Marin County Grand Jury
• 2024-2025
• Agency Response
Response to:
Cyberattacks: A Growing Threat to Marin Government
The Town of Corte Madera Lucy Dilworth, Foreperson Marin County California Marin County Civil Grand Jury*
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 8 findings
F3
Transparency is lacking regarding cybersecurity because past breaches have not been publicly disclosed, and city and town councils have not facilitated public discussion of cybersecurity issues. Agree. The Town of Corte Madera has not experienced a security breach that would require public disclosure. But the Town will facilitate a public discussion on cybersecurity attacks and issues.
No recommendations for this finding
F4
Most elected officials in Marin's cities and towns are not sufficiently engaged in ensuring robust cybersecurity policies and procedures are in place. Disagree partially. This is a general statement concerning "most" elected officials in Marin cities and towns. The Town of Corte Madera will not comment on the findings asserting practices of other cities and towns. Therefore, the Town cannot agree with the portions of the finding concerning other municipalities. The Town Council at its 2020 priority setting workshop discussed cybersecurity concerns and made this issue a top priority for the upcoming 2020/2021 workplan.
Related Recommendations (1)
R4
Starting in fiscal year 2020–2021, the county board of supervisors and the city and town councils should request their managers report, at least annually, regarding their cybersecurity profile and any measures being taken to improve it. This recommendation will be implemented in the future. The Town of Corte Madera is in the process of implementing a Technology Master Plan and will report progress in implementing the plan (including cybersecurity measures) as part of the FY 2020-2021 Town Council workplan. This report will include an annual report recommendation.
F5
County and municipal officials and managers have been generally unaware of breaches that have occurred outside their own agencies in Marin and therefore have not felt the need to collaborate on measures to improve cybersecurity. Disagree partially. The Town of Corte Madera has not consistently been made aware of breaches outside of our agency. However, issues of cybersecurity have been discussed by the Marin Managers Association.
Related Recommendations (1)
R5
Starting in fiscal year 2020–2021, the county, cities, and towns should convene periodic discussions, at least annually, in a public forum such as a board or council meeting, regarding the importance of good cybersecurity practices for our government, residents, and other organizations. This recommendation will be implemented in the future. Starting in October 2020, the County of Marin will host an NCSAM event that is open to members of the public to facilitate a discussion on cybersecurity. As a member of the recently formed Marin Information Security Collaboration (MISC), Corte Madera will help promote this event to our residents and organizations.
F6
Municipalities have been lax in following FBI guidance that cybersecurity breaches be reported to federal law enforcement. Disagree. The Town of Corte Madera has not experienced a cybersecurity breach that would have been required to be reported to federal law enforcement. The Town will not comment on findings concerning other cities and towns. Therefore, the Town of Corte Madera cannot agree with the portions of the finding concerning other municipalities.
Related Recommendations (1)
R6
The county and each city and town should adopt a policy to report to federal law enforcement any cybersecurity intrusion that results in financial fraud or unauthorized disclosure of information and make that intrusion public. This recommendation will be implemented in the future. The Town of Corte Madera has not had any recent cybersecurity breaches, financial fraud, or unauthorized disclosure of information that have required the reporting to federal law enforcement. If the Town were to become victim to any of the above attacks staff would work closely with all law enforcement personnel, including federal law enforcement, as required to properly respond to the threat. The County of Marin has access to existing security policy templates that have been developed in collaboration with the California Counties Information Services Directors Association (CCISDA) Information Security Council (ISC). These templates will be shared with the members of the recently formed Marin Information Security Collaboration (MISC) and will be considered for updates to the Town's own security policies.
F7
Marin's cities and towns have not made a concerted effort to standardize around a common set of best practices with respect to cybersecurity. Agree. The Town of Corte Madera agrees more can be done to share cybersecurity best practices. While the strategy and approach to cybersecurity in Marin cities and towns have not been standardized amongst all jurisdictions. The Town will work with the recently formed Marin Information Security Collaboration (MISC) between Marin County regional agencies to develop and share best practices for cybersecurity.
Related Recommendations (1)
R7
of the date of this report, cities and towns should implement the first four practices described in the Best Practices section of this report, regarding mandatory user training, email flagging and filtering, password management, and backup. These Recommendations have been implemented: Daily backup, email flagging and filtering, Employee training and password management, employees receive routine training and examples of recent phishing attempts and fraudulent emails. Best practices regarding sending sensitive information is routinely discussed at staff meetings and all hands employee meetings. Password management, including two-factor authentication, is used for some programs. The Town of Corte Madera under the FY 2020/2021 workplan is discussing additional staff training and formalized password management practices with its IT services provider of this report. This may require further analysis or be implemented immediately once discussed.
F8
The Marin County Council of Mayors & Councilmembers has not made cybersecurity a priority, which has minimized the awareness and engagement of elected officials in cybersecurity matters. Agree. However, individual Councils and/or Councilmembers may be aware and engaged in cybersecurity. The Town of Corte Madera will not comment on the findings asserting practices of other cities and towns. Therefore, the Town cannot agree with the portions of the finding concerning other municipalities. The Town Council has made cybersecurity a priority for the 2020/2021 workplan and is committed to working with the Marin County Council of Mayors & Councilmembers to do same.
Related Recommendations (1)
R8
In fiscal year 2020–2021, cities and towns should complete an analysis of the feasibility of implementing the remainder of the practices described in the Best Practices section of this report. These recommendations have been implemented: Automated malware detection and removal, firewalls, and monitoring systems. These recommendations have been partially implemented and require further analysis: Use of expert resources and hardware and patching, management of mobile devices, documentation, vulnerability assessments. Staff is working with the Town's IT Consultant to implement these practices as part of the Town Council FY 2020/2021 workplan.
F9
The Marin Managers Association has not done enough to facilitate the sharing of cybersecurity information and resources among its members. Disagree. In December 2019, the City of San Rafael made a presentation to the Marin Managers Association about a recent overhaul of IT service delivery model, including cybersecurity. Their presentation included a consultant they hired to conduct an assessment of their service model and the president of the company who manages their cybersecurity.
Related Recommendations (1)
R9
In fiscal year 2020–2021, cities and towns should, through the Marin Managers Association, complete an analysis of the feasibility of contracting with a cybersecurity expert to be available to cities and towns on a shared basis, in order to raise the overall level of cybersecurity in Marin's cities and towns. This recommendation will be implemented in the future. The Corte Madera Town Manager will work with the Marin Managers Association to add the consideration of hiring a cybersecurity firm to the list of potential shared services that is currently in development. Date: 8/18/20 Signed:_ Eli Beckman, Mayor
F10
Various low-cost best practices exist that could, if implemented, significantly improve the cybersecurity posture of Marin's cities and towns. Agree.
No recommendations for this finding
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.