Report 2015-611 All Recommendation Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation for Legislative Action

To improve reporting entities' level of compliance with the State's security standards, the Legislature should consider mandating that the technology department conduct, or require to be conducted, an independent security assessment of each reporting entity at least every two years. This assessment should include specific recommendations, priorities, and time frames within which the reporting entity must address any deficiencies. If a third-party vendor conducts the independent security assessment, it should provide the results to the technology department and the reporting entity.

Description of Legislative Action

Assembly Bill 670 (Chapter 518, Statutes of 2015) requires the Department of Technology to annually require no fewer than 35 state entities to perform an independent security assessment.

California State Auditor's Assessment of Annual Follow-Up Status: Legislation Enacted


Description of Legislative Action

Assembly Bill 670 (Chapter 518, Statutes of 2015) requires the Department of Technology to annually require no fewer than 35 state entities to perform an independent security assessment.

California State Auditor's Assessment of 1-Year Status: Legislation Enacted


Description of Legislative Action

AB 670 (Chapter 518, Statutes of 2015) requires the Department of Technology to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments or offices annually.

California State Auditor's Assessment of 6-Month Status: Legislation Enacted


Description of Legislative Action

Assembly Bill 670 (Chapter 518, Statutes of 2015) requires the Department of Technology to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments, or offices annually.

California State Auditor's Assessment of 60-Day Status: Legislation Enacted


Recommendation for Legislative Action

To improve reporting entities' level of compliance with the State's security standards, the Legislature should consider authorizing the technology department to require the redirection of a reporting entity's legally available funds, subject to the California Department of Finance's approval, for the remediation of information security weaknesses.

Description of Legislative Action

As of August 25, 2020, the Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Annual Follow-Up Status: No Action Taken


Description of Legislative Action

The Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Annual Follow-Up Status: No Action Taken


Description of Legislative Action

The Legislature has not taken action to address this specific recommendation.

California State Auditor's Assessment of Annual Follow-Up Status: No Action Taken


Description of Legislative Action

Legislation has not been introduced to address this recommendation.

California State Auditor's Assessment of 6-Month Status: No Action Taken


Recommendation #3 To: Technology, California Department of

To assist reporting entities in reaching full compliance with the security standards, the technology department should ensure the consistency and accuracy of its self-certification process by developing a self-assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards. The technology department should require reporting entities to submit completed self-assessments along with their self-certifications.

Annual Follow-Up Agency Response From October 2018

CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards. This system is now fully operational and available to all state entities. A statewide notification was sent January 2018 to all entities requiring them to conduct an information system self-assessment of their mission-critical and state-critical applications utilizing this new self-assessment system.

Agencies are using this system operationally, and training for this system is on-going and continually available for new and existing state entity security personnel.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards.

Currently there are five (5) pilot agencies using this system, and training for this system is on-going.

Expected full use of this new system by all state agencies is May 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

CDT successfully launched the tool to automate incident reporting, and released Technology Letter 16-05 announcing the new reporting process. CDT has initiated the project to design and configure the Risk Management module by December 31, 2016, and will issue updated instructions via a Technology Letter in December 2016.

This module will integrate self-assessment, compliance reporting, and remediation plans, thereby ensuring the consistency and accuracy of the self-certification process.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

California Department of Technology (CDT) successfully launched the tool to automate incident reporting, and released Technology Letter 16-05 announcing the new reporting process. CDT has initiated the project to design and configure the Risk Management module by December 31, 2016 and will issue updated instructions via a Technology Letter in December 2016.

This module will integrate self-assessment, compliance reporting, and remediation plans, thereby ensuring the consistency and accuracy of the self-certification process.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

For the January 31, 2016 reporting period departments were directed to complete the recently improved Nationwide Cyber Security Review self-assessment. This self-assessment tool assesses a department's level of security program maturity including their policies, procedures, and technical controls. This online assessment tool has been used by state agencies in the past on a voluntary basis, and was recently enhanced to align with and provide measurement against the National Institute of Standards and Technology (NIST) Cyber Security Framework. Additionally, the Department has acquired a separate tool to automate incident reporting. This tool has optional modules that can be configured to include any state specific standards, and be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. By December 2016 the self-assessment, compliance reporting and remediation plan features of the newly acquired tool will be enabled to fully automate the reporting and tracking of risk and security compliance for subsequent reporting years.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology has directed state entities to use the new self-assessment tool, and is now requiring state entities to submit the results of their self-assessment along with their annual self-certification submissions due January 31st of each year. For the January 31, 2016 reporting period departments have been directed to complete the recently improved Nationwide Cyber Security Review self-assessment. This self-assessment tool assesses a department's level of security program maturity including their policies, procedures, and technical controls. This online assessment tool has been used by state agencies in the past on a voluntary basis, and was recently enhanced to align with and provide measurement against the National Institute of Standards and Technology (NIST) Cyber Security Framework. Additionally, the Department has acquired a separate tool to automate incident reporting. This tool has optional modules that can be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. The longer-term plan is to enable the compliance reporting and self-assessment features of the newly acquired tool to fully automate the reporting and tracking of security compliance for subsequent reporting years. Corresponding training and the CISO's review of self-certifications is addressed in recommendations #4 and #5 respectively.

California State Auditor's Assessment of 60-Day Status: Partially Implemented

The new self-assessment tool is not based on the State's security standards. Therefore, reporting entities may not understand the entire scope of the security standards to which they are certifying.


Recommendation #4 To: Technology, California Department of

To assist reporting entities in reaching full compliance with the security standards, the technology department should provide more extensive guidance and training to reporting entities regarding the self-certification process, including training on how they should use the new self-assessment tool.

Annual Follow-Up Agency Response From October 2018

CDT has developed and implemented more extensive guidance and training to reporting entities regarding the self-certification process. Between October and December 2017, CDT staff held 35 hands-on, in-person training sessions for use of the new self-certification reporting tool.

Additionally, CDT published a comprehensive, step-by-step user guide and has provided access to 40 training videos which are now accessible by reporting entities if requested. The training videos have also been published to a central extranet portal and all designated security staff have been invited to access the central portal.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards.

Currently there are five (5) pilot agencies using this system, and training for this system is on-going.

Expected full use of this new system by all state agencies is May 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

Training on the new self-assessment and compliance reporting tool will begin in December 2016 and will be ongoing thereafter. The self-assessment tool will be based on the National Institute of Standards and Technology (NIST) 800-53 standards, which is required to meet the State's security standards. Additionally, training on the new self-assessment and compliance reporting tool will be made available online in January 2017.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

Training on the new self-assessment and compliance reporting tool will begin in December 2016 and will be ongoing thereafter. The self-assessment tool will be based on the National Institute of Standards and Technology (NIST) 800-53 standards, which is required to meet the State's security standards. Additionally, training on the new self-assessment and compliance reporting tool will be made available online in January 2017.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

For the January 31, 2016 reporting period, online instructions and training workshops for completing the Nationwide Cyber Security Review (NCSR) self-assessment were provided, as well as supplemental in-person training and one-on-one guidance as requested. A total of 56 state entities attended the training workshops, and others received one-on-one assistance and guidance as requested. The Department recently acquired a separate tool to automate incident reporting. This tool has optional modules that can be configured to include any state-specific standards, and be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. By December 2016 the self-assessment, compliance reporting and remediation plan features of the newly acquired tool will be enabled to fully automate the reporting and tracking of risk and security compliance for subsequent reporting years. Once the self-assessment, compliance reporting and remediation plan features of the newly acquired tool are implemented, the Department of Technology will provide instruction and updated training on use of the new self-assessment and compliance reporting process. The updated training will also be incorporated into the existing and regularly provided training courses, and the Department will continue to review its training courses to determine if they should be enhanced, and will continue to provide one-on-one guidance to a reporting entity, upon request.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

Instructions and training are available online for completing the self-assessment tool. The Department of Technology has begun supplemental in-person training. The training is focused on helping departments understand the self-assessment tool and how to effectively complete it. Additionally, the Department will provide ongoing training, monitor the effectiveness of the training, and adjust the training material as warranted.

California State Auditor's Assessment of 60-Day Status: Partially Implemented

Although the technology department has provided training on the self-assessment tool, the tool is not based on the State's security standards. Therefore, reporting entities may not understand the entire scope of the security standards to which they are certifying.


Recommendation #5 To: Technology, California Department of

To assist reporting entities in reaching full compliance with the security standards, the technology department should take the following actions: Develop internal policies and procedures to ensure that it reviews all reporting entities' self-assessments and self-certifications, including requiring supporting evidence of compliance when feasible.

6-Month Agency Response

The Department of Technology has updated its internal procedures and process to include the review of self-assessment submissions along with the review of annual self-certifications. Staff are using the updated procedures.

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

The Department of Technology is in the process of updating its internal procedures and process to include the review of self-assessment submissions along with the review of annual self-certifications. Staff will be trained to use the new self-assessment procedures prior to the submission of departments' annual certification reporting. The annual self-certifications are due each January 31st. The Department of Technology will begin using its updated procedures in February 2016.

California State Auditor's Assessment of 60-Day Status: No Action Taken


Recommendation #6 To: Technology, California Department of

To assist reporting entities in reaching full compliance with the security standards, the technology department should take the following actions: Annually follow up on the remediation plans that reporting entities submit.

60-Day Agency Response

In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach to document details about remediation activity. The policy now requires departments to report on their corrective action progress on a quarterly basis. The PoAMs will be reviewed quarterly and departments will be provided feedback to ensure continued progress toward compliance.

California State Auditor's Assessment of 60-Day Status: Fully Implemented


Recommendation #7 To: Technology, California Department of

To provide effective oversight of reporting entities' information security, the technology department should expand on its pilot audit program by developing an ongoing risk-based audit program. If the technology department requests additional resources, it should fully support its request.

1-Year Agency Response

CDT's Budget Change Proposal, effective July 1, 2016, to make permanent and expand the audit program to perform risk-based audits was approved by the legislature. CDT has reorganized the Office of Information Security and recruitment efforts to complete staffing the recently expanded audit program, which is currently underway.

Additionally, CDT has engaged an independent consultant to evaluate the statewide information security program and make recommendations for improvement, as well as ensuring the audits validate CDT's information security policies and standards that have been implemented throughout the state as intended. Work commenced on July 5, 2016 and final recommendations are due in November 2016.

California State Auditor's Assessment of 1-Year Status: Fully Implemented


6-Month Agency Response

The Department of Technology continues to explore ways to expand and enhance its pilot audit program upon the pilots' completion in June 2016. The Department has submitted a Budget Change Proposal, as part of the Governor's Budget, to make permanent and expand the audit program to perform risk-based audits. The audits will continue to measure a department's information security program maturity, the effectiveness of its risk management practices, and compliance with State security policies and procedures including but not limited to security governance and strategy, access control, training and awareness of the employees, disaster recovery protocols, and third party data sharing agreements. As the audits are completed, the Department will continue to work with the audited departments to identify lessons learned and recommendations to aid the departments in establishing effective policies, processes and technical controls to ensure compliance.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology is exploring ways to expand and enhance its pilot audit program upon the pilots' completion in June 2016. The audits are measuring a department's compliance with State security policies and procedures including but not limited to security governance and strategy, access control, training and awareness of the employees, disaster recovery protocols, and third party data sharing agreements. As the audits are completed, the Department will work with the audited department to identify lessons learned and recommendations to aid the departments in establishing effective policies, processes and technical controls to ensure compliance.

California State Auditor's Assessment of 60-Day Status: No Action Taken


Recommendation #8 To: Technology, California Department of

The technology department should revise its certification form to require reporting entities to submit detailed information about their compliance with the security standards. It should use this information to track and identify trends in the State's overall information security.

Annual Follow-Up Agency Response From October 2018

CDT published the revised version of its certification form in January 2018, under its Policy/Guidelines Memo 2018-0012. One of the central changes to this revision was that they are now required to list risks in their compliance form and the director or lead individual of the department is required to sign it (it may not be delegated).

The data from the entities' certification form is stored in a secured automated system for tracking and reports from the system have been used to conduct trend analyses.

https://cdt.ca.gov/wp-content/uploads/2018/01/PolicyGuidelines_2018-0112_001.pdf

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards.

Currently there are five (5) pilot agencies using this system, and training for this system is on-going.

Expected full use of this new system by all state agencies is May 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

CDT will be replacing the annual certification form with the launch of the new automated compliance reporting system. Additionally, the automated compliance reporting tool will provide analytical and trend information that will allow the state to be more proactive with cyber threats.

A system policy update will be released by December 31, 2016, announcing the new self-certification and compliance reporting process, and directing state entities to use the new automated compliance reporting tool instead of the current paper self-certification form.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations will be provided in November 2016.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CDT will be replacing the annual certification form with the launch of the new automated compliance reporting system. Additionally, the automated compliance reporting tool will provide analytical and trend information that will allow the state to be more proactive with cyber threats.

A system policy update will be released by December 31, 2016 announcing the new self-certification and compliance reporting process, and directing state entities to use the new automated compliance reporting tool instead of the current paper self-certification form.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016 and subsequent recommendations are to be provided in November 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach for obtaining additional detail about remediation activity. This information, along with information obtained through the formal audits, will be used to track and identify trends in the State's overall information security. These trends will be discussed with the departments on a quarterly basis.

California State Auditor's Assessment of 6-Month Status: Partially Implemented

As we state in Chapter 2 of the report, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. As a result, some reporting entities may not identify—and therefore not report—all of their areas of noncompliance on the new PoAM.


60-Day Agency Response

In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach for obtaining additional detail about remediation activity. This information, along with information obtained through the formal audits, will be used to track and identify trends in the State's overall information security. These trends will be discussed with the departments on a quarterly basis.

California State Auditor's Assessment of 60-Day Status: Partially Implemented

As we state in Chapter 2 of the report, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. As a result, some reporting entities may not identify—and therefore not report—all of their areas of noncompliance on the new PoAM.


Recommendation #9 To: Technology, California Department of

The technology department should develop policies and procedures to define the process and criteria it will use to incentivize entities' compliance with the security standards.

Annual Follow-Up Agency Response From October 2018

CDT has developed a Cybersecurity Maturity Metrics Program, issued through TL 18-01, and revamped its oversight processes and procedures to include a comprehensive 4-year audit lifecycle. The new and updated programs, processes and procedures incentivize entities to achieve higher levels of program maturity and compliance, through scoring, comparison with peer scoring, and an audit off-ramp process. Attached is an overview of the new oversight process and

TL 18-01 is available at: https://cdt.ca.gov/wp-content/uploads/2018/03/TL-18-01.pdf.

Completed: July 2018

Additionally, during 2018, CDT supported proposed legislation, which failed to pass, that would have clarified which entities are required to comply with statewide cybersecurity policies found in SAM 5300 (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB3193). CDT will continue to make it a priority to clarify existing state statute as it pertains to security compliance.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

CDT is currently drafting internal policies and procedures to define the process and criteria it will use to promote entities' compliance with the security standards. Expected completion date is June 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2016

CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations will be provided in November 2016.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016 and subsequent recommendations will be provided in November 2016.

California State Auditor's Assessment of 1-Year Status: Pending


6-Month Agency Response

The Department of Technology continues to assess its current responsibilities and processes for addressing non-compliance and as such, incentivizing compliance. This assessment and corresponding recommendations are to be completed by June 2016. The Department continues to work with departments through its existing training and oversight processes and on-going monitoring of the PoAM.

California State Auditor's Assessment of 6-Month Status: No Action Taken


60-Day Agency Response

The Department of Technology is assessing its current responsibilities and processes for addressing non-compliance and as such, incentivizing compliance. This assessment and corresponding recommendations are to be completed by June 2016. The Department continues to work with departments through its existing training and oversight processes and on-going monitoring of the PoAM.

California State Auditor's Assessment of 60-Day Status: No Action Taken


Recommendation #10 To: Technology, California Department of

To improve the clarity of the security standards, the technology department should perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.

Annual Follow-Up Agency Response From October 2018

Since February 2017, CDT has been performing regular outreach and identifying any unclear/inconsistent security standards. CDT published a comprehensive update to SAM/SIMM in January 2018, and continues to perform regular outreach and updates.

https://cdt.ca.gov/wp-content/uploads/2018/01/PolicyGuidelines_2018-0112_001.pdf

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

Since February 2017, CDT has been performing regular outreach and identifying any unclear/inconsistent security standards. Revisions to the State Administrative Manual are expected July 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.

CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations are to be provided in November 2016.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.

CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016, and subsequent recommendations are to be provided in November 2016.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and on-going training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and on-going training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.

California State Auditor's Assessment of 60-Day Status: Partially Implemented


Recommendation #11 To: Technology, California Department of

To improve the clarity of the security standards, the technology department should develop and regularly provide detailed training on the requirements of the security standards and on best practices for achieving compliance. It should provide these trainings in a variety of locations and formats, including webinars.

Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. The detailed training provided by the pre-audit education function is held at various locations and in various formats, including webinars.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

The technology department has developed various information security trainings and has made trainings available through online videos and webinars.


Annual Follow-Up Agency Response From October 2016

CDT has enhanced its Basic Training curricula to include more extensive training on risk management, assessment, and Corrective Action Plan reporting requirements. CDT is now offering one-on-one training on the newly implemented automated incident reporting system for those reporting designees that are not able to travel to Sacramento for training. CDT has added role-based security courses to its Training Center Catalog and integrated the NIST standards into the existing Software Development Life Cycle curricula, and continues to promote awareness and use of general and role-based security courses offered for free, such as the Multi-State Information Sharing and Analysis Center, FedVTELive, and SANS Institute training programs. Many of these free training programs are offered in online and recorded webcast formats, so that students may access them at any time.

In addition, CDT will be recording its Basic Information Security Office training in November 2016, and will make the training available online.

Furthermore, CDT continues to research and look for feasible alternative training platforms and methods for delivery of its current in-person classes.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CDT has enhanced its Basic Training curricula to include more extensive training on risk management, assessment, and Corrective Action Plan reporting requirements. CDT is now offering one-on-one training on the recently implemented automated incident reporting system for those reporting designees that are not able to travel to Sacramento for training. CDT has added role-based security courses to its Training Center Catalog and integrated the NIST standards into the existing Software Development Life Cycle curricula, and continues to promote awareness and use of general and role-based security courses offered for free, such as the Multi-State Information Sharing and Analysis Center, FedVTELive, and SANS Institute training programs. Many of these free training programs are offered in online and recorded webcast formats, so that learners may access them at any time.

Additionally, CDT will be recording its Basic ISO training in August 2016, and will make the training available online.

Furthermore, CDT continues to research and look for feasible alternative training platforms and methods for delivery of its current in-person classes.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

The Department of Technology continues to provide in-person training to department Information Security Officers (ISOs), Chief Information Officers, and other information technology staff. Additionally, the Department has been researching the feasibility and piloting of tools for the delivery of alternative training methods. The Department has revised and improved existing training curriculum and continues to update training as warranted. By March 2016, the Department will have enhanced its ISO Basic Training course to include training on the self-assessment and PoAM reporting requirements, and by June 2016 the Department will have added at least two role-based security course offerings to its Training Center catalog, and will have integrated security into existing course curriculum. These trainings will be provided on an on-going basis.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology continues to provide in-person training to department Information Security Officers (ISOs), Chief Information Officers, and other information technology staff. Additionally, the Department has been researching the feasibility and piloting of tools for the delivery of alternative training methods. The Department has revised and improved existing training curriculum and continues to update training as warranted. By March 2016, the Department will have enhanced its ISO Basic Training course to include training on the self-assessment and PoAM reporting requirements, and by June 2016 the Department will have added at least two role-based security course offerings to its Training Center catalog, and will have integrated security into existing course curriculum. These trainings will be provided on an on-going basis.

California State Auditor's Assessment of 60-Day Status: Partially Implemented


Agency responses received are posted verbatim.