Extracted from Consolidated Report
This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.
Santa Cruz County Grand Jury
• 2023-2024
• Agency Response
Response to:
Scotts Valley City Council
grandjury Scotts Valley Response - Cyber Threat Preparedness Thu, Aug 3, 2023 at 9:14
Findings and Recommendations 4 findings
F15
Page 4
Although Scotts Valley’s managed service provider is very knowledgeable and capable of providing cybersecurity services, there is no single city official with cybersecurity oversight, potentially leading to a poor understanding of the threats and an inadequate response to a cyber attack.
__ AGREE __ PARTIALLY DISAGREE _X_ DISAGREE
Response explanation (required for a response other than Agree):
We agree that the Scotts Valley managed service provider is very knowledgeable and capable of providing cybersecurity services. In addition, the Administrative Services Director oversees the City’s managed services provider contract including cybersecurity services. The Administrative Services Director and City Manager meet at least monthly with the managed service provider where reports of phishing, cyber incidents and training statistics are reviewed and discussed. In the event of an immediate threat or incident, there is immediate communication between the managed service provider, City Manager, and Administrative Services Director. The City Manager and Administrative Services Director have an appropriate understanding of the potential cybersecurity threats and the managed service provider ensures the City has the tools in place to respond to a cyber attack. Therefore we disagree that our organizational structure has the potential to lead to a poor understanding or inadequate response to a cyber attack.
No recommendations for this finding
F16
Page 5
Scotts Valley does not have a current Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, potentially increasing the risks of vulnerabilities.
_X_ AGREE __ PARTIALLY DISAGREE __ DISAGREE
Response explanation (required for a response other than Agree):
No recommendations for this finding
F17
Page 6
Scotts Valley does not have a current Incident Response Plan, which could exacerbate the effects of a cyber incident such as increasing the time a network is unavailable or raising the potential financial costs of a resolution.
__ AGREE _X_ PARTIALLY DISAGREE __ DISAGREE
Response explanation (required for a response other than Agree):
Although the City does not have a written Incident Response Plan, we have reporting channels in place in the event of a cyber incident and access to a cybersecurity response consultant via our risk management insurance pool who is under contract to provide cybersecurity incident response and maintains plans accordingly.
No recommendations for this finding
F18
Page 7
Scotts Valley does not participate in any cybersecurity information sharing groups to enhance best practices, rather they depend on their contractor to stay informed, which makes the City last to know of critical cyber threats.
__ AGREE _X_ PARTIALLY DISAGREE __ DISAGREE
Response explanation (required for a response other than Agree):
Via the City’s insurance pool, MBASIA, cybersecurity information is shared among the 10 city members and our contracted risk management consultants. In addition, our managed service provider stays informed of the cybersecurity environment and alerts the City of potential threats. The City’s relationship with a contracted managed service provider does not make the City any less informed or more vulnerable. In fact, the team we are served by is more informed and provides a broader skillset, knowledge base and faster response times than we could expect if the contract was replaced by 1-2 City staff. That being said, there are always more opportunities for information sharing and collaboration which the City, via its managed service provider, will pursue.
No recommendations for this finding