Santa Barbara County Grand Jury • 2020-2021 • Agency Response
Response to: CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY

Santa Barbara, Ca*

Published: June 17, 2020 5 pages
View Original PDF

Findings and Recommendations 8 findings

F1
Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible. <b>Recommendation 1</b> That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. City of Santa Barbara Response Agree: this recommendation has been implemented. Since 2014, the City's Infrastructure Supervisor has been the primary individual responsible to oversee cyber security.
Related Recommendations (1)
R1
Page 1
That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. City of Santa Barbara Response Agree: this recommendation has been implemented. Since 2014, the City’s Infrastructure Supervisor has been the primary individual responsible to oversee cyber security.
F2
Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully understand the risks, security issues and costs associated with the destruction of systems or loss of data.
Related Recommendations (1)
R2
That each public entity within Santa Barbara County complete a full inventory of their data, electronic and communication systems and determine the related security risks. City of Santa Barbara Response Disagree Wholly (that this finding applies to the City of Santa Barbara): this recommendation has been partially implemented. State law mandates that all public agencies publish and annually update an Enterprise Systems Catalog on the agency's Please consider the environment before printing this letter. Santa Barbara County Grand Jury and Judge Michael J. Carrozzo City of Santa Barbara Response to Grand Jury Report Titled, Cyber-Attacks Threaten Santa Barbara County June 17, 2020 website. By complying with this mandate, the City does maintain an inventory of its electronic and communication systems pursuant to State law. The City does not however maintain a separate inventory of its data.
F3
Some public entities within Santa Barbara County do not have a written cyber security plan.
Related Recommendations (1)
R3
That each public entity within Santa Barbara County establish a written cyber security plan. City of Santa Barbara Response Disagree Wholly (that this finding applies to the City of Santa Barbara): this recommendation has been implemented. The City has in place, written Standard Operating Procedures for handling cyber security incidents.
F4
Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication.
Related Recommendations (1)
R4
That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. City of Santa Barbara Response Disagree Wholly (that this finding applies to the City of Santa Barbara): this recommendation has been implemented. The City has maintained a robust cybersecurity program for many years through the use of industry-standard firewall(s), and monitoring of the firewall by staff and third parties, staff training on cyber threats, and third-party penetration testing to identify and mitigate potential weaknesses.
F5
Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software.
Related Recommendations (4)
R5a
That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. City of Santa Barbara Response Agree: this recommendation has been implemented. The City has installed and maintained industry-standard anti-virus/malware software for approximately twenty-five (25) years. Updates and patches are installed regularly. Santa Barbara County Grand Jury and Judge Michael J. Carrozzo City of Santa Barbara Response to Grand Jury Report Titled, Cyber-Attacks Threaten Santa Barbara County June 17, 2020 <b>Recommendation 5b</b> That each public entity within Santa Barbara County install and update all operating software regularly. City of Santa Barbara Response Agree: this recommendation has been implemented. For at least fifteen (15) years, Information Technology staff routinely update and patch all operating system software on a routine basis, generally monthly or quarterly.
R5b
Page 3
That each public entity within Santa Barbara County install and update all operating software regularly. City of Santa Barbara Response Agree: this recommendation has been implemented. For at least fifteen (15) years, Information Technology staff routinely update and patch all operating system software on a routine basis, generally monthly or quarterly.
R5c
That each public entity within Santa Barbara County periodically train employees and then test their cyber security awareness. City of Santa Barbara Response Agree: this recommendation has been implemented. The City has fully followed this recommendation since 2018 with the implementation of a cybersecurity training program for City staff. Beyond formal training, the City also tests employee knowledge of common cybersecurity threats, such as email phishing schemes and sends the results of these tests to employees to further reinforce best practices.
R5d
That each public entity within Santa Barbara County periodically ensure electronic system-related contractors have been trained for cyber security awareness. City of Santa Barbara Response Agree: This recommendation will be implemented by having vendors certify that they have completed a cyber security awareness program with relevant contractors as part of the vendor account renewal process.
F6
If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. <b>Recommendation 6a</b> That each public entity within Santa Barbara County create and implement a full backup and recovery plan. City of Santa Barbara Response Agree: this recommendation has been implemented. The City has followed this
Related Recommendations (2)
R6a
Page 3
That each public entity within Santa Barbara County create and implement a full backup and recovery plan. City of Santa Barbara Response Agree: this recommendation has been implemented. The City has followed this recommendation for many years through the use and maintenance of a robust, redundant backup system. Santa Barbara County Grand Jury and Judge Michael J. Carrozzo City of Santa Barbara Response to Grand Jury Report Titled, Cyber-Attacks Threaten Santa Barbara County June 17, 2020
R6b
That each public entity within Santa Barbara County regularly update and test their backup and recovery plan. City of Santa Barbara Response Agree: this recommendation has been implemented. The City routinely evaluates and updates its backup and recovery systems. Moreover, the City employs a multi-layer backup system that essentially provides "back up of backups."
F7
Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. <b>Recommendation 7</b> That each public entity within Santa Barbara County secure adequate cyber insurance. City of Santa Barbara Response Disagree Wholly (that this finding applies to the City of Santa Barbara): this
Related Recommendations (1)
R7
Page 4
That each public entity within Santa Barbara County secure adequate cyber insurance. City of Santa Barbara Response Disagree Wholly (that this finding applies to the City of Santa Barbara): this recommendation has been implemented. The City has maintained cyber insurance since 2010.
F8
A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium.
Related Recommendations (1)
R8
That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. City of Santa Barbara Response Disagree Wholly (that this finding applies to the City of Santa Barbara): this recommendation has been implemented. The City allocates funding for cybersecurity infrastructure, monitoring, testing, and employee training in its annual budget. Moreover, the City is a member of the Multi-State Information Sharing and Analysis Center (MS- ISAC) consortium offered to all state, local, and tribal territories by the Cybersecurity and Infrastructure Security Agency (CISA) division of Homeland Security since 2017. Thank you for the opportunity to respond to the Grand Jury report and for your consideration of this response. Santa Barbara County Grand Jury and Judge Michael J. Carrozzo City of Santa Barbara Response to Grand Jury Report Titled, Cyber-Attacks Threaten Santa Barbara County June 17, 2020

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.