Findings and Recommendations 8 findings
F1
Orange County government entities are prime cyber targets, under constant cyber attack, and both public and private information held by these entities are not adequately protected.
Related Recommendations (1)
R1
The county should establish a periodic cybersecurity audit schedule for all third-party vendors that connect to county networks and systems by 12/31/2017.
F2
The county is subject to many types of cyber attacks but phishing currently represents the highest risk to the county’s sensitive information.
Related Recommendations (1)
R2
OCIT should select, acquire and direct the implementation of computer-based data loss prevention capability by 12/31/2017.
F3
Some county cyber attacks come through third-party vendors, who may not always be sufficiently protected.
Related Recommendations (1)
R3
The county should review, update and standardize all employee and contractor exit procedures to ensure the security of countywide sensitive information by 12/31/2017.
F4
The county has taken a number of steps to safeguard its digital data and systems against cyber attack, but there are a number of actions generally recognized as cybersecurity best practices that still need to be implemented.
Related Recommendations (1)
R4
OCIT should establish a countywide cybersecurity working group by 12/31/2017. Participation should be mandatory for County of Orange agencies that report to the CEO and highly recommended for other county government entities.
F5
County financial records do not separate out cybersecurity as a line item, making it hard to determine what resources are being allocated in the area and therefore what additional funds are needed.
Related Recommendations (1)
R5
OCIT should develop a formal five-year cybersecurity strategic plan as a separate part of the IT Strategic Plan in the next county strategic plan.
F6
Cooperation among county agencies is currently limited due to organizational and cultural issues including the visibility of available centralized OCIT cybersecurity support, the inward focus of county agencies and the fact that the influence of the BOS to compel collaboration is largely limited to county agencies with appointed heads that report to the county CEO and, to a lesser degree, the county agencies with elected heads.
Related Recommendations (1)
R6
OCIT should finalize a mandatory county incident response plan with procedures for individual agency exceptions and present it to the appropriate oversight bodies and BOS for approval by 7/1/2018.
F7
OCIT has an effective team in place for addressing cybersecurity deficiencies, but is only in the formative stages of implementing centralized standards and best practices for cybersecurity. Outside OCIT’s control, county government agencies are taking advantage of the county’s cybersecurity initiatives to different degrees.
Related Recommendations (1)
R7
The county should include in its 2018-19 IT Strategic Plan the identification, documentation and categorization by risk of county digital sensitive information.
R8
The county should annually review and update the amount and types of county cyber insurance based on the annual county risk analysis.
F8
IT employees across county government are largely untrained and uncertified in cybersecurity, especially at the agency level. Staffing for cybersecurity is challenging due to outdated county cybersecurity job classifications and salary levels, as well as lengthy county hiring processes, particularly for those agencies requiring extensive background checks.

Penal Code §933 and §933.05 require governing bodies and elected officials to which a report is directed to respond to findings and recommendations. Responses are requested from departments of local agencies and their non-elected department heads.

RECOMMENDATIONS
In accordance with California Penal Code Sections §933 and §933.05, the 2016-2017 Grand Jury requires (or, as noted, requests) responses from each agency affected by the recommendations presented in this section. The responses are to be submitted to the Presiding Judge of the Superior Court. Based on its investigation “Orange County’s Digital Data: Is It Protected from Cyber Attack?” the 2016-2017 Orange County Grand Jury makes the following 18 recommendations:
Additional Recommendations 6
These recommendations are not explicitly linked to specific findings.
- R9 OCIT should implement cybersecurity training and professional certification of all county IT analysts having cybersecurity as a part of their job responsibilities by 7/1/2018.
- R10 OCIT should establish audit and test procedures to periodically, but no less than every two years, gauge the effectiveness of training and other cybersecurity measures by 7/1/2018.
- R11 The county should establish separate budget line items for cybersecurity expenses and capital investments for the 2018-2019 budget.
- R12 The county should implement the use of regional cooperative agreements for the acquisition of all cybersecurity related products and services by 7/1/2018.
- R13 The county should review and update IT job classifications and salary levels to reflect the current job market by 6/30/18.
- R14 The county should develop a succession plan covering cybersecurity-critical positions by 6/30/18 to provide for continuity of these positions.
- R15 Procedures for updating and patching all county software and systems that have been established by OCIT for the shared services program should be made mandatory for all county departments and agencies that report to the CEO, and recommended for all other county government entities by 6/30/18.
- R16 OCIT should draft and implement standardized procedures for mandatory use of full disk encryption and remote find/wipe capabilities for countywide mobile devices by 7/1/2018.
- R17 OCIT should establish standardized procedures for IT’s examination and removal of all sensitive information on county digital devices, prior to their removal from county premises through transfer, sale, scrap or reuse by 12/31/17.
- R18 OCIT should establish standardized procedures for conducting periodic cybersecurity vulnerability and penetration testing by 12/31/19.

REQUIRED RESPONSES
The California Penal Code §933 requires the governing body of any public agency which the Grand Jury has reviewed, and about which it has issued a final report, to comment to the Presiding Judge of the Superior Court on the findings and recommendations pertaining to matters under the control of the governing body. Such comment shall be made no later than 90 days after the Grand Jury publishes its report (filed with the Clerk of the Court). Additionally, in the case of a report containing findings and recommendations pertaining to a department or agency headed by an elected County official (e.g. DA, Sheriff, etc.), such elected County official shall comment on the findings and recommendations pertaining to the matters under that elected official’s control to the Presiding Judge with an information copy sent to the Board of Supervisors.

Furthermore, California Penal Code Section §933.05 (a), (b), (c), details, as follows, the manner in which such comment(s) are to be made:

(a) As to each Grand Jury finding, the responding person or entity shall indicate one of the following:
(1) The respondent agrees with the finding.
(2) The respondent disagrees wholly or partially with the finding, in which case the response shall specify the portion of the finding that is disputed and shall include an explanation of the reasons therefore.

(b) As to each Grand Jury recommendation, the responding person or entity shall report one of the following actions:
(1) The recommendation has been implemented, with a summary regarding the implemented action.
(2) The recommendation has not yet been implemented, but will be implemented in the future, with a time frame for implementation.
(3) The recommendation requires further analysis, with an explanation and the scope and parameters of an analysis or study, and a time frame for the matter to be prepared for discussion by the officer or head of the agency or department being investigated or reviewed, including the governing body of the public agency when applicable. This time frame shall not exceed six months from the date of publication of the Grand Jury report.
(4) The recommendation will not be implemented because it is not warranted or is not reasonable, with an explanation therefore.

(c) If a finding or recommendation of the Grand Jury addresses budgetary or personnel matters of a county agency or department headed by an elected officer, both the agency or department head and the Board of Supervisors shall respond if requested by the Grand Jury, but the response of the Board of Supervisors shall address only those budgetary and/or personnel matters over which it has some decision making authority. The response of the elected agency or department head shall address all aspects of the findings or recommendations affecting his or her agency or department.

Comments to the Presiding Judge of the Superior Court in compliance with Penal Code section §933.05 are required from:
Responses Required: Orange County Board of Supervisors (Findings F.1. – F.8.; Recommendations R.1 - 18.).
Responses Requested: County Executive Office (Findings F.1. – F.8.; Recommendations R.1., R.3., R.7., R.8., R.11., R.12., R.13., R.14., R.15.). Orange County Information Technology (Findings F.1. – F.8.; Recommendations R.2., R.4., R.5., R.6., R.9., R.10., R.15., R.16., R.17., R.18.).
Conclusions 1
- CL1 Maintaining cybersecurity in Orange County’s multifaceted government is a complex challenge. Information that defines citizens’ identity, health, finances, communications, and personal and commercial transactions is all saved on computers connected to the internet or stored in the cloud and is subject to cyber attack. The resources allocated to cybersecurity are determined by the degree of risk the county is willing to assume. To further its cybersecurity initiatives, the county has a number of oversight bodies, an Enterprise Security Group with an experienced CISO, CPO and staff, and a firewall-protected centralized network with email monitoring and intrusion protection. Anti-virus endpoint protection and data backup programs are in place in most county departments and agencies as well. There are also a number of county cybersecurity initiatives in development. The county can draw from many national and state government cybersecurity bodies and programs to leverage its efforts. One of five California multiagency fusion centers devoted to identifying and issuing cybersecurity threat alerts is located in Orange County. Although much has been done, the OCGJ has identified areas for further work to sufficiently protect county information. This requires sustained support by the BOS, as well as elected and appointed agency heads. Areas of need include countywide risk assessment and mitigation, trained cybersecurity staff, digital security management, increased collaboration countywide, third-party vendor management, and documented centralized procedures.