City Council Planning Sessions
Regular MeetingWheaton, IL · April 10, 2017
Minutes
MEMORANDUM
TO: Record
FROM: Susan Bishel, Public Relations Coordinator
SUBJECT: April 10, 2017 City Council Planning Session Minutes
DATE: April 13, 2017
CC: Mayor and City Council, City Manager, City Clerk, Department Heads
The Planning Session took place in the Council Chambers, Wheaton City Hall, 303 W. Wesley St.,
Wheaton, Illinois. Those attending the Planning Session included: Mayor Gresk, Councilwoman
Fitch, Councilman Prendiville, Councilman Rutledge, Councilman Saline, Councilman Scalzo and
Councilman Suess. Also in attendance were City Manager Dzugan, Assistant City Manager
Duguay, Director of Finance Lehnhardt and Director of Information Technology Michaelis. The
session began at 7:05 p.m. following the conclusion of a public hearing and concluded at 7:42
p.m. The following items were discussed:
I. Call to Order
The Wheaton City Council Planning Session was called to order at 7:05 p.m. by Mayor Gresk.
Mayor Gresk introduced guests in attendance visiting from Wheaton’s sister city of Karlskoga,
Sweden. A hockey team from the sister city, along with coaches and staff from the city of
Karlskoga, visited Wheaton, and City of Wheaton staff members met with their counterparts
from Karlskoga to exchange ideas and learn about each other’s communities. Kalle Selander and
Ylva Elofsson of Karlskoga thanked City of Wheaton officials and residents for their hospitality.
II. Approval of Minutes – February 27, 2017
The Council approved the February 27, 2017 Planning Session Minutes.
III. Public Comment
There were no public comments.
IV. I.T. Security Update
Director of Information Technology Michaelis summarized the steps City staff recommends
taking to comply with the security policy the Council adopted in January 2017. This will increase
the security of the City’s systems and data.
The Council will be receiving a recommended bid award for a network infrastructure
replacement in the near future. This project would cost approximately $125,000 and would
replace aging infrastructure that no longer meets the City’s security needs.
Director of Information Technology Michaelis also recommended training staff members on
data leak prevention, as nearly one-third of all data breaches are caused by individuals within an
organization.
Also, City staff recommends network segmentation, so that network breaches would not affect
all of the City’s systems. The main focus would be separating the City’s Police Department
networks from all other City networks. City staff also recommends establishing divisions of staff
duties to ensure separate systems remain secure.
Finally, City staff addressed challenges related to log collection and review, including the time
and effort to perform these duties.
City Manager Dzugan stated the City will be seeking the services of a technology firm to assist
the City with cybersecurity. City staff will be recommending a firm that uses a risk-based
approach to guide the City’s security management.
In response to Council questions, Director of Information Technology Michaelis stated the City
Council will be presented with two bids for their consideration. The first is a network
infrastructure bid that would replace physical equipment such as switches, routers and firewalls.
The other bid award would be for cybersecurity consulting services.
In response to a Council question about whether the City should retain log files for a longer
period of time, Director of Information Technology Michaelis stated the City meets mandated
requirements for data retention, and extending the time frame for record retention would
dramatically increase the City’s data storage needs.
In response to Council questions about the amount of security awareness staff training that will
be required, Director of Information Technology Michaelis stated many employees will need to
take a 2-hour training session, but staff members in the Police and I.T. departments will need
more intensive training.
V. Voting Requirements/Extra Majority
City Manager Dzugan stated in City staff’s efforts to re-codify the City Code, they identified five
instances where extra majority voting is required and two sections in the Zoning Ordinance
4/10/17 Planning Session 2
where extra majority voting is required. The City Council requested City staff bring this to a
Planning Session as a separate issue for discussion. City Manager Dzugan stated the City
Attorney has advised that the Council has the discretion to determine if the extra majority
requirements should remain or if the Council would like to change any or all of these instances.
City staff sought the Council’s direction as to whether the subject matters should require an
extra majority vote, and if so, what percentage should apply and what that percentage is applied
against.
Council members expressed an interest in requiring five votes for an extra majority. The Council
expressed interest in requiring 5 members of the city Council for approval of contracts that are
not competitively bid, vacating City property, and requests for annexation to the City.
For votes involving group home care, plat of subdivision, zoning amendments, or zoning
variations, the Council expressed interest in requiring a simple majority of Council members
qualified to vote. The Council directed City staff to draft an ordinance for their formal
consideration at an upcoming meeting.
VI. City Council/Staff Comments
Councilman Rutledge complimented the Wheaton Environmental Improvement Commission for
doing an excellent job at its paper shredding event on April 8.
Mayor Gresk encouraged people to attend the Environmental Improvement Commission’s Arbor
Day tree planting on April 28 and Native Plant Sale April 29. He also encouraged residents to
apply to be on a board or commission. Applications are on the City’s website or in the City
Clerk’s Office.
VII. Adjournment
The meeting was adjourned at 7:42 p.m.
4/10/17 Planning Session 3
Agenda
1. City Council Planning Agenda
Documents:
2017-04-10 CITY COUNCIL PLANNING AGENDA.PDF
2. City Council Planning Voting Requirements-Extra Majority Ps05
Documents:
2017-04-10 CITY COUNCIL PLANNING VOTING REQUIREMENTS-EXTRA
MAJORITY PS05.PDF
3. City Council Planning Minutes
Documents:
2017-04-10 CITY COUNCIL PLANNING MINUTES.PDF
4. City Council Planning I.T. Security Update Ps04
Documents:
2017-04-10 CITY COUNCIL PLANNING I.T. SECURITY UPDATE PS04.PDF
5. City Council Planning Draft 2017-02-27 Minutes Ps02
Documents:
2017-04-10 CITY COUNCIL PLANNING DRAFT 2017-02-27 MINUTES PS02.PDF
WHEATON CITY COUNCIL PLANNING SESSION
WHEATON CITY HALL – COUNCIL CHAMBERS
303 W. WESLEY STREET, WHEATON, ILLINOIS
MONDAY, APRIL 10, 2017 - 7:00 P.M. *
AGENDA
I. Call to Order
II. Approval of Minutes – February 27, 2017
III. Public Comment
IV. I.T. Security Update
V. Voting Requirements/Extra Majority
VI. City Council/Staff Comments
VII. Adjournment
During the Public Comment portion of the agenda, the presiding officer shall recognize any
person requesting to be heard on any of the planning session agenda items only. Persons speaking
during Public Comment shall not speak longer than three (3) minutes and shall be permitted to
speak only once.
Visitors must remain quiet and not engage in behavior that interferes with the Planning Session.
The presiding officer may, or upon a majority vote of the council, request any visitor who violates
any provision of this paragraph to leave the council chambers, and such visitor shall thereupon
leave.
Any person providing public comment shall address the presiding officer only and shall not
proceed with remarks until recognized. When recognized, the person shall state his or her name
and address. Cross floor discussions are prohibited. If a member of the City Council has questions
of any person who has provided public comment, that person may address the specific question.
* The Planning Session will commence immediately following the City Council
Public Hearing Scheduled for 7:00 p.m.
emorandum MichaelG.Dzugan
City Manager ,,
TO: The Honorable Mayor and City Council
DATE: March 30, 2017
SUBJECT: Voting Requirements/Extra Majority
During the recodification of the City Code, several sections where specific extra majority voting
requirements were noted and deferred by the City Council for further discussion. Also, the
Zoning Ordinance has two sections where extra majority voting requirements are set forth.
Provided below are the pertinent sections of City Code and Zoning Ordinance, and
corresponding State Statute, if applicable.
1) CONTRACTS
City Code reference. 2-142 (7)(a) City Manager, Powers and Duties contracts not
- -
adapted to award by competitive bidding. authorized by a vote ofPvo-thirds o/’all
‘. . .
the council members then holding office.
State Statute reference. 65 ILCS 5/8-9-1. “...any work . when the expense thereof
. .
will exceed $20,000, shall be constructed either (I) by a contract let to the lowest
responsible bidder after advertising for bids, in the manner prescribed by ordinance,
except that any such contract may be entered into by the proper officers without
advertising for bids, ifauthorized by a vote ofhvo-thirds ofall the aldermen or trustees
then holding office; . .
2) ANNEXATION
City Code reference. 18-6 Annexation.
— authorized by an ordinance passed by a
“. . .
vote ofvo-thirds oft/ic members oft/ic city council theim holding office.
State Statute reference. 65 ILCS 5/1 1-15.1-3. “The annexation agreement or amendment
shall be executed by. upon the adoption of a resolution or ordinance directing such
. .
execution, which resolution or ordinance must be passed by a vote of two-thirds oft/ic
corporate authorities theiz holding office.”
3) GROUP CARE HOME
City Code reference. 26-174 appeal of the Group Care Home Commission denial of a
-
license application, renewal application or revocation of a license. ‘. .may affirm by
.
majority vote, or may upon the affIrmative vote of five of seven of the membership of the
city council reverse, w/zo fly or in part, or nzodif’, the action of the group care home
commission.
State Statute reference. None
4) VACATION
City Code reference. 58-142 vacation of a street, alley or right-of-way.
-
upon an “. . .
affirmath’e vote of three-fourths oft/ic membership of the city council qualified to vote
on an ordinance.
State Statute reference. 65 ILCS 5/11-91-1. “whenever the corporate authorities.
vacate that street or alley, or part thereof, by ordinance this ordinance shall be passed
. . .
by the affirmative vote ofat least three—fourths oft/ic alderman, trustees or
commissioners theiz holding office.
5) PLAT OF SUBDIVISION
City Code reference. 62-52 planning and zoning board does not recommend approval
-
of any plat of subdivision. “. has been approved by two-thirds oft/ic members oft/ic
. .
city council then holding office.”
State Statute reference. None
6) ZONING AMENDMENTS
Zoning Ordinance. 5.6(F) amendments to zoning ordinance.
—
passed by an “. . .
affirmatire vote of‘the city council, provided that an amendment shall not be passed
except by an affirmative vote of five ‘5,) members oft/ic city council whenever a iritten
petition protesting the proposed amendment.
State Statute reference. 65 ILCS 5/11-13-14. In case of a written protest against any
proposed amendment of the regulations or districts the amendment shall not be
. . .
passed except by a favorable vote of two-thirds oft/ic alderman or trustees off the
municipality the ii holding office.
7, ZONING VARIATIONS
Zoning Ordinance. 5.7(B)(3)(9) variations. —
s/ia/i be granted by the city council,
‘. . .
by ordinance, by an affirmative vote oft/ic city council, provided t/iat a variation s/ia/i
not be passed except by an affirmative vote of five (5) members oft/ic city council
whenever the board fails to recommend favorably .
State Statute reference. 65 ILCS 5/11-13-10. In municipalities where a variation is to . .
be made by ordinance, upon report of the board of appeals, the corporate authorities
may adopt any proposed variation. which fails to receive the approval of the board of
. .
appeals shall not be passed except by the fhiorable vote of two-thirds of all alderman or
trustees oft/ic municipality.
City Attorney Evaluation
The language in the City Code and Zoning Ordinance for extra majority is generally consistent
with State Statute on the specific subject matter and likely was originally included in the City
Code and Zoning Ordinance since the City had not yet gained Home Rule authority and was
therefore required to follow State Statutes. The City Attorney has reviewed the cited statutes and
concluded that none preempt the City’s Home Rule authority. The City Council therefore has
the legal discretion to establish the voting requirements it deems appropriate.
Evaluation of Percentage and Its Application
The two central questions are identified below. Once the City Council decides whether extra
majority voting is desired for each specific subject matter, the two variables that impact vote
totals are the percentage desired for the extra majority vote and how the City Council defines
what the percentage is applied against.
I) Does the City Council desire to require an extra majority vote for any or all 7
categories listed; and
2) What specific language does the City Council desire for the extra majority
vote, since the specific language can trigger different outcomes. The two
phrases that impact voting is the percentage used and what the percentage is
applied against. How these two variables are defined will have different
outcomes.
a. Percentage used Two-thirds (.666) and three-fourths (.75) are used
—
in both State Statute and our City code and Zoning Ordinance. In
three of the sections, a specific number is called for— 5.
b. Percentage applied against How this is specified can significantly
-
change the outcome. The most used phrase is “then holding office”,
but “qualified to vote” is also used. Two thirds of members
“qualified” and “then holding office” can lead to different outcomes.
For example, if a council member steps down due to a conflict of
interest a two thirds vote based upon “then holding office” would
require 5 of the 6 members to vote in favor (.66 x 7 members holding
office 4.6). However, if the two thirds vote was based upon those
“qualified to vote” then 4 of the 6 members would be required (.66 x 6
members qualified to vote = 3.9).
Conclusion
Current City Code extra majority voting requirements match State Statute with percentage and
applied against language for subject matters 1 and 2. Subject matters 3 and 5 do not have a
corresponding State Statute reference. Percentage and/or applied against language for subject
matters 4. 6 and 7 differ from State Statute. City Council direction is sought for the subject
matters requiring extra majority, then the percentage and applied against language for the
specific subject matter.
MEMORANDUM
TO: Record
FROM: Susan Bishel, Public Relations Coordinator
SUBJECT: April 10, 2017 City Council Planning Session Minutes
DATE: April 13, 2017
CC: Mayor and City Council, City Manager, City Clerk, Department Heads
The Planning Session took place in the Council Chambers, Wheaton City Hall, 303 W. Wesley St.,
Wheaton, Illinois. Those attending the Planning Session included: Mayor Gresk, Councilwoman
Fitch, Councilman Prendiville, Councilman Rutledge, Councilman Saline, Councilman Scalzo and
Councilman Suess. Also in attendance were City Manager Dzugan, Assistant City Manager
Duguay, Director of Finance Lehnhardt and Director of Information Technology Michaelis. The
session began at 7:05 p.m. following the conclusion of a public hearing and concluded at 7:42
p.m. The following items were discussed:
I. Call to Order
The Wheaton City Council Planning Session was called to order at 7:05 p.m. by Mayor Gresk.
Mayor Gresk introduced guests in attendance visiting from Wheaton’s sister city of Karlskoga,
Sweden. A hockey team from the sister city, along with coaches and staff from the city of
Karlskoga, visited Wheaton, and City of Wheaton staff members met with their counterparts
from Karlskoga to exchange ideas and learn about each other’s communities. Kalle Selander and
Ylva Elofsson of Karlskoga thanked City of Wheaton officials and residents for their hospitality.
II. Approval of Minutes – February 27, 2017
The Council approved the February 27, 2017 Planning Session Minutes.
III. Public Comment
There were no public comments.
IV. I.T. Security Update
Director of Information Technology Michaelis summarized the steps City staff recommends
taking to comply with the security policy the Council adopted in January 2017. This will increase
the security of the City’s systems and data.
The Council will be receiving a recommended bid award for a network infrastructure
replacement in the near future. This project would cost approximately $125,000 and would
replace aging infrastructure that no longer meets the City’s security needs.
Director of Information Technology Michaelis also recommended training staff members on
data leak prevention, as nearly one-third of all data breaches are caused by individuals within an
organization.
Also, City staff recommends network segmentation, so that network breaches would not affect
all of the City’s systems. The main focus would be separating the City’s Police Department
networks from all other City networks. City staff also recommends establishing divisions of staff
duties to ensure separate systems remain secure.
Finally, City staff addressed challenges related to log collection and review, including the time
and effort to perform these duties.
City Manager Dzugan stated the City will be seeking the services of a technology firm to assist
the City with cybersecurity. City staff will be recommending a firm that uses a risk-based
approach to guide the City’s security management.
In response to Council questions, Director of Information Technology Michaelis stated the City
Council will be presented with two bids for their consideration. The first is a network
infrastructure bid that would replace physical equipment such as switches, routers and firewalls.
The other bid award would be for cybersecurity consulting services.
In response to a Council question about whether the City should retain log files for a longer
period of time, Director of Information Technology Michaelis stated the City meets mandated
requirements for data retention, and extending the time frame for record retention would
dramatically increase the City’s data storage needs.
In response to Council questions about the amount of security awareness staff training that will
be required, Director of Information Technology Michaelis stated many employees will need to
take a 2-hour training session, but staff members in the Police and I.T. departments will need
more intensive training.
V. Voting Requirements/Extra Majority
City Manager Dzugan stated in City staff’s efforts to re-codify the City Code, they identified five
instances where extra majority voting is required and two sections in the Zoning Ordinance
4/10/17 Planning Session 2
where extra majority voting is required. The City Council requested City staff bring this to a
Planning Session as a separate issue for discussion. City Manager Dzugan stated the City
Attorney has advised that the Council has the discretion to determine if the extra majority
requirements should remain or if the Council would like to change any or all of these instances.
City staff sought the Council’s direction as to whether the subject matters should require an
extra majority vote, and if so, what percentage should apply and what that percentage is applied
against.
Council members expressed an interest in requiring five votes for an extra majority. The Council
expressed interest in requiring 5 members of the city Council for approval of contracts that are
not competitively bid, vacating City property, and requests for annexation to the City.
For votes involving group home care, plat of subdivision, zoning amendments, or zoning
variations, the Council expressed interest in requiring a simple majority of Council members
qualified to vote. The Council directed City staff to draft an ordinance for their formal
consideration at an upcoming meeting.
VI. City Council/Staff Comments
Councilman Rutledge complimented the Wheaton Environmental Improvement Commission for
doing an excellent job at its paper shredding event on April 8.
Mayor Gresk encouraged people to attend the Environmental Improvement Commission’s Arbor
Day tree planting on April 28 and Native Plant Sale April 29. He also encouraged residents to
apply to be on a board or commission. Applications are on the City’s website or in the City
Clerk’s Office.
VII. Adjournment
The meeting was adjourned at 7:42 p.m.
4/10/17 Planning Session 3
emorandum Michael G. Dzugan
City Manager
J
TO: The Honorable Mayor and City Council
DATE: April 6,2017
SUBJECT: Information Technology Security Update/Status
Attached please find a memorandum from the Director of Information Technology, Chad
Michaelis, regarding our past and future information security actions.
I felt it beneficial for the City Council to receive an Information Technology security effort
update/status, particularly since the City will be embarking on an effort to significantly upgrade
our network infrastructure, and solidify a relationship with a cybersecurity consulting finn to
guide and assist the staff with continued efforts for compliance with regulations and adherence of
our information security program and policies.
Chad will be at the April 10, 2017 Planning Session to review his memorandum and answer any
questions.
Attachment
Copy: Director of Infonnation Technology
City of Wheaton
303 W. Wesley Street
Wheaton, IL 601 87-0727
630-260-2000
City of Wheaton, Illinois www.wheaton.il.us
Date: April 6, 2017
To: Mike Dzugan, City Manager
John Duguay, Assistant City Manager
Bob Lehnhardt, Director of Finance
From: Chad Michaelis, Director of Information Technology
Re: Information Security
In 2013, it became clear that the City needed to do more to ensure the security of its systems and
data. In that year:
• details were emerging on the cost and impact of the October 2012 cyber-attack on
Naperville recovery took weeks and cost them at least $750,000
—
• major breaches were reported by Facebook, The New York Times, Target, and the NSA
(Snowden)
• the Department of Justice and FBI began to seriously enforce the Criminal Justice
Infonnation Services Security Policy (CJIS) this has come to be known as the “CJIS
—
Mandate”
• we launched the City’s Enterprise Resource Planning project which we knew would result in
a significant expansion of our online presence
• we launched a project to replace the City’s water utility analog control system with a
modem networked SCADA system
• we launched a project to replace and expand the City’s video surveillance and door control
systems with modem networked systems
• the City’s financial auditors began conducting their own IT risk assessments and informally
advised us to begin conducting our own risk assessments
Past and Current Actions
Seeking a cost-effective approach to accomplish a risk assessment, we were fortunate to find a
respected security consultant who desired to establish a local government reference and offered to
perform the work pro bono. We entered into a formal agreement with CzarkTek, Inc. and received
their report in January 2014. The report found that “Wheaton’s IT organization is protecting
information systems moderately well.. but made numerous recommendations which can be
.“
summarized as follows:
High Importance
1. Build and maintain an information security program with supporting policies, guidelines,
and procedures for risk management, data classification, configuration and change
management, and social networking.
Wheaton City Hall 303 W. Wesley Street Wheaton, IL 60187-0727
630-260-2000 Fax 630-260-2017 TDD 630-260-8090
Mayor Michael J. Gresk City Manager Michael G. Dzugan
— —
(1t, Cni,r,rI — cii rir it,-h • Ir-ihr Priridii,IIo • Irihn Piitlidci • AI Thnrcrir Iinp • Tr,rlrl crI7n • Phil ccc
Progress report: With assistance from Czartek and the City’s attorney’s we developed an
Information Security Program and Policy with supporting standards, guidelines, and
procedures. The Council formally adopted this program and policy on December 5, 2016.
The Information Security Policy requires us to perfonri a risk assessment at least once every
five years, provide ongoing training to all users, and to periodically review key controls,
systems and procedures (frequency to be determined by the risk assessment).
2. Implement 24x7 security monitoring and intrusion detection for networks and servers.
Progress report: In 2016, we implemented a cloud based intrusion prevention system for
Internet facing servers, and we implemented a host based intrusion prevention system for
on-premise servers. To further improve our protection, we will implement a network based
intrusion prevention system when we replace our network infrastnicture, and we will enable
remote alerting of IT staff, e.g., text messages, from the host and network based intrusion
detection systems. A network infrastructure bid award is being prepared for Council
approval. Allocating resources to implement a 24x7 monitoring program would be
very costly and outweigh the benefit. We researched hosted and cloud based network
monitoring options and they are prohibitively expensive ($30K to $50K annually).
3. Implement data leak prevention for networks, servers, and email.
Progress report: In 2016, we completed our migration to Office 365, including email and
most of our documents. This migration eliminated four on-premise servers. Office 365 has
data leak prevention built-in. We currently monitor and block the sharing of email and
documents containing social security numbers, driver’s license numbers, bank account
numbers, and credit card numbers. We will implement controls to block access to
unapproved cloud sharing services when we replace our network infrastructure. In the
coming months, we will also re-train our employees to ensure that they are aware of our
policies and the consequences of intentionally violating them. It is very difficult to
completely prevent data leakage. We will improve our data leak prevention by
training employees to classify their data in accordance with our draft Data
Classification Standard. This will be time consuming for staff in all departments.
Medium Importance
1. Complete CJIS, PCI, and HIPAA compliance projects.
Progress report: In 2015, we completed risk and compliance assessments for CJIS, PCI, and
HIPAA. We believe that we currently comply with all applicable regulatory requirements.
In August 2016, we passed a State of Illinois CJIS Technical Security Audit. In October
2016, we submitted the required annual PCI-DSS self-assessment questionnaire (SAQ-C)
confirming compliance with all applicable rules. The PCI-DSS standard requires us to
perfonri quarterly vulnerability scans and semi-annual penetration tests. We conducted the
required scans and tests in 2016 and we are on track to complete the required scans and tests
this year.
2. Establish formal 3’ Party IT vendor management guidelines, including regulatory
compliance checks.
Progress report: With assistance from Czartek we drafted formal Vendor Management
Guidelines. Full implementation of these guidelines is pending review by the City’s
attorneys and reconciliation with the City’s purchasing policies. Our current practice is to
require all IT contracts to be reviewed and approved by the City’s attorney, and to require all
3
rd
Party IT vendors that store, process, or transmit Protected Data, to provide proof of
regulatory compliance annually.
3. Develop incident response plans.
Progress report: With assistance from Czartek we drafted an Incident Response Standard.
This standard defines roles and requirements for incident preparation, detection, analysis,
declaration, communication, containment, eradication, recovery, and closure. Full
implementation of this standard is pending review by the City Manager and the City’s
attorneys. Our current practice is to follow the draft standard.
4. Increase physical network segmentation.
Progress report: The City’s existing network infrastructure physically segments high risk
networks and servers, e.g., the Internet, SCADA, ETSB, video surveillance, door control,
credit card processing, and wireless guest networks. The City’s internal networks are not
physically segmented from each other, e.g., administrative desktop computers can
communicate with servers that house Police applications and data. Logical security on the
servers, applications, and data, prevent unauthorized access, but best practice is to block all
unnecessary communications at the network level. If we physically segment administrative
desktops from police servers, we can prevent malware on an administrative desktop from
attacking a police server. Segmentation of police servers, applications, and data from other
departments will require additional servers and higher-capacity firewalls. Full segmentation
will require additional staff. It is my opinion that the costs of full segmentation
substantially outweigh the benefits. Partial segmentation, such as blocking non-police
desktops from communicating with sensitive police servers, is achievable but will be time
consuming, complex, disruptive, and costly. Our new network infrastructure will be capable
of physically segmenting internal networks. Implementation of increased segmentation is
pending a careful assessment of risks, options, and costs. To maximize the security of our
existing network, we have already conducted a Network Security Risk Assessment, a
Network Security Controls Assessment, a Cisco Network Device Hardening Review, a
Wireless Network Security Assessment, and a Firewall Rules Assessment.
5. Implement mobile device management/security.
Progress report: In 2016, we completed our migration to Office 365, this included the
implementation of mobile device management. The City now enforces policies that prevent
mobile access from unauthorized devices, and ensure that authorized devices have not been
rooted, encrypt all locally stored data, lock after a brief period of inactivity, and require a
password to unlock.
Best Practice or Regulatory Requirement
I. Conduct employee security awareness training.
Progress report: Police, IT, and Facilities employees and contractors have completed CJIS
mandated security awareness training. Policy and awareness training is being developed
for all employees and will be deLivered within the next few months. Ongoing training
will be provided in the fonn of email advisories, annual cyber-security awareness month
campaigns, and personal coaching.
2. Develop business continuity plans.
Progress report: With assistance from Czartek we drafted a Business Continuity Planning
Standard. Full implementation of this standard is pending reconciliation with the City’s
Emergency Operations plan. The City does not currently have documented continuity
plans for most its business functions and processes. Development and testing of business
continuity plans will be time consuming for staff in all departments.
3. Regularly review logs of critical system events and sensitive data access.
Progress report: With assistance from Czartek we drafted a Log Management Standard and a
Daily Log Review Procedure. This standard has been implemented and the procedure is
being followed. Daily log review is time consuming, and incurs a 365-day burden,
including weekends and holidays, on IT staff. A Security Event and Incident
Management (SEIM) system may reduce this burden, but at a prohibitive cost.
4. Increase separation of duties.
Progress report: Best practices, and most compliance standards, require that individuals not
be granted privileges that conflict with access and audit controls. For example, the
individual responsible for administering application security should not also have rights to
disable or delete the application audit logs. Given existing resources, it is a challenge to
implement full separation of duties at the application level without severely impacting
IT staff efficiency and service levels. Microsoft’s on-premise technologies make full
separation of duties at the operating system level virtually impossible. The City has
mitigated this risk by increasing its use of hosted and cloud based applications. Almost all
of the City’s protected data is stored and processed in hosted or cloud based applications,
e.g., Police records and dispatch systems are hosted by DuPage County and DuComm,
emergency medical services patient records are hosted by Central DuPage Hospital, human
resources and payroll data are hosted by Tyler Technologies Inc (ERP), and credit card
transactions are hosted by GoVolution Inc. The City’s IT staff has little or no access to these
hosted systems, and cannot disable or tamper with the audit logs in these applications.
5. Increase the duration of log retention.
Progress report: The City stores one year of logs from critical systems that process CJIS,
PCI, and HIPAA data. The HIPAA security rule requires entities to retain documentation of
their compliance program for 6 years. Separately, it requires that entities implement
mechanisms that record and examine activity in information systems that contain or use
electronic protected health information. The HHS has not clarified whether audit logs fall
within the scope of the retention requirement. The prevailing interpretation is that the
retention requirement only applies to policies, procedures, and other more traditional
documentation. Increasing the City’s log retention scope or duration would require costly
additional licensing and storage. It is my opinion that increasing the duration of log
retention is unnecessary.
6. Ensure custom software development includes security.
Progress report: The City’s custom development is limited to a handful of simple interfaces
between applications, e.g., importing bank ACH transactions into the ERP water utility
billing system, exporting moving violation citations for transmission to IDOT, etc.
Although these systems process and store Protected Data, they are protected by logical
security controls and are physically segmented from high risk networks, e.g. the Internet.
Given the low volume of development and the minimal risk of exposure, we are
hesitant to invest time in developing formal policies and procedures for secure
development.
Also in 2013, the City joined the Multi-State Infoniiation Sharing and Analysis Center (MS-ISAC).
MS-ISAC membership is free, and provides many benefits, including:
• 24/7 incident response services
• cyber security event notifications and advisories
• educational events and materials
• joint purchasing opportunities
Future Actions —
To ensure continued compliance with regulations and our Information Security Program and Policy,
we requested formal bids for ongoing Cybersecurity Consulting Services. A cybersecurity
consulting services bid award is being prepared for Council approval. These annual services
include:
• a risk assessment
• two external vulnerability scans
• two external penetration tests
• one internal vulnerability scan
• two PCI cardholder data environment penetration tests
• one policy, standards. and guidelines review
• on-demand advisory services for remediation, incident response, training, policy
development, and systems selection and implementation
In addition, we have subscribed to automated services for:
• monthly external vulnerability scans
• quarterly internal PCI cardholder data environment vulnerability scans
• point of sale system file integrity monitoring
In summary, the City has taken reasonable actions to protect the integrity, availability, and
confidentiality of its systems and sensitive data. Based on discussions with other local government
IT leaders, and data from the MS-ISAC Nationwide Cyber Security Review, we are ahead of our
peers. However, security is a process, not a product. There will always be more to do. My greatest
concerns going forward are:
1. Completing the network infrastructure replacement project, including cloud application
control and network based intrusion detection and alerting.
2. Improving our data leak prevention measures, including implementing the Data
Classification Standard.
3. Implementing the appropriate level of network segmentation based on our risk tolerance.
4. Conducting initial security awareness training sessions for all employees, and initiating
ongoing security awareness communications.
5. Developing business continuity plans for critical business functions and processes in every
department.
6. Reducing the burden of log collection and daily review.
7. Implementing the appropriate level of separation of duties based on our risk tolerance.
8. Selecting a cybersecurity consultant and continuing our assessment, scanning, and testing
regimens.
MEMORANDUM
TO: Record
FROM: Susan Bishel, Public Relations Coordinator
SUBJECT: Feb. 27, 2017 City Council Planning Session Minutes
DATE: Feb. 28, 2017
CC: Mayor and City Council, City Manager, City Clerk, Department Heads
The Planning Session took place in the Council Chambers, Wheaton City Hall, 303 W. Wesley St.,
Wheaton, Illinois. Those attending the Planning Session included: MayorG.resk, Councilwoman
Fitch, Councilman Prendiville, Councilman Rutledge Councilman Saline, Councilman Scalzo and
Councilman Suess Also in attendance were City Manager Dzugan A’siant City Manager
Duguay, Director of Planning & Economic Development Kozik, bW tor f Public Works Laoang,
Director of Finance Lehnhardt, Director of Engineering Redma, 1 Seriq Project Engineer
Lagvankar Water Superintendent McMillen, Streets Sup tikent Wkefield Public Works
Administrative Superintendent Wallace Managemerrtern owlke and Public Relations
Coordinator Bishel The session began at 7 00 p m and conducted at 8 00 p m The following
items were discussed:
I. Call to Order
The Wheaton City Council Planning Session was called to order at 7:00 p.m. by Mayor Gresk.
II. Approval of February 13, 2017 Planning Session Minutes
The Council approved the February 13, 2017 Planning Session Minutes.
III. Public Comrnents
There were no public c en%
IV. qcra Streetlight LED Replacement
Public Works Administrative Superintendent Wallace stated the Public Works Department has
replaced 82 incndescent City streetlights in the past two years with LED streetlights. The
neighborhood streetlights the City replaced had become obsolete, and replacing them with LED
fixtures reduced the amount of energy used by about one-half, also providing substantial
savings in energy costs. The City has learned of a state grant opportunity that would assist the
City in replacing 553 Cobra streetlights, and the funding incentive is doubled for projects that
can be completed in the next few months. The model of streetlights the City would like to use
are the same type that CornEd has recently used to replace some of its streetlights in Wheaton.
In response to Council questions, Public Works Administrative Superintendent Wallace stated
the color temperature of the LED fixtures is slightly more blue than the incandescent lights that
are currently used. She stated the lights proposed for replacement are on portions of parts of
President, Manchester, Wiesbrook, East and West Loop Road, Scottsdale, and North Main Street.
The City’s total investment in this project would be $117,000, and the City estimates the
investment would be paid back in 3 years due to the energy cost savings the City will realize.
In response to Council questions Public Works Administrative Superintendent aBa tated
the fixtures would be under warrantee for 10 years but the fixtures lif expectancy is at east 20
years Street Superintendent Wakefield stated maintenance costs would also be decreased
because with the incandescent fixtures the City has to maintain the ballast and the light but the
LED fixtures do not require the same level of maintenance
In response to Council questions about whether the City couId replace more lights Street
Superintendent Wakefield stated the proposed project would replace all of the City-maintained
Cobra fixtures except for those on Roosevelt Road The.çit does not believe replacing the lights
on Roosevelt Road would be feasible for this gr t’the Illinois Department of Transportation
would require the City to have engineering stu’ ore prior to replacing lights on Roosevelt
Road. The City is unsure if grant money will be a ila after May 8.
City Manager Dzugan stated this is a federally-funded project, and the City has already been
pre-approved by the state for this project. The City Council expressed interest in proceeding
with this project and directed City staff to place the item on the March 6 City Council meeting
agenda for the Cocil’s forrriál consideration.
V Five-Year tapital Improvement Program
Assistant City l4aiager Duguay presented an overview of the Five-Year Capital Improvement
Program (CIP, ich ity staff is creating as a long-term planning tool tied to the City Council s
goals’ of fundikcapital project needs and providing reliable infrastructure systems that support
the community xpectations The CIP will provide a methodical and strategic process to plan
projects, prioritize them and plan for their funding.
Assistant City Manager Duguay stated the projects were divided into the categories of new,
replacement or maintenance. He also reviewed some of the recent infrastructure studies the City
has done, which have allowed the City to develop long-term plans and determine funding
needs.
2/27/17 Planning Session 2
Assistant City Manager Duguay reviewed the steps the City staff has taken to produce the CIP,
which included working with each department to identify their capital needs.
Director of Finance Lehnhardt reviewed the project categories that staff identified, including
different types of infrastructure improvements, facility improvements and more.
In terms of funding the capital projects, Director of Finance Lehnhardt stated staff is still
developing funding strategies. Some of the options the City could consider are pay-as-you-go
financing, debt financing, using the City’s existing funding sources (such as property taxes), and
funding for capital projects. I
Director of Finance Lehnhardt reviewed the City’s main funds, including the General Fund,
capital projects funds, motor fuel tax fund, TIF District funds, debt service fund, enterprise funds
and replacement funds.
In response to a Council question regarding the a t the City has spent in the past two years
that are considered capital improvement projects. Cit Managugan stated this amount is
approximately $12 million.
Director of Finance Lehnhardt revi projects by type and by proposed
funding source. The majority of the projects are related to infrastructure.
In response to a Council question Director of Finance Lehnhardt stated the projects beyond the
first two years could not be cqmpleted ithout additional funding allotted.
City Manager uga a while the City has identified the projects that staff recommend the
City addres6er the ned’iie years staff is still developing the suggested funding for future
projects Thtoundi can work to decrease operating expenses increase revenues reduce the
amORflt of’projects, or some combination of these.
Assistant City r’4nager Duguay showed examples of the worksheets staff is using for CIP
projects. The worksheets include justification for the project, immediate and future impacts on
the City’s budget, and factors to help staff determine if the project needs immediate action.
They also include criteria to help staff prioritize projects using a scoring system.
In response to Council questions about projects that require immediate action, Assistant City
Manager Duguay stated between 10% and 20% of CIP projects were classified as needing
immediate action.
2/27/17 Planning Session 3
City Manager Dzugan noted that no major stormwater projects are included in this plan, as City
staff still needs to complete stormwater studies before being able to create a plan for how to
proceed.
City Manager Dzugan stated an updated CIP will be presented to the Council every year in
conjunction with the annual budget review process.
VI. City Council/Staff Comments
City Manager Dzugan recognized the City’s Management Intern Brandon Kowalke for receiving
Northern Illinois University’s intern of the year award. r E
54
VII. Adjournment
The meeting was adjourned at 8:00 p.m.
2/27/17 Planning Session 4