You probably don’t know the name Elaine Howle. She’s the California State Auditor, and in that role she has a lot more impact than many holders of higher-profile offices. Occasionally the State Auditor’s work makes prime-time news – as it did last summer when it found that the Department of Corrections had overpaid more than $4 million for construction work, and that for almost two years a senior Caltrans engineer failed to notice an employee regularly taking off to play golf in the afternoon.
But even when it’s not making prime-time news, the Auditor’s Office works full-time, issuing on average one report a week on everything from how well the foster care system is protecting the children in its care to how accurate state data is.
Last month the Auditor published a report on California’s data security, a critical concern, since state agencies store a huge amount of data – personal, public safety, financial – and their data centers fend off thousands of hacking attempts every month, according to the Auditor’s report. The news isn’t good.
After surveying 101 state agencies reporting directly to the governor – agencies that self-certified compliance with state standards – and conducting in-depth reviews of five of them, the Auditor found that fewer than 30 percent of these agencies were in full compliance with state standards. It also found that the California Department of Technology hasn’t ensured that agencies comply with security standards.
Thirty-seven of the 41 agencies that had self-certified to the technology department that they were in compliance with the 2014 security standards told the Auditor they hadn’t actually achieved compliance in 2014. Yet the state technology department wasn’t aware of this, because self-certification was the only check. At its current pace, the department’s pilot information security compliance audit program would take about 20 years to review the hundreds of agencies it oversees. More than half of the agencies that answered the Auditor’s survey said the technology department’s guidance for complying with the security standards “was insufficient.”
Even when the Department of Technology knew that agencies weren’t compliant, the Auditor reported, its oversight of their security and privacy controls “was ineffective.” Although 40 percent of the agencies reported in 2014 that they weren’t fully compliant, the department had no standard process for following up on those reports. Twenty-two of the agencies responding to the Auditor’s survey said they didn’t expect to reach full compliance until 2018 or later, and 13 expected to be out of compliance until at least 2020.
The Auditor’s recommendations include a statutory requirement that state agencies undergo independent security assessments every two years, replacing the current reliance on self-certification.
You can find the California State Auditor’s reports at www.bsa.ca.gov. You can also subscribe to be notified when new reports are published. The Auditor’s whistleblower hotline is (800) 952-5665.