San Joaquin County Grand Jury • 2021-2022

2021−2022 San Joaquin County Grand Jury Working Title 1: Working Title 2 (Case No. xx20) San Joaquin County and Its

Published: May 12, 2021 15 pages

Findings and Recommendations 32 findings

F1
1 San Joaquin County does not have a formal internal policy concerning payments or procedures in ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of such an attack.
Related Recommendations (1)
R1
1 By November 1, 2022, the San Joaquin County Board of Supervisors, in conjunction with San Joaquin County ISD, develop, adopt and implement a formal internal policy and procedure for response to a ransomware attack.

2.0 City of Escalon−Discussion

The City of Escalon does not have an independent IT department but has a contract agreement with Mid Valley IT to provide all IT services. In the City organization, IT functions report to the Finance and HR Directors. Each employee is given a level of access according to assigned responsibilities within their department. All employees receive information security training specific to their responsibilities as well as general security awareness training. The IT consultant employs an aggressive multi-layered approach to mitigate security threats through software and hardware protection measures. Critical or confidential data is stored in multiple cloud-based locations and systems employing numerous safeguards, including use of multi-factor authentication for access. IT functions are protected with a standby generator and redundant backups in case of a system failure. The generator is tested periodically for functionality.

The City of Escalon met all but one of the expectations for adequate cybersecurity. Escalon is by far the smallest city in San Joaquin County, but by using a contracted IT service provider, Escalon is meeting its cybersecurity needs. The City of Escalon does not have a documented Business Continuity Plan.
F2
1 The City of Escalon does not have a documented Business Continuity Plan, leaving the City relatively unprepared to restore essential services in a disruptive event.
Related Recommendations (1)
R2
1 By January 1, 2023, the Escalon City Council, in conjunction with Mid Valley IT, develop, adopt and implement a Business Continuity Plan.

3.0 City of Lathrop−Discussion

The City of Lathrop met six of the expectations for the nine elements considered in this investigation. Lathrop’s IT organization includes a Director of Information Technology at the cabinet leadership level, a policy strongly recommended by an IT expert for maximum IT security. Including the Director of IT in frequent, regular meetings with other department heads allows effective communication of IT security needs to all City departments.

Expectations for data confidentiality and data security were met. However, use of multi-factor authentication for system access was not universal at the time of this investigation, leaving Lathrop at higher risk of attack. Lathrop provides an unsecured public Wi-Fi network, separate from the City’s secure business network and accessible to any user. Hackers or other bad actors could take advantage of the unsecured network, possibly resulting in compromise of log-in credentials from that network and possibly exposing the City to costly liability suits.

Lathrop was in the process of developing and approving a BCP and DPP plan at the time of this investigation. Similarly, the City was updating an internal policy for response to a ransomware attack. At the time of this investigation, Lathrop lacked insurance against losses incurred in a cybersecurity incident.
F3
1 The City of Lathrop does not employ multi-factor authentication universally, leaving City systems more vulnerable to the activities of bad actors.
Related Recommendations (1)
R3
1 By November 1, 2022, the Lathrop City Council, in conjunction with the City’s IT department, develop, adopt and implement a procedure for universal multi-factor authentication for access to City data.
F4
1 The City of Lodi does not have an approved Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event.
Related Recommendations (1)
R4
1 By January 1, 2023, the Lodi City Council, in conjunction with the City’s IT division, develop, adopt and implement a Business Continuity Plan.

5.0 City of Manteca−Discussion

The City of Manteca met seven of the nine expectations considered in this investigation. Manteca’s Information Technology department is independent in the City’s organization. The department director reports directly to the City Manager and meets weekly with other City department heads. User level of access is determined by position, background and other departmental factors. Employees are trained on a regular basis. The training is mandatory for all employees. Hard drives are encrypted, and a Mobile Device Management tool is used for tablets, laptops and phones.

Manteca’s ISD is currently updating its Information Technology Security Policy. This comprehensive policy has not been updated since 2010. Manteca’s Department of Information Technology and Innovation is collaborating with City administration and the City Attorney to update all policies relating to information technology security. Similarly, the City is in the process of bringing both hardware and software systems up to next-generation standards with new firewall, malware, user access, backup systems and applications in place.

Employee training is executed through KnowBe4, an industry-standard cybersecurity training program which includes phishing and other email compromise testing. Regarding firewalls and switches, roughly 60% still operate off single rather than dual or redundant power supplies. Over the next five years, the City is phasing out older devices as they reach end-of-life.
F5
1 The City of Manteca has an Information Technology Security Policy which has not been updated since 2010, leaving the City relatively unprepared for a cyber event.
Related Recommendations (1)
R5
1 By January 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, develop, approve and implement an updated Information Technology Security Policy.
F6
1 It is unclear in the City of Ripon’s Organization Chart where responsibilities for IT and IT security lie, creating confusion over who is responsible to act in a disruptive event.
Related Recommendations (1)
R6
1 By January 1, 2023, the Ripon City Council develop and make public an updated City Organization chart showing details of the City’s IT functions, including all IT positions.
F7
1 The City of Stockton does not have a formal internal policy concerning payments or procedures in ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of an attack.
Related Recommendations (1)
R7
1 By November 1, 2022, the Stockton City Council, in conjunction with the City’s IT department, develop, adopt and implement a formal internal policy and procedure for response to a ransomware attack.

8.0 City of Tracy−Discussion

The City of Tracy met all expectations for cybersecurity or was in the process of meeting them when surveyed. The City has an Information Technology Division, which is part of the Finance Department. This division supports all departments and functions of the City except water treatment. Data confidentiality and security are guaranteed with industry-leading, next-generation firewalls and network access controls. Data storage, backup and cybersecurity are monitored continually. The IT Manager meets every two weeks with all other City department heads to address IT issues, including cybersecurity.

Tracy does not require encryption of thumb drives used on City devices, a requirement that is considered a “best practice” by an expert witness. Tracy does not have either a formal Business Continuity Plan or Disaster Preparedness Plan in place but is in the process of developing both. The BCP was scheduled to be complete in April 2022. Completion date for the DPP was not specified by the City.
F8
1 Lacking a requirement for encryption of thumb drives used on City devices exposes the City of Tracy to potential data theft and contamination.
Related Recommendations (1)
R8
1 By November 1, 2022, the Tracy City Council, in conjunction with the IT division, develop, adopt and implement a policy requiring encryption of thumb drives used on City devices.
F1.1
San Joaquin County does not have a formal internal policy concerning payments or procedures in ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of such an attack.
No recommendations for this finding
F1.2
San Joaquin County has an exemplary profile regarding cybersecurity and should serve as a model for other government agencies within San Joaquin County.
No recommendations for this finding
F2.1
The City of Escalon does not have a documented Business Continuity Plan, leaving the City relatively unprepared to restore essential services in a disruptive event.
No recommendations for this finding
F3.1
The City of Lathrop does not employ multi-factor authentication universally, leaving City systems more vulnerable to the activities of bad actors.
No recommendations for this finding
F3.2
The City of Lathrop provides an unsecured public Wi-Fi network. Misuse of this unsecured network could expose the City to liability risks.
No recommendations for this finding
F3.3
The City of Lathrop does not have an approved Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event.
No recommendations for this finding
F3.4
The City of Lathrop does not have a formal internal policy or procedure to address ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of such an attack.
No recommendations for this finding
F3.5
The City of Lathrop does not have an insurance policy covering financial losses from a cyberattack, possibly exposing City financial resources.
No recommendations for this finding
F4.1
The City of Lodi does not have an approved Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event.
No recommendations for this finding
F4.2
The City of Lodi has implemented an excellent cyber awareness training program for all employees, minimizing the risk of damage from cyberattack.
No recommendations for this finding
F5.1
The City of Manteca has an Information Technology Security Policy which has not been updated since 2010, leaving the City relatively unprepared for a cyber event.
No recommendations for this finding
F5.2
The City of Manteca lacks a policy and procedure for ransomware attacks. This absence of policy could cause confusion, delay, and greater loss of security in the event of such an attack.
No recommendations for this finding
F5.3
The City of Manteca has a significant number of security devices with single power supplies. This lack of redundant power presents vulnerability in major or prolonged power outages.
No recommendations for this finding
F6.1
It is unclear in the City of Ripon’s Organization Chart where responsibilities for IT and IT security lie, creating confusion over who is responsible to act in a disruptive event.
No recommendations for this finding
F6.2
The City of Ripon has a rudimentary network diagram outlining the City’s router and firewall relationship with networks used, but the diagram lacks detail, leaving uncertainty about data security.
No recommendations for this finding
F6.3
Although the City of Ripon met expectations in the areas of data confidentiality and security, lack of IT staff and leadership leaves these areas vulnerable to cyberattack.
No recommendations for this finding
F6.4
The City of Ripon lacks a Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event.
No recommendations for this finding
F6.5
The City of Ripon does not have a Disaster Preparedness Plan, leaving the City at risk for significant delay and cost to restore IT systems in the event of a disaster.
No recommendations for this finding
F6.6
The City of Ripon does not have a formal policy or procedure to address ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of an attack.
No recommendations for this finding
F7.1
The City of Stockton does not have a formal internal policy concerning payments or procedures in ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of an attack.
No recommendations for this finding
F7.2
The City of Stockton has a large IT Department which places cybersecurity and disaster preparedness at a high priority, minimizing risk to the City’s information and service systems.
No recommendations for this finding
F8.1
Lacking a requirement for encryption of thumb drives used on City devices exposes the City of Tracy to potential data theft and contamination.
No recommendations for this finding
F8.2
The City of Tracy lacks a completed Business Continuity Plan, rendering Tracy relatively unprepared to restore essential services in a disruptive event.
No recommendations for this finding
F8.3
The City of Tracy lacks a completed Disaster Preparedness Plan, leaving Tracy at risk for delay and cost to restore IT systems in the event of a disaster.
No recommendations for this finding

Conclusions 3

Agency Responses 2

Government agencies' official responses to this report's findings and recommendations.