Calif. state auditor: Many state entities vulnerable to cyberattack, disruption

In fact, until the audit, CDT was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the CDT relies on a self-certification form it developed that the reporting entities must submit each year. The auditor says, however, that the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, the auditor received complete survey responses from forty-one reporting entities that self-certified to the CDT that they were in compliance with all of the security standards in 2014. However, when these forty-one reporting entities responded to the auditor’s detailed survey questions related to specific security standards, thirty-seven indicated that they had not achieved full compliance in 2014. In fact, eight reporting entities indicated that they would not achieve full compliance until at least 2020. Because of the nature of its self-certification process, the CDT was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies. Although the CDT recently developed a pilot information security compliance audit program to validate the implementation of security controls, at its current rate of four auditors completing eight audits every year and a half, it would take the CDT roughly twenty years to audit all reporting entities. The auditor notes that by implementing more frequent, targeted information security assessments in addition to periodic comprehensive audits, the CDT could acquire a more timely understanding of the level of security that reporting entities have established for their high-risk areas.

Further, the auditor says, even when the CDT has known that reporting entities were not compliant with security standards, it failed to provide effective oversight of their information security and privacy controls. Although more than 40 percent of reporting entities certified in 2014 that they had yet to comply with all of the security standards, the technology department had not established a process for performing follow-up activities with these reporting entities, even if the entities had certified their noncompliance for a number of consecutive years. In addition, more than half of the reporting entities that responded to the auditor’s survey indicated that the CDT had not provided sufficient guidance to assist them in complying with all of the security standards.

For example, more than one-third of survey respondents indicated that they did not understand all of the requirements in the security standards, which may impede their ability to comply. Respondents explained that the security standards can be difficult to understand, in part because the requirements are unclear or reference a number of other documents. These survey responses suggest that the CDT needs to provide additional outreach and guidance to ensure that reporting entities understand the state’s security standards.

Finally, the state auditor says that a significant number of entities — such as constitutional offices and those in the judicial branch — are not currently subject to the CDT’s security standards or oversight.

The original high-risk issue that prompted this audit was the technology department’s oversight of the information security controls that reporting entities had implemented over their information systems. However, given the significant findings that the auditor explains in his report and the pervasiveness of the information security issues that the auditor identified in previous reports, the auditor’s office says it intends to assess the information security risks associated with nonreporting entities and, depending on the results, consider broadening its high-risk issue in the future to include information security controls for all state entities, including those that do not report to the CDT.

“As a result of the outstanding weaknesses in reporting entities’ information system controls,” the auditor writes, and the CDT’s “failure to provide effective oversight and assist noncompliant entities in meeting the security standards, [the auditor] determined that some of the state’s information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the state.”

Recommendations
Legislature
The auditor says that to improve reporting entities’ level of compliance with the state’s security standards, the legislature should consider enacting the following statutory changes:

  • Mandate that the CDT conduct, or require to be conducted, an independent security assessment of each reporting entity at least every two years. This assessment should include specific recommendations, priorities, and time frames within which the reporting entity must address any deficiencies. If a third-party vendor conducts the independent security assessment, it should provide the results to the technology department and the reporting entity.
  • Authorize the technology department to require the redirection of a reporting entity’s legally available funds, subject to the California Department of Finance’s approval, for the remediation of information security weaknesses.

Department of Technology (CDT)
To assist reporting entities in reaching full compliance with the security standards, the CDT should take the following actions:

  • Ensure the consistency and accuracy of its self-certification process by developing a self-assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards. The technology department should require reporting entities to submit completed self-assessments along with their self-certifications.
  • Provide more extensive guidance and training to reporting entities regarding the self-certification process, including training on how they should use the new self-assessment tool.
  • Develop internal policies and procedures to ensure that it reviews all reporting entities’ self-assessments and self-certifications, including requiring supporting evidence of compliance when feasible.
  • Annually follow up on the remediation plans that reporting entities submit.

To provide effective oversight of reporting entities’ information security, the CDT should expand on its pilot audit program by developing an ongoing risk-based audit program. If the CDT requests additional resources, it should fully support its request.

To improve the clarity of the security standards, the CDT should take the following actions:

  • Perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.
  • Develop and regularly provide detailed training on the requirements of the security standards and on best practices for achieving compliance. It should provide these trainings in a variety of locations and formats, including webinars.

The auditor notes that the five reporting entities that his office reviewed should promptly identify all areas in which they are noncompliant with the security standards and develop a detailed remediation plan that includes time frames and milestones to reach full compliance.

“The technology department and reporting entities generally agreed with our conclusions and recommendations,” the auditor says.