Summary

Audit Highlights . . .

Our high risk audit regarding nonreporting entities' compliance with security standards revealed the following:

» State entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store.

Of the 33 nonreporting entities surveyed, 29 obtained an information security assessment to evaluate their compliance with the security standards they selected.
Twenty‑four nonreporting entities were only partially compliant and nearly all had high-risk deficiencies.

» Nonreporting entities may be unaware of other information security weaknesses because many of them relied upon assessments that were limited in scope.

Five of the 10 nonreporting entities we reviewed had assessed only a portion of their selected security standards, and one had neither adopted any security standards nor performed any assessments.

» Some nonreporting entities are subject to an oversight framework that requires them to assess their information security regularly.

Three of the four nonreporting entities that fully assessed their selected standards were subject to such oversight, leading us to conclude that external oversight improves a state entity's information security status.

Results in Brief

Gaps in oversight weaken the State's efforts to keep its information secure. Although we previously found that the California Department of Technology (technology department) has made progress in its oversight since our initial 2013 assessment, and the state entities subject to its oversight have increased their compliance with established standards, state entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store. State law generally requires state entities within the executive branch under the Governor's direct authority (reporting entities) to comply with information security and privacy policies that the technology department prescribes. However, state law does not apply the technology department's policies and procedures to entities that fall outside of that authority (nonreporting entities).

We surveyed 33 nonreporting entities from around the State and reviewed 10 of them in detail. Most of the 33 surveyed entities asserted that they had selected one or more standards to use in developing their information security policies. In addition, 29 of the 33 entities said they performed a self-assessment or contracted with an independent assessor to evaluate their compliance with the specific standards they selected. However, 24 of the assessments concluded that the respective entities were only partially compliant. In addition, 21 of those assessments identified high-risk deficiencies.

The nonreporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope. For example, five of the 10 nonreporting entities we reviewed had assessed only a portion of their selected security standards, which limits their ability to identify potential vulnerabilities, and one had neither adopted any security standards nor performed any assessments. Although nonreporting entities are not subject to the technology department's policies and procedures, some are subject to an oversight framework that requires them to assess their information security regularly. This was the case for three of the four entities that had fully assessed their selected standards, leading us to conclude that external oversight improves a state entity's information security status. At the same time, nonreporting entities without external oversight that fail to routinely assess their level of compliance with adopted security standards and then fail to address identified deficiencies are placing some of the State's sensitive data at risk of unauthorized use, disclosure, or disruption.

Recommendations

To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to do the following:

Require all nonreporting entities to adopt information security standards comparable to the information security and privacy policies prescribed by the technology department.
Require all nonreporting entities to obtain or perform comprehensive information security assessments no less frequently than every three years to determine compliance with the entirety of their adopted information security standards.
Require all nonreporting entities to confidentially submit certifications of their compliance with their adopted standards to the Assembly Privacy and Consumer Protection Committee and, if applicable, to confidentially submit corrective action plans to address any outstanding deficiencies.