Sensitive data of California residents including, social security numbers, health records, and income tax information is at risk of unauthorized use, disclosure, or disruption, an audit by the California State Auditor's Office found.
Based on surveys from 77 of the 101 agencies monitored under the California Department of Technology, the agency responsible for monitoring state agencies to ensure they meet security requirements, the auditor's office found that 73 agencies were not in compliance and 35 of those didn't expect to be in full compliance until at least 2018.
The High Risk Update— Information Security report released Wednesday revealed that 41 of the responding agencies had previously reported to the Department of Technology that they were in full compliance while the remaining 36 had said they were not.
“A big concern of mine was that many of these agencies had been reporting that they were in compliance for years” through self-reporting but might not have been, California State Auditor Elaine Howle told SCMagazine.com.
Howle said that the survey from her office queried agencies as to whether they met the state guidelines set for agency tech departments. And, the auditor's survey posed more detailed questions and included a notice that Howle's office might follow up.
The auditor expressed dismay that the tech department hadn't followed up with the 36 respondents who had previously reported that they weren't in compliance.
Howle said that while she feels it is a shared responsibility between the reporting agencies and the Department of Technology to ensure the security of information, it is primarily the tech department's responsibility to ensure the agencies are in compliance with state standards.
“They‘re the agency that is responsible for providing guidance for the IT professionals that work in state departments,” Howle said.
The report stated the technology department had been unaware of many of vulnerabilities in entities due to self-certification forms that agencies are issued by the department to evaluate their own security. The forms were criticized as being difficult to interpret which enabled several agencies to report they were in full compliance when they actually weren't. The report also criticized the tech department for not taking better measures to ensure the accuracy of these reports.
Several agencies lacked controls over information asset and risk management, information security program management, information security incident management, and technology recovery, according to the Auditor's report. Agencies that responded to the auditor's survey cited a lack of resources and competing priorities as challenges to achieving compliance. Other challenges cited were staff shortages, inadequate budgets, and a lack of technical expertise.
The auditor's office proposed several recommendations to bring the agencies into compliance. One proposed legislation to require the tech department or a third party to perform security assessments that include details on any deficiencies that reporting entity must address. Another recommendation proposed legislation to authorize funds for the remediation of existing vulnerabilities.
Carlos Ramos, director of the Department of Technology, in a response sent to Howle's office wrote that his department agreed with all of the auditor's recommendations and pledged to shore up oversight.
“The Department has a strong commitment to improving its existing oversight activities and to improving the state's overall information security posture,” the tech department's response said. “The Department will continue to work with reporting entities to achieve full compliance with all security standards.”