Skip Repetitive Navigation Links
California State Auditor Logo COMMITMENT • INTEGRITY • LEADERSHIP

Gaps in Oversight Contribute to Weaknesses in the State's Information Security
High Risk Update—Information Security

Report Number: 2018-611

Figure 1
Information Security Standards

Figure 1 is a series of three outline map images that demonstrate the applicability of the information security standards most commonly used by the 33 nonreporting entities we surveyed. The three outline map images consist of the following: a map of the world, a map of the continental United States of America, and a map of California. Specifically, the world map represents the International Organization for Standardization/International Electrotechnical Commission 27000 family of standards, which are generic information security requirements intended to be applicable to all organizations, regardless of type, size, or nature. The map of the United States of America represents NIST 800-53. NIST 800-53 contains the federal government's information security standards, which may also be adopted by nonfederal entities. Finally, the map of California represents the information security standards prescribed by the California Department of Technology in SAM 5300. California adopted NIST 800-53 as minimum information security control requirements and adopted additional standards that are maintained in the Statewide Information Management Manual. Only state entities within the executive branch that are under the Governor's direct authority are required to follow these standards.

Go back to Figure 1

Figure 2
Five Key Control Areas of Information Security Standards

Figure 2 is a flow chart that describes the five key control areas required in the information security standards. The five key control areas are as follows: information asset management, risk management, information security program management, information security incident management, and technology recovery. The first three control areas sequentially form the foundation of an information security structure and require an entity to first identify the assets it needs to protect, then identify its risks to those assets, and finally develop a plan to protect the assets against the risks. Specifically, the first control area—information asset management—is the process of establishing and maintaining an inventory of information assets and determining the necessary level of security for each. The second control area is risk management, which is the process of identifying and consistently evaluating potential risks to information assets. The third control area is information security program management, which is the process of developing and continually updating programs for protecting information assets from the identified risks. Once an entity establishes the foundation of its information security control structure, it can proceed with implementing the fourth and fifth key control areas. Specifically, the fourth control area is information security incident management, which is the process of developing and documenting procedures to ensure the ability to promptly respond to, report on, and recover from information security incidents, such as malicious cyberattacks. Finally, the fifth control area is technology recovery, which is the process of creating detailed plans for recovering critical information assets from unanticipated interruptions or disasters, such as floods, earthquakes, or fires.

Go back to Figure 2

Figure 3
Entities' Compliance With Their Selected Standards

Figure 3 is a donut chart for the 33 nonreporting entities we surveyed that presents a summary of their self-reported level of compliance with their selected information security standards. Each nonreporting entity reported one of the following four levels of compliance: partially compliant, mostly compliant, fully compliant, or no information security assessment. Specifically, the majority of entities—24 of the 33—indicated that they were partially compliant with their selected standards, which means they made measurable progress in complying but did not address all requirements. Three entities indicated that they were mostly compliant with their selected standards, which means they attained nearly full compliance with all requirements. Two entities indicated that they were fully compliant with their selected standards, which means they complied with all requirements. Finally, the four entities in the no information security assessment category indicated that they had not obtained or performed an information security assessment.

Go back to Figure 3