Orange County's Digital Data: Is It Protected From Cyber Attack?*

Orange County government entities are prime cyber targets, under constant cyber attack, and both public and private information held by these entities are not adequately protected. Disagrees partially with this finding. Orange County is no more a target than Response: other government agencies. Government agencies are continuously targeted for various reasons such as hacktivism and cyber crime. It is not correct to say the information is not adequately protected. Information systems are protected and monitored. Orange County has a robust Cyber Security Deterrence Program. Continuous improvement in this area is being addressed by way of county wide cyber security assessments and the establishment of a County Cyber Security Joint Task Force (CSJTF). The CSJTF was established to standardize security controls and methodologies across all County departments.

The county is subject to many types of cyber attacks but phishing currently represents the highest risk to the county's sensitive information. Agrees with this finding. Response:

Some county cyber attacks come through third-party vendors, who may not always be sufficiently protected. Agrees with this finding. Third party vendors are now vetted for their security Response: protocols during the procurement cycle and when third party vendors "enter" the County's network, they are subject to County standards.

The county has taken a number of steps to safeguard its digital data and systems against cyber attack, but there are a number of actions generally recognized as cybersecurity best practices that still need to be implemented. Partially disagrees with this finding. As mentioned earlier, cybersecurity Response: measures are ever evolving; which best practices the County will choose to implement will be based on County-specific evaluations. The Board of Supervisors has authorized a dedicated team to lead county security planning, deployment and recovery. The County adheres to best practice both in the commercial and government space and continues to evaluate changes to our protocols as new measures are available.

County financial records do not separate out cybersecurity as a line item, making it hard to determine what resources are being allocated in the area and therefore what additional funds are needed. Disagrees with this finding. OCIT maintains an Enterprise Security budget which Response: is meant to cover cyber security management, maintenance, assessment, incident response, and new initiatives.

Cooperation among county agencies is currently limited due to organizational and cultural issues including the visibility of available centralized OCIT cybersecurity support, the inward focus of county agencies and the fact that the influence of the BOS to compel collaboration is largely limited to county agencies with appointed heads that report to the county CEO and, to a lesser degree, the county agencies with elected heads. Respondent disagrees with this finding. The CJSTF represents a major shift in Response: this culture as it is made up of representatives from all County departments, including elected and appointed departments. Additionally, both elected and non-elected department heads sit on the IT Executive Council – a Board of Supervisors-approved IT governance body. OCIT Enterprise Security has seen an increased interest over the past 18 months in sharing information and improved collaboration in the areas of mitigating risks of cyber threats and responding to cyber security incidents. Departmental leadership understands the County is stronger when all departments collaborate to reduce the risks associated with cyber threats as evidenced by the participation on the CSJTF and the IT Executive Council.

OCIT has an effective team in place for addressing cybersecurity deficiencies, but it is only in the formative stages of implementing centralized standards and best practices for cybersecurity. Outside OCIT's control, county government agencies are taking advantage of the county's cybersecurity initiatives to different degrees. Agrees with this finding. Response:

IT employees across county government are largely untrained and uncertified in cybersecurity, especially at the agency level. Staffing for cybersecurity is challenging due to outdated county cybersecurity job classifications and salary levels, as well as lengthy county hiring processes, particularly for those agencies requiring extensive background checks. Disagrees partially with this finding. Some departments do provide security Response: specific training such as the County's Health Care Agency. OCIT Enterprise Security is addressing this issue, by increasing the IT security training budget from $30,000 to $50,000 annually. With respect to non-IT employees, the County implemented mandatory online Cyber Security Awareness Training (CSAT) in January of 2017. Since implementation, over 90% of County employees have competed the online CSAT. The CISO agrees with the finding that it is challenging to hire cyber security professionals for the reasons stated in this finding. RECOMMENDATIONS AND RESPONSES: