RESOLUTION NO. 15326
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SAN RAFAEL
APPROVING AND AUTHORIZING THE MAYOR TO EXECUTE THE
RESPONSE TO THE MARIN COUNTY CIVIL GRAND JURY REPORT ENTITLED
– CYBER PREPAREDNESS - ARE WE THERE YET?
WHEREAS, pursuant to Penal Code section 933(c), a public agency which receives a final
grand jury report addressing aspects of the public agency’s operations must, within ninety (90) days,
provide a written response to the presiding judge of the Superior Court, with a copy to the foreperson
of the grand jury, responding to the report’s findings and recommendations pertaining to matters
under the control of the governing body; and
WHEREAS, Penal Code section 933(c) requires that the “governing body” of the public
agency provide said response and, in order to lawfully comply, the governing body must consider
and adopt the response at a noticed public meeting pursuant to the Brown Act; and
WHEREAS, Penal Code section 933.05 specifies the required contents of a city’s response
to findings and recommendations of a civil grand jury; and
WHEREAS, the City Council of the City of San Rafael has received and reviewed the Marin
County Grand Jury Report, dated May 17, 2024, entitled “Cyber Preparedness - Are We There
Yet?”; and
WHEREAS, at a regular City Council meeting held on July 15, 2024, the City Council
discussed the report’s findings and recommendations.
NOW, THEREFORE, BE IT RESOLVED that the City Council of the City of San Rafael
hereby:
1. Approves and authorizes the Mayor to execute the City’s response to the Marin County
Grand Jury’s May 17, 2024, report, entitled “Cyber Preparedness - Are We There Yet?”, a
copy of which response is attached hereto as Attachment 1 and incorporated herein by
reference.
2. Directs the City Clerk to forward the City’s response forthwith to the presiding judge of the
Marin County Superior Court, with copy to the foreperson of the Marin County Grand Jury.
I, Lindsay Lara, Clerk of the City of San Rafael, hereby certify that the foregoing Resolution
was duly and regularly introduced and adopted at a regular meeting of the San Rafael City Council
held on the 15th day of July 2024, by the following vote to wit:
AYES: Councilmembers: Bushey, Kertz & Mayor Kate
NOES: Councilmembers: None
ABSENT: Councilmembers: Hill & Llorens Gulati
LINDSAY LARA, City Clerk
ATTACHMENT 1
RESPONSE TO GRAND JURY REPORT FINDINGS AND
RECOMMENDATIONS
REPORT TITLE: "Cyber Preparedness: Are We There Yet?"
REPORT DATE: May 17, 2024
RESPONSE BY: San Rafael City Council
GRAND JURY FINDINGS
• We agree with the finding(s) numbered: F1, F2, F3, F4, F5
• We disagree wholly or partially with the finding(s) numbered: F6
GRAND JURY RECOMMENDATIONS
• Recommendations numbered R2–R5, R7–R10 do not require a response by the City of
San Rafael.
• Recommendation numbered R1 has been implemented.
• Recommendations numbered R6(a), R6(b) have not been implemented yet, but will be in
the future.
Date:          Signed:
Mayor Kate Colin
City of San Rafael Response to Grand Jury Report Findings and Recommendations
"Cyber Preparedness: Are We There Yet?"
May 17, 2024
RESPONSE TO GRAND JURY FINDINGS
F1. Contracts for Information Technology, Information Systems, and Cybersecurity
services between third-party providers and Marin County governmental agencies should
contain a Business Continuity clause, or other language, protecting that agency from a
sudden cessation of services provided by the third-party provider.
Response: Agree
Utilizing a managed service provider for IT services requires an understanding that continuity of
public services is critical for public safety and the maintenance of daily operations. Any cessation
of agreements between an agency and IT provider should include thoughtful transition of
responsibility to ensure services are not disrupted for the public.
The City currently contracts with Xantrion Inc. for IT services and that agreement includes
language confirming Xantrion's responsibilities during a cybersecurity incident and an agreement
to provide sufficient efforts and cooperation to ensure an orderly and efficient transition of services
to another service provider.
F2. Marin County municipalities should have current, written contracts with third-party
providers of Information Technology, Information Systems, and Cybersecurity services,
and should not continue to use those providers' services without a current contract.
Response: Agree
Cities and Counties rely upon IT services to maintain daily operations. Contracts are critical to
protect Cities and Counties from risks and liabilities that may occur as part of the management of
critical IT infrastructure. As noted in Finding 1, the City has a current agreement with Xantrion for
IT services.
F3. Membership in insurance risk pools provides the benefits of cybersecurity
assessments and audits, which highlight cybersecurity deficiencies and make
suggestions for improvement.
Response: Agree
A potential cybersecurity attack could cost a municipality millions of dollars to remediate.
Insurance risk pools help to mitigate the overall potential cost impact on a City to recover from an
attack. The City participates in the California Joint Powers Risk Management Association (CJPRMA)
and cyber insurance coverage is a part of this membership. The pool also provides training around
cybersecurity. Additionally, CJPRMA has suggested language to use in contracts to provide the
City the best cyber coverage when using third-party vendors.
City of San Rafael Response to Grand Jury Findings and Recommendations Page 2 of 5
F4. Having a completed, adopted and regularly updated cybersecurity plan helps ensure
that all staff within a government agency are working together to optimize that
organization's cyber preparedness and security.
Response: Agree
The City includes cybersecurity as part of its core IT service delivery model and annual work plan.
These efforts include security for network infrastructure, desktops, mobile devices, users, internal
processes, and disaster recovery. For example, this year, the City is developing a disaster
recovery plan and policy that outlines roles, responsibilities, and procedures to ensure IT business
continuity in the case of a disaster. Examples of how cybersecurity has been integrated into the
City's IT service delivery and risk mitigation strategy include, but are not limited to:
• Requiring that anyone with access to the City network participate in regular cybersecurity
training, receive email updates on current and trending security threats, and regularly
update their passwords.
• Using a managed service provider, Xantrion Inc., to monitor and respond to threats,
provide network backups, and manage cybersecurity training.
• Requiring staff to participate in annual security training, including email updates on current
threats, phishing simulations, and regular password changes.
• Using measures for email flagging, spam filtering, and regular backups of City files and
servers.
• Requiring multi-factor authentication for City staff with access to City networks and
documents.
• Central management of IT infrastructure equipment to ensure that all equipment is
properly configured and maintained.
• Ensuring that Digital Service staff are engaged in the procurement and risk assessment
of new applications.
• Conducting ongoing firewall and network server maintenance.
• Maintaining Department of Justice-compliant network connectivity to serve our Police
Department and reporting any known breaches to federal authorities.
• Participating in Digital Marin and the Marin Information Security Collaborative (MISC) to
share best practices around cybersecurity.
• Maintaining cyber insurance coverage through participation with CJPRMA.
• Deployment of Mobile Device Management (MDM) for public safety devices.
• Adoption of a Disaster Recovery Environment for rapid recovery of any compromised data
following a cybersecurity incident or disaster.
• Deployment of a Security Information and Event Management (SIEM) system to help
combat cyber threats by providing key threat-detection capabilities, real-time reporting,
compliance tools, and long-term log analysis.
F5. Joint Powers Authorities in Marin County exist to provide more efficient and cost-
effective services to the people of Marin.
Response: Agree
Marin County jurisdictions have relied on JPAs to develop shared services that benefit residents
of the County. Smaller towns in Marin County generally have fewer resources dedicated to IT and
cybersecurity and may benefit from a resource that provides mutual support for cybersecurity.
F6. The current County Collective Bargaining Agreements prevent the Marin County
Department of Information Systems & Technology from unilaterally negotiating managed
service agreements (outsourcing work to third parties).
Response: Partially Disagree
It is not within the City of San Rafael's realm of responsibility to agree or disagree with this finding.
The County's collective bargaining agreements are the responsibility of the County of Marin.
RESPONSE TO GRAND JURY RECOMMENDATIONS
R1. Marin agencies should require a current (executed within the last five years),
competitively-bid, written contract which includes business continuity language for any
third-party Information Technology services they use.
The City has implemented this recommendation.
The current agreement between the City of San Rafael and Xantrion Inc. includes language confirming
Xantrion's responsibility and support in the case of a security incident and an agreement to
provide sufficient efforts and cooperation to ensure an orderly and efficient transition of Services
to Client or another service provider in the case of a termination of convenience.
In addition, the City of San Rafael and Digital Service Team are developing a disaster recovery
plan and policy that outlines roles, responsibilities, and procedures to ensure IT business
continuity in the case of a disaster. The disaster recovery plan and policy will be
completed no later than October 2024. We will include language referring to business continuity
and disaster recovery as part of the renewal of our agreement with Xantrion.
R6 (a). All Marin municipalities should: (a) take all steps necessary to acquire an appropriate
.gov or .ca.gov domain.
The City will implement this recommendation by the end of 2024.
On October 8, 2023, the California Assembly passed AB1637, which requires municipalities to
move to .gov or .ca.gov domains no later than 2029. The City of San Rafael will acquire a domain
name by the end of 2024 and will migrate to the .gov domain prior to the 2029 deadline.
R6 (b). All Marin municipalities should: (b) formulate and adopt a plan for rolling out a
.gov or .ca.gov website and emails by the start of the 2025-2026 Fiscal Year.
The City will implement this recommendation as part of the Digital Service Department's fiscal
year (FY) 2025-26 work plan.
AB1637 (which requires municipalities to move to .gov or .ca.gov domains no later than 2029) is an
unfunded mandate from the State of California. Currently, the City of San Rafael's website, email,
and servers all rely on the cityofsanrafael.org domain, including identity, single sign-on, multifactor
authentication, and integrations with third-party software. The domain change will impact all City
digital services, including public safety. A report from the California League of Cities estimated
costs upwards of $600,000 for mid-sized cities to make this migration for all City services.
The process to move to a .gov or .ca.gov domain will require planning, time, and funding to
coordinate with our managed service provider to complete. At the time of the bill's passage, the
City and Digital had priority projects identified as part of our FY 2024-25 goals and objectives and
work plan that require attention and have funds available. The Digital Service Department will
begin planning for this migration as part of our work plan for FY 2025-26 to ensure we do not
risk disruptions to City services and to assess whether the State will make funding available to
offset the costly mandate that this bill requires of municipalities in the State.