Extracted from Consolidated Report
This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.
Santa Cruz County Grand Jury • 2023-2024 • Agency Response
Response to:
Capitola City Council
Grand Jury Non-compliant response received Moss, Julia Fri, Sep 15, 2023 at 1:18 PM
Findings and Recommendations 5 findings
F19
Page 8
With one individual responsible for IT services, Capitola does not allocate sufficient resources to cybersecurity, a status that could lead to poor cyber knowledge and unnecessary vulnerabilities.

__ AGREE __ PARTIALLY DISAGREE _X_ DISAGREE

Response explanation (required for a response other than Agree): The City of Capitola allocates sufficient resources to cybersecurity. The City employs an Information Systems Specialist in the City Manager Department and holds a contract with Exceedio for 24-hour technical support, analysis, and security.
No recommendations for this finding
F20
Page 9
The City of Capitola does not have a robust cybersecurity training program, nor does it conduct phishing tests or routinely remind employees to adhere to cybersecurity measures during potential periods of increased threats.

__ AGREE _X_ PARTIALLY DISAGREE __ DISAGREE

Response explanation (required for a response other than Agree): The City is currently working to address the need for robust employee cybersecurity training. At present, the following is in place:

1. Capitola Police Department mandates twice-annual security awareness training for their IT, Captain & Chief, Officers, and Records Staff, as well as Public Works staff, the Volunteers in Policing (VIPs), and cleaning staff.
2. All City employees are required to complete “Email and Messaging Safety” training on an annual basis.

The City is developing new additions to the training plan, such as:

1. The City’s Information Systems Specialist is developing regular phishing tests to be sent to all employees on a rolling basis, with further help and training available to those employees who ‘fail’ phishing tests.
2. The City’s Information Systems Specialist is implementing mandatory cyber security training as a part of New Employee Onboarding that must be completed prior to new employees’ gaining access to the City’s network, shared files, internet, and email.
No recommendations for this finding
F21
Page 10
The City of Capitola does not have a Cybersecurity Plan to address cybersecurity measures city wide, suggesting the city is not adequately mitigating the potential impact of cyber incidents.

__ AGREE __ PARTIALLY DISAGREE _X_ DISAGREE

Response explanation (required for a response other than Agree): Capitola Police Department has adopted Policy Section 806.11 regarding Information Technology and Cybersecurity. The City has a functioning cybersecurity plan that addresses security concerns and outlines a response plan to a security breach. Staff is also working with the Santa Cruz County Cyber Security Consortium to draft a more comprehensive Cybersecurity Plan template that can be modified for each jurisdiction.
No recommendations for this finding
F22
Page 11
The City of Capitola does not have an Incident Response Plan, which could exacerbate the effects of a cyber incident, such as increasing the time a network is unavailable or raising the potential financial costs of a resolution.

__ AGREE __ PARTIALLY DISAGREE _X_ DISAGREE

Response explanation (required for a response other than Agree): The City has a Cyber Attack Response plan in place. The plan is modified and updated annually by the Information Systems Specialist.
No recommendations for this finding
F23
Page 12
Capitola does not participate in any cyber-focused information sharing groups, nor does it take advantage of state and federal resources designed to assist small cities with mitigating cyber attacks, thereby forfeiting opportunities to learn best practices and raise their cyber awareness.

__ AGREE __ PARTIALLY DISAGREE _X_ DISAGREE

Response explanation (required for a response other than Agree): The City’s Information Systems Specialist participates in:

1. Cyber threat meetings sponsored by Alverez Technology Group
2. NCRIS.ca.gov Regional Information Center meetings regarding cyber threats
3. MISAC.org
4. Santa Cruz County Cyber Security Consortium
No recommendations for this finding