Report 2015-611 Recommendation 8 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #8 To: Technology, California Department of

The technology department should revise its certification form to require reporting entities to submit detailed information about their compliance with the security standards. It should use this information to track and identify trends in the State's overall information security.

Agency Response*

CDT will be replacing the annual certification form with the launch of the new automated compliance reporting system. Additionally, the automated compliance reporting tool will provide analytical and trend information that will allow the state to be more proactive with cyber threats.

A system policy update will be released by December 31, 2016, announcing the new self-certification and compliance reporting process, and directing state entities to use the new automated compliance reporting tool instead of the current paper self-certification form.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations will be provided in November 2016.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: December 2016
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CDT will be replacing the annual certification form with the launch of the new automated compliance reporting system. Additionally, the automated compliance reporting tool will provide analytical and trend information that will allow the state to be more proactive with cyber threats.

A system policy update will be released by December 31, 2016 announcing the new self-certification and compliance reporting process, and directing state entities to use the new automated compliance reporting tool instead of the current paper self-certification form.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016 and subsequent recommendations are to be provided in November 2016.

  • Response Type†: 1-Year
  • Estimated Completion Date: December 2016
  • Response Date: August 2016

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach for obtaining additional detail about remediation activity. This information, along with information obtained through the formal audits, will be used to track and identify trends in the State's overall information security. These trends will be discussed with the departments on a quarterly basis.

  • Response Type†: 6-Month
  • Completion Date: August 2015
  • Response Date: February 2016

California State Auditor's Assessment of Status: Partially Implemented

As we state in Chapter 2 of the report, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. As a result, some reporting entities may not identify—and therefore not report—all of their areas of noncompliance on the new PoAM.


Agency Response*

In August 2015, the Department of Technology issued Technology Letter 15-03, and two new State Information Management Manual (SIMM) documents, directing state entities on the use of a new Plan of Action and Milestone (PoAM) tool. The instructions (SIMM 5305-B) and tool (SIMM 5305-C) provide a standardized approach for obtaining additional detail about remediation activity. This information, along with information obtained through the formal audits, will be used to track and identify trends in the State's overall information security. These trends will be discussed with the departments on a quarterly basis.

  • Response Type†: 60-Day
  • Completion Date: August 2015
  • Response Date: October 2015

California State Auditor's Assessment of Status: Partially Implemented

As we state in Chapter 2 of the report, the current certification form does not ensure that reporting entities understand the entire scope of the security standards to which they are certifying full compliance. As a result, some reporting entities may not identify—and therefore not report—all of their areas of noncompliance on the new PoAM.

  • Auditee did not address all aspects of the recommendation

All Recommendations in 2015-611

†Response Type refers to the interval in which the auditee is providing the State Auditor with their status in implementing recommendations made in an audit report. Auditees must submit a response regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year or subsequent to one year.

*Agency responses received after June 2013 are posted verbatim.


Report type

Report type
















© 2013, California State Auditor | Privacy Policy | Conditions of Use | Download Adobe PDF Reader