Score: +10 (10/6/0)

Ventura County Grand Jury • 2019-2020

Cybersecurity Strategies for Cities in Ventura County

Published: April 17, 2020 38 pages

View Original PDF

⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.

⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.

Findings and Recommendations 31 findings

F01

Attackers often target small organizations and cities that have few resources to defend themselves. (Ref-02, Ref-03)

No recommendations for this finding

F02

Cities are aware of the threat of cyberattacks and, to a varying degree, take active measures to reduce the risk in accordance with the Cybersecurity Framework. (Ref-14)

No recommendations for this finding

F03

On March 13, 2020, the California Cyber Security Integration Center issued a cybersecurity advisory titled Teleworking Quick Reference Guide. The guide highlights some security concerns and best practices end-users and network administrators should consider when implementing a teleworking program. (App-01)

No recommendations for this finding

F04

Not all Cities are implementing the teleworking best practices recommended by the California Cyber Security Integration Center. (Ref-16) (App-01)

No recommendations for this finding

F05

City managers and IT personnel provide ongoing cyber safety training and encourage personnel to take advantage of that training. Cybersecurity Strategies for Cities in Ventura County 5 Collaboration within the County

No recommendations for this finding

F06

The Ventura County Executive Office created an informal network of City IT managers, thereby collectively elevating the level of the Cities’ IT performance.

No recommendations for this finding

F07

City managers and IT personnel meet with their counterparts from other Cities on a regular basis to collaborate regarding cyberattacks. City Web Addresses (URLs)

No recommendations for this finding

F08

The California Department of Technology and the National League of Cities recommend using .gov domain names and secure internet protocols. (App-01)

No recommendations for this finding

F09

Nine out of ten Cities use HTTPS (Hypertext Transfer Protocol Secure). Two out of ten Cities have .gov domain names. (App-03) Cybersecurity Resources

No recommendations for this finding

F10

Cybersecurity and Infrastructure Agency  The Department of Homeland Security (DHS) designated the Cybersecurity and Infrastructure Agency (CISA) to be the lead federal department to provide cybersecurity assistance to State, Local, Tribal and Territorial (SLTTs) government organizations. (App-02)  CISA provides SLTTs with a “one-stop shop” of free services for cyber risk assessments, cybersecurity evaluations, incident assistance coordination, cyber exercises/training and recommended best practices. (App-02)

No recommendations for this finding

F11

Only one City uses any of the free CISA resources. That City uses only one of the available resources.

Related Recommendations (2)

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

F12

Among its many services, CISA operates the Protective Security Advisor (PSA) Program. PSAs are DHS-trained critical infrastructure protection and vulnerability mitigation subject matter experts. Upon request, these experts provide free cybersecurity advice and assistance to SLTTs. (App-02)

No recommendations for this finding

F13

Nine of the 10 Cities maintain their cyber infrastructure through the use of internal staff and/or hiring vendors, in each case without taking advantage of CISA assistance.

Related Recommendations (2)

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

F14

By using just one free CISA service, the remaining City saved at least $1,000 per month over five years. That City was not aware of the other available free CISA services. Cybersecurity Strategies for Cities in Ventura County

Related Recommendations (1)

R05

The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

F15

The DHS designated the nonprofit member driven Multi-State Information Sharing & Analysis Center (MS-ISAC) as its partner for sharing cybersecurity information with the SLTT governments. (App-02)

No recommendations for this finding

F16

MISAC also provides some fee-based cybersecurity services. (App-02)

No recommendations for this finding

F17

While all IT managers for the Cities are members of MISAC, less than half are members of MS-ISAC. Furthermore, only three Cities’ IT personnel attended the MISAC 2019 Annual Conference. (Ref-17)

Related Recommendations (1)

Multi-State Information Sharing & Analysis Center (MS-ISAC) membership. Joining MS-ISAC is free to municipal government IT operations. GovLaunch A national free, private platform for any verified employees of local government https://govlaunch.com/ to share details of their projects or initiatives. It is a website where local governments can find out what technology their peers are turning to and how they’re using it. Cybersecurity Strategies for Cities in Ventura County 25 Cybersecurity Resources Source Service FedVTE FedVTE is a free, online, on-demand cybersecurity training system managed niccs.us-cert.gov/training/federal- by DHS that is available to SLTT virtual-training-environment-fedvte government personnel. It contains more than 800 hours of training on topics such as ethical hacking, surveillance, risk management and malware analysis. Resource benefits include:  Diverse courses – The program offers more than 300 demonstrations and 3,000 related materials, including online lectures and hands-on virtual labs. • Certification offerings – Offerings include Network +, Security +, Certified Information Systems Security Professional (CISSP), Windows Operating System Security and Certified Ethical Hacker. • Experienced instructors – All courses are taught by experienced cybersecurity subject matter experts. CIS CyberMarket CIS's collaborative purchasing program that serves SLTT organizations, not-for- https://www.cisecurity.org/services/cis- profit entities, and public health and cybermarket/ education institutions to improve cybersecurity through cost-effective group procurement. The objective of the CIS CyberMarket is to combine the purchasing power of governmental and nonprofit sectors to help participants improve their cybersecurity environment at a lower cost than they would have been able to attain on their own. Cybersecurity Strategies for Cities in Ventura County Cybersecurity Resources Source Service General Services Administration Allows SLTTs to purchase IT and security products and services offered Cooperative Purchasing Program through GSA’s negotiated contracts. The https://www.gsa.gov/technology/techno advantage for eligible users of the GSA logy-products-services/it-security Cooperative Purchasing Program is that vendor services and products can be https://www.gsa.gov/buying- procured at the lowest possible price selling/purchasing-programs/gsa- with the assurance that contractors are schedules/schedule-buyers/state-and- qualified to sell to the federal local-governments/cooperative- government. purchasing FedRAMP Moderate A U.S. government program that establishes a standardized approach for https://www.fedramp.gov/ validating that cloud services are https://cdt.ca.gov/wp- secure. FedRAMP offers independent, content/uploads/2019/01/2018-Annual- third-party validation of a cloud Report_FINAL_accessible.pdf, p. 12 provider’s security posture and a standardized approach to security https://cdt.ca.gov/wp- assessments, authorization and content/uploads/2019/09/TA_18-05.pdf continuous monitoring for cloud products and services. It is administered by the states. Available to all California cities and counties. This single state contract provides cloud services to government customers at discounted prices of up to 9.5%, with additional volume discounts available for select providers. Service providers include Amazon, Microsoft and IBM. California’s Cybersecurity Task Force While not currently providing direct cybersecurity support to California’s https://www.caloes.ca.gov/cal-oes- cities, this task force may be a future divisions/cybersecurity-task-force/task- resource. force-subcommittees Cybersecurity Strategies for Cities in Ventura County 27 Cybersecurity Resources Source Service The National Science Foundation Administers the Federal SFS program which is an effective recruiting tool for https://www.sfs.opm.gov/ SLTTs. Upon graduation, scholarship recipients are required to work as cybersecurity professionals for a period equal to the length of their scholarship. The CyberCorps scholarship assists in funding the typical costs incurred by full-time students while attending a participating institution, including tuition and education and related fees. The scholarships are funded through grants awarded by the National Science Foundation in partnership with DHS and the Federal Office of Personnel Management (OPM). City hiring Managers and Human Resources Consultants interested in recruiting from the SFS program can gain access to this candidate pool by contacting the program office at sfs@opm.gov. Cybersecurity Strategies for Cities in Ventura County This page intentionally left blank Cybersecurity Strategies for Cities in Ventura County 29

F18

Representatives from MS-ISAC provided information on available Federal cybersecurity resources at the 2019 MISAC conference. (Ref-18)

No recommendations for this finding

F19

More than 90 California cities hold memberships in MS-ISAC; two Cities in the County are members. (Ref-19)

Related Recommendations (1)

F20

Of those Cities that use servers, hybrid cloud and cloud platforms, few take advantage of the cost-saving FedRAMP Moderate program to contract with cloud providers. (App-02) Partnerships with Local Educational Institutions

No recommendations for this finding

F21

Some Cities partner with local educational institutions to develop internship opportunities and create a talent pool for cybersecurity or information technology. Those that do employ cybersecurity interns reported positive experiences and personnel cost savings.

Related Recommendations (1)

R06

The Grand Jury recommends Cities develop personnel cost-saving opportunities and create a cybersecurity talent pool by recruiting interns or graduating students using: (C-04)  The Scholarships for Service program described in Appendix 02  Local education institutions (high school, community college, private college and state university) Cybersecurity Strategies for Cities in Ventura County 9

F22

Three County higher educational institutions offer cybersecurity and internship programs:  California Lutheran University (Ref-20)  California State University Channel Islands (Ref-21, Ref-22)  Moorpark College (Ref-23) Information Technology Department Staffing

No recommendations for this finding

F23

Some Cities have difficulty recruiting and retaining IT staff. Salaries and benefits for City IT staff are not competitive with the private sector. Cybersecurity Liability Insurance

Related Recommendations (1)

R06

F24

All Cities have cybersecurity liability insurance through the California Joint Powers Insurance Authority or other insurers.

No recommendations for this finding

F25

In addition to recommending cyber liability insurance for cities, the MISAC Security committee encourages MISAC members require their IT vendors have cyber liability insurance. (Ref-24) Cybersecurity Strategies for Cities in Ventura County 7 City Budgets for Information Technology Services

No recommendations for this finding

F26

In reviews of budget documents, the Grand Jury found that five Cities have Information Services/Technology Departments line items in their adopted budgets. No City has a publicly viewable budget line item specifically for cybersecurity. (App-03)

Related Recommendations (1)

R08

The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C-06)

F27

Two of the Cities anticipate spending over $5 million on information services in the upcoming budget year. (App-03) Cyber Incident Response and Disaster Recovery Plans

No recommendations for this finding

F28

In 2018, a major provider of cybersecurity policies conducted a survey of public and private-sector respondents. In that survey 91% of respondents were confident their companies had implemented best practices to avoid a cyber event. Yet, 55% admitted not completing a cyber-risk assessment, 62% had not developed a business continuity plan and 63% had not completed a cyber-risk assessment on vendors who have access to their data. (Ref-25)

Related Recommendations (1)

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

F29

Not all Cities have comprehensive cyber incident response, recovery and business continuity plans. Vendor Management

Related Recommendations (2)

R07

The Grand Jury recommends Cities maintain good vendor management by: (C-03, C-05)  Obtaining CISA assistance to conduct risk management assessments on all third-party vendors that have access to any confidential data or that interact with City networks and systems  Requiring all vendors provide cybersecurity documentation. As part of their ongoing third-party due diligence, Cities should evaluate vendors for compliance and risk on an annual basis  Requiring IT vendors obtain cybersecurity insurance.

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

F30

Business and Intellectual Property Attorney Lisa M. Thompson advised in August 2019 that cities should defend against cybersecurity threats by conducting risk management assessments on all third-party vendors that have access to confidential data and interact with municipal networks and systems. In addition, she stated that cities should require all vendors provide security documentation. (Ref-26)

No recommendations for this finding

F31

Most Cities do not manage the cyber risk of third-party vendors. Conclusions C-01. While the Grand Jury recognizes each City is taking steps to implement cybersecurity and to defend against cyberattacks, it concludes there is no perfect solution to cybersecurity or defense against cyberattacks. (FA-01, FA-02, FA-03, FA-04, FA-05, FA-06, FA-07) C-02. The Grand Jury concluded eight Cities are currently using suboptimal web addresses for their websites. (FA-08, FA-09) C-03. The Grand Jury concluded generally Cities are not utilizing free federal and discounted federally aligned resources available to Cities to bolster their cybersecurity defenses. (FA-10, FA-11, FA-12, FA-13, FA-14,

Related Recommendations (1)

R07

Additional Recommendations 1

These recommendations are not explicitly linked to specific findings.

R11

The Grand Jury recommends Cities develop a written plan for implementation of R-01 through R-10 prior to December 31, 2020. Responses Responses Required From: City Council, City of Camarillo (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Fillmore (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Moorpark (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Ojai (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Oxnard (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Port Hueneme (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Santa Paula (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) 10 Cybersecurity Strategies for Cities in Ventura County City Council, City of Simi Valley (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Thousand Oaks (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Ventura (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) References Ref-01. Shi, Flemming. Threat Spotlight: Government Ransomware Attacks. Barracuda blog, August 28, 2019 https://blog.barracuda.com/2019/08/28/threat-spotlight-government- ransomware-attacks/ Accessed April 7, 2020 Ref-02. McGalliard, Tad. How Local Governments Can Prevent Cyberattacks. New York Times, March 30, 2018 https://www.nytimes.com/2018/03/30/opinion/local-government- cyberattack.html Accessed April 7, 2020 Ref-03. Nelson, Sarah. Report: Local Gov Cyberattacks Reach Critical Level. Government Technology, December 18, 2019 https://www.govtech.com/security/Report-Local-Gov-Cyberattacks- Reach-Critical-Level.html Accessed April 7, 2020 Ref-04. Kim, Allen. In the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks. CNN, October 8, 2019 https://www.cnn.com/2019/10/08/business/ransomware-attacks- trnd/index.html Accessed April 7, 2020 Ref-05. Patterson, Dan. Four U.S. cities attacked by ransomware this month. CBS News, December 17, 2019 https://www.cbsnews.com/news/ransomware-attack-pensacola- florida-4-u-s-cities-attacked-by-ransomware-this-month-2019-12-17/ Accessed April 15, 2020 Ref-06. Ng, Alfred. Ransomware froze more cities in 2019. Next year is a toss- up. CNET, December 5, 2019 https://www.cnet.com/news/ransomware-devastated-cities-in-2019- officials-hope-to-stop-a-repeat-in-2020/ Accessed April 15, 2020 Cybersecurity Strategies for Cities in Ventura County 11 Ref-07. Freed, Benjamin. Ransomware Attacks Map chronicles a growing threat. Statescoop, October 22, 2019 https://statescoop.com/ransomware-attacks-map-state-local- government/ Accessed April 15, 2020 Ref-08. Whitnall, Becca. City’s online payment system falls victim to hackers. Thousand Oaks Acorn, November 8, 2018 https://www.toacorn.com/articles/citys-online-payment-system-falls- victim-to-hackers/ Accessed April 15, 2020 Ref-09. CISA. Security Tip (ST08-001) Using Caution with USB Drives. November 15, 2019 https://www.us-cert.gov/ncas/tips/ST08-001 Accessed April 15, 2020 Ref-10. Lohrmann, Dan. 2019: The Year Ransomware Targeted State & Local Governments. Government Technology, December 23, 2019 https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2019-the- year-ransomware-targeted-state--local-governments.html Accessed April 15, 2020 Ref-11. Ropek, Lucas. Pensacola Hires Deloitte to Investigate Extent of Cyberattack. Government Technology, December 19, 2019 https://www.govtech.com/security/Pensacola-Hires-Deloitte-to- Investigate-Extent-of-Cyberattack.html Accessed April 15, 2020 Ref-12. Ikeda, Scott. Ransomware Attacks Are Causing Cyber Insurance Rates to Go Through the Roof; Premiums up as Much as 25 Percent. CPO Magazine, February 10, 2020 https://www.cpomagazine.com/cyber-security/ransomware-attacks- are-causing-cyber-insurance-rates-to-go-through-the-roof-premiums- up-as-much-as-25-percent/ Accessed April 15, 2020 Ref-13. IBM. IBM Security Study: Taxpayers Oppose Local Governments Paying Hackers in Ransomware Attacks. September 5, 2019 https://newsroom.ibm.com/2019-09-05-IBM-Security-Study- Taxpayers-Oppose-Local-Governments-Paying-Hackers-in- Ransomware-Attacks Accessed April 15, 2020 12 Cybersecurity Strategies for Cities in Ventura County Ref-14. U.S. Department of Commerce, National Institute of Standards and Technology. Cybersecurity Framework, The Five Functions https://www.nist.gov/cyberframework/online-learning/five-functions Accessed April 17, 2020 Ref-15. California Public Records Act Government Code Section 6254.19 http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sec tionNum=6254.19&lawCode=GOV Accessed April 17, 2020 Ref-16. California Cyber Security Integration Center. CYBERSECURITY ADVISORY Teleworking Quick Reference Guide. March 13, 2020 https://www.caloes.ca.gov/LawEnforcementSite/Documents/Cal- CSIC_Advisory_Teleworking%20Guidance.pdf Accessed April 17, 2020 Ref-17. Registration List. 2019 MISAC Annual Conference https://www.misac.org/events/RSVPlist.aspx?id=1243109 Accessed April 17, 2020 Ref-18. Vendors. 2019 MISAC Annual Conference https://www.misac.org/page/VendorConfInfo2019 Accessed April 17, 2020 Ref-19. CIS. MS-ISAC Local Governments https://www.cisecurity.org/partners-local-government/ Accessed April 17, 2020 Ref-20. California Lutheran University. Cal Lutheran starts cybersecurity program. September 20,2019 https://www.callutheran.edu/news/story.html?id=13865#story Accessed April 17, 2020 Ref-21. California State University Channel Islands. Computer Science Program - BS Information Technology https://compsci.csuci.edu/degrees/bsit.htm Accessed April 17, 2020 Ref-22. California State University Channel Islands. Computer Science Program - Internships https://compsci.csuci.edu/resources/internships.htm Accessed April 17, 2020 Ref-23. Moorpark College. Computer Science Curriculum https://www.moorparkcollege.edu/faculty-and-staff/curriculum- committee/course-outlines-of-record/computer-science-curriculum Accessed April 17, 2020 Cybersecurity Strategies for Cities in Ventura County 13 Ref-24. MISAC. MISAC’s New Security Committee Up and Running. July 6, 2018 https://www.misac.org/news/407088/MISACs-New-Security- Committee-Up-and-Running.htm Accessed April 17, 2020 Ref-25. Newcome, Tod. Cyber Insurance Evolves to Meet the Ransomware Threat. Government Technology, October/November 2019 https://www.govtech.com/security/Cyberinsurance-Evolves-to-Meet- the-Ransomware-Threat.html Accessed April 17, 2020 Ref-26. Thompson, Lisa. Cybersecurity Best Practices for Municipalities. New Hampshire Municipal Association, August 2019 https://www.nhmunicipal.org/town-city-article/cybersecurity-best- practices-municipalities Accessed April 7, 2020 14 Cybersecurity Strategies for Cities in Ventura County Glossary TERM DEFINITION Attacker Any individual or organization who attempts to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. Big Data A field that treats ways to analyze, systematically extract information from or otherwise deal with data sets that are too large or complex to be dealt with by traditional data-processing application software. Bitcoin(s) A decentralized digital currency without a central bank or single administrator that can be sent from user to user on the peer-to-peer bitcoin network without the need for intermediaries. CIS Center for Internet Security CISA Cybersecurity and Infrastructure Security Agency Cities The 10 incorporated cities in the County County Ventura County Cyberattack Any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices. Cybersecurity The protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. DHS Department of Homeland Security Encrypt The process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. FedRAMP The Federal Risk and Authorization Management Program. A U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP The California administered FedRAMP Moderate Cybersecurity Strategies for Cities in Ventura County 15 Grand Jury 2019-2020 Ventura County Grand Jury HTTPS Hypertext Transfer Protocol Secure IT The use of computers to store, retrieve, transmit and (Information manipulate data information. Typically used within the Technology) context of business operations as opposed to personal or entertainment technologies. All hardware, software and peripheral equipment operated by a limited group of users, as in “IT Department.” Malware Any software intentionally designed to cause damage to a computer, server, client, or computer network. By contrast, software that causes unintentional harm due to some deficiency is typically described as a software bug. A wide variety of malware exists, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware. MISAC The Municipal Information Systems Association of California MS-ISAC Multi State Information Sharing and Analysis Center NIST National Institute for Standards and Technology (U.S. Department of Commerce) NSF National Science Foundation (administers SFS) Server A computer that provides data to other computers. SFS CyberCorps Scholarships for Service SLTT State, Local, Tribal and Territorial Governments; includes special districts (e.g. Libraries, airports, water districts, harbors, etc.) USB Drive A data storage device that includes flash memory with an integrated USB interface. It is typically removable and rewritable. URL Colloquially termed a “web address,” is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL (Uniform Resource Locator) is a specific type of Uniform Resource Identifier (URI), although many people use the two terms interchangeably. Cybersecurity Strategies for Cities in Ventura County Appendices A Compilation of Best Practices from Authoritative Sources Cybersecurity Resources City Budgets Federal Government Cybersecurity Recommendations for SLTTs State of the Art Platforms and Tools Cybersecurity Strategies for Cities in Ventura County 17

Conclusions 2

CL1 Page 10

C-01. While the Grand Jury recognizes each City is taking steps to implement cybersecurity and to defend against cyberattacks, it concludes there is no perfect solution to cybersecurity or defense against cyberattacks. (FA-01, FA-02, FA-03, FA-04, FA-05, FA-06, FA-07) C-02. The Grand Jury concluded eight Cities are currently using suboptimal web addresses for their websites. (FA-08, FA-09) C-03. The Grand Jury concluded generally Cities are not utilizing free federal and discounted federally aligned resources available to Cities to bolster their cybersecurity defenses. (FA-10, FA-11, FA-12, FA-13, FA-14, FA-15, FA-16, FA-17, FA-18, FA-19, FA-20) 8 Cybersecurity Strategies for Cities in Ventura County
CL2 Page 11

C-04. The Grand Jury concluded cybersecurity staffing could be improved with more effective recruiting and staff retention practices. (FA-21, FA-22, FA-23) C-05. The Grand Jury concluded Cities should manage cyber risks associated with vendors by requiring they provide annual documentation regarding cybersecurity insurance and cybersecurity practices. (FA-24, FA-25, FA-30, FA-31) C-06. The Grand Jury concluded some Cities do not clearly identify expenditures regarding information technology or cybersecurity in their budgets. (FA-26, FA-27) C-07. The Grand Jury concluded all Cities would benefit from comprehensive cyber incident response, recovery and business continuity plans. (FA-28, FA-29) C-08. The Grand Jury concluded some Cities are not following the recommended best practices for teleworking published by California Cyber Security Integration Center (FA-03, FA-04)

Agency Responses 12

Government agencies' official responses to this report's findings and recommendations. Click on a response to see the structured breakdown.

City of Ojai

August 25, 2020 • 8 pages • 1 response • Score: +1 (+1, 0, 0) View Details ▾

PDF

1 response to findings and recommendations

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Will Implement

Score: +1

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in Appendix 02 to supplement internal staff and/or replace vendor services whenever possible. CITY COUNCIL RESPONSE TO RECOMMENDATION R-03 The City agrees with recommendation R-03. The city IT staff will familiarize themselves with the services set forth in Appendix 02 and take advantage of as much cost savings as feasible. GRAND JURY RECOMMENDATION R-04 The Grand Jury recommends Cities' IT staff subscribe to CISA updates online. CITY COUNCIL RESPONSE TO RECOMMENDATION R-04 The City ...

City of Ojai

July 22, 2020 • 3 pages View Details ▾

PDF

City of Port Hueneme

October 19, 2020 • 4 pages • 11 responses View Details ▾

PDF

11 responses to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Unknown

Score: 0

By default, the City of Port Hueneme uses HTTPS (Hypertext Transfer Protocol Secure) for all internal and external web sites. If an end user browses to an HTTP address, the communication is automatically switched to HTTPS, or terminated. This practice began in December, 2018. Recommendation R-02. The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

R02

The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

Response: Unknown

Score: 0

During the establishment of the City's web presence in approximately 2002, the City followed what were the current naming conventions for government entities, and maintain that naming convention today. The use of California Department of Technology domain name taxonomy guidance seems to provide limited additional security for the public, and results in a significant amount of work to effect the change. Such a change would also negatively impact the existing public communication established over the years using the current naming convention. City will investigate costs and impacts associated wi...

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Unknown

Score: 0

Port Hueneme has taken advantage of the external penetration testing services provided by CISA since December, 2019. The City has requested additional services to include targeted phishing exploits/training, but has not yet been provided that service. Staff recently joined MS_IASC, applying for IP and Domain-name filtering services. MS_IASC's offer of targeted phishing is being reviewed for implementation. Recommendation R-04. The Grand Jury recommends Cities' IT staff subscribe to CISA updates online. (C-03)

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

Response: Unknown

Score: 0

Port Hueneme IT have received weekly vulnerability updates from US- CERT since approximately 2015. In December, 2019 the City began utilizing services from The addition of IP and Domain filtering from MS_IASC in July, 2020 further CISA. increases the layers of protection utilized. Recommendation R-05. The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

R05

The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

Response: Unknown

Score: 0

The City of Port Hueneme leverages cooperative purchase agreements whenever possible. The City of Port Hueneme will review cooperative service offerings the next time services are needed to replace, upgrade, or supplement existing cybersecurity measures. The current major provider of network services has an established relationship and understanding of the network architecture, which is a valuable asset that must be considered in determining if change for the sole sake of saving initial purchase price is valid. Recommendation R-06. The Grand Jury recommends Cities develop personnel costsaving...

R06

Response: Unknown

Score: 0

Utilizing temporary interns as the basis for a cybersecurity talent pool introduces a high level of potential risk on a critical system. This provides an unknown level of risk each time an intern leaves, as critical information and passwords leave the control of City staff. The level of work to ensure no unauthorized access can be attained needs to be carefully weighed against the value of personnel cost-saving opportunities from intern assistance. Staff currently administering changes to the City's network security have established career dedication to the City, and have extended experience w...

R07

Response: Unknown

Score: 0

a. Further analysis is required. The City has a concern that Cybersecurity and Infrastructure Agency (CISA) risk management assessments on all third-party vendors may adversely impact the timing of the award and project execution. A better understanding of the CISA risk management assessment process and response is required. The City agrees we should require all vendors provide cybersecurity documentation and evaluate vendors for compliance on an annual basis. Financial audits typically include a requirement to provide such documentation on major systems that store Personally Identifiable In...

R08

The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C-06)

Response: Unknown

Score: 0

Budget appropriations for the City's Information Technology function currently serve as the predominate portion of the City's General Government cost center. The City will undertake a project to restructure the City budget in a way that isolates IT costs from other city expenses. The City seeks to implement this change as part of the development of the next municipal budget, which is expected to be adopted prior to July 1, 2021. If it is determined that such a change impacts that City's existing Cost Allocation Plan (CAP), the project will be delayed until such time as the next CAP is performe...

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

Response: Unknown

Score: 0

The City is in the midst of selecting a candidate to perform an IT Master Plan. The City anticipates that direction and funding for Business Continuity planning will be a recommendation of the IT Master Plan. Timeline: The IT Master Plan completion is anticipated for May, 2021. Recommendation R-10. The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

R10

The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

Response: Unknown

Score: 0

City staff who need to telework are issued laptop resources. All laptops have been configured by IT department to assure anti-virus and operating system updates. Connection to internal network resources are accomplished with VPN software to encrypt traffic between endpoints. Personal devices are not approved for use in telework except in unique cases. These cases require the use of secure desktop sharing applications. Security of City-provided cell phones has not been addressed. Cell phone are used for email connectivity only. Recommendation R-11. The Grand Jury recommends Cities develop a wri...

R11

The Grand Jury recommends Cities develop a written plan for implementation of R-01 through R-10 prior to December 31, 2020. Responses Responses Required From: City Council, City of Camarillo (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Fillmore (C-01, C-02, C-03, C-04, C-05, C-06, C-07, C-08) (R-01, R-02, R-03, R-04, R-05, R-06, R-07, R-08, R-09, R-10, R-11) City Council, City of Moorpark (C-01, C-02, C-...

Response: Unknown

Score: 0

The City will develop formal written plans for each recommendation that requires further action. Timeline: prior to December 31, 2020.

City of Port Hueneme

May 21, 2020 • 3 pages • 2 responses • Score: +1 (+1, 1, 0) View Details ▾

PDF

2 responses to findings and recommendations

F03

Response: Agree Score: +1

Recommendations numbered . ____ have been implemented. (Attach a summary describing the implemented actions and date completed.) Recommendations number _____ have not yet been implemented, but will be • implemented in the future. (Attach a time frame for the implementation.) Recommendations numbered ______ require further analysis. Recommendations numbered • _____ will not be implemented because they are not warranted or are not reasonable. oura D. Alexander Date: June 15, 2020 Signed: Number of pages attached: ____________________________________ City of Port Hueneme Administration June 15, ...

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Requires Analysis

Score: 0

City of Simi Valley

July 27, 2020 • 3 pages • 11 responses • Score: 0 (+0, 1, 0) View Details ▾

PDF

11 responses to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Unknown

Score: 0

By default the City of Simi Valley uses HTTPS (Hypertext Transfer Protocol Secure) for all internal and external web sites. This practice began in 2010. Recommendation R-02. The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

R02

The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

Response: Unknown

Score: 0

Some cities are using a second level domain of ca.gov for their domain name, the City registered simivalley.ca.gov. Simivalley.org is the City's primary domain and is a trustworthy web address. This domain is administered by the IS staff using Network Solutions as the top level domain provider. Registration fees for simivalley.org are $100 for five years. The City can register simivalley.gov through the United States General Services Administration (GSA), registration fees are $2,000.00 for five years. Historically the City has not budgeted for this expense. Our analysis concluded the GSA will...

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Unknown

Score: 0

The City uses free cybersecurity services and tools from the federal government and is expanding the number of tools we take advantage of. This practice began in 2018. Recommendation R-04. The Grand Jury recommends Cities' IT staff subscribe to CISA updates online. (C-03)

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

Response: Unknown

Score: 0

Staff members with Cyber Security responsibilities currently subscribe to CISA updates. This practice began in 2017. Recommendation R-05. The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

R05

The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

Response: Unknown

Score: 0

The City of Simi Valley leverages cooperative purchase agreements whenever possible. This practice began in 2010. Recommendation R-06. The Grand Jury recommends Cities develop personnel costsaving opportunities and create a cybersecurity talent pool by recruiting interns or graduating students using: (C-04)  The Scholarships for Service program described in Appendix 02  Local education institutions (high school, community college, private college and state university)

R06

Response: Implemented

Score: 0

The City entered into an MOU with VCCCD for internships in February 2020. The City registered as an agency official at the National Science Foundation (SFS) to gain access to the IA candidate pool. We will consider candidates from this pool when a position opens up that requires cyber security skills. Timeline: Agency registration has been completed as of July of 2020, hiring will occur as funding permits. DocuSign Envelope ID: 93377B03-70C4-459D-802F-0F003CB7AD04 Recommendation R-07. The Grand Jury recommends Cities maintain good vendor management by: (C-03, C-05) a. Obtaining CISA assistanc...

R07

Response: Unknown

Score: 0

a. Further analysis is required. The City has a concern that projects may be delayed if CISA conducts risk management assessments on all third-party vendors that have access to any confidential data and that interact with City networks and systems. A better understanding of the CISA risk management assessment process and response is required. Timeline: August 2020. b. The City agrees we should require all vendors to provide cybersecurity documentation and evaluate vendors for compliance on an annual basis. c. The City agrees we should require all IT vendors obtain cybersecurity insurance. Reco...

R08

The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C-06)

Response: Unknown

Score: 0

The City of Simi Valley identifies expense for information technology services within their approved budget. This practice began in 2004. Recommendation R-09. The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

Response: Unknown

Score: 0

The City will create cyber incident response, recovery and business continuity plans and testing procedures. Timeline: prior to June 30, 2021. Recommendation R-10. The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

R10

The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

Response: Unknown

Score: 0

The City has initiated best practices into our telecommuting guidelines and policies. Timeline: This practice began in July 2020. Recommendation R-11. The Grand Jury recommends Cities develop a written plan for implementation of R-01 through R-10 prior to December 31, 2020

R11

Response: Unknown

Score: 0

The City will develop formal written plans for each recommendation. Timeline: prior to December 31, 2020.

City of Simi Valley

April 08, 2020 • 2 pages • 1 response View Details ▾

PDF

1 response to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Unknown

Score: 0

The City's Police Department is currently part of the Bureau of Justice Human Trafficking Task Force. The next meeting, scheduled for August 11, 2020, will be focused on developing the Ventura County Human Trafficking Protocol. Simi Valley Police will contribute to the development of that protocol. The Department will work with our County law enforcement partners to implement the conclusions in C-03 and C-04 of the Grand Jury's Report. Currently, the City's massage ordinance has been effective in dealing with the problem at those illicit businesses operating in Simi Valley.

City of Thousand Oaks

June 23, 2020 • 6 pages View Details ▾

PDF

Oxnard Union High School District

August 18, 2020 • 5 pages • 1 response View Details ▾

PDF

1 response to findings and recommendations

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Unknown

Score: 0

, EC 51939(c) only requires that, "an alternative educational activity shall be made available to pupils whose parents or guardians have requested that they not receive the instruction or participate in the test, questionnaire, or survey." The law does not provide any detail or indicate what specific content the alternative educational activity must provide. Therefore, requiring charter schools to provide an alternative educational activity that includes instruction in "negotiation and refusal skills to assist pupils in overcoming peer pressure and using effective decision-making skills to avo...

City of Moorpark

September 14, 2020 • 6 pages • 11 responses View Details ▾

PDF

11 responses to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Unknown

Score: 0

The City of Moorpark uses HTTPS (Hypertext Transfer Protocol Secure) for all internal and external web sites. This practice began prior to 2011. Recommendation R-02. The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02) City

R02

The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

Response: Unknown

Score: 0

The City of Moorpark uses a .gov domain name and has registered https://www.moorparkca.gov/ through the dotgov.gov registry. This practice began in 2011. Recommendation R-03. The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in Appendix 02 to supplement internal staff and/or replace vendor services whenever possible. (C-03) City

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Unknown

Score: 0

The City of Moorpark uses free cybersecurity tools and will expand on the tools and offerings as recommended. Timeline: December 31, 2020. Recommendation R-04. The Grand Jury recommends Cities' IT staff subscribe to CISA updates online. (C-03) City

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

Response: Unknown

Score: 0

The City of Moorpark Information System staff currently subscribes to CISA updates. This practice began in 2008. Recommendation R-05. The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

R05

The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

Response: Unknown

Score: 0

The City of Moorpark leverages cooperative purchase agreements whenever possible. This practice began prior to 1999. Recommendation R-06. The Grand Jury recommends Cities develop personnel costsaving opportunities and create a cybersecurity talent pool by recruiting interns or graduating students using: (C-04) The Scholarships for Service program described in Appendix 02 · Local education institutions (high school, community college, private college and state university) City

R06

Response: Unknown

Score: 0

The City of Moorpark began the process to accept internships from the Ventura County Community College District and will consider a candidate when a position opens up that requires cybersecurity skills. This practice began in February 2020. Recommendation R-07. The Grand Jury recommends Cities maintain good vendor management by: (C-03, C-05) a. Obtaining CISA assistance to conduct risk management assessments on all third-party vendors that have access to any confidential data or that interact with City networks and systems b. Requiring all vendors provide cybersecurity documentation. As part o...

R07

Response: Unknown

Score: 0

The City of Moorpark agrees with this recommendation and will explore CISA assistance in risk management of IT vendors and begin reviewing on an annual basis. The City already requires all IT service vendors to obtain cybersecurity insurance. The practice began prior to 2018. Recommendation R-08. The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C 06) City

R08

The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C-06)

Response: Unknown

Score: 0

The City of Moorpark identifies expenses for Information Services in the approved budget and uses an ERP Financial Software to track and record expenditures. Recommendation R-09. The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07) City

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

Response: Unknown

Score: 0

The City of Moorpark will develop and test a cyberincident response. Timeline: December 31, 2020. Recovery and business continuity plan are currently tested on a regular and ongoing-basis. Recommendation R-10. The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08) City

R10

The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

Response: Unknown

Score: 0

The City of Moorpark has initiated best practices into our telecommuting agreement and guidelines. This practice began in April 2020. Recommendation R-11. The Grand Jury recommends Cities develop a written plan for implementation of R-01 through R-10 prior to December 31, 2020. City

R11

Response: Unknown

Score: 0

. The City of Moorpark agrees with this recommendation and will develop a written plan for any of the recommended items that are not already in place. Timeline: December 31, 2020.

City of Santa Paula

August 15, 2020 • 6 pages • 7 responses • Score: +4 (+4, 2, 0) View Details ▾

PDF

7 responses to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Implemented

Score: 0

R-01 has been implemented.

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

Response: Will Implement

Score: +1

R-04 will be implemented.

R06

Response: Implemented

Score: 0

R-06 has been implemented.

R07

Response: Will Implement

Score: +1

R-07 will be implemented.

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

Response: Will Implement

Score: +1

R-09 will be implemented as budgetary constraints allow.

R10

The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

Response: Unknown

Score: 0

R-10 has been and will continue to be implemented.

R11

Response: Will Implement

Score: +1

R-11 will be implemented in the future.

City of Oxnard

August 06, 2020 • 8 pages • 6 responses • Score: +4 (+4, 2, 0) View Details ▾

PDF

6 responses to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Requires Analysis

Score: 0

Attachment - Example of Secure Web-Site Protocols (HTTPS). Two examples provided. R-02 Response - The City agrees generally with C-02 and R-02, but this will require further analysis in the coming year. R-03 Attachment - Email verifying Federal Cybersecurity program signup and a screenshot of the program. R-04 Attachment - Email verifying subscription to Cybersecurity Infrastructure Security Agency. • R-05 Response - The City leverages discounted services and cooperative purchasing programs whenever possible. R-06 Attachment - Signed MOU with VCCCD for internships. R-07 Attachment...

R02

The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

Response: Requires Analysis

Score: 0

Response - The City agrees generally with C-02 and R-02, but this will require further analysis in the coming year. R-03 Attachment - Email verifying Federal Cybersecurity program signup and a screenshot of the program. R-04 Attachment - Email verifying subscription to Cybersecurity Infrastructure Security Agency. • R-05 Response - The City leverages discounted services and cooperative purchasing programs whenever possible. R-06 Attachment - Signed MOU with VCCCD for internships. R-07 Attachment and Response - NIST (National Institute of Standards and Technology) compliant Cybersec...

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Will Implement

Score: +1

Attachment - Email verifying Federal Cybersecurity program signup and a screenshot of the program. R-04 Attachment - Email verifying subscription to Cybersecurity Infrastructure Security Agency. • R-05 Response - The City leverages discounted services and cooperative purchasing programs whenever possible. R-06 Attachment - Signed MOU with VCCCD for internships. R-07 Attachment and Response - NIST (National Institute of Standards and Technology) compliant Cybersecurity Framework for CentralSquare Enterprise Resource Planning system (Attachment). CISA (Cybersecurity and Infrastructure ...

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

Response: Will Implement

Score: +1

Attachment - Email verifying subscription to Cybersecurity Infrastructure Security Agency. • R-05 Response - The City leverages discounted services and cooperative purchasing programs whenever possible. R-06 Attachment - Signed MOU with VCCCD for internships. R-07 Attachment and Response - NIST (National Institute of Standards and Technology) compliant Cybersecurity Framework for CentralSquare Enterprise Resource Planning system (Attachment). CISA (Cybersecurity and Infrastructure Security Agency) assistance in progress. The City does require cyber liability insurance for our technolog...

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

Response: Will Implement

Score: +1

R-09 will be implemented by September 1, 2020.

R11

Response: Will Implement

Score: +1

R-11 will be implemented by December 31, 2020).

City of Camarillo

July 24, 2020 • 6 pages • 11 responses View Details ▾

PDF

11 responses to findings and recommendations

R01

The Grand Jury recommends Cities establish secure web addresses through the use of HTTPS or other such protocols. (C-02)

Response: Unknown

Score: 0

We agree with recommendation R-01. This recommendation has already been implemented. We use the HTTPS protocol across all City webpages, payment portals, and web addresses. R-02. "The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)" City Response: As stated above, we mostly agree with recommendation R-02. This conclusion does not necessarily make the website more secure but can assist in validating our web address to the public. We already use HTTPS to secure our websites and payment por...

R02

The Grand Jury recommends Cities establish trustworthy web addresses by following the California Department of Technology domain name taxonomy guidance. (C-02)

Response: Unknown

Score: 0

As stated above, we mostly agree with recommendation R-02. This conclusion does not necessarily make the website more secure but can assist in validating our web address to the public. We already use HTTPS to secure our websites and payment portals. We will consider adding the .gov domain as an option as part of our upcoming website redesign. R-03. "The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in Appendix 02 to supplement internal staff and/or replace vendor services whenever possible. (C-03)" City Response: We agree with concl...

R03

The Grand Jury recommends Cities utilize free federal and federally aligned cybersecurity services as set forth in

Response: Unknown

Score: 0

We agree with conclusion R-03. We already utilize several of the listed resources and are exploring additional services not currently used. R-04. "The Grand Jury recommends Cities' IT staff subscribe to CISA updates online. <math>(C-03)</math>" City Response: We agree with recommendation R-04. This recommendation has already been implemented. We currently receive the CISA technology updates and alerts. R-05. "The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)" Page 4 of 5 City Response: We agree with recommendat...

R04

The Grand Jury recommends Cities’ IT staff subscribe to CISA updates online. (C-03)

Response: Unknown

Score: 0

We agree with recommendation R-04. This recommendation has already been implemented. We currently receive the CISA technology updates and alerts. R-05. "The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)" Page 4 of 5 City Response: We agree with recommendation R-05. We already take advantage of cooperative purchasing programs whenever possible, per our City Purchasing Policy. We will continue to find ways to take advantage of available discounted services. R-06. "The Grand Jury recommends Cities develop personne...

R05

The Grand Jury recommends Cities take advantage of discounted services and cooperative purchasing programs whenever possible. (C-03)

Response: Unknown

Score: 0

We agree with recommendation R-05. We already take advantage of cooperative purchasing programs whenever possible, per our City Purchasing Policy. We will continue to find ways to take advantage of available discounted services. R-06. "The Grand Jury recommends Cities develop personnel cost-saving opportunities and create a cybersecurity talent pool by recruiting interns or graduating students using: (C-04) The Scholarships for Service program described in Appendix 02 · Local educational institutions (high school, community college, private college and state university)" City Response: We ag...

R06

Response: Unknown

Score: 0

We agree with recommendation R-06. We will explore opportunities offered through the Scholarships for Service program and consider recruiting interns from County higher education internship programs when opportunities arise. R-07. "The Grand Jury recommends Cities maintain good vendor management by: (C- 03, C-05) Obtaining CISA assistance to conduct risk management assessments on all third-party vendors that have access to any confidential data or that interact with City networks and systems Requiring all vendors provide cybersecurity documentation. As part of their ongoing third-party due...

R07

Response: Unknown

Score: 0

We agree with recommendation R-07. This recommendation has already been implemented. The City will explore CISA assistance in risk management of their vendors and begin reviewing on an annual basis. We currently require cybersecurity insurance from our IT vendors. R-08. "The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C-06)" City Response: We agree with recommendation R-08. This recommendation has already been implemented. We currently identify all Information Services expenditures separately in our ...

R08

The Grand Jury recommends Cities clearly identify expenses for their Information Services (Technology) Departments in their approved budgets. (C-06)

Response: Unknown

Score: 0

We agree with recommendation R-08. This recommendation has already been implemented. We currently identify all Information Services expenditures separately in our budget. R-09. "The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)" Page 5 of 5 City Response: We agree with recommendation R-09. This recommendation has already been implemented. We regularly update and maintain a disaster response plan which addresses cyber incident response, recovery, and business continuity plans. R-10. "The Grand Jury recommends Cities implem...

R09

The Grand Jury recommends Cities develop and test cyber incident response, recovery and business continuity plans. (C-07)

Response: Unknown

Score: 0

We agree with recommendation R-09. This recommendation has already been implemented. We regularly update and maintain a disaster response plan which addresses cyber incident response, recovery, and business continuity plans. R-10. "The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Security Integration Center. (C-08)" City Response: We agree with recommendation R-10. This recommendation has already been implemented. To maintain business continuity during the recent COVID-19 outbreak, we began implementing teleworking with select staff w...

R10

The Grand Jury recommends Cities implement the best practices for teleworking as published by the California Cyber Security Integration Center. (C-08)

Response: Unknown

Score: 0

We agree with recommendation R-10. This recommendation has already been implemented. To maintain business continuity during the recent COVID-19 outbreak, we began implementing teleworking with select staff while following the best practices as recommended by the California Cyber Security Integration Center. R-11. "The Grand Jury recommends Cities develop a plan for implementation of R-01 through R-10 prior to December 31, 2020." City Response: We agree with recommendation R-11. We will begin working on a written plan to comply with the December 31, 2020 date. The City has made cybersecurity an...

R11

Response: Unknown

Score: 0

We agree with recommendation R-11. We will begin working on a written plan to comply with the December 31, 2020 date. The City has made cybersecurity an increased focus in recent years. All city staff are required to attend annual cybersecurity training. IS staff regularly send out updates and alerts on the latest phishing and ransomware attacks. IS staff attend annual information technology conferences, various webinars and attend vendor demos on the latest trends and applications in cybersecurity. SUMMARY The City of Camarillo wishes to thank the Grand Jury for its time. Date: July 27, 2020 ...

No Responses Found 2

Government entities assigned to respond to this report. No response documents have been linked in our database.

Fillmore City

San Buenaventura City