The title of Figure 1 is Five Key Control Areas of Information Security With Which the California Department of Technology Requires Reporting Entities to Comply.
Figure 1, a flowchart illustrating five key control areas of information security with which the California Department of Technology requires reporting entities to comply. The first three control areas, information asset management, risk management, and information security program management, provide the foundation of an information security control structure. The information asset management control area explains that reporting entities should establish and maintain an inventory of their information assets and determine the necessary level of security for each. The chart then flows into the risk management control area, which indicates that reporting entities should identify and consistently evaluate potential risks to their information assets. The chart then flows into the final foundational area, information security program management, in which reporting entities should develop and continually update programs for protecting their information assets from the risks they have identified. To signify that they are part of the information security program management control area, the fourth and fifth control areas branch off the information security program management box. The fourth control area, information security incident management, explains that reporting entities should develop and document procedures to ensure their ability to promptly respond to, report on, and recover from information security incidents such as malicious cyber attacks. The fifth control area, technology recovery, explains that reporting entities should create detailed plans to recover critical information assets from unanticipated interruptions or disasters such as floods, earthquakes, or fires.
The title of Figure 2 is Reporting Entities’ Levels of Compliance With Select Information Security Control Areas for 2014, According to Their Survey Responses.
Figure 2, a color-coded bar chart that describes reporting entities’ levels of compliance with select information security control areas for 2014, according to their survey responses. The colors in the bar chart each represent a level of compliance with the information security control areas. Green represents “Fully compliant,” in which the reporting entity asserted it was fully compliant with all the requirements in Chapter 5300 of the State Administrative Manual (security standards) for the control area. Yellow represents “Mostly compliant,” in which the reporting entity asserted it had attained nearly full compliance with all of the security standards for the control area. Orange represents “Partially compliant,” in which the reporting entity asserted that it had made measurable progress in complying but had not addressed all of the security standards for the control area. Red represents “Not compliant,” in which the reporting entity asserted that it had not yet addressed the security standards for the control area. The figure contains five bars with these colors, each bar representing one of the five information security control areas and the related responses to our survey from 77 reporting entities detailing their level of compliance with each control area for 2014. The bar representing the information asset management control area shows that 28 reporting entities asserted full compliance (green), while 21 asserted that they were mostly compliant (yellow), 22 asserted that they were partially compliant (orange), and six reported that they were not compliant (red). The bar representing the risk management control area shows 25 green, 15 yellow, 30 orange, and 7 red. The bar representing the information security program management control area shows 24 green, 24 yellow, 26 orange, and 3 red. The bar representing the information security incident management control area shows 28 green, 28 yellow, 20 orange, and one red. The bar representing the technology recovery control area shows 23 green, 32 yellow, 21 orange, and one red.