Report 2014-120 Recommendation 12 Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation #12 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should complete and maintain inventory of all its information assets, specifically categorizing the level of required security of the information assets based on the potential impact that a loss of confidentiality, integrity, or availability of such information would have on its operations and assets.

Agency Response*

Inventory of information assets inventory and classification attached. CPUC is in the process of deploying Data Loss Prevention solution, that will allow CPUC to protect data at rest and in motion.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission has performed a partial inventory on information assets and plans on fulfilling this requirement with the addition of staff.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC's consultants have completed their entity-wide Information Asset Report.

  • Response Type†: 1-Year
  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

Agency Response*

CPUC has external resources working with CPUC staff and in the process of developing Information Security document along with inventory for information assets.

  • Response Type†: 6-Month
  • Estimated Completion Date: April 30, 2016
  • Response Date: November 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Plan to allocate resources to complete these tasks during this year.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


All Recommendations in 2014-120

†Response Type refers to the interval in which the auditee is providing the State Auditor with their status in implementing recommendations made in an audit report. Auditees must submit a response regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year or subsequent to one year.

*Agency responses received after June 2013 are posted verbatim.


Report type

Report type
















© 2013, California State Auditor | Privacy Policy | Conditions of Use | Download Adobe PDF Reader