Report 2015-611 Recommendation 9 Responses
Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)
Recommendation #9 To: Technology, California Department of
The technology department should develop policies and procedures to define the process and criteria it will use to incentivize entities' compliance with the security standards.
Annual Follow-Up Agency Response From October 2018
CDT has developed a Cybersecurity Maturity Metrics Program, issued through TL 18-01, and revamped its oversight processes and procedures to include a comprehensive 4-year audit lifecycle. The new and updated programs, processes and procedures incentivize entities to achieve higher levels of program maturity and compliance, through scoring, comparison with peer scoring, and an audit off ramp process. Attached is an overview of the new oversight process and
TL 18-01 is available at:
https://cdt.ca.gov/wp-content/uploads/2018/03/TL-18-01.pdf.
Completed: July 2018
Additionally, during 2018, CDT supported proposed legislation, which failed to pass, that would have clarified which entities are required to comply with statewide cybersecurity policies found in SAM 5300 (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB3193). CDT will continue to make it a priority to clarify existing state statute as it pertains to security compliance.
- Completion Date: July 2018
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
Annual Follow-Up Agency Response From November 2017
CDT is currently drafting internal policies and procedures to define the process and criteria it will use to promote entities' compliance with the security standards. Expected completion date is June 2018.
- Estimated Completion Date: June 2018
California State Auditor's Assessment of Annual Follow-Up Status: Pending
Annual Follow-Up Agency Response From October 2016
CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations will be provided in November 2016.
- Estimated Completion Date: December 2016
California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented
1-Year Agency Response
CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016, and subsequent recommendations will be provided in November 2016.
- Estimated Completion Date: December 2016
- Response Date: August 2016
California State Auditor's Assessment of 1-Year Status: Pending
6-Month Agency Response
The Department of Technology continues to assess its current responsibilities and processes for addressing non-compliance and as such, incentivizing compliance. This assessment and corresponding recommendations are to be completed by June 2016. The Department continues to work with departments through its existing training and oversight processes and on-going monitoring of the PoAM.
- Estimated Completion Date: June 2016
- Response Date: February 2016
California State Auditor's Assessment of 6-Month Status: No Action Taken
60-Day Agency Response
The Department of Technology is assessing its current responsibilities and processes for addressing non-compliance and as such, incentivizing compliance. This assessment and corresponding recommendations are to be completed by June 2016. The Department continues to work with departments through its existing training and oversight processes and on-going monitoring of the PoAM.
- Estimated Completion Date: June 2016
- Response Date: October 2015
California State Auditor's Assessment of 60-Day Status: No Action Taken
Agency responses received are posted verbatim.