
Irwin: Entities' Information Security Hinges on Assessment, Oversight

Non-reporting entities found by the State Auditor's Office to have security weaknesses will need to look more closely at their processes, but external oversight is needed too, according to a technology leader in the Legislature.

An Assembly member with a considerable focus on IT and cybersecurity told Techwire that a recent high-risk audit identifying “numerous” state-level weaknesses confirms the need to ramp up oversight and vigilance against bad actors.

The July 16 report from the State Auditor’s Office scrutinized 33 “non-reporting entities” selected from a list of state agencies, departments, boards and constitutional offices. It found 24 to be “partially compliant” with standards — but discovered 21 entities with “high-risk deficiencies.” Non-reporting entities are those outside the California Department of Technology’s (CDT) oversight.

Assemblymember Jacqui Irwin, who has tried during the past two legislative sessions to have non-reporting entities included in the state’s information security oversight framework, said in a news release that the audit’s results are “proof that these offices require external oversight to prioritize securing their networks.” Her Assembly Bill 3193 in 2018 was unsuccessful, and AB 1242 this legislative session was held in the Assembly Appropriations Committee.

“We want to make sure that the state has done what it needs to do to really protect itself against these cyberattacks,” the Thousand Oaks Democrat told Techwire. “We’ve all heard the stories and we don’t want any big, catastrophic breach to happen in the state of California, which means we need to be prepared.” Among the takeaways:

• Like the State Auditor’s Office, Irwin praised CDT’s work in making a difference “in how vulnerable the different reporting agencies are.” CDT has done its own audits and established a procedure to assess the maturity of agency controls and cybersecurity, said Irwin, who is chair of the Assembly Select Committee on Cybersecurity and co-chair of the National Conference of State Legislatures Task Force on Cybersecurity. She’s also a member of the bipartisan California Legislative Technology and Innovation Caucus.

“When you look at the work that [former state Chief Information Security Officer] Peter [Liebert] and [state CIO] Amy [Tong] have done over the last few years with their maturity metrics, yes, they’re definitely moving in the right direction,” Irwin said.

• Non-reporting entities, however, need legislative oversight, the assemblymember said, emphasizing that despite it being late in the legislative year, cybersecurity “really can’t wait for a full session.”

Departments like the California Secretary of State’s Office may have “very robust controls,” but without similar oversight over non-reporting entities, it’s difficult to know what they’re doing, she said, adding she’s hopeful the entities will improve their compliance levels as a result of the audit.

• Irwin declined to say specifically where she’d like to see non-reporting entities head in terms of improving their security levels. But she said those entities need to look at their own internal workings to assess the maturity of their security systems and make consistent use of “some sort of maturity metric.” Entities, she added, should also determine where the Legislature could best allocate funding to enable changes.

• The extent to which updates are needed, however, may depend in part on what types of information an entity or agency is holding — with those handling personally identifiable information possibly needing to do more than those that do not. This, Irwin said, makes it “not a simple answer.”

Theo Douglas is Assistant Managing Editor of Industry Insider — California.