Report 2022-114 Recommendation 11 Responses

Report 2022-114: California Department of Technology: Weaknesses in Strategic Planning, Information Security, and Project Oversight Limit the State's Management of Information Technology (Release Date: April 2023)

Recommendation #11 To: Technology, California Department of

To expand its knowledge of threats to the State's information security and more effectively leverage the State's resources for threat monitoring, CDT should perform increased outreach with reporting entities. Specifically, CDT should learn what reporting entities are currently doing for monitoring and alerting other agencies of cybersecurity threats and educate them about its no-cost threat monitoring service.

1-Year Agency Response

Since the last update, OIS has increased its SOCaaS adoption by 45%, and is currently at 74 customers, up from 51. At this point, all reporting entities have been made aware of or educated on the OIS offering. Most remaining entities that have not taken advantage of SOCaaS state that funding remains the main obstacle. Note: Costs to entities only involve the ingestion and storage of log data and are nominal for small departments. This can be more significant for larger organizations, but is a small fraction of the cost to stand up their own full-blown SOC.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

Although CDT continues to make progress, it does not anticipate fully implementing this recommendation until December 2024.

6-Month Agency Response

There are six state entities verified to have existing mature SOCs that perform 24x7 monitoring and alerting and are out of scope for our services at this time. Regarding all others, OIS has surveyed departments regarding their security programs. At least 132 departments have completed these surveys providing insight into their security solutions, reporting, and compliance. These survey results have provided insight into how organizations manage essential security solutions. We continue to proactively reach out to state entities to discuss our monitoring service. Since the last update we have increased enrollment from 18 to 51. Since the last update, we have also provided introductory presentations for over 60 organizations interested in learning more about how the service works and how to onboard. We recently published a major update to CDT's SOCaaS website to provide more thorough and detailed information about our SOCaaS monitoring service.

Additionally, please see the attached (Excel spreadsheet) document which lists our P0 or outreach meetings with customers where we describe our service. The spreadsheet also has email communications where we still have the date.

The chart below shows the significant increase in customers in the past 10 months:

SOCaaS Customers - Jan. 2022 to Oct. 2023

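| | Total Depts | 2022 Cust's | Current Cust's | % Increase |
|---|---|---|---|---|
| | 159 | 18 | 51 | 21% |
| Reporting | 106 | 15 | 32 | 113.33% |
| Non-Reporting | 5 | 0 | 1 | N/A |
| Independent | 26 | 1 | 7 | 113.33% |
| Constitutionals | 9 | 0 | 1 | N/A |
| Un-affiliated | 6 | 1 | 3 | 200.00% |
| Non-State | 7 | 1 | 7 | 600.00% |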

California State Auditor's Assessment of 6-Month Status: Partially Implemented

CDT has made some progress, but has not fully implemented this recommendation.

60-Day Agency Response

During the next year CDT will implement a plan with processes and events to perform increased interaction with State reporting entities. CDT will increase its efforts to alert State entities/agencies of cybersecurity threats and educate these same entities about its no-cost threat monitoring service during this same time period. CDT has plans to increase its outreach with State reporting entities. The Office of Information Security will continue to hold online meetings and training to assist entities with threat monitoring.

In addition, CDT's Office of Information Security has a team that meets with reporting entities and works side by side to ensure best practices are used for monitoring cybersecurity threats. CDT also educates the entities about its no-cost threat monitoring service. CDT will continue to promote the continuous monitoring Security Operations Service monthly at the Security Advisory Committee meetings. In addition, progress reports on detection effectiveness are being provided to the departmental ISOs. To date, 25 entities have been onboarded in an optimized state, with an additional 20 that are sending internal security logs and are currently being optimized.

California State Auditor's Assessment of 60-Day Status: Pending


Agency responses received are posted verbatim.