Marin County Grand Jury • 2024-2025 • Agency Response
Response to: Cyberattacks: A Growing Threat to Marin Government

City of Novato California July 16, 2020*

Published: July 16, 2020 7 pages
View Original PDF

Findings and Recommendations 7 findings

F3
Transparency is lacking regarding cybersecurity because past breaches have not been publicly disclosed, and city and town councils have not facilitated public discussion of cybersecurity issues. Response: Agree The City will develop a mechanism and policy that clarifies public reporting of breaches.
No recommendations for this finding
F4
Most elected officials in Marin's cities and towns are not sufficiently engaged in ensuring robust cybersecurity policies and procedures are in place. Response: Disagree The Novato City Council has supported, through its annual budget, IT services and infrastructure that address cybersecurity measures and would be supportive of further actions in this area. In addition, the City has regularly made the maintenance and upgrade of cybersecurity practices a part of the City's annual goals and objectives. Over the past several years, the City Council and City Manager have received periodic updates on the status of the City's cybersecurity goals and programs. These updates include past, ongoing, in-progress, and upcoming efforts regarding security for network infrastructure, desktop, mobile devices, users, internal processes, and disaster recovery. They also include information about known attempted ransomware attacks.
Related Recommendations (1)
R4
Starting in fiscal year 2020–2021, the county board of supervisors and the city and town councils should request their managers report, at least annually, regarding their cybersecurity profile and any measures being taken to improve it. Response: This recommendation has been implemented. Historically, the City of Novato's Information Technology Division has provided periodic reports to the City Manager and the City Council on current cybersecurity risk and threat assessments and actions underway by City staff to combat these threats. City staff will continue to provide these reports at the request of the City Council and City Manager on a periodic basis.
F5
County and municipal officials and managers have been generally unaware of breaches that have occurred outside their own agencies in Marin and therefore have not felt the need to collaborate on measures to improve cybersecurity. Response: Disagree partially The City of Novato has not consistently been made aware of breaches outside of our agency, however issues of cybersecurity have been discussed by the Marin Managers Association
Related Recommendations (1)
R5
Starting in fiscal year 2020–2021, the county, cities, and towns should convene periodic discussions, at least annually, in a public forum such as a board or council meeting, regarding the importance of good cybersecurity practices for our government, residents, and other organizations. Response: Agree. City of Novato employees, elected officials, and anyone with access to the City network are required to participate in regular cybersecurity training and receive email updates to current and trending security threats. The City periodically sends out public communications about known scams and prevention measures. The City will continue to explore additional means for educating the public about cybersecurity. Starting in October 2020, the County of Marin will host an NCSAM event that is open to members of the public to facilitate a discussion on cybersecurity. As a member of the recently formed Marin Information Security Collaboration (MISC), Novato will help promote this event to our residents and organizations.
F6
Municipalities have been lax in following FBI guidance that cybersecurity breaches be reported to federal law enforcement Response: Disagree The City of Novato maintains Department of Justice compliant network connectivity to serve our Police Department and have a process for reporting breaches to federal authorities.
Related Recommendations (1)
R6
The county and each city and town should adopt a policy to report to federal law enforcement any cybersecurity intrusion that results in financial fraud or unauthorized disclosure of information and make that intrusion public. Response: This recommendation has not yet been implemented but will be implemented in the future. Were the City of Novato to become victim to any of the above attacks, staff would work closely with all law enforcement personnel, including federal law enforcement, as required to properly respond to the threat. While we have a process for reporting breaches, we are updating the documentation and determining whether a policy is required beyond existing procedures that are consistent with the above recommendation. The County of Marin has access to existing security policy templates that have been developed in collaboration with the California Counties Information Services Director's Association (CCISDA) Information Security Council (ISC). These templates will be shared with the members of the recently formed Marin Information Security Collaboration (MISC) and will be considered for updates to the City of Novato's own security policies.
F7
Marin's cities and towns have not made a concerted effort to standardize around a common set of best practices with respect to cybersecurity. Response: Agree We agree that more can be done to share cybersecurity best practices. While the strategy and approach to cybersecurity in Marin cities and towns have not been standardized amongst all jurisdictions, most of the cities and towns utilizing the MIDAS network share the network security protocols in place for MIDAS and a number of cities and towns have relied on a common service provider to implement local network security solutions through Marin IT. The City of Novato will work with the recently formed Marin Information Security Collaboration (MISC) between Marin County regional agencies to develop and share best practices for cybersecurity.
Related Recommendations (1)
R7
of the date of this report, cities and towns should implement the first four practices described in the Best Practices section of this report, regarding mandatory user training, email flagging and filtering, password management, and backup. Response: This recommendation has been implemented. The City of Novato currently follows the first six practices described in this report. Network security is currently managed by the City's staff who monitors and responds to threats, provides network backups, and manages cybersecurity training. Staff is required to participate in annual security training including email updates on current threats, phishing simulations, regular password changes. We also have measures in place for email flagging, spam filtering, and regular backups of City files and servers. Mobile device management has been implemented throughout the organization. We have started requiring multi-factor authentication for City staff who have access to City Financial system, networks and documents, and plan to have this rolled out to all users in the next few months.
F8
The Marin County Council of Mayors & Councilmembers has not made cybersecurity a priority, which has minimized the awareness and engagement of elected officials in cybersecurity matters. Response: Disagree partially While the Marin County Council of Mayors & Councilmembers have not made cybersecurity a focus over other pressing regional issues, the Novato City Council has made cybersecurity a priority through the City's annual budget and strategic plan. For the past several years, the City Manager and Council have been briefed on the status of our security program, long-term projects, and actions-to-date related to the security of the City's network.
Related Recommendations (1)
R8
In fiscal year 2020-2021, cities and towns should complete an analysis of the feasibility of implementing the remainder of the practices described in the Best Practices section of this report. Response: This recommendation has been implemented. The City of Novato is committed to protecting information and data from external threats. Some measures require more funding than is currently available however we are actively working to implement the remaining best practices.
F9
The Marin Managers Association has not done enough to facilitate the sharing of cybersecurity information and resources among its members. Response: Disagree December 2019, the City of San Rafael made a presentation to the Marin Managers Association about a recent overhaul of their IT service delivery model (including cybersecurity). Their presentation included a consultant they hired to conduct an assessment of their service model and the president of the company who manages their cybersecurity. GRAND JURY RECOMMENDATIONS AND RESPONSES:
Related Recommendations (1)
R9
In fiscal year 2020–2021, cities and towns should, through the Marin Managers Association, complete an analysis of the feasibility of contracting with a cybersecurity expert to be available to cities and towns on a shared basis, in order to raise the overall level of cybersecurity in Marin's cities and towns. Response: This recommendation requires further analysis. This recommendation has not yet been implemented but will be implemented in the future. The City of Novato City Manager will work with the Marin Managers Association to add the consideration of hiring a cybersecurity firm to the list of potential shared services that is currently in development. y ř

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.