Legislation Approved For State Cyber Security

Photo courtesy: Google Images

Establishes Strong Foundation for Securing the Most Sensitive Information Systems

By Chris Wangsaporn

Sacramento – Assemblywoman Ling Ling Chang (R-Diamond Bar) announced that her legislation to put California’s troubled cyber security system back on track was approved by the Assembly Privacy & Consumer Protection Committee. On the heels of a troubling audit of the state’s cyber security program, AB 1881 will ensure the state’s Chief Information Officer (CIO) establishes minimum security controls for state departments and agencies. California is vulnerable to thousands of hacking attempts per month but has a porous information security operation.

“Without proper security controls in place, it’s akin to leaving your front door unlocked at night,” said Assemblywoman Chang. “It doesn’t matter if we have state-of-the-art technology or firewalls in place if you lack proper policies to keep data secure.”

AB 1881 will require the State Chief Information Officer (CIO) to develop baseline security controls (minimum security requirements) for all state agencies and departments. The CIO would further be required to report on compliance to the Legislature. Security controls are procedures, sometimes performed by people rather than IT systems, that reduce the risk of security vulnerabilities; examples include password procedures, personnel access, and data disposal.

In 2015, the California state auditor outlined an extensive assessment of the Department of Technology’s oversight of the state’s information security operations. The results of the audit painted an alarming picture of California’s cyber security system and practices. For example, 95% of surveyed departments and agencies stated they are not fully in compliance with existing state security standards. And shortly after a recent committee hearing on cyber security discussing the audit, a top cyber security official stepped down.

“The state is falling short on some of the most basic aspects of cyber security,” said Chang. “There really shouldn’t be an information security program in place without developed security controls.”

State government is responsible for securing highly sensitive information of its citizens. From social security numbers and medical records, to the integrity of wastewater treatment plants, state government’s information systems ensure our privacy as well as the reliability of critical infrastructure and resources.