California’s state databanks, stuffed with Social Security numbers, medical records, tax return data and other sensitive information, are so poorly guarded that a new audit warns that they are “vulnerable to unauthorized use, disclosure or disruption.”
The harsh assessment, which named only the Department of Technology and left others anonymous for security reasons, coincides with pending legislation that would require more stringent state IT security evaluations. The topic has growing political currency in the Internet era, with attacks ranging from the Ashley Madison user database to federal government systems putting a harsh focus on the issue of IT security.
The report also delivers another blow to the Technology Department, which has overseen several expensive and embarrassing IT debacles in the last few years.
State Auditor Elaine Howle noted that 73 of the 77 state departments that responded to a security standards survey said that they were not in compliance. Most “have not planned for interruptions or disasters,” and the five departments audited more closely all had “security deficiencies.”
Several departments did not respond to the auditor’s request for information, including Cal Fire, CalPERS and CalSTRS.
Auditors also criticized the security self-assessment form that state agencies, departments, bureaus, offices and commissions file with the Department of Technology. The form is so flawed that it “may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not,” auditors wrote after finding 37 of 41 departments fell short although they had reported otherwise.
Furthermore, security oversight by the Department of Technology is so poor that until the audit, technology officials were not aware that many state agencies had not met security requirements, auditors reported. On occasions when it did know, the department allowed some weaknesses to continue for years.
For example, 18 state departments self-reported security deficiencies or did not file security self-assessment forms for at least five years, auditors reported. “Thirty of 38 survey respondents that certified noncompliance in 2014 indicated that they submitted remediation plans but only four stated that the Technology Department followed up on those plans.”
Moreover, 23 departments indicated they wouldn’t be in compliance until 2017 and eight said they wouldn’t meet security standards until 2020 – or later.
More than one-third of state IT officials surveyed “indicated that they did not understand all of the requirements in the security standards, which may impede their ability to comply,” according to the audit.
Department of Technology officials say that they have launched a pilot program to more closely monitor security compliance, but “at its current rate of four auditors completing eight audits every year and a half,” Howle’s report notes, it would take roughly 20 years to audit every system in state government.
All the audited departments agreed with the auditor’s recommendations to, among other things, develop plans to comply with security standards.
The audit also recommends that the Legislature require the Technology Department to improve the tools for self-reporting, encourage compliance, make security standards clearer and reach out to state agencies to “gain their perspective, make improvements and develop training.”
Another recommendation mirrors Assembly Bill 670, written by Assemblywoman Jacqui Irwin, D-Thousand Oaks. The measure, pending in the Senate Appropriations Committee, would require the Department of Technology to conduct independent security assessments of every state agency at least once every two years.
Making the requirement a state law would cost from $825,000 to $2.6 million annually, Gov. Jerry Brown’s Department of Finance estimated. The department came out against the bill last month, warning that it would increase costs and create “confusing reporting arrangements.”