Marin County Grand Jury • 2024-2025 • Agency Response
Response to: Cyberattacks: A Growing Threat to Marin Government

City of Belvedere*

Published: August 10, 2020 5 pages
View Original PDF

Findings and Recommendations 8 findings

F3
Transparency is lacking regarding cybersecurity because past breaches have not been publicly disclosed, and city and town councils have not facilitated public discussion of cybersecurity issues. Response – Agree
No recommendations for this finding
F4
Most elected officials in Marin's cities and towns are not sufficiently engaged in ensuring robust cybersecurity policies and procedures are in place. Response - Disagree Partially. The City cannot comment on the level of engagement of elected officials on this issue throughout Marin; in Belvedere, we will facilitate Councilmember engagement through the commitment to an annual review (see response to R4).
Related Recommendations (1)
R4
Starting in fiscal year 2020/2021, the county board of supervisors and the city and town councils should request their managers report, at least annually, regarding their cybersecurity profile and any measures being taken to improve it. Response - This recommendation will be implemented. An annual report to Council will be agendized.
F5
County and municipal officials and managers have been generally unaware of breaches that have occurred outside their own agencies in Marin and therefore have not felt the need to collaborate on measures to improve cybersecurity. Response - Disagree Partially. While municipal managers may not be fully aware of security breaches experienced by other jurisdictions, the Marin Managers Association (MMA) has discussed on several occasions potential cyber-related improvements.
Related Recommendations (1)
R5
Starting in fiscal year 2020/2021, the county, cities, and towns should convene periodic discussions, at least annually, in a public forum such as a board or council meeting, regarding the importance of good cybersecurity practices for our government, residents, and other organizations. Response - This recommendation will be implemented. The City will assist in county-wide education efforts and will also endeavor to educate its residents on these important issues.
F6
Municipalities have been lax in following FBI guidance that cybersecurity breaches be reported to federal law enforcement. Response -- Disagree Partially. It is difficult to respond to this finding, given the City's lack of knowledge as regards FBI reporting by other jurisdictions.
Related Recommendations (1)
R6
The county and each city and town should adopt a policy to report to federal law enforcement any cybersecurity intrusion that results in financial fraud or unauthorized disclosure of information and make that intrusion public. Response – This recommendation will be implemented.
F7
Marin's cities and towns have not made a concerted effort to standardize around a common set of best practices with respect to cybersecurity. Response - Disagree Partially. Most of Marin's cities and towns participate in the MIDAS network, which includes security protocols. That said, more can certainly be done to coordinate and integrate cybersecurity approaches throughout the County.
Related Recommendations (1)
R7
of the date of this report, cities and towns should implement the first four practices described in the Best Practices section of this report, regarding mandatory user training, email flagging and filtering, password management, and backup. Response - These recommendations will be implemented in full as soon as feasible. Several have or are now being implemented.
F8
The Marin County Council of Mayors & Councilmembers has not made cybersecurity a priority, which has minimized the awareness and engagement of elected officials in cybersecurity matters. Response - Disagree Partially. The MCCMC has prioritized other significant policy issues, such as pension reform, economic recovery, housing, etc. The City of Belvedere cannot comment on the level of involvement of elected officials from other jurisdictions in cybersecurity discussions.
Related Recommendations (1)
R8
In fiscal year 2020-2021, cities and towns should complete an analysis of the feasibility of implementing the remainder of the practices described in the Best Practices section of this report. Response – Such an analysis will be developed in fiscal year 2020-2021.
F9
The Marin Managers Association has not done enough to facilitate the sharing of cybersecurity information and resources among its members. Response - Disagree Partially. While more information sharing among city and town managers would be advantageous, the Marin Managers Association has discussed this issue on numerous occasions, including most recently in December 2019.
Related Recommendations (1)
R9
In fiscal year 2020-2021, cities and towns should, through the Marin Managers Association, complete an analysis of the feasibility of contracting with a cybersecurity expert to be available to cities and towns on a shared basis, in order to raise the overall level of cybersecurity in Marin's cities and towns. Response – The City Manager, as a member of the Marin Managers Association, will support a discussion as to the feasibility of contracting with a cybersecurity specialist that could be made available to participating cities and towns. Sincerely, Craig Middleton City Manager 1 ...
F10
Various low-cost best practices exist that could, if implemented, significantly improve the cybersecurity posture of Marin's cities and towns. Response – Agree.
No recommendations for this finding

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.