Report 2015-611 Recommendation 10 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #10 To: Technology, California Department of

To improve the clarity of the security standards, the technology department should perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.

Agency Response*

In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.

CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced on July 5, 2016, and subsequent recommendations are to be provided in November 2016.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: December 2016
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

In addition to continued outreach through its governance and oversight processes, the CDT's Customer Delivery Division now performs regular outreach with departments to gain their perspectives on all areas of the department, including lack of understanding with policies/standards issued by the department.

CDT has also developed and published additional guidance to assist entities with better understanding and implementation of state policies and standards requirements. This guidance tool aligns policies and standards with operational lines of business within an organization, thereby providing functional business areas guidance on the policies and standards that directly pertain to their core responsibilities.

Additionally, CDT has engaged an independent consultant to conduct a statewide security program review and to make recommendations for improvement consistent with industry standards and best practices, including recommendations for process and criteria to incentivize entities' compliance with security standards. Work commenced July 5, 2016, and subsequent recommendations are to be provided in November 2016.

  • Response Type†: 1-Year
  • Estimated Completion Date: December 2016
  • Response Date: August 2016

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and on-going training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.

  • Response Type†: 6-Month
  • Estimated Completion Date: December 2016
  • Response Date: February 2016

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Department of Technology continues to solicit input from state entities through its policy and security and privacy governance meetings, training and communications through oversight processes. The Department will now be reviewing PoAM submissions and providing feedback to departments on a quarterly basis to ensure continued progress toward compliance. The Department of Technology is also researching the feasibility and piloting of tools for employing alternative methods of outreach to departments. Additionally, through the course of self-assessments, audits and on-going training, the Department will identify issues, lessons learned, and discuss recommendations, as well as modify policy and training material as warranted.

  • Response Type†: 60-Day
  • Estimated Completion Date: December 2016
  • Response Date: October 2015

California State Auditor's Assessment of Status: Partially Implemented



†Response Type refers to the interval in which the auditee is providing the State Auditor with their status in implementing recommendations made in an audit report. Auditees must submit a response regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year or subsequent to one year.

*Agency responses received after June 2013 are posted verbatim.
