SACRAMENTO, CA – California State Auditor Elaine Howle published a report this week entitled, “Gaps in Oversight Contribute to Weakness in the State’s Information Security.” The report is the third in a series of reports updating policymakers on the “high risk” status of California state government’s information security programs.
“The results of this audit specifically investigating ‘non-reporting’ entities are proof that these offices require external oversight to prioritize securing their networks,” said Assemblymember Jacqui Irwin. “The Legislature must step in and ensure that information security standards are adopted by Constitutional Officers and other independent offices within state government. The time of ignoring our vulnerabilities to cyber-attacks passed long ago, and it’s time all of state government is on the same page about cybersecurity.”
Previous reports have focused on state entities that report directly to the Governor, and have measured improvements by these “reporting” entities and the California Department of Technology. Assemblymember Irwin successfully passed legislation over the past four years that led to those improvements, including requiring independent security assessments, information security cost reporting, and technology recovery plan updates.
The report focuses on state entities that do not report directly to the Governor; these “non-reporting” entities are Constitutional Officers and other independently elected or appointed boards. The Auditor found that “most of the non-reporting agencies do not have an external oversight framework that would require them to assess their information security regularly,” and that “most of the 33 non-reporting entities [the Auditor] surveyed are not adequately addressing information security.”
Assemblymember Irwin, Chair of the Assembly Select Committee on Cybersecurity and Co-Chair of the National Conference of State Legislatures Task Force on Cybersecurity, has for the past two years focused on the gap in oversight the state has with these “non-reporting” entities.
Last year she authored the unsuccessful AB 3193 (2018) with her colleagues Assemblymembers Chau and Obernolte, to include “non-reporting” entities within the state’s existing information security oversight framework. She re-introduced the same bill language in AB 1242 this legislative session, but the bill was held in the Assembly Appropriations Committee.
Assemblymember Irwin is committed to addressing the gap in oversight identified by the Auditor, and agrees with the Auditor’s recommendation that oversight will result in better outcomes by “non-reporting” entities, securing critical infrastructure and Californians’ sensitive information being held by these important offices, departments, and agencies. She will work with her colleagues to ensure that the Auditor’s three-part recommendation to the Legislature is passed into law.