Case #0321

Cybersecurity:

Local Defense Against a Global Threat

San Joaquin County is well protected regarding cybersecurity. The seven cities in the county vary with respect to Grand Jury expectations, most being well secured but lacking defined plans for Business Continuity and IT Disaster Preparedness. Cybersecurity is an evolving concern and requires ongoing efforts by government entities to remain current and vigilant against risks to their Information Systems.

Summary

 

Major Findings

The Grand Jury concluded that San Joaquin County (SJC) has mature and robust security policies and systems. The County’s security architecture provided a model in evaluating each city’s systems. The Grand Jury determined that Escalon, Lodi and Stockton met a lay person’s expectations for cybersecurity but were lacking either a formal Business Continuity Plan (BCP) or Disaster Preparedness Plan (DPP). Lathrop, Manteca and Tracy were found to have adequate security systems in place but lack documented plans for both Business Continuity and Disaster Preparedness. Ripon was found to need improvement in meeting several of the Grand Jury’s expectations, with lack of personnel being their greatest challenge.

Major Recommendations

The Grand Jury recommends that the County and affected cities:

  • develop, adopt and implement a Business Continuity Plan;

  • develop, adopt and implement an IT Disaster Preparedness Plan;

  • remedy specific cybersecurity risks found in this investigation; and

  • the City of Ripon undergo a data system security review by an expert third party to assess the City’s IT systems and protocols.

    The Grand Jury recognizes that cybersecurity is a dynamic process, a continually moving target which needs constant monitoring and updating.

Stockton city council to vote on policy to respond to ransomware attacks

The policy, which experts say is a step in the right direction, was called for in a June grand jury report.