Santa Barbara County Grand Jury • 2020-2021 • Agency Response
Response to: CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY

City of Santa Mar Office of the Mayor All-America City and City Council*

Published: June 16, 2020 4 pages
View Original PDF

Findings and Recommendations 8 findings

F1
Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible. Response: Agree.
Related Recommendations (1)
R1
That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. Response: Has been implemented by the City of Santa Maria as of September 2019. The senior systems analyst for Public Safety systems is designated the point of contact for information security.
F2
Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully understand the risks, security issues and costs associated with the destruction of systems or loss of data. Response: Disagree partially. It may be that some public entities have an inadequate understanding of their systems and data but the City is unable to say with certainty that most public entities have an inadequate understanding.
Related Recommendations (1)
R2
That each public entity within Santa Barbara County complete a full inventory of their data, electronic and communication systems and determine the related security risks. Response: Will be implemented by the City of Santa Maria by September 1, 2020. This has been partially implemented already.
F3
Some public entities within Santa Barbara County do not have a written cyber security plan. Response: Agree.
Related Recommendations (1)
R3
That each public entity within Santa Barbara County establish a written cyber security plan. Response: Will be implemented by the City of Santa Maria
F4
Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication. Response: Agree.
Related Recommendations (1)
R4
That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. Response: Has been implemented by the City of Santa Maria.
F5
Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software. Response: Agree.
Related Recommendations (4)
R5a
That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. Response: Has been implemented by the City of Santa Maria.
R5b
That each public entity within Santa Barbara County install and update all operating software regularly. Response: Will be implemented by the City of Santa Maria. Most workstations have been updated and servers are scheduled to be updated with the infrastructure upgrade project currently in progress.
R5c
That each public entity within Santa Barbara County periodically train employees and then test their cyber security awareness. Response: Has been implemented by the City of Santa Maria.
R5d
That each public entity within Santa Barbara County periodically ensure electronic system-related contractors have been trained for cyber security awareness. Response: Requires further analysis. This activity will be completed
F6
If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. Response: Agree.
Related Recommendations (2)
R6a
That each public entity within Santa Barbara County create and implement a full backup and recovery plan. Response: Will be implemented by the City of Santa Maria. The written plan to support the current practice will be adopted in calendar year 2020.
R6b
That each public entity within Santa Barbara County regularly update and test their backup and recovery plan. Response: Will be implemented by the City of Santa Maria Ŷ
F7
Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. Response: Agree.
Related Recommendations (1)
R7
That each public entity within Santa Barbara County secure adequate cyber insurance. Has been implemented. The City of Santa Maria purchased cyber liability insurance through ERMAC (Exclusive Risk Management Authority California) Pool in fiscal year 2019-2020.
F8
A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium. Response: Agree.
Related Recommendations (1)
R8
That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. Response: Requires further analysis to be completed in calendar year 2020. <b>ALICE M. PATINO</b> Mayor

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.