HomeMy WebLinkAbout04-04-2025 Admin. Comm. MinutesDUBLIN CITY COUNCIL
ADMINISTRATIVE COMMITTEE
Tuesday, March 4, 2025
5:00 p.m.
5555 Perimeter Drive
Council Chamber
Meeting Minutes
Ms. De Rosa called the March 4, 2025 Administrative Committee meeting to order at 5:00
p.m.
Committee Members present: Vice Mayor Alutto, Ms. De Rosa (Chair), Ms. Kramb
Staff present: Ms. O'Callaghan, Mr. Brown, Mr. Connolly, Mr. Hartmann, Mr. Barker, Ms.
Blake and Ms. Delgado
Others present: Ryan Abraham, FRSecure via‘ Webex
Approval of Minutes
Ms. De Rosa moved to approve the minutes of the February 5, 2025 Administrative Committee
meeting.
Vice Mayor Alutto seconded the motion.
Vote on the motion: Ms. Kramb, yes; Vice Mayor Alutto, yes; Ms. De Rosa, yes.
Items for Discussion
Draft City Council Information Security Policy
Ms. De Rosa stated that Council had requested staff support in the development of a
cyber security policy. Mr. Brown stated that the initial draft of the City Council Cyber
Security Policy was submitted to the Committee in their meeting preparatory materials.
He stated that staff spent some time researching existing policies with peers and
researching what was available at a national level as well. He shared that they also
utilized resources such as Gartner and the City’s new vCSO (Virtual Chief Security
Officer) services. Ryan Abraham from FRSecure serves as the City’s vCSO. He was
present virtually for the meeting. Mr. Abraham introduced himself (Senior Information
Security Consultant) and FRSecure who is a cybersecurity firm based out of Minnesota.
FRSecure provides risk assessments, vCSO services, security ops testing, etc. Mr.
Brown stated that the City is currently in the onboarding phase with FRSecure and soon
we will enter the assessment phase. The assessments will eventually lead to a planning
phase which Council will see come through in budget requests.
Administrative Committee Meeting
March 4, 2025
Page 2 of 4
Regarding a draft policy, Mr. Brown stated that what they learned in their research is
that there are two important considerations in developing a policy which are:
acknowledging that the information and technology is important to the business at hand
and that there are constant threats; and secondly, support through dedicating the time
and space to create an internal information security program. These were the
considerations as they developed the draft. He stated that the policy is the “why”;
standards are the “what” and procedures and guidelines represent the “how”. Mr.
Brown stated that the focus of this discussion and the draft is meant to specifically
answer the question, “what are we trying to achieve at a large scale?”
Mr. Brown introduced the draft City Council Information Security Policy (attached hereto
and incorporated herein by reference as Exhibit A). He provided an overview of what is
included in the draft policy. He stated that this policy would work in conjunction with
Administrative Orders to begin to formulate the standards, plans and procedures for
anything from training to incident response and planning. He highlighted the need to
establish an Information Security Program. Because we are a public entity, risk
assessment and protective measures regarding our residents’ information are critical
components to ensure there is minimal exposure. The education and reporting section
represents the commitment to ongoing education, training and awareness programs to
ensure staff continues to be informed of security threats and equipped to follow
security protocols. It is also in this section that this policy aligns with the City’s
Emergency Operations Plan, incident response, disaster recovery and business
continuity plans, which will continue to be developed, tested and improved. Additionally,
Mr. Brown noted that the City will continue to adhere to Ohio Revised Code § 1347.12,
reporting any data breaches in accordance with municipal cybersecurity guidelines and
the direction of the Law Director. Finally, the roles and responsibilities section defines
how this policy will be carried out, including vendor requirements. Staff sought
feedback from the draft.
Ms. De Rosa expressed the importance that Council puts on this topic. She invited
feedback from Committee members.
Ms. Kramb stated that the draft represents a good foundation, but she feels it lacks the
reporting requirements to City Council. She stated that it is important for Council to be
informed at a certain level of detail so there is comfort that the information is safe and
being handled appropriately. She used the example of the risk, protection and response
language that says, “staff will assess and mitigate risks to minimize exposure or accept
risk based on the identified risk owner's assessment.” She stated that Council does not
need to know how these things are done, but it would be helpful to know how often it
is being done — annually, monthly, etc. She also asked how results of these
assessments are being captured. She stated that if the City follows an industry standard
for example, then explain what the standard is so Council is aware. Ms. Kramb stated
that the draft policy also mentions following the Ohio Revised Code for when data is
breached, but that section is for the benefit of the people whose information has been
Administrative Committee Meeting
March 4, 2025
Page 3 of 4
breached. Council would like to know what the reporting requirements will be to report
the breach to them, which is not in the Ohio Revised Code.
Ms. De Rosa stated that the City has financial policies that define certain thresholds.
She stated that this draft is a good framework, but has no teeth to it. An example of
the detail that she would like to see included is a requirement that staff will report to
Council annually regarding the status of a third-party independent audit. The
timeframes could change from time to time as the world changes. Policies guide
Council's actions and staff’s actions. She clarified that Council does not need to be
informed of who is hired to do the audit or what is included, but residents need to know
that Council is being responsible for protecting their information by requiring certain
things. She suggested that the annual reporting happen prior to budget time so if there
are needs or requests for funds they are aware. She also suggested that this policy
could include philosophical guidance as well such as, only holding the information that
is absolutely necessary and removing it when no longer needed.
Ms. Kramb stated that during the retreat, Council was informed of the insurance that
the City has, that not everyone has. She added that another policy item could be
requiring that the City does what is necessary to keep the insurance.
Vice Mayor Alutto expressed appreciation for the work on the draft. She stated it is a
good start. She stated that looking at other policies such as the financial policies and
the Tree Waiver Policy, there is a fair amount of specificity in those. The detail is what
is missing in this policy. She shared that she noticed some inconsistency with this policy
as well and to whom it specifically applies. She noted that the scope of the policy is
different than the roles and responsibilities. She suggested adding the consistency
between the two sections. She stated that holding ourselves accountable to adhering to
a generally accepted principle of standards should be included in this policy. She stated
that the assessments and testing should be repeated prior to the reporting to Council as
prescribed in the standards to keep the accountability and insurance. She
recommended looking at financial policies for guidance in consistency and specificity.
Mr. Brown stated that the Administrative Orders reflect the standards that are upheld
and if Council would like those elevated outward for awareness that can be considered.
Regarding reporting, Mr. Brown stated that staff is exploring the best mechanism to
provide information to Council on a more regular basis. Mr. Abraham stated that they
will do reporting and are prepared to do annual assessments using standardized
frameworks. Mr. Abraham shared that there was a lot of great feedback that can be
incorporated into the policies. Ms. De Rosa added that NIST (National Institute of
Standards and Technology) has recently added a new arm on governance which she
feels acknowledges the need for this policy.
Mr. Brown stated that this discussion has provided good guidance. Ms. O’Callaghan
stated that staff will review the materials provided prior to the retreat to ensure that the
Administrative Committee Meeting
March 4, 2025
Page 4 of 4
policy addresses the areas discussed as much as possible. Ms. De Rosa expressed
appreciation for the work and the discussion. She added that preparedness is key and
this moves that forward. She asked that staff bring the amended draft to another
committee meeting for review. Mr. Abraham thanked the Committee for the feedback
and expressed that he looks forward to working with Council and staff.
Recruitment/Appointee Vacancies for 2025
Ms. Delgado shared that to better inform what vacancies will exist within our Boards,
Commissions and Committees when terms expire this May 31, staff polled members that
are eligible for reappointment to determine who would be interested in continuing to
serve. The results of those discussions were provided to the Committee. Also provided
was the summary of what staff anticipates the recruitment needs will be for this year as
well as a summary of the applications that have been received since January 2024.
Finally, as a reminder, Ms. Delgado provided the Committee with a timeline of the
recruitment/appointment process leading up to making appointments by resolution at the
second Council meeting in May. Ms. Delgado indicated that feedback was solicited from
the staff liaisons for each board/commission/committee and that feedback will be
provided to the Committee for consideration.
Ms. Kramb asked if the applications that were noted in the materials were new applications
or if they were of applicants that have already been interviewed. Ms. Delgado stated that
a few of them may have been interviewed, but the majority of the list are new from the
last update that was provided last year. Ms. Kramb stated it would be helpful to have any
notes regarding interviews that were already held.
Adjourn to Executive Session
Ms. De Rosa moved to adjourn to executive session for purposes of:
e Personnel Matters: Considering the Employment of a Public Employee
Vice Mayor Alutto seconded,the motion.
Vote on the motion: Ms. De\Rosa, yes; Ms. Kramb, yes; Vice Mayor Alutto, yes.
@ meeting waS yeconvened and adjourned at 6:30 p.m. a Hep
Chair, Adhninictrative Sorfiittes
lérk of Zouncil