Connect with us

Hi, what are you looking for?


Management & Strategy

Report Finds California Government IT Security Flaws

California’s state auditor raised alarms Tuesday about information security in some state offices and called for additional oversight and regular assessments.

California’s state auditor raised alarms Tuesday about information security in some state offices and called for additional oversight and regular assessments.

The report from Auditor Elaine Howle comes amid scrutiny of how companies and governments alike handle the data of customers and citizens and as governments grapple with the threat of hackers who might steal information or shut down computer systems.

Howle’s office surveyed 33 government entities that are not currently required to meet the sort of information security standards mandated for cabinet-level departments and other executive branch agencies. The auditor’s office found what it labeled “high risk deficiencies” at 21 of those entities.

While state agencies in the executive branch of government must typically follow information security standards prescribed by the California Department of Technology, the offices of directly elected officials and other branches like the judiciary do not necessarily have to abide by those same standards. While many do, the report argued most of those are not adequately addressing information security.

“State entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store,” the report said.

The state auditor’s office did not identify any of the entities included in the survey, but they could include constitutional offices or parts of the judicial branch.

Some of the problems noted in the report seemed to include relatively basic security measures.

Advertisement. Scroll to continue reading.

The report said one government entity did not change the default password on certain information security systems, posing a significant threat of an attacker gaining unauthorized access to its network.

Another entity failed to apply security updates on its devices, according to the report.

The state auditor’s office also raised concerns that some parts of government are not acting quickly enough to resolve these issues.

“Despite being aware of significant deficiencies in their current information security programs, some … have been slow to address these weaknesses,” the report said.

The review was the only security assessment three of the entities had ever undergone, according to the report, suggesting there could be additional weaknesses of which the entities are unaware.

The state auditor recommended that all entities adopt standards comparable to the information security and privacy policies prescribed by the Department of Technology. The report also recommended government entities report to an Assembly committee about its compliance with those standards.

The report called for entities to undergo a comprehensive information security assessment at least every three years.

California’s auditor previously labeled information security as a high-risk issue for the government of America’s most populous state. The report said the Department of Technology had made progress on the issue.

Lawmakers proposed a similar requirement last year. But the legislation faced opposition from constitutional officers, including the secretary of state, treasurer and controller, who argued it would infringe on the independence of their offices. The bill sputtered in the state Senate.

Assemblyman Ed Chau, a Democrat from Monterey Park and a joint author of the legislation, said he is still supportive of the idea but added that special circumstances in different parts of government should be taken into consideration.

“Bringing consistency across state government in cybersecurity and information security policies is part of an effective strategy in safeguarding against data security threats,” Chau said.

Amy Tong, California’s chief information officer and head of the Department of Technology, said Tuesday that she appreciates the audit’s call for strengthening security at all state agencies. Tong said the department’s security operations center already blocks more than 200 million of what she described as malicious probes aimed at government entities.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.