Santa Barbara County Grand Jury • 2020-2021 • Agency Response
Response to: CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY

Response to the Grand Jury Report: Cyber-Attacks Threaten Santa Barbara County

Published: June 08, 2020 4 pages
View Original PDF

Findings and Recommendations 8 findings

F1
Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible. The City agrees with the finding.
Related Recommendations (1)
R1
That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. This recommendation has been implemented. The City transitioned Information Technology services to an Information Technology management firm in fiscal year 2019-20. The City Manager is ultimately responsible for oversight of cyber security in partnership with the specialized firm of experts. The CEO of the company is responsible for communication, strategic management, and addressing of any immediate needs or concerns. The Information Technology firm provides with staff to who specialize specifically in cybersecurity. DocuSign Envelope ID: 70FA1C07-661A-47EE-8750-D3C5B053DC0A
F2
Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully understand the risks, security issues and costs associated with the destruction of systems or loss of data. The City disagrees partially with the finding. The City can only speak to its own situation.
Related Recommendations (1)
R2
That each public entity within Santa Barbara County complete a full inventory of their data electronic and communication systems and determine the related security risks. This recommendation will be implemented in fiscal year 2020-21. The City is undertaking this work as a part of the new contract for IT services.
F3
Some public entities within Santa Barbara County do not have a written cyber security plan. The City agrees with the finding.
Related Recommendations (1)
R3
That each public entity within Santa Barbara County establish a written cyber security plan. The recommendation is being implemented and will be completed in fiscal year 2020-21.
F4
Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication. The City agrees with the finding.
Related Recommendations (1)
R4
That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. The recommendation will be implemented. The City already has cyber-security systems and procedures in place but in the 2020-21 fiscal year will undertake work to, in part, make substantial improvement to its cyber-security systems and procedures. DocuSign Envelope ID: 70FA1C07-661A-47EE-8750-D3C5B053DC0A
F5
Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software. The City agrees with the finding.
Related Recommendations (4)
R5a
That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. The City has implemented this recommendation. The City has current industry standard Anti- virus software and firewall.
R5b
That each public entity within Santa Barbara County install and update all operating software regularly. The recommendation has been implemented. The City installs system updates on a regular basis.
R5c
That each public entity within Santa Barbara County periodically train employees and then test their cyber security awareness. The City is implementing this recommendation. The City will utilize cyber security awareness protocols and training tools.
R5d
That each public entity within Santa Barbara County periodically ensure electronic system-related contractors have been trained for cyber security awareness. The City is implementing this recommendation for the City. The City's IT contractor will perform cyber security training.
F6
If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. The City agrees with the finding.
Related Recommendations (2)
R6a
That each public entity within Santa Barbara County create and implement a full backup and recovery plan. DocuSign Envelope ID: 70FA1C07-661A-47EE-8750-D3C5B053DC0A The City has implemented this recommendation. The City has implemented onsite and offsite backup systems.
R6b
That each public entity within Santa Barbara County regularly update and test their backup and recovery plan. The City regularly updates and tests the backup system.
F7
Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. The City disagrees with the finding as it pertains to the City.
Related Recommendations (1)
R7
That each public entity within Santa Barbara County secure adequate cyber insurance. The City will review its insurance coverage to ensure adequate Cybersecurity coverage.
F8
A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium. The City agrees with the finding.
Related Recommendations (1)
R8
That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. The City has implemented in part implemented this recommendation. The City feels that the City’s IT management firm provides with adequate resources for cyber security measures described in this report. However, the City will explore and is supportive of joining a cybersecurity working group. Once again, thank you for the opportunity to respond to the Report. Yours, Mayor Ryan Touissaint Cc: The Honorable Judge Michael J. Carrozza