Oversight Committee Meeting Agenda
January 16, 2013 – 2:30 p.m.
Jesse Lowe Conference Room – 3rd Floor, Civic Center
1819 Farnam Street, Omaha, NE 68183
As required, please be advised that a copy of the rules of the Open Meetings Act as amended by LB898 is located in the
folder on the north wall of the Jesse Lowe Conference Room and assistance will be provided for anyone needing help.
1. Call to Order
2. Approval of minutes from December 13, 2012 meeting
3. Standing Business
• IT Service Management – Stangl
• Master Service Agreement Update
o Small Group Working Sessions Scheduled
• Projects – Svevad
• Security – Kruse
• Financial – Kruse/Schaefer
• Organization – Kruse
• Innovation – Kruse
4. New Business
• Coventry 2013 Renewal (Resolution for Ratification) – Kruse
• Scanning Policy (Request for Approval) – Kruse
• Password Policy (Request for Approval) – Kruse
5. Public Comments
6. Next Regular Meeting – February 20, 2013 (2:30-4:00 p.m.) Jesse Lowe Conference Room, Civic Center
7. Executive Session for the purpose of discussing personnel and legal issues in conformance with
Nebraska Rev. Stat. 84-1410(d).
8. Adjourn
Page 1 of 3
DOT.Comm Oversight Committee
Meeting Minutes
December 13, 2012 – 3:30 p.m.
Jesse Lowe Conference Room, Civic Center, 3rd Floor
PRESENT: Deb Sander – (City)
Elizabeth Davis – (City)
Joseph Lorenz – (County)
Pam Spaccarotella – (City)
John Friend – (County)
Mike Schonlau – (County)
ABSENT: Brian Young – (Citizen Member)
GUESTS: Bernard in den Bosch – (Legal)
Derek Kruse – (DOT.Comm)
Tracy Svevad – (DOT.Comm)
Greg Andersen – (DOT.Comm)
Bob Nord – (DOT.Comm)
Julie Stangl – (DOT.Comm)
Vince Icenogle – (City)
Dianne Wallace – (County)
Acting Chair Deb Sander called the meeting to order at 3:36 p.m. She advised that the rules for
the Open Meeting Act are located in a folder on the north wall of Jesse Lowe Conference Room.
Approval of Minutes:
• Sander called for approval of the minutes from the last meeting on November 29, 2012.
Hearing no discussion, Lorenz moved to approve the minutes as distributed. Davis
seconded the motion. Motion passed unanimously.
Old Business:
• Year-end Projection for 2012 – Kruse reported that DOT.Comm is estimating $166,000
carryover to our fund balance at year end. More will be reported at the next meeting
on this.
• Scorecard for December 13, 2012 - Svevad reviewed the Scorecard with the following
presentations:
• IT Service Management – Stangl gave her update for 12/13/2012. Julie outlined the
High Level Project Plan and reviewed the Proposed Service Review Plan with the
Oversight Committee. (Handout was included in the packet of meeting materials).
• Web Projects – Svevad reviewed the Web Services and went over the program status
summary of In-Flight projects. She then discussed the Web Applications in the pipeline
and the prioritizing of each by the IT Coordinators. She next reviewed the Web Sites
project status and Web Site projects in the pipeline, also prioritized by the IT
Coordinators. (Handout was included in the packet of meeting materials).
• Web Services Transformation Update – Kruse reported that we have requested
additional proposals with vendors and will bring this to the January 16th meeting for
Executive Session.
• Draft MSA – Kruse stated that the draft copy of the Managed Services Agreement
(handout in packet of meeting materials) is still a work in progress and should be
completed by year-end. In reviewing the draft, Spaccarotella asked if there would be a
termination clause included in the final draft. Kruse stated the usual industry standards
do not have that clause and Spaccarotella requested further discussion on that matter.
Spaccarotella also asked questions on Appendix B as to defining what is core or non-
core, per the Inter-local Agreement. The Inter-local Agreement will be reviewed and the
definition may need to be revised. There was discussion regarding Appendix C and the
SLAs and Industry Standards. We will need a tracking tool for SLAs. Lorenz suggested
and requested that there be a working session to go page-by-page through the draft of
the MSA to come to a final agreement. This will be set up for some time in late January
or early February. It was suggested that we start with Desktop Services and then group
working sessions based on the 26 services that will be prioritized and a schedule built.
Sessions will include the IT Coordinators in separate City and County sessions. Sessions
should be kept small so that an agenda and public posting will not be necessary.
• Cyber Security – Greg Andersen, Information Security Manager for DOT.Comm,
continued with his presentation on Cyber Security carried over from the 11/29/2012
meeting.
New Business:
• CPAN Analysis – Svevad reported that a project has been opened to analyze CPAN and
the best way to make updates to that revenue generating program that has become
outdated and difficult to use. More will be reported on this after the analysis is
complete.
• Update on Wireless – Kruse reported that the Building Commission has committed to
$126,000 funding for wireless, $50,000 committed by the County and $23,000 by the
City. Equipment will begin to be ordered.
• Email Update – Kruse and Nord reported that they went to a meeting with the State to
learn about their email upgrade. A project has been put in place and proposals have
gone out. We are working on the new requirements. The State is working on
unbundling services for the email system and they will also be giving us a proposal by
the end of January, 2013.
Public Comments:
• There were no public comments at this time.
Next Meeting:
• The next meeting of the DOT.Comm Oversight Committee is (REVISED) Wednesday,
January 16th, 2013 from 2:30-4:00 p.m. at Jesse Lowe Conference Room. The 2013
Meeting Schedule was included in the packet handout. Lorenz then announced that this
will be the last meeting for Spaccarotella as she is leaving the City at the end of the year.
She was applauded, thanked and wished well.
Adjournment:
• A motion to adjourn to Executive Session for the purpose of discussion of a personnel
issue was made at 4:48 p.m. by Friend. Seconded by Lorenz. Meeting adjourned to
Executive Session.
Minutes by: Jeanette Butzin
Project Update – Request Handling Flow (figure residue; stages recovered from the diagram):
1. Request
2. Technology & Architecture review – Effort, Cost
3. Review & Approval – Boards; ITCs & CIO
4. Prioritized Queue – FIFO; ITCs & CIO
5. Execution
Project Scorecard – January 16, 2013 (chart residue; the original was a set of Gantt-style charts)
Legend: CI = City, DC = County, DOT = DOT.Comm; bar status: Completed / Pending/On-Hold; phases: Initiation, Definition, Select Vendor, Execution, Closing, Go-Live; timeline Nov through Oct
Chart 1:
CI-Fatpot 1049 & 1293 – 3-1-13 Phase 1
DC-OMS App Implement 1303
DC-Attorney Vic Witness 1254
DC-Juvenile Attorney Pay 1149 – 1-25-13
DC-Attorney RFID Tracking 1248 – 1-14-13
(unattributed date on chart: 7-12-13)
Chart 2:
No individual projects > 160 Hours
FileBound Migrations TBD – ROD Only: Vital Stats – 100%; Clerk of District Court – 75%; County Clerk – 50%; Probation – 50%; Sheriff – 50%; ROD – 25%
Chart 3:
Oracle Rice 1065
Oracle R12 Upgrade 1042
(unattributed dates on chart: 5-28-13, 5-28-13)
Chart 4:
PfS – Access & Security
PfS Monitor – Network Phase 2
12-2-12 1st Firewall
Enterprise Email Upgrade
Active Directory Upgrade
1-31-2013 Solution Recommendation
Enterprise Wireless
Chart 5:
CI/DC-Faster 6 Upgrade 1082
CI-Public Works Internet 1272 – 6-10-13
DC-EMA Internet 1314
CI-Solid Waste 1001 – 7-31-13
DC-HD Diabetes Internet 1316
DC-Treasurer Updating VTR 1197 – 2-28-13
(unattributed dates on chart: 2-25-13, TBD)
Project Status Report – as of January 2, 2013
Project ID: 1272   Project Name: PWKs General Services Public Internet
Project Manager: Walter Woodford   Project Sponsor: Heather Tippey Pierce   Department: PWKs - General Services
Project Goal: Redesign the public facing Omaha City Public Works Internet sites to improve citizen experience and usability
Initiation Start: 10/1/2012   Go-Live: 06/10/13
Project Phase: Execution   Project Budget: Est. Hours: 1,300   Act. Hours: 371
Overall Status: G
Summary Update: Parking page is nearing completion. Sewer Maintenance page is scheduled next. Traffic is next in queue; intermediate schedule is being updated. No risk to project.
Status Legend: G = as planned; Y = corrective action plan; R = management attention required
Major Milestones:
 #   Milestone                             Org Date   New Est    % Comp   Status   Risk Key
 1   Parking Web Page                      12/27/12   01/07/13   90%      G        A, B
 2   Sewer Maintenance                     01/11/13   01/15/13   90%      G        A, B
 3   Traffic - Proposed Change             01/24/13              0%       G        A, B
 4   Fleet Maintenance - VMF               02/07/13              0%       G        A, B
 5   Street Maintenance - Proposed Change  02/21/13              0%       G        A, B
 6   Design                                03/07/13              0%       G        A, B
 7   Facilities                            03/21/13              0%       G        A, B
 8   Construction                          04/04/13              0%       G        A, B
 9   UAT                                   04/24/13              0%       G        A, B
10   Closure                               05/08/13              0%       G        A, B
11   End                                   06/13/13              0%       G        A, B
Major Risks / Issues (Mitigation / Action):
A   R - Dependent upon a Primary Webmaster; priorities and unplanned events
B   R - Departmental (Client) Readiness
DOT.Comm December 2012 Training
(Areas that we focused on in December)
Business Intelligence: Webfocus
Project Management
Desktop Support
Server Support
Service Desk
January 16, 2013 – Resolved by the Douglas-Omaha Technology Commission (DOT.Comm):
WHEREAS, DOT.Comm provides group health insurance benefits to its full-time employees; and
WHEREAS, the current contract with Coventry Healthcare to which DOT.Comm is subject shall expire December 31, 2012; and
WHEREAS, the 2013 monthly premiums, guaranteed for a 12 month period, are:
Employee: $497.42
Employee + Spouse: $1,082.10
Employee + Child(ren): $928.35
Family: $1,542.87
WHEREAS, DOT.Comm recommends Coventry as the service provider; and
WHEREAS, the CIO requests approval to ratify his signature to the revised contract with Coventry providing group health insurance from January 1, 2013 to December 31, 2013; and
NOW THEREFORE, BE IT FURTHER RESOLVED, that the signature of the CIO of DOT.Comm on the attached contract between Coventry Healthcare and DOT.Comm for the term January 1, 2013 to December 31, 2013 is hereby ratified.
APPROVED 1/16/2013
Deb Sander, Acting Chair, DOT.Comm Oversight Committee          Date
IT Oversight Committee Policy
Enterprise IT Security – Internal/External Network Vulnerability Scanning Policy
Owner: Service Owner, DOT.Comm IT Security
Effective Date: 1/16/2013
Review Schedule: Annual
Last Review Date: 12/26/2012
Last Revision Date: 12/18/2012
Approved by: City/County IT Oversight Committee
Purpose:
This policy grants authorization to appropriate members of DOT.Comm technical teams and its
authorized vendors to conduct internal and external vulnerability assessments on a regularly
scheduled basis and as deemed necessary by that same staff for reasons not limited to: audits,
security assessments, network hardening, remediation checking, and penetration testing.
This document contains IT terminology; a short glossary has been included in Appendix A.
Scope:
This policy applies to all equipment attached to the Enterprise Network: personal computers,
servers, routers, switches, printers, wireless “smart” devices, and all other network-connected
equipment. This includes equipment (irrespective of ownership) attached to the network via:
• Internal wired and wireless networks
• External networks and DMZ
• Virtual Private Network (VPN)
• Any other connection
Policy:
1. Vulnerability scanning will only be performed by designated employees and designated
vendors.
2. Vulnerability scanning may be scheduled or ad hoc.
3. Penetration Testing may be intrusive and will only be performed as scheduled and
approved through the Change Management process.
4. The DOT.Comm Network Vulnerability Handling Procedure document will be used in
conjunction with this policy; this procedure defines the steps that will be performed
throughout the vulnerability lifecycle. If an identified system or application with a risk
profile “CVSS Rating” of 9 or 10 is not able to be remediated or risk-accepted, the
system will be removed from the Enterprise Network.
Scheduled Scans
• Monthly Internal vulnerability scanning
• Quarterly External vulnerability scanning
Ad hoc Scans
• Adding new equipment to the data center or Enterprise network (As needed)
• Validating remediation steps
• Testing high-risk or questionable systems
• Testing against newly found security vulnerabilities
Penetration Testing
Needs for penetration testing may include:
• Server and network hardening
• Regular or ad hoc testing of critical or private systems
• Audit requirements
Enforcement:
Any scanning performed by unauthorized personnel may be interpreted to be malicious and
action will be taken to enforce appropriate use policies and appropriate security policies
according to respective organizational policies, including, but not limited to:
• City of Omaha: City Personnel Policy #32 – Computer and Network Use – Employee
Rights and Privileges
• Douglas County Civil Service Commission – Personnel Policy Manual – Article 21:
Internet, Computer, and Software Usage
• DOT.Comm – Computer and Network Use Policy
• IT Oversight Committee Security Policies
Appendix A: IT Terminology Definitions
Demilitarized Zone / DMZ (NIST Glossary)
A host or network segment inserted as a “neutral zone” between an organization’s
private network and the Internet.
Penetration Testing (NIST Glossary)
Security testing in which evaluators mimic real-world attacks in an attempt to identify
ways to circumvent the security features of an application, system, or network.
Penetration testing often involves issuing real attacks on real systems and data, using the
same tools and techniques used by actual attackers. Most penetration tests involve
looking for combinations of vulnerabilities on a single system or multiple systems that
can be used to gain more access than could be achieved through a single vulnerability.
Common Vulnerability Scoring System / CVSS (NIST NVD)
The Common Vulnerability Scoring System (CVSS) provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities. Its quantitative
model ensures repeatable accurate measurement while enabling users to see the
underlying vulnerability characteristics that were used to generate the scores. Thus,
CVSS is well suited as a standard measurement system for industries, organizations, and
governments that need accurate and consistent vulnerability impact scores. Two common
uses of CVSS are prioritization of vulnerability remediation activities and in calculating
the severity of vulnerabilities discovered on one's systems. The National Vulnerability
Database (NVD) provides CVSS scores for almost all known vulnerabilities.
Revision History:
January 16, 2013 – Adopted
IT Oversight Committee Policy
Enterprise IT Security – Network Password Policy
Owner: Service Owner, DOT.Comm IT Security
Effective Date: 4/8/2013
Review Schedule: Annual
Last Review Date: 1/2/2013
Last Revision Date: 1/2/2013
Approved by: City/County IT Oversight Committee
Purpose:
Establish an enterprise network password standard enforced through Active Directory software for the use of complex passwords, frequency of change, and the protection of those passwords. The Active Directory account (network login) is the gateway to the Enterprise Network through Windows logon, VPN, and Wireless access. The intent is to increase the security of our enterprise systems and create a centralized document to establish password standards following the SANS (System Administration, Network, and Security) Institute best practice.
Scope:
Passwords administered through Active Directory (network passwords).
Policy:
Password Complexity
• Password must contain at least three of the four following character classes:
o Lower case characters
o Upper case characters
o Numbers
o Other characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.)
• Password must contain at least eight characters
• Password must not be the same as the last ten passwords
Password Change Frequency
• Password must be changed at least every 90 days; it can be changed more frequently if desired
o Two weeks prior to password expiration, the user will be prompted to change the password at network login.
o When the password has expired, the account will be locked.
o If the account needs to be unlocked, it will require a call to the DOT.Comm Service Desk
Password Protection
• Account will be locked after 5 failed login attempts
o Account will automatically unlock after 30 minutes
o If unable to wait 30 minutes, the account will have to be manually unlocked through the DOT.Comm Service Desk
• Do not share passwords with anyone
o All passwords are to be treated as sensitive, confidential information
• Passwords should never be written down
• Do not reveal a password in email, chat, or other electronic communication
• If someone demands a password, refer them to this document.
• If an account or password compromise is suspected, report the incident to the DOT.Comm Service Desk
For more tips on how to make a harder to guess password, please refer to Appendix A: Strong Password Creation Tips
Exception Process:
Any requests for exception to this policy can be sent to your IT coordinator.
Enforcement:
An employee violating this policy may be subject to disciplinary action according to respective organizational policies, including, but not limited to:
• City of Omaha: City Personnel Policy #32 – Computer and Network Use – Employee Rights and Privileges
• Douglas County Civil Service Commission – Personnel Policy Manual – Article 21: Internet, Computer, and Software Usage
• DOT.Comm – Computer and Network Use Policy
• IT Oversight Committee Security Policies
Revision History:
January 16, 2013 – Adopted
Appendix A: Strong Password Creation Tips
Try to create stronger passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (NOTE: Do not use either of these examples as passwords!)
• Always decline the use of the "Remember Password" feature of applications (e.g., Firefox, Eudora, Outlook, Netscape Messenger).
• Always use different passwords for work accounts from other non-work access (e.g., personal ISP account, option trading, benefits, etc.).
• Always use different passwords for various work access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.
Weak passwords have the following characteristics:
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
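The complexity rule (three of four character classes, eight characters, none of the last ten), together with the Appendix A weak-password characteristics, expressed as a pre-check routine. This is an added example, not part of the policy and not DOT.Comm's Active Directory enforcement; the word and pattern lists are small constructed stand-ins for a real dictionary, and hashing the history with SHA-256 is an assumption made so the check never keeps old passwords in clear text.

```python
import hashlib
import re

# Policy parameters taken from the Network Password Policy above.
MIN_LENGTH = 8
MIN_CLASSES = 3
HISTORY_DEPTH = 10

# Constructed stand-ins for a dictionary and the Appendix A pattern list.
WEAK_WORDS = {"secret", "password", "omaha", "welcome", "summer"}
PATTERN_WORDS = {"qwerty", "aaabbb", "zyxwvuts", "123321", "abc123"}

# The four character classes named in the policy.
CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "other": re.compile(r"[^a-zA-Z0-9]"),
}


def hash_password(pw: str) -> str:
    """SHA-256 (assumption) so the history list holds digests, not passwords."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def character_classes(pw: str) -> set:
    """Names of the character classes present in pw."""
    return {name for name, rx in CHARACTER_CLASSES.items() if rx.search(pw)}


def looks_like_weak_word(pw: str) -> bool:
    """Appendix A heuristics: a dictionary word or keyboard/number pattern,
    the same spelled backwards, or preceded/followed by a single digit."""
    core = pw.lower()
    variants = {core, re.sub(r"^\d", "", core), re.sub(r"\d$", "", core)}
    variants |= {v[::-1] for v in variants}          # "terces" -> "secret"
    return any(v in WEAK_WORDS | PATTERN_WORDS for v in variants)


def evaluate_password(candidate: str, history_hashes=()) -> list:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(character_classes(candidate)) < MIN_CLASSES:
        problems.append("too few character classes")
    # Only the last ten entries count, matching the policy's history depth.
    if hash_password(candidate) in list(history_hashes)[-HISTORY_DEPTH:]:
        problems.append("reuses a recent password")
    if looks_like_weak_word(candidate):
        problems.append("dictionary word or pattern")
    return problems


def record_password(history_hashes, new_password: str) -> list:
    """Append the accepted password's digest and keep only the last ten."""
    return (list(history_hashes) + [hash_password(new_password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Candidates constructed for illustration; "TmB1w2R!" is the policy's own sample.
    for pw in ("TmB1w2R!", "secret1", "Password1", "terces"):
        print(pw, "->", evaluate_password(pw) or "compliant")
```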
DOT.Comm Procedure
DOT.Comm IT Security – Internal/External Network Vulnerability Handling Procedure
Owner: Service Owner, DOT.Comm IT Security
Effective Date: 1/16/2012
Review Schedule: Annual
Last Review Date: 12/26/2012
Last Revision Date: 12/18/2012
Approved by: DOT.Comm CIO / City and County IT Coordinators
Purpose:
This document puts in place accountabilities and defines the process for internal and external
vulnerability scanning, remediation of identified risks and exception handling in order to
increase the security and integrity of enterprise systems, and promote risk awareness.
The intent of this document is to:
1. Outline the active vulnerability lifecycle: identification, prioritization, remediation and
exception handling
2. Identify roles and responsibilities
Scope:
This DOT.Comm procedure defines the steps of the active vulnerability lifecycle. Authorization
to perform this work is defined in the Network Vulnerability Scanning Policy, which is an
Enterprise (IT Oversight Committee) policy.
Systems or applications that are malicious or causing outages on the Enterprise Network will be
handled with greater urgency and will be classified as Priority 1 or Priority 2 incidents. These
time-critical incidents are not in scope for this procedure and will be addressed by the
DOT.Comm Service Desk.
Procedure:
Identification of Vulnerabilities
1. Initiate vulnerability scan
2. Create preliminary list of vulnerabilities
3. Identify and remove false positives, cleanup raw data, and update existing Vulnerability
Tracking Spreadsheet (VTS)
Prioritization and Assignment of Identified Vulnerabilities
1. Prioritize scan results by CVSS score
2. Review vulnerabilities with impacted technical teams, service owners, or business
process owners to perform further false positive removal and evaluate business impact
3. Assign remediation task through Service Desk (ticketing) software to responsible teams.
Service requests will be placed with the following priorities:
a. CVSS High 9.0 to 10.0 – Priority 2/3 Service Request (based on risk assessment)
b. CVSS High 7.0 to 8.9 – Priority 4 Service Request
c. CVSS Medium 4.0 to 6.9 – Priority 5 Service Request
d. CVSS Low 0 to 3.9 – Noted on master list, no ticket created
4. Review VTS monthly with the IT Security Stakeholders from DOT.Comm, City, and
County
Remediation
1. Service Owner determines and implements remediation effort which may include:
a. Modify or patch operating system or application
b. Replace current application with compliant application version
c. Move the application to different hardware or platform
d. Other mitigation efforts to reduce risk
e. Remove system or application from Enterprise Network
2. Use IT Change Management Process to implement remediation
3. Request re-scan to ensure remediation efforts have removed or minimized vulnerabilities
All requests for additional resources or funding will be escalated through the Manager of IT
Security.
Exception Handling
If a system or application has an identified vulnerability and cannot be remediated through best
efforts, one of the following remediation actions will be implemented:
1. Add identified system or application to the vulnerability exception list
• The respective service owner / business process owner, IT Coordinators, and the
DOT.Comm CIO must all agree
• The vulnerability exception list is maintained by the Manager of IT Security and
includes the following attributes: vulnerability name, date identified, list of
systems affected, risk description, expiration date, and tracking notes
• The exception list will be reviewed with IT Coordinators and the DOT.Comm
CIO on a monthly basis
2. Removal of a system or application from the network
• If the addition to the vulnerability exception list is not agreed to by the respective
service owner / business process owner, IT Coordinators, and the DOT.Comm
CIO then the system or application must be removed from the network. A
recommendation will be made to the IT Oversight Committee
• The IT Oversight Committee approves the removal of the application or system
from the network or accepts the risk of the vulnerability
A flow chart of this process is included in Appendix A.
Roles and Responsibilities
Manager of IT Security (DOT.Comm)
• Responsible to identify and resolve system and application vulnerabilities
• Vendor manager of external scanning providers
• Network Vulnerability Process Owner
IT Service Owner
• Responsible for determining the appropriate action needed to address a vulnerability
• Utilizes the IT Change Management process during remediation
• Informs the Manager of IT Security of changes in risk status
CIO / Service and/or Business Process Owner / IT Coordinators
• Makes executive exception handling decisions, including acceptance of risk
Revision History:
January 16, 2013 – adoption
Appendix A: Vulnerability Lifecycle Flowchart