NOV 18 2024 By: T. Cutts, Deputy Cybersecurity in SAN Diego School Districts*

Additional Recommendations 2

These recommendations are not explicitly linked to specific findings.

• R8
  Cybersecurity Lead, updated annually to reflect the changing threat landscape by the beginning of the 2025-2026 school year.
• R9
  SDCOE receives and reviews school district annual reports on the state of cybersecurity. Dudley, Renee, and Daniel Golden. "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime." Farrar, Straus and Giroux. 2022. Office of Educational Technology, "K-12 Digital Infrastructure Brief: Defensible & Resilient" (February 8, 2023). https://tech.ed.gov/files/2023/08/DOEd-Report 20230804 -508c.pdf p6. The Chicago Council on Global Affairs. "Americans Recognize Cyber Threats, but Are Divided on Best Response" (June 7, 2022) https://globalaffairs.org/commentary-and-analysis/blogs/americans-recognize-cyber- threats-are-divided-best-response 4 Pew Research Center. "What the Public Knows About Cybersecurity" (March 22, 2017). https://www.pewresearch.org/internet/2017/03/22/what-the-public-knows-about-cybersecurity/ 5 Fast Company. "The growing threat of AI in social engineering: How business can mitigate risks" (April 8, 2024) https://www.fastcompany.com/91088574/the-growing-threat-of-ai-in-social-engineering-how-business-can- mitigate-risks 6 Cybersecurity & Infrastructure Security Agency. "Cross-Sector Cybersecurity Performance Goals". https://www.cisa.gov/cross-sector-cybersecurity-performance-goals 7 Center for Internet Security. "CIS Critical Security Controls" https://www.cisecurity.org/controls 8 SchoolSafety.gov, "Cybersecurity Action Steps for the K-12 Community" (October 2022). https://www.schoolsafety.gov/sites/default/files/2022-10/Cybersecurity Action Steps for the K-12 Community SchoolSafety.gov Infographic October 2022.pdf 9 See notes 6, 7, and 8. Wikipedia. "Chief Information Security Officer." https://en.wikipedia.org/wiki/ Chief information security officer 11 San Diego County Office of Education, Technology Services. https://www.sdcoe.net/administrative- services/technology 12 San Diego County Office of Education. https://www.sdcoe.net/administrative-services/technology/cybersecurity 13 San Diego County Office of Education, Cybersecurity. "Multi-Factor Authentication Workbook" (October 2022). https://resources.finalsite.net/images/v1666803502/sdcoenet/vhozlhoh3k1bzhksf0aa/MFAWorkbookOct2022.pdf 14 17 CFR §229.106 Cybersecurity (2023). https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart- 229.100/section-229.106#p-229.106(b) 15 California State Education Code § 49076.7 (1976). https://leginfo.legislature.ca.gov/faces/ codes displaySection.xhtml?sectionNum=49076.7&lawCode=EDC 16 Schroeder, Lauryn. "San Diego Unified students' medical data compromised in October cybersecurity breach, school district says." San Diego Union-Tribune. (May 19, 2023). https://www.sandiegouniontribune.com/news/education/story/2023-05-19/student-medical-data-compromised-san- diego-unified-cybersecurity-breach 17 Sweetwater Union High School District, Data Security Notice. Accessed April 16, 2024. https://www.sweetwaterschools.org/data-security/ REQUIREMENTS AND INSTRUCTIONS The California Penal Code §933(c) requires any public agency which the Grand Jury has reviewed, and about which it has issued a final report, to comment to the Presiding Judge of the Superior Court on the findings and recommendations pertaining to matters under the control of the agency. Such comment shall be made no later than 90 days after the Grand Jury publishes its report (filed with the Clerk of the Court); except that in the case of a report containing findings and recommendations pertaining to a department or agency headed by an elected County official (e.g. District Attorney, Sheriff, etc.), such comment shall be made to the Presiding Judge with an information copy sent to the Board of Supervisors. Furthermore, California Penal Code §933.05(a), (b), (c), details, as follows, the manner in which such comment(s) are to be made: (a) As to each grand jury finding, the responding person or entity shall indicate one of the following: (1) The respondent agrees with the finding (2) The respondent disagrees wholly or partially with the finding; in which case the response shall specify the portion of the finding that is disputed and shall include an explanation of the reasons therefor. (b) As to each grand jury recommendation, the responding person or entity shall report one of the following actions: (1) The recommendation has been implemented, with a summary regarding the implemented action. (2) The recommendation has not yet been implemented but will be implemented in the future, with a time frame for implementation. (3) The recommendation requires further analysis, with an explanation and the scope and parameters of an analysis or study, and a time frame for the matter to be prepared for discussion by the officer or head of the agency or department being investigated or reviewed, including the governing body of the public agency when applicable. This time frame shall not exceed six months from the date of publication of the grand jury report. (4) The recommendation will not be implemented because it is not warranted or is not reasonable, with an explanation therefor. (c) If a finding or recommendation of the grand jury addresses budgetary or personnel matters of a county agency or department headed by an elected officer, both the agency or department head and the Board of Supervisors shall respond if requested by the grand jury, but the response of the Board of Supervisors shall address only those budgetary or personnel matters over which it has some decision-making authority. The response of the elected agency or department head shall address all aspects of the findings or recommendations affecting his or her agency or department. Comments to the Presiding Judge of the Superior Court in compliance with the Penal Code 933.05 are required from the: Required Responding Agency