California OCIO Case Study
Public Sector Case Study
To improve security in California’s IT infrastructure, the Office of the State Chief Information
Officer
(OCIO) issued a new policy that includes employee remote access security standards for working
from home
or off-site. The policy also requires that state agencies complete a compliance form.
The policy was issued to help state agencies develop secure remote access for employees and
minimize
security risks. The corresponding standard highlights important measures that IT agencies must
adopt to
certify their remote access programs. It includes controls related to the use of up-to-date
operating system
software and security software for every remote connection.
The standard also requires that all computing equipment connected to the state’s IT infrastructure
network for
remote access purposes be state-owned and securely configured. Remote access users can only
connect
through secure encrypted channels—virtual private networks—authorized by agency
management. The
security measures also apply to paper files and mobile devices like personal digital assistants
(PDAs).
According to the information policy letter, agency heads must comply with the following:
• Make sure authorized users permitted to use remote access are trained for their roles and
responsibilities,
security risks, and the requirements in the standard
• Adopt and implement the requirements in the standard and certifying their agency’s compliance
• Annually complete and submit the Agency Telework and Remote Access Security Compliance
Certification form to the Office of Information Security
California was among the first governments in the country to establish enterprise-wide policies
for remote
access, joining states such as Virginia and Arizona, and the federal government.