Grading California IT: industry-inspired program takes root

The California Department of Technology (CDT) announced this week that it has created a program to test and assess state government departments’ cybersecurity defenses and then grade them periodically — the first state in the nation to devise such a matrix.

The initiative is an outgrowth of the CDT’s emphasis, as outlined in last year’s “Vision 2020” report, on measuring performance through objective metrics — “apples to apples,” as Peter Liebert explains it. Liebert is the state’s chief information security officer and director of the Office of Information Security, and in an interview Thursday with Techwire, he discussed the program and its intent.

“This is not designed to name and shame,” he said. “This is designed to provide a tool (to understand) where they are and where they want to go” in terms of cybersecurity.

For months, the CDT’s Office of Information Security (OIS) and other state IT leaders have been devising ways to assess and grade each department’s cyberdefenses — the ability to resist phishing attacks, for example. Chief information officers and agency information officers helped craft the formulas used to assess cyber hygiene. Departments will be given a grade ranging from 0 on the low end to 4 on the high end.

State departments will be audited and their cyberdefenses graded on an ongoing basis “to establish a baseline for maturity,” he said, defining maturity as “where you are in the implementation of the information security program.”

Liebert noted that different departments face different threat levels — some are bigger targets because of the nature of the data they handle.

“We’re not saying this is an end-all and be-all,” Liebert said. “Fantastic programs can be very mature, but just by the nature of (their) business … (risk) still feeds into the equation. But this helps.”

The California Cybersecurity Maturity Metrics is the outcome of dozens of workshops involving state information security officers (ISOs) and CIOs. In all, Liebert said, representatives of about 40 entities contributed to the final product. Significant input came from the “core four” departments that oversee cybersecurity and cybercrime in California: the California Cyber Security Integration Center (Cal-CSIC), part of the state Office of Emergency Services; the California Highway Patrol, which oversees cybercrime enforcement; the California Military Department; and the CDT.

“We looked at industry best practices,” Liebert said. “We didn’t want to make this an ivory tower approach.” The final outcome is a transparent, open source policy that “draws highly” from the National Institute of Standards and Technology’s (NIST) cyber framework.

“Private-sector programs are proprietary,” he noted. “We wanted to make sure it was tailored to California. We wanted to retain it and control what we do. It’s open source; it has to be transparent.” He said the policy and its specifics would be made available online to state employees so they fully understand the criteria and the schedule of assessments, which will occur on a rolling timetable, continually being updated as each department gathers new data.

“We only get partial data each year, so as audits are being done, they’re collecting data. As soon as the final report data is back, we update and provide the metric back. The idea is that each year, a portion is updated. … The next year, the audit group comes out and tests and pulls new metrics. We didn’t want to just score and then walk away. … We want to really pay attention to folks that are not progressing” in the metrics from year to year.

The program will be explained in depth for state IT workers in a series of workshops this spring. Liebert said attendance is “highly encouraged, and I think we’ll have a packed house, so to speak.”

Departments’ grades will be shared internally with department leaders, but security assessments, audit findings and scores will not be made public, Liebert said.