Santa Barbara County Grand Jury • 2020-2021 • Agency Response
Response to: CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY

City of Carpinteria,*

Published: June 08, 2020 4 pages
View Original PDF

Findings and Recommendations 8 findings

F1
Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible. The City agrees with the finding.
Related Recommendations (1)
R1
That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. This recommendation will be implemented in fiscal year 2020-21. The City's Administrative Services Director's responsibilities include overseeing the City's Management Information Services function and agreement for Information Technologies (IT) services. The City will be establishing a new or amended agreement for IT services that better describes cyber-security activities and responsibilities to be carried out by contractor consistent with this recommendation.
F2
Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully understand the risks, security issues and costs associated with the destruction of systems or loss of data. Grand Jury Response June 8, 2020 The City disagrees partially with the finding. The City can only speak to its own situation.
Related Recommendations (1)
R2
That each public entity within Santa Barbara County complete a full inventory of their data electronic and communication systems and determine the related security risks. This recommendation will be implemented in fiscal year 2020-21. The City will undertake this work as a part of an amendment contract for IT services.
F3
Some public entities within Santa Barbara County do not have a written cyber security plan. The City agrees with the finding.
Related Recommendations (1)
R3
That each public entity within Santa Barbara County establish a written cyber security plan. The recommendation will be implemented through the City's agreement for IT services in the 2020-21 fiscal year.
F4
Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication. The City agrees with the finding.
Related Recommendations (1)
R4
That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. The recommendation will be implemented. The City already has cyber-security systems and procedures in place but in the 2020-21 fiscal year will undertake work to, in part, make substantial improvement to its cyber-security systems and procedures.
F5
Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software. The City agrees with the finding.
Related Recommendations (4)
R5a
That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. Grand Jury Response June 8, 2020 The City has implemented this recommendation. Anti-virus software is deployed and current in the network. The City also maintains subscription-based security scanning at the network perimeter in the firewall.
R5b
That each public entity within Santa Barbara Gounty install and update all operating software regularly. The recommendation has been implemented. The City of Carpinteria installs system updates on a regular basis.
R5c
That each public entity within Santa Barbara Gounty periodically train employees and then test their cyber security awareness. The City has implemented this recommendation for the City. The City of Carpinteria utilizes cyber security awareness protocols and training tools.
R5d
That each public entity within Santa Barbara County periodically ensure electronic system-related contractors have been trained for cyber security awareness. The City has implemented this recommendation for the City. The City's lT contractor perform cyber security training.
F6
If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. The City agrees with the finding.
Related Recommendations (2)
R6a
That each public entity within Santa Barbara Gounty create and implement a full backup and recovery plan. The City has implemented this recommendation. The City of Carpinteria has implemented onsite and offsite backup systems.
R6b
That each public entity within Santa Barbara Gounty regularly update and test their backup and recovery plan. This recommendation has The City of Carpinteria regularly updates and tests the backup system. Grand Jury Response June 8, 2020
F7
Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. The City disagrees with the finding as it pertains to the City.
Related Recommendations (1)
R7
That each public entity within Santa Barbara County secure adequate cyber insurance. This recommendation has been implemented. The City has adequate cyber insurance through the California Joint Powers Insurance Authority's Cyber Liability Program.
F8
A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium. The City agrees with the finding.
Related Recommendations (1)
R8
That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. The recommendation will be implemented for the City. As a part of the work previously described for the 2020-21 fiscal year, the City will explore joining a cybersecurity working group; however, the City feels that it can currently allocate adequate resources for the cyber security measures described in this report. Once again, thank you for the opportunity to respond to the Report. Yours, Wade T. Nomura Mayor Cc: The Honorable Judge Michael J. Carrozzo . . . . . . . . . . . . . . . . . . . .

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.