NORTHERN CALIFORNIA RECORD

Wednesday, May 8, 2024

State auditor report details information security concerns at California Department of Technology

A new report from the California State Auditor has found that the California Department of Technology (CDT) is falling short in its oversight of the state’s information security.

“This report revealed that CDT has been slow to assess the information security status of reporting entities and has not proactively expanded its capacity to do so,” Michael S. Tilden, acting state auditor, said in an email response to the Northern California Record. “The information CDT has obtained shows that many reporting entities’ information security is below standards and has not improved over the last several years.

“Similarly, among nonreporting entities, few are fully compliant with their chosen information security standards, and some have not yet even adopted such a standard or framework.”

Tilden noted that with state departments becoming increasingly reliant on remote work, IT security is critical to safeguarding California’s information assets.

“Many state entities would need to effectively cease their operations in the absence of key computer systems,” Tilden said. “And security breaches put our residents at risk not only from a privacy standpoint, but also the costs and damage that the state could incur in the event that hackers accessed these systems.”

Because the auditor’s office doesn’t have enforcement authority, it is up to the state, including CDT, to review the findings and work to find solutions.

The CDT report, which was released Jan. 18, makes several recommendations to both the Legislature and CDT to help strengthen California’s information security practices. Although the recommendations are not binding, the Legislature may implement them or take whatever other action it feels is warranted, Tilden said.

“We track the status of every audited agency’s implementation of our recommendations and post on our website periodic updates so that stakeholders can track their status,” Tilden said. “Our office will continue to evaluate whether information security should remain on our state high-risk list.”

The auditor’s office also has a process following the issuance of any state high-risk audit report.

“Each audited state agency must periodically update our office, describing the actions the agency has taken or intends to take to implement each of the state auditor's recommendations,” Tilden said. “For our state high-risk work, those updates are due to us every 90 days after the state high-risk audit report is issued, unless the state auditor informs the audited state agency that further reporting regarding a particular recommendation no longer is required.

“We can also ask that an audited state agency provide evidence to support any information or analysis it has provided to us regarding its actions or intended actions to implement a recommendation. After we have had an opportunity to review and evaluate the responses and supporting evidence, we will update our website so that our readers can continue to track the status.”

Tilden noted that California's information security as a whole has been part of its state high-risk list for nearly a decade.

“And our office regularly follows up on this important issue,” Tilden said. “Figure 7 in our recent report (2021-602) shows a history of our high-risk reports addressing information security. The California State Auditor’s Office first identified IT issues as an area of statewide concern in 2013 (2013-601).

“The state auditor’s unique authority permits our office to create a state high risk list (State High Risk List 2021-601) and, as resources permit, to audit those entities with responsibility for addressing those issues (State High Risk Reports).”