DUBLIN CITY COUNCIL
ADMINISTRATIVE COMMITTEE
Tuesday, June 17, 2025
5555 Perimeter Drive
Council Chamber
Meeting Minutes
Chair De Rosa called the June 17, 2025 Administrative Committee meeting to order at 5:00
p.m.
Committee Members present: Vice Mayor Alutto, Ms. De Rosa (Chair), Ms. Kramb
Approval of Minutes
Chair De Rosa moved to approve the minutes of the May 6, 2025 Administrative Committee
meeting.
Vice Mayor Alutto seconded the motion.
Vote on the motion: Ms. Kramb, yes; Vice Mayor Alutto, yes; Chair De Rosa, yes.
Items for Discussion
Chair De Rosa stated that the committee has one follow-up item for discussion this
evening - continued consideration of a draft City Information Security Policy. She asked
Mr. Brown to provide the topic overview.
Mr. Brown stated that tonight staff is providing a revised draft of the proposed policy,
which incorporates the committee’s feedback from the previous discussion, as well as
revisions that reflect recent research they have been conducting. He reviewed the
revisions that had been made to the previous draft. They checked the draft policy against
the list formulated at Council’s retreat to ensure it is consistent with what Council had
requested at that time. The staff memo describes the background and impetus for
developing the policy and its purpose. The scope clarifies that the policy applies to the
technology and resource data used by City of Dublin employees, City Council, board and
commission members, third party contractors and service providers. The staff memo
refers to other bodies we compared our proposed policy with and definitions that are
consistent with the industry standards of confidentiality, integrity and availability, which
are the three pillars of an information security program. The policy addresses cyber
insurance. Recently, the City increased its cyber security insurance coverage, and the
intent is to ensure we maintain the current program. The information security program
area is broken into risk classification and assessment. The risk classification and
assessment states that data should be kept for the minimum time needed for a job.
Access should be only for the work one is doing, the task at hand. The policy describes
critical functions and systems and their annual assessments. We strengthened the
language about third-party service providers, specifically their assessment and audits for
compliance with our standards and guidelines.
They see reporting in two ways, from the aspect of a cadence in annual reporting. There
is also incident response specific reporting. There are reporting mechanisms when an
incident occurs. The policy is consistent with ORC 1347.12, which provides the
requirements for data breach notification of citizens. We added a paragraph about third-
party providers. We have always worked with third party providers through our
professional services contracts and through security assessments. We hope to look at
some third-party risk management tools, which essentially provide industry-standard
grade cards on different vendors. The education and testing section remains largely
unchanged. We provide testing and training awareness aligned with the City’s emergency
operation plan, and we test the plans, as well. The roles and responsibilities are
consistent with the scope. It includes the core function of the City’s information
technology team and their major role within an information security program. He
welcomes the committee’s feedback.
Chair De Rosa stated that when she noticed there was discussion about cyber security in
the state budget, she emailed Mr. Brown asking if any of the state’s efforts would impact
the City's proposed policy and would like him to share his assessment.
Mr. Brown stated that there are two provisions within the Senate’s version of the Budget
Bill. Within that budget amendment, there are the following two bullet points: requires
the legislative authority of a political subdivision to adopt a cyber security program that
safeguards the political subdivision’s data information technology and information
technology resources to ensure availability, confidentiality and integrity. Those same
words already appear in the City’s policy. The second provision is that it prohibits a
political subdivision under a ransomware attack from paying or otherwise complying with the
ransom demand unless the political subdivision’s legislative authority formally approves
the payment or compliance with the ransom demand. House Bill 283 provides more
detailed requirements, but it includes the two provisions mentioned by the Senate Bill
amendment. The main point is that you must have a cyber security plan. There is a
specific provision concerning ransomware. The I.T. team has been following the proposed
bills and providing feedback to our City lobbyist. In general, the majority of what the
State legislature is proposing is something Dublin already is doing. What the City is
proposing is consistent with the current versions of the state legislation.
Chair De Rosa stated that the state’s proposed language regarding paying ransomware
does not necessarily prohibit it; it requires formal authorization by the governing body.
The Senate bill does not dictate the form of that authorization; the House bill does state
by passage of a resolution or ordinance.
Chair De Rosa stated that City Council would be required to make a security-related
statement in public.
Mr. Brown stated that the essential recommendation is not to comply with or pay for
ransomware. If we are following sound security protocol, we will be in a good position to
not have to do that. Doing so only perpetuates the cycle. As the state legislation moves
through its review process, the City is utilizing its team of lobbyists and legal team to
keep apprised of the legislation and offer our feedback.
Chair De Rosa stated that she believed it was important to discuss and have on the
record that the City is managing its interests in that process. She knew the City was
aware and involved; she thought it warranted a committee update.
Ms. Kramb stated that she thought staff’s memo was well done and easy to understand.
She thinks the policy language would make a great public document to reassure City
residents of our information security efforts. She envisions creating a public information
brochure, similar to that we have prepared explaining our local taxes. It could be titled
the City of Dublin Information Security Program, rather than policy.
Ms. Kramb offered the following minor revisions. The first time an acronym is used, it
should be spelled out. In the first sentence under “Reporting”, clarify that annual
reporting to City Council occurs in executive session. The executive session reason must
be stated, which she assumes would be for the purposes of discussing confidential
security issues.
Vice Mayor Alutto stated that the clerk’s office can provide the appropriate language.
Ms. Kramb stated that also under Reporting, on page two, to the statement, “the City
Manager will notify City Council...”, add the language, “within a reasonable time.”
Chair De Rosa suggested the verbiage, “as soon as possible.”
Ms. Kramb stated that the same language should be added in the last sentence of that
section that, “third parties will be required to notify the City’s information team ‘within a
reasonable time’.”
Vice Mayor Alutto stated that she believes there is a required notification standard.
Ms. Kramb stated that there is for the City, per Ohio Revised Code. The second
paragraph under Reporting states, “The City will adhere to Ohio Revised Code §
1347.12, reporting any data breaches in accordance with municipal cybersecurity
guidelines and the direction of the Law Director.” She is suggesting that it be added to
the statements requiring the City Manager to tell City Council and third parties to inform
the information security team.
Vice Mayor Alutto stated that she believes the proposed policy is well done. She
appreciates the revisions that were made and the memo clarifying the reasons for doing
so, such as the Administrative Orders. It is important for staff to understand the reasons
for the policy. She likes Ms. Kramb’s suggestion for a public information brochure
explaining the City’s program to protect their information — their tax dollars at work.
She appreciates that their reference to testing is not prescriptive. That is important
because the City security team conducts different testing at different times for different
reasons.
Chair De Rosa stated that the policy language was easy to read and understand. Under
“Information Security Program,” she would recommend the policy not refer to a particular
version (NIST 2.0), as the language would become outdated.
Ms. Kramb suggested it be revised to “grounded in the most current version,” to avoid
the need for future amendment.
Chair De Rosa stated that under “Confidentiality,” the language, “...ensuring that the
information is accessible only to authorized...”, she would like to add the verbiage, “and
authenticated.”
Chair De Rosa requested that under “Reporting,” insurance reporting be added. She
inquired if page 3 should begin a new section, “Information Technology Security Incident
Report Plan”.
Mr. Brown stated that it was intended to be part of the Reporting section, but the section
could be broken into two subsections.
Chair De Rosa stated that in the reporting by third party service providers, to the
language, “will be required to notify City Council...” add the words, “as per their
contract.” They are contractually required to provide that notification (of any security
incidents within a reasonable timeframe.)
Chair De Rosa stated that under “Education and Training,” the language that the City will
provide ongoing education and training awareness programs to ensure staff are
informed.... add boards and commission to the list.
Mr. Brown stated that the language would be revised to consistently mention all four
groups.
Vice Mayor Alutto stated that in the second paragraph under “Education and Testing,”
instead of saying “tested annually,” say “tested as needed or as required.”
Chair De Rosa stated that under “Roles and Responsibilities”, for third party service
providers, add the same language, “per contract.” The City’s contracts contain these
provisions; the policy language should reference it.
Ms. Kramb stated that the title of the policy should be consistent with the titles used for
other City policies. Although City Council initiates the policy, it is a City policy; therefore,
the words “City Council” should be replaced with “City of Dublin” Information Security
Policy. The public information brochure should be titled, “City of Dublin Information
Security Program” (not policy).
Mr. Brown stated that when they researched other entities, they did not find any that had
a policy, although they did have statements or charters. Our citizens do have questions
about the security of their information within City systems, so the public education
brochure would be very helpful. In addition to a printed brochure, it could be posted on
the City’s website.
Ms. Kramb suggested that members of the public have asked questions about the storage
of data from cameras such as license plate readers. Recently, the City of Columbus
experienced a breach of their Police Department data. Adding a cross reference to a
public statement of this type on the Dublin Police website would be beneficial for our
citizens.
Vice Mayor Alutto stated that due to a personal experience of having personal data
stolen, she would suggest adding to the web section a series of links providing guidance
to our citizens on where to turn or who to contact if their personal data is stolen.
Ms. Kramb stated that Police and Tax are the two areas where this question might be
raised.
Chair De Rosa requested that staff revise the policy to incorporate the suggestions made
by committee members. The next step would be to provide the updated policy to City
Council for their review and consideration.
Ms. Kramb stated that the changes are small; therefore, the revised document does not
need to be reviewed by the committee again. It can move on to City Council review.
Chair De Rosa will provide Council an update on the Administrative Committee’s
discussion and recommendation tonight.
Chair De Rosa moved that the policy as amended by the Administrative Committee be
referred to City Council with a recommendation of approval.
Vice Mayor Alutto seconded the motion.
Vote: Ms. Kramb, yes; Vice Mayor Alutto, yes; Chair De Rosa, yes.
The meeting was adjourned at 5:35 p.m.
Chair, Administrative Committee
Clerk of Council