RECORD OF RESOLUTIONS
Resolution No. 42-25

ADOPTING AN INFORMATION SECURITY POLICY FOR THE CITY OF DUBLIN, OHIO

WHEREAS, the City of Dublin ("the City") recognizes that technology and information are critical business assets for achieving the City's strategic goals and is committed to safeguarding said assets amid the current and ever-changing threat landscape; and

WHEREAS, information security is a holistic discipline, such that its application or lack thereof affects all facets of an organization or enterprise; and

WHEREAS, the ability to manage, control, and protect this information will have a direct and significant impact on the City's future success; and

WHEREAS, in order to effectuate this security, the City wishes to adopt a formal Information Security Policy; and

WHEREAS, the purpose of the Information Security Policy is to outline the actions and behavior necessary to mitigate inappropriate risks; and

WHEREAS, this Policy establishes City Council's commitment to the protection and responsible use of technology and information collected from and about its residents, staff, business partners, and others who have entrusted their information to the City; and

WHEREAS, City Council will provide ongoing support for the City's information security program through strategic oversight and appropriate budget allocations; and

WHEREAS, this Policy establishes the need to develop and maintain an Information Security Program and serves as the framework from which other information security administrative policies and procedures may be developed, ensuring that the City can efficiently and effectively manage, control, and protect its business information assets and technologies.

NOW, THEREFORE, BE IT RESOLVED by the Council of the City of Dublin, State of Ohio, 7 of the elected members concurring, that:

Section 1. Council hereby adopts the Information Security Policy attached hereto and incorporated herein as Exhibit A.

Section 2. Council further hereby authorizes and directs the City Manager, the Director of Law, the Director of Finance, the Clerk of Council, or other appropriate officers of the City to take any other actions as may be appropriate to implement this Policy without further legislation being required.

Section 3. This Resolution shall take effect in accordance with Section 4.04(a) of the Dublin Revised Charter.

Passed this ____ day of __________, 2025.

Mayor - Presiding Officer of Council

ATTEST:

Memo
Office of the City Manager
5555 Perimeter Drive • Dublin, OH 43017
Phone: 614.410.4400

To: Members of Dublin City Council's Administrative Committee
From: Megan D. O'Callaghan, City Manager
Date: June 26, 2025
Initiated By: Brandon Brown, Chief Innovation & Technology Officer; Jim Connolly, Director of Information Technology
Re: Resolution No. 42-25, Adopting an Information Security Policy for the City of Dublin, Ohio

Background

At the City Council's 2024 Fall Retreat, staff were directed to draft a City Council Information Security Policy. The first draft was presented and discussed at the March 4, 2025 Administrative Committee meeting. Feedback was incorporated into a second draft that was presented and discussed at the June 17, 2025 Administrative Committee meeting. At the June 17 meeting, the Administrative Committee recommended minor changes and then passed a motion to recommend the Information Security Policy, as amended, to City Council for adoption.

The development of the proposed Information Security Policy was informed by extensive research and benchmarking within both the public and private sectors, as well as consultations with our valued partners. This draft policy establishes City Council's commitment to the protection and responsible use of technology and information collected from and about its residents, staff, business partners, and others who have entrusted their information to the City of Dublin.

Guidance for the creation and review of this proposed policy was provided by the City's vCISO (virtual Chief Information Security Officer). Beyond this work, the vCISO plays a critical role in advising on all levels of the information security hierarchy, monitoring emerging threats and standards, supporting the development and execution of the information security strategic plan, overseeing assessments and remediation efforts, and ensuring the transfer of knowledge to staff. To further assist in shaping this proposed policy, Gartner resources, including industry research articles, template examples and analyst consultations, were utilized.

Benchmarking local agencies in the region revealed no formalized ordinances, resolutions or council documents establishing a City Council Information Security Policy. Further regional and nationwide research revealed the use of proclamations and "statements" acknowledging the importance and support of information security.

This proposed policy would complement a suite of Administrative Orders (AO) governing and guiding the use of technology and data in the City of Dublin:

- AO 9.1 Information Security Policy - Establishes the framework from which other information security policies are developed to ensure the City can manage, control and protect our information assets.
- AO 9.2 Technology Use Policy - Establishes acceptable practices regarding the use of City information resources and technology assets.
- AO 9.3 Data Classification and Protection Policy - Establishes how information is protected against unauthorized access or misuse and how it is to be secured and controlled.
- Draft AO 9.4 AI Guidance Policy - Establishes the acceptable use of AI technologies.

(Memo re. Information Security Policy, July 1, 2025, Page 2 of 2)

Recommendation

Staff recommends the approval of Resolution No. 42-25, adopting the Information Security Policy.
Exhibit A

City of Dublin, Ohio
Information Security Policy

Background

The City of Dublin recognizes that technology and information are critical business assets for achieving the City's strategic goals and is committed to safeguarding these assets amid the current and ever-changing threat landscape. Information security is a holistic discipline, meaning that its application, or lack thereof, affects all facets of an organization or enterprise. The ability to manage, control and protect this information will have a direct and significant impact on the City's future success.

Purpose

The purpose of the Information Security Policy is to outline the actions and behaviors necessary to ensure that due care is taken to mitigate inappropriate risks. This policy establishes City Council's commitment to the protection and responsible use of technology and information collected from and about its residents, staff, business partners and others who have entrusted their information to the City of Dublin. City Council will provide ongoing support for the City's information security program through strategic oversight and appropriate budget allocations.

This document establishes the need to develop and maintain an Information Security Program and serves as the framework from which other information security policies and procedures may be developed, ensuring that the City can efficiently and effectively manage, control and protect its business information assets and technologies.

Scope

This policy applies to all technology and information resources of the City of Dublin, including those used by employees, City Council, Board and Commission members, third-party partners, contractors and service providers. It aims to ensure that information and data are protected during storage, use and transmission. Additionally, it seeks to defend all technology assets, including hardware, software, infrastructure, communications and data storage systems.

Information Security Program

The City will establish and maintain an Information Security Program grounded in the most current NIST (National Institute of Standards & Technology) Cybersecurity Framework, implemented through a hierarchical set of policies, standards, guidelines, procedures and plans to manage and mitigate risks. These documents shall be developed to maintain the required level of security as established by NIST, CISA (Cybersecurity & Infrastructure Security Agency), the State of Ohio, Dublin City Council, the City Manager or the Chief Innovation & Technology Officer.

The goal of the Information Security Program is to protect the Confidentiality, Integrity and Availability of the data and systems employed within the organization while providing value to the way we conduct business. These security fundamentals are defined as:

Confidentiality – Ensuring that information is accessible only to authenticated and authorized entities, often enforced by the classic "need-to-know" principle.

Integrity – Safeguarding the accuracy and completeness of information, along with the methods employed to process and manage it.

Availability – Ensuring that information assets (including information, systems, facilities, networks and computers) are accessible and usable when needed by authorized entities.

Information security policies are high-level documents that define the objectives and principles for information security. Topic-specific policies will be developed to address specific security needs. The supporting documents, including standards, guidelines, procedures and plans, are often confidential and more technical in nature and serve to implement policy objectives in a measurable and repeatable manner.

Standards establish mandatory requirements and boundaries for policy compliance.
Guidelines/Best Practices provide recommended, non-mandatory directions for complying with policies.
Plans outline the activities that will follow a specific incident or business interruption.
Procedures provide step-by-step directions to complete specific tasks.

The Information Security Program shall be designed and operated to allow the City to maintain cybersecurity insurance, contingent upon its ability to purchase it.

In addition to policies, standards, guidelines, plans and procedures, key components of the Information Security Program are:

Risk, Classification and Assessment

City staff will evaluate identified risks and either treat them to reduce exposure or formally accept them, as determined by the identified risk owner. Risk management and mitigation are achieved through the use of administrative, physical and technical controls. Information assets are to be classified according to their sensitivity and criticality. The collection of information assets shall adhere to a stringent "need-to-know" (data-minimization) principle throughout the entire data lifecycle, ensuring that only the information required to accomplish the task or request is collected and stored.

Critical functions, systems and data essential to the City's operations will be subject to annual third-party risk assessments. All risk assessments are based on the NIST Cybersecurity Framework. Risk assessments must produce reporting that is consistent and usable for all stakeholders. Third-party partners and service providers will be assessed, and subsequently audited, for compliance with the City's policies, standards and guidelines.

Annual Reporting

Annual reporting to City Council will occur prior to budget work sessions or at City Council's request. The information report will include, but is not limited to, the following:
• Updates on security initiatives.
• High-level risk assessment results.
• Annual security policy review and updates.
• Significant threats to the City's information as identified by the City Manager and/or the Chief Innovation & Technology Officer.
• Testing results from third-party vendors, e.g., external penetration testing.
• Any security incidents and follow-up actions.
• Annual cybersecurity financial review and budget execution.
• Cybersecurity insurance policy.

Incident Reporting

The Information Technology Security Incident Response Plan will define the severity levels of cybersecurity incidents. This plan requires the Chief Innovation & Technology Officer to report any significant cybersecurity incident to the City Manager, Law Director, City Council and relevant partners. Notification should occur, within a reasonable timeframe, if the incident has a high severity level or a significant impact on the organization's operations, reputation or financial standing. Additionally, incidents that involve breaches of regulatory requirements, attract public attention, require strategic decisions or policy changes, necessitate significant resource allocation, demand coordinated response efforts or impact the organization's reputation or public trust should be reported.

The City will adhere to Ohio Revised Code § 1347.12, reporting any data breaches in accordance with municipal cybersecurity guidelines and the direction of the Law Director. Per contract requirements, third-party partners and service providers will be required to notify the City's Information Technology Team, within a reasonable timeframe, of any security incident.

Education and Testing

The City will provide ongoing education, training and awareness programs to ensure City Council members, Board and Commission members and staff are informed of security threats and equipped to follow security protocols. In alignment with the City's Emergency Operations Plan, incident response, disaster recovery and business continuity plans will be developed, tested as required and continually improved.

Roles and Responsibilities

City Council members will support the City's Information Security Program and promote information security education and training.

City Council members, Board and Commission members and staff are responsible for adhering to security protocols, reporting suspicious activities and completing cybersecurity training.

The City's Information Technology team is responsible for developing and reviewing information security policies, standards, guidelines, procedures and plans. The team also reviews the effectiveness of policy implementation and ensures that security activities are carried out in compliance with these policies. Additionally, the team enforces the security measures defined in the policies, conducts and leads internal and third-party risk assessments, develops and provides training for City employees, and reports on security initiatives and defined metrics to City Council.

Per contract requirements, third-party partners and service providers must review, acknowledge and comply with the City's security policies and standards. They are required to use information resources solely for their designated purposes and to report any security incidents to the designated personnel.