Calif. state auditor: Many state entities vulnerable to cyberattack, disruption

Published 26 August 2015

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyberattacks. California state auditor says that given the size of California’s economy and the value of its information, the state presents a prime target for similar information security breaches. Despite the need to safeguard the state’s information systems, the state auditor says that its review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

Cybersecurity audit shows deficiencies // Source: kean.edu

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyberattacks. Most recently, in June 2015, the federal Office of Personnel Management (OPM) announced that a cybersecurity intrusion had potentially exposed the personal information of approximately twenty million current and former federal employees and other individuals.

California state auditor says that given the size of California’s economy and the value of its information, the state presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous. However, despite the need to safeguard the state’s information systems, the state auditor says that its review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

The California Department of Technology (CDT; formerly the California Technology Agency, or CTA) is responsible for ensuring that state entities that are under the direct authority of the governor (“reporting entities”) maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the state’s information. As part of its efforts to protect the state’s information assets, CDT requires reporting entities to comply with the information security and privacy policies, standards, and procedures it prescribes in Chapter 5300 of the State Administrative Manual (“security standards”). However, the auditor says that when his office performed reviews at five reporting entities to determine their compliance with the security standards, the office found deficiencies at each.

Further, 73 of 77 reporting entities fully responding to the auditor’s survey indicated that they had yet to achieve full compliance with the security standards. These reporting entities noted deficiencies in their controls over information asset and risk management, information security program management, information security incident management, and technology recovery. These weaknesses could compromise the information systems the reporting entities use to perform their day-to-day operations.

Despite the pervasiveness and seriousness of the issues the auditor identified, the CDT has failed to take sufficient action to ensure that reporting entities address these deficiencies.