Report 2015-611 Summary - August 2015
High Risk Update—Information Security:
Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption
Our audit of the California Department of Technology's (technology department) oversight of the State's information security highlighted the following:
- The technology department has not ensured that reporting entities comply with the State's information security standards.
- Many reporting entities do not have sufficient information security controls—we found deficiencies at each of the five reporting entities we reviewed, and most reporting entities that responded to our survey indicated that they had yet to achieve full compliance with the security standards.
- The technology department was unaware that many reporting entities had not complied with these standards—37 of the 41 reporting entities that self-certified to the technology department that they were in compliance with the security standards in 2014 indicated in our survey that they had not actually achieved full compliance in 2014.
- Although the technology department recently developed a pilot information security compliance audit program, at its current pace it would take roughly 20 years to audit all reporting entities.
- Even when it knew that entities were not compliant with security standards, the technology department's oversight of their information security and privacy controls was ineffective.
- Forty percent of the reporting entities certified in 2014 that they were not fully compliant, yet the technology department had not established a process to perform follow-up activities with these entities.
- More than half of the entities that responded to our survey indicated that the technology department's guidance for complying with security standards was insufficient.
Results in Brief
In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had potentially exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California's economy and the value of its information, the State presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the State and to the individuals involved could be enormous. However, despite the need to safeguard the State's information systems, our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the State's sensitive data vulnerable to unauthorized use, disclosure, or disruption.
The California Department of Technology (technology department) is responsible for ensuring that state entities that are under the direct authority of the governor (reporting entities) maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the State's information. As part of its efforts to protect the State's information assets, the technology department requires reporting entities to comply with the information security and privacy policies, standards, and procedures it prescribes in Chapter 5300 of the State Administrative Manual (security standards). However, when we performed reviews at five reporting entities to determine their compliance with the security standards, we found deficiencies at each. Further, 73 of the 77 reporting entities that fully responded to our survey indicated that they had yet to achieve full compliance with the security standards. These reporting entities noted deficiencies in their controls over information asset and risk management, information security program management, information security incident management, and technology recovery. These weaknesses could compromise the information systems the reporting entities use to perform their day-to-day operations.
Despite the pervasiveness and seriousness of the issues we identified, the technology department has failed to take sufficient action to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, we received complete survey responses from 41 reporting entities that self-certified to the technology department that they were in compliance with all of the security standards in 2014. However, when these 41 reporting entities responded to our detailed survey questions related to specific security standards, 37 indicated that they had not achieved full compliance in 2014. In fact, eight reporting entities indicated that they would not achieve full compliance until at least 2020. Because of the nature of its self-certification process, the technology department was unaware of vulnerabilities in these reporting entities' information security controls; thus, it did nothing to help remediate those deficiencies. Although the technology department recently developed a pilot information security compliance audit program to validate the implementation of security controls, at its current rate of four auditors completing eight audits every year and a half, it would take the technology department roughly 20 years to audit all reporting entities. 
By implementing more frequent, targeted information security assessments in addition to periodic comprehensive audits, the technology department could acquire a more timely understanding of the level of security that reporting entities have established for their high-risk areas.
Further, even when the technology department has known that reporting entities were not compliant with security standards, it failed to provide effective oversight of their information security and privacy controls. Although more than 40 percent of reporting entities certified in 2014 that they had yet to comply with all of the security standards, the technology department had not established a process for performing follow-up activities with these reporting entities, even if the entities had certified their noncompliance for a number of consecutive years. In addition, more than half of the reporting entities that responded to our survey indicated that the technology department had not provided sufficient guidance to assist them in complying with all of the security standards. For example, more than one-third of survey respondents indicated that they did not understand all of the requirements in the security standards, which may impede their ability to comply. Respondents explained that the security standards can be difficult to understand, in part because the requirements are unclear or reference a number of other documents. These survey responses suggest that the technology department needs to provide additional outreach and guidance to ensure that reporting entities understand the State's security standards.
Finally, a significant number of entities—such as constitutional offices and those in the judicial branch—are not currently subject to the technology department's security standards or oversight. The original high-risk issue that prompted this audit was the technology department's oversight of the information security controls that reporting entities had implemented over their information systems. However, given the significant findings that we explain in this report and the pervasiveness of the information security issues that we identified in previous reports, we intend to assess the information security risks associated with nonreporting entities and, depending on the results, consider broadening our high-risk issue in the future to include information security controls for all state entities, including those that do not report to the technology department.
As a result of the outstanding weaknesses in reporting entities' information system controls and the technology department's failure to provide effective oversight and assist noncompliant entities in meeting the security standards, we determined that some of the State's information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the State.
To improve reporting entities' level of compliance with the State's security standards, the Legislature should consider enacting the following statutory changes:
- Mandate that the technology department conduct, or require to be conducted, an independent security assessment of each reporting entity at least every two years. This assessment should include specific recommendations, priorities, and time frames within which the reporting entity must address any deficiencies. If a third-party vendor conducts the independent security assessment, it should provide the results to the technology department and the reporting entity.
- Authorize the technology department to require the redirection of a reporting entity's legally available funds, subject to the California Department of Finance's approval, for the remediation of information security weaknesses.
To assist reporting entities in reaching full compliance with the security standards, the technology department should take the following actions:
- Ensure the consistency and accuracy of its self-certification process by developing a self-assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards. The technology department should require reporting entities to submit completed self-assessments along with their self-certifications.
- Provide more extensive guidance and training to reporting entities regarding the self-certification process, including training on how they should use the new self-assessment tool.
- Develop internal policies and procedures to ensure that it reviews all reporting entities' self-assessments and self-certifications, including requiring supporting evidence of compliance when feasible.
- Annually follow up on the remediation plans that reporting entities submit.
To provide effective oversight of reporting entities' information security, the technology department should expand on its pilot audit program by developing an ongoing risk-based audit program. If the technology department requests additional resources, it should fully support its request.
To improve the clarity of the security standards, the technology department should take the following actions:
- Perform regular outreach to all reporting entities to gain their perspectives, identify any unclear or inconsistent security standards, and revise them as appropriate.
- Develop and regularly provide detailed training on the requirements of the security standards and on best practices for achieving compliance. It should provide these trainings in a variety of locations and formats, including webinars.
The five reporting entities that we reviewed should promptly identify all areas in which they are noncompliant with the security standards and develop a detailed remediation plan that includes time frames and milestones to reach full compliance.
The technology department and reporting entities generally agreed with our conclusions and recommendations.