Score: +7 (7/1/0)

Mono County Grand Jury • 2025-2026

Investigation Report Mono County Cybersecurity Preparedness

Published: March 01, 2025 8 pages

Ver PDF original

⚠️ Aviso de traducción: Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.

⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.

Findings and Recommendations 7 findings

The County regards Cyber Security preparedness as a high priority by taking positive actions to continuously improve its maturity posture resulting in a lower risk of cyber security incidents.

Related Recommendations (1)

The Grand Jury commends the Information Technology department for their ongoing efforts on cybersecurity preparedness.

The Payment Card Industry (PCI) self-assessment questionnaire (SAQ) process inadequately involves IT resulting in a lack of IT awareness of the PCI Compliance process and errors on attestation reporting.

Related Recommendations (1)

The grand jury recommends the Board of Supervisors instruct the Director of Finance and Director of IT to document and put into practice a cooperative process for completing the annual PCI Compliance assessment. Recommendation to be completed by 08/01/2025.

The lack of immutable backups results in increased risk of disruption to important County operations due to a ransomware attack.

Related Recommendations (1)

The grand jury recommends the Board of Supervisors instruct the Director of Finance and Director of IT to determine the correct PCI SAQ form(s) to be used in the County’s next annual PCI Compliance assessment and attestation. Recommendation to be completed by 08/01/2025.

Computing devices, no longer supported by the vendor, are present in the environment resulting in an increased risk of cybersecurity vulnerabilities and attacks.

Related Recommendations (1)

The grand jury recommends the Board of Supervisors instruct the Director of IT to document a plan to implement immutable backups for operationally critical data. Plan to be documented by 9/01/2025.

The lack of consistent periodic external penetration testing and vulnerability scans results in unknown potential exploits which increases the risk of cybersecurity incidents.

Related Recommendations (1)

The grand jury recommends the Board of Supervisors instruct the Director of IT to define a sustainable annual process to remove or replace unsupported computing devices from the environment. Recommendation to be completed by 08/01/2025. 7

Important Cyber Security projects and initiatives have not begun or are lagging due to insufficient staffing.

Related Recommendations (1)

The grand jury recommends the Board of Supervisors instruct the Director of IT to define a sustainable process to conduct periodic external penetration tests and vulnerability scans. Recommendation to be completed by 09/01/2025.

Quarterly cyber security training is taking place with noteworthy results. However, there’s a lack of visibility to compliance measurements among County executives.

Related Recommendations (1)

The grand jury recommends the Board of Supervisors instruct the Director of IT to assess the staffing and capacity demands needed to reasonably support Information Technology’s Cyber Security roadmap for the purpose of submitting such staffing in its next fiscal year budget. Recommendation to be completed by 10/01/2025.

Additional Recommendations 1

These recommendations are not explicitly linked to specific findings.

R8

The grand jury recommends the Board of Supervisors instruct the Director of IT to implement a process for providing the Board of Supervisors a quarterly report on employee compliance to cybersecurity training. Recommendation to be completed by 10/01/2025.

Agency Responses 1

Government agencies' official responses to this report's findings and recommendations. Click on a response to see the structured breakdown.

County Counsel OFFICE OF THE Telephone

June 10, 2025 • 8 pages • 12 responses • Score: +7 (+7, 1, 0) View Details ▾

PDF

12 responses to findings and recommendations

Response: Disagree Partially Score: 0

The Board agrees in part and disagrees in part with this finding. Mono County IT itself does not store or process customer credit cards, and as a result has not been involved in PCI. Departments that receive credit card payments do so via 3rd party vendors. As such, payment systems decisions are determined by Finance, managed by the departments that use them, and should go through a contract, technical, and security review process by IT. Nonetheless, Mono County IT can be equipped to better assist departments in managing their obligations with respect to PCI. Implementation of F2: The Board wi...

Response: Unknown

Score: 0

The Board agrees in part and disagrees in part with this recommendation. Implementation of R2: IT will train staff to be aware of PCI and SAQ requirements in order to better assist other county departments. IT will work with Finance to identify the correct SAQ form to be used during the self-assessment process and will partner with Finance and other departments responsible for processing customer credit cards to complete the SAQ and will provide input where appropriate. Implementation Timeline for R2: The Board expects training and collaboration with Finance in Fiscal Year 25-26. Page 4 of 7 ...

The lack of immutable backups results in increased risk of disruption to important County operations due to a ransomware attack.

Response: Agree Score: +1

The Board agrees with this finding. The Board recognizes and takes seriously the importance of reliable accessible backups. The Board acknowledges that there are always ways to improve the backup technology that we use beyond what is required. Implementation of F3: The Board will direct IT to research available and practical immutable backups and the possible implementation strategies for Mono County's needs. In doing so, IT will seek input from and collaboration with departments to identify their most critical systems that require Page 1 of 7 immutable backups. IT will also work to develop a...

Response: Will Implement

Score: +1

The Board agrees in part and disagrees in part with this recommendation. Other departments that are responsible for processing consumer credit card information should also be involved in the process to identify the correct SAQ together with IT and Finance. Implementation of R3: IT will work with Finance to identify the correct SAQ form to be used during the selfassessment process. Implementation Timeline for R3: IT will complete this recommendation before the close of Fiscal Year 25-26. R4: The grand jury recommends the Board of Supervisors instruct the Director of IT to document a plan to imp...

Computing devices, no longer supported by the vendor, are present in the environment resulting in an increased risk of cybersecurity vulnerabilities and attacks.

Response: Agree Score: +1

The Board agrees with this finding. IT acknowledges that there are pieces of equipment that are past their End-Of-Life (EOL) still operating in our environment. Currently we operate under a Technology Refresh/Internal Service Fund (ISF) that was established in 2014. The ISF was meant to ensure that equipment, including desktop devices, servers, and storage) could be replaced in an efficient fashion as that equipment reached its EOL. The ISF was designed to guarantee adequate funding for those replacements. Each department contributes to the fund annually in accordance with the number of employ...

The grand jury recommends the Board of Supervisors instruct the Director of IT to document a plan to implement immutable backups for operationally critical data. Plan to be documented by 9/01/2025.

Response: Unknown

Score: 0

The Board agrees with this recommendation. Implementation of R4: IT will research available and practical immutable backups and the possible implementation strategies for Mono County's needs. In doing so, IT will seek input from and collaboration with departments to identify their most critical systems that require immutable backups. IT will also work to develop a procedure for the implementation of immutable backups that then meets departmental needs. The Board expects to review as part of a future budget process that includes resources to support a plan for immutable backups.. Implementation...

The lack of consistent periodic external penetration testing and vulnerability scans results in unknown potential exploits which increases the risk of cybersecurity incidents.

Response: Agree Score: +1

The Board agrees with this finding. IT recognizes and takes seriously the importance of identifying and understanding potential points of vulnerability to cyberattack. The environment is currently monitored by a 24/7 Security Operations Center and activity is monitored by IT staff. Potential risks are researched and IT staff take the necessary steps to mitigate those risks. Additional security exercises and testing are beneficial ways of protecting the environment. Implementation of F5: The Board will encourage IT will explore additional penetration testing strategies and vendor relationships....

Response: Unknown

Score: 0

The Board agrees with this recommendation. Page 5 of 7 Implementation of R5: As budget has not always been adequate to replace all end of life and end of sale equipment, IT will update its procedures and monitor the costs of replacement equipment to make the ISF more effective going forward. The Board will review any additional personnel resources, such as another Network Specialist position, during future budget processes and allocation adjustments so that IT can meet schedules for removal and installation of equipment on an annual basis moving forward. Implementation Timeline for R5: IT wil...

Important Cyber Security projects and initiatives have not begun or are lagging due to insufficient staffing.

Response: Agree Score: +1

The Board agrees with this finding. Mono County takes cybersecurity seriously and fosters a culture of cybersecurity awareness. While cybersecurity is ultimately the primary responsibility of each individual user in the environment, IT creates and implements policies to encourage a culture of individual concern and responsibility for maintaining cybersecurity. However, IT is currently in the process of staffing up following a series of departures. Implementation of F6: In March 2025, IT hired a Chief Information Security Officer. IT will work with Human Resources to develop a job description, ...

Response: Will Implement

Score: +1

The Board agrees with this recommendation. Implementation of R6: IT will explore additional penetration testing strategies and vendor relationships and can set a schedule in the context of those relationships for periodic testing. Implementation Timeline for R6: As penetration testing requires currently unallocated resources, the Board expects to review requests in the Fiscal Year 25-26 budget process and that IT will implement strategies within that timeframe. R7: The grand jury recommends the Board of Supervisors instruct the Director of IT to assess the staffing and capacity demands needed ...

Quarterly cyber security training is taking place with noteworthy results. However, there’s a lack of visibility to compliance measurements among County executives.

Response: Agree Score: +1

The Board agrees with this finding. Historically results of quarterly compliance trainings have not been brought to the Board of Supervisors. Some compliance issues also have not been brought to the Board because discussion of those items in open session may present security concerns. Implementation of F7: The Board of Supervisors will direct Mono County IT to create a standing quarterly agenda item to report out to the Board of Supervisors the results of training. IT will make recommendations to and take direction from the Board on the level of detail and information to be included in those r...

Response: Unknown

Score: 0

The Board agrees with this recommendation. Implementation of R7: The Board will direct IT to assess its staffing needs following a series of departures this year. IT will also work to create an allocation and job description for a Cyber Security Analyst to add to the IT team and other personnel resources required by these Recommendations. Page 6 of 7 Implementation Timeline for R7: IT will include all required personnel-related budget requests in its Fiscal Year 26-27 proposals. R8: The grand jury recommends the Board of Supervisors instruct the Director of IT to implement a process for provi...

No Responses Found 2

Government entities assigned to respond to this report. No response documents have been linked in our database.

County of Mono Agency

Mono County Board of Supervisors Elected County Office