Report 2015-611 Recommendation 7 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #7 To: California Department of Technology

To provide effective oversight of reporting entities' information security, the technology department should expand on its pilot audit program by developing an ongoing risk based audit program. If the technology department requests additional resources, it should fully support its request.

1-Year Agency Response

CDT's Budget Change Proposal, effective July 1, 2016, to make permanent and expand the audit program to perform risk-based audits was approved by the Legislature. CDT has reorganized the Office of Information Security, and recruitment efforts to complete staffing of the recently expanded audit program are currently underway.

Additionally, CDT has engaged an independent consultant to evaluate the statewide information security program and make recommendations for improvement, and to ensure that the audits validate that CDT's information security policies and standards have been implemented throughout the state as intended. Work commenced on July 5, 2016, and final recommendations are due in November 2016.

California State Auditor's Assessment of 1-Year Status: Fully Implemented


6-Month Agency Response

The Department of Technology continues to explore ways to expand and enhance its pilot audit program upon the pilots' completion in June 2016. The Department has submitted a Budget Change Proposal, as part of the Governor's Budget, to make permanent and expand the audit program to perform risk-based audits. The audits will continue to measure a department's information security program maturity, the effectiveness of its risk management practices, and compliance with State security policies and procedures, including but not limited to security governance and strategy, access control, employee training and awareness, disaster recovery protocols, and third-party data sharing agreements. As the audits are completed, the Department will continue to work with the audited departments to identify lessons learned and recommendations to aid the departments in establishing effective policies, processes, and technical controls to ensure compliance.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology is exploring ways to expand and enhance its pilot audit program upon the pilots' completion in June 2016. The audits are measuring a department's compliance with State security policies and procedures, including but not limited to security governance and strategy, access control, employee training and awareness, disaster recovery protocols, and third-party data sharing agreements. As the audits are completed, the Department will work with the audited departments to identify lessons learned and recommendations to aid the departments in establishing effective policies, processes, and technical controls to ensure compliance.

California State Auditor's Assessment of 60-Day Status: No Action Taken


Agency responses received are posted verbatim.