📋

Extracted from Consolidated Report

This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.

San Joaquin County Grand Jury • 2008-2009

Information Technology Security: SJ County and Cities

10 pages

View PDF View Full Original

⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.

⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.

Findings 13 findings

F1 Page 54

Information Systems Division – Meets expectations for IT Security a. Written Security Policy was clear and comprehensive and all employees were made aware of its content b. The division has developed an online security training program required to be completed by all employees c. Founded intra-governmental IT Security group inviting all county departments and cities to discuss common security issues

F2 Page 54

Human Services Agency, Behavioral Health Services, Public Health Services, and San Joaquin County General Hospital – Meets expectations for IT Security a. Each of these health related departments are subject to federal and state oversight and numerous security related regulations; as a result, each exhibited a very sophisticated level of IT security

F3 Page 54

Assessor-Recorder-County Clerk Division – Meets expectations for IT Security a. Documented and thorough “Emergency Contingency and Disaster Recovery Plans for Information Systems”

F4 Page 55

Agricultural Commissioner’s Office – Does not meet expectations for IT Security a. Out-dated and unsupported Sever Operating System (Windows NT 4.0) still in service, though not in a critical role b. Disaster preparedness and recovery plan is currently under review c. Personnel IT Security training has not yet begun

F5 Page 55

Department of Child Support Services – Meets expectations for IT Security a. Provides a good model for the distribution of IT services allowing ISD to maintain and configure the network infrastructure while utilizing departmental IT staff for local support and unique development requirements

F6 Page 55

Community Development Department – Meets expectations for IT Security a. The departments’ implementation of ‘thin client terminals’ provides a high level of IT security b. Server recovery from backup is tested annually c. Reciprocal catastrophic disaster recovery plan with neighboring county

F7 Page 55

District Attorney’s Office – Does not meet expectations for IT Security a. Evidence of a documented disaster preparedness and recovery plan was not provided

F8 Page 55

Employment & Economic Development Department – Meets expectations for IT Security a. EEDD has created a detailed Disaster Recovery Plan and ensured that IT staff had it on hand at all times b. Encryption software for laptops is currently being deployed

F9 Page 55

Environmental Health Department – Meets expectations for IT Security a. EHD is transitioning to server virtualization that will significantly enhance disaster recovery efforts b. Ambitious plans for high availability, redundant data systems are in development but budget constraints make near term deployment unlikely

F10 Page 55

Public Defenders Office – Does not meet expectations for IT Security a. Primary and backup servers are out-dated. The server operating system (Windows NT 4.0) is nearly 4 years past the manufacturer’s end-of-life date. b. 90% of department employees have so far failed to complete the county’s IT security training c. Critical or confidential “case information” is allowed to be stored on local workstations d. Portable and mobile devices, presumably also with confidential case information, are unencrypted, though password protected

F11 Page 56

Public Works Department – Meets expectations for IT Security a. Installing encryption software on all new laptops b. Disaster recovery plan is dependent upon the ability to fall back to paper hard copies for daily operations. This may be appropriate for this department

F12 Page 56

Sheriff-Coroners Office – Does not meet expectations for IT Security a. Very clear and well defined standards for a user’s access to confidential data and the determination of the sensitivity of that data exists. b. At least one server is running dated operating system (Windows NT 4.0) c. The department’s IT systems have been designed for high availability and redundant components d. Disaster recovery plan was thorough and comprehensive

F13 Page 56

Treasurer and Tax Collector – Meets expectations for IT Security a. Treasury and Tax records are unique in that they are ‘public record’ City of Stockton – Does not meet expectations for IT Security

Recommendations 7

R1
Page 52

San Joaquin County a) Agricultural Commissioner’s Office i) Upgrade outdated server operating systems ii) Ensure that IT Security training for all personnel begins immediately and full compliance is achieved in a timely manner b) District Attorney’s Office i) Prepare a comprehensive and documented disaster recovery and business continuity plans c) Public Defenders Office i) Upgrade outdated server operating systems ii) Ensure that IT Security training for all personnel begins immediately and full compliance is achieved in a timely manner iii) Establish and enforce policy to prohibit local file storage of confidential information iv) Where portable devices such as laptops are required, insure that hard drives are encrypted d) Sheriff-Coroner’s Office i) Upgrade outdated server operating systems
R2
Page 52

City of Stockton a) Chronic understaffing and lack of leadership should be promptly addressed b) Prepare a comprehensive and documented disaster recovery and business continuity plans
R3
Page 52

City of Lodi a) Develop plans and preparations for the relocation of the data center to a more secure location b) Extend IT security policy to restrict access to external email accounts from the city network c) Ensure all IT support staff function under unified policies and management
R4
Page 52

City of Tracy a) Prepare a clear and comprehensive IT security policy approved and endorsed by city management b) Ensure and document that every employee is informed of the IT security policy and the consequences of violations c) Implement tighter internet access controls on the network
R5
Page 53

City of Manteca a) Expand current IT security policies to provide greater guidance and insure that all employees are informed of the policy updates b) Where portable devices such as laptops are required, insure that hard drives are encrypted c) Prepare a comprehensive and documented disaster recovery and business continuity plan d) Ensure that emergency backup power is provided to the entire data center
R6
Page 53

City of Ripon a) Prepare a clear and comprehensive IT security policy approved and endorsed by city management b) Ensure and document that every employee is informed of the contents of this policy and the consequences of its violation c) Prepare a comprehensive and documented disaster recovery and business continuity plan d) Adopt manual or automated process that insures every server and workstation is kept current with all security patches and anti-virus updates e) Ensure that the off-site storage of backup tapes is secure RESPONSE REQUIRED Pursuant to Section 933.05 of the California Penal Code: The San Joaquin County Board of Supervisors and the various City Councils, where applicable, shall report to the Presiding Judge of the San Joaquin County Superior Court, in writing and of publication of this report, with a response as follows: The San Joaquin County District Attorney and the San Joaquin County Sheriff, where applicable, shall report to the Presiding Judge of the San Joaquin County Superior Court, in writing and of publication of this report, with a response as follows: As to each finding in the report a response indicating one of the following: a. The respondent agrees with the finding. b. The respondent disagrees with the finding, with an explanation of the reasons therefore. As to each recommendation, a response indicating one of the following: a. The recommendation has been implemented, with a summary of the action taken. b. The recommendation has not yet been implemented, but will be with a time frame for implementation. c. The recommendation requires further analysis, with an explanation of the scope of analysis and a time frame not to exceed six (6) months. d. The recommendation will not be implemented, with an explanation therefore. APPENDICES
R7
Page 54

Disaster Preparedness a) Describe your department’s disaster plan for natural or man made disaster (i.e. loss of power, network connectivity, system failure, flood or earthquake). b) Has it been tested and how often? c) Describe your plans for business continuity. d) What is the most serious system failure to date? i) What was your time to full recovery? ii) What lessons were learned? Name of person completing questionnaire: __________________________________________ Phone number: _________________ Email address: _________________