9. League Data Security report

SCANDIA
Staff Report

Date of Meeting: April 6, 2016
To: City Council
From: Neil Soltis, Administrator
Re: League of Minnesota Cities Insurance Trust Data Security Survey

Background:
On March 7 representatives from the League Insurance Trust met with Colleen and me to discuss loss control topics related to data security. A copy of their report is provided along with an appendix of recommendations. The League is requesting a response from the City within 60 days regarding actions or proposed actions on the recommendations.

Issue:
To what extent should the City implement the recommendations that were generated by the survey?

Details / Discussion:
Below are the recommendations and my assessment of the impacts.

1-3/16: Recommend changing passwords for users every 30-60 days and system passwords annually.
This can be implemented at no cost. Currently this would need to be performed by each individual user. Depending on the system, passwords could be set up to expire on a designated frequency.

2-3/16: Recommend that private data never be transmitted or accessed over a wireless network.
The issue here is that only the Public Works Director has a City cell phone. The other employees access the SCADA system that controls the sewer equipment via personal mobile phones. There should be an analysis of the cost of providing additional access versus the benefits of each employee having access.

3-3/16: Recommend that no city business be performed on personal mobile devices.
This can be handled through an update of the City's personnel policy.

4-3/16: Recommend that user access and accounts be deleted immediately upon an employee's dismissal, termination, or leaving. If the account cannot be deleted, the password should be changed along with all admin passwords that the employee had access to or knowledge of.
While the City's personnel policy states that employees have no rights to the content of their emails and shall not be allowed access to the computer system, a more definitive provision should be added to provide for the City to archive any information and then disable any access to individual or city accounts.

5-3/16: Recommend that the City implement a Social Media and Computer Use Policy.
The League has provided a template for a social media policy that addresses management, responsibility, rules of use and moderating public comments. Consideration should be given to adopting a policy based on that template.

6-3/16: Recommend all policies regarding technology be reviewed/updated annually.
Once any revisions are completed, further review and modification can be scheduled to occur annually.

7-3/16: Recommend moving the City Hall router to a more secure location.
The City's switch and router are located in a room that is not locked and can be accessed by the public, particularly after normal office hours. Consideration should be given to providing funds in the 2017 budget to relocate the equipment into an area that is not accessible to the public.

LEAGUE of MINNESOTA CITIES
CONNECTING & INNOVATING SINCE 1913

March 11, 2016

Neil Soltis, City Administrator
City of Scandia
14727 209th St. N
Scandia, MN 55073

Data Security Survey Letter
Re: Data Security Survey Conducted on March 7, 2016

Dear Neil,

On the above date Cheryl Brennan and I met with you and Colleen Firkus to discuss loss control topics pertaining to Scandia. This was in conjunction with Scandia's participation in the League of Minnesota Cities Insurance Trust (LMCIT) property, liability and/or workers' compensation program.

Purpose of Visit
The primary purpose of my visit was to complete a basic Data Security survey. There are many evolving risks associated with storing and sharing data on computers and mobile devices.
These risks include things like:
- Data breaches
- Virus contamination
- Hacker attacks
- Employee misuse

There are also a number of issues presented by different forms of social media. As technology continues to develop, cities will be faced with growing technological risks. Having policies and procedures in place can help manage and mitigate these risks.

Conclusions
Scandia has many safeguards in place, including multiple data backups and computer safety training as part of their annual safety committee training. Implementing additional safeguards will strengthen Scandia's program. Educating employees and elected officials is a key first line of defense against security threats. Some free information and education tools follow in this letter. Members of LMCIT have access to the eRisk Hub by NetDiligence. You'll be asked to complete the new user registration form and create your own user ID and password. Once this is completed, enter 13522-13 in the access code field.

LEAGUE OF MINNESOTA CITIES INSURANCE TRUST
145 UNIVERSITY AVE. WEST, ST. PAUL, MN 55103-2044
PHONE: (651) 281-1200  FAX: (651) 281-1298  TOLL FREE: (800) 925-1122  WEB: WWW.LMC.ORG

Discussion
Minnesota Statutes, section 13.05, subdivision 5 requires Minnesota cities to "establish appropriate security safeguards for all records containing data on individuals, including procedures for ensuring that data that are not public are only accessible to persons whose work assignment reasonably requires access to the data, and is only being accessed by those persons for purposes described in the procedure." With an increased number of data breaches being reported, it is more important than ever to secure data and ensure there are policies in place to protect the data as well.
Examples of claims seen by LMCIT include:
- Contractor's tax ID# accidentally displayed on city website
- Confidential employee data was accidentally on city website
- Vendor displayed confidential information in a presentation
- Vendor lost a backup of a hard drive with city's confidential data
- Point of sale malware on liquor store registers
- Cryptolocker/ransomware

During our visit we discussed the importance of passwords, training, data storage, social media and other concerns. We also toured where the building router is kept.

Resources
Webinar: Data Privacy — Legal Risks, Mitigation, and Response for Municipalities
Memo and Sample Policy: Computer and Network Loss Control Information
Website: Focus on New Laws: Data Practices Act
Guide (also attached): Guide to Preventing Social Engineering Fraud

Recommendations
I've included loss control recommendations to strengthen data security elements for your consideration in the appendix.

Service Plan
We decided to determine possible areas of focus for our next visit at a later date. Tracey Stille or I can also address other safety or loss control topics that you might have. We will plan to contact you in approximately 10-12 months to schedule the next loss control meeting.

60 Day Response
I have submitted recommendations for your consideration as a tool to help guide your risk management efforts. The decision to complete the recommendations, either in part or in full, or the decision not to complete recommendations, lies entirely with the insured. LMCIT believes completion of recommendations can ultimately reduce property, liability or workers' compensation losses as the case may be.

Recommendations and comments are provided for loss control and risk exposure improvement purposes only. They are not made for the purpose of complying with the requirements of any law, rule or regulation. We do not infer or imply in the making of these recommendations and comments that all sites were reviewed or that all possible hazards were noted.
The final responsibility for conducting loss control and risk management programs rests with the member.

Please contact me by telephone or e-mail within the next 60 days to let me know what, if any, progress you are making on each recommendation. I look forward to hearing from you. Thanks again for the time and courtesy extended to us during our visit.

Sincerely,

Cody Tuttle
Loss Control Representative
Phone: (651) 281-1254
Email: ctuttle@lmc.org

C: Underwriting

Attachments
- LMCIT Computer and Network Loss Control Memo
- Model Social Media Policy for the City
- Example Law Enforcement Social Media Policy (could possibly be adjusted to suit the needs of your Fire Department)

Recommendation Appendix
The referenced products and/or services are provided solely as a source of general assistance and should not be taken as the League's endorsement of the particular product or service or a recommendation that it will meet your unique needs.

Recommendations generated from today's visit:

1-3/16: Recommend changing passwords for users every 30-60 days and system passwords annually.
Changing passwords creates a more secure network by ensuring that any breaches to password security are limited in duration and scope, which means there is limited information gleaned from the attack. If passwords are not changed frequently, there is a much greater chance of data breach.

2-3/16: Recommend that private data never be transmitted or accessed over a wireless network.
This includes the wireless SCADA system that operates via personal mobile phones.

3-3/16: Recommend that no city business be performed on personal mobile devices.
This includes accessing city email accounts, as well as the wireless SCADA system. City email being read on personal phones can open employees' personal phones up to discovery in city-related lawsuits.

4-3/16: Recommend that user access and accounts be deleted immediately upon an employee's dismissal, termination, or leaving. If the account cannot be deleted, the password should be changed along with all admin passwords that the employee had access to or knowledge of.
This includes disabling the exiting employee's access to the wireless SCADA system. Disabling access to the City's files or system is imperative in termination instances, but also in at-will exits. Disabling the former employee's access or changing system passwords will ensure that the City's data is protected against any potential data breach from that employee.

5-3/16: Recommend that the City implement a Social Media and Computer Use Policy.
I have attached a general social media policy for cities, as well as one tailored for law enforcement that may be adjusted to suit your needs. Section V, Part A of the law enforcement policy would be especially beneficial in tailoring your policy to address fire personnel posting pictures from accident scenes.

6-3/16: Recommend all policies regarding technology be reviewed/updated annually.

7-3/16: Recommend moving the City Hall router to a more secure location.
Moving the router to a location where it cannot be accessed by the public using the community center will better protect it from tampering and physical damage.

8-3/16: Recommend data backup monitoring.
You had inquired about ways that Colleen could monitor your system to ensure that every computer is successfully backing up its data. Our Asst. Tech Services Director, Greg Van Wormer, believes that most cloud-based backup systems such as Norton have a monitoring system built in, and if it does not, other providers might.

9-3/16: Attack Vulnerability Testing.
Attack vulnerability testing is a way to find your network's weaknesses to cyber-attack. The League recently performed one on our own systems and were pleased by the results. We used NetSpi due to them being a local company; however, a Google search for penetration test companies will give you many more options. Treat it as any vendor search, and check references and how long they have been in business.
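As an added illustration of the backup-monitoring question raised in 8-3/16 (this is not the League's or the City's code), the check below reads a hypothetical per-job status export from the backup service, assumed to contain one line per job, and lists every inventoried computer whose backups are missing, failing, or older than a chosen age; the log lines and the inventory are constructed samples.

```python
# Added illustration for recommendation 8-3/16 (backup monitoring); not
# League or City code. Assumes a hypothetical backup service export with one
# line per job, "<ISO timestamp> <hostname> <SUCCESS|FAILED>".
from datetime import datetime, timedelta

# Constructed sample export, not real log data.
SAMPLE_STATUS_LOG = """\
2016-03-01T02:00:00 cityhall-pc1 SUCCESS
2016-03-02T02:00:00 cityhall-pc1 SUCCESS
2016-03-02T02:05:00 cityhall-pc2 FAILED
2016-03-03T02:05:00 cityhall-pc2 FAILED
2016-02-10T02:10:00 pw-laptop SUCCESS
"""
# Constructed inventory: a listed host with no log lines at all is a finding too.
INVENTORY = ["cityhall-pc1", "cityhall-pc2", "pw-laptop", "clerk-pc"]


def parse_status_log(text):
    """Return {host: (last successful run or None, consecutive failures)}."""
    state = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        host, result = parts[1], parts[2]
        last_ok, failures = state.get(host, (None, 0))
        if result == "SUCCESS":
            if last_ok is None or ts > last_ok:
                last_ok = ts
            failures = 0
        else:
            failures += 1  # a later success resets the count
        state[host] = (last_ok, failures)
    return state


def find_backup_problems(text, inventory, now, max_age_days=2):
    """Return {host: reason} for every computer that needs attention."""
    state = parse_status_log(text)
    cutoff = now - timedelta(days=max_age_days)
    problems = {}
    for host in inventory:
        if host not in state:
            problems[host] = "no backup records at all"
        elif state[host][1]:
            problems[host] = f"last {state[host][1]} backup job(s) failed"
        elif state[host][0] < cutoff:
            problems[host] = f"last success {state[host][0].date()} is stale"
    return problems
```

Run against the sample with now set to 2016-03-04, it reports cityhall-pc2 (repeated failures), pw-laptop (stale) and clerk-pc (never seen), while cityhall-pc1 is clean.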