Report 2014-120 Recommendation 11 Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation #11 To: Public Utilities Commission

The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.

Annual Follow-Up Agency Response From October 2021

The California Public Utilities Commission (CPUC) continues to work on addressing SAM 5300 compliance requirements.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2020

The Commission continues to work on addressing SAM 5300 compliance requirements.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2019

Partially Implemented, this information was updated 10/11/2019

0 - Non-compliant

11 - Partially compliant

32 - Mostly compliant

21 - Fully compliant

Estimated completion date: Dec 2020

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2018

The updated SAM 5300 Compliance spreadsheet as of 10/02/18 is attached with 16 Fully Compliant, 29 Mostly Compliant and 19 Partially Compliant.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From November 2017

For the updated information as of 11/07/17, please see the attached document.

-0 Non-compliant

-17 Partially compliant

-31 Mostly Compliant

-17 Fully Compliant

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work on completion of policy requirements in SAM Chapter 5300. The Commission has been given positions and plans on hiring employees to assist with the development of policies.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has hired consultants to assist with ensuring compliance of all requirements as stated in SAM Chapter 5300. CPUC has managed to prepare the Information Asset Report and the Information Security Assessment. The Risk Management Plan is due to be complete by April 15th and the Business Continuity Plan is expected on April 30

California State Auditor's Assessment of 1-Year Status: Partially Implemented

When we followed up with the commission to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of SAM Chapter 5300 (security standards). However, we found that the commission significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the commission about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of security standards when it provided the April 2016 status update. However, the commission explained that as a result of our follow-up work, it now believes it has a much clearer understanding of the requirements. The commission also cited limited staff resources as a barrier to its ability to achieve full compliance with security standards. According to the commission, it recently received authorization to hire two more individuals to its information security team. As of August 2016, the commission asserted it was actively trying to fill these two positions. Nonetheless, the commission estimates that it will not achieve full compliance with security standards until December 2019.


6-Month Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

California State Auditor's Assessment of 60-Day Status: Pending



Agency responses received are posted verbatim.