To: Board of Supervisors
From: County Administrative Office
Agenda Section: Consent
SUBJECT:
title
Information Security Program Charter
end
RECOMMENDATION(S):
Recommendation
That the Board of Supervisors:
1. Approve the attached Information Security Program Charter; and
2. Designate the Senior Security Analyst III over the Information Security Working Group as the County of Humboldt’s Information Security Officer.
Body
SOURCE OF FUNDING:
All county funds
DISCUSSION:
As the county builds an increasingly complex world of connected information systems and devices, and responds to changing work environments, security and privacy continue to dominate the County of Humboldt’s Information Technology (IT) requirements.
The cyber threat to the county’s IT infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that the County of Humboldt must lean significantly on deterrence to address cyber threats. Victims of the eleven (11) largest ransomware attacks in 2020 have spent at least One Hundred Forty-Four Million Two Hundred Thousand Dollars ($144,200,000.00) on costs ranging from investigating the attack, rebuilding networks and restoring backups to paying the hackers ransom and putting preventative measures in place to avoid future incidents. The victims allegedly paid a ransom in seven (7) of the cases. Five (5) of the ransomware victims were municipal governments, while the remaining victims spanned verticals from legal, manufacturing and financial services to IT services, facility management and higher education.
A more proactive and systematic approach to cyber deterrence is needed. There is a pressing need to further strengthen the underlying information systems, component products and services that the county depends on in every department - ensuring that those systems, components and services are sufficiently trustworthy and provide the necessary resilience to support the economic and IT security interests of the County of Humboldt.
The Humboldt County Information Security Program Charter responds to cyber threats by embarking on a proactive and systemic approach to develop and make available a comprehensive set of safeguarding measures for all types of computing platforms, including, without limitation, general purpose computing systems, cloud-based systems, mobile devices, Internet of Things (IoT) devices, communications systems, environmental control systems and industrial control systems. Such safeguarding measures include an efficient process of implementing security and privacy controls to protect the critical and essential operations and assets of the County of Humboldt and the privacy of individuals. The objectives are to make the information systems the county depends on more penetration-resistant, limit the damage from attacks when they occur, make the systems cyber-resilient and survivable and protect individuals’ privacy.
The Humboldt County Information Security Program Charter establishes a formal security program based on principles established by the National Institute of Standards and Technology. These principles are promoted by the California Counties Information Services Directors Association to achieve a sensible level of confidence and trust. The goal of the Information Security Program is to meet the functional needs of the county in a secure manner by safeguarding the confidentiality, integrity and availability of the county informational assets. If approved, the Information Security Program will be administered by the Information Security Officer under direction from the IT Division Director.
A key component of the Information Security Program is developing a comprehensive set of security policies needed to ensure the effective, secure use of county information systems and technology in support of the county’s mission. The Information Security Policies will set the stage for appropriate behavior, help staff operate in a secure manner, assist administrators in the implementation and configuration of new systems, and provide managers a means of determining if requirements are met.
FINANCIAL IMPACT:
There are no costs associated with the attached Information Security Program Charter nor the designation of the Senior Security Analyst III over the Information Security Working Group as the County of Humboldt’s Information Security Officer.
STRATEGIC FRAMEWORK:
The recommended actions support the Board of Supervisors’ Strategic Framework by building interjurisdictional and regional cooperation, providing for and maintaining technological infrastructure and creating opportunities for improved safety and health.
OTHER AGENCY INVOLVEMENT:
None
ALTERNATIVES TO STAFF RECOMMENDATIONS:
The Board may choose not to approve the attached Information Security Program Charter and/or designate the Senior Security Analyst III over the Information Security Working Group as the County of Humboldt’s Information Security Officer. However, this alternative is not recommended since it will leave the County of Humboldt more vulnerable to cyber security threats.
ATTACHMENTS:
Information Security Program Charter
PREVIOUS ACTION/REFERRAL:
Board Order No.: N/A
Meeting of: N/A
File No.: N/A