Skip Repetitive Navigation Links
California State Auditor Report Number : 2015-611

High Risk Update- Information Security
Many States Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption

Summary

HIGHLIGHTS

Our audit of the California Department of Technology’s (technology department) oversight of the State’s information security highlighted the following:

Results in Brief

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had potentially exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California’s economy and the value of its information, the State presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the State and to the individuals involved could be enormous. However, despite the need to safeguard the State’s information systems, our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the State’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

The California Department of Technology (technology department) is responsible for ensuring that state entities that are under the direct authority of the governor (reporting entities) maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the State’s information. As part of its efforts to protect the State’s information assets, the technology department requires reporting entities to comply with the information security and privacy policies, standards, and procedures it prescribes in Chapter 5300 of the State Administrative Manual (security standards). However, when we performed reviews at five reporting entities to determine their compliance with the security standards, we found deficiencies at each. Further, 73 of 77 reporting entities fully responding to our survey indicated that they had yet to achieve full compliance with the security standards. These reporting entities noted deficiencies in their controls over information asset and risk management, information security program management, information security incident management, and technology recovery. These weaknesses could compromise the information systems the reporting entities use to perform their day-to-day operations.

Despite the pervasiveness and seriousness of the issues we identified, the technology department has failed to take sufficient action to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, we received complete survey responses from 41 reporting entities that self-certified to the technology department that they were in compliance with all of the security standards in 2014. However, when these 41 reporting entities responded to our detailed survey questions related to specific security standards, 37 indicated that they had not achieved full compliance in 2014. In fact, eight reporting entities indicated that they would not achieve full compliance until at least 2020. Because of the nature of its self-certification process, the technology department was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies. Although the technology department recently developed a pilot information security compliance audit program to validate the implementation of security controls, at its current rate of four auditors completing eight audits every year and a half, it would take the technology department roughly 20 years to audit all reporting entities. By implementing more frequent, targeted information security assessments in addition to periodic comprehensive audits, the technology department could acquire a more timely understanding of the level of security that reporting entities have established for their high-risk areas.

Further, even when the technology department has known that reporting entities were not compliant with security standards, it failed to provide effective oversight of their information security and privacy controls. Although more than 40 percent of reporting entities certified in 2014 that they had yet to comply with all of the security standards, the technology department had not established a process for performing follow-up activities with these reporting entities, even if the entities had certified their noncompliance for a number of consecutive years. In addition, more than half of the reporting entities that responded to our survey indicated that the technology department had not provided sufficient guidance to assist them in complying with all of the security standards. For example, more than one-third of survey respondents indicated that they did not understand all of the requirements in the security standards, which may impede their ability to comply. Respondents explained that the security standards can be difficult to understand, in part because the requirements are unclear or reference a number of other documents. These survey responses suggest that the technology department needs to provide additional outreach and guidance to ensure that reporting entities understand the State’s security standards.

Finally, a significant number of entities—such as constitutional offices and those in the judicial branch—are not currently subject to the technology department’s security standards or oversight. The original high-risk issue that prompted this audit was the technology department’s oversight of the information security controls that reporting entities had implemented over their information systems. However, given the significant findings that we explain in this report and the pervasiveness of the information security issues that we identified in previous reports, we intend to assess the information security risks associated with nonreporting entities and, depending on the results, consider broadening our high-risk issue in the future to include information security controls for all state entities, including those that do not report to the technology department.

As a result of the outstanding weaknesses in reporting entities’ information system controls and the technology department’s failure to provide effective oversight and assist noncompliant entities in meeting the security standards, we determined that some of the State’s information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the State.

Recommendations

Legislature

To improve reporting entities’ level of compliance with the State’s security standards, the Legislature should consider enacting the following statutory changes:

Technology Department

To assist reporting entities in reaching full compliance with the security standards, the technology department should take the following actions:

To provide effective oversight of reporting entities’ information security, the technology department should expand on its pilot audit program by developing an ongoing risk-based audit program. If the technology department requests additional resources, it should fully support its request.

To improve the clarity of the security standards, the technology department should take the following actions:

Reporting Entities

The five reporting entities that we reviewed should promptly identify all areas in which they are noncompliant with the security standards and develop a detailed remediation plan that includes time frames and milestones to reach full compliance.

Agency Comments

The technology department and reporting entities generally agreed with our conclusions and recommendations.



Back to top