Budget Issue: Pilot to determine value of stronger auditing effort by OIS to validate IT security compliance.
Program: Department of Technology
Finding or Recommendation: We recommend approval with modifications of the Governor’s proposal for $684,000 to fund five limited-term positions for a two-year pilot project within OIS to audit state departments’ compliance with state and federal IT security policies.
Department of Technology (CalTech). CalTech, previously the California Technology Agency, is the state’s central information technology (IT) organization. It has lead responsibility for approving and overseeing state IT projects, providing data center and telecommunications services, managing IT procurement, and establishing and enforcing IT plans and policies, including information security policy.
Office of Information Security (OIS). The OIS, an office within CalTech, is statutorily responsible for (1) developing and maintaining state information security policies and standards and (2) providing technology direction to agencies and departments to ensure the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information. The technology security standards that OIS establishes, and whose compliance it monitors, are largely consolidated within Chapter 5300 of the State Administrative Manual (SAM), which contains statewide policy on various issues, including IT. Chapter 5300 of SAM sets standards for a variety of IT security issues, including risk management, recovery planning, telecommunications, privacy, encryption, data retention, and remote access. (In addition to ensuring their compliance with information security policies and standards issued by OIS, state entities are also required to ensure compliance with all state laws and regulations concerning information security and privacy that apply to their programs. Some of these laws are overarching and apply to most state entities, while others are more program-specific.)
Although SAM is a principal tool used by the state to consolidate state IT security standards, some departments must also comply with specific federal privacy and security standards. For example, the federal Health Insurance Portability and Accountability Act establishes standards to protect the privacy of protected health information and impacts many departments including the Department of Health Care Services, while the Internal Revenue Service sets its own security guidelines for tax information that impacts the Board of Equalization and the Franchise Tax Board.
State and federal IT policies are in place to protect the state’s critical IT infrastructure and information assets from loss, theft, and misuse. To ensure compliance with information security policies and standards, OIS is authorized to conduct independent compliance audits of agencies and departments. The cost of these audits is borne by the agency or department being audited.
A recent analysis by the State Auditor found that OIS performs limited reviews of compliance with IT security standards. The Auditor notes that, instead of auditing compliance, OIS reviews self-certification documents from agencies and departments to ensure that they are filled out completely and may follow up with agencies or departments that have not submitted the required documentation. Although OIS acknowledges its authority to independently verify compliance (audit) or to require agencies and departments to contract for audits, the office indicates it does not have sufficient resources to conduct or monitor IT security compliance audits.
In light of the Auditor’s findings, the Governor’s budget proposes a pilot project that would allow OIS to determine the value of a stronger security oversight (audit) effort to validate compliance. The Governor’s budget proposes $684,000 to fund five limited-term positions for a two-year pilot project within OIS. The pilot project would audit state departments’ compliance with mandated state and federal IT security policies. The audits would assess the IT security compliance of eight departments that range in size. The pilot selection criteria would include, but may not be limited to, the following.
It is expected that the first six months of the pilot would be spent hiring and preparing for the audits—selecting participating departments and developing audit methodology—and the remaining one and one-half years will be spent auditing and analyzing the results. The OIS will partner with the Office of Audits and Evaluation—an office of the Department of Finance—to leverage their expertise in establishing the audit protocols and methodology.
The audits would be paid for through a cost-recovery model, where audited agencies and departments would be responsible for the cost of being audited. The proposal includes associated trailer bill language intended to clarify CalTech’s ability to recover audit costs. Specifically, budget trailer bill language would authorize CalTech to collect payments from agencies and departments for services provided. In contrast, current law authorizes CalTech to recover costs only for requested services, which would appear to restrict CalTech’s ability to recover costs when it required the audit.
Self-Certification Without Independent Verification Is a Risky Approach. Although OIS is responsible for ensuring IT security compliance, it has not proactively ensured compliance through the use of its auditing authority. Its reliance on self-certification is risky because departments may knowingly or unknowingly fail to comply with IT security standards. We note that the State Auditor, in its review of two departments, found significant IT security deficiencies in areas the departments had self-certified as fully complying with IT security policies and standards. Given OIS’s lack of independent verification, it is reasonable to suspect that other self-certifying agencies and departments also exhibit deficiencies in IT security compliance.
Failure to comply with state and federal IT security standards increases the risk of IT incidents. The cost associated with IT security incidents can be significant. The cost includes not only the direct cost of correcting an incident (investigation, mitigation, notification of affected parties, and repair of the system) but also intangible costs. State security incidents can erode the public’s trust and jeopardize the state’s ability to carry out critical functions. For example, food assistance benefits may be issued incorrectly or delayed, doctors may lose access to patient records, California Highway Patrol officers may not have information on the individual driving a car they have pulled over, and unemployment benefits may be issued incorrectly or delayed. Self-certification does not ensure compliance; rather, it potentially compromises the state’s ability to protect vital information and provide continuity of state services.
Audit Methodology Undeveloped. The Governor’s proposal does not specify which security standards will be audited. Given the breadth of Chapter 5300 and the complexity created by the existence of other state and federal standards, it appears unlikely that OIS audits will assess compliance with all relevant state and federal IT security standards. It appears more likely that OIS will audit a subset of priority standards. Yet the Governor’s proposal does not indicate which subset of standards would be audited. If audited issues are to be prioritized, the proposal also fails to indicate how standards will be prioritized in the pilot. The proposal is also silent on how the administration will respond to noncompliance by audited departments. Depending on the volume and complexity of noncompliance, achieving compliance can be time-intensive and costly.
Pilot Lacks Evaluation Criteria. The Governor’s pilot proposal, as submitted to the Legislature, lacks an evaluation component. Evaluating the effectiveness of the pilot is a critical precursor to implementing a statewide approach for ensuring IT security compliance. The pilot would only assess compliance of a limited number of departments on a one-time basis. In order to fully protect the state’s vital information assets, auditing must be done systematically and on an ongoing basis. Evaluating the pilot would help inform how to scale up the state’s auditing capacity so that OIS fulfills its statutory responsibility to ensure IT security compliance.
We recommend approval with modifications of the Governor’s proposal for $684,000 to fund five limited-term positions for a two-year pilot project within OIS to audit state departments’ compliance with state and federal IT security policies. The pilot will help the state more accurately assess the extent of noncompliance, thereby informing the state’s decision making regarding an effective enforcement approach to reduce its IT security risk. Given the limited resources budgeted for the pilot, it is appropriate that resources are prioritized as proposed, through the audit selection criteria, toward agencies and departments with the most critical information assets. However, to fully realize the benefits of the pilot, we recommend the Legislature direct CalTech during budget hearings to address the following issues and make associated modifications to the pilot.
The Legislature should also direct CalTech to submit a report to the Legislature after the pilot concludes that highlights the compliance challenges faced by the audited departments and includes recommendations as to how agencies and departments could more effectively be brought into compliance. We also recommend the Legislature approve the proposed trailer bill language, as it will facilitate OIS’s ability to recover costs associated with the audits, given that audits are currently not usually requested by departments.