Report 2015-611 Recommendation 4 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #4 To: California Department of Technology

To assist reporting entities in reaching full compliance with the security standards, the technology department should provide more extensive guidance and training to reporting entities regarding the self certification process, including training on how they should use the new self assessment tool.

Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards.

Currently there are five (5) pilot agencies using this system, and training for this system is ongoing.

Expected full use of this new system by all state agencies is May 2018.

  • Estimated Completion Date: May 2018

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

Training on the new self-assessment and compliance reporting tool will begin in December 2016 and will be ongoing thereafter. The self-assessment tool will be based on the National Institute of Standards and Technology (NIST) 800-53 standards, which is required to meet the State's security standards. Additionally, training on the new self-assessment and compliance reporting tool will be made available online in January 2017.

  • Estimated Completion Date: January 2017

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

Training on the new self-assessment and compliance reporting tool will begin in December 2016 and will be ongoing thereafter. The self-assessment tool will be based on the National Institute of Standards and Technology (NIST) 800-53 standards, which is required to meet the State's security standards. Additionally, training on the new self-assessment and compliance reporting tool will be made available online in January 2017.

  • Estimated Completion Date: January 2017
  • Response Date: August 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

For the January 31, 2016 reporting period, online instructions and training workshops for completing the Nationwide Cyber Security Review (NCSR) self-assessment were provided, as well as supplemental in-person training and one-on-one guidance as requested. A total of 56 state entities attended the training workshops, and others received one-on-one assistance and guidance as requested. The Department recently acquired a separate tool to automate incident reporting. This tool has optional modules that can be configured to include any state-specific standards, and be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. By December 2016 the self-assessment, compliance reporting and remediation plan features of the newly acquired tool will be enabled to fully automate the reporting and tracking of risk and security compliance for subsequent reporting years. Once the self-assessment, compliance reporting and remediation plan features of the newly acquired tool are implemented, the Department of Technology will provide instruction and updated training on use of the new self-assessment and compliance reporting process. The updated training will also be incorporated into the existing and regularly provided training courses, and the Department will continue to review its training courses to determine if they should be enhanced, and will continue to provide one-on-one guidance to a reporting entity, upon request.

  • Estimated Completion Date: January 2017
  • Response Date: February 2016

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

Instructions and training are available online for completing the self-assessment tool. The Department of Technology has begun supplemental in-person training. The training is focused on helping departments understand the self-assessment tool and how to effectively complete it. Additionally, the Department will provide ongoing training, monitor the effectiveness of the training, and adjust the training material as warranted.

  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of 60-Day Status: Partially Implemented

Although the technology department has provided training on the self-assessment tool, the tool is not based on the State's security standards. Therefore, reporting entities may not understand the entire scope of the security standards to which they are certifying.

  • Auditee did not substantiate its claim of full implementation

Agency responses received are posted verbatim.