File #: 20-962    Version: 1 Name:
Type: Memo Status: Passed
File created: 11/2/2020 Departments: COUNTY MANAGER
On agenda: 12/8/2020 Final action: 12/8/2020
Title: Approve the Board of Supervisors' response to the 2019-2020 Civil Grand Jury Report, "Ransomware: It is Not Enough to Think You Are Protected"

Special Notice / Hearing:                         None

Vote Required:                         Majority

 

To:                      Honorable Board of Supervisors

From:                      Michael P. Callagy, County Manager

Subject:                      Board of Supervisors’ Response to the 2019-2020 Civil Grand Jury Report “Ransomware: It is Not Enough to Think You Are Protected”

 

RECOMMENDATION:


Approve the Board of Supervisors’ response to the 2019-2020 Civil Grand Jury Report, “Ransomware: It is Not Enough to Think You Are Protected”

 


BACKGROUND:

On October 7, 2020, the 2019-2020 San Mateo County Civil Grand Jury issued a report titled “Ransomware: It is Not Enough to Think You Are Protected.” The Board of Supervisors is required to submit comments on the findings and recommendations pertaining to the matters over which it has some decision-making authority within 90 days. The Board’s response to the report is due to the Honorable Danny Y. Chou no later than January 5, 2021.

 

DISCUSSION:

The Grand Jury made 8 findings and 4 recommendations in its report. The Board's response follows each of the findings and each of the 4 recommendations to which the Grand Jury requested that the Board respond within 90 days.

 

 

FINDINGS

 

Finding 1:

Ransomware is a real and growing threat to public entities including those in San Mateo County.

 

Response: The respondent agrees with the finding.

 

Finding 2:

Across the country, local governments and schools represent 12% of all Ransomware attacks.

 

Response: The respondent agrees with the finding. 

 

Finding 3:

The direct and indirect costs of Ransomware can be significant.

 

Response: The respondent agrees with the finding.

 

Finding 4:

Cybersecurity reviews and assessments, and an updated, well-executed Cybersecurity plan are critical components of IT security strategy.

 

Response: The respondent agrees with the finding.

 

Finding 5:

A comprehensive Cybersecurity plan should include, at a minimum, information concerning prevention steps, spam and malware software, and backups and full recovery testing.

 

Response: The respondent agrees with the finding.

 

Finding 6:

The identification of phishing attempts, including the use of spam filters, is an important component to protecting an IT system from Ransomware attacks.

 

Response: The respondent agrees with the finding.


Finding 7:

Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part of an entity’s backup plan to recover lost information.

 

Response: The respondent agrees with the finding.

 

Finding 8:

Training of new employees, and the recurring training of existing employees, is an important component of defense against Ransomware.

 

Response: The respondent agrees with the finding.

 

 

RECOMMENDATIONS

 

Recommendation 1:

 

Each of the governmental entities in San Mateo County with an IT department or IT function (whether in-house, handled by another government unit or outsourced to a private enterprise) as listed in Appendix F, should by November 30, 2020, make a request for a report from their IT organization that addresses the concerns identified in the report, specifically:

1. System Security (firewalls, anti-malware/antivirus software, use of subnets, strong password policies, regular updating/patching)

2. Backup & Recovery (In the event of an attack, can you shut down your system quickly? What is being backed up, how is it being backed up, when are backups run, and where are the backups being stored? Have backups been tested? Can you fully restore a server from a backup?)

3. Prevention (turning on email filtering, setting up message rules to warn users, providing employee training on phishing, and providing a reporting system to flag suspect content)

 

Response: The respondent will implement the recommendation with the assistance of the County’s Information Services Department (ISD). The San Mateo County Sheriff’s Office and the San Mateo County Assessor-Clerk-Recorder-Elections (ACRE) also agree with the recommendation and will implement the recommendation through their respective internal IT service divisions.

 

Recommendation 2:

These confidential internal reports should be provided to the governing body by June 30, 2021. This report should describe what actions have already been taken and which will be given timely consideration for future enhancements to the existing cybersecurity plan.

 

Response: The recommendation has not yet been implemented by respondent but will be implemented in the future with a specific time frame for implementation and reporting.

 

Recommendation 3:

 

Given the results of their internal reports, governmental entities may choose to request further guidance by means of a Cybersecurity review from the U.S. Department of Homeland Security and/or a cyber hygiene assessment from the County Controller’s Office.

 

Response: The respondent will implement the recommendation with the assistance of the County’s Information Services Department (ISD). The San Mateo County Sheriff’s Office and the San Mateo County Assessor-Clerk-Recorder-Elections (ACRE) also agree with the recommendation and will implement the recommendation through their respective internal IT service divisions, including obtaining guidance from the U.S. Department of Homeland Security, as necessary.

 

 

Recommendation 4:

Given the results of their internal reports, governmental entities may choose to ask their IT departments to review their own Cybersecurity Plan with the detailed template provided by the FCC’s Cybersecurity Planning Guide and consider customizing it using FCC’s Create Custom Cybersecurity Planning Guide tool (see footnote 52).

 

Response: The respondent will implement the recommendation with the assistance of the County’s Information Services Department (ISD). The San Mateo County Sheriff’s Office and the San Mateo County Assessor-Clerk-Recorder-Elections (ACRE) also agree with the recommendation and will implement the recommendation through their respective internal IT service divisions, as necessary.

 

FISCAL IMPACT:

There is no fiscal impact associated with the acceptance of this report.