California’s state auditor on Tuesday published a report showing that the California Department of Technology has been “slow to assess” the information security practices throughout the state, but top cybersecurity officials said the investigation’s limited scope didn’t account for many relevant factors.
Acting State Auditor Michael Tilden wrote that although many state agencies report the status of their information security practices, the technology division doesn’t use much of that information, “which it could use to help inform the overall status of the State’s information security and to identify common areas that require improvement across the State.”
More than 100 agencies and divisions report to the enterprise technology division, but it has yet to “fully assess” the state’s overall security posture, despite having created an “oversight lifecycle” in 2018 that former state Chief Information Security Officer Peter Liebert dubbed “California Cybersecurity Maturity Metrics.”
That initiative proposed using audits and technical assessments to boil each reporting agency’s cybersecurity into a single numerical score, indicating to officials which agencies presented the greatest risks to the state. But “CDT has been slow,” the auditor wrote, only completing 18 of 39 maturity metric scores by last June, three years into the program.
“Despite being aware of shortcomings with its approach, CDT has failed to take proactive steps to expand its capacity to perform the compliance audits, such as hiring more auditors or repurposing existing staff,” the audit read. “[W]hen we evaluated reporting entities’ maturity metrics and self‑reported information, we found that many entities’ information security is below standards. We also found little to suggest improvement over the last several years.”
In his response to the audit, state Chief Information Security Officer Vitaliy Panych disagreed with many of the audit’s findings and pointed out that the ongoing health crisis “quadrupled” the threat landscape. He also said the maturity metrics program, which runs on a four-year cycle, is intended only to assess high-risk entities and that he expects to complete 48 of 52 audits on deadline.
The auditor also found CDT has failed to complete “timely updates” that would ensure its policies align with federal standards on information security and that its security guidance on personal devices used for remote work is “not entirely clear.”
Tilden called for the state legislature to require the state technology division to annually submit a confidential statewide cybersecurity report and to impose stronger reporting requirements on all agencies across the state. He also pushed for CDT to increase its assessment capacity to accelerate the metrics program and to use self-reported data to spot areas needing improvement.
But Panych said the auditor failed to recognize many of his department’s efforts related to monitoring and improving the cybersecurity postures of state agencies, including holding cybersecurity workshops, conducting routine comprehensive reviews, generally adopting cybersecurity standards that are considered best practices, including those from the National Institute of Standards and Technology, and deploying new policies to manage threats.
“The pandemic response efforts shifted everyone’s focus, to ensure government operations is conducted in a secure and privacy enabled manner,” Panych wrote. “During the pandemic CDT incorporated Statewide Information Management Manual (SIMM) updates to provide focused guidance to combat immediate threats. CDT has released a number of SIMMs within 3-year audit cycle that are pertinent and up-to-date e.g. cloud security standard (SIMM 5315-B), end point protection standard (SIMM 5355-A), vulnerability management standard (SIMM 5345-A), phishing exercise standard (SIMM 5325-A). In addition, CDT has posted updated maturity metrics (SIMM 5300-C).”