San Joaquin County Grand Jury
• 2021-2022
• Agency Response
The City of Lathrop does not employ multi- factor authentication universally, leaving City systems more vulnerable to*
⚠️ Aviso de traducción: Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 1 findings
F3
2 and Recommendation R3.2 because by definition, publicly available Wi-Fi is inherently "unsecured", although this designation is a misnomer because it eludes to an idea that publicly available Wi-Fi can either be secured or unsecured, and that unsecured is less "safe" or more "risky" than secured. Neither are the case. An "unsecured network" only means that such Wi-Fi is publicly available for anyone to use. Wi-Fi networks, either secured or unsecured, cannot merge end-users between those networks. Secured and unsecured networks, and the end-users utilizing either, remain completely isolated from one another; it would be unfeasible for someone with access to only an unsecured Wi-Fi network to also have the ability to gain access to a separate, secured Wi-Fi network. The commonly perpetuated idea of "risk" associated with the use of an unsecured Wi-Fi network incorrectly shapes such "risk" as something that happens upon an end-user regardless of their use of the unsecured Wi-Fi network, when in reality, risk can develop and potentially increases the more limited an end-user's understanding of how their digital presence on the internet affects their vulnerability and security. End-users should be encouraged to utilize personal checks and balances to verify the Wi-Fi networks they choose to connect to are verifiable and reputable, that their presence on the internet is not made easily available to be tracked by others, and that they are visiting legitimate websites, in order to further maintain security of their personal data and information. Publicly available Wi-Fi is a critical asset to cities around the country. Publicly available Wi-Fi provides the public the opportunity to connect to critical and important information equitably and provides a consistent source of access to such information, promoting economic inclusion within the community. The City of Lathrop currently hosts an unsecured public Wi-Fi network entitled "City of Lathrop Guest Cloud 1" and end-users who connect to this network to access the internet must agree to the terms and conditions of its use, and which the public is only able to remain connected to for time increments of thirty (30) minute, between 7am and 7pm, seven (7) days per week. Grand Jury Finding F3.3: "The City of Lathrop does not have an approved Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event." Grand Jury Recommendation R3.3: "By January 1, 2023, the Lathrop City Council, in conjunction with the City's IT department, develop, adopt and implement a Business Continuity Plan." City Council Response: The City of Lathrop has an unwritten Business Continuity Plan but not a written one. The City of Lathrop City Council agrees with Grand Jury Finding F3.3 and Recommendation R3.3 and documentation is anticipated to be complete by January of 2023. Grand Jury Finding F3.4: "The City of Lathrop does not have a formal internal policy or procedure to address ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of such an attack," Grand Jury Recommendation R3.4: "By November 1, 2022, the Lathrop City Council, in conjunction with the City's IT department, develop, adopt and implement a formal internal policy and procedure for a ransomware attack." City Council Response: The City of Lathrop has an unwritten, internal procedure to address ransomware attacks and, in addition to such, has hired a consultant whom will assist the City in development and implementation of a formal written policy for procedures to address ransomware attacks. The City of Lathrop City Council agrees with Grand Jury Finding F3.4 and Recommendation R3.4 and anticipates documentation will be complete by January of 2023. Grand Jury Finding F3.5: "The City of Lathrop does not have an insurance policy covering financial losses from a cyberattack, possibly exposing City financial resources." Grand Jury Recommendation R3.5: "By January 1, 2023, the Lathrop City Council, in conjunction with the City's IT department, obtain an insurance policy to mitigate fiscal impact resulting from cyberattack or other critical information system loss." City Council Response: The City of Lathrop City Council partially agrees with Grand Jury Finding F3.5 and Recommendation R3.5 and would like to further clarify that staff confirmed that the City of Lathrop does in fact have cybersecurity insurance coverage, and is currently in discussions with Risk Management to enhance said coverage. Respectfully submitted, Salvador V. Navarrete City Attorney SVN/trb Cc: Trisa Martinez at [email protected]
Related Recommendations (1)
R3
4 and anticipates documentation will be complete by January of 2023. Grand Jury Finding F3.5: "The City of Lathrop does not have an insurance policy covering financial losses from a cyberattack, possibly exposing City financial resources." Grand Jury Recommendation R3.5: "By January 1, 2023, the Lathrop City Council, in conjunction with the City's IT department, obtain an insurance policy to mitigate fiscal impact resulting from cyberattack or other critical information system loss." City Council Response: The City of Lathrop City Council partially agrees with Grand Jury Finding F3.5 and Recommendation R3.5 and would like to further clarify that staff confirmed that the City of Lathrop does in fact have cybersecurity insurance coverage, and is currently in discussions with Risk Management to enhance said coverage. Respectfully submitted, Salvador V. Navarrete City Attorney SVN/trb Cc: Trisa Martinez at [email protected]
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.