The Orange County Grand Jury says some OC government departments are “out of compliance” with cybersecurity norms, citing a consultants’ assessment that there is a “high risk” of those agencies being compromised by a cyberattack.
The report, issued June 25, said “it is imperative that the county ensure compliance with its adopted policies across all county departments and continue to evaluate and implement new measures into their cybersecurity protocols and procedures.”
Cybersecurity has become increasingly important as hackers target local government departments and agencies, including with demands for ransom payments, at a time of increasingly tight budgets.
“The Grand Jury felt that this is an issue the various county agencies should take seriously and properly comply with the directives generated by the department created to maintain the security of the county’s sensitive computer-based files,” Grand Jury foreperson Steven Belasco told the Business Journal by email after the report was issued.
He said the report was the “cumulative effort” of a number of Grand Jury members. It found that some county departments are “currently out of compliance” with cybersecurity guidelines known as the “Vulnerability and Patch Management Policies.”
Molly Nichelson, public information manager for the County Board of Supervisors, said the county will respond to the Grand Jury report at a later date, including information from the various affected departments and agencies.
The Grand Jury said an assessment performed by independent IT consultants in June 2019 “concluded that the top priority for the county’s cybersecurity efforts should be to update software across the county’s IT systems to remove or mitigate thousands of existing serious security vulnerabilities.”
The 19-member panel cited the Orange County Information Technology department, known as OCIT, as saying that most but not all county departments are submitting “vulnerability scanning results” on a monthly basis.
“OCIT advised the Grand Jury that the departments which are currently not submitting vulnerability scan results include the Auditor/Controller, Treasurer/Tax Collector, Health Care Agency, Sheriff/Coroner, District Attorney, and Public Defender,” according to the report.
The assessment also concluded that “because of the prevalence of out-of-support and unpatched software in the County’s environment, key agencies are at ‘high risk’ of being compromised by a cyberattack,” according to the Grand Jury.
A patch is used to update or fix software, often dealing with security issues, while unpatched software is vulnerable to cyber-intruders.
“The county should require all county departments to comply with its cybersecurity policies and participate in vulnerability and penetration assessments,” according to the Grand Jury report.
The major functions of a grand jury in Orange County are divided into criminal indictments and civil investigations. Both functions are carried out by the same panel, while the civil investigation part takes up the majority of the grand jurors’ time.
The civil, or “watchdog,” responsibilities of the OC Grand Jury include the examination of all aspects of county government to ensure the county is being governed honestly and efficiently and county monies are being handled appropriately.