Information Security Program Audit
The California Office of Information Security (OIS) plays a critical role in ensuring the State’s Information Technology (IT) infrastructure is capable of delivering vital services in a secure, reliable, and trustworthy manner.
The mission of the Information Security Program Audit (ISPA) team is to provide expertise to evaluate compliance with state security and privacy policies, by validating that security systems, procedures, and practices are in place and working as intended.
Information security audits are authorized pursuant to Government Code Section 11549.3(d).
- Engagement with a trusted team of professional information security auditors.
- Confidential examinations, interviews and testing based on federal and state security standards.
- Provide independent assurance that critical assets and citizen data are protected.
- Audit reports contain compliance information that is customized to the agency audit scope.
Information Security Audit Overview
The audits are organized into twelve domains that have been compiled using adopted industry and state standards (NIST Special Publication 800-53 and SAM 5300). These standards align with current state policy requirements.
Prior to an audit, documentation is sent to prepare the entity for the audit. This includes an Articles Request (AR). The completed AR documents are to be sent to the auditor prior to the audit interviews. The Audit Control Guide gives the entity a preview of the twelve domains and allows the entity to prepare for the audit.
The audit is kicked off with an engagement meeting. The meeting allows the entity to meet the lead auditors, who present an overview of the audit process. After the meeting, interviews with subject matter experts are scheduled by the audit team. Testing and validation are completed and work papers are written. With these work papers, findings are documented and sent to the entity in a weekly status report for review.
Upon completion of the interviews and testing, a draft report is written, encompassing all information gathered during the audit. This report is sent to the entity for review. The entity has an opportunity to address any issue identified during the audit and provide evidence to the contrary. Once all issues are settled, a final report is sent to the entity.
Need more information? Please contact the California Office of Information Security at (916) 445-5239 to learn about Information Security Program Audit services.
This service is classified as a Current Service.
What can an audit do for our organization?
What is a compliance audit?
What does the ISPA Team do?
• Notification to the entity an audit will be performed
• Receipt of engagement package by entity
• Dates for audit to be conducted are confirmed
• Preliminary articles are gathered and reviewed
• Engagement (entrance) conference is held
• Technical kickoff is held
• Field work (discovery, interviews, testing)
• Draft Audit Report is compiled by lead auditor
• Exit conference call is conducted
• Final Report issued
How often can I expect an ISA audit?
• An AB 670 Security Assessment (performed by Dept. of the Military) has not been scheduled for the current year
• An ISPA has not been performed by CISO in the last 2 years
• A department is not selected if it does not have any “mission critical” applications
Selections are subject to approval by the Government Operations Agency.
Can we get a copy of the audit criteria in advance?
Effective with the Enacted 2021-22 State Budget, the cost of the Information Security Program Audit is now covered by the General Fund. It is no longer necessary to submit a Service Request.