2021-602 Audit Scope and Objectives
State High Risk - Information Security
The audit by the California State Auditor will provide independently developed and verified information related to the California Department of Technology's (CDT) efforts to improve the information security of the state entities under the Governor's direct authority (reporting entities). It will also evaluate whether state entities that fall outside of the Governor's direct authority (nonreporting entities), such as constitutional offices and those in the judicial branch, have improved their compliance with their selected information security standards.
- Review and evaluate the laws, rules, and regulations significant to the audit objectives.
- Evaluate CDT's oversight of reporting entities' information security, including its progress in establishing an information security baseline status for reporting entities.
- Determine whether reporting entities' compliance with information security standards has improved.
- Evaluate the measures and guidance CDT has developed to address the increased security risk due to the number of state employees who are now teleworking as a result of the COVID-19 pandemic. For a selection of reporting entities, determine the measures taken to address telework risks and whether they comply with CDT's guidance. Finally, determine whether there has been an increase in reported information security incidents during the pandemic.
- Determine if nonreporting entities have improved their compliance with their selected information security standards. Evaluate their efforts to mitigate teleworking risks, and determine whether there has been an increase in information security incidents during the pandemic.
- Review and assess any other issues that are significant to the audit.