The California Department of Technology (CDT) is pushing back strongly against a new report from the California State Auditor (CSA) that finds the California CIO’s office has provided inadequate oversight of the state’s information security status.
While the CSA cited several other areas of concern in a report issued last week, the statement charging the CDT with inadequate oversight is the most critical portion of the report as it signifies that CDT is falling down on the job.
The CDT is fully and formally rejecting that claim.
While the state auditor has long been one of the most respected government entities in California – and also a frequent critic of the state’s IT management – perhaps in this case the CDT may have a point.
The auditor’s report finds that the CDT had yet to establish an overall statewide information security status for the state’s 108 departments under the jurisdiction of the governor’s executive branch.
The auditor claimed that CDT was slow to complete compliance audits, in fact completing only half of the department evaluations it should have completed in fiscal years 2020-2021. However, those planned 39 audits were scheduled two years ago as part of a three-year plan to assess all 109 departments – and before serious consideration was given to the level of risk those 39 departments represented.
CSA estimated that it would take CDT 12 years to audit 108 entities at its current pace.
However, state Chief Information Security Officer (CISO) Vitaliy Panych, in his formal response included at the end of the audit report, strongly disagreed. He wrote that the estimate of such a long period is wholly “inaccurate and irrelevant… The intent was never to audit all 108 entities. CDT has always focused on high-risk entities rather than a specific number of entities.”
It seems to me perhaps that the state auditor has placed too much emphasis on the number of security compliance audits performed, and in the process has disregarded the state’s legitimate strategy to prioritize auditing departments based upon risk involved. Departments with little or no confidential information should not be afforded the same level of assessment as a department loaded with private, personal data. In other words, the state’s departments of health or revenue deserve far more scrutiny than, say, the state yachting commission.
As Panych explained, “The four-year cycle is specifically intended and designed to assess high-risk departments running the most critical and impactful services. Low-risk entities are excluded from the four-year compliance audit cycle.” In fact, CDT does monitor low-risk entities through other mechanisms, including periodic independent security assessments, and tracking and remediation through its plan of action and milestones (POAM) process.
The CDT process is spelled out in its CalSecure policy roadmap and is followed to determine the list of high-risk entities to be audited. “It is based on an algorithm to determine entity impact to the citizens of the state and other factors,” according to Panych.
It is important to note that the plan for 52 audits over a four-year cycle was a self-imposed target based on factors considered four years ago. “We are currently on target to complete 48 audits even under the circumstances of the pandemic and reprioritization of compliance audits. This is a 92% success rate,” Panych wrote.
What’s more, the four entities not audited have specifically claimed to be exempt from CDT’s information security oversight authority for this cycle.
Panych acknowledges that the state must further invest in additional measures to be resilient against threats going forward. “The pandemic has upended the conventional standards for evaluating cybersecurity metrics. The threat landscape has evolved from the traditional cybersecurity breaches such as DDOS attacks to sophisticated ransomware attacks and identity theft. CDT is in the process of re-evaluating the metrics in the context of the cybersecurity ecosystem as it exists today,” he said.
Finally, newspapers around the country have been full of stories about the data breaches, ransom incidents and similar security incidents involving many states and hundreds of local government entities over the last few years. However, the state of California – so frequently the target of criticism for poor IT management – has not been identified in these stories.
That’s not to say such incidents have not occurred. As the saying goes, “There are two kinds of organizations. Those that have been hacked and know it. And those that have been hacked and don’t know it.”
Regardless, when it comes to IT in California state government, very little remains under the radar for long. Perhaps they are doing something right these days, at least when it comes to security.