In 2015, an audit by California exposing glaring lapses in the state’s cybersecurity readiness quickly galvanized the California legislature and policymakers to take action.
Fast forward to an oversight hearing last week which found, to its credit, the California Department of Technology (CDT) has improved upon its plan to fill those holes by hiring Peter Liebert earlier this year as the state’s new chief information security officer, filling a position that had been vacant for some time. Under this new leadership, California has rolled out 17 major initiatives, the majority of which are on track to be completed by the end of July, as Liebert announced last week during the California legislature’s first oversight hearing of the CDT this year.
The major areas of focus within the 17 initiatives begin with the revamping of State Administrative Manual (SAM) Section 5300 to include additional policy guidance through engagement with key stakeholders, including the recognition of industry best practices. CDT is focused on National Institute of Standards and Technology (NIST) Special Publication 800-53 segmentation planning and creating a formal foundational framework, which ITAPS has supported in several other states across the country. California is also looking to improve its audit tool by creating a template based on NIST 800-53 that state agencies and departments can utilize.
Through the new audit process, CDT will provide a liaison to help agency and department security officials define a plan before an audit takes place, following an agency or department’s self-assessment. The self-assessment is also an attempt to improve upon deficiencies found with CDT’s information security oversight, as it previously failed to verify departments’ self-certifications.
Historically, CDT merely pointed to the SAM and left agencies and departments to their own devices. In 2016, CDT established an information security compliance audit program that verifies whether departments are meeting the standards they have self-certified and to ensure that they have addressed any previously identified security vulnerabilities.
Additionally, CDT is looking to centralize and standardize security awareness training, which is currently spread across government functions and often inadequate. This includes efforts to increase anti-scam awareness and phishing attack recognition. Along with this approach, CDT is looking at NIST 800-53 to create a reporting and performance measurement guide for information security.
Lastly, California intends on rolling out a security operations center located at the state data center to provide additional protection, analysis, and remediation to agencies and departments.
Overall, the IT Alliance for Public Sector (ITAPS) approves of the strides that CDT has made in the last few years and encourages the department to continue pursuing its goal of completing these important initiatives by July. We applaud Gov. Jerry Brown’s (D) proposed budget of $14 million in funding across various departments to strengthen information security and ITAPS hopes to continue to find ways that the technology industry can help in securing California’s information technology systems.