📋
Extraído del Informe Consolidado
Esta investigación fue publicada originalmente como parte de un informe consolidado más amplio que contiene múltiples investigaciones. Consulte el PDF consolidado para ver el documento completo.
Santa Cruz County Grand Jury
• 2023-2024
HAS NOT YET Been Implemented but Will BE in the Future –
⚠️ Aviso de traducción: Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 23 findings
F1
Funds are focused on improving conditions of well-being for community members experiencing the greatest challenges and barriers in the County.
Related Recommendations (1)
R1
Santa Cruz County should prepare and implement a Cybersecurity Plan , ensuring that city officials and all staff are well aware of the plan details, their responsibilities, and associated policies. (F1)
F2
A hybrid approach is administered to support both broad-based service programs and smaller “Targeted Impact” models.
Related Recommendations (1)
R2
, the county should revise and expand its Incident Response Plan to clearly delineate the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack. A detailed plan is a requirement for continuity of county operations in a cyber incident. (F2)
F3
There is good diversity of eligible applicants: Non-profit 501(c)(3) agencies, federally recognized tribal entities, and public education agencies.
Related Recommendations (1)
R3
The County’s information sharing efforts should be expanded to ensure fulsome information sharing across all government entities in the county, specifically Santa Cruz, Watsonville, Scotts Valley, and Capitola, A simple schedule of monthly meetings would permit regular sharing of possible threats, TTPs seen across the county, and information learned from outside organizations such as the Cal-CSIC. (F3) Cyber Threat Preparedness published May 18, 2023 42 Santa Cruz County Civil Grand Jury
F4
The program is well coordinated, with County and City staff partnering to review and award for all tiers. The City focused their funding on programs serving primarily City residents.
Related Recommendations (1)
R4
The City of Santa Cruz should prioritize filling its vacant IT department positions by Fall 2023. The IT Department and the Human Resources (HR) Department should revise its position requirements, compensation packages, and recruiting priorities to enable the City to attract qualified personnel to these positions. (F4)
F5
A clear outline of the RFP is available to the applicants, with an understanding of the awards process and the tier level they fall under.
Related Recommendations (1)
R5
By Fall 2023, Santa Cruz should identify and implement creative approaches to hiring and retention so they can maintain a fully staffed IT Department despite the competition with surrounding counties. The City should investigate potential partnerships with one or more of the 18 California colleges and universities with National Centers of Academic Excellence in Cybersecurity. (F5)
F6
The County and City provides a comprehensive review of the process which allows the applicants an opportunity to ask questions of clarity if needed. Commendations C1. The CORE program is commended for being unbiased. Applicants for Small, Medium, and Large tiers are asked to select an “equity dimension” (i.e., race, ethnicity, age, gender, sexual orientation, etc.) that best describes how equity is defined in the proposed project or program. Since the Targeted Impact tier is focused on racial equity, a question is included in that specific application on any additional equity dimensions the proposal will address. It is not required to focus on an additional dimension, and it will not be scored. This aspect provides a very even playing field for all applicants applying and there is no room for any bias in the process. C2. The CORE program is commended for accommodating applicants of diverse size equitably. All applicants are encouraged to be as specific as possible when articulating their activities, populations served, and program outcomes. Details on activities (strategies) are relevant in the Small tier while higher tier applications are to emphasize outcomes. This allows inclusion no matter what size your organization and focuses on the central objective of helping the broader community with the most impactful services. C3. Since funding is awarded at the same amount for each year of the 3-year grant term, applicants are able to consider how this may impact the services throughout the 3-year term. CORE does a good job of ensuring that the services being funded remain intact and the impacted communities receive the needed support throughout the duration of the funded programs. We could not find any evidence of mishandling of the funds or programs being removed within this 3-year period. CORE published May 18, 2023 2022-2023 Consolidated Final Report with Responses 7 Invited Responses Respond Within/ Respondent Findings Recommendations Respond By Director of Human Services 90 Days
Related Recommendations (1)
R6
By Fall 2023, the City of Santa Cruz should assign one individual responsible for cybersecurity. Adoption of a managed service provider arrangement will boost its security posture, although it does not eliminate the need for a dedicated security lead within the City’s IT Department. (F6)
F7
The City of Santa Cruz does not have a Cybersecurity Policy, suggesting that preparations to mitigate a cyber attack are inadequate and not widely shared.
Related Recommendations (1)
R7
or sooner, the City of Santa Cruz should develop and implement a Cybersecurity Plan that encompasses all aspects of information security. (F7)
F8
The City of Santa Cruz does not have an Incident Response Plan, and this absence indicates that the City will be challenged in responding to a cyber attack, especially a ransomware attack.
Related Recommendations (1)
R8
or sooner, the City should complete an Incident Response Plan with sufficient detail for city officials to use as a step-by-step guide in the event of a cyber incident. (F8) Cyber Threat Preparedness published May 18, 2023 2022-2023 Consolidated Final Report with Responses 43
F9
Santa Cruz participates in some information sharing organizations such as the California Municipal Information Services Association (MISAC), yet it has minimal collaboration within the county and the other cities, forfeiting opportunities to share best practices and understand threats.
Related Recommendations (1)
R9
Once the IT Department has adequate staffing and , it should expand its participation in local and state information sharing groups to maintain current knowledge of the threat environment and emerging technologies. (F9)
F10
After recently expanding its IT Department, the City of Watsonville has improved its IT functions although it does not yet allocate sufficient resources to cybersecurity.
Related Recommendations (1)
R10
Watsonville should conduct an evaluation of its recently expanded IT Department, critical IT upgrades, and the status of cybersecurity measures Based on this assessment, the City should allocate existing or newly identified resources to ensure cybersecurity is adequately addressed going forward. (F10)
F11
The City does not have an individual whose primary responsibility is cybersecurity for the city networks, leaving cybersecurity oversight to the IT Director–along with a multitude of other IT responsibilities–and lowering the priority for cybersecurity measures.
Related Recommendations (1)
R11
Given the size of Watsonville, the City should have a dedicated position for cybersecurity , to ensure adherence to best practices, mitigation of potential threats, and education of city staff and leadership. (F11)
F12
Watsonville does not have a Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, a situation that increases the risks of vulnerabilities.
Related Recommendations (1)
R12
By early 2024 or sooner, Watsonville should prepare and implement a Cybersecurity Plan that addresses all of the best practices for strong cyber hygiene. (F12)
F13
Watsonville does not have an Incident Response Plan that provides detailed information on how to respond to an attack, suggesting the City would not be able to respond rapidly and effectively to a cyber attack.
Related Recommendations (1)
R13
By early 2024 or sooner, Watsonville should prepare and implement an Incident Response Plan with sufficient detail to serve as a guide in the event of a cyber attack. (F13)
F14
Watsonville participates in some regional information sharing forums, but it does not have the resources to expand its participation or tap into state-level information sharing, thus forfeiting valuable best practices and cyber threat information.
Related Recommendations (1)
R14
Upon completion of IT structural upgrades and a higher level of cyber maturity, and , Watsonville should participate in local, regional, and state information sharing initiatives. (F14) Cyber Threat Preparedness published May 18, 2023 44 Santa Cruz County Civil Grand Jury
F15
Although Scotts Valley’s managed service provider is very knowledgeable and capable of providing cybersecurity services, there is no single city official with cybersecurity oversight, potentially leading to a poor understanding of the threats and an inadequate response to a cyber attack.
Related Recommendations (1)
R15
By mid-2023, Scotts Valley should assign a city official as the lead for cybersecurity for the city. This individual should oversee the contractor’s performance in cybersecurity and ensure city leaders are well informed on emerging threats, cybersecurity challenges, and information provided from regional and state entities. (F15)
F16
Scotts Valley does not have a current Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, potentially increasing the risks of vulnerabilities.
Related Recommendations (1)
R16
Working with its IT contractor, by Fall 2023, Scotts Valley should write and implement a Cybersecurity Plan that is shared with all city officials to demonstrate comprehensive security measures and executive-level cyber threat awareness. (F16)
F17
Scotts Valley does not have a current Incident Response Plan, which could exacerbate the effects of a cyber incident such as increase the time a network is unavailable or raise the potential financial costs of a resolution.
Related Recommendations (1)
R17
By Fall 2023, Scotts Valley should write an Incident Response Plan that clearly delineates the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack. (F17)
F18
Scotts Valley does not participate in any cybersecurity information sharing groups to enhance best practices, rather they depend on their contractor to stay informed, which makes the City last to know of critical cyber threats.
Related Recommendations (1)
R18
Scotts Valley should participate in local, regional, and state cybersecurity organizations for information sharing (F18)
F19
With one individual responsible for IT services, Capitola does not allocate sufficient resources to cybersecurity, a status that could lead to poor cyber knowledge and unnecessary vulnerabilities.
Related Recommendations (2)
R19
By Fall 2023, Capitola should hire a full-time IT Director to replace the IT Director who departed in mid-2022. The IT Director should oversee and expand IT services, including those of the consulting company, and lead cybersecurity initiatives. (F19)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks.(F19–F23)
F20
The City of Capitola does not have a robust cybersecurity training program, nor does it conduct phishing tests or routinely remind employees to adhere to cybersecurity measures during potential periods of increased threats. Cyber Threat Preparedness published May 18, 2023 2022-2023 Consolidated Final Report with Responses 45
Related Recommendations (2)
R20
The City should develop a more robust cybersecurity training and phishing testing program for all employees by Fall 2023 or earlier. (F20)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks.(F19–F23)
F21
The City of Capitola does not have a Cybersecurity Plan to address cybersecurity measures city wide, suggesting the city is not adequately mitigating the potential impact of cyber incidents.
Related Recommendations (2)
R21
Capitola should establish and implement a Cybersecurity Plan Several resources exist to provide a foundation or templates for these plans including NIST Guidelines, CISA resources, and Cal-CSIC guidance. (F21)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks.(F19–F23)
F22
The City of Capitola does not have an Incident Response Plan, which could exacerbate the effects of a cyber incident such as increase the time a network is unavailable or raise the potential financial costs of a resolution.
Related Recommendations (2)
R22
By Fall 2023 Capitola should prepare an Incident Response Plan that provides detailed guidance for a city response to a cyber attack. (F22)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks.(F19–F23)
F23
Capitola does not participate in any cyber-focused information sharing groups, nor does it take advantage of state and federal resources designed to assist small cities with mitigating cyber attacks, thereby forfeiting opportunities to learn best practices and raise their cyber awareness.
Related Recommendations (2)
R23
When appropriately resourced to monitor cyber threats, and , Capitola should participate in regional cybersecurity information sharing groups, to gain valuable information to best protect the City. (F23)
R24
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks.(F19–F23)