CONTRA COSTA COUNTY  
Committee Meeting Minutes  
Internal Operations Committee  
Supervisor Diane Burgis, Chair  
Supervisor Candace Andersen, Vice Chair  
Call In: 888-278-0254 Conference code: 845965  
11:00 AM  
Monday, July 8, 2024  
309 Diablo Rd, Danville  
3361 Walnut Blvd, Suite 140, Brentwood  
1. Call to Order  
Chair Burgis called the meeting to order at 11:00 a.m. In attendance were: Jason Chan, Marc  
Shorr, Nathan Wiebe, Bob Campbell, Rex Fujikawa, Chrystine Robbins, Sara Bunnell, Tamina  
Alon, Alicia Nuchols, Sonia Bustamonte, Ellen McDonnell, and staff attending remotely from the  
District II and III Supervisors' offices.  
Present: Diane Burgis and Candace Andersen  
2. Public comment on any item under the jurisdiction of the Committee and not on this agenda (speakers  
may be limited to two (2) minutes).  
No one requested to speak during the public comment period.  
3. RECEIVE and CONSIDER approving the Record of Action for the June 10, 2024 Internal  
Operations Committee meeting. (Jason Chan, County Administrator's Office)  
Approved as presented.  
Aye: Chair Burgis and Vice Chair Andersen  
Result: Passed  
4. RECEIVE presentation on the proposed Information Security Policy and CONSIDER  
approving the recommended policy for Board of Supervisors consideration or providing  
direction to staff on any changes. (Marc Shorr, Chief Information Officer)  
Marc Shorr and Nathan Wiebe presented the staff report. Marc contrasted the County’s  
current cybersecurity awareness and capabilities with those of seven years ago when he  
first arrived at the County. He mentioned prior grand jury reports that pointed out that  
while the County had duplication of security technologies, it did not have true  
redundancy or fail-safe security capabilities. He said that the COVID pandemic  
exacerbated that challenge because it diverted limited staff focus away from IT security.  
Marc explained how in recent years, the IT threat environment has increased  
significantly. For example, on the dark web today, hackers sell hacking toolkits for  
significant profit, effectively weaponizing hacking tools for use by individuals needing  
very little knowledge to do tremendous damage.  
The goal of the new cybersecurity policy is to provide tools, strategies and guidance for  
the benefit of all County departments whether supported by DoIT or by department IT  
staff. He briefly discussed some of the tools and services DoIT employs to actively  
monitor the County’s IT environment and detect intrusion. He provided some actual  
events in which these tools and services were employed to good effect.  
The new proposed policy was developed in collaboration with ITAC (Information  
Technology Advisory Committee), following meetings with County departments and with  
County Counsel. The policy provides minimum security guidelines and standards for  
departments to attain. Marc acknowledged that some departments may be subject to  
much higher security standards based on their business and data.  
Marc emphasized the importance of consistent and comprehensive staff training, citing  
that more than 70% of cyber attacks involved a human element. High ranking County  
officials are often targets of these attacks due to their level of decision making and  
discretion within the County. The County’s staff is its first line of defense against cyber  
attacks.  
Marc briefly discussed how artificial intelligence (AI) is presenting both exciting  
opportunities and new and difficult challenges in terms of IT security. For example, by  
agreeing to the Terms and Conditions of many popular AI platforms, staff may  
inadvertently be consenting to the platform owning any data (potentially private data)  
entered onto the platform via user prompts. He said that DoIT intends to bring a  
separate policy forward specific to AI.  
Nathan explained how these new cyber security standards and guidelines will be  
socialized with departments to better understand the impacts associated with their  
adoption and ensure their feasibility. Following BOS approval, next steps would be to  
assess where security gaps exist and engage with those departments to elevate them to  
the new standard for security.  
Chair Burgis said it would be important to incorporate personal responsibility for  
security breaches, so that education and training can be targeted to prevent recurrence.  
She would like to see more awareness among staff as to the consequences to the County  
and its clients of security breaches in terms of cost, lost time, and personal impacts.  
Marc responded that the mandatory staff training would be conducted annually.  
Vice Chair Andersen asked if DoIT has the necessary resources to respond to a major  
cyber security event. Marc responded that DoIT now has a five-person team dedicated to  
information security. If outside help is needed, DoIT coordinates with Risk  
Management to engage any needed supplemental resources depending on the severity of  
the event. Outside assistance can be very helpful, particularly for events requiring public  
notification.  
Marc and Nathan expressed their gratitude for the Board’s and County Administrator’s  
prioritization of cyber security and providing the necessary resources to support the  
proper tooling and insurance.  
No one requested to speak during the public comment period for this item.  
The Committee approved the proposed policy, as presented. Vice Chair Andersen  
requested staff to pass along to the County Administrator her request to schedule a  
closed session briefing for the Board on cyber security threats.  
Aye: Chair Burgis and Vice Chair Andersen  
Result: Passed  
The August 12, 2024 meeting has been canceled. The next meeting is currently scheduled for September 9,  
2024.  
Adjourn  
Chair Burgis confirmed the next scheduled meeting on September 9, 2024, and adjourned the  
meeting at 11:33 a.m.  
General Information  
This meeting provides reasonable accommodations for persons with disabilities planning to attend the  
meetings. Contact the staff person listed below at least 72 hours before the meeting. Any disclosable public  
records related to an open session item on a regular meeting agenda and distributed by the County to a majority  
of members of the Committee less than 96 hours prior to that meeting are available for public inspection at 1025  
Escobar St., 4th Floor, Martinez, during normal business hours. Staff reports related to items on the agenda are  
HOW TO PROVIDE PUBLIC COMMENT:  
Persons who wish to address the Committee during public comment on matters within the jurisdiction of the  
Committee that are not on the agenda, or who wish to comment with respect to an item on the agenda, may  
comment in person, via Zoom, or via call-in. Those participating in person should offer comments when invited  
by the Committee Chair. Those participating via Zoom should indicate they wish to speak by using the “raise  
your hand” feature in the Zoom app. Those calling in should indicate they wish to speak by pushing *9 on their  
phones.  
Public comments generally will be limited to two (2) minutes per speaker. In the interest of facilitating the  
business of the Board Committee, the total amount of time that a member of the public may use in addressing the  
Board Committee on all agenda items is 10 minutes. Your patience is appreciated.  
Public comments may also be submitted to Committee staff before the meeting by email or by voicemail.  
Comments submitted by email or voicemail will be included in the record of the meeting but will not be read or  
played aloud during the meeting.  
For Additional Information Contact: Julie Enea, Sr. Deputy County Administrator; julie.enea@cao.cccounty.us