Extracted from Consolidated Report

This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.

San Joaquin County Grand Jury • 2022-2023

Section 4: Follow-up Illegal Dumping: Talking Trash

Published: December 01, 2022 74 pages

Note: Missing finding numbers detected: F2

Findings 2 findings

F1.1 Page 174
, F1.2, and Recommendations R1.1, R1.2, and R1.3. The San Joaquin County Board of Supervisors is required to respond to: Findings F2.1 and Recommendation R2.1.

Mail or hand deliver a hard copy of the response to:

Honorable Michael D. Coughlan, Presiding Judge
San Joaquin County Superior Court
180 E. Weber Ave., Suite 1306J
Stockton, California 95202

Also, please email a copy of the response to Mr. Irving Jimenez, Judicial Secretary to the Grand Jury, at grandjury@sjcourts.org.

Follow-up Report to the 2021-2022 San Joaquin County Grand Jury

Stockton Unified School District Board of Education: A Failing Grade in Public Trust

Case #0121

Preface

This report contains the responses to the 2021-2022 San Joaquin County Civil Grand Jury report regarding Stockton Unified School District. This follow-up report focuses on the 2021-2022 Grand Jury findings and recommendations and the Stockton Unified School District responses, which are presented verbatim in this report. The 2022-2023 Grand Jury reviewed the agency responses to those recommendations. The Grand Jury’s follow-up conclusions are presented after the agency responses. Discussions, findings, and recommendations from the 2022-2023 Grand Jury are in text boxes framed in black. Complete copies of the original report and the agency’s responses may be found on the San Joaquin County Grand Jury website at https://www.sjcourts.org/grandjury/.

Summary

Over the past two years, the San Joaquin County Civil Grand Jury has conducted two separate investigations of Stockton Unified School District (SUSD) spanning topics from Superintendent turnover to fiscal mismanagement. While many circumstances have changed over the past two years, one thing has remained the same: the SUSD Board of Trustees.
The November 2022 election has changed the current majority of the Board; nonetheless, the 2022-2023 Civil Grand Jury maintained a keen eye on Stockton Unified School District, especially with respect to SUSD’s response to Case #0121 – A Failing Grade in Public Trust.

The San Joaquin County Civil Grand Jury is constitutionally established as a branch of the California Superior Court. The rules and regulations for the Grand Jury proceedings and for those who must reply to recommendations are long established by statutory law. These regulations are mainly found in the California Penal Code. In reply to the 2021-2022 Grand Jury report issued in July 2022, the SUSD Trustees either inadvertently or deliberately failed to follow the law in some responses. The supplemental responses are listed after the initial agency response in this follow-up report.

Method of Follow-up Investigation

The 2022-2023 Grand Jury:
• attended SUSD Board meetings,
• conducted follow-up interviews,
• requested documents that were germane to Case #0121,
• reviewed Board agendas, and
• reviewed Board videos.

Materials Reviewed

• Board meetings.
• Board minutes.
• Document requests.
• Interviews.
• Media reports.

Findings, Recommendations, Agency Responses, and Grand Jury Conclusions

1.0 Finance

2021-2022 Grand Jury Finding F1.1.1 Stockton Unified School District does not utilize financial software that aligns with the San Joaquin County Office of Education software, making analysis and review by the San Joaquin County Office of Education difficult.

Agency Response: The District recognizes the importance of its financial software and of its compatibility with the software utilized by the San Joaquin County Office of Education.

2021-2022 Grand Jury Finding F1.1.2 Stockton Unified School District Business Services staff lacks necessary training and guidance to execute complex District business needs, resulting in the need to hire outside consultants at an increased cost to the District.
Agency Response: The District disagrees with this finding. There are many excellent administrators and staff in the District’s Business Services Department, and these employees undergo regular and consistent training. Nevertheless, it has been necessary to retain the services of outside consultants to augment these services, particularly in light of recent personnel vacancies and shortages, but the Board disagrees that doing so reflects a lack of staff training.

2021-2022 Grand Jury Finding F1.1.3 The current Chief Business Officer was hired without following Board Policy 4211, creating an appearance of partiality and creating diminished internal and external confidence.

Agency Response: In hiring its prior Chief Business Officer, although the District engaged in an expedited process in order to fill the vacancy as soon as possible, the District complied with the basic principles set forth in Board Policy 4211, including that “there will be no unlawful discrimination in selection.”

2021-2022 Grand Jury Recommendation R1.1.1 By January 1, 2023, the Stockton Unified School District Board of Trustees direct the Superintendent to assess the current financial software to be compatible with the San Joaquin County Office of Education software.

Agency Response: On August 9, 2022, the Board of Trustees complied with this
F3.5 Page 205
and Recommendation R3.5 and would like to further clarify that staff confirmed that the city of Lathrop does in fact have cybersecurity insurance coverage, and is currently in discussions with Risk Management to enhance said coverage.

The 2022-2023 Grand Jury determined to take no further action.

4.0 City of Lodi

2021-2022 Grand Jury Finding F4.1: The City of Lodi does not have an approved Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event.

Agency Response: Lodi agrees with this finding. However, Lodi was already on track to complete a BCP before this investigation began and will have one in place by the end of June 2023.

2021-2022 Grand Jury Finding F4.2: The City of Lodi has implemented an excellent cyber awareness training program for all employees minimizing risk to damage from cyberattack.

Agency Response: Lodi agrees with this finding.

2021-2022 Grand Jury Recommendation R4.1: By January 1, 2023, the Lodi City Council, in conjunction with the City’s IT division, develop, adopt and implement a Business Continuity Plan.

Agency Response: Lodi will adopt a Business Continuity plan by the recommended date. The City of Lodi agrees to comply by July 1, 2023.

5.0 City of Manteca

2021-2022 Grand Jury Finding F5.1: The City of Manteca has an Information Technology Security Policy which has not been updated since 2010, leaving the City relatively unprepared for a cyber event.

Agency Response: The City agrees with this finding in part; while the City’s policy has not been updated since 2010, the City has undertaken other security measures and trainings to stave off a cyber-event.

2021-2022 Grand Jury Finding F5.2: The City of Manteca lacks a policy and procedure for ransomware attacks. This absence of policy could cause confusion, delay, and greater loss of security in the event of such an attack.
Agency Response: The City agrees with this finding in part; though the City does not have a formal policy, IT staff is trained and capable to deal with a cyber-event.

2021-2022 Grand Jury Finding F5.3: The City of Manteca has a significant number of security devices with single power supplies. This lack of redundant power presents vulnerability in major or prolonged power outages.

Agency Response: The City agrees with this finding.

2021-2022 Grand Jury Recommendation R5.1: By January 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, develop, approve, and implement an updated Information Technology Security Policy.

Agency Response: This recommendation will be completed by January 1, 2023.

2021-2022 Grand Jury Finding F5.1: The City of Manteca has an information technology security policy that has not been updated since 2010, leaving the City relatively unprepared for a cyber event. The 2022-2023 Grand Jury’s request for confirmation of action taken has not been answered.

The 2022-2023 Grand Jury Recommendation 1.0: By October 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, develop, approve, and implement an updated Information Technology Security Policy and forward the approved policy to the 2023-2024 San Joaquin County Civil Grand Jury.

2021-2022 Grand Jury Recommendation R5.2: By January 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, develop, approve, and implement a confidential policy and procedure for response to a ransomware attack.

Agency Response: The City will implement this recommendation on or before March 1, 2023.

2021-2022 Grand Jury Finding F5.2: The City of Manteca lacks a policy and procedure for ransomware attacks. This absence of policy could cause confusion, delay, and greater loss of security in the event of such an attack. The 2022-2023 Grand Jury’s request for confirmation of action taken has not been answered.
The 2022-2023 Grand Jury Recommendation R1.1: By October 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, develop, approve, and implement a confidential policy and procedure for responding to a ransomware attack and forward the approved policy to the 2023-2024 San Joaquin County Civil Grand Jury.

2021-2022 Grand Jury Recommendation R5.3: By March 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, develop, approve and adopt an updated timeline to replace single-powered units with dual-powered or redundant-powered units in their network architecture.

Agency Response: All critical network architecture have been updated with redundant-powered units.

2021-2022 Grand Jury Finding F5.3: The City of Manteca has a significant number of security devices with single power supplies. This lack of redundant power presents vulnerability in major or prolonged power outages. The 2022-2023 Grand Jury’s request for confirmation of action taken has not been answered.

The 2022-2023 Grand Jury Recommendation R1.2: By October 1, 2023, the Manteca City Council, in conjunction with the City’s ISD, provide confirmation of the completion of the replacement of single-powered units with dual-powered or redundant-powered units in their network architecture and forward the confirmation to the 2023-2024 San Joaquin County Civil Grand Jury.

6.0 City of Ripon

2021-2022 Grand Jury Finding F6.1: It is unclear in the City of Ripon’s Organization Chart where responsibilities for IT and IT security lie, creating confusion over who is responsible to act in a disruptive event.

Agency Response: The City of Ripon respectfully disagrees with this finding for the reasons set forth below. The IT Department is organized into Information Technology Technician level I and II, with the tier II technician reporting directly to the Lieutenant of the Ripon Police Department.
The Police Department’s organizational chart (sic) depicts the relationship between the two IT positions and the Lieutenant. In a disruptive event it is clear that the technicians within the IT Department, as well as all identified vendors and contractors, respond to, preserve and reinstate functions as the City of Ripon, under the supervision of the Lieutenant. At this time, both Information Technology Technician positions are filled and both employees have been fully briefed as to the organizational structure.

2021-2022 Grand Jury Finding F6.2 The City of Ripon has a rudimentary network diagram outlining the City’s router and firewall relationship with networks used, but the diagram lacks detail, leaving uncertainty about data security.

Agency Response: The City of Ripon respectfully disagrees with the finding. The City of Ripon has contracted with Waypoint Network Solutions for the last 15 years to assist in creating very detailed diagrams of network structure including documentation on router and firewall settings. Both of the City’s Information Technology technicians understand these diagrams and work with Waypoint Network Solutions as updates are periodically needed when improvements are made to increase the security of the City’s network.

2021-2022 Grand Jury Finding F6.3: Although the City of Ripon met expectations in the areas of data confidentiality and security, lack of IT staff and leadership leaves these areas vulnerable to cyberattack.

Agency Response: The City of Ripon has addressed this Finding as to staffing following the information-gathering phase of the Report. The City of Ripon has created a second full time position as part of the Fiscal year 2022-2023 budget. The City has filled both full-time positions since the completion of the information-gathering phase. The City of Ripon respectfully disagrees with the finding regarding lack of leadership.
The IT team leader reports directly to the Lieutenant of the Ripon Police Department for status updates and administrative decisions.

2021-2022 Grand Jury Finding F6.4: The City of Ripon lacks a Business Continuity Plan, rendering the City relatively unprepared to restore essential services in a disruptive event.

Agency Response: The City of Ripon has addressed this finding following the information-gathering phase of this Report. The City of Ripon has drafted a formal plan for business continuity as part of the City’s Network Security Plan (sic) that was approved by the City Council on December 13, 2022.

2021-2022 Grand Jury Finding F6.5: The City of Ripon does not have a Disaster Preparedness Plan, leaving the City at risk for significant delay and cost to restore IT systems in the event of a disaster.

Agency Response: The City of Ripon has addressed this finding following the information-gathering phase of this Report. Many of the disaster response measures were already in place prior to the information-gathering phase. To avoid the confusion of utilizing multiple plans in the event of a ransomware attack, the City of Ripon has drafted the elements of the disaster preparedness plan as part of the City’s Network Security Plan.

2021-2022 Grand Jury Finding F6.6: The City of Ripon does not have a formal policy or procedure to address ransomware attacks. This absence of policy could cause confusion, delay and greater loss of security in the event of an attack.

Agency Response: The City of Ripon has addressed this finding following the information-gathering phase of this Report. Many of the measures to address a ransomware attack were already in place prior to the information-gathering phase. To avoid the confusion of utilizing multiple plans in the event of a ransomware attack, the City of Ripon has incorporated the elements of the ransomware attack response as part of the Network Security Plan.
2021-2022 Grand Jury Recommendation R6.1: By January 1, 2023, the Ripon City Council develop and make public an updated City Organizational chart showing details of the City’s IT functions, including all IT positions.

Agency Response: The City of Ripon has updated its organizational chart to show the changes made to our current staff positions (sic).

The 2022-2023 Grand Jury determined to take no further action.

2021-2022 Grand Jury Recommendation R6.2: By January 1, 2023, the Ripon City Council develop and adopt a detailed Network Diagram to decrease security vulnerabilities.

Agency Response: The City of Ripon already has developed and adopted highly detailed network diagrams that are kept confidential and secure internally. The City of Ripon recognizes the importance of maintaining network documentation and will continually maintain its network documentation consistent with the Grand Jury’s recommendation.

The 2022-2023 Grand Jury determined to take no further action.

2021-2022 Grand Jury Recommendation R6.3: By January 1, 2023, the Ripon City Council obtain a third-party security review of the City’s IT department assets, positions, and policies and an evaluation of data confidentiality, security systems and protocols.

Agency Response: The City of Ripon has obtained the third-party firm “Resolute Guard” to perform an independent review of the City’s IT department assets, which has been completed. The City of Ripon’s IT department has incorporated the recommendations of this third-party review into the operations of the IT department, consistent with the Grand Jury’s findings.

The 2022-2023 Grand Jury determined to take no further action.

2021-2022 Grand Jury Recommendation R6.4: By January 1, 2023, the Ripon City Council develop, adopt and implement a formal Business Continuity Plan.
Agency Response: The City of Ripon has conducted an internal review of its network and developed the elements of the business continuity plan as part of the City’s Network Security Plan that is accessible to the IT department and relevant Response Team Members. This plan was adopted by the City Council on December 13, 2022 and will be continually reviewed and updated to stay current and effective with evolving technologies.

The 2022-2023 Grand Jury determined to take no further action.

2021-2022 Grand Jury Recommendation R6.5: By January 1, 2023, the Ripon City Council develop, adopt and implement a formal Disaster Preparedness Plan for IT functions.

Agency Response: The City of Ripon has conducted an internal review of its network and incorporated the elements of the Disaster Preparedness Plan as part of the City’s Network Security Plan previously described.

The 2022-2023 Grand Jury determined to take no further action.

2021-2022 Grand Jury Recommendation R6.6: By January 1, 2023, the Ripon City Council develop, adopt, and implement a formal internal policy and procedure for response to a ransomware attack.

Agency Response: The City of Ripon has conducted an internal review of its network and incorporated the elements of responding to a ransomware attack as part of the City’s Network Security Plan previously described.

The 2022-2023 Grand Jury determined to take no further action.

7.0 City of Stockton

2021-2022 Grand Jury Finding F7.1: The City of Stockton does not have a formal internal policy concerning payments or procedures in ransomware attacks. This absence of policy could cause confusion, delay, and greater loss of security in the event of an attack.

Agency Response: The City agrees with this finding.

2021-2022 Grand Jury Finding F7.2: The City of Stockton has a large IT Department which places cybersecurity and disaster preparedness at a high priority, minimizing risk to the City’s information and service systems.
Agency Response: The City agrees with this finding.

2021-2022 Grand Jury Recommendation R7.1: By November 1, 2022, the Stockton City Council, in conjunction with the City’s IT department, develop, adopt, and implement a formal internal policy and procedure for response to a ransomware attack.

Agency Response: A formal internal policy and procedure for response to a ransomware attack was approved by the City Manager on September 1, 2022, and presented to the City Council at its September 13, 2022 public meeting (sic).

The 2022-2023 Grand Jury determined to take no further action.

8.0 City of Tracy

2021-2022 Grand Jury Finding F8.1: Lacking a requirement for encryption of thumb drives used on City devices exposes the City of Tracy to potential data theft and contamination.

2021-2022 Grand Jury Recommendation R8.1: By November 1, 2022, the Tracy City Council, in conjunction with the IT division, develop, adopt, and implement a policy requiring encryption of thumb drives used on City devices.

Agency Response: IT has developed a draft policy to require encrypted thumb drives which will be routed through HR for official adoption. For the implementation of administrative policies such as the one for the encryption of thumb drives, the City of Tracy's procedures require that these draft policies be routed to the various bargaining units for approval. The draft IT policy is currently being circulated to these units and should be ready for adoption shortly. While we strive to remove technological barriers that encourage removable storage use, we recognize special situations exist that require it. Once the new policy is rolled out all thumb drives used for City data or on City-owned devices will be required by the policy to be encrypted.

The 2022-2023 Grand Jury determined to take no further action.
2021-2022 Grand Jury Finding F8.2: The City of Tracy lacks a completed Business Continuity Plan, rendering Tracy relatively unprepared to restore essential services in a disruptive event.

2021-2022 Grand Jury Recommendation R8.2: By January 1, 2023, the Tracy City Council, in conjunction with the IT division, develop, adopt and implement a formal Business Continuity Plan.

Agency Response: Human Resources coordinated with a consultant and management from each department to draft a Business Continuity Plan to be finalized as an Annex to the City of Tracy Emergency Management Plan. The South San Joaquin County Fire Authority has contracted services to prepare the draft Emergency Management Plan which is anticipated to be finalized in the fall of 2022. The IT Manager had several meetings with the consultant to summarize the business continuity plan for the information technology needs of the organization. The IT department is aware of the lack of an IT-specific Disaster Recovery/Business continuity plan as it relates to a Cyber incident. The IT department will be crafting an RFP to include a disaster preparedness plan and necessary infrastructure additions as well as IT-specific Business Continuity. In addition, we plan to add a dedicated information security position this fiscal year in line with the Grand Jury recommendation. It is generally recognized practice for the Security Officer in an organization to maintain a Disaster Preparedness and Business Continuity Plan. Due to the nature of this policy adoption, as part of the Tracy Emergency Management Plan, City Council approval is required. The City is striving to adopt this Business Continuity Plan by the first quarter of 2023.

The 2022-2023 Grand Jury determined to take no further action.

2021-2022 Grand Jury Recommendation R8.3: By January 1, 2023, the Tracy City Council provide the Grand Jury with an updated formal Disaster Preparedness Plan.
Agency Response: We view the business continuity, and the disaster preparedness plans as two sides of the same coin that work hand in hand and should be addressed holistically. Any large-scale Cyber business continuity event should be treated in a similar way as a disaster. Most equipment will be unavailable for extended periods of time due to the necessary forensics. We plan on addressing this in conjunction with the IT-specific business continuity plan as outlined in the response to Finding 8.2. Due to the nature of this policy, as an annexation to the City of Tracy Emergency Management Plan, City Council approval is required. The City is striving to adopt the Disaster Preparedness Plan by the first quarter of 2023.

The 2022-2023 Grand Jury determined to take no further action.

Disclaimer

Grand Jury reports are based on documentary evidence and the testimony of sworn or admonished witnesses, not on conjecture or opinion. However, the Grand Jury is precluded by law from disclosing such evidence except upon specific approval of the Presiding Judge of the Superior Court, or another judge appointed by the Presiding Judge (Penal Code Section 911, 924.1(a), and 929). Similarly, the Grand Jury is precluded by law from disclosing the identity of witnesses except upon an order of the court for narrowly defined purposes (Penal Code Sections 924.2 and 929).

Response Requirements

California Penal Code Sections 933 and 933.05 require that specific responses to all findings and

Recommendations 8