State of California Department of Technology

Aanko completed work on an enterprise-wide business continuity risk and physical vulnerability assessment for the statewide IT system. This assessment was part of a broader state-wide Risk Assessment Framework (RMF) implemented and required of all State of California Information Systems Enterprise Architecture. This framework followed federal guidance for information and information systems under the Federal Information Security Management Act (FISMA), of which the State of California has adopted and implemented under the State Administrative Manual (SAM) and the State Information Management Manual (SIMM).

The purpose of the assessment was to assist the department in making risk-based decisions for business resumption planning as part of the department’s overall Business Resumption Plan. It was also designed to provide a physical-cyber security interface report for the department to understand its full range of physical and cyber security risks to meet Section 11549.3 of the California Government Code requirements

The audit included identification of environmental vulnerabilities and physical security risks, and development of a report of findings and recommended steps for mitigation and prevention. IT Security and Governance were assessed using the NIST risk management framework and NIST risk assessments. Aanko identified gaps detailing the common security controls for the enterprise that were needed, as well as information security and HIPAA privacy requirements.