Printed from BusinessInsurance.com

Auditor seeks crackdown on California government cyber security

Posted On: Aug. 28, 2015 12:00 AM CST

California lawmakers should require the state department of technology to conduct a security assessment of each state entity under the direct authority of the government at least every two years and “to authorize it to redirect funds if available to remediate information security weakness,” the California State Auditor has recommended in a report.

The recommendation came after 73 of 77 state entities responding to a survey conducted by the auditor indicated that they had not yet achieved full compliance with security standards.

“These reporting entities noted deficiencies in their controls over information asset and risk management, information security program management, information security incident management, and technology recovery,” the state auditor said Tuesday in “High Risk Update — Information Security.”

“These weaknesses could compromise the information systems the reporting entities use to perform their day-to-day operations,” according to the report.

The report criticized the state technology department for failing to take appropriate measures “to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not.”