Report 2015-611 Recommendation 3 Responses

Report 2015-611: High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption (Release Date: August 2015)

Recommendation #3 To: Technology, California Department of

To assist reporting entities in reaching full compliance with the security standards, the technology department should ensure the consistency and accuracy of its self certification process by developing a self assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards. The technology department should require reporting entities to submit completed self assessments along with their self certifications.

Annual Follow-Up Agency Response From October 2018

CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards. This system is now fully operational and available to all state entities. A statewide notification was sent January 2018 to all entities requiring them to conduct an information system self-assessment of their mission-critical and state-critical applications utilizing this new self-assessment system.

Agencies are using this system operationally, and training for this system is on-going and continually available for new and existing state entity security personnel.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


Annual Follow-Up Agency Response From November 2017

CDT has developed a three-year audit and assessment cycle. Part of this cycle is a pre-audit education function that is part of the Office of Information Security. CDT has developed and implemented a comprehensive automated statewide self-assessment tool having all necessary information and reporting ability for entities to determine their compliance with security standards.

Currently there are five (5) pilot agencies using this system, and training for this system is on-going.

Expected full use of this new system by all state agencies is May 2018.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

CDT successfully launched the tool to automate incident reporting, and released Technology Letter 16-05 announcing the new reporting process. CDT has initiated the project to design and configure the Risk Management module by December 31, 2016, and will issue updated instructions via a Technology Letter in December 2016.

This module will integrate self-assessment, compliance reporting, and remediation plans, thereby ensuring the consistency and accuracy of the self-certification process.

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

California Department of Technology (CDT) successfully launched the tool to automate incident reporting, and released Technology Letter 16-05 announcing the new reporting process. CDT has initiated the project to design and configure the Risk Management module by December 31, 2016 and will issue updated instructions via a Technology Letter in December 2016.

This module will integrate self-assessment, compliance reporting, and remediation plans, thereby ensuring the consistency and accuracy of the self-certification process.

California State Auditor's Assessment of 1-Year Status: Partially Implemented


6-Month Agency Response

For the January 31, 2016 reporting period departments were directed to complete the recently improved Nationwide Cyber Security Review self-assessment. This self-assessment tool assesses a department's level of security program maturity including their policies, procedures, and technical controls. This online assessment tool has been used by state agencies in the past on a voluntary basis, and was recently enhanced to align with and provide measurement against the National Institute of Standards and Technology (NIST) Cyber Security Framework. Additionally, the Department has acquired a separate tool to automate incident reporting. This tool has optional modules that can be configured to include any state specific standards, and be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. By December 2016 the self-assessment, compliance reporting and remediation plan features of the newly acquired tool will be enabled to fully automate the reporting and tracking of risk and security compliance for subsequent reporting years.

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

The Department of Technology has directed state entities to use the new self-assessment tool, and is now requiring state entities to submit the results of their self-assessment along with their annual self-certification submissions due January 31st of each year. For the January 31, 2016 reporting period departments have been directed to complete the recently improved Nationwide Cyber Security Review self-assessment. This self-assessment tool assesses a department's level of security program maturity including their policies, procedures, and technical controls. This online assessment tool has been used by state agencies in the past on a voluntary basis, and was recently enhanced to align with and provide measurement against the National Institute of Standards and Technology (NIST) Cyber Security Framework. Additionally, the Department has acquired a separate tool to automate incident reporting. This tool has optional modules that can be enabled to fully automate and integrate self-assessment, compliance reporting, incident reporting, remediation plans, and audit data. The longer-term plan is to enable the compliance reporting and self-assessment features of the newly acquired tool to fully automate the reporting and tracking of security compliance for subsequent reporting years. Corresponding training and the CISO's review of self-certifications is addressed in recommendations #4 and #5 respectively.

California State Auditor's Assessment of 60-Day Status: Partially Implemented

The new self-assessment tool is not based on the State's security standards. Therefore, reporting entities may not understand the entire scope of the security standards to which they are certifying.



Agency responses received are posted verbatim.