Report 2021-602 Recommendation 4 Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the States Ability to Ensure Information Security (Release Date: January 2022)

Recommendation #4 To: Technology, California Department of

To ensure that it understands the statewide security status of reporting entities, CDT should increase its capacity to perform timely compliance audits of high-risk entities, which may entail hiring more staff or securing additional contracted audit support. Further, CDT should prioritize calculating maturity metric scores for the nine entities that it has audited but that do not yet have scores because it has not evaluated their privacy controls. CDT should complete these steps by the conclusion of the four-year oversight life cycle in June 2022.

CDT has increased its capacity to perform timely compliance audits of high-risk entities by hiring 3 additional lead auditors, with the hiring of the final auditor occurring in May 2024. Additionally, CDT has evaluated the privacy scores for the 9 entities in question, and by June 2022, successfully calculated maturity metric scores for these entities.

California State Auditor's Assessment of Status: Fully Implemented

CDT has increased its capacity to perform timely compliance audits and calculated maturity metric scores for the nine entities.

To meet the increased audit workload for FY 24/25 and complete the audits left in the Executive Branch, 3 Lead Auditors were hired. Audit engagement letters were sent to 10 Constitutionals and Independents entities, however to date neither one of these entities were interested in receiving an audit by CDT, the risk of not knowing if they are compliant or not is still not being addressed at this time. New auditors are being trained and will be expected to share the full workload by July 24'. The number of full audits scheduled: (20) and check in Audits (13). The Governance team have developed several enforcement strategies to get entities to close and or remediate audit findings, at this time the proposal is still being reviewed / discussed. Strategy: The audit team working with the Governance and Advisory Services team are working on updating the following: SAM, SIMM, etc., to reflect on the two key emerging security threats from Cloud Computing and AI environment(s) and how it may impact the risk in state agencies.

The audit program and audit articles request will also be updated to reflect the updated Cybersecurity Framework (2.0) and is scheduled to be a 14 months' work effort, with the expected date to begin in June 2024 (subject to identifying a project manager & funding). The Governance team is also formalizing an Enforcement and Risk Management Program policy to ensure that entities are prioritizing and remediating risks identified as audit findings. Currently, the enforcement policy is in its final draft after external community feedback. The enforcement policy is being routed to leadership with the aim to publish in summer of 24'. The Risk Management Program policy is still in development.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until July 2025.

The nine entities mentioned in this report have received their final maturity metric scores which included their privacy controls. In addition, the audit team received funding approval to hire 3 additional lead auditors, the additional resources will allow CDT to complete the balance of audits of the Executive Branch by the end of FY 24/25, there were 21 entities left to audit and that involves a full audit for each remaining entity that will satisfy the 107 total entities needed to be audited in the Executive Branch. The detail audit schedule for FY24/25 has been developed and the audit engagement letters will be sent out in January 2024 notifying the entities of the upcoming audits beginning in July 2024. In addition, the audit program team will perform check in audits (8-10) during the FY 24/25 period. The total number of audits that will be completed by the end of FY 24/25 will be 31 audits in full including the balance of entities in the Executive Branch. Lastly, the final security maturity scores will be given to each of these entities but will not be finalized until they receive an ISA from the California Military Department.

California State Auditor's Assessment of Status: Partially Implemented

While CDT successfully demonstrated that it calculated maturity metric scores for the nine entities, it is still working to hire additional auditors to increase its capacity to perform timely compliance audits.

CDT is hopeful and planning for a Unified Integrated Risk Management (UIRM) system to be implemented in the future. If successfully implemented, the UIRM will help automate many processes of the Audit program as well as remediation assistance activities delivered by the Advisory Services program. In addition, OIS has secured 3 additional auditor positions which will increase audit capacity by up to 50%. These positions are in active recruitment at the time of this response.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until December 2024.

Prior response provided on April 25, 2023 - Audit program team has identified 28 entities and will conduct 14 full audits and 14 check in audits in FY 23/24 up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to one option however without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities however we lack the resources necessary at this time in order to move forward.

CDT is also working on hiring two more auditors which would result in an additional 8 entities being audited in each fiscal year.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it has not fully implemented this recommendation.

Audit program team has identified 28 entities and will conduct 14 full audits and 14 check in audits in FY 23/24 up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self assessment appears to one option however without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities however we lack the resources necessary at this time in order to move forward.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until July 2024.

Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.

California State Auditor's Assessment of Status: Partially Implemented

CDT only completed 48 of the 52 originally planned audits, and it did not complete all of those audits during the four-year cycle. Further, it has not increased its capacity to perform timely compliance audits.

Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT completed 48 high-risk audits, it did not complete all of the audits during the four-year cycle, and it only completed 48 of the 52 originally planned audits. Further, it has not increased its capacity to perform additional high-risk audits. However, as CDT states in its response, it completed the privacy-focused audits for the nine referenced entities and calculated the maturity metric scores.

Final Reports for 44 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered. The Final Reports for the last 4 are being reviewed and will be approved and delivered by August 5th.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued. The Audit Reports for these Privacy focused audits will be issued by August 15, 2022.

California State Auditor's Assessment of Status: Partially Implemented

CDT has not increased its capacity to perform timely compliance audits and, per its response, it will not finalize the maturity metric scores until August 2022.

The California Department of Technology (CDT) is on track to complete 48 of the 52 scheduled high-risk audits for FY 2021-22 by the end of June 2022. CDT is exploring capacity options within the administration for the next fiscal year to support advisory and compliance enforcement measures of high-risk entities.

The entities referenced are high risk entities which did not have privacy controls audited after additional privacy controls were added into our audit framework. The nine (9) referenced entities are currently engaged in focused audits to have their privacy controls evaluated and maturity scores updated by June 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not implement this recommendation until June 2022.

All Recommendations in 2021-602

Agency responses received are posted verbatim.