Muyni
← Back to Wheaton

City Council Planning Sessions

Regular Meeting

Wheaton, IL · April 10, 2017

AgendaMinutes

Minutes

MEMORANDUM TO: Record FROM: Susan Bishel, Public Relations Coordinator SUBJECT: April 10, 2017 City Council Planning Session Minutes DATE: April 13, 2017 CC: Mayor and City Council, City Manager, City Clerk, Department Heads The Planning Session took place in the Council Chambers, Wheaton City Hall, 303 W. Wesley St., Wheaton, Illinois. Those attending the Planning Session included: Mayor Gresk, Councilwoman Fitch, Councilman Prendiville, Councilman Rutledge, Councilman Saline, Councilman Scalzo and Councilman Suess. Also in attendance were City Manager Dzugan, Assistant City Manager Duguay, Director of Finance Lehnhardt and Director of Information Technology Michaelis. The session began at 7:05 p.m. following the conclusion of a public hearing and concluded at 7:42 p.m. The following items were discussed: I. Call to Order The Wheaton City Council Planning Session was called to order at 7:05 p.m. by Mayor Gresk. Mayor Gresk introduced guests in attendance visiting from Wheaton’s sister city of Karlskoga, Sweden. A hockey team from the sister city, along with coaches and staff from the city of Karlskoga, visited Wheaton, and City of Wheaton staff members met with their counterparts from Karlskoga to exchange ideas and learn about each other’s communities. Kalle Selander and Ylva Elofsson of Karlskoga thanked City of Wheaton officials and residents for their hospitality. II. Approval of Minutes – February 27, 2017 The Council approved the February 27, 2017 Planning Session Minutes. III. Public Comment There were no public comments. IV. I.T. Security Update Director of Information Technology Michaelis summarized the steps City staff recommends taking to comply with the security policy the Council adopted in January 2017. This will increase the security of the City’s systems and data. The Council will be receiving a recommended bid award for a network infrastructure replacement in the near future. This project would cost approximately $125,000 and would replace aging infrastructure that no longer meets the City’s security needs. Director of Information Technology Michaelis also recommended training staff members on data leak prevention, as nearly one-third of all data breaches are caused by individuals within an organization. Also, City staff recommends network segmentation, so that network breaches would not affect all of the City’s systems. The main focus would be separating the City’s Police Department networks from all other City networks. City staff also recommends establishing divisions of staff duties to ensure separate systems remain secure. Finally, City staff addressed challenges related to log collection and review, including the time and effort to perform these duties. City Manager Dzugan stated the City will be seeking the services of a technology firm to assist the City with cybersecurity. City staff will be recommending a firm that uses a risk-based approach to guide the City’s security management. In response to Council questions, Director of Information Technology Michaelis stated the City Council will be presented with two bids for their consideration. The first is a network infrastructure bid that would replace physical equipment such as switches, routers and firewalls. The other bid award would be for cybersecurity consulting services. In response to a Council question about whether the City should retain log files for a longer period of time, Director of Information Technology Michaelis stated the City meets mandated requirements for data retention, and extending the time frame for record retention would dramatically increase the City’s data storage needs. In response to Council questions about the amount of security awareness staff training that will be required, Director of Information Technology Michaelis stated many employees will need to take a 2-hour training session, but staff members in the Police and I.T. departments will need more intensive training. V. Voting Requirements/Extra Majority City Manager Dzugan stated in City staff’s efforts to re-codify the City Code, they identified five instances where extra majority voting is required and two sections in the Zoning Ordinance 4/10/17 Planning Session 2 where extra majority voting is required. The City Council requested City staff bring this to a Planning Session as a separate issue for discussion. City Manager Dzugan stated the City Attorney has advised that the Council has the discretion to determine if the extra majority requirements should remain or if the Council would like to change any or all of these instances. City staff sought the Council’s direction as to whether the subject matters should require an extra majority vote, and if so, what percentage should apply and what that percentage is applied against. Council members expressed an interest in requiring five votes for an extra majority. The Council expressed interest in requiring 5 members of the city Council for approval of contracts that are not competitively bid, vacating City property, and requests for annexation to the City. For votes involving group home care, plat of subdivision, zoning amendments, or zoning variations, the Council expressed interest in requiring a simple majority of Council members qualified to vote. The Council directed City staff to draft an ordinance for their formal consideration at an upcoming meeting. VI. City Council/Staff Comments Councilman Rutledge complimented the Wheaton Environmental Improvement Commission for doing an excellent job at its paper shredding event on April 8. Mayor Gresk encouraged people to attend the Environmental Improvement Commission’s Arbor Day tree planting on April 28 and Native Plant Sale April 29. He also encouraged residents to apply to be on a board or commission. Applications are on the City’s website or in the City Clerk’s Office. VII. Adjournment The meeting was adjourned at 7:42 p.m. 4/10/17 Planning Session 3

Agenda

1. City Council Planning Agenda Documents: 2017-04-10 CITY COUNCIL PLANNING AGENDA.PDF 2. City Council Planning Voting Requirements-Extra Majority Ps05 Documents: 2017-04-10 CITY COUNCIL PLANNING VOTING REQUIREMENTS-EXTRA MAJORITY PS05.PDF 3. City Council Planning Minutes Documents: 2017-04-10 CITY COUNCIL PLANNING MINUTES.PDF 4. City Council Planning I.T. Security Update Ps04 Documents: 2017-04-10 CITY COUNCIL PLANNING I.T. SECURITY UPDATE PS04.PDF 5. City Council Planning Draft 2017-02-27 Minutes Ps02 Documents: 2017-04-10 CITY COUNCIL PLANNING DRAFT 2017-02-27 MINUTES PS02.PDF WHEATON CITY COUNCIL PLANNING SESSION WHEATON CITY HALL – COUNCIL CHAMBERS 303 W. WESLEY STREET, WHEATON, ILLINOIS MONDAY, APRIL 10, 2017 - 7:00 P.M. * AGENDA I. Call to Order II. Approval of Minutes – February 27, 2017 III. Public Comment IV. I.T. Security Update V. Voting Requirements/Extra Majority VI. City Council/Staff Comments VII. Adjournment During the Public Comment portion of the agenda, the presiding officer shall recognize any person requesting to be heard on any of the planning session agenda items only. Persons speaking during Public Comment shall not speak longer than three (3) minutes and shall be permitted to speak only once. Visitors must remain quiet and not engage in behavior that interferes with the Planning Session. The presiding officer may, or upon a majority vote of the council, request any visitor who violates any provision of this paragraph to leave the council chambers, and such visitor shall thereupon leave. Any person providing public comment shall address the presiding officer only and shall not proceed with remarks until recognized. When recognized, the person shall state his or her name and address. Cross floor discussions are prohibited. If a member of the City Council has questions of any person who has provided public comment, that person may address the specific question. * The Planning Session will commence immediately following the City Council Public Hearing Scheduled for 7:00 p.m. emorandum MichaelG.Dzugan City Manager ,, TO: The Honorable Mayor and City Council DATE: March 30, 2017 SUBJECT: Voting Requirements/Extra Majority During the recodification of the City Code, several sections where specific extra majority voting requirements were noted and deferred by the City Council for further discussion. Also, the Zoning Ordinance has two sections where extra majority voting requirements are set forth. Provided below are the pertinent sections of City Code and Zoning Ordinance, and corresponding State Statute, if applicable. 1) CONTRACTS City Code reference. 2-142 (7)(a) City Manager, Powers and Duties contracts not - - adapted to award by competitive bidding. authorized by a vote ofPvo-thirds o/’all ‘. . . the council members then holding office. State Statute reference. 65 ILCS 5/8-9-1. “...any work . when the expense thereof . . will exceed $20,000, shall be constructed either (I) by a contract let to the lowest responsible bidder after advertising for bids, in the manner prescribed by ordinance, except that any such contract may be entered into by the proper officers without advertising for bids, ifauthorized by a vote ofhvo-thirds ofall the aldermen or trustees then holding office; . . 2) ANNEXATION City Code reference. 18-6 Annexation. — authorized by an ordinance passed by a “. . . vote ofvo-thirds oft/ic members oft/ic city council theim holding office. State Statute reference. 65 ILCS 5/1 1-15.1-3. “The annexation agreement or amendment shall be executed by. upon the adoption of a resolution or ordinance directing such . . execution, which resolution or ordinance must be passed by a vote of two-thirds oft/ic corporate authorities theiz holding office.” 3) GROUP CARE HOME City Code reference. 26-174 appeal of the Group Care Home Commission denial of a - license application, renewal application or revocation of a license. ‘. .may affirm by . majority vote, or may upon the affIrmative vote of five of seven of the membership of the city council reverse, w/zo fly or in part, or nzodif’, the action of the group care home commission. State Statute reference. None 4) VACATION City Code reference. 58-142 vacation of a street, alley or right-of-way. - upon an “. . . affirmath’e vote of three-fourths oft/ic membership of the city council qualified to vote on an ordinance. State Statute reference. 65 ILCS 5/11-91-1. “whenever the corporate authorities. vacate that street or alley, or part thereof, by ordinance this ordinance shall be passed . . . by the affirmative vote ofat least three—fourths oft/ic alderman, trustees or commissioners theiz holding office. 5) PLAT OF SUBDIVISION City Code reference. 62-52 planning and zoning board does not recommend approval - of any plat of subdivision. “. has been approved by two-thirds oft/ic members oft/ic . . city council then holding office.” State Statute reference. None 6) ZONING AMENDMENTS Zoning Ordinance. 5.6(F) amendments to zoning ordinance. — passed by an “. . . affirmatire vote of‘the city council, provided that an amendment shall not be passed except by an affirmative vote of five ‘5,) members oft/ic city council whenever a iritten petition protesting the proposed amendment. State Statute reference. 65 ILCS 5/11-13-14. In case of a written protest against any proposed amendment of the regulations or districts the amendment shall not be . . . passed except by a favorable vote of two-thirds oft/ic alderman or trustees off the municipality the ii holding office. 7, ZONING VARIATIONS Zoning Ordinance. 5.7(B)(3)(9) variations. — s/ia/i be granted by the city council, ‘. . . by ordinance, by an affirmative vote oft/ic city council, provided t/iat a variation s/ia/i not be passed except by an affirmative vote of five (5) members oft/ic city council whenever the board fails to recommend favorably . State Statute reference. 65 ILCS 5/11-13-10. In municipalities where a variation is to . . be made by ordinance, upon report of the board of appeals, the corporate authorities may adopt any proposed variation. which fails to receive the approval of the board of . . appeals shall not be passed except by the fhiorable vote of two-thirds of all alderman or trustees oft/ic municipality. City Attorney Evaluation The language in the City Code and Zoning Ordinance for extra majority is generally consistent with State Statute on the specific subject matter and likely was originally included in the City Code and Zoning Ordinance since the City had not yet gained Home Rule authority and was therefore required to follow State Statutes. The City Attorney has reviewed the cited statutes and concluded that none preempt the City’s Home Rule authority. The City Council therefore has the legal discretion to establish the voting requirements it deems appropriate. Evaluation of Percentage and Its Application The two central questions are identified below. Once the City Council decides whether extra majority voting is desired for each specific subject matter, the two variables that impact vote totals are the percentage desired for the extra majority vote and how the City Council defines what the percentage is applied against. I) Does the City Council desire to require an extra majority vote for any or all 7 categories listed; and 2) What specific language does the City Council desire for the extra majority vote, since the specific language can trigger different outcomes. The two phrases that impact voting is the percentage used and what the percentage is applied against. How these two variables are defined will have different outcomes. a. Percentage used Two-thirds (.666) and three-fourths (.75) are used — in both State Statute and our City code and Zoning Ordinance. In three of the sections, a specific number is called for— 5. b. Percentage applied against How this is specified can significantly - change the outcome. The most used phrase is “then holding office”, but “qualified to vote” is also used. Two thirds of members “qualified” and “then holding office” can lead to different outcomes. For example, if a council member steps down due to a conflict of interest a two thirds vote based upon “then holding office” would require 5 of the 6 members to vote in favor (.66 x 7 members holding office 4.6). However, if the two thirds vote was based upon those “qualified to vote” then 4 of the 6 members would be required (.66 x 6 members qualified to vote = 3.9). Conclusion Current City Code extra majority voting requirements match State Statute with percentage and applied against language for subject matters 1 and 2. Subject matters 3 and 5 do not have a corresponding State Statute reference. Percentage and/or applied against language for subject matters 4. 6 and 7 differ from State Statute. City Council direction is sought for the subject matters requiring extra majority, then the percentage and applied against language for the specific subject matter. MEMORANDUM TO: Record FROM: Susan Bishel, Public Relations Coordinator SUBJECT: April 10, 2017 City Council Planning Session Minutes DATE: April 13, 2017 CC: Mayor and City Council, City Manager, City Clerk, Department Heads The Planning Session took place in the Council Chambers, Wheaton City Hall, 303 W. Wesley St., Wheaton, Illinois. Those attending the Planning Session included: Mayor Gresk, Councilwoman Fitch, Councilman Prendiville, Councilman Rutledge, Councilman Saline, Councilman Scalzo and Councilman Suess. Also in attendance were City Manager Dzugan, Assistant City Manager Duguay, Director of Finance Lehnhardt and Director of Information Technology Michaelis. The session began at 7:05 p.m. following the conclusion of a public hearing and concluded at 7:42 p.m. The following items were discussed: I. Call to Order The Wheaton City Council Planning Session was called to order at 7:05 p.m. by Mayor Gresk. Mayor Gresk introduced guests in attendance visiting from Wheaton’s sister city of Karlskoga, Sweden. A hockey team from the sister city, along with coaches and staff from the city of Karlskoga, visited Wheaton, and City of Wheaton staff members met with their counterparts from Karlskoga to exchange ideas and learn about each other’s communities. Kalle Selander and Ylva Elofsson of Karlskoga thanked City of Wheaton officials and residents for their hospitality. II. Approval of Minutes – February 27, 2017 The Council approved the February 27, 2017 Planning Session Minutes. III. Public Comment There were no public comments. IV. I.T. Security Update Director of Information Technology Michaelis summarized the steps City staff recommends taking to comply with the security policy the Council adopted in January 2017. This will increase the security of the City’s systems and data. The Council will be receiving a recommended bid award for a network infrastructure replacement in the near future. This project would cost approximately $125,000 and would replace aging infrastructure that no longer meets the City’s security needs. Director of Information Technology Michaelis also recommended training staff members on data leak prevention, as nearly one-third of all data breaches are caused by individuals within an organization. Also, City staff recommends network segmentation, so that network breaches would not affect all of the City’s systems. The main focus would be separating the City’s Police Department networks from all other City networks. City staff also recommends establishing divisions of staff duties to ensure separate systems remain secure. Finally, City staff addressed challenges related to log collection and review, including the time and effort to perform these duties. City Manager Dzugan stated the City will be seeking the services of a technology firm to assist the City with cybersecurity. City staff will be recommending a firm that uses a risk-based approach to guide the City’s security management. In response to Council questions, Director of Information Technology Michaelis stated the City Council will be presented with two bids for their consideration. The first is a network infrastructure bid that would replace physical equipment such as switches, routers and firewalls. The other bid award would be for cybersecurity consulting services. In response to a Council question about whether the City should retain log files for a longer period of time, Director of Information Technology Michaelis stated the City meets mandated requirements for data retention, and extending the time frame for record retention would dramatically increase the City’s data storage needs. In response to Council questions about the amount of security awareness staff training that will be required, Director of Information Technology Michaelis stated many employees will need to take a 2-hour training session, but staff members in the Police and I.T. departments will need more intensive training. V. Voting Requirements/Extra Majority City Manager Dzugan stated in City staff’s efforts to re-codify the City Code, they identified five instances where extra majority voting is required and two sections in the Zoning Ordinance 4/10/17 Planning Session 2 where extra majority voting is required. The City Council requested City staff bring this to a Planning Session as a separate issue for discussion. City Manager Dzugan stated the City Attorney has advised that the Council has the discretion to determine if the extra majority requirements should remain or if the Council would like to change any or all of these instances. City staff sought the Council’s direction as to whether the subject matters should require an extra majority vote, and if so, what percentage should apply and what that percentage is applied against. Council members expressed an interest in requiring five votes for an extra majority. The Council expressed interest in requiring 5 members of the city Council for approval of contracts that are not competitively bid, vacating City property, and requests for annexation to the City. For votes involving group home care, plat of subdivision, zoning amendments, or zoning variations, the Council expressed interest in requiring a simple majority of Council members qualified to vote. The Council directed City staff to draft an ordinance for their formal consideration at an upcoming meeting. VI. City Council/Staff Comments Councilman Rutledge complimented the Wheaton Environmental Improvement Commission for doing an excellent job at its paper shredding event on April 8. Mayor Gresk encouraged people to attend the Environmental Improvement Commission’s Arbor Day tree planting on April 28 and Native Plant Sale April 29. He also encouraged residents to apply to be on a board or commission. Applications are on the City’s website or in the City Clerk’s Office. VII. Adjournment The meeting was adjourned at 7:42 p.m. 4/10/17 Planning Session 3 emorandum Michael G. Dzugan City Manager J TO: The Honorable Mayor and City Council DATE: April 6,2017 SUBJECT: Information Technology Security Update/Status Attached please find a memorandum from the Director of Information Technology, Chad Michaelis, regarding our past and future information security actions. I felt it beneficial for the City Council to receive an Information Technology security effort update/status, particularly since the City will be embarking on an effort to significantly upgrade our network infrastructure, and solidify a relationship with a cybersecurity consulting finn to guide and assist the staff with continued efforts for compliance with regulations and adherence of our information security program and policies. Chad will be at the April 10, 2017 Planning Session to review his memorandum and answer any questions. Attachment Copy: Director of Infonnation Technology City of Wheaton 303 W. Wesley Street Wheaton, IL 601 87-0727 630-260-2000 City of Wheaton, Illinois www.wheaton.il.us Date: April 6, 2017 To: Mike Dzugan, City Manager John Duguay, Assistant City Manager Bob Lehnhardt, Director of Finance From: Chad Michaelis, Director of Information Technology Re: Information Security In 2013, it became clear that the City needed to do more to ensure the security of its systems and data. In that year: • details were emerging on the cost and impact of the October 2012 cyber-attack on Naperville recovery took weeks and cost them at least $750,000 — • major breaches were reported by Facebook, The New York Times, Target, and the NSA (Snowden) • the Department of Justice and FBI began to seriously enforce the Criminal Justice Infonnation Services Security Policy (CJIS) this has come to be known as the “CJIS — Mandate” • we launched the City’s Enterprise Resource Planning project which we knew would result in a significant expansion of our online presence • we launched a project to replace the City’s water utility analog control system with a modem networked SCADA system • we launched a project to replace and expand the City’s video surveillance and door control systems with modem networked systems • the City’s financial auditors began conducting their own IT risk assessments and informally advised us to begin conducting our own risk assessments Past and Current Actions Seeking a cost-effective approach to accomplish a risk assessment, we were fortunate to find a respected security consultant who desired to establish a local government reference and offered to perform the work pro bono. We entered into a formal agreement with CzarkTek, Inc. and received their report in January 2014. The report found that “Wheaton’s IT organization is protecting information systems moderately well.. but made numerous recommendations which can be .“ summarized as follows: High Importance 1. Build and maintain an information security program with supporting policies, guidelines, and procedures for risk management, data classification, configuration and change management, and social networking. Wheaton City Hall 303 W. Wesley Street Wheaton, IL 60187-0727 630-260-2000 Fax 630-260-2017 TDD 630-260-8090 Mayor Michael J. Gresk City Manager Michael G. Dzugan — — (1t, Cni,r,rI — cii rir it,-h • Ir-ihr Priridii,IIo • Irihn Piitlidci • AI Thnrcrir Iinp • Tr,rlrl crI7n • Phil ccc Progress report: With assistance from Czartek and the City’s attorney’s we developed an Information Security Program and Policy with supporting standards, guidelines, and procedures. The Council formally adopted this program and policy on December 5, 2016. The Information Security Policy requires us to perfonri a risk assessment at least once every five years, provide ongoing training to all users, and to periodically review key controls, systems and procedures (frequency to be determined by the risk assessment). 2. Implement 24x7 security monitoring and intrusion detection for networks and servers. Progress report: In 2016, we implemented a cloud based intrusion prevention system for Internet facing servers, and we implemented a host based intrusion prevention system for on-premise servers. To further improve our protection, we will implement a network based intrusion prevention system when we replace our network infrastnicture, and we will enable remote alerting of IT staff, e.g., text messages, from the host and network based intrusion detection systems. A network infrastructure bid award is being prepared for Council approval. Allocating resources to implement a 24x7 monitoring program would be very costly and outweigh the benefit. We researched hosted and cloud based network monitoring options and they are prohibitively expensive ($30K to $50K annually). 3. Implement data leak prevention for networks, servers, and email. Progress report: In 2016, we completed our migration to Office 365, including email and most of our documents. This migration eliminated four on-premise servers. Office 365 has data leak prevention built-in. We currently monitor and block the sharing of email and documents containing social security numbers, driver’s license numbers, bank account numbers, and credit card numbers. We will implement controls to block access to unapproved cloud sharing services when we replace our network infrastructure. In the coming months, we will also re-train our employees to ensure that they are aware of our policies and the consequences of intentionally violating them. It is very difficult to completely prevent data leakage. We will improve our data leak prevention by training employees to classify their data in accordance with our draft Data Classification Standard. This will be time consuming for staff in all departments. Medium Importance 1. Complete CJIS, PCI, and HIPAA compliance projects. Progress report: In 2015, we completed risk and compliance assessments for CJIS, PCI, and HIPAA. We believe that we currently comply with all applicable regulatory requirements. In August 2016, we passed a State of Illinois CJIS Technical Security Audit. In October 2016, we submitted the required annual PCI-DSS self-assessment questionnaire (SAQ-C) confirming compliance with all applicable rules. The PCI-DSS standard requires us to perfonri quarterly vulnerability scans and semi-annual penetration tests. We conducted the required scans and tests in 2016 and we are on track to complete the required scans and tests this year. 2. Establish formal 3’ Party IT vendor management guidelines, including regulatory compliance checks. Progress report: With assistance from Czartek we drafted formal Vendor Management Guidelines. Full implementation of these guidelines is pending review by the City’s attorneys and reconciliation with the City’s purchasing policies. Our current practice is to require all IT contracts to be reviewed and approved by the City’s attorney, and to require all 3 rd Party IT vendors that store, process, or transmit Protected Data, to provide proof of regulatory compliance annually. 3. Develop incident response plans. Progress report: With assistance from Czartek we drafted an Incident Response Standard. This standard defines roles and requirements for incident preparation, detection, analysis, declaration, communication, containment, eradication, recovery, and closure. Full implementation of this standard is pending review by the City Manager and the City’s attorneys. Our current practice is to follow the draft standard. 4. Increase physical network segmentation. Progress report: The City’s existing network infrastructure physically segments high risk networks and servers, e.g., the Internet, SCADA, ETSB, video surveillance, door control, credit card processing, and wireless guest networks. The City’s internal networks are not physically segmented from each other, e.g., administrative desktop computers can communicate with servers that house Police applications and data. Logical security on the servers, applications, and data, prevent unauthorized access, but best practice is to block all unnecessary communications at the network level. If we physically segment administrative desktops from police servers, we can prevent malware on an administrative desktop from attacking a police server. Segmentation of police servers, applications, and data from other departments will require additional servers and higher-capacity firewalls. Full segmentation will require additional staff. It is my opinion that the costs of full segmentation substantially outweigh the benefits. Partial segmentation, such as blocking non-police desktops from communicating with sensitive police servers, is achievable but will be time consuming, complex, disruptive, and costly. Our new network infrastructure will be capable of physically segmenting internal networks. Implementation of increased segmentation is pending a careful assessment of risks, options, and costs. To maximize the security of our existing network, we have already conducted a Network Security Risk Assessment, a Network Security Controls Assessment, a Cisco Network Device Hardening Review, a Wireless Network Security Assessment, and a Firewall Rules Assessment. 5. Implement mobile device management/security. Progress report: In 2016, we completed our migration to Office 365, this included the implementation of mobile device management. The City now enforces policies that prevent mobile access from unauthorized devices, and ensure that authorized devices have not been rooted, encrypt all locally stored data, lock after a brief period of inactivity, and require a password to unlock. Best Practice or Regulatory Requirement I. Conduct employee security awareness training. Progress report: Police, IT, and Facilities employees and contractors have completed CJIS mandated security awareness training. Policy and awareness training is being developed for all employees and will be deLivered within the next few months. Ongoing training will be provided in the fonn of email advisories, annual cyber-security awareness month campaigns, and personal coaching. 2. Develop business continuity plans. Progress report: With assistance from Czartek we drafted a Business Continuity Planning Standard. Full implementation of this standard is pending reconciliation with the City’s Emergency Operations plan. The City does not currently have documented continuity plans for most its business functions and processes. Development and testing of business continuity plans will be time consuming for staff in all departments. 3. Regularly review logs of critical system events and sensitive data access. Progress report: With assistance from Czartek we drafted a Log Management Standard and a Daily Log Review Procedure. This standard has been implemented and the procedure is being followed. Daily log review is time consuming, and incurs a 365-day burden, including weekends and holidays, on IT staff. A Security Event and Incident Management (SEIM) system may reduce this burden, but at a prohibitive cost. 4. Increase separation of duties. Progress report: Best practices, and most compliance standards, require that individuals not be granted privileges that conflict with access and audit controls. For example, the individual responsible for administering application security should not also have rights to disable or delete the application audit logs. Given existing resources, it is a challenge to implement full separation of duties at the application level without severely impacting IT staff efficiency and service levels. Microsoft’s on-premise technologies make full separation of duties at the operating system level virtually impossible. The City has mitigated this risk by increasing its use of hosted and cloud based applications. Almost all of the City’s protected data is stored and processed in hosted or cloud based applications, e.g., Police records and dispatch systems are hosted by DuPage County and DuComm, emergency medical services patient records are hosted by Central DuPage Hospital, human resources and payroll data are hosted by Tyler Technologies Inc (ERP), and credit card transactions are hosted by GoVolution Inc. The City’s IT staff has little or no access to these hosted systems, and cannot disable or tamper with the audit logs in these applications. 5. Increase the duration of log retention. Progress report: The City stores one year of logs from critical systems that process CJIS, PCI, and HIPAA data. The HIPAA security rule requires entities to retain documentation of their compliance program for 6 years. Separately, it requires that entities implement mechanisms that record and examine activity in information systems that contain or use electronic protected health information. The HHS has not clarified whether audit logs fall within the scope of the retention requirement. The prevailing interpretation is that the retention requirement only applies to policies, procedures, and other more traditional documentation. Increasing the City’s log retention scope or duration would require costly additional licensing and storage. It is my opinion that increasing the duration of log retention is unnecessary. 6. Ensure custom software development includes security. Progress report: The City’s custom development is limited to a handful of simple interfaces between applications, e.g., importing bank ACH transactions into the ERP water utility billing system, exporting moving violation citations for transmission to IDOT, etc. Although these systems process and store Protected Data, they are protected by logical security controls and are physically segmented from high risk networks, e.g. the Internet. Given the low volume of development and the minimal risk of exposure, we are hesitant to invest time in developing formal policies and procedures for secure development. Also in 2013, the City joined the Multi-State Infoniiation Sharing and Analysis Center (MS-ISAC). MS-ISAC membership is free, and provides many benefits, including: • 24/7 incident response services • cyber security event notifications and advisories • educational events and materials • joint purchasing opportunities Future Actions — To ensure continued compliance with regulations and our Information Security Program and Policy, we requested formal bids for ongoing Cybersecurity Consulting Services. A cybersecurity consulting services bid award is being prepared for Council approval. These annual services include: • a risk assessment • two external vulnerability scans • two external penetration tests • one internal vulnerability scan • two PCI cardholder data environment penetration tests • one policy, standards. and guidelines review • on-demand advisory services for remediation, incident response, training, policy development, and systems selection and implementation In addition, we have subscribed to automated services for: • monthly external vulnerability scans • quarterly internal PCI cardholder data environment vulnerability scans • point of sale system file integrity monitoring In summary, the City has taken reasonable actions to protect the integrity, availability, and confidentiality of its systems and sensitive data. Based on discussions with other local government IT leaders, and data from the MS-ISAC Nationwide Cyber Security Review, we are ahead of our peers. However, security is a process, not a product. There will always be more to do. My greatest concerns going forward are: 1. Completing the network infrastructure replacement project, including cloud application control and network based intrusion detection and alerting. 2. Improving our data leak prevention measures, including implementing the Data Classification Standard. 3. Implementing the appropriate level of network segmentation based on our risk tolerance. 4. Conducting initial security awareness training sessions for all employees, and initiating ongoing security awareness communications. 5. Developing business continuity plans for critical business functions and processes in every department. 6. Reducing the burden of log collection and daily review. 7. Implementing the appropriate level of separation of duties based on our risk tolerance. 8. Selecting a cybersecurity consultant and continuing our assessment, scanning, and testing regimens. MEMORANDUM TO: Record FROM: Susan Bishel, Public Relations Coordinator SUBJECT: Feb. 27, 2017 City Council Planning Session Minutes DATE: Feb. 28, 2017 CC: Mayor and City Council, City Manager, City Clerk, Department Heads The Planning Session took place in the Council Chambers, Wheaton City Hall, 303 W. Wesley St., Wheaton, Illinois. Those attending the Planning Session included: MayorG.resk, Councilwoman Fitch, Councilman Prendiville, Councilman Rutledge Councilman Saline, Councilman Scalzo and Councilman Suess Also in attendance were City Manager Dzugan A’siant City Manager Duguay, Director of Planning & Economic Development Kozik, bW tor f Public Works Laoang, Director of Finance Lehnhardt, Director of Engineering Redma, 1 Seriq Project Engineer Lagvankar Water Superintendent McMillen, Streets Sup tikent Wkefield Public Works Administrative Superintendent Wallace Managemerrtern owlke and Public Relations Coordinator Bishel The session began at 7 00 p m and conducted at 8 00 p m The following items were discussed: I. Call to Order The Wheaton City Council Planning Session was called to order at 7:00 p.m. by Mayor Gresk. II. Approval of February 13, 2017 Planning Session Minutes The Council approved the February 13, 2017 Planning Session Minutes. III. Public Comrnents There were no public c en% IV. qcra Streetlight LED Replacement Public Works Administrative Superintendent Wallace stated the Public Works Department has replaced 82 incndescent City streetlights in the past two years with LED streetlights. The neighborhood streetlights the City replaced had become obsolete, and replacing them with LED fixtures reduced the amount of energy used by about one-half, also providing substantial savings in energy costs. The City has learned of a state grant opportunity that would assist the City in replacing 553 Cobra streetlights, and the funding incentive is doubled for projects that can be completed in the next few months. The model of streetlights the City would like to use are the same type that CornEd has recently used to replace some of its streetlights in Wheaton. In response to Council questions, Public Works Administrative Superintendent Wallace stated the color temperature of the LED fixtures is slightly more blue than the incandescent lights that are currently used. She stated the lights proposed for replacement are on portions of parts of President, Manchester, Wiesbrook, East and West Loop Road, Scottsdale, and North Main Street. The City’s total investment in this project would be $117,000, and the City estimates the investment would be paid back in 3 years due to the energy cost savings the City will realize. In response to Council questions Public Works Administrative Superintendent aBa tated the fixtures would be under warrantee for 10 years but the fixtures lif expectancy is at east 20 years Street Superintendent Wakefield stated maintenance costs would also be decreased because with the incandescent fixtures the City has to maintain the ballast and the light but the LED fixtures do not require the same level of maintenance In response to Council questions about whether the City couId replace more lights Street Superintendent Wakefield stated the proposed project would replace all of the City-maintained Cobra fixtures except for those on Roosevelt Road The.çit does not believe replacing the lights on Roosevelt Road would be feasible for this gr t’the Illinois Department of Transportation would require the City to have engineering stu’ ore prior to replacing lights on Roosevelt Road. The City is unsure if grant money will be a ila after May 8. City Manager Dzugan stated this is a federally-funded project, and the City has already been pre-approved by the state for this project. The City Council expressed interest in proceeding with this project and directed City staff to place the item on the March 6 City Council meeting agenda for the Cocil’s forrriál consideration. V Five-Year tapital Improvement Program Assistant City l4aiager Duguay presented an overview of the Five-Year Capital Improvement Program (CIP, ich ity staff is creating as a long-term planning tool tied to the City Council s goals’ of fundikcapital project needs and providing reliable infrastructure systems that support the community xpectations The CIP will provide a methodical and strategic process to plan projects, prioritize them and plan for their funding. Assistant City Manager Duguay stated the projects were divided into the categories of new, replacement or maintenance. He also reviewed some of the recent infrastructure studies the City has done, which have allowed the City to develop long-term plans and determine funding needs. 2/27/17 Planning Session 2 Assistant City Manager Duguay reviewed the steps the City staff has taken to produce the CIP, which included working with each department to identify their capital needs. Director of Finance Lehnhardt reviewed the project categories that staff identified, including different types of infrastructure improvements, facility improvements and more. In terms of funding the capital projects, Director of Finance Lehnhardt stated staff is still developing funding strategies. Some of the options the City could consider are pay-as-you-go financing, debt financing, using the City’s existing funding sources (such as property taxes), and funding for capital projects. I Director of Finance Lehnhardt reviewed the City’s main funds, including the General Fund, capital projects funds, motor fuel tax fund, TIF District funds, debt service fund, enterprise funds and replacement funds. In response to a Council question regarding the a t the City has spent in the past two years that are considered capital improvement projects. Cit Managugan stated this amount is approximately $12 million. Director of Finance Lehnhardt revi projects by type and by proposed funding source. The majority of the projects are related to infrastructure. In response to a Council question Director of Finance Lehnhardt stated the projects beyond the first two years could not be cqmpleted ithout additional funding allotted. City Manager uga a while the City has identified the projects that staff recommend the City addres6er the ned’iie years staff is still developing the suggested funding for future projects Thtoundi can work to decrease operating expenses increase revenues reduce the amORflt of’projects, or some combination of these. Assistant City r’4nager Duguay showed examples of the worksheets staff is using for CIP projects. The worksheets include justification for the project, immediate and future impacts on the City’s budget, and factors to help staff determine if the project needs immediate action. They also include criteria to help staff prioritize projects using a scoring system. In response to Council questions about projects that require immediate action, Assistant City Manager Duguay stated between 10% and 20% of CIP projects were classified as needing immediate action. 2/27/17 Planning Session 3 City Manager Dzugan noted that no major stormwater projects are included in this plan, as City staff still needs to complete stormwater studies before being able to create a plan for how to proceed. City Manager Dzugan stated an updated CIP will be presented to the Council every year in conjunction with the annual budget review process. VI. City Council/Staff Comments City Manager Dzugan recognized the City’s Management Intern Brandon Kowalke for receiving Northern Illinois University’s intern of the year award. r E 54 VII. Adjournment The meeting was adjourned at 8:00 p.m. 2/27/17 Planning Session 4