The Chancellor’s Office Digital Innovation & Infrastructure Technology Assistance Program Team (DII TAP Team) conducted four successful Triennial Cybersecurity Review pilots between November 2022 and January 2023. This effort is intended to improve security across the system and is connected to Assembly Bill 178, which provides ongoing funds to help address local- and system-level disparities in information technology (IT) and security infrastructure.
The Triennial Review includes two deliverables: the security review report covers operational aspects such as knowledge and documentation according to the same CIS framework encountered in the recent self-assessment, while the penetration testing report covers technical security controls with a heavy focus on ransomware defense.
“Penetration test” is a broad term that covers everything from a multi-hundred-page vulnerability scan report to a focused red team exercise emulating a threat actor. The Penetration Test Report provided to CCCs:
- Includes a walkthrough of the major components of a ransomware attack, mapped to the discovered weaknesses and strengths of the district
- Includes relevant, proven, and actionable security findings broken into an immediate, one-year, and three-year roadmap
- Includes security hardening guidance from the Chancellor’s Office around accounts and passwords
- Does not include ‘fluff’ findings, such as weak certificate encryption or theoretical attacks with no known way for an attacker to exploit them
- Does not include hundreds of pages of vulnerability scanning results from an automated tool
Based on self-assessment results and district history, the 25 first-round participant districts have been contacted for the 2023 pentesting and triennial review, with 21 already confirmed. The Chancellor’s Office is currently discussing when the second-round Triennial Review testing will begin.
Also, in response to requests and interest, the Chancellor’s Office DII TAP Team is now beginning to consolidate the 13 pages of account hardening guidance included in the Penetration Testing Report for a stand-alone release to all districts soon.