
California Moving into Self-Assessments for Information Security

Historically, state agencies and departments have had to report their compliance with California's cybersecurity administrative baseline by hand through a series of paper forms, a process state Chief Information Security Officer Peter Liebert said was "extremely cumbersome."

The state of California is in the process of rolling out a self-assessment tool that agencies and departments can use to analyze their information security program.

During a legislative hearing earlier this month, state Chief Information Security Officer Peter Liebert told lawmakers the creation of the self-assessment tool was one recommendation within a 2015 report from the California State Auditor that examined the state government's cybersecurity readiness.

"The idea is to provide not just a way for us to get self-assessment results back, but also to provide a tool for departments and agencies to keep track of their information security program," Liebert said.

The state wants the self-assessment tool to become a continuous and evolving platform. So far, Liebert said, staff have dedicated hundreds of hours to testing and configuring the self-assessment tool, and they are developing a training curriculum for it.


The revamped tool will be about 300 questions, which revolve around 30 different security controls and objective areas.

The automation of self-assessments could be a practical measure. The state plans to complete 11 audits of high-risk departments during the 2016-17 two-year window. Also in 2016, California completed a total of 47 independent security assessments — a snapshot in time of a department's networks that provides an in-depth look at vulnerabilities, as Liebert described them. Fifty-nine more of those are slated for 2017. The assessments are done by a team at the California Military Department or another qualified third party.

California wants to roll all that data — from the self-assessments, third-party assessments and audits — into an overall "cybersecurity maturity metric" that the state's Information Security Office, as the oversight body, could score agencies and departments on.

These are just a few of the 17 major initiatives Liebert said he and his team are working on, many of which are planned to be implemented by 2017. Others include the launch of a Security Operations Center to centralize services where appropriate, reformulated training for department-level information security officers, the creation of more training offerings for the state workforce, and changes to the auditing process and standardized templates.

Matt Williams was Managing Editor of Techwire from June 2014 through May 2017.