The California Department of Technology said Tuesday it has updated management guidelines to comply with legislation that Gov. Jerry Brown signed in 2016 requiring all state entities to report their annual costs for information security.
State agencies and departments must now report information security costs by Feb. 1 of each year, in addition to previously required data such as IT and telecommunications spending.
The information security cost reporting must include "expenditure of federal grant funds for information security purposes, including, but not limited to, personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year," an update to the State Administrative Manual (SAM) says.
The passage of AB 2623, which mandates the new spending data, came as the California Department and several other departments requested more funding for cybersecurity activities.
"Lack of oversight makes it challenging to address vulnerabilities, and it makes it difficult to identify where departments might be overspending or where additional resources might be needed and how our investment as a state compares to other large companies or other states,” the bill's co-author, former Assemblyman Rich Gordon, D-Menlo Park, told a legislative panel in May 2016.
Co-author Jacqui Irwin, D-Thousand Oaks, said the requests for increased funding and staff show the need for standardized budget reporting.
“Without knowing how much we are currently spending, there is no way for the Legislature to consider how effective the new spending is and how the security needs of one state department compare to another,” Irwin told the panel last year.
The new reporting guidance is outlined in the Statewide Information Management Manual (SIMM) and the State Administrative Manual.
With reporting from Techwire's Samantha Young.
