Contra Costa County Grand Jury • 2020-2021 • Agency Response
Response to: Cyber Attack Preparedness in Contra Costa County

Recommendation(s):*

Published: February 08, 2022 6 pages
View Original PDF

Findings and Recommendations 11 findings

F1
County IT Departments are chronically understaffed.
Related Recommendations (1)
R1
The Board of Supervisors direct the County Chief Information Officer by December 2022 to create a talent pool within Department of Information Technology (DoIT) that includes cyber security experts to relieve chronic staffing shortages in all Information Technology departments.
F2
Obsolete equipment poses a vulnerability threat to County Information Technology Security.
Related Recommendations (1)
R2
The Board of Supervisors direct the County Administrator by June 2022 to require all Information Technology departments to forbid use of personal devices on and with County computers (e.g., personal thumb drives).
F3
Some County Information Technology Departments do not have time to conduct software and hardware updates, and vulnerability scans which are critical for cyber security because of understaffing.
Related Recommendations (1)
R3
The Board of Supervisors direct the County Administrator by June 2022 to require the installation of software on all County computers that can scan for threats and viruses on any device attached to them.
F4
Some County departments with small Information Technology staffs do not have specialized cyber security personnel.
Related Recommendations (1)
R4
The Board of Supervisors direct the County Administrator by June 2022 to authorize DoIT to require system vulnerability testing on all County computer systems. {\it R4\ response}. \ The {\it respondent\ agrees\ with\ this\ recommendation}. The Chief Information Officer, Chief Information Security Officer, and Information Technology Executive Advisory Committee will work with County Administrator to adopt policy that requires this control. Vulnerability testing is, and will continue to be, conducted on a risk basis. This is in alignment with the County's Information Security Strategy.
F5
Cyber security training is performed on an inconsistent basis in some County departments.
Related Recommendations (1)
R5
The Board of Supervisors direct the County Administrator by June 2022 to require all county employees to complete annual cyber security awareness training.
F6
County employees and contractors use personal storage devices (e.g., flash drives) on County computers.
Related Recommendations (1)
R6
The Board of Supervisors direct the County Administrator by June 2022 to have DolT ensure mandatory updates are performed on all systems for all software applications.
F7
The use of personal devices makes County computers vulnerable to denial of service, data breaches or other cyber-attacks.
Related Recommendations (1)
R7
The Board of Supervisors direct the County Administrator by December 2022 to have all County departments identify and replace obsolete Information Technology hardware.
F8
Information Technology expenditures and budgets in County departments are not transparently reported so it is difficult to identify redundant and duplicative Information Technology expenditures.
Related Recommendations (1)
R8
The Board of Supervisors direct the County Administrator by June 2022 to require County departments \ to \ identify \ their \ planned \ IT \ spending \ in \ their \ overall \ budgets \ for \ transparency.
F9
Decentralized Information Technology structures increase vulnerability to cyber-attacks.
No recommendations for this finding
F10
The County's Information Technology structure is decentralized.
No recommendations for this finding
F11
Based on interviews, Contra Costa County is at a disadvantage to hire Information Technology staff with cyber security expertise due to increased compensation and perks offered by some private enterprises.
No recommendations for this finding

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.