Report Finds California Government IT Security Flaws

California’s state auditor raised alarms Tuesday about information security in some state offices and called for additional oversight and regular assessments.

The report from Auditor Elaine Howle comes amid scrutiny of how companies and governments alike handle the data of customers and citizens and as governments grapple with the threat of hackers who might steal information or shut down computer systems.

Howle’s office surveyed 33 government entities that are not currently required to meet the sort of information security standards mandated for cabinet-level departments and other executive branch agencies. The auditor’s office found what it labeled “high risk deficiencies” at 21 of those entities.

While state agencies in the executive branch of government must typically follow information security standards prescribed by the California Department of Technology, the offices of directly elected officials and other branches like the judiciary do not necessarily have to abide by those same standards. While many do, the report argued most of those are not adequately addressing information security.

“State entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store,” the report said.

The state auditor’s office did not identify any of the entities included in the survey, but they could include constitutional offices or parts of the judicial branch.

Some of the problems noted in the report seemed to include relatively basic security measures.

The report said one government entity did not change the default password on certain information security systems, posing a significant threat of an attacker gaining unauthorized access to its network.

Another entity failed to apply security updates on its devices, according to the report.

The state auditor’s office also raised concerns that some parts of government are not acting quickly enough to resolve these issues.

“Despite being aware of significant deficiencies in their current information security programs, some … have been slow to address these weaknesses,” the report said.

The review was the only security assessment three of the entities had ever undergone, according to the report, suggesting there could be additional weaknesses of which the entities are unaware.

The state auditor recommended that all entities adopt standards comparable to the information security and privacy policies prescribed by the Department of Technology. The report also recommended government entities report to an Assembly committee about its compliance with those standards.

The report called for entities to undergo a comprehensive information security assessment at least every three years.

California’s auditor previously labeled information security as a high-risk issue for the government of America’s most populous state. The report said the Department of Technology had made progress on the issue.

Lawmakers proposed a similar requirement last year. But the legislation faced opposition from constitutional officers, including the secretary of state, treasurer and controller, who argued it would infringe on the independence of their offices. The bill sputtered in the state Senate.

Assemblyman Ed Chau, a Democrat from Monterey Park and a joint author of the legislation, said he is still supportive of the idea but added that special circumstances in different parts of government should be taken into consideration.

“Bringing consistency across state government in cybersecurity and information security policies is part of an effective strategy in safeguarding against data security threats,” Chau said.

Amy Tong, California’s chief information officer and head of the Department of Technology, said Tuesday that she appreciates the audit’s call for strengthening security at all state agencies. Tong said the department’s security operations center already blocks more than 200 million of what she described as malicious probes aimed at government entities.