California State Auditor Report Reveals Weaknesses In Golden State’s Information Systems

King & Spalding

Elaine M. Howle, the California State Auditor (“CSA”), released a report on August 25, 2015 on the results of her office’s audit of controls in the state’s information systems.  The results of the audit generally were grim, with the CSA stating that “despite the need to safeguard the state’s information systems, our review found that many state entities have weaknesses in their controls over information security.  According to the report, these weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.”  The report points out that California’s government agencies store various types of sensitive and confidential information, including Social Security numbers and health records. 

The audit states that the California Department of Technology (“CDT”) must ensure that government entities protect the integrity of their information systems and maintain the privacy of state information. Pursuant to this mandate, the CDT requires state entities under the direct authority of the governor (“reporting entities”) to adhere to the information security standards and procedures outlined in Chapter 5300 of the State Administrative Manual (“security standards”). When the CSA reviewed five reporting entities for compliance with these standards, however, it found “deficiencies at each” and, furthermore, that “73 of 77 reporting entities fully responding to [the CSA’s] survey indicated that they had yet to achieve full compliance with the security standards.”

The CSA’s review focused on five data security control areas with which the CDT requires compliance from reporting entities: risk management, information asset management, information security program management, technology recovery, and information security incident management.  The audit found that “for each of the five control areas, at least 49 of the 77 survey respondents stated that they had yet to achieve full compliance with the security standards,” and the CSA concluded that “the weaknesses . . . identified could compromise the confidentiality, integrity, and availability of the information systems these reporting entities currently use to perform their day-to-day operations.” 

By way of example, with respect to information asset management, the audit highlights the importance for reporting entities of identifying and analyzing information assets.  The CSA’s review found that “many reporting entities have not developed comprehensive inventories of their information assets that consistently address each of the elements the security standards require,” and “28 of the 77 survey respondents stated that they had not complied or had only partially complied with the security standards for inventorying information assets.”  The audit points out that proper controls should ensure that entities identify owners of information assets who, in turn, can authorize access to information according to users’ access needs.  However, insufficient controls in this space may create serious data security problems, as “[a]llowing access by too many users defeats the purpose of access controls and can unnecessarily provide opportunities for fraud, sabotage, and inappropriate disclosures, depending on the sensitivity of the resources involved.”

It was not all doom and gloom with respect to the CDT, however; the audit notes that the CDT recently established a pilot audit program focused on information security compliance with the goal of validating “the implementation and operation of minimum baseline security controls articulated in state policy and standards for eight reporting entities.”

The audit also includes a series of recommendations to the state legislature and the CDT related to its findings.  With respect to the legislature, the CSA states that it should consider statutory amendments that “[m]andate that the [CDT] conduct, or require to be conducted, an independent security assessment of each reporting entity at least every two years,” and “[t]his assessment should include specific recommendations, priorities, and time frames within which the reporting entity must address any deficiencies.”  To the CDT, the CSA recommends ensuring “the consistency and accuracy of its self-certification process by developing a self-assessment tool by December 2015 that reporting entities can use to determine their level of compliance with the security standards” and, further, that the CDT “should require reporting entities to submit completed self-assessments along with their self-certifications.”

Reporter, Kyle Sheahen, New York, NY, +1 212 556 2234, ksheahen@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
