Report 2014-120 All Recommendation Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation for Legislative Action

To ensure that the commission has the information it needs to better report on VoIP-related complaints, the Legislature should give the commission the authority to collect information from providers regarding their VoIP customers and require VoIP providers to furnish this information to the commission.

Description of Legislative Action

Legislation has not been introduced to address this recommendation.

  • Legislative Action Current As-of: January 2016

California State Auditor's Assessment of 6-Month Status: No Action Taken


Recommendation #2 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update and provide further training to its staff on properly classifying complaints by September 30, 2015.

6-Month Agency Response

Revised all training materials related to coding and classification of complaints. Provided training for all branch staff using revised materials including guides on: general coding, non-jurisdictional coding and VoIP coding.

  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch is in process of reviewing and refreshing all training materials related to coding and classification of complaints.

  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #3 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should continue to implement its quality management team program component focused on reviewing the categorization of complaints and correcting identified errors.

Annual Follow-Up Agency Response From November 2017

The Branch's Quality Management Team (QMT) program is on-going. As outlined in the response to Recommendation #4, the QMT team's expertise was utilized in 2017 to staff a ongoing project to automate portions of the quality assurance functions within the Consumer Information Management System (CIMS) database. The Branch was not successful in securing approval for personnel classifications better able to perform the higher level analysis necessary to ensure quality management.

  • Estimated Completion Date: 6/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2016

The Branch's Quality Management Team (QMT) program is on-going. As outlined in CPUC's response to Audit Recommendation #4, CAB's multi-year QMT plan has been updated to reflect progress on improvements to the quality assurance processes as well as automation of those processes. A further component of the QMT plan is to pursue resources and approval for personnel classifications better able to perform the higher level analysis necessary to ensure quality management. The appropriate personnel classification for performing such work is a Public Utilities Regulatory Analyst ranging from level 1 to level 3 depending on the complexity of specific case assignments.

  • Estimated Completion Date: 1/1/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

The Branch's quality management team program has established an on-going program. This program was outlined in CPUC's response to Audit Recommendation #4 a multi-year plan is being developed to improve quality assurance processes and increase automation of those processes.

  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Pending

CPUC staff indicate that its Quality Management Team project plan will be complete in September 2016.

  • Auditee did not substantiate its claim of full implementation

6-Month Agency Response

Branch has enhanced its technological capability with regard to reviewing case attributes in the quality management team (QMT) process. Specifically, branch has enhanced the data query tools in CIMS to allow for systematic retrieval and review of all attribute coding associated with any case record.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch is continuing ongoing efforts to make its quality management team more effective in ensuring that coding errors are identified and addressed.

  • Estimated Completion Date: Ongoing
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #4 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should develop and implement tools by September 30, 2015, to measure the quality management team program's effectiveness.

Annual Follow-Up Agency Response From November 2017

In 2017, the Branch has secured resources to automate and improve parts of the quality management processes within the CIMS database. Resources include the CPUC's IT Applications Programming and Project Management units as well as a vendor specializing in business analysis. The project was chartered on 11/09/2016 by the CPUC as the "Consumer Information Management System - Audit Response Mitigation for Quality Assurance". The project was approved by the California Department of Technology in a Stage 1 Business Analysis on 01/23/2017. (Public Utilities Commission (8660): 8660-082 CIMS Audit Response Mitigation for Quality Assurance) The project requirements and design phases were approved on 03/17/2017 and 07/05/2017, respectively. The applications development was initiated on 08/14/2017. It is estimated that the project will complete and the automation be in place in mid-2018.

  • Estimated Completion Date: 6/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Pending


Annual Follow-Up Agency Response From October 2016

The Branch has updated its plan to measure and improve the effectiveness of its quality management team (see attached "CAB Quality Management Team Enhancement Plan"). As described in the plan, the Branch has completed the quality management process analysis described as Phase I. In Phase II, the Branch has begun to analyze baseline measures of its processes. That analysis has been completed for 2013-14 and 2014-15; it is anticipated that the analysis for 2015-16 will be completed in late 2016. Moreover, the Branch is actively pursuing a project to automate and improve parts of the quality management processes (Phases III and IV). As noted in the prior audit status responses, these process improvements will require resources from outside of the Branch, including support from the CPUC's IT unit and the database vendor, as well as additional staffing resources for CAB to ensure optimal quality management. To that end, the Branch's project request to build a database module to automate quality management processes was updated and approved in August 2016. The Branch began work in September 2016 securing funding to use a vendor to create a business analysis for the project. As of September 28, 2016, the Branch received budget approval to move forward with the project. It is anticipated that the project will begin in November 2016, with an estimated duration of six to nine months.

  • Estimated Completion Date: 12/30/2016

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

The Branch has created a draft plan to measure and improve the effectiveness of its quality management team. As part of the draft plan, the Branch has begun to analyze baseline measures of its process. The Branch continues to research the feasibility of automating parts of the quality management processes and continues to research ability of its database to create multiple alerts to enable case progress to be better measured. Preliminary findings are the process improvements will require resources from outside of the Branch, including support from CPUC IT and the database vendor.

  • Estimated Completion Date: 4/9/2017
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Pending


6-Month Agency Response

Branch has analyzed current QMT processes and is researching the feasibility of automating parts of the processes. Preliminary findings are that process improvements will require resources from outside of the branch, including support from CPUC IT and the CIMS database vendor. Current estimates are that IT resources will not be available until early to mid-2016.

  • Estimated Completion Date: Late 2016.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch is working with IT to expand its measurement capabilities in CIMS to assist in quality management team efforts.

  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #5 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update by June 30, 2015, its guidance for categorizing complaints to better integrate with the BRM. For example, the guidance should specify that nonjurisdictional complaints should be classified as such.

6-Month Agency Response

With assistance of CPUC Legal Division, branch revised the Non-Jurisdictional Job Aid and consumer assistance letters. Branch also revised the BRM coding guides and integrated into training materials. Branch delivered training to all staff, using revised materials, on the following: general coding, non-jurisdictional coding, and VoIP coding.

  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch has initiated review of the Non-Jurisdictional Job Aid including engaging the Legal Division for guidance. Guidance will be updated by June 30, 2015. Guidance will be integrated into general coding training on or before September 30, 2015.

  • Estimated Completion Date: June 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #6 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to more complete and meaningful consumer complaints data in CIMS, the branch should, to the fullest extent possible, include the attributes of each complaint in the data it records in CIMS.

Annual Follow-Up Agency Response From October 2016

The Branch is providing a sample data set for the period August 1, 2016 to September 16, 2016 of written telecommunications complaints. This data includes attributes associated with each complaint in CIMS in compliance with Recommendation #6 for the Branch to include attributes, to the fullest extent possible, in each case record. For each case the following information is provided:

- CIMS case number

- Date case was received

- Category

- Primary Subcategory

- Associated Attributes

- Comments

  • Completion Date: September 2016

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

Data provided by CPUC shows a substantial decrease in the percentage of complaints coded without any attribute data, from immediately after it provided training to its staff in late 2015 to late 2016.


1-Year Agency Response

The Branch provided case statistical data to the CA State Auditor on November 19, 2015, and met via phone conference on January 8, 2016, to discuss the recommendation and data that the Branch provided. The Branch has utilized attributes to the fullest extent possible, where appropriate, in complaint case coding. In certain of the Branch's processes, including LifeLine Appeals, attributes do not provide additional benefit in case processing or provide additional information to policy makers, enforcement officials and the general public. The Branch continues to work with relevant stakeholders to ensure the data collected under the current coding scheme is relevant and useful.

  • Completion Date: November 2015
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Pending

The complaint data that the commission provided in November 2015 does not show an appreciable difference in the percentage of complaints that include attribute data that it coded before the September 2015 training when compared to complaints coded after the training. We will reassess at the next annual review.

  • Auditee did not substantiate its claim of full implementation

6-Month Agency Response

Branch delivered training to all staff, using revised materials, on the following: general coding, non-jurisdictional coding, and VoIP coding. All training modules now contain specific guidance for using attributes and comments.

Branch enhanced its technological capability with regard to coding case attributes and accompanying QMT processes. Specifically, branch has created enhanced data query tools in CIMS to allow for systematic retrieval and review of all attribute coding associated with any case record.

  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending

Our assessment of complaints received by the commission after its September 2015 training revealed that the data do not yet support that the commission is including the attributes of each complaint in the data it records in CIMS. We will reassess in April 2016 at the one-year review.


60-Day Agency Response

Branch is reviewing and refreshing all training materials and Job Aids to reinforce the use of attributes where applicable. Training materials are on schedule to be delivered with general coding training on or before September 30, 2015.

  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #7 To: Public Utilities Commission

To ensure that branch staff provide the appropriate assistance to consumers with VoIP-related complaints, the branch should, by September 30, 2015, further train its staff on the requirements of the VoIP job aid and on providing correspondence to complainants as its guidelines require.

6-Month Agency Response

With assistance of CPUC Legal Division, branch revised the VoIP Job Aid and consumer letters. Branch also created a "quick resource guide" that presents a graphic overview of VoIP processes for staff to refer to for coding and processing assistance. Branch delivered training to all branch staff, using revised materials, on VoIP coding including enhanced use of attributes and comments.

  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch met with the Communications Division to request their assistance in better identifying VoIP providers. Branch met with the Legal Division for assistance with correspondence to be used for VoIP. Further staff training on the requirements of the VoIP job aid are on schedule to be delivered in parallel with general coding training on or before September 30, 2015.

  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #8 To: Public Utilities Commission

To ensure that consumers have access to complaint data that will enhance their ability to make informed choices about their telecommunication services, the branch should, by June 30, 2015, create an updated plan that specifies the types of data the branch intends to post online and a timeline for fully implementing that plan.

6-Month Agency Response

Branch updated plan, with appropriate approvals, for data posting online and with a revised schedule.

  • Completion Date: July 2015
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Fully Implemented


60-Day Agency Response

Branch is in progress of updating data posting plan. Plan is on schedule to be completed with appropriate approvals on or before June 30, 2015.

  • Estimated Completion Date: June 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #9 To: Public Utilities Commission

To ensure that it can assess the value to the public of the complaint data it presents on its website, the branch should create a process for those who view its complaint data to provide feedback to the branch including, if necessary, modifying the survey that it uses to collect feedback on LEP data.

1-Year Agency Response

The Branch worked with the CPUC's web team to establish a link to an expanded survey for feedback for all of the Branch's data including limited-English proficiency data. The link can be found by going to the CPUC homepage http://www.cpuc.ca.gov/default.aspx and scrolling down to section labeled,"How Do I.." and clicking on "Find Consumer Contacts Statistics". On the CAB Consumer Statistics page, in the fourth paragraph, select "Data Feedback Survey" to complete the form. Information from the survey is automatically emailed to the Branch.

  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Fully Implemented


6-Month Agency Response

CPUC website redesign work is in progress with a projected go-live date before the end of 2015. Feedback solutions are being explored with CPUC web team for all branch data including LEP.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch has engaged in the CPUC website redesign project and has met with the Executive Division, IT and IT's contractor. Branch is part of the team tasked with updating the CPUC's Consumer Information Center on the website. As part of this effort, Branch is exploring use of social media with web design team as a means for gathering feedback.

  • Estimated Completion Date: Contingent on CPUC Webpage Upgrade
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #10 To: Public Utilities Commission

To ensure that the public can easily locate customer complaint data the branch publishes on its website, the commission should make navigating to its customer complaint data more intuitive and direct.

1-Year Agency Response

CPUC Website design was completed and the new webpages went live on January 11, 2016. Navigation to consumer complaint data can now be completed in one click. All of the Branch's data including consumer contact data regarding complaints and inquiries, limited-English-proficiency contacts data and LifeLine data is consolidated in one webpage at http://cpuc.ca.gov/General.aspx?id=5400. On the CPUC homepage http://cpuc.ca.gov/default.aspx scroll down to the section labeled, "How Do I..." and click on "Find Consumer Contacts Statistics".

  • Completion Date: January 2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Fully Implemented


6-Month Agency Response

CPUC website redesign work is in progress with go-live date before the end of 2015. Navigation solutions are being explored with CPUC web team including designing links to CAB data to enhance the ability to locate the data with one "click" from the homepage.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Branch has engaged in the CPUC website redesign project and has met with the Executive Division, IT and IT's contractor. Branch is part of the team tasked with updating the CPUC's Consumer Information Center on the website. As part of this effort, Branch is exploring navigation to its data with the web design team.

  • Estimated Completion Date: Contingent Upon Completion of CPUC Webpage Upgrade
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #11 To: Public Utilities Commission

The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.

Annual Follow-Up Agency Response From November 2017

The updated information as of 11/07/17, please attached document

-0 Non-compliant

-17 Partially compliant

-31 Mostly Compliant

-17 Fully Compliant

  • Estimated Completion Date: 6/30/2020

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work on completion of policy requirements in SAM Chapter 5300. The Commission has been given positions and plans on hiring employees to assist with the development of policies.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has hired consultants to assist with ensuring compliance of all requirements as stated in SAM Chapter 5300. CPUC has managed to prepare the Information Asset Report and the Information Security Assessment. The Risk Management Plan is due to be complete by April 15th and the Business Continuity Plan is expected on April 30

  • Estimated Completion Date: 5/2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

When we followed up with the commission to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of SAM Chapter 5300 (security standards). However, we found that the commission significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the commission about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of security standards when it provided the April 2016 status update. However, the commission explained that as a result of our follow up work, it now believes it has a much more clear understanding of the requirements. The commission also cited limited staff resources as a barrier to its ability to achieve full compliance with security standards. According to the commission, it recently received authorization to hire two more individuals to its information security team. As of August 2016, the commission asserted it was actively trying to fill these two positions. Nonetheless, the commission estimates that it will not achieve full compliance with security standards until December 2019.


6-Month Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

  • Estimated Completion Date: April 2016
  • Response Date: July 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #12 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should complete and maintain inventory of all its information assets, specifically categorizing the level of required security of the information assets based on the potential impact that a loss of confidentiality, integrity, or availability of such information would have on its operations and assets.

Annual Follow-Up Agency Response From November 2017

Inventory of information assets inventory and classification attached. CPUC is in the process of deploying Data Loss Prevention solution, that will allow CPUC to protect data at rest and in motion.

  • Estimated Completion Date: 6/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission has performed a partial inventory on information assets and plans on fulfilling this requirement with the addition of staff.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC's consultants have completed their entity-wide Information Asset Report.

  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

6-Month Agency Response

CPUC has external resources working with CPUC staff and in the process of developing Information Security document along with inventory for information assets.

  • Estimated Completion Date: April 30, 2016
  • Response Date: November 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Plan to allocate resources to complete these tasks during this year.

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #13 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop a risk management and privacy plan and conduct an assessment of risks facing its information assets.

Annual Follow-Up Agency Response From November 2017

CPUC will be undergoing an information security risk assessment in Nov/Dec 2017 conducted by the CA Military Dept. Establishing/implementing a formal risk Mgmt program/process is planned for near future (estimated for 2018)

  • Estimated Completion Date: 6/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to develop an entity wide risk assessment plan and privacy plan with the addition of staff.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC consultants have been assisting with the risk management plan and it is on track to be finalized by April 15, 2016.

  • Estimated Completion Date: 4/15/2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

CPUC has awarded contract to a vendor and the consultants are working with CPUC staff.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

RFO released to conduct security assessment, attended privacy training.

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #14 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop, implement, and maintain an information security plan as part of its entitywide information security program.

Annual Follow-Up Agency Response From November 2017

In progress. CPUC have developed a master written Information Security Policy along with 20 sub-policies addressing specific areas as recommended by NIST and CDT, please see attached documents

  • Estimated Completion Date: 6/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to implement an information security program with the addition of staff.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has completed the Information Security Assessment and has performed a vulnerability scan and penetration testing to determine areas of risk. Remediation from these scans and the assessment is on-going.

  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

6-Month Agency Response

Security plan development is in progress.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Security plan development is in progress.

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #15 To: Public Utilities Commission

The commission should develop, disseminate, and maintain an incident response plan.

Annual Follow-Up Agency Response From October 2016

The Commission has developed a draft incident plan but continues to work towards a final version.

  • Estimated Completion Date: 1/1/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has finalized the Incident Response Plan.

  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

6-Month Agency Response

Incident response plan development in progress, initial document draft completed and is being reviewed.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Incident response plan development in progress.

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #16 To: Public Utilities Commission

The commission should revise its existing recovery plan to include a list of applications supporting critical business functions, their maximum acceptable outage time frames, and detailed recovery strategies for each application.

Annual Follow-Up Agency Response From November 2017

Updated technology recovery plan was submitted to CDT Office of Information Security. CPUC is currently in the process of updating this plan to address the infrastructure changes.

  • Estimated Completion Date: 12/31/2017

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission has developed some of the recovery plan and continues to work this to address all of the requirements needed.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

  • Estimated Completion Date: 4/30/2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

Critical business outage time frame and recovery strategies for applications will addressed in the form of Business Continuity plan as a subset of security assessment. The consultants and CPUC staff are meeting with business divisions to collect pertinent information.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Critical business outage time frame and recovery strategies for applications will addressed in the form of Business Continuity plan as a subset of security assessment.

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #17 To: Public Utilities Commission

The commission should revise its existing recovery plan to include detailed procedures for rebuilding its technology infrastructure at an alternate processing site.

Annual Follow-Up Agency Response From November 2017

CPUC is in the process of revising update Business continuity plan to incorporate the infrastructure changes.

  • Estimated Completion Date: 6/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work to improve the recovery plan with detailed procedures for rebuilding its technology infrastructure.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

  • Estimated Completion Date: 4/30/2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

Recovery plan updates will be addressed in Business continuity plan as a subset of Security assessment. Contract has been awarded and CPUC staff is working with consultants.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

Recovery plan updates will be addressed in Business continuity plan as a subset of Security assessment (RFO was released).

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #18 To: Public Utilities Commission

The commission should conduct regular tests and exercises to assess the sufficiency of the revised recovery plan and refine the plan when necessary.

Annual Follow-Up Agency Response From October 2016

The Commission will develop a plan for testing once the recovery plan is completed.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

  • Estimated Completion Date: 4/30/2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


6-Month Agency Response

This will be scheduled after recovery plan is updated.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

This will be scheduled after recovery plan is updated.

  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Pending


Recommendation #19 To: Public Utilities Commission

The commission should ensure that any certifications it submits to CalTech accurately represent its information security environment.

60-Day Agency Response

Modified internal certification process.

  • Completion Date: January 2015
  • Response Date: June 2015

California State Auditor's Assessment of 60-Day Status: Fully Implemented

To address the California State Auditor's recommendation that it ensure that any certifications it submits to California Department of Technology (CalTech) accurately represent its information security environment, the California Public Utilities Commission (CPUC) has created a new policy that modifies its existing internal certification process. The new policy requires all certification documentation submitted to CalTech to be reviewed by a CPUC internal committee consisting of the manager of the Information Technology Unit, the Information Security Officer, and the Chief Information Officer. After the initial review and approval by the committee, the certification documentation will be sent to the Executive Director or designee for final sign off.


All Recommendations in 2014-120

Agency responses received are posted verbatim.


Report type

Report type
















© 2013, California State Auditor | Privacy Policy | Conditions of Use | Download Adobe PDF Reader