Auditor: State IT Oversight Poses Risk

The California State Auditor has a new report addressing the topic of nine “high-risk issues” in state government, and IT oversight is one of them.

“We believe that the State continues to face nine high-risk issues including aging and deteriorating water infrastructure, information technology oversight, access and affordability in higher education, and workforce and succession planning,” says the report from State Auditor Elaine M. Howle.

“Oversight of the State’s Information Technology (IT) and information security continues to challenge the State with 26 medium and high criticality IT projects under development and persistent deficiencies in information system controls,” says the report, issued Thursday. “Given that the State has experienced considerable challenges in successfully implementing IT projects, we will continue to monitor the Technology Department’s oversight of IT projects.”

Questions about California state government’s IT oversight have been raised in previous auditor reports:

“In our September 2013 report, we determined that the State’s oversight of IT projects was a high‑risk issue because of the high costs of certain projects and the failure of others. Additionally, in our March 2015 update report ... we highlighted challenges resulting from the inability of the Technology Department to effectively provide IT project oversight.”

Since that 2015 report, in an effort to bolster project planning and reduce the likelihood of project challenges and failures, the CDT in 2016 adopted the Project Approval Lifecycle (PAL) process. The report cautions that PAL — “still in its infancy” — must be given time to work.

“Although PAL may improve IT project implementation, the State may not realize the benefits of the new approval process for several years,” the report says. “Moreover, the Legislative Analyst identified some trade‑offs with PAL. For example, because PAL requires more robust planning and detailed analysis upfront, the process will likely take longer for agencies to complete and will require more resources. The Legislative Analyst also cautioned that because PAL is relatively new, the length of the process is uncertain.”

Additional oversight challenges are due to some state departments’ use of outdated, patched-together “legacy” systems; the auditor’s report cites the Secretary of State’s Office and the State Controller’s Office as among these. Both offices have begun planning or working on consolidated, updated systems.

In the area of information security, the audit report points out that the CDT can’t fix the problems alone.

The department “only has oversight authority for information security over state entities that report directly to the Governor, and many other state entities are not subject to its security standards or oversight. The information security practices of state entities outside the purview of the Technology Department may warrant further investigation in the future.”

The auditor’s report also notes that “more than 90 percent of the participants in our information security survey reported that they have yet to achieve full compliance with state information security standards.”

The auditor’s report notes the CDT’s response to the overall report:

“The Technology Department highlighted in its response the significant improvement that PAL represents and stated that it is committed to improving upon this process and partnering with state agencies to promote success in the delivery of their IT projects. The Technology Department added that it is committed to ensuring the confidentiality, integrity, and availability of state data by continuing to improve its oversight program, and listed a number of actions it is taking to do so.”

CDT spokesman Bryce Brown told Techwire today that the agency has no comment other than the responses it submitted to the auditor.


Dennis Noone is Executive Editor of Industry Insider. He is a career journalist, having worked at small-town newspapers and major metropolitan dailies including USA Today in Washington, D.C.