Report 2014-120 Recommendation 12 Responses
Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)
Recommendation #12 To: Public Utilities Commission
As part of developing, implementing, and maintaining an entitywide information security program, the commission should complete and maintain inventory of all its information assets, specifically categorizing the level of required security of the information assets based on the potential impact that a loss of confidentiality, integrity, or availability of such information would have on its operations and assets.
Annual Follow-Up Agency Response From October 2018
"A combined and updated spreadsheet including all Information assets is attached.
CPUC is in the process of updating Information Asset Risk Report. CPUC is in the process of working with divisions to identify locations for different types of data in order to complete data location inventory. CPUC has deployed DLP and is in the process of configuring the network monitor component of DLP.
- Completion Date: July 2018
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
Annual Follow-Up Agency Response From November 2017
Inventory of information assets inventory and classification attached. CPUC is in the process of deploying Data Loss Prevention solution, that will allow CPUC to protect data at rest and in motion.
- Estimated Completion Date: 6/30/2018
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2016
The Commission has performed a partial inventory on information assets and plans on fulfilling this requirement with the addition of staff.
- Estimated Completion Date: 12/30/2018
California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented
1-Year Agency Response
CPUC's consultants have completed their entity-wide Information Asset Report.
- Completion Date: April 2016
- Response Date: April 2016
California State Auditor's Assessment of 1-Year Status: Partially Implemented
The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
6-Month Agency Response
CPUC has external resources working with CPUC staff and in the process of developing Information Security document along with inventory for information assets.
- Estimated Completion Date: April 30, 2016
- Response Date: November 2015
California State Auditor's Assessment of 6-Month Status: Pending
60-Day Agency Response
Plan to allocate resources to complete these tasks during this year.
- Estimated Completion Date: April 2016
- Response Date: June 2015
California State Auditor's Assessment of 60-Day Status: Pending
Agency responses received are posted verbatim.