Report 2021-602 Recommendation 5 Responses
Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)
Recommendation #5 To: California Department of Technology
Until it is able to conduct timely, objective audits of reporting entities, CDT should provide additional guidance to them by April 2022 on what constitutes a critical IT system and follow up annually to ensure that they complete the required self-assessments of those systems.
CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its October 2022 update, CDT has conducted additional demonstration sessions with an opportunity for Q&A and individual entity one-on-one guidance sessions as requested to further support entity completion. AISOs have been provided with reports of status for the non-compliant entities within their purview and have been asked to direct their entity's compliance. Additionally, CDT is working on a non-compliance enforcement standard which will outline specific consequences for various non-compliance scenarios.
- Estimated Completion Date: April 2023
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until April 2023.
CDT is adopting a three-pronged approach to ensure entity compliance: (i) CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; (ii) CDT is partnering with the AIOs and AISOs to direct their entities' compliance; (iii) CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.
CDT continues to direct entity completion of the self-assessment of critical systems in Cal-CSIRS. Since its July 2022 update, CDT has conducted seven walkthrough demonstration sessions* with an opportunity for Q&A to further support entity completion and over 20 individual entity one-on-one guidance sessions as requested to assist state entities with meeting the October 31 deadline.
* Schedule of Walkthrough Demonstration Sessions

| Date | Time | Link to Register |
| --- | --- | --- |
| 8/5/22 | 12:00-1:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22548 |
| 8/9/22 | 4:00-5:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22549 |
| 8/12/22 | 10:00-11:00 AM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22550 |
| 8/16/22 | 3:30-4:30 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22551 |
| 8/30/22 | 3:00-4:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22552 |
| 9/13/22 | 4:00-5:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22558 |
| 9/15/22 | 1:00-2:00 PM | https://resources.technology.ca.gov/Calendar/viewnew.asp?id=22559 |
- Estimated Completion Date: November 2022
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it has made some progress, but it has not yet fully implemented this recommendation.
CDT is adopting a three-pronged approach to ensure entity compliance: (i) CDT has set a deadline of October 31, 2022, for entities to complete the self-assessment in the Cal-CSIRS; (ii) CDT is partnering with the AIOs and AISOs to direct their entities' compliance; (iii) CDT is relying on state entities' acknowledgement that cybersecurity is a joint responsibility.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until December 2022.
CDT has engaged with the Information Technology (IT) community and provided guidance on the definition of a critical system on December 15, 2021, and March 30, 2022. CDT is engaged with the Governor's Office of Emergency Services' Critical Infrastructure Protection and Planning and Preparedness Branches to provide additional ongoing guidance on the critical system definition. CDT has made joint presentations to the IT community on December 15, 2021, and March 30, 2022. The presentation and guidance materials have been published on the OIS Agency.net (Extranet), accessible to designated AIOs, AISOs, CIOs, ISOs, Privacy Program Coordinators, Technology Recovery Coordinators and their designated back-ups and staff.
State entities are already aware of the requirement to complete the self-assessment in the Cal-CSIRS. Taking into consideration various reporting deadlines and associated workload on state entities, CDT will follow up with these entities to ensure completion of the self-assessment pursuant to the Information Security Compliance Reporting Schedule SIMM 5330-C (ca.gov).
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Partially Implemented
CDT provided documentation of the guidance it presented and the training video available to IT personnel regarding the definition of critical systems.
Agency responses received are posted verbatim.