Wednesday, 26 August 2015

State Agencies Aren’t Complying with Cybersecurity Standards

SACRAMENTO — Dozens of state agencies have not fully complied with security standards designed to protect Social Security numbers, health records, income tax information and other sensitive data from hackers, according to a report released Tuesday by Auditor Elaine Howle.

The audit found that 37 executive branch agencies that told the Department of Technology they had met security requirements had not actually done so. In fact, eight of those agencies won’t finish all the necessary tasks until 2020, the report said.

The troubling findings were included in a 75-page “high risk update” that Howle submitted to lawmakers. The audit, which does not identify reviewed agencies by name, raised questions about the technology department’s oversight in light of high-profile breaches elsewhere that have exposed confidential records maintained by public agencies.

“If unauthorized parties were to gain access to the state’s information systems, the costs both to the state and to the individuals involved could be enormous,” Howle wrote to the governor and lawmakers.

In a response to the audit, Department of Technology Director Carlos Ramos wrote that he agreed with most of Howle’s recommendations.

“The department has a strong commitment to improving its existing oversight activities and to improving the state’s overall information security posture,” Ramos wrote.

The state agencies that were scrutinized frequently cited a lack of resources and competing priorities as reasons for not completing various required tasks, such as maintaining an inventory of their digital records and developing procedures for responding to a cyberattack or recovering from a disaster.

Compounding the problem, the report said, is a technology department that allowed agencies to self-certify their compliance with security standards without requiring any documentation. The department does have an audit program, but it is so small and slow moving that “it would take the technology department roughly 20 years to audit all of the 114 reporting entities,” the audit concluded.

The report recommends that the Legislature require each state agency to be assessed at least once every two years for its data-protection efforts. The technology department must also offer more guidance and training to agencies while beefing up its audit program and demanding proof of compliance, Howle wrote.

The report noted that a number of departments run by constitutional officers, such as the Secretary of State’s office, as well as the judicial branch are not subject to the technology department’s oversight. In a separate review released in December 2013, the auditor identified “significant deficiencies” in how the Administrative Office of the Courts and trial courts protected their information systems.

Howle said she plans to study the security risks associated with government agencies that don’t fall under the technology department’s purview and to consider expanding the high-risk watch to include them.

View the original content and more from this author here:  http://ift.tt/1MT828i



from cyber security caucus http://ift.tt/1Ifh3k6
via IFTTT

No comments:

Post a Comment