Report 2021-602 Recommendation 6 Responses
Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)
Recommendation #6 To: California Department of Technology
To ensure that it understands the statewide security status of reporting entities, CDT should utilize the information from the entities' self-assessments of their systems, as well as from the nationwide review, to annually help identify common areas that require improvement across multiple reporting entities.
CDT utilizes data science and has derived a Bayesian model that uses conditional security factors to formulate a priority risk ranking and cyber resiliency of state entities across California. The priority risk ranking compares state averages that are based on technical security controls that are identified through security assessments and vulnerability scanning of systems. To help limit the weight of outliers and biases, CDT utilizes the Nationwide Cybersecurity Review (NCSR) as a confidence interval in its model, which additionally allows CDT to identify and determine potential common areas of strengths and weaknesses. By enforcing annual review and updates of the NCSR program, it enables CDT to ensure entities are reviewing and gaining a better understanding of their systems and how they can continuously improve their cyber maturity with the assistance of CDT.
- Completion Date: January 2024
California State Auditor's Assessment of Status: Partially Implemented
Although CDT demonstrated that it is utilizing information from the nationwide review to help identify common areas that require improvement across multiple reporting entities, CDT did not provide evidence that it has also used information from reporting entities' self-assessments of their critical IT systems.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
The NCSR reporting information and scoring is now actively reviewed and incorporated into the statewide risk scoring and rankings annually. OIS currently has 119 risk scores for both reporting and non-reporting entities. This year's NCSR survey opens on October 1st and closes on February 28th, 2024. Risk Ratings will be updated with this year's NCSR data as soon as it is available. In addition to working with entities through our Advisory Services efforts, we are working closely with our Critical Services Team and leveraging modernization funds to close gaps and reduce risk across the entities they work with.
- Estimated Completion Date: June 2024
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it does not anticipate fully implementing this recommendation until June 2024.
CDT in the prior response noted the NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities. CDT has provided additional information and supporting documentation that shows the NCSR is being completed and reveals low ratings across all agencies.
- Completion Date: July 2023
California State Auditor's Assessment of Status: Partially Implemented
CDT did not provide evidence that it has used information from reporting entities' self-assessments of their systems to help identify common areas that require improvement across multiple reporting entities.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
The NCSR and additional self-reported activities such as self-assessments have been incorporated into information security program measurement of state entities.
- Completion Date: January 2023
California State Auditor's Assessment of Status: Partially Implemented
Although CDT incorporated information from the nationwide review into its risk analysis process beginning in April 2023, it did not provide evidence that it has used this information to help identify common areas that require improvement across multiple reporting entities.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
CDT has now incorporated prior year NCSR scores into its priority risk ranking and will report entity status to the cybersecurity select committee in its confidential Legislative briefings with the Legislature going forward.
- Estimated Completion Date: March 2023
California State Auditor's Assessment of Status: Partially Implemented
Per CDT's response, it will not fully implement this recommendation until March 2023.
CDT is still on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
CDT is on target to incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
The NCSR reporting information is being reviewed and will be incorporated into statewide risk scoring and ranking calculations annually. Annually the NCSR surveys are submitted by February. CDT will incorporate prior year NCSR scores and report entity status to the cybersecurity select committee by the required due date in December of 2022.
- Estimated Completion Date: December 2022
California State Auditor's Assessment of Status: Pending
Per CDT's response, it will not fully implement this recommendation until December 2022.
Agency responses received are posted verbatim.