Imperial Valley Press

Report finds California government IT security flaws


SACRAMENTO, Calif. (AP) — California’s state auditor raised alarms Tuesday about information security in some state offices and called for additional oversight and regular assessments.

The report from Auditor Elaine Howle comes amid scrutiny of how companies and governments alike handle the data of customers and citizens and as governments grapple with the threat of hackers who might steal information or shut down computer systems.

Howle’s office surveyed 33 government entities that are not currently required to meet the sort of information security standards mandated for cabinet-level departments and other executive branch agencies. The auditor’s office found what it labeled “high risk deficiencies” at 21 of those entities.

While state agencies in the executive branch of government must typically follow information security standards prescribed by the California Department of Technology, the offices of directly elected officials and other branches like the judiciary do not necessarily have to abide by those same standards. While many do, the report argued most of those are not adequately addressing information security.

“State entities that do not fall under the purview of the technology department need to do more to safeguard the information they collect, maintain, and store,” the report said.

The state auditor’s office did not identify any of the entities included in the survey, but they could include constitutional offices or parts of the judicial branch.

Some of the problems noted in the report seemed to include relatively basic security measures.

The report said one government entity did not change the default password on certain information security systems, posing a significant threat of an attacker gaining unauthorized access to its network.

Another entity failed to apply security updates on its devices, according to the report.

The state auditor’s office also raised concerns that some parts of government are not acting quickly enough to resolve these issues.

“Despite being aware of significant deficiencies in their current information security programs, some ... have been slow to address these weaknesses,” the report said.

The review was the only security assessment three of the entities had ever undergone, according to the report, suggesting there could be additional weaknesses of which the entities are unaware.
