State agencies vulnerable to technology breach
September 2, 2015
It may boast Silicon Valley, but it turns out the state of California isn’t as technologically advanced as we thought.
An Aug. 25 report released by the California State Auditor found that as many as 73 state government agencies are not in full compliance with the information technology standards, leaving them vulnerable to a breach.
According to the report, the non-compliance could lead to sensitive information such as Social Security numbers, income tax information and healthcare information being accessed. The offending agencies were not named, for fear that the announcement could spark an attack, which is common protocol for the agency in protecting their systems.
The Bay Area Council is a public policy advocacy organization, and according to Rufus Jeffris, Vice President of Communications, “Implementation of the state’s technology platform has come under criticism recently.”
Jeffris said that while his organization does advocate for cyber security, they are not experts on the topic and the standards set by the state are the determining factor in how the corrections are implemented and collected.
The audit focused on five specific agencies, which were not named, but all were found not to be in full compliance with the technology standards.
Auditor Elaine M. Howle also issued a survey to 77 state agencies, of which 73 responded and indicated that they had not achieved full compliance with information security standards. Twenty-two respondents stated that they did not expect to reach full compliance with the information security standards until 2018 or later, and 13 more indicated they would be out of compliance until at least 2020, according to the report.
“The California Department of Technology (technology department) is responsible for ensuring that state entities that are under the direct authority of the governor maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the State’s information,” according to the report by Howle.
She also noted that Chapter 5300 of the State Administrative Manual is specific in regard to the security standards and requires government agencies to use programs that ensure electronic information and technology is kept private.
Further, Howle said in the audit that most of the offending agencies did not even know they were out of compliance until the time of the inquiry.
According to the 2014 Federal Information Security Modernization Act, there are three security objectives for information and information systems that must be adhered to by all state agencies:
“Confidentiality: Preserving authorized restrictions to protect personal privacy and proprietary information. Integrity: Guarding against improper modification or destruction. Availability: Ensuring timely and reliable access.”
John Hunt is the Public Sector Principal at the professional services firm PricewaterhouseCoopers, which has three Bay Area offices. Hunt said that most entities deal with cyber security through their technology team, but this is a mistake. According to Hunt, cyber security needs to be addressed at all levels of an organization to ensure privacy.
According to Howle’s report, there will be several new deadlines put in place for these agencies, by which they will be required to show how they are taking steps toward compliance. The first of those dates is set for the end of this year. The report also gave several detailed accounts of what the violating entities need to do to be compliant with the standards.
The cyber breach and leak trend has been on the rise, and earlier this year hackers released emails from Sony executives as well as other documents from the business.
Most recently, the website Ashley Madison had its information breached, and hackers posted all of the members’ information on several public websites.