Oversight Committee Meeting Agenda · 1/16/2013


Oversight Committee Meeting Agenda

January 16, 2013 – 2:30 p.m.

Jesse Lowe Conference Room – 3rd Floor Civic Center

1819 Farnam Street, Omaha, NE 68183

As required, please be advised that a copy of the rules of the Open Meetings Act as amended by LB898 is located in the folder on the north wall of the Jesse Lowe Conference Room and assistance will be provided for anyone needing help.

1. Call to Order

2. Approval of minutes from December 13, 2012 meeting

3. Standing Business

• IT Service Management – Stangl
• Master Service Agreement Update
  o Small Group Working Sessions Scheduled
• Projects – Svevad
• Security – Kruse
• Financial – Kruse/Schaefer
• Organization – Kruse
• Innovation – Kruse

4. New Business

• Coventry 2013 Renewal (Resolution for Ratification) – Kruse
• Scanning Policy (Request for Approval) – Kruse
• Password Policy (Request for Approval) – Kruse

5. Public Comments

6. Next Regular Meeting – February 20, 2013 (2:30-4:00 p.m.) Jesse Lowe Conference Room, Civic Center

7. Executive Session for the purpose of discussing personnel and legal issues in conformance with Nebraska Rev. Stat. 84-1410(d).

8. Adjourn



DOT.Comm Oversight Committee

Meeting Minutes

December 13, 2012 – 3:30 p.m.

Jesse Lowe Conference Room, Civic Center, 3rd Floor

PRESENT: Deb Sander – (City)
Elizabeth Davis – (City)
Joseph Lorenz – (County)
Pam Spaccarotella – (City)
John Friend – (County)
Mike Schonlau – (County)

ABSENT: Brian Young – (Citizen Member)

GUEST: Bernard in den Bosch – (Legal)
Derek Kruse – (DOT.Comm)
Tracy Svevad – (DOT.Comm)
Greg Andersen – (DOT.Comm)
Bob Nord – (DOT.Comm)
Julie Stangl – (DOT.Comm)
Vince Icenogle – (City)
Dianne Wallace – (County)

Acting Chair Deb Sander called the meeting to order at 3:36 p.m. She advised that the rules for the Open Meeting Act are located in a folder on the north wall of Jesse Lowe Conference Room.

Approval of Minutes:

• Sander called for approval of the minutes from the last meeting on November 29, 2012. Hearing no discussion, Lorenz moved to approve the minutes as distributed. Davis seconded the motion. Motion passed unanimously.

Old Business:

• Year-end Projection for 2012 – Kruse reported that DOT.Comm is estimating $166,000 carryover to our fund balance at year end. More will be reported at the next meeting on this.

• Scorecard for December 13, 2012 – Svevad reviewed the Scorecard with the following presentations:


• IT Service Management – Stangl gave her update for 12/13/2012. Julie outlined the High Level Project Plan and reviewed the Proposed Service Review Plan with the Oversight Committee. (Handout was included in the packet of meeting materials).

• Web Projects – Svevad reviewed the Web Services and went over the program status summary of In-Flight projects. She then discussed the Web Applications in the pipeline and the prioritizing of each by the IT Coordinators. She next reviewed the Web Sites project status and Web Site projects in the pipeline, also prioritized by the IT Coordinators. (Handout was included in the packet of meeting materials).

• Web Services Transformation Update – Kruse reported that we have requested additional proposals with vendors and will bring this to the January 16th meeting for Executive Session.

• Draft MSA – Kruse stated that the draft copy of the Managed Services Agreement (handout in packet of meeting materials) is still a work in progress and should be completed by year-end. In reviewing the draft, Spaccarotella asked if there would be a termination clause included in the final draft. Kruse stated the usual industry standards do not have that clause and Spaccarotella requested further discussion on that matter. Spaccarotella also asked questions on Appendix B as to defining what is core or non-core, per the Inter-local Agreement. The Inter-local Agreement will be reviewed and the definition may need to be revised. There was discussion regarding Appendix C and the SLAs and Industry Standards. We will need a tracking tool for SLAs. Lorenz suggested and requested that there be a working session to go page-by-page through the draft of the MSA to come to a final agreement. This will be set up for some time in late January or early February. It was suggested that we start with Desktop Services and then group working sessions based on the 26 services that will be prioritized and a schedule built. Sessions will include the IT Coordinators in separate City and County sessions. Sessions should be kept small so that an agenda and public posting will not be necessary.

• Cyber Security – Greg Andersen, Information Security Manager for DOT.Comm, continued with his presentation on Cyber Security carried over from the 11/29/2012 meeting.

New Business:

• CPAN Analysis – Svevad reported that a project has been opened to analyze CPAN and the best way to make updates to that revenue generating program that has become outdated and difficult to use. More will be reported on this after the analysis is complete.


• Update on Wireless – Kruse reported that the Building Commission has committed to $126,000 funding for wireless, $50,000 committed by the County and $23,000 by the City. Equipment will begin to be ordered.

• Email Update – Kruse and Nord reported that they went to a meeting with the State to learn about their email upgrade. A project has been put in place and proposals have gone out. We are working on the new requirements. The State is working on unbundling services for the email system and they will also be giving us a proposal by the end of January, 2013.

Public Comments:

• There were no public comments at this time.

Next Meeting:

• The next meeting of the DOT.Comm Oversight Committee is (REVISED) Wednesday, January 16th, 2013 from 2:30-4:00 p.m. at Jesse Lowe Conference Room. The 2013 Meeting Schedule was included in the packet handout. Lorenz then announced that this will be the last meeting for Spaccarotella as she is leaving the City at the end of the year. She was applauded, thanked and wished well.

Adjournment:

• A motion to adjourn to Executive Session for the purpose of discussion of a personnel issue was made at 4:48 p.m. by Friend. Seconded by Lorenz. Meeting adjourned to Executive Session.

Minutes by: Jeanette Butzin

Project Update

Project request flow (diagram residue; the stages and their bullets as recovered from the slide):

• Request
• Technology & Architecture – Effort; Cost
• Review & Approval – Boards; ITCs & CIO
• Prioritized Queue – FIFO; ITCs & CIO
• Execution
Project timeline slides (Gantt chart residue, dated January 16, 2013). Legend recovered from each slide: Completed / Pending/On-Hold; CI = City, DC = County, DOT = DOT.Comm; phases Initiation, Definition, Select Vendor, Execution, Go-Live, Closing; timeline Nov through Oct. Project labels and milestone dates are listed in the order they appear; bar positions are not recoverable.

Timeline slide 1:
• CI-Fatpot 1049 & 1293 – 3-1-13 Phase 1
• DC-OMS App Implement 1303
• DC-Attorney Vic Witness 1254
• DC-Juvenile Attorney Pay 1149 – 1-25-13
• DC-Attorney RFID Tracking 1248 – 1-14-13
• 7-12-13

Timeline slide 2:
• No individual projects > 160 Hours
• FileBound Migrations TBD – ROD Only: Vital Stats – 100%; Clerk of District Court – 75%; County Clerk – 50%; Probation – 50%; Sheriff – 50%; ROD – 25%

Timeline slide 3:
• Oracle Rice 1065
• Oracle R12 Upgrade 1042
• 5-28-13
• 5-28-13

Timeline slide 4 (PfS – Access & Security):
• PfS Monitor – Network Phase 2
• 12-2-12 1st Firewall
• Enterprise Email Upgrade
• Active Directory Upgrade
• 1-31-2013 Solution Recommendation
• Enterprise Wireless

Timeline slide 5:
• CI/DC-Faster 6 Upgrade 1082
• CI-Public Works Internet 1272 – 6-10-13
• DC-EMA Internet 1314
• CI-Solid Waste 1001 – 7-31-13
• DC-HD Diabetes Internet 1316
• DC-Treasurer Updating VTR 1197 – 2-28-13
• 2-25-13
• TBD

Project Status Report – as of: January 2, 2013

Project ID: 1272    Project Name: PWKs General Services Public Internet
Project Manager: Walter Woodford    Project Sponsor: Heather Tippey Pierce    Department: PWKs - General Services
Project Goal: Redesign the public facing Omaha City Public Works Internet sites to improve citizen experience and usability
Initiation Start: 10/1/2012    Go-Live: 06/10/13
Project Phase: Execution    Project Budget: Est. Hours: 1,300    Act. Hours: 371
Overall Status: G

Summary Update: Parking page is nearing completion. Sewer Maintenance page is scheduled next. Traffic is next in queue. Intermediate schedule is being updated. No risk to Project.

Status Legend: G = as planned; Y = corrective action plan; R = Management attention required

Major Milestones:

#   Milestone                              Org Date   New Est    % Comp   Status   Risk Key
1   Parking Web Page                       12/27/12   01/07/13   90%      G        A, B
2   Sewer Maintenance                      01/11/13   01/15/13   90%      G        A, B
3   Traffic - Proposed Change              01/24/13              0%       G        A, B
4   Fleet Maintenance - VMF                02/07/13              0%       G        A, B
5   Street Maintenance - Proposed Change   02/21/13              0%       G        A, B
6   Design                                 03/07/13              0%       G        A, B
7   Facilities                             03/21/13              0%       G        A, B
8   Construction                           04/04/13              0%       G        A, B
9   UAT                                    04/24/13              0%       G        A, B
10  Closure                                05/08/13              0%       G        A, B
11  End                                    06/13/13              0%       G        A, B

Major Risks / Issues:                                                        Mitigation / Action:
A   R - Dependent upon a Primary Webmaster. Priorities and unplanned events
B   R - Departmental (Client) Readiness


DOT.Comm December 2012 Training

(Areas that we focused on in December)

Business Intelligence: Webfocus

Project Management

Desktop Support

Server Support

Service Desk


January 16, 2013

Resolved by the Douglas-Omaha Technology Commission (DOT.Comm):

WHEREAS, DOT.Comm provides group health insurance benefits to its full-time employees; and

WHEREAS, the current contract with Coventry Healthcare to which DOT.Comm is subject shall expire December 31, 2012; and

WHEREAS, the 2013 monthly premiums, guaranteed for a 12 month period are:
Employee: $497.42
Employee + Spouse: $1,082.10
Employee + Child(ren): $928.35
Family: $1,542.87

WHEREAS, DOT.Comm recommends Coventry as the service provider; and

WHEREAS, the CIO requests approval to ratify his signature to the revised contract with Coventry providing group health insurance from January 1, 2013 to December 31, 2013; and

NOW THEREFORE, BE IT FURTHER RESOLVED, that the signature of the CIO of DOT.Comm on the attached contract between Coventry Healthcare and DOT.Comm for the term January 1, 2013 to December 31, 2013 is hereby ratified.

APPROVED 1/16/2013

Deb Sander, Acting Chair, DOT.Comm Oversight Committee        Date


IT Oversight Committee Policy

Enterprise IT Security – Internal/External Network Vulnerability Scanning Policy

Owner: Service Owner, DOT.Comm IT Security

Effective Date: 1/16/2013

Review Schedule: Annual

Last Review Date: 12/26/2012

Last Revision Date: 12/18/2012

Approved by: City/County IT Oversight Committee

Purpose:

This policy grants authorization to appropriate members of DOT.Comm technical teams and its authorized vendors to conduct internal and external vulnerability assessments on a regularly scheduled basis and as deemed necessary by that same staff for reasons not limited to: audits, security assessments, network hardening, remediation checking, and penetration testing.

This document contains IT terminology; a short glossary has been included in Appendix A.

Scope:

This policy applies to all equipment attached to the Enterprise Network: personal computers, servers, routers, switches, printers, wireless “smart” devices, and all other network-connected equipment. This includes equipment (irrespective of ownership) attached to the network via:

• Internal wired and wireless networks
• External networks and DMZ
• Virtual Private Network (VPN)
• Any other connection

Policy:

1. Vulnerability scanning will only be performed by designated employees and designated vendors.

2. Vulnerability scanning may be scheduled or ad hoc.

3. Penetration Testing may be intrusive and will only be performed as scheduled and approved through the Change Management process.

4. The DOT.Comm Network Vulnerability Handling Procedure document will be used in conjunction with this policy; this procedure defines the steps that will be performed throughout the vulnerability lifecycle. If an identified system or application with a risk profile “CVSS Rating” of 9 or 10 is not able to be remediated or risk-accepted, the system will be removed from the Enterprise Network.


Scheduled Scans

• Monthly Internal vulnerability scanning
• Quarterly External vulnerability scanning

Ad hoc Scans

• Adding new equipment to the data center or Enterprise network (As needed)
• Validating remediation steps
• Testing high-risk or questionable systems
• Testing against newly found security vulnerabilities

Penetration Testing

Needs for penetration testing may include:

• Server and network hardening
• Regular or ad hoc testing of critical or private systems
• Audit requirements

Enforcement:

Any scanning performed by unauthorized personnel may be interpreted to be malicious and action will be taken to enforce appropriate use policies and appropriate security policies according to respective organizational policies, including, but not limited to:

• City of Omaha: City Personnel Policy #32 – Computer and Network Use – Employee Rights and Privileges
• Douglas County Civil Service Commission – Personnel Policy Manual – Article 21: Internet, Computer, and Software Usage
• DOT.Comm – Computer and Network Use Policy
• IT Oversight Committee Security Policies

Appendix A: IT Terminology Definitions

Demilitarized Zone / DMZ (NIST Glossary)

A host or network segment inserted as a “neutral zone” between an organization’s private network and the Internet.

Penetration Testing (NIST Glossary)

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

Common Vulnerability Scoring System / CVSS (NIST NVD)

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

Revision History:

January 16, 2013 – Adopted


IT Oversight Committee Policy

Enterprise IT Security – Network Password Policy

Owner: Service Owner, DOT.Comm IT Security

Effective Date: 4/8/2013

Review Schedule: Annual

Last Review Date: 1/2/2013

Last Revision Date: 1/2/2013

Approved by: City/County IT Oversight Committee

Purpose:

Establish an enterprise network password standard enforced through Active Directory software for the use of complex passwords, frequency of change, and the protection of those passwords. The Active Directory account (network login) is the gateway to the Enterprise Network through Windows logon, VPN, and Wireless access. The intent is to increase the security of our enterprise systems and create a centralized document to establish password standards following the SANS (System Administration, Network, and Security) Institute best practice.

Scope:

Passwords administered through Active Directory (network passwords).

Policy:

Password Complexity

• Password must contain at least three of the four following character classes:
  o Lower case characters
  o Upper case characters
  o Numbers
  o Other characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc)
• Password must contain at least eight characters
• Password must not be the same as the last ten passwords

Password Change Frequency

• Password must be changed at least every 90 days, and can be changed more frequently if desired
  o Two weeks prior to password expiration, user will be prompted to change password at network login.
  o When password has expired, the account will be locked.
  o If the account needs to be unlocked, it will require a call to the DOT.Comm Service Desk


Password Protection

• Account will be locked after 5 failed login attempts
  o Account will automatically unlock after 30 minutes
  o If unable to wait 30 minutes, the account will have to be manually unlocked through the DOT.Comm Service Desk
• Do not share passwords with anyone
  o All passwords are to be treated as sensitive, confidential information
• Passwords should never be written down
• Do not reveal a password in email, chat, or other electronic communication
• If someone demands a password, refer them to this document.
• If an account or password compromise is suspected, report the incident to the DOT.Comm Service Desk

For more tips on how to make a harder to guess password, please refer to Appendix A: Strong Password Creation Tips

Exception Process:

Any requests for exception to this policy can be sent to your IT coordinator.

Enforcement:

An employee violating this policy may be subject to disciplinary action according to respective organizational policies, including, but not limited to:

• City of Omaha: City Personnel Policy #32 – Computer and Network Use – Employee Rights and Privileges

• Douglas County Civil Service Commission – Personnel Policy Manual – Article 21: Internet, Computer, and Software Usage

• DOT.Comm – Computer and Network Use Policy

• IT Oversight Committee Security Policies

Revision History:

January 16, 2013 – Adopted


Appendix A: Strong Password Creation Tips

Try to create stronger passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (NOTE: Do not use either of these examples as passwords!)

• Always decline the use of the "Remember Password" feature of applications (e.g., Firefox, Eudora, Outlook, Netscape Messenger).
• Always use different passwords for work accounts from other non-work access (e.g., personal ISP account, option trading, benefits, etc.).
• Always use different passwords for various work access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.

Weak passwords have the following characteristics:

• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
  o Names of family, pets, friends, co-workers, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
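As an added illustration, not part of the DOT.Comm policy and not an Active Directory configuration, the following Python check applies the complexity, length and ten-password history rules from the policy together with the weak-password characteristics listed in this appendix. The common-word list, the PBKDF2 round count and the sample passwords are constructed for the demo.

```python
import hashlib
import re
import secrets
from typing import List, Optional, Tuple

# The four character classes named in the policy; at least three must be present.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "other": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 8          # "at least eight characters"
HISTORY_DEPTH = 10      # "not the same as the last ten passwords"
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; production uses far more

# Constructed stand-in for the "common usage words" of Appendix A (a real deployment
# would load a dictionary and a list of local names and terms).
COMMON_WORDS = {"secret", "password", "omaha", "fluffy", "admin", "welcome"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zyxwvuts", "abcdef", "123456", "123321")

HistoryEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest); oldest entry first


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if secrets.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def remember(password: str, history: List[HistoryEntry]) -> None:
    """Record an accepted password and drop entries older than the policy's window."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]


def weak_pattern(password: str) -> Optional[str]:
    """Apply the Appendix A 'weak password' characteristics; returns a reason or None."""
    p = password.lower()
    core = p.strip("0123456789")  # catches the "secret1" / "1secret" variants
    for candidate in (p, core, core[::-1]):  # the word itself, digit-stripped, and backwards
        if candidate in COMMON_WORDS:
            return f"based on common word {candidate!r}"
    for pat in KEYBOARD_PATTERNS:
        if pat in p or pat[::-1] in p:
            return f"contains keyboard/number pattern {pat!r}"
    if re.fullmatch(r"(.)\1{2,}(.)\2{2,}", p):  # aaabbb-style character runs
        return "repeated-character pattern"
    return None


def check_password(password: str, history: Optional[List[HistoryEntry]] = None) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append(f"uses only {len(present)} of 4 character classes ({', '.join(present) or 'none'})")
    if history and in_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    reason = weak_pattern(password)
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    hist: List[HistoryEntry] = []
    for candidate in ("secret1", "Password1", "Corn#Husk3r"):  # constructed samples
        print(candidate, "->", check_password(candidate, hist) or "OK")
    remember("Corn#Husk3r", hist)
    print("reuse ->", check_password("Corn#Husk3r", hist))
```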


DOT.Comm

Procedure

DOT.Comm IT Security –

Internal/External Network

Vulnerability Handling Procedure

Owner: Service Owner, DOT.Comm IT Security

Effective Date: 1/16/2012

Review Schedule: Annual

Last Review Date: 12/26/2012

Last Revision Date: 12/18/2012

Approved by: DOT.Comm CIO / City and County IT Coordinators

Purpose:

This document puts in place accountabilities and defines the process for internal and external vulnerability scanning, remediation of identified risks and exception handling in order to increase the security and integrity of enterprise systems, and promote risk awareness.

The intent of this document is to:

1. Outline the active vulnerability lifecycle: identification, prioritization, remediation and exception handling
2. Identify roles and responsibilities

Scope:

This DOT.Comm procedure defines the steps of the active vulnerability lifecycle. Authorization to perform this work is defined in the Network Vulnerability Scanning Policy, which is an Enterprise (IT Oversight Committee) policy.

Systems or applications that are malicious or causing outages on the Enterprise Network will be handled with greater urgency and will be classified as Priority 1 or Priority 2 incidents. These time-critical incidents, which are not in scope for this policy, will be addressed by the DOT.Comm Service Desk.

Procedure:

Identification of Vulnerabilities

1. Initiate vulnerability scan
2. Create preliminary list of vulnerabilities
3. Identify and remove false positives, clean up raw data, and update the existing Vulnerability Tracking Spreadsheet (VTS)

Prioritization and Assignment of Identified Vulnerabilities

1. Prioritize scan results by CVSS score
2. Review vulnerabilities with impacted technical teams, service owners, or business process owners to perform further false positive removal and evaluate business impact


3. Assign remediation task through Service Desk (ticketing) software to responsible teams. Service requests will be placed with the following priorities:
  a. CVSS High 9.0 to 10.0 – Priority 2/3 Service Request (based on risk assessment)
  b. CVSS High 7.0 to 8.9 – Priority 4 Service Request
  c. CVSS Medium 4.0 to 6.9 – Priority 5 Service Request
  d. CVSS Low 0 to 3.9 – Noted on master list, no ticket created
4. Review VTS monthly with the IT Security Stakeholders from DOT.Comm, City, and County

Remediation

1. Service Owner determines and implements remediation effort which may include:
  a. Modify or patch operating system or application
  b. Replace current application with compliant application version
  c. Move the application to different hardware or platform
  d. Other mitigation efforts to reduce risk
  e. Remove system or application from Enterprise Network
2. Use IT Change Management Process to implement remediation
3. Request re-scan to ensure remediation efforts have removed or minimized vulnerabilities

All requests for additional resources or funding will be escalated through the Manager of IT Security.

Exception Handling

If a system or application has an identified vulnerability and cannot be remediated through best efforts, one of the following remediation actions will be implemented:

1. Add identified system or application to the vulnerability exception list
  • The respective service owner / business process owner, IT Coordinators, and the DOT.Comm CIO must all agree
  • The vulnerability exception list is maintained by the Manager of IT Security and includes the following attributes: vulnerability name, date identified, list of systems affected, risk description, expiration date, and tracking notes
  • The exception list will be reviewed with IT Coordinators and the DOT.Comm CIO on a monthly basis
2. Removal of a system or application from the network
  • If the addition to the vulnerability exception list is not agreed to by the respective service owner / business process owner, IT Coordinators, and the DOT.Comm CIO then the system or application must be removed from the network. A recommendation will be made to the IT Oversight Committee
  • The IT Oversight Committee approves the removal of the application or system from the network or accepts the risk of the vulnerability

A flow chart of this process is included in Appendix A.
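As an added example, not DOT.Comm's tooling and not the VTS spreadsheet, the following Python routine applies the prioritization and exception-handling rules above to a constructed set of scan findings: false positives are dropped, CVSS scores map to the Service Request priorities in step 3, findings covered by an unexpired entry on the exception list are held, and an expired exception or an uncovered 9.0+ finding is flagged as a removal candidate for the IT Oversight Committee. Host names, vulnerability names, scores and dates are constructed, and the `critical_hosts` parameter is an assumed stand-in for the risk assessment that chooses Priority 2 over Priority 3.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Finding:
    host: str
    vuln: str
    cvss: float
    false_positive: bool = False   # set during raw-data cleanup / team review


@dataclass
class ExceptionEntry:
    """One row of the vulnerability exception list, with the attributes the procedure names."""
    vuln: str
    systems: Tuple[str, ...]
    date_identified: date
    expires: date
    risk_description: str = ""


@dataclass
class Action:
    host: str
    vuln: str
    cvss: float
    disposition: str            # "ticket", "note", "exception" or "expired-exception"
    priority: Optional[int]     # Service Request priority; None when no ticket is opened
    escalate: bool              # CVSS 9.0+ with no valid exception: removal candidate


def ticket_priority(cvss: float, risk_assessed_critical: bool = False) -> Optional[int]:
    """Map a CVSS base score to the Service Request priority of step 3."""
    if cvss >= 9.0:
        return 2 if risk_assessed_critical else 3   # "Priority 2/3 (based on risk assessment)"
    if cvss >= 7.0:
        return 4
    if cvss >= 4.0:
        return 5
    return None                                     # Low: noted on master list, no ticket


def find_exception(finding: Finding, exceptions: Iterable[ExceptionEntry]) -> Optional[ExceptionEntry]:
    for entry in exceptions:
        if entry.vuln == finding.vuln and finding.host in entry.systems:
            return entry
    return None


def triage(findings: Iterable[Finding], exceptions: Iterable[ExceptionEntry],
           today: date, critical_hosts: Tuple[str, ...] = ()) -> List[Action]:
    """Turn cleaned scan results into the dispositions the procedure prescribes."""
    actions: List[Action] = []
    exceptions = list(exceptions)
    for f in findings:
        if f.false_positive:
            continue                                  # removed in identification step 3
        entry = find_exception(f, exceptions)
        if entry is not None and entry.expires >= today:
            actions.append(Action(f.host, f.vuln, f.cvss, "exception", None, False))
            continue
        priority = ticket_priority(f.cvss, f.host in critical_hosts)
        if entry is not None:
            disposition = "expired-exception"         # needs re-approval or removal
        else:
            disposition = "ticket" if priority is not None else "note"
        actions.append(Action(f.host, f.vuln, f.cvss, disposition, priority, f.cvss >= 9.0))
    return sorted(actions, key=lambda a: a.cvss, reverse=True)


# Constructed sample scan output and exception list (not real systems or findings).
SAMPLE_FINDINGS = [
    Finding("web01", "Outdated TLS library", 9.8),
    Finding("app02", "Outdated TLS library", 9.8),
    Finding("db01", "Weak cipher suites enabled", 5.3),
    Finding("print01", "Service banner disclosure", 2.1),
    Finding("legacy01", "Unsupported operating system", 9.1),
    Finding("legacy02", "Unsupported operating system", 9.1),
    Finding("scan-fp", "Outdated TLS library", 7.5, false_positive=True),
]
SAMPLE_EXCEPTIONS = [
    ExceptionEntry("Unsupported operating system", ("legacy01",), date(2013, 1, 10),
                   date(2013, 6, 30), "vendor application pinned to this OS"),
    ExceptionEntry("Unsupported operating system", ("legacy02",), date(2012, 9, 1),
                   date(2012, 12, 31), "exception lapsed at year end"),
]


def sample_triage(today: date = date(2013, 2, 1)) -> Dict[str, Action]:
    """Run the sample through triage, keyed by host for easy lookup."""
    return {a.host: a for a in triage(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today,
                                      critical_hosts=("app02",))}


if __name__ == "__main__":
    for a in sample_triage().values():
        print(f"{a.host:10} {a.cvss:4.1f} {a.disposition:18} P{a.priority or '-'} escalate={a.escalate}")
```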


Roles and Responsibilities

Manager of IT Security (DOT.Comm)

• Responsible to identify and resolve system and application vulnerabilities

• Vendor manager of external scanning providers

• Network Vulnerability Process Owner

IT Service Owner

• Responsible for determining the appropriate action needed to address a vulnerability

• Utilizes the IT Change Management process during remediation

• Informs the Manager of IT Security of changes in risk status

CIO / Service and/or Business Process Owner / IT Coordinators

• Makes executive exception handling decisions, including acceptance of risk

Revision History:

January 16, 2013 – adoption


Appendix A: Vulnerability Lifecycle Flowchart