Santa Barbara County Grand Jury • 2020-2021 • Agency Response
Response to: CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY

Gua May 26, 2020 The Honorable Judge Michael J. Carrozzo Presiding Judge, Santa Barbara Superior Court*

Published: May 26, 2020 19 pages
View Original PDF

Findings and Recommendations 5 findings

F4
Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication. Response: Agree. <b>Recommendation 4</b> That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. Response: Has been implemented. A hardened firewall, updated regularly, is in place to • Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 protect all City IT infrastructure from external attacks. To help remedy internal attacks, all City staff are limited to access only the data needed to perform their job functions. Auditing in place on servers allows for tracking of suspicious behavior. Enterprise-grade anti-virus is installed to protect data from any malicious activity. The City will receive a cybersecurity scan of its network to identify any weaknesses. The City will have its employees change their passwords often and will include multifactor authentication. In addition, the City is evaluating other alternatives to mitigate security risk, which may include moving records from a physical server to a cloud-based system, cybersecurity scan of its network, further isolating and protecting backups, updating to Microsoft Office 365, and rotating out outdated equipment.
Related Recommendations (1)
R4
That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats.
F5
Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software. Response: Agree. .
Related Recommendations (4)
R5a
That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. • Response: Has been implemented. Enterprise-grade anti-virus is installed on all appropriate devices to protect data from any malicious activity (malware and other threats).
R5b
That each public entity within Santa Barbara County install and update all operating software regularly. Response: Will be implemented. The City is already in the process of upgrading all servers. The City's plan is to complete upgrades of all old workstations and laptops throughout the coming year fiscal year 20-21. The City's accounting system is in the process of being upgraded and should be completed within one year. All systems owned by the City receive weekly security updates to the current operating systems, as well as line of business applications where appropriate.
R5c
That each public entity within Santa Barbara County periodically train employees and then test their cyber security awareness. Response: Will be implemented pending available funds for service. The City will be developing a cyber-security awareness training plan for its employees within the next 6 months. Testing cyber-security awareness for the City's employees is best completed using services purchased from a 3rd party. The City currently has no funds available for this purpose. The City will seek attempt to obtain funding for this purpose by applying Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 for grants and/or trying to increase revenue. The City will instruct its employees about cyber security awareness by advising all City employees about the Grand Jury's report and the City's response and direct all employees to read the Grand Jury's report in order to increase cyber-security awareness.
R5d
That each public entity within Santa Barbara County periodically ensure electronic system- related contractors have been trained for cyber security awareness. Response: Has been implemented.
F6
If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. Response: Agree.
Related Recommendations (2)
R6a
That each public entity within Santa Barbara County create and implement a full backup and recovery plan. . Response: Has been implemented. Enterprise-grade backup and disaster recovery software is installed on all servers. All City data is stored on the servers. The City's IT service provider continually updates the recovery plan as changes take place. However, the City is evaluating the alternative of having offsite cloud backups.
R6b
That each public entity within Santa Barbara County regularly update and test their backup and recovery plan. Response: Has been implemented. The City's IT service provider tests the integrity of backups, as well as the recovery process, every 3 months. The back and recovery plan is updated as changes are made.
F7
Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. • Response: Agree.
Related Recommendations (1)
R7
That each public entity within Santa Barbara County secure adequate cyber insurance. • Response: Has been implemented. The city has cyber insurance through the California Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 Joint Powers Insurance Authority.
F8
A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium. Response: Agree. • <b>Recommendation 8</b> That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. Response: Has been implemented. The City is already actively addressing cyber risks and concerns; however, the City is willing to participate in such a cyber security working group and share costs provided that the City has available funds for such purposes. Sincerely, Ariston D. Julian Mayor Gina Rubalcaba, Mayor pro tem Tony Ramirez, Council member Eugene Costa Jr., Council member Liliana Cardenas, Council member Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 <b>RESOLUTION NO. 2020-39</b> A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF GUADALUPE ADOPTING A RESPONSE TO THE SANTA BARBARA COUNTY GRAND JURY REPORT ENTITLED "CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY" WHEREAS, the Santa Barbara County Grand Jury released a report on March 18, 2020 titled "Cyber-Attacks Threaten Santa Barbara County" with eight (8) findings and twelve (12)
Related Recommendations (1)
R8
That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance.

Conclusions 6

Observations 3

* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.