Auditor Publishes Follow-Up on VoIP Audit of CPUC

In 2014, the State Auditor’s Office issued 18 recommendations to the California Public Utilities Commission (CPUC) related to data management, infrastructure and security in its Voice over Internet Protocol (VoIP) system.

In the same report, the auditor made just one recommendation to the Legislature: Give the commission the authority to collect information from providers regarding their VoIP customers, and require VoIP providers to furnish this information to the commission.

Of the 18 recommendations that Auditor Elaine M. Howle's agency made to the CPUC, the commission has fully implemented 11. Five have been partially implemented, and two are "pending."

As for the agency's one recommendation to the Legislature: “No action taken,” says the auditor’s update, which was published last week.  

The CPUC said three of the five “partially completed” recommendations now have a target implementation date of October. They are:

• The commission should ensure that it complies with all policy requirements in SAM Chapter 5300.
• The commission should revise its recovery plan to include a list of applications supporting critical business functions, their maximum acceptable outage time frames, and detailed recovery strategies for each application.
• The commission should revise its recovery plan to include detailed procedures for rebuilding its technology infrastructure at an alternate processing site.

The two “partially implemented” items are also in the works, as per the report:

• One recommendation said: “As part of developing, implementing, and maintaining an entity-wide information security program, the commission should develop a risk management and privacy plan and conduct an assessment of risks facing its information assets.” The CPUC’s response in the report: "CPUC has developed Risk Assessment policy and completed internal Risk Assessment Checklist based on CDT (California Department of Technology) template. As per Office of Information Security, CPUC has uploaded mission-critical systems information to California Compliance and Security Incident Reporting System (Cal-CSIRS) for risk assessment.
• “The commission should conduct regular tests and exercises to assess the sufficiency of the revised recovery plan and refine the plan when necessary.” The CPUC replied in October: Successful testing to recover Public Website, Content Server and SharePoint was conducted this year. Since the migration of email to Office 365 is done, CPUC needs to work Microsoft for failover recovery in cloud.”

Techwire has reached out to the CPUC for elaboration and more information about the timing of the planned remedies and will have coverage when that information comes forth.