Report 2015-611 Recommendation 10 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #10 To: Technology, California Department of

To improve the clarity of the security standards, the technology department should perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.

Annual Follow-Up Agency Response From October 2018

Since February 2017, CDT has been performing regular outreach and identifying any unclear/inconsistent security standards. CDT published a comprehensive update to SAM/SIMM in January 2018, and continues to perform regular outreach and updates.

https://cdt.ca.gov/wp-content/uploads/2018/01/PolicyGuidelines_2018-0112_001.pdf

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

Since February 2017, CDT has been performing regular outreach and identifying any unclear/inconsistent security standards. Revisions to the State Administrative Manual are expected July 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.

CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations are to be provided in November 2016.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.

CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016, and subsequent recommendations are to be provided in November 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and ongoing training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and ongoing training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.

California State Auditor's Assessment of 60-Day Status: Partially Implemented


Agency responses received are posted verbatim.