Marin County Grand Jury
• 2024-2025
• Agency Response
Response to:
Cyberattacks: A Growing Threat to Marin Government
Response to Grand Jury Report Form "cyberattacks: a Growing Threat to Marin Government"*
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 8 findings
F3
Transparency is lacking regarding cybersecurity because past breaches have not been publicly disclosed, and city and town councils have not facilitated public discussion of cybersecurity issues. Disagree. The City of Larkspur has not experienced a security breach that would require public disclosure. The City of Larkspur will not comment on findings concerning other cities and towns. Therefore, the City of Larkspur cannot agree with the portions of the finding concerning other municipalities.
No recommendations for this finding
F4
Most elected officials in Marin's cities and towns are not sufficiently engaged in ensuring robust cybersecurity policies and procedures are in place. Disagree. This is a general statement concerning most elected officials in Marin cities and towns. The City of Larkspur will not comment on the findings asserting practices of other cities and towns. Therefore, the City of Larkspur cannot agree with the portions of the finding concerning other municipalities.
Related Recommendations (1)
R4
Starting in fiscal year 2020-2021, the county board of supervisors and the city and town councils should request their managers report, at least annually, regarding their cybersecurity profile and any measures being taken to improve it. This recommendation will be implemented in the future. The City of Larkspur is in the process of implementing a 5-Year Technology Master Plan and will report progress in implementing the plan (including cybersecurity measures) as part of the mid-year FY 2020-21 budget review. This report will be presented in January or February of 2021.
F5
County and municipal officials and managers have been generally unaware of breaches that have occurred outside their own agencies in Marin and therefore have not felt the need to collaborate on measures to improve cybersecurity. Disagree partially. The City of Larkspur has not consistently been made aware of breaches outside of our agency. However, issues of cybersecurity have been discussed by the Marin Managers Association.
Related Recommendations (1)
R5
Starting in fiscal year 2020–2021, the county, cities, and towns should convene periodic discussions, at least annually, in a public forum such as a board or council meeting, regarding the importance of good cybersecurity practices for our government, residents, and other organizations. This recommendation will be implemented in the future. Starting in October 2020, the County of Marin will host an NCSAM event that is open to members of the public to facilitate a discussion on cybersecurity. As a member of the recently formed Marin Information Security Collaboration (MISC), Larkspur will help promote this event to our residents and organizations.
F6
Municipalities have been lax in following FBI guidance that cybersecurity breaches be reported to federal law enforcement. Disagree. The City of Larkspur has not experienced a cybersecurity breach that would have been required to be reported to federal law enforcement. The City of Larkspur will not comment on findings concerning other cities and towns. Therefore, the City of Larkspur cannot agree with the portions of the finding concerning other municipalities.
Related Recommendations (1)
R6
The county and each city and town should adopt a policy to report to federal law enforcement any cybersecurity intrusion that results in financial fraud or unauthorized disclosure of information and make that intrusion public. This recommendation will be implemented in the future. The City of Larkspur has not had any recent cybersecurity breaches, financial fraud, or unauthorized disclosure of information that have required the reporting to federal law enforcement. If the City were to become victim to any of the above attacks staff would work closely with all law enforcement personnel, including federal law enforcement, as required to properly respond to the threat. The County of Marin has access to existing security policy templates that have been developed in collaboration with the California Counties Information Services Director's Association (CCISDA) Information Security Council (ISC). These templates will be shared with the members of the recently formed Marin Information Security Collaboration (MISC) and will be considered for updates to the City's own security policies.
F7
Marin's cities and towns have not made a concerted effort to standardize around a common set of best practices with respect to cybersecurity. Agree. The City of Larkspur agrees more can be done to share cybersecurity best practices. While the strategy and approach to cybersecurity in Marin cities and towns have not been standardized amongst all jurisdictions, most of the cities and towns utilizing the MIDAS network share the network security protocols in place for MIDAS. The City of Larkspur will work with the recently formed Marin Information Security Collaboration (MISC) between Marin County regional agencies to develop and share best practices for cybersecurity.
Related Recommendations (1)
R7
of the date of this report, cities and towns should implement the first four practices described in the Best Practices section of this report, regarding mandatory user training, email flagging and filtering, password management, and backup. These recommendations have been implemented: Daily backup, email flagging and filtering. These recommendations have been partially implemented and require further analysis: Employee training and password management. Employees receive examples of recent phishing attempts and fraudulent emails on a regular basis. Best practices regarding sending sensitive information has been discussed at staff meetings and all hands meetings. Password management, including two-factor authentication, is used for some programs. As of July 2020, the City of Larkspur has engaged a new managed IT provider. The City of Larkspur will discuss additional staff training and formalized password management practices with its IT services provider of this report. This may require further analysis or be implemented immediately once discussed.
F8
The Marin County Council of Mayors & Councilmembers has not made cybersecurity a priority, which has minimized the awareness and engagement of elected officials in cybersecurity matters. Agree. However, individual Councils and/or Councilmembers may be aware and engaged in cybersecurity. The City of Larkspur will not comment on the findings asserting practices of other cities and towns. Therefore, the City of Larkspur cannot agree with the portions of the finding concerning other municipalities.
Related Recommendations (1)
R8
In fiscal year 2020–2021, cities and towns should complete an analysis of the feasibility of implementing the remainder of the practices described in the Best Practices section of this report. These recommendations have been implemented: Automated malware detection and removal, firewalls, and monitoring systems. These recommendations have been partially implemented and require further analysis: Use of expert resources and hardware and patching. These recommendations require further analysis: Management of mobile devices, documentation, vulnerability assessments. Staff will need to further study recommendations requiring further analysis to determine if resources can be allocated to complete these tasks in Fiscal Year 2020-21. As of July 2020, the City of Larkspur has engaged a new managed IT provider. The City will discuss these tasks with the provider for feasibility.
F9
The Marin Managers Association has not done enough to facilitate the sharing of cybersecurity information and resources among its members. Disagree. In December 2019, the City of San Rafael made a presentation to the Marin Managers Association about a recent overhaul of IT service delivery model, including cybersecurity. Their presentation included a consultant they hired to conduct an assessment of their service model and the president of the company who manages their cybersecurity.
Related Recommendations (1)
R9
In fiscal year 2020–2021, cities and towns should, through the Marin Managers Association, complete an analysis of the feasibility of contracting with a cybersecurity expert to be available to cities and towns on a shared basis, in order to raise the overall level of cybersecurity in Marin's cities and towns. This recommendation will be implemented in the future. The Larkspur City Manager will work with the Marin Managers Association to add the consideration of hiring a cybersecurity firm to the list of potential shared services that is currently in development. i i . . . . . . . . . . . . . . . . . . . . - . - . 17.19 2020 JUL 22 P 2: 00 CONVERUS OFFICE i .
F10
Various low-cost best practices exist that could, if implemented, significantly improve the cybersecurity posture of Marin's cities and towns. Agree partially. Agree as it relates to the City of Larkspur. The City of Larkspur will not comment on the findings asserting practices of other cities and towns. Therefore, the City of Larkspur cannot agree with the portions of the finding concerning other municipalities.
No recommendations for this finding
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.