Marin County Grand Jury • 2024-2025 • Agency Response
Response to: Sea Level Rise: The Water is Upon Us. We Cannot Run – We Cannot Hide

Cyber Preparedness: Are We There Yet?*

Published: July 30, 2024 7 pages
View Original PDF

Findings and Recommendations 6 findings

F1
Contracts for Information Technology, Information Systems, and Cybersecurity services between third-party providers and Marin County governmental agencies should contain a Business Continuity clause, or other language, protecting that agency from a sudden cessation of services provided by the third-party provider. Response: Agree The County of Marin Information Services and Technology (IST) department relies on multiple vendors to provide critical services to County departments that serve the public. Including a Business Continuity clause in vendor contracts will help ensure these services are available in the event of a cyberattack or other disaster impacting vendor systems.
Related Recommendations (1)
R1
Marin agencies should require a current (executed within the last five years), competitively-bid, written contract which includes business continuity language for any third-party Information Technology services they use. This recommendation has not been implemented and will be in the future. The County of Marin Department of Information Services and Technology (IST) will identify standard business continuity language to be included in contracts. Implementation of the language into contracts will be prioritized based on business need and contract renewal dates and may extend beyond the Grand Jury's recommended timeframe.
F2
Marin County municipalities should have current, written contracts with third-party providers of Information Technology, Information Systems, and Cybersecurity services, and should not continue to use those providers' services without a current contract. Response: Agree The County of Marin has written contracts in place to ensure service delivery.
Related Recommendations (1)
R2
The Board of Supervisors should authorize the creation of a new position within the Department of Information Services and Technology for the 2025-2026 fiscal year, with specific responsibilities to assist other County agencies in cybersecurity awareness, training, implementation, and monitoring of cybersecurity systems. This recommendation will not be implemented because it is not warranted or reasonable. Development of a new County position would be infeasible within the Grand Jury's recommended timeframe. County staff met with city and town stakeholders in June 2024 to discuss the recommendations of this Grand Jury report and to determine potential interest in the County providing direct cybersecurity services to Marin municipalities. A few options were County of Marin Response to Grand Jury Findings and Recommendations County of Marin Response to Grand Jury Report Findings and Recommendations "Cyber Preparedness: Are We There Yet?" (May 17, 2024) discussed, including the establishment of a Cybersecurity JPA, direct service contracts, and continuing with existing services through the Marin Security and Privacy Council. Several municipalities reported cybersecurity upgrades and projects already in progress and declined interest in the coming fiscal year. Some others reported potential interest depending on cost. More research and engagement with city and town stakeholders would be required to determine whether this recommendation is warranted, research that will exceed the Grand Jury's identified timeline.
F3
Membership in insurance risk pools provides the benefits of cybersecurity assessments and audits, which highlight cybersecurity deficiencies and make suggestions for improvement. Response: Agree The County of Marin maintains a Cyber insurance policy with AIG and is not part of the Bay Cities JPIA, or any pool, for Cyber insurance. AIG provides support and consulting time regarding any cyber risks. As part of this engagement, an extensive renewal process occurs yearly, in which the County must meet certain standards to maintain coverage. Insurance risk pools for Marin's cities and towns may bring many of the same benefits more cost-effectively than could be achieved individually.
Related Recommendations (1)
R3
The Board of Supervisors should require that the Marin Department of Information Services and Technology evaluate the formation of a Cybersecurity Joint Powers Authority to raise overall cyber preparedness amongst its members, and for the purpose of acquiring and maintaining perimeter defense protection systems for preventing and eliminating ransomware and other more sophisticated cyberattacks. This recommendation will not be implemented because it is not warranted or reasonable. As reported in the response to R2 above, County staff engaged potential municipal stakeholders in June 2024 to discuss the recommendations of this report, including potential interest in a JPA. While a few reported some level of interest dependent upon cost, others expressed that they had initiated local cybersecurity upgrades and projects in their jurisdictions and would not be interested in making any changes in the coming fiscal year. Direct service contracts with some interested agencies are more likely achieve many of the same objectives at less cost than forming a JPA, which requires a formal structure, governance, and operations expense, and the County remains open to such arrangements where viable.
F4
Having a completed, adopted and regularly updated cybersecurity plan helps ensure that all staff within a government agency are working together to optimize that organization's cyber preparedness and security. Response: Agree The County of Marin has a cybersecurity plan in place to help ensure continuity of operations during actual or suspected security incidents, which is reviewed and updated annually.
Related Recommendations (1)
R4
The Board of Supervisors should create two new system-engineering positions to be filled by cybersecurity experts who would be responsible for conducting security risk assessments, providing recommendations and implementing cybersecurity solutions for public agencies in Marin, among their other tasks. This recommendation requires further analysis. Any positions to be added by the County of Marin would be considered in the context of the County's budget capacity and cost-benefit analysis informed by the likelihood and extent of any direct service contracts with potential stakeholder agencies. The creation of any new County positions for this purpose is not likely within the Grand Jury's recommended timeframe.
F5
Joint Powers Authorities in Marin County exist to provide more efficient and cost- effective services to the people of Marin. County of Marin Response to Grand Jury Findings and Recommendations County of Marin Response to Grand Jury Report Findings and Recommendations "Cyber Preparedness: Are We There Yet?" (May 17, 2024) Response: Partially Disagree While we agree that Joint Powers Authorities may provide efficient and cost-effective services, alternative arrangements may provide similar benefits at less cost or complexity. For example, direct service contracts between an agency with more capacity and/or expertise, and other agencies can be used to provide services with a defined scope of work without the formal structure, governance, and operations expense of a JPA.
Related Recommendations (1)
R5
If and when a Joint Powers Authority is created, one of these positions would serve as a County member of the new organization and a liaison with the Chief Information Security Officer. This recommendation will not be implemented because it is not warranted or reasonable. Insofar as direct service contracts with some interested stakeholder agencies are likely to be more cost-effective and provide many of the same benefits as a JPA, defining membership of a JPA is premature. As stated in responses to R2 and R3, there is uncertainty about how many County of Marin Response to Grand Jury Report Findings and Recommendations "Cyber Preparedness: Are We There Yet?" (May 17, 2024) municipalities would wish to join given cybersecurity upgrades and projects in their jurisdictions but the County will remain open to direct service contracts where viable.
F6
The current County Collective Bargaining Agreements prevent the Marin County Department of Information Systems & Technology from unilaterally negotiating managed service agreements (outsourcing work to third parties). Response: Agree Generally speaking, the County cannot unliterally outsource work within a class specification without completion of the parties' meet and confer obligations. Laws that govern labor relations; management; and union rights, terms, and conditions of represented employees, are also covered in collective bargaining agreements (CBAs). RESPONSE TO GRAND JURY RECOMMENDATIONS The Marin County Civil Grand Jury recommends that by December 31, 2024:
Related Recommendations (1)
R6
All Marin municipalities should: a) take all steps necessary to acquire an appropriate .gov or .ca.gov domain; b) formulate and adopt a plan for rolling out a .gov or .ca.gov website and emails by the start of the 2025-2026 Fiscal Year. This recommendation has been implemented. The County of Marin acquired the MarinCounty.gov domain in September 2022, and the conversion of County e-mail to MarinCounty.gov was completed in June 2024. The conversion of the County's web site is in progress and is expected to be complete by June 2025.

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.