subsequently presented to all trial court presiding judges and court executive officers at their joint statewide business meeting in January 2016. In addition, the Judicial Council has updated the Judicial Resource Network extranet to include a new section on information technology security, which contains our standardized security framework template and the newly released implementation guide. This resource will continue to grow and evolve as efforts in this area continue.

California State Auditor's Assessment of 60-Day Status: Pending

Agency responses received are posted verbatim.