Extracted from Consolidated Report

This investigation was originally published as part of a larger consolidated report containing multiple investigations.

Santa Cruz County Grand Jury • 2023-2024

Cyber Threat Preparedness

90 pages

Findings and Recommendations 23 findings

F1 Page 49
Santa Cruz County does not have a Cybersecurity Plan, and the absence of a current plan that defines security policies, procedures, and controls required to protect its networks and devices increases the risk of vulnerabilities.
Related Recommendations (1)
R1
Page 49
Santa Cruz County should prepare and implement a Cybersecurity Plan, ensuring that city officials and all staff are well aware of the plan details, their responsibilities, and associated policies. (F1)
F2 Page 49
Santa Cruz County does not have a sufficiently detailed Incident Response Plan, indicating they would not be prepared to respond rapidly and effectively in the event of a cyber incident.
Related Recommendations (1)
R2
Page 49
, the county should revise and expand its Incident Response Plan to clearly delineate the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack. A detailed plan is a requirement for continuity of county operations in a cyber incident. (F2)
F3 Page 49
Santa Cruz County participates in multiple information sharing groups at regional and state levels, although it has only minimal interaction with the cities across Santa Cruz County, degrading their ability to fully understand regional vulnerabilities.
Related Recommendations (1)
R3
Page 49
The County’s information sharing efforts should be expanded to ensure fulsome information sharing across all government entities in the county, specifically Santa Cruz, Watsonville, Scotts Valley, and Capitola. A simple schedule of monthly meetings would permit regular sharing of possible threats, TTPs seen across the county, and information learned from outside organizations such as the Cal-CSIC. (F3)

Cyber Threat Preparedness published May 18, 2023 42 Santa Cruz County Civil Grand Jury
F4 Page 50
The City of Santa Cruz seems to have an adequate IT Department structure; however, in late 2022, 40 percent of its positions remained vacant, leaving them inadequately staffed to mitigate and respond to cyber attacks.
Related Recommendations (1)
R4
Page 50
The City of Santa Cruz should prioritize filling its vacant IT department positions by Fall 2023. The IT Department and the Human Resources (HR) Department should revise its position requirements, compensation packages, and recruiting priorities to enable the City to attract qualified personnel to these positions. (F4)
F5 Page 50
Inadequate staffing and high attrition have led to overworked staff and raise the risk of cyber vulnerabilities across its networks.
Related Recommendations (1)
R5
Page 50
By Fall 2023, Santa Cruz should identify and implement creative approaches to hiring and retention so they can maintain a fully staffed IT Department despite the competition with surrounding counties. The City should investigate potential partnerships with one or more of the 18 California colleges and universities with National Centers of Academic Excellence in Cybersecurity. (F5)
F6 Page 50
The City does not have an individual dedicated as the lead for cyber security, which could lead to inadequate preparation for and response to a cyber attack.
Related Recommendations (1)
R6
Page 50
By Fall 2023, the City of Santa Cruz should assign one individual responsible for cybersecurity. Adoption of a managed service provider arrangement will boost its security posture, although it does not eliminate the need for a dedicated security lead within the City’s IT Department. (F6)
F7 Page 50
The City of Santa Cruz does not have a Cybersecurity Policy, suggesting that preparations to mitigate a cyber attack are inadequate and not widely shared.
Related Recommendations (1)
R7
Page 50
or sooner, the City of Santa Cruz should develop and implement a Cybersecurity Plan that encompasses all aspects of information security. (F7)
F8 Page 50
The City of Santa Cruz does not have an Incident Response Plan, and this absence indicates that the City will be challenged in responding to a cyber attack, especially a ransomware attack.
Related Recommendations (1)
R8
Page 50
or sooner, the City should complete an Incident Response Plan with sufficient detail for city officials to use as a step-by-step guide in the event of a cyber incident. (F8)

Cyber Threat Preparedness published May 18, 2023 2022-2023 Consolidated Final Report with Responses 43
F9 Page 50
Santa Cruz participates in some information sharing organizations such as the California Municipal Information Services Association (MISAC), yet it has minimal collaboration within the county and the other cities, forfeiting opportunities to share best practices and understand threats.
Related Recommendations (1)
R9
Page 51
Once the IT Department has adequate staffing and , it should expand its participation in local and state information sharing groups to maintain current knowledge of the threat environment and emerging technologies. (F9)
F10 Page 51
After recently expanding its IT Department, the City of Watsonville has improved its IT functions although it does not yet allocate sufficient resources to cybersecurity.
Related Recommendations (1)
R10
Page 51
Watsonville should conduct an evaluation of its recently expanded IT Department, critical IT upgrades, and the status of cybersecurity measures. Based on this assessment, the City should allocate existing or newly identified resources to ensure cybersecurity is adequately addressed going forward. (F10)
F11 Page 51
The City does not have an individual whose primary responsibility is cybersecurity for the city networks, leaving cybersecurity oversight to the IT Director–along with a multitude of other IT responsibilities–and lowering the priority for cybersecurity measures.
Related Recommendations (1)
R11
Page 51
Given the size of Watsonville, the City should have a dedicated position for cybersecurity, to ensure adherence to best practices, mitigation of potential threats, and education of city staff and leadership. (F11)
F12 Page 51
Watsonville does not have a Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, a situation that increases the risks of vulnerabilities.
Related Recommendations (1)
R12
Page 51
By early 2024 or sooner, Watsonville should prepare and implement a Cybersecurity Plan that addresses all of the best practices for strong cyber hygiene. (F12)
F13 Page 51
Watsonville does not have an Incident Response Plan that provides detailed information on how to respond to an attack, suggesting the City would not be able to respond rapidly and effectively to a cyber attack.
Related Recommendations (1)
R13
Page 51
By early 2024 or sooner, Watsonville should prepare and implement an Incident Response Plan with sufficient detail to serve as a guide in the event of a cyber attack. (F13)
F14 Page 51
Watsonville participates in some regional information sharing forums, but it does not have the resources to expand its participation or tap into state-level information sharing, thus forfeiting valuable best practices and cyber threat information.
Related Recommendations (1)
R14
Page 51
Upon completion of IT structural upgrades and a higher level of cyber maturity, and , Watsonville should participate in local, regional, and state information sharing initiatives. (F14)
F15 Page 52
Although Scotts Valley’s managed service provider is very knowledgeable and capable of providing cybersecurity services, there is no single city official with cybersecurity oversight, potentially leading to a poor understanding of the threats and an inadequate response to a cyber attack.
Related Recommendations (1)
R15
Page 52
By mid-2023, Scotts Valley should assign a city official as the lead for cybersecurity for the city. This individual should oversee the contractor’s performance in cybersecurity and ensure city leaders are well informed on emerging threats, cybersecurity challenges, and information provided from regional and state entities. (F15)
F16 Page 52
Scotts Valley does not have a current Cybersecurity Plan that defines security policies, procedures, and controls required to protect its networks and devices, potentially increasing the risks of vulnerabilities.
Related Recommendations (1)
R16
Page 52
Working with its IT contractor, by Fall 2023, Scotts Valley should write and implement a Cybersecurity Plan that is shared with all city officials to demonstrate comprehensive security measures and executive-level cyber threat awareness. (F16)
F17 Page 52
Scotts Valley does not have a current Incident Response Plan, which could exacerbate the effects of a cyber incident, such as increasing the time a network is unavailable or raising the potential financial costs of a resolution.
Related Recommendations (1)
R17
Page 52
By Fall 2023, Scotts Valley should write an Incident Response Plan that clearly delineates the steps it will take in response to a cyber attack, the responsibilities of identified officials, and the coordination required with state and federal officials for each type and level of cyber attack. (F17)
F18 Page 52
Scotts Valley does not participate in any cybersecurity information sharing groups to enhance best practices; rather, they depend on their contractor to stay informed, which makes the City last to know of critical cyber threats.
Related Recommendations (1)
R18
Page 52
Scotts Valley should participate in local, regional, and state cybersecurity organizations for information sharing. (F18)
F19 Page 52
With one individual responsible for IT services, Capitola does not allocate sufficient resources to cybersecurity, a status that could lead to poor cyber knowledge and unnecessary vulnerabilities.
Related Recommendations (2)
R19
Page 53
By Fall 2023, Capitola should hire a full-time IT Director to replace the IT Director who departed in mid-2022. The IT Director should oversee and expand IT services, including those of the consulting company, and lead cybersecurity initiatives. (F19)
R24
Page 53
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F20 Page 52
The City of Capitola does not have a robust cybersecurity training program, nor does it conduct phishing tests or routinely remind employees to adhere to cybersecurity measures during potential periods of increased threats.
Related Recommendations (2)
R20
Page 53
The City should develop a more robust cybersecurity training and phishing testing program for all employees by Fall 2023 or earlier. (F20)
R24
Page 53
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F21 Page 53
The City of Capitola does not have a Cybersecurity Plan to address cybersecurity measures city wide, suggesting the city is not adequately mitigating the potential impact of cyber incidents.
Related Recommendations (2)
R21
Page 53
Capitola should establish and implement a Cybersecurity Plan. Several resources exist to provide a foundation or templates for these plans, including NIST Guidelines, CISA resources, and Cal-CSIC guidance. (F21)
R24
Page 53
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F22 Page 53
The City of Capitola does not have an Incident Response Plan, which could exacerbate the effects of a cyber incident, such as increasing the time a network is unavailable or raising the potential financial costs of a resolution.
Related Recommendations (2)
R22
Page 53
By Fall 2023, Capitola should prepare an Incident Response Plan that provides detailed guidance for a city response to a cyber attack. (F22)
R24
Page 53
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)
F23 Page 53
Capitola does not participate in any cyber-focused information sharing groups, nor does it take advantage of state and federal resources designed to assist small cities with mitigating cyber attacks, thereby forfeiting opportunities to learn best practices and raise their cyber awareness.
Related Recommendations (2)
R23
Page 53
When appropriately resourced to monitor cyber threats, and , Capitola should participate in regional cybersecurity information sharing groups, to gain valuable information to best protect the City. (F23)
R24
Page 53
By mid-2023, Capitola city management should raise the priority it assigns to cybersecurity and demonstrate a recognition of their role in ensuring the security of the City’s information networks. (F19–F23)