
STATE IS AT HIGH RISK.

BRANDI: THIS NEWLY RELEASED 24-PAGE REPORT BY THE CALIFORNIA STATE AUDITOR FINDS SOME OF YOUR PERSONAL INFORMATION MAY NOT BE PROTECTED.

>> YOUR INFORMATION IS VULNERABLE IF SOMEONE, WHOEVER IS CAPTURING THAT INFORMATION ISN’T MAKING SURE IT’S SECURE.

BRANDI: IN THIS CASE, THE POTENTIAL CULPRIT, SEVERAL CALIFORNIA STATE ENTITIES. AUDIT SPOKESWOMAN MARGARITA FERNANDEZ WON’T SAY WHICH OFFICES OR DEPARTMENTS WERE EXAMINED FOR THE REPORT, BUT SAYS THOSE IN THE JUDICIAL BRANCH OF GOVERNMENT AND CONSTITUTIONAL OFFICES WERE INCLUDED.

>> WE WANT TO MAKE SURE THAT THE INFORMATION IS PROTECTED. IF WE TELL YOU EXACTLY WHERE WE BELIEVE IT MAY BE VULNERABLE, IT COULD LEAVE IT OPEN TO SOMEONE HACKING A SYSTEM.

BRANDI: THE 33 OFFICES SURVEYED FOR THE REPORT ARE CONSIDERED NON-REPORTING ENTITIES BECAUSE THEY DON’T FALL UNDER THE GOVERNOR’S OFFICE AND THUS THEY’RE NOT SUBJECT TO GUIDELINES FROM THE CALIFORNIA DEPARTMENT OF TECHNOLOGY.

>> MOSTLY WE WERE LOOKING AT, ARE THEY COMPLYING WITH STANDARDS? WHAT ARE THEY COMPLYING WITH?

BRANDI: THE AUDIT FINDS THE ENTITIES HAVE WEAKNESSES IN INFORMATION SECURITY, SOME HAVE IDENTIFIED DEFICIENCIES IN SECURITY PROGRAMS BUT FAILED TO RESOLVE THEM, OTHERS ARE NOT FULLY ASSESSING SECURITY STATUS, AND ACROSS THE BOARD THEY LACK EXTERNAL OVERSIGHT.

>> IF YOU HAVEN’T CONDUCTED AN ASSESSMENT OR REVIEW OF YOUR OWN INFORMATION SECURITY OF YOUR ASSETS, THE SECURITY CONTROLS, THE GENERAL CONTROLS, THEN YOU REALLY DON’T HAVE AN IDEA OF WHERE YOU’RE VULNERABLE.

BRANDI: FERNANDEZ SAYS THERE’S A RESPONSIBILITY TO PROTECT ALL INFORMATION COLLECTED. THAT’S WHY THE STATE AUDITOR RECOMMENDS THE LAW BE CHANGED TO REQUIRE INFORMATION SECURITY STANDARDS, SECURITY ASSESSMENTS DONE EVERY THREE YEARS, AND CONFIDENTIAL CERTIFICATION SUBMISSION SHOWING COMPLIANCE WITH THE NEW STANDARDS.

>> THERE’S ALWAYS GOING TO BE SOME RISKS, BUT THE MORE WE MINIMIZE THOSE RISKS, THE BETTER POSITION WE ARE AT PROTECT

Report finds California government IT security flaws

California's state auditor raised alarms Tuesday about information security in some state offices and called for additional oversight and regular assessments.

The report from Auditor Elaine Howle comes amid scrutiny of how companies and governments alike handle the data of customers and citizens and as governments grapple with the threat of hackers who might steal information or shut down computer systems.

Howle's office surveyed 33 government entities that are not currently required to meet the sort of information security standards mandated for cabinet-level departments and other executive branch agencies. The auditor's office found what it labeled "high risk deficiencies" at 21 of those entities.

While state agencies in the executive branch of government must typically follow information security standards prescribed by the California Department of Technology, the offices of directly elected officials and other branches like the judiciary do not necessarily have to abide by those same standards.
While many do, the report argued most of those are not adequately addressing information security.

"State entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store," the report said.

The state auditor's office did not identify any of the entities included in the survey, but they could include constitutional offices or parts of the judicial branch.

Some of the problems noted in the report seemed to include relatively basic security measures.

The report said one government entity did not change the default password on certain information security systems, posing a significant threat of an attacker gaining unauthorized access to its network.

Another entity failed to apply security updates on its devices, according to the report.

The state auditor's office also raised concerns that some parts of government are not acting quickly enough to resolve these issues.

"Despite being aware of significant deficiencies in their current information security programs, some ... have been slow to address these weaknesses," the report said.

The review was the only security assessment three of the entities had ever undergone, according to the report, suggesting there could be additional weaknesses of which the entities are unaware.

The state auditor recommended that all entities adopt standards comparable to the information security and privacy policies prescribed by the Department of Technology. The report also recommended government entities report to an Assembly committee about their compliance with those standards.

The report called for entities to undergo a comprehensive information security assessment at least every three years.

California's auditor previously labeled information security as a high-risk issue for the government of America's most populous state. The report said the Department of Technology had made progress on the issue.

Lawmakers proposed a similar requirement last year.
But the legislation faced opposition from constitutional officers, including the secretary of state, treasurer and controller, who argued it would infringe on the independence of their offices. The bill sputtered in the state Senate.

Assemblyman Ed Chau, a Democrat from Monterey Park and a joint author of the legislation, said he is still supportive of the idea but added that special circumstances in different parts of government should be taken into consideration.

"Bringing consistency across state government in cybersecurity and information security policies is part of an effective strategy in safeguarding against data security threats," Chau said.

Amy Tong, California's chief information officer and head of the Department of Technology, said Tuesday that she appreciates the audit's call for strengthening security at all state agencies. Tong said the department's security operations center already blocks more than 200 million of what she described as malicious probes aimed at government entities.