California Prepares to Streamline Cybersecurity Objectives

California's information security office is developing a streamlined list of security objectives for state agencies and departments that's intended to address high-risk issues. State officials believe the approximately 30 objectives will help put the state's computer systems onto a common baseline and standardize the controls.

Scott MacDonald, the state's acting chief information security officer, said the policy "simplification" is one of the security office's priorities.

"I think one of the most challenging things we had to deal with was really trying to conform to the policy," MacDonald said during an Oct. 17 vendor forum in Rancho Cordova. In the past there has been a focus on the National Institute of Standards and Technology (NIST) cybersecurity framework, he said. "The requirement really was to evaluate your systems based upon NIST — all your mission-critical systems and your risk management program. And I think as many of us know, there are several hundred controls within the NIST framework."

MacDonald acknowledged that he experienced how challenging it was to conform to those controls during the past six years, when he was an Agency Information Security Officer for the California Department of Corrections and Rehabilitation. Some of the NIST controls are confusing and others are subject to interpretation, he said.

"So what we've done is step back a little bit and [ask] how do we make that more achievable and measurable," MacDonald said.

The proposed 30 objectives are divided into five categories: identify, protect, detect, respond and recover. MacDonald said the objectives will soon be vetted and finalized, and there's nothing preventing more from being added later.

The readiness and resiliency of California's computer systems have been in the spotlight over the past 12 months. The Legislature passed a raft of new bills on cybersecurity this year, and the state has launched a cybersecurity integration center alongside California's primary fusion center.