This recommendation has been superseded by a recommendation from a subsequent report. See 2015-302 #2.
The AOC should implement all of the best practices related to general and business process application controls as outlined in the U.S. Government Accountability Office's Federal Information System Controls Audit Manual no later than December 31, 2014, thereby strengthening and continuously monitoring the effectiveness of the controls over its information systems. In addition, the AOC should immediately begin implementing improvements to its controls over access to its information systems and place these improvements into effect by February 2014. Finally, the AOC should provide guidance and routinely follow up with the superior courts—requiring updates every six months until all identified issues are corrected—to ensure that they make the necessary improvements to their general and business process application controls.
The Judicial Council of California (Judicial Council) was able to secure the Governor's approval for $3.1 million in additional funding during fiscal year 2016-17 to strengthen information technology security and disaster recovery programs, with additional ongoing funding of $1.9 million in subsequent years. This funding will result in the implementation of user access auditing tools at the courts, the establishment of annual information system risk assessments, and the implementation of a formalized information technology security plan. The BCP also provides funding for three full-time employees to support the IT security and disaster recovery programs within the Judicial Council. The Judicial Council anticipates having additional information on an anticipated timeline in our next annual update.
In June 2014, the Judicial Council (formerly the AOC) adopted a framework of information systems controls that was based on the industry-standard Federal Information System Controls Audit Manual (FISCAM) control activities. Subsequent to the adoption of this framework, a number of efforts were initiated to facilitate its implementation: (1) a risk management overview in Sept. 2014; (2) an IT operational risk assessment was conducted to determine areas where the development of policies and procedures was required, and a presentation of the findings will occur in Dec. 2014; (3) a consolidated policies and procedures manual has been drafted and is currently being reviewed by IT Office staff prior to its release and publication, expected in the third quarter of this fiscal year. While implementation of best practices as demonstrated above will continue, full implementation of all of the practices will require resources and time. It is expected that substantive compliance will be completed in 2015, but further work to be compliant in all areas may be necessary and additional funding will be requested. Budget Change Proposals (BCPs) may be prepared to request funding to implement some of the more complex tasks and to be able to address all of the issues. The JC may submit the BCP for its activities in Jan. 2015. As noted in our prior response, access changes are controlled through an automated process and issues in audits are periodically followed up. Periodically, guidance has been provided through posting of audit reports on the California Courts web site, issuance of systemic issues in audit reports to advisory committees, and issuance of guidance to trial courts such as the Jan. 31, 2014 memorandum to superior court CEOs, HR officers, and information officers. JC staff also continues to contact courts with audit reports issued during the last two years concerning the status of incomplete items. Status reports will be prepared periodically.
The Information Systems Controls Framework (ISCF) for the Administrative Office of the Courts (AOC) was approved for the AOC by the AOC's Executive Office on June 12, 2014. This framework incorporates industry standards and best practices, and the document has been provided to the California State Auditor. Implementation is in progress.
At the August meeting of the Judicial Council the Strategic and Tactical Plans for Technology for the Judicial Branch recently developed by the Judicial Council Technology Committee (JCTC) are expected to be approved. The AOC ISCF aligns with the plans to be approved by the Judicial Council. The California State Auditor has been sent the letter sent to trial court presiding judges and court executives concerning this under the signatures of the chairs of the JCTC, Trial Court Presiding Judges Advisory Committee, and the Court Executives Advisory Committee. (estimated completion December 2014)
The AOC has moved from a manual process for recording access to the implementation of an automated overlay process (May 2014) to record all access changes.
Audit Services of the AOC continues to contact courts on a periodic basis concerning the status of incomplete items. Audit Services reports status of contact process to the Chief of Staff. (Feb. 2014 and on-going)
This is a multi-part recommendation with different target/completion dates.
1. A draft framework for information systems policies for the AOC has been prepared with a draft action plan for implementation at the AOC and encompasses FISCAM, ISO, and other industry guidance relating to best practices. This draft framework will also be utilized in the governance and compliance model for the superior courts and will be submitted for final approval to the Judicial Council at its June 2014 meeting. Dec. 2014
2. The AOC has implemented a manual process whereby anyone who is separated or terminated will be taken off of the network on the day they leave (physically leave, not when vacation etc. runs out) and a screen copy of the Active Directory (AD) entry is made and placed in file to provide documentation supporting this action. Individuals who change positions will have their access reviewed and approved without copying another individual's access allowances. Feb. 2014
3. Internal Audit Services has contacted courts with audit reports issued during the last two years concerning the status of incomplete items and requested status of incomplete issues for any issues not reported subsequently as completed. Follow up will also be done periodically on each finalized audit report going forward.
Status reports will be prepared every six months and forwarded to the AOC's Executive Office for open issues from finalized audit reports.
Agency responses received are posted verbatim.