Transcription
STATE OF CALIFORNIABudget Change Proposal - Cover SheetDF-46 (REV 09/19)Budget Change Proposal - Cover SheetFiscal Year: 2020-21Business Unit: 4300Department: Developmental ServicesPriority Number: 4Budget Request Name: 4300-004-BCP-2020-GBProgram: 4149001 – Program AdministrationSubprogram: Click or tap here to enter text.Budget Request Description: Information Security OfficeBudget Request Summary: The Department of Developmental Services (Department)requests 0.3 million ( 0.2 million General Fund [GF]), and two (2.0) InformationTechnology Specialist I positions to support workload related to the highest assessedinformation security and cybersecurity vulnerabilities.Requires Legislation: Yes NoCode Section(s) to be Added/Amended/Repealed: Click or tap here to enter text.Does this BCP contain information technology (IT) components? Yes NoIf yes, departmental Chief Information Officer must sign.Department CIO Name: Mike Sakamoto, Deputy DirectorDepartment CIO Signature:Signed On Date: Click or tap here to enter text.For IT requests, specify the project number, the most recent project approval document(FSR, SPR, S1BA, S2AA, S3SD, S4PRA), and the approval date.
Project Number: Click or tap here to enter text.Project Approval Document: Click or tap here to enter text.Approval Date: Click or tap here to enter text.If proposal affects another department, does other department concur with proposal? Yes NoAttach comments of affected department, signed and dated by the department directoror designee.Prepared By: Bryan JohnsonDate: Click or tap here to enter text.Reviewed By: John DoyleDate: Click or tap here to enter text.Department Director: Nancy BargmannDate: Click or tap here to enter text.Agency Secretary: Mark Ghaly MD, MPHDate: Click or tap here to enter text.Department of Finance Use OnlyAdditional Reviews: Capital Outlay: Department of Technology: ITCU: PPBA: Brent HouserDate submitted to the Legislature: January 10, 2020FSCU: OSAE:
A.Budget Request SummaryThe Department requests 0.3 million ( 0.2 million GF) and two (2.0) InformationTechnology Specialist I (ITS I) positions to address the highest information security andcybersecurity vulnerabilities.B.Background/HistoryCalifornia statutes and regulations place a responsibility on state agencies to protect theinformation contained in varied networks, databases, and applications. According to theState Administrative Manual (SAM) Section 5300, each state entity is responsible forestablishing an information security program to effectively manage risk, provideprotection of information assets and prevent illegal activity, fraud, waste, and abuse.Safeguarding these threats requires a robust and sophisticated information securityprogram and consistent improvements to cybersecurity defenses.In 2019, the California Department of Technology (CDT) released a draft of California’sCybersecurity Plan referred to as Cal-SECURE, which provides a baseline for technicalcyber capabilities that are prioritized according to risk and identified the process tomeasure, manage and improve the State’s cybersecurity maturity over time. This planprovides the framework and guidance necessary for effective decision-making for theState to address critical gaps in its cybersecurity capabilities, and provide a roadmap forimplementing and maintaining required security capabilities, the Department began theprocess of strategically addressing the implementation of Cal-SECURE’s framework toeffectively manage and monitor DDS’ information security program to safeguard dataand meet its security goals.Additionally, Federal compliance standards identify DDS as a ‘Health InsurancePortability and Accountability Act (HIPAA) - Covered Entity’ and the Information SecurityOffice (ISO) is responsible for providing security and compliance oversight forapproximately 200 systems utilized by diverse divisions within the Department andleveraged by the regional center system throughout the 58 counties. A breach of anydepartment data facilitated through phishing emails, end-points, un-remediated systemvulnerabilities, and or simple exposure to unauthorized recipients could potentially costthe State millions of dollars in Civil Money Penalties (CMP), levied by the Office of CivilRights (OCR) upon investigation.In the past twelve months, the Department has undergone an increasing number ofmandated State and Federal engagements to audit and assess the Department’sinformation security, privacy, and risk management programs. The events listed beloware a sampling of those engagements:
05/2018 – California Military Department (CDM) – (Information Security Assessment) 09/2018 – California Office of Health Information Integrity (Security / PrivacyCompliance Review) 10/2018 - Federal: Office of Civil Rights – Investigation of O Street Breach (a Top 5breach in 2018) 11/2018 - CDT – (Information Security Audit) 03/2019 - California State Auditor - (FI Cal Audit) 04/2019 - CDT – notified the Department of another mandated assessment in2019-20. 12/2019 – Office of Civil Rights – announced intent to investigate events surroundingaround a compromised email account at one of our department’s business associates(BA)As referenced above, with a significant increase in the number of audits andassessments imposed by state mandates and federal compliance, the Department’sISO has not been able to make significant progress against several known anddocumented risks. These risks are documented, some since 2015, in DDS SIMM 5305B Plan of Actions Milestones (POAM) that is submitted to CDT quarterly, and utilized byCDT to establish a departmental risk and maturity score for the Governor’s office (note:due to the sensitivity of information in the POAM, it is only shared with CDT, thedepartment Directorate, CIO, and ISO). CDT currently considers DDS a high-riskdepartment.Resource HistoryDollars in thousandsProgram BudgetAuthorized ExpendituresActual ExpendituresRevenuesAuthorized PositionsFilled PositionsVacanciesC.2014-15 4,556 4,038N/A60.050.39.72015-16 4,641 4,330N/A61.053.47.62016-17 4,791 4,901N/A65.058.46.62017-18 5,608 5,180N/A69.060.58.52018-19 5,718 5,699N/A67.063.23.8State Level ConsiderationsThe Department receives and processes large amounts of sensitive data, to includeconsumer health care information. The State of California would be legally liable in theevent of data loss and/or a security breach within the Department. In part, this proposalaims to meet legislative requirements, state regulations, SAM 5300 and Cal-SECUREby mitigating cybersecurity risks and addressing vulnerabilities in the Department’sinformation technology security to reduce the potential for more wide spread IT securityvulnerabilities.
This proposal supports the California Health and Human Services Agency StrategicPriorities to Build a Healthy California for All, Integrate Health and Human Services, andImprove the Lives of California’s Most Vulnerable, by enhancing trusted partnerships insecured data sharing, increasing compliancy and protection of data. Approval of thisrequest will allow the Department to provide the necessary information securityresources and program activities to enable the protection of DDS’ information systemswhich are critical to achieving our mission to “protect consumers’ health care rights andensure a stable health care delivery system”.This proposal is consistent with the following: California’s Five Year Cybersecurity Strategic Plan 2019-2023 Governor’s Executive Order B-34-15, California Cybersecurity Integration Center,directing all state departments and agencies to ensure compliance with existinginformation security and privacy policies, promote awareness of information securitystandards with their workforce, and assisting the California Governor's Office ofEmergency Services and the California Cybersecurity Integration Center withimplementation of the Executive Order. California Government Code 8586.5 (AB-1306): "All state departments and agenciesshall ensure compliance with existing information security and privacy policies,promote awareness of information security standards with their workforce, and assistthe California Governor's Office of Emergency Services and the CaliforniaCybersecurity Integration Center." California Government Code 11549.3 requiring all state entities to comply with theinformation security and privacy policies, standards and procedures, issued by theCalifornia Office of Information Security and Office of Privacy Protection. California State Administrative Manual 5300 that directs all state entities to develop,implement and maintain an Information Security Program Plan. State of California Information Technology Plan Goal 4- Secured InformationObjective 4.1 o Protect sensitive data through robust security and privacy programs. CDT’s “Vision 2020: California Technology Strategic Plan” (2017-2020):o Goal 1, Priority 5, Create One Digital Government - Increase Customer satisfactionthrough improved responsiveness, efficiency, and effectiveness of governmentservices; Accelerate the adoption of common technology platforms and services.o Goal 2, Priority 4, Ensure Secure Delivery – Advance the maturity of informationsecurity across California government; Improve and invest in security capabilities toprotect mission critical systems and data. California’s Five Year Draft Cybersecurity Strategic Plan 2019-2023 (Cal-SECURE).
D.JustificationThe role of the Department’s ISO continues to evolve, becoming a critical component tosecuring mission critical applications and technical infrastructure.Constant changes in the cybersecurity threat scape create risk for the Department. Thevolume of work required by the ISO to monitor, alert, respond, and maintain evidence ofcompliance has significantly increased. The increased and ongoing maintenance andconfiguration to support existing systems; adapting to changing threats; and themandated implementation of new software technologies to improve cybersecuritycapabilities has outpaced the growth of the ISO. Furthermore, the technical complexityof these systems and mandated controls continues to increase, requiring a higherdegree of technical skill and specialization to maintain system environments. At thecurrent pace, the existing ISO infrastructure will not be able to effectively support theconfidentiality, integrity, and availability of department data in the future.The recent audits, assessments, and reviews have identified the areas of greatest riskto the Department’s information security and cybersecurity, these areas include:1. Email Threat Protection (SIMM 5315 – Email Threat Protection)2. Multi-Factor Authentication (SIMM 5315 – Email Threat Protection)3. Anti-Malware Protection (SIMM 5355 – End-Point-Protection)4. Patch Management (CMD Assessment)5. Asset Management (CDT Audit)6. Log Management (CMD Assessment)7. Data Loss Protections (SIMM 5315 – Email Threat Protection)To remain in compliance and ensure that new systems are appropriately designed,patched, and secured the Department follows the System Development Lifecycle(SDLC) standard for the creation of new applications in accordance with national andfederal standards.The Federal Information Processing Standard (FIPS) and the National Institute ofStandards and Technology (NIST 800-53) have been adopted by California and are thestandards by which the California Office of Information Security (OIS) assesses andaudits departments and render findings.Information System Security Plans (ISSP) are the tool that the Department uses for theongoing documentation of all systems, new or old, regarding security and compliance.ISSP’s are considered part of the Department’s asset management process anddocument the current security posture of each application. The regular and consistentreview of all systems, required annually, are part of system asset management.Privacy Impact Assessments (PIA), as of November 2019, under SIMM 5310-C are nowrequired of all department systems. PIA’s are similar in nature to the Department’s
ISSP program but focus on the Privacy of systems instead of Security. The collection ofPIA information is similar in nature to the Department’s existing ISSP’s but with adifferent focus.The proposed resources will help address risk identified in recent audits, assessments,and reviews and are aligned with the CDT Draft Cybersecurity Strategic Plan.2.0 Information Technology Specialist I:The network security position is needed to address the implementation andconfiguration related to Email Threat Protection and Multi-Factor Authentication (SIMM5315), End-Point Protection (SIMM 5355), Log Management, and Patch Management.The risk and compliance specialist position will address information security and riskcompliance activities and projects. This position works to support risk managementthrough the software development life cycle, ensuring that department assets (e.g. 200 documented systems) are classified according to FIPS and NIST standards and thatassets are managed and consistently reviewed. The position performs regular riskassessments through the development and maintenance of Information SystemSecurity Plans, a standardize methodology used to identify instances of noncompliance, against the constant change in policies, standards, and regulations, forremediation. The position will also oversee the completion of external audits,compliance reporting, and the training of department staff on compliance and riskstandards. Based on the current staffing levels, the Department will not be able toadequately execute required security initiatives to address its information security andprivacy risks without additional staff. Failure to meet these mandates and regulationsmay result in regulatory non-compliance and civil money penalties for failure to complywith the Health Insurance Portability and Accountability Act.E.Outcomes and AccountabilityThe proposed resources will help address risk identified in recent audits, assessments,and reviews and are aligned with the CDT Draft Cybersecurity Strategic Plan. With theapproval of the network security position, the Department will be able to address thecritical network asset vulnerabilities, the position will consistently monitor and evaluateexisting vulnerabilities and threats to fulfill the requirements identified under assetmanagement and risks to end points. The desired outcome will be to reduce potentialbreaches and increase the managing of information security and privacy.Approval of the risk and compliance specialist, the Department will be able to manageand resolve the highest assessed risks identified and be compliant with existing policy.The Department will validate system logs and assets and gain valuable insights intosystem vulnerabilities from consistent review.
F.Analysis of All Feasible AlternativesAlternative 1: Approve 0.3 million ( 0.2 million GF), and two (2.0) ITS I positions.Pros: Increases the Department’s ability to perform essential information security andprivacy functions,including activities required by the State and Federal governments. Reduces risk that essential services will be unavailable. Supports internal staff development opportunities. Promotes continuity of information through knowledge transfer from state staff to statestaff. Reduces the risk of non-compliance with federal, state, and California Health andHuman Services Agency (CHHS) and CDT mandates.Cons: General Fund costs.Alternative 2: Do not approve increased staffing.Pros: No General Fund costs.Cons: Increases the risk of non-compliance with federal, state, CHHS and CDT mandates. Potential loss of delegated authority resulting from non-compliance. Potential civil and criminal penalties, including financial penalties for non-compliance. Loss of access to data to support the Department’s programs and mission fornon-compliance. Increase risk that essential IT services and support are unavailable, negativelyimpacting the neediest adults and children of California. The Department may have to rely on costly contracting services for informationsecurity, risking violation of Government Code Section 19130 regarding contractingout services. The Department may not be able to effectively restrict system access to authorizedusers without formally established identity and access management processes andprocedures with supporting technology enablement. Potential introduction of vulnerabilities into the Department’s computing environmentand increase the future cost of managing information security and privacy. The Department may not be able to fully comply with the SAM requirement forperforming risk assessments outlined in section 5305.7. The Department may not be able to protect the personal information of consumers
and may be subject to regulatory non-compliance. The Department may not be able to verify security measures are in place andfunctioning properly prior to an audit.Alternative 3: Augment staffing with contracted services.Pros: Easier to develop program using qualified professional services not constrained bycompetitive talent market.Cons: General Fund expenditure increase required for the contracting services. Reliance on costly contracting services risks violation of Government Code Section19130 regarding contracting out services. Federal restrictions on contractor access for certain Departmental programs. The State procurement process will not yield the correct IT resources needed. Does not support internal staff development opportunities leading to potentialresource needs that could remain unfilled due to a competitive job market. Does not promote continuity of information through knowledge transfer to state staff.G.Implementation PlanIf approved, the Department will develop recruitment packages of new state staff, to beready for posting based on requirements released with each new CDT SIMM policybeginning July 1, 2020. Staff will receive training within the first sixty (60) days on-thejob, with knowledge transfer from current staff within the first six-months. The intentionis ISO will be staffed and providing IT security support to the Department. TheDepartment will develop an internal implementation plan with clear deliverables anddeadlines.H.Supplemental InformationAttachment A is the workload justification for two (2.0) IT Specialist I positions: NetworkSecurity Specialist, IT Specialist I - Risk and Compliance Specialist, IT Specialist I tosupport department compliance with new mandates (e.g. SIMM) issued by CDT in 2018and 2019, existing high-risk findings.Attachment B is the Information Security Org Chart.
I.RecommendationThe Department recommends Alternative 1 – Approve 0.3 million ( 0.2 million GF) tofund two (2.0) ITS I positions to support workload related to the highest assessed risks.
BCP Fiscal Detail SheetBCP Title: Information Security OfficeBR Name: 4300-004-BCP-2020-GBBudget Request SummaryPersonal ServicesPersonal earBY 1BY 2BY 3BY 4Positions - Permanent0.02.02.02.02.02.0Total Positions0.02.02.02.02.02.00161161161161161 0 161 161 161 161 16108888888888 0 249 249 249 249 249Salaries and WagesEarnings - PermanentTotal Salaries and WagesTotal Staff BenefitsTotal Personal Services
Operating Expenses and EquipmentOperating Expenses and YearBY 1BY 2BY 3BY 45301 - General Expense0444445302 - Printing0222225304 - Communications0222225306 - Postage0222225320 - Travel: In-State0666665322 - Training0222225324 - Facilities Operation016161616165346 - Information Technology01010101010 0 44 44 44 44 44Total Operating Expenses and EquipmentTotal Budget RequestTotal Budget RequestTotal Budget arBY 1BY 2BY 3BY 4 0 293 293 293 293 293
Fund SummaryFund SourceFund rBY 1BY 2BY 3BY 4State Operations - 0001 - General Fund02342342342342340995 - Reimbursements05959595959Total State Operations Expenditures 0 293 293 293 293 293Total All Funds 0 293 293 293 293 293Program SummaryProgram FundingProgram Funding4149001 - Program AdministrationTotal All earBY 1BY 2BY 3BY 40293293293293293 0 293 293 293 293 293
Personal Services urrentYearBudgetYearBY 1BY 2BY 3BY 41402 - Info Tech Spec I (Eff. 07-01-2020)0.02.02.02.02.02.0Total Positions0.02.02.02.02.02.0Salaries and WagesSalaries and Wages1402 - Info Tech Spec I (Eff. 07-01-2020)Total Salaries and BY 1BY 2BY 3BY 40161161161161161 0 161 161 161 161 161
Staff BenefitsStaff earBY 1BY 2BY 3BY 45150350 - Health Insurance010101010105150500 - OASDI012121212125150600 - Retirement - General050505050505150820 - Other Post-Employment Benefits (OPEB)Employer Contributions0222225150900 - Staff Benefits - Other01414141414 0 88 88 88 88 88Total Staff BenefitsTotal Personal ServicesTotal Personal ServicesTotal Personal earBY 1BY 2BY 3BY 4 0 249 249 249 249 249
IT Security Office BCPAttachment A–Organizational ChartInformation Security Office (ISO) is led by the Chief Information Security Officer, IT Manager Iand reports directly to the ITD Deputy Director / CIO as required by the State in support of theInformation Security, Risk, and Privacy Programs. This chart reflects the both the existingcurrent positions (green) and the proposed positions (blue).
Information Security Office BCPAttachment B –Workload AnalysisInformation Technology Specialist I (ITS-I)Network Security SpecialistReview and prioritize critical patches for the Enterprise networkenvironment based on published Common Vulnerabilities andExposures (CVE) updates.Maintain, configure and support integration between departmentcloud providers and Enterprise SIEM (e.g. Log Management)solution. Review and coordinate change management requests toensure continuity of log data for department systems.AnnualFTEHours200300Maintain, configure and support integration between thedepartments Email Service Provider (Microsoft O365) andEnterprise SIEM (e.g. Log Management) solution. Review andcoordinate change management requests to ensure continuity oflog data for department systems.Monitor and maintain real-time asset inventory and vulnerabilityprofile for network connected systems.200Provide support and oversight for vulnerability events (e.g. isolate,remediate, remove) to restore operation functionality in cooperationwith network teams for impacted systems and devices.200Maintain and configure Enterprise data loss prevention (DLP) toquarantine and prevent the unprotected transmission of critical dataunder state guidelines.Maintain real-time system application reports to ensure compliancewith approved enterprise applications and current CVE risk reports.200Monitor, quarantine, and remediate inbound traffic to preventmalware from impacting enterprise systems.100Implement, configure and maintain integration with Enterprise EndPoint-Protection system and existing perimeter defense (e.g.firewalls).Monitor and review system image change management requests(e.g. servers, and desktops), for compliance with state standardsand minimum vulnerability scores.Information Technology Specialist I (ITS-I) - Total:20010020010018001.0
Information Technology Specialist I (ITS-I)Risk and Compliance SpecialistResponsible for tracking and supporting risk compliance andremediation activities associated with documented deficiencies.AnnualHours180Oversee the successful completion of external audits, supporting thecollection of required artifacts related to risk assessments, complianceaudits, and breach investigations.This position supports risk management through the software developmentlife cycle (SDLC), ensuring that department assets (e.g. 200 documentedsystems) are classified according to FIPS and NIST standards and that theseassets are consistently reviewed per policy.360Maintains and updates department’s Plan of Actions and Milestones(POAM) reflect the current identified department risks in compliancewith State guidelines.Manages and maintains the policy risk exceptions process andcoordinates approval and updates with relevant stakeholders.360This position maintains and updates internal standards and developsprocesses to integrate the collection of this data with existing riskmanagement procedures to maintain state complianceReviews and documents change to system configurations, to ensuresystems remain in compliance with State and Federal standards.180Information Technology Specialist I (ITS-I) - Total:1800FTE3601801801.0
5315), End-Point Protection (SIMM 5355), Log Management, and Patch Management. The risk and compliance specialist position will address information security and risk compliance activities and projects. This position works to support risk management through the software development life cycle, ensuring that department assets (e.g. 200
![Change Management Process For [Project Name] - West Virginia](/img/32/change-20management-20process-2003-2022-202012.jpg)
