What happens when an agency does not submit a Risk Management and Privacy Program Certification?

The Office of Information Security (OIS) has enhanced its Risk Management and Privacy Program Certification compliance review process. The Director and Agency Director for the agency will be notified when an agency has failed to meet this reporting requirement.

The OIS is to report to the California Department of Technology any state agency found to be noncompliant with information security program requirements. Noncompliance may impact the agency’s procurement and information technology (IT) project delegated authority. Also, when conducting an IT audit, state and internal auditors will typically review the agency’s documentation to ensure the agency is complying with the State Administrative Manual requirements. Compliance and noncompliant status would be documented in the audit findings.