Marin County Grand Jury
• 2024-2025
• Agency Response
Response to:
Cyberattacks: A Growing Threat to Marin Government
Mrafa the City with a July 16, 2024 The Honorable Mark Talamantes, Presiding Judge, Marin County Superior Court*
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 6 findings
F1
Contracts for Information Technology, Information Systems, and Cybersecurity services between third-party providers and Marin County governmental agencies should contain a Business Continuity clause, or other language, protecting that agency from a sudden cessation of services provided by the third-party provider. Response: Agree Utilizing a managed service provider for IT services requires an understanding that continuity of public services is critical for public safety and the maintenance of daily operations. Any cessation of agreements between an agency and IT provider should include thoughtful transition of responsibility to ensure services are not disrupted for the public. The City currently contracts with Xantrion Inc. for IT services and that agreement includes language confirming Xantrion's responsibilities during a cybersecurity incident and an agreement to provide sufficient efforts and cooperation to ensure an orderly and efficient transition of services to another service provider.
Related Recommendations (1)
R1
Marin agencies should require a current (executed within the last five years), competitively-bid, written contract which includes business continuity language for any third-party Information Technology services they use. The City has implemented this recommendation. The current agreement with the City of San Rafael and Xantrion Inc. includes language confirming Xantrion's responsibility and support in the case of a security incident and an agreement to provide sufficient efforts and cooperation to ensure an orderly and efficient transition of Services to Client or another service provider in the case of a termination of convenience. In addition, the City of San Rafael and Digital Service Team are developing a disaster recovery plan and policy that outlines roles, responsibilities, and procedures to ensure IT business continuity in the case of a disaster. The disaster recovery plan and plan and policy will be completed no later than October 2024. We will include language referring to business continuity and disaster recovery as part of the renewal of our agreement with Xantrion.
F2
Marin County municipalities should have current, written contracts with third-party providers of Information Technology, Information Systems, and Cybersecurity services, and should not continue to use those providers' services without a current contract. Response: Agree Cities and Counties rely upon IT services to maintain daily operations. Contracts are critical to protect Cities and Counties from risks and liabilities that may occur as part of the management of critical IT infrastructure. As noted in Finding 1, the City has a current agreement with Xantrion for IT services.
No recommendations for this finding
F3
Membership in insurance risk pools provides the benefits of cybersecurity assessments and audits, which highlight cybersecurity deficiencies and make suggestions for improvement. Response: Agree A potential cybersecurity attack could cost a municipality millions of dollars to remediate. Insurance risk pools help to mitigate the overall potential cost impact on a City to recover from an attack. The City participates in California Joint Powers Risk Management Association (CJPRMA) and cyber insurance coverage is a part of this membership. The pool also provides training around cybersecurity. Additionally, CJPRMA has suggested language to use in contracts to provide the City the best Cyber coverage when using third-party vendors. City of San Rafael Response to Grand Jury Findings and Recommendations SAN RAFA City of San Rafael Response to Grand Jury Report Findings and Recommendations "Cyber Preparedness: Are We There Yet?" May 17, 2024
No recommendations for this finding
F4
Having a completed, adopted and regularly updated cybersecurity plan helps ensure that all staff within a government agency are working together to optimize that organization's cyber preparedness and security. Response: Agree The City includes cybersecurity as part of its core IT service delivery model and annual work plan. These efforts include security for network infrastructure, desktops, mobile devices, users, internal processes, and disaster recovery. For example, this year, the City is developing a disaster recovery plan and policy that outlines roles, responsibilities, and procedures to ensure IT business continuity in the case of a disaster. Examples of how cybersecurity has been integrated into the City's IT service delivery and risk mitigation strategy include, but are not limited to: Requiring that anyone with access to the City network participate in regular cybersecurity • training, receive email updates on current and trending security threats, and regularly update their passwords. Using a managed service provider, Xantrion Inc. to monitor and respond to threats, provide network backups, and manage cybersecurity training. Requiring staff to participate in annual security training, including email updates on current threats, phishing simulations, and regular password changes. Using measures for email flagging, spam filtering, and regular backups of City files and servers. Requiring multi-factor authentication for City staff with access to City networks and documents. Central management of IT infrastructure equipment to ensure that all equipment is properly configured and maintained. Ensuring that Digital Service staff are engaged in the procurement and risk assessment • of new applications. Conducting ongoing firewall and network server maintenance. Maintaining Department of Justice-compliant network connectivity to serve our Police . Department and reporting any known breaches to federal authorities. Participating in Digital Marin and the Marin Information Security Collaborative (MISC) to share best practices around cybersecurity. Maintaining cyber insurance coverage through participation with CJPRMA. Deployment of Mobile Device Management (MDM) for public safety devices. Adoption of a Disaster Recovery Environment for rapid recovery of any compromised data following a cybersecurity incident or disaster. Deployment of a Security Information and Event Management (SIEM) system to help combat cyber threats by providing key threat-detection capabilities, real-time reporting, compliance tools, and long-term log analysis.
No recommendations for this finding
F5
Joint Powers Authorities in Marin County exist to provide more efficient and cost- effective services to the people of Marin. Response: Agree City of San Rafael Response to Grand Jury Findings and Recommendations H RAF City of San Rafael Response to Grand Jury Report Findings and Recommendations "Cyber Preparedness: Are We There Yet?" May 17, 2024 Marin County jurisdictions have relied on JPAs to develop shared services that benefit residents of the County. Smaller towns in Marin County generally have less resources dedicated to IT and cybersecurity and may benefit from a resource that provides mutual support for cybersecurity.
No recommendations for this finding
F6
The current County Collective Bargaining Agreements prevent the Marin County Department of Information Systems & Technology from unilaterally negotiating managed service agreements (outsourcing work to third parties). Response: Partially Disagree It is not within the City of San Rafael's realm of responsibility to agree or disagree with this finding. The County's collective bargaining agreements are the responsibility of the County of Marin. RESPONSE TO GRAND JURY RECOMMENDATIONS
Related Recommendations (1)
R6
(a) All Marin municipalities should: a) take all steps necessary to acquire an appropriate .gov or .ca.gov domain. The City will implement this recommendation On October 8, 2023, the California Assembly passed AB1637 which requires municipalities to move .gov or .ca.gov domains no later than 2029. The City of San Rafael will acquire a domain name and will migrate to the .gov domain prior to the 2029 deadline.
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.