• State Auditor Report Blasts State of California CyberSecurity Performance

    August 25th, 2015 by admin Categories: Blogs

    State of California data and other information assets are potentially vulnerable to attack or disruption according to a new State Auditor report released today. Almost 95% of departments which underwent the Auditor’s scrutiny were not in full compliance with State’s information security standards, and dozens would not be until 2018 or even 2020.

    The State Auditor’s cover letter to the Governor and leaders of the state legislature read in part:

    If unauthorized parties were to gain access to the State’s information systems, the costs both to the State and to the individuals involved could be enormous [Bold italics: TLTV].

    When we performed compliance reviews at five reporting entities, we found deficiencies at each. Further, 73 of 77 reporting entities responding to our survey indicated that they had not achieved full compliance with information security standards. In fact, 22 respondents stated that they did not expect to reach full compliance with the information security standards until 2018 or later, with 13 indicating that they would be out of compliance until at least 2020.

    Ouch…

    HIGHLIGHTS

    Our audit of the California Department of Technology’s (technology department) oversight of the State’s information security highlighted the following:

    • The technology department has not ensured that reporting entities comply with the State’s information security standards.
      • Many reporting entities do not have sufficient information security controls—we found deficiencies at each of the five reporting entities we reviewed, and most reporting entities that responded to our survey indicated that they had yet to achieve full compliance with the security standards.
      • It was unaware that many reporting entities had not complied with these standards—37 of the 41 reporting entities that self-certified to the technology department that they were in compliance with the security standards in 2014, indicated in our survey that they had not actually achieved full compliance in 2014.
    • Although it recently developed a pilot information security compliance audit program, at its current pace it would take the technology department roughly 20 years to audit all reporting entities.
    • Even when it knew that entities were not compliant with security standards, the technology department’s oversight of their information security and privacy controls was ineffective.
      • Forty percent of the reporting entities certified in 2014 that they were not fully compliant, yet the technology department had not established a process to perform follow-up activities with these entities.
      • More than half of the entities that responded to our survey indicated that the technology department’s guidance for complying with security standards was insufficient.

    Full 75-page report here. A must read for every state CIO/CISO.

    Plus this from TLTV, June 17, 2015: quod erat demonstrandum.

    Fed’s Digital Pearl Harbor Demands Appropriate State of California Action
