📋

Extracted from Consolidated Report

This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.

Santa Cruz County Grand Jury • 2022-2023

Cyber Threat Preparedness Phishing and Passwords and Ransomware, Oh My!

View PDF View Full Original

⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.

⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.

Findings 23 findings

F1 Page 12

Funds are focused on improving conditions of well-being for community members

F2 Page 12

A hybrid approach is administered to support both broad-based service programs

F3 Page 12

There is good diversity of eligible applicants: Non-profit 501(c)(3) agencies,

F4 Page 12

The program is well coordinated, with County and City staff partnering to review

F5 Page 12

A clear outline of the RFP is available to the applicants, with an understanding of

F6 Page 12

The County and City provides a comprehensive review of the process which

F7 Page 28

The City of Santa Cruz does not have a Cybersecurity Policy, suggesting that

F8 Page 28

The City of Santa Cruz does not have an Incident Response Plan, and this

F9 Page 28

Santa Cruz participates in some information sharing organizations such as the

F10 Page 29

After recently expanding its IT Department, the City of Watsonville has improved

F11 Page 29

The City does not have an individual whose primary responsibility is

F12 Page 29

Watsonville does not have a Cybersecurity Plan that defines security policies,

F13 Page 29

Watsonville does not have an Incident Response Plan that provides detailed

F14 Page 29

Watsonville participates in some regional information sharing forums, but it does

F15 Page 30

Although Scotts Valley’s managed service provider is very knowledgeable and

F16 Page 30

Scotts Valley does not have a current Cybersecurity Plan that defines security

F17 Page 30

Scotts Valley does not have a current Incident Response Plan, which could

F18 Page 30

Scotts Valley does not participate in any cybersecurity information sharing groups

F19 Page 30

With one individual responsible for IT services, Capitola does not allocate

F20 Page 30

The City of Capitola does not have a robust cybersecurity training program, nor

F21 Page 31

The City of Capitola does not have a Cybersecurity Plan to address cybersecurity

F22 Page 31

The City of Capitola does not have an Incident Response Plan, which could

F23 Page 31

Capitola does not participate in any cyber-focused information sharing groups,

Recommendations 24

R1
Page 27

Santa Cruz County should prepare and implement a Cybersecurity Plan by the
R2
Page 27

, the county should revise and expand its Incident Response
R3
Page 27

The County’s information sharing efforts should be expanded to ensure fulsome
R4
Page 28

The City of Santa Cruz should prioritize filling its vacant IT department positions
R5
Page 28

By Fall 2023, Santa Cruz should identify and implement creative approaches to
R6
Page 28

By Fall 2023, the City of Santa Cruz should assign one individual responsible for
R7
Page 28

or sooner, the City of Santa Cruz should develop and
R8
Page 28

or sooner, the City should complete an Incident Response
R9
Page 29

Once the IT Department has adequate staffing and , it should
R10
Page 29

Watsonville should conduct an evaluation of its recently expanded IT
R11
Page 29

Given the size of Watsonville, the City should have a dedicated position for
R12
Page 29

By early 2024 or sooner, Watsonville should prepare and implement a
R13
Page 29

By early 2024 or sooner, Watsonville should prepare and implement an Incident
R14
Page 29

Upon completion of IT structural upgrades and a higher level of cyber maturity,
R15
Page 30

By mid-2023, Scotts Valley should assign a city official as the lead for
R16
Page 30

Working with its IT contractor, by Fall 2023, Scotts Valley should write and
R17
Page 30

By Fall 2023, Scotts Valley should write an Incident Response Plan that clearly
R18
Page 30

Scotts Valley should participate in local, regional, and state cybersecurity
R19
Page 31

By Fall 2023, Capitola should hire a full-time IT Director to replace the IT Director
R20
Page 31

The City should develop a more robust cybersecurity training and phishing
R21
Page 31

Capitola should establish and implement a Cybersecurity Plan by the end of
R22
Page 31

By Fall 2023 Capitola should prepare an Incident Response Plan that provides
R23
Page 31

When appropriately resourced to monitor cyber threats, and ,
R24
Page 31

By mid-2023, Capitola city management should raise the priority it assigns to