Eddie Gardner, who’s also the Governance, Risk Management and Compliance (GRC) manager for the consolidated city/county government, was the guest for “Securing a Stay-at-Home Workplace: How the City and County of San Francisco Improved IT Operations and Security,” a webinar hosted by Teri Takai, co-director of the Center for Digital Government.*
Gardner said that after immediately opening a COVID-19 command center, the city relied on employees, volunteers and vendors to help the cybersecurity team patch holes and procure equipment.
“And we had to accelerate some of our initiatives that we had already started,” Gardner said, adding:
- “We increased the purchases of additional laptops and Chromebooks.”
- “We used Cisco Umbrella for the Chromebooks.”
- “We deployed more FireEye HX agents as well as Tanium clients for additional visibility.”
- “We enrolled all of our users into MFA (multifactor authentication) for VPN.”
Once the pandemic was declared a national emergency, Gardner said, city IT leaders sought federal funding under the CARES Act.
“We were able to attach some of the funds from the CARES Act, as well as some of the city’s emergency funds, to procure all these laptops,” Gardner said. “We also bought hot-spots for those (employees) who didn’t have broadband at home.”
And yes, sending tens of thousands of employees off to work at home was a task fraught with risks — phishing, viruses and fundraising scams under the guise of COVID-19 relief.
Remote-working employees “didn’t always have all the security protection we had on our network,” Gardner said. “We had to work with our vendors to fine-tune because they were really easy to get through.”
Gardner said that like most jurisdictions, San Francisco had a lot of employees across 65 municipal departments who didn’t have city-issued equipment and had to use their own.
Takai noted: “When you’re working at home, you have this illusion that the threat is going to decrease.”
Gardner agreed, and said the city took steps to mitigate the perception of safety and the reality of risk.
“We did some other things to protect the city’s network,” he said, including making sure employees’ personal equipment had “the latest patches, anti-virus and things like that before we would even let them on our network.”
“One of the mandatory agents we have ... provides us the visibility and being able to identify the assets we have out there,” Gardner said. “It allows us to quickly know which endpoint needs patches or remediation ... and to scan for vulnerabilities.”
And of course, the city had to make changes to its IT architecture and its tech infrastructure.
“We changed some plans, downgraded others,” Gardner said. That included upgrading the city’s own network, expanding VPN accessibility, adding network bandwidth and modifying network architecture “as if we’re not going to be coming back to the office anytime soon.”
*The Center for Digital Government is part of e.Republic, parent company of Techwire and Government Technology. It is a national research and advisory institute focused on information technology policy and best practices in state and local government. The Center is a division of e.Republic, the nation’s only media and research company focused exclusively on state and local government and education.