California State Auditor

Gaps in Oversight Contribute to Weaknesses in the State's Information Security
High Risk Update—Information Security

Report Number: 2018-611

Appendix

Scope and Methodology

State law authorizes the State Auditor to establish a program to audit and issue reports with recommendations to improve any state agency or statewide issue that the State Auditor identifies as being at high risk for the potential of waste, fraud, abuse, and mismanagement or that has major challenges associated with its economy, efficiency, or effectiveness. In January 2018, we issued our latest assessment of high‑risk issues that the State and selected agencies face. Because we continue to include information security as a high-risk issue for the State, we performed this audit of nonreporting entities' information security practices. The table below lists the objectives we developed and the methods we used to address them.


AUDIT OBJECTIVES AND METHODS

1. Audit objective: Review and evaluate the laws, rules, and regulations significant to the audit objectives.
   Method: Reviewed relevant laws, regulations, and other background materials.

2. Audit objective: Conduct a survey of state entities that may not be under the authority of the technology department.
   Method:
   • Used the roster of state agencies, departments, boards, constitutional offices, and other entities maintained by the Secretary of State's Office to develop a list of 233 potential survey recipients.
   • Removed various entities from our list, including those that were clearly under the authority of the Governor and entities that had responded to our previous information security survey for reporting entities.
   • Surveyed the remaining entities to determine whether they are subject to the technology department's authority, and relied upon their responses for categorizing them as either reporting or nonreporting entities.
   • Using these categorizations, summarized the information security practices of the nonreporting entities we surveyed.

3. Audit objective: For surveyed state entities asserting they are under the authority of the technology department, verify they submitted an information security self-assessment to the technology department.
   Method: Obtained documentation from the technology department and verified that each entity submitted the required information.

4. Audit objective: For a selection of state entities that indicated that they are not subject to the authority of the technology department, do the following:
   a. Review information security standards adopted by nonreporting entities and determine if they are comparable to the standards adopted by the technology department.
   b. Review nonreporting entities' assessments and determine whether the scope of work performed covers the entirety of their selected standards.
   Method:
   • Selected 10 nonreporting entities based on various factors from their survey responses, such as the standards they specified, whether they had an independent security assessment, and the time since their most recent assessment, among others.
   • Interviewed staff at each of the selected entities to gain an understanding of its information security practices.
   • Reviewed the information security standards of the selected nonreporting entities and compared their control areas to those found within SAM 5300. We determined that the selected standards were comparable.
   • Obtained and reviewed information security assessments and other documentation from selected entities. Using these documents, we determined whether the information security assessments reviewed each of the key control areas of the nonreporting entities' selected standards. However, we did not determine if nonreporting entities assessed each control within each control area. In addition, we followed up on select high-risk findings identified by the information security assessments to determine whether the nonreporting entity had a process for resolving them.

5. Audit objective: Review and assess any other issues that are significant to the audit.
   Method: Reviewed the State Leadership Accountability Act (accountability act) reports of our selected nonreporting entities to determine whether they identified information security as a concern. The accountability act requires the Department of Finance to identify state entities that must report biennially to the Legislature on the adequacy of their systems of internal control—which may include information security. Entities are allowed to choose the number and types of risks to include in their reports, which must be made public. Only three of the 10 nonreporting entities we reviewed used these reports to communicate information security issues. In addition, because accountability act reports are public documents, entities would only be able to share limited information about their information security issues without compromising their systems. As a result, we determined that accountability act reports were not specifically designed to provide external oversight of a nonreporting entity's information security posture.

Source: Analysis of information and documentation identified under Method.