Report 2015-611 Recommendation 11 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #11 To: Technology, California Department of

To improve the clarity of the security standards, the technology department should develop and regularly provide detailed training on the requirements of the security standards and on best practices for achieving compliance. It should provide these trainings in a variety of locations and formats, including webinars.

Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. The detailed trainings provided by the pre-audit education function are held at various locations and in various formats, including webinars.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

The technology department has developed various information security trainings and has made trainings available through online videos and webinars.


Annual Follow-Up Agency Response From October 2016

CDT has enhanced its Basic Training curricula to include more extensive training on risk management, assessment, and Corrective Action Plan reporting requirements. CDT is now offering one-on-one training on the newly implemented automated incident reporting system for those reporting designees who are not able to travel to Sacramento for training. CDT has added role-based security courses to its Training Center Catalog and integrated the NIST standards into the existing Software Development Life Cycle curricula, and continues to promote awareness and use of general and role-based security courses offered for free, such as the Multi-State Information Sharing and Analysis Center, FedVTELive, and SANS Institute training programs. Many of these free training programs are offered in online and recorded webcast formats, so that students may access them at any time.

In addition, CDT will be recording its Basic Information Security Office training in November 2016, and will make the training available online.

Furthermore, CDT continues to research and look for feasible alternative training platforms and methods for delivery of its current in-person classes.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CDT has enhanced its Basic Training curricula to include more extensive training on risk management, assessment, and Corrective Action Plan reporting requirements. CDT is now offering one-on-one training on the recently implemented automated incident reporting system for those reporting designees who are not able to travel to Sacramento for training. CDT has added role-based security courses to its Training Center Catalog and integrated the NIST standards into the existing Software Development Life Cycle curricula, and continues to promote awareness and use of general and role-based security courses offered for free, such as the Multi-State Information Sharing and Analysis Center, FedVTELive, and SANS Institute training programs. Many of these free training programs are offered in online and recorded webcast formats, so that learners may access them at any time.

Additionally, CDT will be recording its Basic ISO training in August 2016, and will make the training available online.

Furthermore, CDT continues to research and look for feasible alternative training platforms and methods for delivery of its current in-person classes.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

The Department of Technology continues to provide in-person training to department Information Security Officers (ISOs), Chief Information Officers, and other information technology staff. Additionally, the Department has been researching the feasibility of, and piloting, tools for the delivery of alternative training methods. The Department has revised and improved existing training curriculum and continues to update training as warranted. By March 2016, the Department will have enhanced its ISO Basic Training course to include training on the self-assessment and PoAM reporting requirements, and by June 2016 the Department will have added at least two role-based security course offerings to its Training Center catalog, and will have integrated security into existing course curriculum. These trainings will be provided on an ongoing basis.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology continues to provide in-person training to department Information Security Officers (ISOs), Chief Information Officers, and other information technology staff. Additionally, the Department has been researching the feasibility of, and piloting, tools for the delivery of alternative training methods. The Department has revised and improved existing training curriculum and continues to update training as warranted. By March 2016, the Department will have enhanced its ISO Basic Training course to include training on the self-assessment and PoAM reporting requirements, and by June 2016 the Department will have added at least two role-based security course offerings to its Training Center catalog, and will have integrated security into existing course curriculum. These trainings will be provided on an ongoing basis.

California State Auditor's Assessment of 60-Day Status: Partially Implemented


All Recommendations in 2015-611

Agency responses received are posted verbatim.