Audit: California Agencies Vulnerable to IT Security Breach
"Our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state's sensitive data vulnerable to unauthorized use, disclosure, or disruption," Auditor Elaine Howle wrote in the report.
She notes that the state is a prime target for information security breaches as government agencies keep extensive amounts of confidential data. Many agencies also have not sufficiently planned for interruptions or disasters, she found.
In June, the federal Office of Personnel Management announced a major hack that exposed personal information of about 20 million current and former federal employees and job applicants.
"Given the size of California's economy and the value of its information, if unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous," Howle wrote.
California likely also is not alone in its security gaps, with some states faring worse and some better, said Tim Erlin, director of security and IT risk strategy at Portland, Ore.-based security firm Tripwire.
"Government has a much more robust audit process that's public," Erlin said. "You never get a report like this from a Fortune 500 company unless something bad has already happened."
The auditor's report said the agency in charge of ensuring compliance with IT standards, the Department of Technology, has failed to ensure agencies are complying; a voluntary "self-certification" of compliance was confusing and poorly worded, she wrote, leading many agencies to report that they were complying when they were not. She also criticized the department for its slowness in auditing agencies.
"At its current pace, it would take the technology department roughly 20 years to audit all reporting entities," she wrote.
Erlin called the auditing time -- three months for a small entity and 10 to 20 months for a large entity -- "pretty exceptional."
"Could they do more with actually implementing information security controls with some of the budget that they have spent on auditing?" he asked.
The Department of Technology said in a written response to the audit that it is committed to improving oversight and to "improving the state's overall information security posture."
The department has already taken steps to better train staff on compliance reporting, has updated its forms and is updating its internal procedures, Secretary Maribel Batjer wrote. A spokeswoman for the department declined to answer further questions about the findings.
"We need to start prioritizing security. The government has a vast amount of critical information, a vast amount of personal information and it's our responsibility to protect it," said Assemblywoman Jacqui Irwin, D-Thousand Oaks, chairwoman of the Assembly Select Committee on Cybersecurity.
Her bill, AB670, would require all California state agencies to evaluate their networks for cyber-threats at least every two years. It is pending in a Senate committee.
Irwin said agencies have the funding for security assessments in their budgets but have not made them a priority.
To protect the state's security, the auditor's office withheld the names of the agencies that responded.
But it reported several major departments that did not comply with the auditor's request, including the California Air Resources Board, the Department of Forestry and Fire Protection, Department of General Services, California State Teachers' Retirement System and the Public Employees' Retirement System.
Tuesday's report is the latest blow to the technology department, which has a history of failed and over-budget IT projects. Howle found in a March audit that the agency lacks guidance for stopping or fixing troubled projects, many of which come in over budget and past deadlines, and suffers a high turnover of staff that hinders its work.
She said the state spent almost $1 billion for seven projects that were terminated or suspended.