Report 2021-602 Recommendation 6 Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)

Recommendation #6 To: Technology, California Department of

To ensure that it understands the statewide security status of reporting entities, CDT should utilize the information from the entities' self-assessments of their systems, as well as from the nationwide review, to annually help identify common areas that require improvement across multiple reporting entities.

For the national review (annual NCSR survey), this data is utilized in deriving a risk ranking for each Entity. Additionally, the last NCSR survey, which just completed in February 2024, was analyzed to identify patterns. The following areas are being analyzed:

- Agency average at the control and sub-control level to assess each Agency's status.

- Entity scores for each sub-control to identify which Entity has outliers and which controls consistently score low.

Office of Information Security (OIS) did an assessment on all self-certified system security plans (SSPs), and OIS wanted to increase reporting goals of the self-assessments. OIS has partnered with the Critical Services and Modernization team at CDT to develop a streamlined procedure that will help gather and inventory more critical systems throughout the State more effectively, in a phased and systematic approach, to gather data more intuitively. OIS has communicated, and will continually communicate, reporting requirements to entities to ensure it gathers and identifies common areas of improvement.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until December 2024.


CDT utilizes the national NCSR self-assessment survey scores in its Risk Rankings model. Also, the NCSR survey summary results are shared with the various teams in OIS to provide insight on the Entity and Agency and identify areas for improvement.

Right now, it is an ad hoc process where it is sparsely, and only in certain circumstances, used to check the accuracy of the reported critical systems of an entity and ensure that it matches their Technology Recovery Plan. We are finally out of the phase where we were working to understand what data we can compile from the Cal-CSIRS self-assessment and how we can best utilize it to provide meaningful insight and guidance.

Our long-term goal, which we hope to have established by Fall, is to use the data to:

- Log the results in the Risk Profile.

- Compare how many assessments are done vs how many are in the TRP coversheet for assets listed.

- Write narratives around TRP assets and missing Risk Assessments (RAs).

- Map out gaps from those RAs for the entire state based on the data that we have; although it's minimal, it will show what controls people do not have in place for critical TRP systems.

CDT is emphasizing that the initial intake of critical systems in Cal-CSIRS started in the winter of 2022 and, with the change of SRG management and the hiring of the whole Risk Team in the Fall of 2023, it is only recently that this initiative has been started.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until January 2025.


CDT utilizes data science and has derived a Bayesian model that uses conditional security factors to formulate a priority risk ranking and cyber resiliency of state entities across California. The priority risk ranking compares state averages that are based on technical security controls that are identified through security assessments and vulnerability scanning of systems. To help limit the weight of outliers and biases, CDT utilizes the Nationwide Cybersecurity Review (NCSR) as a confidence interval in its model, which additionally allows CDT to identify and determine potential common areas of strengths and weaknesses. By enforcing annual review and updates of the NCSR program, CDT ensures entities are reviewing and gaining a better understanding of their systems and how they can continuously improve their cyber maturity with the assistance of CDT.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT demonstrated that it is utilizing information from the nationwide review to help identify common areas that require improvement across multiple reporting entities, CDT did not provide evidence that it has also used information from reporting entities' self-assessments of their critical IT systems.


The NCSR reporting information and scoring is now actively reviewed and incorporated into the statewide risk scoring and rankings annually. OIS currently has 119 risk scores for both reporting and non-reporting entities. This year's NCSR survey opens on October 1st and closes on February 28th, 2024. Risk Ratings will be updated with this year's NCSR data as soon as it is available. In addition to working with entities through our Advisory Services efforts, we are working closely with our Critical Services Team and leveraging modernization funds to close gaps and reduce risk across the entities they work with.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until June 2024.


CDT in the prior response noted the NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities. CDT has provided additional information and supporting documentation that shows the NCSR is being completed and reveals low ratings across all agencies.

California State Auditor's Assessment of Status: Partially Implemented

CDT did not provide evidence that it has used information from reporting entities' self-assessments of their systems to help identify common areas that require improvement across multiple reporting entities.


The NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT incorporated information from the nationwide review into its risk analysis process beginning in April 2023, it did not provide evidence that it has used this information to help identify common areas that require improvement across multiple reporting entities.


CDT has now incorporated prior year NCSR scores into its priority risk ranking and will report entity status to the cybersecurity select committee in its confidential Legislative briefings with the Legislature going forward.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until March 2023.


CDT is still on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until December 2022.


CDT is on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until December 2022.


The NCSR reporting information is being reviewed and will be incorporated into statewide risk scoring and ranking calculations annually. Annually the NCSR surveys are submitted by February. CDT will incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not fully implement this recommendation until December 2022.



Agency responses received are posted verbatim.