Information Security Program Audit
The California Information Security Office (CISO) plays a critical role in ensuring the State’s Information Technology (IT) infrastructure is capable of delivering vital services in a secure, reliable, and trustworthy manner.
The mission of the Information Security Program Audit team is to provide expertise to evaluate compliance and risk with state security and privacy policies, by validating security systems, procedures and practices are in place and working as intended.
Information security program audits are authorized pursuant to Government Code Section 11549.3(d).
- Engagement with a trusted team of professional information security auditors.
- Confidential examinations, interviews and testing based on federal and state security standards.
- Independent assurance that critical assets and citizen data are protected.
- Audit reports containing compliance information customized to the agency audit scope.
Information Security Audit Program Overview
The audit program is organized into twelve domains that have been compiled using adopted industry and state standards (NIST Special Publication 800-53 (PDF) and SAM 5300). These standards align with current state policy requirements.
Prior to an audit beginning, documentation is sent to prepare the entity for the audit. This includes a Preliminary Articles Request-PAR (PDF) and an Audit Control Guide (DOC). The PAR documents are required to be sent to the auditor prior to beginning audit interviews. The Audit Control Guide gives the entity a preview of the twelve domains and allows the entity to prepare for the audit.
The audit is kicked off with an engagement meeting. The engagement meeting allows the entity to meet the lead auditors, who present an overview of the program. After the engagement meeting, the audit team schedules and conducts interviews with the appropriate subject matter experts. Additionally, testing and validation are completed and work papers are written. Based on these work papers, findings are documented and sent to the entity in a weekly status report for review.
Upon completion of the interviews and testing, a draft report is written, encompassing all information gathered and documented during the audit. This report is sent to the entity for review and gives the entity an opportunity to address any issues that may have arisen and to provide evidence to the contrary. Once all issues are settled, a final report is sent to the entity.
Need more information? Please contact the California Information Security Office at (916) 445-5239 to learn about Information Security Program Audit services.
This service is classified as a Current Service.
Subscriptions to this service are available and can be referenced in the CDT Rate Schedule.
| Service Code | Service Description | Unit of Measurement | Rate | Group | Comment(s) |
|---|---|---|---|---|---|
| G2xx-ISPA | Consulting for Level 1 (DPM IV) | Hour | $150.00 | Information Security Program Audit | This is a general consulting rate |
| G3xx-ISPA | Consulting for Level 2 (DPM III, DPM II, SSS III, SSS II and Sr. ISA) | Hour | $130.00 | Information Security Program Audit | This is a general consulting rate |
| G648 | Travel and Materials | Variable | Pass-through | Information Security Program Audit | |
| H101 | Small Organization Audit (Audit Maximum) | Per Audit | $60,000.00 | Information Security Program Audit | |
| H102 | Medium Organization Audit (Audit Maximum) | Per Audit | $100,000.00 | Information Security Program Audit | |
| H103 | Large Organization Audit (Audit Maximum) | Per Audit | $200,000.00 | Information Security Program Audit | |
Services are billed directly through the customer’s monthly invoice and payment for these services is processed via direct transfer.
To request an Information Security Program Audit, please submit a Professional Services Remedy Service Request.
What can an audit do for our organization?
What is a compliance audit?
What does the Information Security Program Audit Team do?
• Notification to the entity an audit will be performed
• Receipt of engagement package by entity
• Dates for audit to be conducted are confirmed
• Preliminary articles are gathered and reviewed
• Engagement (entrance) conference is held
• Technical kickoff is held (if needed)
• Field work (discovery, interviews, testing)
• Draft Audit Report is compiled by lead auditor
• Exit conference is conducted
• Final Report issued
How often can I expect an ISPA audit?
• AB 670 Security Assessment (performed by Dept. of the Military) has not been scheduled for this year
• An ISPA has not been performed by CISO in the last 2 years
• A department is not selected if it does not have any “mission critical” applications
Selections are subject to approval by the Government Operations Agency.