Santa Barbara County Grand Jury • 2022-2023 • Agency Response
Response to: Cybersecurity for School Districts in Santa Barbara County

Santa Barbara County school districts

Published: June 09, 2023 2 pages
Ver PDF original

Findings and Recommendations 5 findings

F1
Santa Barbara County school districts have not mandated formal cybersecurity training for school administrators, teachers, staff, and students. SBCEO response: “Santa Barbara County school districts” (of which there are 20 districts, plus 10 charter schools), each has a local superintendent and school board that determine the types of training it requires beyond what is required by law. The Santa Barbara County Education Office does not mandate formal cybersecurity training for districts over which they do not have jurisdiction. The Honorable Pauline Maxwell Christian McGrath, Foreman Keith Staub, Chair, Cities and Districts Committee Grand Jury Members
No recommendations for this finding
F2
Santa Barbara County school districts have not required the use of multi-factor authentication. SBCEO response: “Santa Barbara County school districts” locally determine their level(s) of security authentication.
No recommendations for this finding
F3
That some Santa Barbara County school districts are not adequately insured for losses arising from cybersecurity incidents, not insured for cybersecurity, or lack sufficient coverage limits. SBCEO response: Each “Santa Barbara County school district” makes local and independent decisions as to whether to carry cybersecurity incident insurance, and if so, how much.
No recommendations for this finding
F4
That the districts fail to report cyber-attacks. SBCEO response: Local districts report cyber attacks to various sources as are required by law, and are not required to report attacks to county offices of education. Entities to which a district may report: the school district’s insurance company, legal counsel, local law enforcement, the California Cybersecurity Integration Center, and notifications to those whose personally identifying information has been compromised.
No recommendations for this finding
F5
Although some district IT members meet from time to time to discuss recent cyber updates, problems, and problem resolution, attendance is voluntary and many rarely attend. SBCEO response: A district’s IT team and its members meet as required by their local administration. SBCEO convenes voluntary countywide IT meetings approximately 3 to 5 times per year. Thank you for the work you do on behalf of Santa Barbara County, and for your consideration of the 20 school districts and nearly 70,000 students throughout our county. We are grateful for your concern for preventing cybersecurity attacks and safeguarding our systems and sensitive data. Respectfully submitted, Dr. Susan Salcido Santa Barbara County Superintendent of Schools
No recommendations for this finding