Report 2015-611 Recommendation 10 Responses
Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)
Recommendation #10 To: California Department of Technology
To improve the clarity of the security standards, the technology department should perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.
Annual Follow-Up Agency Response From October 2018
Since February 2017, CDT has been performing regular outreach and identifying any unclear/inconsistent security standards. CDT published a comprehensive update to SAM/SIMM in January 2018, and continues to perform regular outreach and updates.
https://cdt.ca.gov/wp-content/uploads/2018/01/PolicyGuidelines_2018-0112_001.pdf
- Completion Date: January 2018
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
Annual Follow-Up Agency Response From November 2017
Since February 2017, CDT has been performing regular outreach and identifying any unclear/inconsistent security standards. Revisions to the State Administrative Manual are expected July 2018.
- Estimated Completion Date: July 2018
California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented
Annual Follow-Up Agency Response From October 2016
In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.
CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.
Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations are to be provided in November 2016.
- Estimated Completion Date: December 2016
California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented
1-Year Agency Response
In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.
CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.
Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016, and subsequent recommendations are to be provided in November 2016.
- Estimated Completion Date: December 2016
- Response Date: August 2016
California State Auditor's Assessment of 1-Year Status: Partially Implemented
6-Month Agency Response
The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and on-going training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.
- Estimated Completion Date: December 2016
- Response Date: February 2016
California State Auditor's Assessment of 6-Month Status: Partially Implemented
60-Day Agency Response
The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and on-going training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.
- Estimated Completion Date: December 2016
- Response Date: October 2015
California State Auditor's Assessment of 60-Day Status: Partially Implemented
Agency responses received are posted verbatim.