R-2020 - 05/24/2022 - BOARD OF TRUSTEES - Resolutions Supporting Documents
ITEM 6.13.5
BOARD OF TRUSTEES MEETING
SAMUEL E. DEAN BOARD ROOM
OAK BROOK
BUTLER GOVERNMENT CENTER
1200 OAK BROOK ROAD
OAK BROOK, ILLINOIS 630-368-5000

AGENDA ITEM
Regular Board of Trustees Meeting of May 24, 2022

SUBJECT: Award of Contract -- Computer Network Security Assessment
FROM: Jim Fox, Information Technology Director
BUDGET SOURCE/BUDGET IMPACT: Information Technology Program 151-76950

RECOMMENDED MOTION: I move that the Village Board waive the formal bidding process, due to the technical and specialized nature of the consulting services requested, and award a Professional Services Agreement to Halock Security Labs, in the amount of $22,500, to complete a comprehensive computer network security assessment, and approve Resolution 2022-IT-AG-SECURITY-R-2020.

Background/History:
Security assessments are an important activity in the risk management process and in an organization's information security program. Comprehensive security assessments reveal the extent to which controls are implemented correctly, operating as intended and meeting the required security levels. Assessments are intended to provide management with complete and accurate information regarding the security status of the information systems for which they are responsible, enabling them to make sound risk-based decisions regarding the operation of those systems.

The digitization of information has improved services to Village residents, businesses, and employees. Unfortunately, the availability of these services has also spawned some serious side effects: cybersecurity attacks and security breaches. Today's technology departments must be vigilant in identifying network vulnerabilities before cyber attackers target them.
Running regular security assessments and audits is necessary for the following reasons:

Identify Critical Weaknesses in Cyber Security Protections:
The first step in any strategic security plan is to know your risks. Security assessments use a variety of techniques and tests to conduct an in-depth audit of the organization's defense measures against the various attack methods used by intruders, internal or external. This could be an attacker targeting the network from the outside, a disgruntled employee seeking revenge, or malware. For example, WannaCry proliferated because of unpatched software common in many businesses. An assessment identifies those unpatched systems.

An assessment's goal is to identify hidden vulnerabilities, loopholes, and potential gaps in the computer network security architecture. Results will detail everything from shared and accessible access credentials and software version updates needed, to a detailed review of how sensitive information was accessed by analysts, and a presentation of the specific data found. Identification is only step one, though. Security assessments also provide organizations with a rating of risk severity for each vulnerability, guidance for remediating each identified vulnerability, and the opportunity to retest to assess your remediation efforts.

Ensure Sensitive Data is Secured
All protected information that the Village creates, receives, maintains, or transmits must be secured and protected. Additionally, all methods of storing and transferring data, including databases, servers, connected equipment, mobile devices, and cloud storage, need to be regularly evaluated. Security assessments can routinely test whether implemented security measures are properly protecting sensitive and confidential information from all potential points of attack.
Meet Compliance Requirements and Be Prepared for Audits
The HIPAA Security Rule requires all covered organizations to demonstrate and document a regular vulnerability scan to assess applications and networks for vulnerabilities, exploits, and security weaknesses. HIPAA further requires covered entities to evaluate the likelihood and impact of potential risks and to implement and document appropriate security measures to address those risk areas. The goal is to provide a computer network that is secure against "reasonably anticipated threats to security or integrity of the information" and to ensure that the Village maintains "continuous, reasonable, and appropriate security protections."

Security assessments vary in complexity and methodology. Documenting all security and privacy policies during an assessment will serve as an essential reference for procedural audits and an excellent training foundation for employees. However, with today's advanced hacking and cyberattack methods, compliance does not guarantee security. Regular (at least annual) assessments ensure the Village will stay in front of government requirements and will identify areas beyond compliance that need to be addressed to meet industry cybersecurity best practices and standards.

Identify Budget and/or Training Needs
Security assessments enable Technology Staff to identify areas of weakness and opportunities for growth in security protection. Understanding where current vulnerabilities exist, and which are priorities, allows Village Staff to make better-informed decisions about future security expenses. Assessments provide the documentation needed to guide the Village's Information Technology Department security budget. Assessments also allow the Village to foster a healthy internal dialogue and encourage diligence among all Village employees. Village employees play the single most important part in network security.
Social engineering and other assessments provide an avenue to identify additional training or resources needed for employee education and compliance.

Develop Contingency Plans
Another advantage of conducting regular risk assessments is the opportunity to develop contingency plans for when disaster strikes. Whether the Village's data is stored on premise, in the cloud, or both, developing a strategic backup plan is an essential part of your disaster recovery and overall security plan. During a policy review, identify what information is or needs to be backed up and how, develop procedures to restore backups following a breach, and establish standard processes for regular testing of those restore procedures.

Update and Strengthen Cybersecurity Policies and Procedures
A strong security posture includes policies and procedures that are current and in place across the entire Village. With a strategic security assessment, the Village will be able to review, update, and enhance our cybersecurity policies and procedures, including:
• Access control and user account management
• Information security governance and risk management
• Improved workstation and device security
• Business continuity and disaster recovery planning
• Cryptography
• Physical (environmental) security
• Network and operations security
• Security architecture and design

After this comprehensive review, your organization will be equipped with the steps needed to strengthen your overall security posture and can gain peace of mind knowing you've taken advanced steps to minimize your risks against threats.

Summary:
The proposed Computer Network Assessment will be performed to assess the current condition of the Village's computer network. The assessment will not only address any vulnerabilities; it will also be used as a planning tool as the Village moves forward with maintaining our network infrastructure.
The proposed Security Assessment will evaluate both the Village's internal and external-facing technology resources to ensure compliance with all applicable technology security standards. Vulnerability testing will also be performed to ensure system users are working within a secure environment and that customer and employee data is safe. Any vulnerabilities detected will be ranked by severity, and the ranking will guide the Village in allocating resources related to improving technology services and systems in the future.

In addition, the proposed agreement with Halock Security Labs will include a confidentiality clause to ensure that results of the Computer Network Assessment and Security Assessment are not shared with any third party and that the Village does not disclose the testing methodologies used during vulnerability detection.

Recommendation:
Staff recommends that the Village Board waive the formal bidding process, due to the technical and specialized nature of the consulting services requested, and award a Professional Services Agreement to Halock Security Labs, in the amount of $22,500, to complete a comprehensive computer network security assessment, and approve Resolution 2022-IT-AG-SECURITY-R-2020.