Report 2021-602 Recommendations
When an audit is completed and a report is issued, auditees must provide the State Auditor with information and periodic reports regarding their progress in implementing the report's recommendations. For audits conducted under the State High Risk Audit Program, these periodic reports are due every 90 days from the issue date of the report until such time as the State Auditor directs the auditee otherwise, according to title 2, section 61024 of the California Code of Regulations. Additionally, Senate Bill 1452 (Chapter 452, Statutes of 2006) requires auditees who have not implemented recommendations after one year to report to us and to the Legislature why they have not implemented them or to state when they intend to implement them. Below is a listing of each recommendation the State Auditor made in the report referenced, a link to the most recent response from the auditee addressing its progress in implementing the recommendation, and the State Auditor's assessment of the auditee's response based on our review of the supporting documentation.
Recommendations in Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)
|Recommendations to Legislature|
To strengthen the information security practices of reporting entities, the Legislature should amend state law to require that CDT confidentially submit an annual statewide information security status report, including the maturity metric scores it has calculated and the results of the nationwide review, to the appropriate legislative committees no later than December 2022. This status report should include CDT's plan for assisting reporting entities in improving their information security.
|Legislation Proposed But Not Enacted|
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require each nonreporting entity to adopt information security standards comparable to SAM 5300 and to provide a confidential, annual status update on its compliance with its adopted information security standards to legislative leadership, including the president pro tempore of the California State Senate, the speaker of the California State Assembly, and minority leaders in both houses. It should also require each nonreporting entity to perform or obtain an audit of its information security no less frequently than every three years.
To strengthen the information security practices of nonreporting entities, the Legislature should amend state law to require nonreporting entities that allow employees to telework to develop telework policies and training comparable to those CDT requires.
|No Action Taken|
|Recommendations to Technology, California Department of|
To ensure that it understands the statewide security status of reporting entities, CDT should increase its capacity to perform timely compliance audits of high-risk entities, which may entail hiring more staff or securing additional contracted audit support. Further, CDT should prioritize calculating maturity metric scores for the nine entities that it has audited but that do not yet have scores because it has not evaluated their privacy controls. CDT should complete these steps by the conclusion of the four-year oversight life cycle in June 2022.
Until it is able to conduct timely, objective audits of reporting entities, CDT should provide additional guidance to them by April 2022 on what constitutes a critical IT system and follow up annually to ensure that they complete the required self-assessments of those systems.
To ensure that it understands the statewide security status of reporting entities, CDT should utilize the information from the entities' self-assessments of their systems, as well as from the nationwide review, to annually help identify common areas that require improvement across multiple reporting entities.
To help ensure that reporting entities are aware of new federal information security standards that are intended to strengthen their security and privacy governance, CDT should complete the necessary updates to SAM 5300 and SIMM by June 2022.
To help reporting entities ensure that their teleworking employees are taking appropriate security precautions, CDT should clarify guidance by February 2022 to require all employees using personal devices for state business to implement baseline security measures.