California Judicial Council lacks sufficient information system controls — audit
SACRAMENTO, Calif. — The California Judicial Council still does not have a strong set of controls over its information systems, despite warnings about security weaknesses from two years ago, according to a new report from the state auditor’s office.
As the policymaking body for the state’s court systems, the Judicial Council is responsible for ensuring access to information between different courts across the state. The new report, released earlier this month, commended the council for its work to reform its procurement systems, but determined that the Judicial Council has “still not resolved prevalent weaknesses in the general controls over its information system,” according to State Auditor Elaine Howle in the report’s introductory letter.
The persistent weaknesses found in the council’s information systems could contribute to potential exploitation of data associated with procurement — including financial data, court case management records and human resources data, the report concluded.
“The two information systems whose general controls we reviewed contain the data that the Judicial Council uses for its day-to-day operations. The weaknesses we identified continue to compromise the security and availability of these information systems,” the report said.
The council did adopt a framework for information system controls after the last audit, but had not fully implemented the controls that were needed to address the remaining weaknesses. The council also did not provide a projected date for full implementation of those controls, according to the report.
Council officials attributed part of the problem to a lack of funding. After the last report, the council requested funding from the state government to address the information system weaknesses, though the funding was not approved. The Judicial Council’s chief administrative officer stated that without additional funding, he could not determine when the Judicial Council will fully implement the controls, the report noted.
The auditors, however, questioned whether or not the Judicial Council could use other available resources to address the information technology issues and raised concerns about ongoing risks. “The Judicial Council’s prolonged implementation of information system controls and the pervasive weaknesses in the existing controls continues to expose the security and availability of its information systems to compromise,” the report said.
The audit concluded that the Judicial Council should develop a corrective action plan by February 2016, and fully implement the neglected framework of information system controls by June 2016. The council should also regularly communicate with, and provide guidance to, the different levels of courts across the state to assist in their efforts to improve information system controls.
The Judicial Council, in comments appended to the audit report, acknowledged the lack of implementation on their information system controls framework — which they adopted in 2014 — and again noted the lack of funding to continue the implementation. The auditor’s office, in a response to those comments, wrote that it was rejecting the notion that the council needed more funding.
“We question the lack of urgency with which the Judicial Council is approaching this problem,” the report said.
StateScoop’s Jake Williams contributed to this report from Washington, D.C.