In today's rapidly changing regulatory environment, California state government agencies rely heavily on technology to deliver vital services to their citizens. From managing public records to responding to Freedom of Information Act (FOIA) requests to administering social programs, secure and efficient data management is vital for agencies and citizens. However, this continuing technology reliance creates an apparent vulnerability – huge, growing data stores of highly sensitive data that are a target for cybertheft, ransomware, and extortionware. The potential risks of not adopting California Trusted System solutions are significant, including the loss of public trust, legal implications, and regulatory issues.

Another complicating factor for agency records storage and management is that California agencies are choosing to eliminate their paper records due to a lack of storage space, budget constraints, ongoing manual document search issues, and lengthening response times. Agencies are now looking for more accurate and faster search results based on the automation offered with electronic document storage and management. 

The California Trusted System Requirement

The California Trusted System program helps address potential issues related to the digitization of agency records with documented and tested data security practices and procedures for all agency-sensitive data.  It establishes a framework for California government agencies to select and implement secure information systems that comply with stringent data security standards.

In this blog, we’ll explore:

1. The compelling need for California Trusted System compliance

2. The benefits the program offers

3. The steps agencies can take to achieve compliance

In addition, a California Trusted System confirms that agency electronically stored information (ESI) is, in fact, an authentic “copy of record” of the original document or information. 

Given the relative speed and ease of manipulating today’s electronic records, a California Trusted System is crucial for ensuring official records are original copies, i.e., non-alterable or disposable.

At a minimum, all California agencies are responsible for ensuring their official records are captured, secured, and unchanged. This responsibility is also a requirement with litigation/eDiscovery and FOIA requests. For example, all electronic documents placed on legal hold and eventually turned over to opposing counsel must be certified as the original (when the hold was placed) to serve as evidence and not trigger a spoliation ruling. Compliance with the California Trusted System program is the key to meeting these obligations. 

The Urgent Need for California Trusted Systems to Battle Cyber Attacks

California government agencies continue to face an unrelenting onslaught of quickly evolving cyber threats. Malicious actors constantly seek to exploit system vulnerabilities to steal sensitive data, disrupt operations, and/or extract ransom payments.

Recent data breaches targeting government agencies have highlighted the devastating consequences of inadequate agency cybersecurity measures. For example, in 2021, a ransomware attack negatively impacted Los Angeles County's computer systems, disrupting access to essential services and causing millions of dollars in damages.

Beyond the immediate financial losses, employee productivity impacts, and agency service levels, cyberattacks erode public trust in the government's ability to safeguard their sensitive information. California citizens entrust government agencies with their sensitive personal data, from social security and driver’s license numbers to medical records and financial history to enable better services. A data breach can expose this sensitive information, leading to identity theft, financial fraud, and, in some cases, physical harm. The California Trusted Systems program is essential in mitigating these risks by establishing a documented and rigorous security baseline for California agency IT systems.

However, compliance with California Trusted System standards goes beyond protecting individual agencies with specific solutions. It fosters secure data exchange and collaboration between different government entities. This interoperability allows for a more consistent and efficient delivery of public services.

Imagine a scenario where a citizen seeking social benefits is potentially forced to verify their identity with multiple unrelated agencies repeatedly. A California Trusted System environment facilitates secure data sharing between these agencies and their systems, streamlining the process for citizens and ensuring standardized citizen PII across government agencies.

Benefits of California Trusted System Compliance

Agencies fully embracing California Trusted System compliance presents a multitude of benefits for California agencies. The most fundamental but essential benefit is a significantly enhanced security posture. Implementing a vetted and secure IT system bolsters an agency's defenses against cyberattacks, minimizing vulnerabilities and protecting sensitive citizen data. Finally, when an agency stores its digital compliance data in a California Trusted System, it can eliminate the original paper copy to help reduce on and off-site document storage requirements.

California Trusted System compliance requirements

The California Trusted Systems program requires:

1. An agency maintains at least two separate copies of an electronic resource/data file
   

2. Use proper hardware/software and media storage techniques to prevent unauthorized additions, modifications, or deletions of digital data
   

3. Store at least one copy of a document in a separate and secure location - this requires that at least one of the copies of a stored electronic document or record be written in a way that does not permit any unauthorized alterations or deletions and is stored and preserved in a separate and safe location/data center – in other words in an encrypted format and stored on immutable or WORM media in two separate locations

4. The system withstands independent audits to ensure document integrity and compliance

Establishing a compliant, trusted system should not rest solely on a given agency’s records manager. In fact, it requires support from an agency’s upper management, legal counsel, and the IT department. It also requires an organization to create and document policies and procedures that provide appropriate electronic record handling and processing as well as training for all employees.

Vendor requirements

Pre-vetted vendors within the California Trusted System program undergo rigorous security assessments, ensuring they meet stringent security standards. This reduces the risk of agencies purchasing non-compliant systems and eliminates the need for agencies to conduct their own time-consuming and costly solution evaluations.

California Trusted System compliance can also lead to streamlined procurement processes for government agencies. With a pre-approved list of vendors with pre-vetted solution offerings, agencies can procure known compliant solutions much faster than traditional methods of system purchases. This relieves the agency from initiating a time-consuming and expensive proof of concept (POC), evaluating the results, and selecting vendors on a case-by-case basis. This expedited process allows agencies to focus on their core missions without getting bogged down in lengthy procurement procedures.

Furthermore, achieving California Trusted System compliance can ultimately translate to measurable cost savings for government agencies. The long-term benefits of trusted systems adoption accumulate due to standardized and proven effective security processes, reduced risk of data breaches (and their associated financial and legal penalties), and potentially lower cyber liability insurance premiums. Consistency and efficiency in data security practices contribute to overall system trust and cost optimization.

The benefits associated with trusted systems extend beyond the walls of government agencies. Citizens can expect faster response times, streamlined processes, more accurate data retrieval, and a more seamless and productive experience when interacting with different California government agencies.

The most significant potential benefit of trusted system adoption is the enhanced public trust that the program fosters. Government agencies build public confidence and assure citizens that their personal information is protected by demonstrating a commitment to data security. This fosters a positive relationship between the public and the government, where citizens feel more confident entrusting their data to essential government services.

The Road to California Trusted System Compliance: A Step-by-Step Guide

While the benefits are substantial, achieving California Trusted System compliance requires a systematic approach by the agency. Key steps include:

1. The Initial Assessment: This first step involves thoroughly assessing an agency's existing IT infrastructure, data security posture, and the types and sensitivity of the collected data. This assessment will identify the security gaps and vulnerabilities in the current systems. In this stage, agencies should also define their specific needs and determine the type of California Trusted System that best aligns with their data security requirements.

2. System Implementation: The next step is system implementation - once the agency has selected a vendor and solution. This involves working with the chosen vendor to configure the system according to the agency's specific needs and security policies.

3. Ongoing Monitoring and Maintenance: California Trusted System compliance is not a one-and-done process. It requires continuous monitoring and maintenance to ensure ongoing security. This includes:

• Regularly updating the system(s) with the latest approved security patches

• Conducting annual vulnerability assessments

• Educating agency security and IT personnel on the latest cyber-attack-vectors 

• And implementing robust intrusion detection and prevention systems, including employee threats. Additionally, agencies must create documented and tested processes for incident response and recovery to recognize and address any potential security breaches swiftly

Navigating the Roadblocks: Challenges and Support

The adoption of compliant California Trusted System solutions may not be without challenges. Agencies may face budgetary constraints or lack the necessary in-house expertise. Fortunately, there are resources available to assist with the process. The California Department of Technology (CDT) provides information and guidance for agencies seeking California Trusted System compliance. The CDT offers online resources, training programs, and a list of certified vendors and systems.

Embracing a Culture of Data Security and Trust

California Trusted System compliance is not just an agency regulatory requirement but a critical step toward building a robust and resilient government IT infrastructure. By prioritizing security and data survivability, agencies can safeguard sensitive information, foster collaboration, and, ultimately, strengthen public trust. The benefits for California citizens, government employees, and the overall efficiency of public services are measurable and undeniable.

In today's ever-evolving cyber threat landscape, achieving and maintaining California Trusted System compliance is not a luxury but an imperative for California agencies. By prioritizing data security and embracing a culture of proactive cyber defense, government agencies can ensure the continued integrity, confidentiality, and availability of the data entrusted to them.

For all state and city agencies, taking steps toward California Trusted System compliance should be a top priority. By leveraging available state resources and other agency experiences and collaborating with trusted partners/vendors, agencies can successfully and cost-effectively navigate this process and realize its benefits quickly. The security of state and city citizen data, the accompanying citizen trust, and the efficiency of agency services depend on it.

The restorVault California Trusted System Data Storage/Management Platform

The restorVault trusted storage cloud archive and data virtualization platform was explicitly designed around the California Trusted System requirements. The restorVault solution addresses the following criteria: 

• As previously stated, the first requirement for Trusted System certification is that an agency be able to maintain at least two separate copies of an electronic resource/data file. – Each file (and its individual hashed fingerprint) is stored in two separate vaults on the restorVault cloud infrastructure, and each file copy is stored in a completely different data center for redundancy.

• The second requirement is that the agency utilize proper hardware/software and media storage techniques to prevent unauthorized data additions, modifications, or deletions. The restorVault solution stores all data in the restorVault cloud and be encrypted AND stored on immutable/WORM storage tiers to ensure “copy of record” status. In reality, encrypting sensitive data in the restorVault cloud ensures sensitive data cannot be stolen and used for nefarious purposes. Additionally, immutable storage ensures that the newer forms of ransomware cannot corrupt or delete your data – which would force you into paying a ransom.

• Third, agencies must store at least one copy of each document/file in a separate and secure location, with at least one copy in an unalterable format, i.e., immutable or WORM storage. As stated above, the restorVault platforms enable the storage of each data file in two separate data center locations in an encrypted state.

• And lastly, the system must withstand independent audits to ensure document integrity. restorVault has a proven track record of providing our platform to many California state and city agencies with ongoing audits and compliance.

Additional restorVault data integrity capabilities include:

• Digital fingerprinting – Each time a file is saved, a unique fingerprint is generated using an MD5 or SHA1 hash of its contents and metadata, so history and file contents cannot be altered after the fact.

• Serial Numbers – Each file is assigned a serial number to ensure no files are missing or have been tampered with.

• Secure Time – The system time clock is secured using a global, redundant, authenticated time source (Stratum Level I hardware time sources).

• Data Encryption – 256 AES data encryption is provided in transit and at rest.

• Data Verification – All stored files are re-verified every 90 days against their fingerprints, repaired using the second copy if necessary, and retained per customer-defined policies.

Contact us today to learn which California agencies have already adopted the restorVault California Trusted Systems data storage platform.