9. League Data Security report
SCANDIA
Staff Report
Date of Meeting: April 6, 2016
To: City Council
From: Neil Soltis, Administrator
Re: League of Minnesota Cities Insurance Trust Data Security Survey
Background: On March 7 representatives from the League Insurance Trust met with Colleen and
me to discuss loss control topics related to data security. A copy of their report is provided
along with an appendix of recommendations. The League is requesting a response from the City
within 60 days describing actions taken or proposed in response to the recommendations.
Issue: To what extent should the City implement the recommendations that were generated by
the survey?
Details / Discussion: Below are the recommendations and my assessment of the impacts.
1-3/16: Recommend changing passwords for users every 30-60 days and system passwords annually.
This can be implemented at no cost. Currently this would need to be performed by each individual user.
Depending on the system, passwords could be set up to expire on a designated frequency.
2-3/16: Recommend that private data never be transmitted or accessed over a wireless network. The
issue here is that only the Public Works Director has a City cell phone. The other employees access the
SCADA system that controls the sewer equipment via personal mobile phones. There should be an
analysis of the cost of providing additional City devices versus the benefits of each employee having
access.
3-3/16: Recommend that no city business be performed on personal mobile devices. This can be
handled through an update of the City's personnel policy.
4-3/16: Recommend user access and accounts are deleted immediately upon employee's dismissal,
termination, or leaving. If the account cannot be deleted, the password should be changed along with
all admin passwords that the employee had access to or knowledge of. While the City's personnel
policy states that employees have no rights to the content of their emails and shall not be allowed
access to the computer system, a more definitive provision should be added to provide for the City to
archive any information and to then disable any access to individual or city accounts.
5-3/16: Recommend that the City implement a Social Media and Computer Use Policy. The League has
provided a template for a social media policy that addresses management, responsibility, rules of use
and moderating public comments. Consideration should be given to adopting a policy based on that
template.
6-3/16: Recommend all policies regarding technology be reviewed/updated annually. Once the current
revisions are completed, subsequent reviews can be scheduled to occur annually.
7-3/16: Recommend moving the City Hall router to a more secure location. The City's switch
and router are located in a room that is not locked and can be accessed by the public, particularly after
normal office hours. Consideration should be given to providing funds in the 2017 budget to relocate
the equipment into an area that is not accessible to the public.
LEAGUE of MINNESOTA CITIES
March 11, 2016
Neil Soltis, City Administrator
City of Scandia
14727 209th St. N
Scandia, MN 55073
CONNECTING & INNOVATING
SINCE 1913
Data Security Survey Letter
Re: Data Security Survey Conducted on March 7, 2016
Dear Neil,
On the above date Cheryl Brennan and I met with you and Colleen Firkus to discuss loss control topics
pertaining to Scandia. This was in conjunction with Scandia's participation in the League of
Minnesota Cities Insurance Trust (LMCIT) property, liability and/or workers' compensation program.
Purpose of Visit
The primary purpose of my visit was to complete a basic Data Security survey. There are many
evolving risks associated with storing and sharing data on computers and mobile devices. These risks
include things like:
Data breaches
Virus contamination
Hacker attacks
Employee misuse
There are also a number of issues presented by different forms of social media. As technology
continues to develop, cities will be faced with growing technological risks. Having policies and
procedures in place can help manage and mitigate these risks.
Conclusions
Scandia has many safeguards in place, including multiple data backups and computer safety
training as part of their annual safety committee training.
Implementing additional safeguards will strengthen Scandia's program.
Educating employees and elected officials is a key first line of defense to security threats. Some
free information and education tools follow in this letter.
Members of LMCIT have access to the eRisk Hub by NetDiligence. You'll be asked to complete
the new user registration form and create your own user ID and password. Once this is completed,
enter 13522-13 in the access code field.
LEAGUE OF MINNESOTA CITIES INSURANCE TRUST
145 UNIVERSITY AVE. WEST, ST. PAUL, MN 55103-2044
PHONE: (651) 281-1200  FAX: (651) 281-1298  TOLL FREE: (800) 925-1122  WEB: WWW.LMC.ORG
Discussion
Minnesota Statutes, section 13.05, subdivision 5 requires Minnesota cities to establish "appropriate
security safeguards for all records containing data on individuals, including procedures for ensuring
that data that are not public are only accessible to persons whose work assignment reasonably
requires access to the data, and is only being accessed by those persons for purposes described in the
procedure."
With an increased number of data breaches being reported, it is more important than ever to secure data
and ensure there are policies in place to protect the data as well. Examples of claims seen by LMCIT
include:
Contractor's tax ID# accidentally displayed on city website
Confidential employee data accidentally posted on city website
Vendor displayed confidential information in a presentation
Vendor lost a backup of hard drive with city's confidential data
Point of sale malware on liquor store registers
Cryptolocker/ransomware
During our visit we discussed the importance of passwords, training, data storage, social media and
other concerns. We also toured where the building router is kept.
Resources
Webinar: Data Privacy — Legal Risks, Mitigation, and Response for Municipalities
Memo and Sample Policy: Computer and Network Loss Control
Information Website: Focus on New Laws: Data Practices Act
Guide (also attached): Guide to Preventing Social Engineering Fraud
Recommendations
I've included loss control recommendations to strengthen data security elements for your consideration
in the appendix.
Service Plan
We decided to determine possible areas of focus for our next visit at a later date. Tracey Stille or I can
also address other safety or loss control topics that you might have. We will plan to contact you in
approximately 10-12 months to schedule the next loss control meeting.
60 Day Response
I have submitted recommendations for your consideration as a tool to help guide your risk management
efforts. The decision to complete the recommendations, either in part or in full or the decision not to
complete recommendations, lies entirely with the insured. LMCIT believes completion of
recommendations can ultimately reduce property, liability or workers' compensation losses as the case
may be.
Recommendations and comments are provided for loss control and risk exposure improvement purposes only. They
are not made for the purpose of complying with the requirements of any law, rule or regulation. We do not infer or
imply in the making of these recommendations and comments that all sites were reviewed or that all possible hazards
were noted. The final responsibility for conducting loss control and risk management programs rests with the member.
Please contact me by telephone or e-mail within the next 60 days to let me know what, if any, progress
you are making on each recommendation. I look forward to hearing from you.
Thanks again for the time and courtesy extended to us during our visit.
Sincerely,
Cody Tuttle
Loss Control Representative
Phone: (651) 281-1254
Email: ctuttle@lmc.org
C: Underwriting
Attachments
LMCIT Computer and Network Loss Control Memo
Model Social Media Policy for the City
Example Law Enforcement Social Media Policy
(Could possibly be adjusted to suit the needs of your Fire Department)
Recommendation Appendix
The referenced products and/or services are provided solely as a source of general
assistance and should not be taken as the League's endorsement of the particular
product or service or a recommendation that it will meet your unique needs.
Recommendations generated from today's visit:
1-3/16: Recommend changing passwords for users every 30-60 days and system passwords
annually. Changing passwords creates a more secure network by ensuring that any breaches to
password security are limited in duration and scope, which means there is limited information
gleaned from the attack. If passwords are not changed frequently, there is a much greater chance
of data breach.
2-3/16: Recommend that private data never be transmitted or accessed over a wireless
network. This includes the wireless SCADA system that operates via personal mobile phones.
3-3/16: Recommend that no city business be performed on personal mobile devices. This
includes accessing city email accounts, as well as the wireless SCADA system. City email being
read on personal phones can open employees' personal phones up to discovery in city-related
lawsuits.
4-3/16: Recommend user access and accounts are deleted immediately upon employee's
dismissal, termination, or leaving. If the account cannot be deleted, the password should be
changed along with all admin passwords that the employee had access to or knowledge of.
This includes disabling an exiting employee's access to the wireless SCADA system. Disabling
access to the City's files or system is imperative in termination instances, but also in at-will
departures. Disabling the former employee's access or changing system passwords will ensure that
the City's data is protected against any potential data breach from that employee.
5-3/16: Recommend that the City implement a Social Media and Computer Use Policy. I have
attached a general social media policy for cities, as well as one tailored for law enforcement that
may be adjusted to suit your needs. Section V. Part A of the law enforcement policy would be
especially beneficial in tailoring your policy to address fire personnel posting pictures from
accident scenes.
6-3/16: Recommend all policies regarding technology be reviewed/updated annually.
7-3/16: Recommend moving the City Hall router to a more secure location. Moving the router
to a location where it cannot be accessed by the public using the community center will better
protect it from tampering and physical damage.
8-3/16: Recommend data backup monitoring. You had inquired about ways that Colleen could
monitor your system to ensure that every computer is successfully backing up its data. Our Asst.
Tech Services Director, Greg Van Wormer, believes that most cloud-based backup systems, such as
Norton, have a monitoring system built in, and if yours does not, other providers might.
9-3/16: Attack Vulnerability Testing. Attack vulnerability testing is a way to find your
network's weaknesses to cyber-attack. The League recently performed one on our own systems and
was pleased with the results. We used NetSpi because they are a local company; however, a Google
search for penetration test companies will give you many more options. Treat it as any vendor
search, and check references and how long they have been in business.