Santa Cruz County Grand Jury
• 2025-2026
Honoring Commitments to the Public Looking Back at 2022-2023 Civil Grand Jury Recommendations and Actions Taken by
Findings and Recommendations 7 findings
F1
The City of Watsonville does not have an Incident Response Plan. Funds have been identified in the city IT budget, and a vendor has been selected. In April 2025, the kickoff for this project begins. Items covered in the project are an incident response plan, playbooks, training, and cybersecurity scenarios that test the incident response plan.
Related Recommendations (1)
R1
The City of Watsonville should develop a formal Incident Response Plan with sufficient detail to serve as a guide in the event of a cyber attack. They should complete the plan by October 31, 2025. (F1)
Envisioning the Future of Our Jails
F2
The Blaine Street Women’s Jail was reopened May 19, 2023. Incarcerated persons earn the privilege to move from the Main Jail to this minimum security women’s facility.
No recommendations for this finding
F3
The “S” unit of Rountree detention center was re-opened in March 2025.
No recommendations for this finding
F4
The County issued a Request for Proposal for a needs assessment and received two proposals. The County states that due to cost they will not complete the Needs Assessment for the Jail.
Related Recommendations (2)
R2
In the next budget cycle, the County of Santa Cruz Board of Supervisors should include the funds to complete the Needs Assessment for the jails. The goal of this assessment is to determine the most effective use of the three jails and any modifications to existing facilities needed to house the expected jail population into the future. The Needs Assessment for the Jails should be completed by October 31, 2026. (F4)
Code Compliance Division - Out of Compliance
R4
“The policies and procedures manuals for the Planning Department and Code Compliance Department should be completely reviewed, updated as prescribed in the policy and procedures manual, and digitized. Each section should be dated, and all future revisions should include date markings for any changes. This process should be completed ”
IN PROGRESS 🔁 Expected completion in 2026
The Code Compliance Manual was reviewed and fully revised for clarity in June 2024. It is available online.[58] In 2022-23, the Planning Department and Public Works Department were integrated to form the Community Development and Infrastructure Department. Since combining these departments, “an effort has been underway to review the policies and procedures of both departments in order to update and create a single set applicable to the whole department. Due to multiple reviews, including reviews by Personnel and the Union, (the county expects) this effort to take another year before it is ready for distribution.”[59]
F5
The Code Compliance Policies and Procedures Manual was reviewed and fully revised for clarity in June 2024. It is available online.
Related Recommendations (1)
R5
“By Fall 2023, Santa Cruz should identify and implement creative approaches to hiring and retention so they can maintain a fully staffed IT Department despite the competition with surrounding counties. The City should investigate potential partnerships with one or more of the 18 California colleges and universities with National Centers of Academic Excellence in Cybersecurity.”
DONE ✅
The City of Santa Cruz has implemented innovative hiring and retention strategies, resulting in IT vacancy rates consistently remaining between 0% and 5% since Fall 2023. They are conducting targeted outreach through professional networks such as the Municipal Information Systems Association of California (MISAC), while also supporting internship and mentorship programs to develop local talent and strengthen career pipelines.[18] [19]
F6
There is no evidence that the Policies and Procedures Manual for the Planning Department is updated and available online.
Related Recommendations (2)
R3
The recently formed Community Development and Infrastructure Department (CDI) should review the policies and procedures of both the Public Works and Planning Departments and create a single set applicable to the whole CDI. Each section should be dated, and all future revisions should include date markings for any changes. This set of policies and procedures should be completed by the CDI and posted online by April 30, 2026. (F6, F7)
R6
“By Fall 2023, the City of Santa Cruz should assign one individual responsible for cybersecurity. Adoption of a managed service provider arrangement will boost its security posture, although it does not eliminate the need for a dedicated security lead within the City's IT Department.”
DONE ✅
The City of Santa Cruz has expanded its IT Department staff from 23 to 26 full-time positions, including the addition of a Cybersecurity IT Manager. This senior-level management role is responsible for developing, enhancing, and overseeing the City's cybersecurity initiatives, significantly strengthening its overall security posture.[18] [19]
F7
In 2022-23, the Planning Department and Public Works Department were integrated to form the Community Development and Infrastructure Department. Since combining these departments, there is an effort underway to create a single set of policies and procedures, applicable to the whole department.
Related Recommendations (2)
R3
The recently formed Community Development and Infrastructure Department (CDI) should review the policies and procedures of both the Public Works and Planning Departments and create a single set applicable to the whole CDI. Each section should be dated, and all future revisions should include date markings for any changes. This set of policies and procedures should be completed by the CDI and posted online by April 30, 2026. (F6, F7)
R7
“ or sooner, the City of Santa Cruz should develop and implement a Cybersecurity Plan that encompasses all aspects of information security.”
DONE ✅
The City of Santa Cruz has developed and published a comprehensive Cybersecurity Plan, detailing all aspects of information security. This plan is reviewed and updated annually by the Cybersecurity IT Manager to ensure continued effectiveness and alignment with best practices.[18]
Additional Recommendations 11
These recommendations are not explicitly linked to specific findings.
R8
“ or sooner, the City should complete an Incident Response Plan with sufficient detail for city officials to use as a step-by-step guide in the event of a cyber incident.”
DONE ✅
The City of Santa Cruz has successfully created and published a detailed Cybersecurity Incident Response Plan. The plan outlines the designated Incident Response Team and their roles/responsibilities, a step-by-step guide for handling cyber incidents, and annual reviews and updates led by the Cybersecurity IT Manager to ensure ongoing relevance and alignment with best practices.[18]
C) 2023 Recommendations for the City of Watsonville
R10
“Watsonville should conduct an evaluation of its recently expanded IT Department, critical IT upgrades, and the status of cybersecurity measures Based on this assessment, the City should allocate existing or newly identified resources to ensure cybersecurity is adequately addressed going forward.”
DONE ✅
The City did an evaluation of its IT Department, approved a position reclassification, and hired staff to focus on cybersecurity as a major job function. All cyber issues in Watsonville are handled by their IT Department, which reports directly to the City Manager. Additionally, in December 2024 the city hired a Deputy City Manager who works closely with the IT Department.[20] [21] [22] [23]
R11
“Given the size of Watsonville, the City should have a dedicated position for cybersecurity , to ensure adherence to best practices, mitigation of potential threats, and education of city staff and leadership.”
DONE ✅
A position reclassification was approved and staff have been hired to focus on cybersecurity as a major job function. The IT Department has a dedicated position, Cybersecurity IT Analyst, who reports directly to the IT Director. In adhering to best practices, the approach taken by the IT Department is that cybersecurity is an ongoing program.[23] [24] [25]
R12
“By early 2024 or sooner, Watsonville should prepare and implement a Cybersecurity Plan that addresses all of the best practices for strong cyber hygiene.”
DONE ✅
The City of Watsonville worked with other local agencies and the County and created a Cybersecurity Plan in September 2023.[23] [26] [27]
R13
“By early 2024 or sooner, Watsonville should prepare and implement an Incident Response Plan with sufficient detail to serve as a guide in the event of a cyber attack.”
IN PROGRESS 🔜 Expected completion in 2025
The City of Watsonville applied for and was awarded a State and Local Government Cybersecurity grant. This is a federal grant, and the funding status is unknown at this time. However, funds have been identified in the city’s IT budget, and a vendor has been selected. The project kickoff begins in April 2025, and includes an incident response plan, playbooks, and training. A training exercise will be conducted where the participants engage in a simulated, discussion-based activity that tests the incident response plan. Team members discuss their roles and responses to a simulated emergency or crisis to identify gaps in plans and procedures. The Incident Response Plan should be completed in the summer of 2025.[4] [23] [28] [29] [30] [31] [32]
R14
“Upon completion of IT structural upgrades and a higher level of cyber maturity, and , Watsonville should participate in local, regional, and state information sharing initiatives.”
DONE ✅
Along with participation in the Northern California Regional Intelligence Center (NCRIC) and Multi-State Information Sharing & Analysis Center (MS-ISAC), the City subscribes to California Cybersecurity Integration Center (Cal-CSIC) information sharing. The City of Watsonville IT Department is involved and participates regularly in the Cybersecurity Consortium, led by the ISD of Santa Cruz County. Watsonville’s IT Director meets regularly with the CISO of the County.[23] [33] [34] [35] [36]
D) 2023 Recommendations for the City of Scotts Valley
R16
“Working with its IT contractor, by Fall 2023, Scotts Valley should write and implement a Cybersecurity Plan that is shared with all city officials to demonstrate comprehensive security measures and executive-level cyber threat awareness.”
DONE ✅
In September 2023, the City of Scotts Valley created a Cyber/Information Security Plan. This plan is intended to be updated as new cybersecurity threats and advancements progress.[37] [38]
R17
“By Fall 2023, Scotts Valley should write an Incident Response Plan that clearly delineates the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack.”
DONE ✅
In November 2023, the City of Scotts Valley created a very detailed Cyber Incident Response Plan. This plan establishes City-Wide cyber incident response capability including the formation of the City of Scotts Valley Cyber-Incident Response Team (CIRT). The document details the specifics outlined in the recommendation along with contact information for the CIRT, Cyber Best Practices, and Guidelines to Follow for various types of incidents.[38] [39]
R18
“Scotts Valley should participate in local, regional, and state cybersecurity organizations for information sharing ”
DONE ✅
The City of Scotts Valley participates regularly in the regional Cybersecurity Consortium. The CISO of the County, who leads the Consortium, is part of CCISDA, a very strong IT coalition within the state of California. The City of Scotts Valley and participants of the Consortium benefit from leveraging CCISDA’s collective experiences and a robust level of information sharing.[8] [15] [16] [40] [41]
E) 2023 Recommendations for the City of Capitola
R21
“Capitola should establish and implement a Cybersecurity Plan Several resources exist to provide a foundation or templates for these plans including NIST Guidelines, CISA resources, and Cal-CSIC guidance.”
DONE ✅
The City of Capitola issued a Cybersecurity Plan in September 2023.[42] [43]
R22
“By Fall 2023 Capitola should prepare an Incident Response Plan that provides detailed guidance for a city response to a cyber attack.”
DONE ✅
The City of Capitola issued an Incident Response Plan in 2023 and updated the plan as recently as October 2024.[44]
2. Envisioning the Future of Our Jails
Santa Cruz County is a compassionate community. The Prior Jury published a report challenging the Sheriff’s Department to improve the treatment and safety of jail inmates living with mental illness and to develop innovative and effective post-release reentry programs. The question was posed, “In the real world, with the funding constraints in this County, what is the best solution to both the aging Main Jail and to the distressingly high recidivism rate?” The Current Jury followed up on the 2023 Recommendations and evaluated the actions taken and determined current dispositions.
2023 Recommendations
Conclusions 1
CL1
We have evaluated the outstanding progress made by our local government towards improving operations. When the agencies accept the recommendations, follow through and meet their expressed commitments, our community benefits from increased government transparency and accountability.
2025 Findings, Recommendations, and Commendations
Commendations 1
CM1
C1. The Santa Cruz County Civil Grand Jury commends our County CISO for regularly attending the semi-annual conference of CCISDA (California County Information Services Directors Association). The frequent exchange of information and the comparison of experiences between counties is very helpful. In addition to leading the Consortium, the CISO also now leads an internal group involving IT, the Sheriff’s office, District Attorney, Human Services, and other offices as needed.
C2. The City of Santa Cruz remains committed to strengthening its cybersecurity resilience framework and continuously improving its workforce strategies and response capabilities. The Santa Cruz County Civil Grand Jury commends the City of Santa Cruz for protecting the community by prioritizing its Information Technology Department including hiring a Cybersecurity IT Manager. We also commend the City of Santa Cruz for successfully creating a comprehensive Cybersecurity Plan.
C3. The Santa Cruz County Civil Grand Jury commends the City of Scotts Valley for protecting the local community by hiring a local Scotts Valley firm for administering its Cybersecurity framework and response capabilities.
Honoring Commitments published June 17, 2025 Page 17 of 24
C4. The Santa Cruz County Civil Grand Jury commends the Sheriff's Office for the services provided to the women at Blaine Street since reopening in 2023. Blaine Street is the minimum security women’s facility in Santa Cruz. Earning the privilege to move from the Main Jail to Blaine Street gives the women a sense of self-worth and pride in their accomplishments. They are appreciative of the vast services offered at Blaine Street and take advantage of these programs to better themselves. The evidence of support for one another as women is a result of the incredible staff, and the programs and services offered.
C5. The Santa Cruz Civil Grand Jury commends the Sheriff’s Office for recognizing the need for a dedicated dental clinic and dental services at the Rountree facility location. The benefits are indeed significant for all involved.
C6. The Santa Cruz County Civil Grand Jury commends the Public Defender’s Office for providing funding for holistic care.
C7. The Santa Cruz County Grand Jury commends Santa Cruz County’s Behavioral Health Division for effectively improving access to care, and promoting the mental well-being of our community.
C8. The Santa Cruz County Civil Grand Jury commends County Behavioral Health for providing 24/7/365 mobile crisis response services. Also notable, as part of the Crisis Now Innovation Project, Behavioral Health is conducting ongoing evaluation of current services. The goal is to identify gaps in the crisis continuum of care and develop recommendations to address those gaps.