Report 2021-602 Recommendation 4 Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)

Recommendation #4 To: Technology, California Department of

To ensure that it understands the statewide security status of reporting entities, CDT should increase its capacity to perform timely compliance audits of high-risk entities, which may entail hiring more staff or securing additional contracted audit support. Further, CDT should prioritize calculating maturity metric scores for the nine entities that it has audited but that do not yet have scores because it has not evaluated their privacy controls. CDT should complete these steps by the conclusion of the four-year oversight life cycle in June 2022.

The nine entities mentioned in this report have received their final maturity metric scores, which included their privacy controls. In addition, the audit team received funding approval to hire 3 additional lead auditors; the additional resources will allow CDT to complete the balance of audits of the Executive Branch by the end of FY 24/25. There were 21 entities left to audit, and that involves a full audit for each remaining entity, which will satisfy the 107 total entities needed to be audited in the Executive Branch. The detailed audit schedule for FY 24/25 has been developed, and the audit engagement letters will be sent out in January 2024 notifying the entities of the upcoming audits beginning in July 2024. In addition, the audit program team will perform check-in audits (8-10) during the FY 24/25 period. The total number of audits that will be completed by the end of FY 24/25 will be 31 audits in full, including the balance of entities in the Executive Branch. Lastly, the final security maturity scores will be given to each of these entities but will not be finalized until they receive an ISA from the California Military Department.

California State Auditor's Assessment of Status: Partially Implemented

While CDT successfully demonstrated that it calculated maturity metric scores for the nine entities, it is still working to hire additional auditors to increase its capacity to perform timely compliance audits.


CDT is hopeful and planning for a Unified Integrated Risk Management (UIRM) system to be implemented in the future. If successfully implemented, the UIRM will help automate many processes of the Audit program as well as remediation assistance activities delivered by the Advisory Services program. In addition, OIS has secured 3 additional auditor positions, which will increase audit capacity by up to 50%. These positions are in active recruitment at the time of this response.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it does not anticipate fully implementing this recommendation until December 2024.


Prior response provided on April 25, 2023 - Audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.

CDT is also working on hiring two more auditors which would result in an additional 8 entities being audited in each fiscal year.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it has not fully implemented this recommendation.


Audit program team has identified 28 entities and will conduct 14 full audits and 14 check-in audits in FY 23/24, up from 22 audits. OIS is still working on how to assess those entities that have not been audited or received a military assessment. At this time, self-assessment appears to be one option; however, without proper verification this process may not be the best alternative. The automated solution UIRM is the suggested solution for auditing more entities; however, we lack the resources necessary at this time in order to move forward.

California State Auditor's Assessment of Status: Partially Implemented

Per CDT's response, it will not fully implement this recommendation until July 2024.


Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.

California State Auditor's Assessment of Status: Partially Implemented

CDT only completed 48 of the 52 originally planned audits, and it did not complete all of those audits during the four-year cycle. Further, it has not increased its capacity to perform timely compliance audits.


Final Reports for 48 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued.

California State Auditor's Assessment of Status: Partially Implemented

Although CDT completed 48 high-risk audits, it did not complete all of the audits during the four-year cycle, and it only completed 48 of the 52 originally planned audits. Further, it has not increased its capacity to perform additional high-risk audits. However, as CDT states in its response, it completed the privacy-focused audits for the nine referenced entities and calculated the maturity metric scores.


Final Reports for 44 of the 48 high-risk audits that were scheduled to be completed by the end of the 4-Year Audit Lifecycle have been delivered. The Final Reports for the last 4 are being reviewed and will be approved and delivered by August 5th.

The Privacy focused Audits for the nine (9) referenced entities have been completed and the maturity metric scores issued. The Audit Reports for these Privacy focused audits will be issued by August 15, 2022.

California State Auditor's Assessment of Status: Partially Implemented

CDT has not increased its capacity to perform timely compliance audits and, per its response, it will not finalize the maturity metric scores until August 2022.


The California Department of Technology (CDT) is on track to complete 48 of the 52 scheduled high-risk audits for FY 2021-22 by the end of June 2022. CDT is exploring capacity options within the administration for the next fiscal year to support advisory and compliance enforcement measures of high-risk entities.

The entities referenced are high-risk entities which did not have privacy controls audited after additional privacy controls were added into our audit framework. The nine (9) referenced entities are currently engaged in focused audits to have their privacy controls evaluated and maturity scores updated by June 2022.

California State Auditor's Assessment of Status: Pending

Per CDT's response, it will not implement this recommendation until June 2022.


Agency responses received are posted verbatim.