Agenda CC 11.13.2018 Workshop

Notice of Meeting of the Governing Body of the City of Georgetown, Texas
November 13, 2018

The Georgetown City Council will meet on November 13, 2018 at 4:00 PM at Council Chambers - 101 East 7th Street

The City of Georgetown is committed to compliance with the Americans with Disabilities Act (ADA). If you require assistance in participating at a public meeting due to a disability, as defined under the ADA, reasonable assistance, adaptations, or accommodations will be provided upon request. Please contact the City Secretary's Office, at least three (3) days prior to the scheduled meeting date, at (512) 930-3652 or City Hall at 113 East 8th Street for additional information; TTY users route through Relay Texas at 711.

Policy Development/Review Workshop

A. Presentation and discussion on the 2030 Comprehensive Plan Update outreach efforts -- Sofia Nelson, Planning Director
B. Presentation, review and discussion of the Citywide Risk Assessment Report -- Laurie Brewer, Assistant City Manager

Executive Session

In compliance with the Open Meetings Act, Chapter 551, Government Code, Vernon's Texas Codes, Annotated, the items listed below will be discussed in closed session and are subject to action in the regular session.

C. Sec. 551.071: Consultation with Attorney
Advice from attorney about pending or contemplated litigation and other matters on which the attorney has a duty to advise the City Council, including agenda items

Sec. 551.072: Deliberations of Real Property
- Wastewater Easement, Berry Creek Country Club - Berry Creek Interceptor -- Travis Baird, Real Estate Services Coordinator
- Sale of Property at 101 E. 7th Street

Sec. 551.074: Personnel Matters
City Manager, City Attorney, City Secretary and Municipal Judge: Consideration of the appointment, employment, evaluation, reassignment, duties, discipline, or dismissal

Sec. 551.86: Certain Public Power Utilities: Competitive Matters
- Quarterly Financial FY18 Q4 Electric Updates - Chris Foster, Resource Management and Integration Manager

Sec. 551.087: Deliberation Regarding Economic Development Negotiations
- Downtown Utility Upgrades
- Project Legacy

Adjournment

Page 1 of 104

Certificate of Posting

I, Shelley Nowling, City Secretary for the City of Georgetown, Texas, do hereby certify that this Notice of Meeting was posted at City Hall, 113 E. 8th Street, a place readily accessible to the general public at all times, on the _____ day of _________________, 2018, at __________, and remained so posted for at least 72 continuous hours preceding the scheduled time of said meeting.

__________________________________
Shelley Nowling, City Secretary

City of Georgetown, Texas
City Council Workshop
November 13, 2018

SUBJECT: Presentation and discussion on the 2030 Comprehensive Plan Update outreach efforts -- Sofia Nelson, Planning Director

ITEM SUMMARY:

Background: At the 8/28 Council workshop, City staff and Council discussed the Public Engagement Plan which was reviewed and recommended by the Steering Committee at their June and July meetings. Additional information on the 2030 Update Public Engagement Plan can be found online at https://2030.georgetown.org/how-do-i-get-involved/public-engagement-plan-2030-update/.

Purpose of the Workshop: The purpose of this workshop is to update the City Council on the Comprehensive Plan Update outreach process, share community feedback and discuss the process for reviewing the existing 2030 goals and policies. Staff will provide Council an overview of the 2030 Update goal development process, share and discuss themes emerging from public comment and discuss the next steps in the Public Engagement Plan, as generally outlined in the four (4) parts below.

Part 1 - Comprehensive Plan Update Recap
- Elements of the Update
- Review of Public Engagement Plan
Part 2 - Summary of public engagement and feedback received
Part 3 - Next steps - Goal and policy review
Part 4 - Direction

Feedback Requested: Staff is seeking the following feedback from City Council:
• Are we meeting the Goals of the Public Engagement Plan?
• Do you understand the themes emerging from public input? Is there anything missing?
• Do you support the process to review the goals and policies of the 2030 Plan?

FINANCIAL IMPACT: N/A

SUBMITTED BY: Nat Waggoner, PMP, AICP

ATTACHMENTS:
Exhibit 1 - 2030 Public Engagement Plan
Exhibit 2 - Presentation

2030 PLAN UPDATE
Public Engagement Plan

The purpose of the Public Engagement Plan is to achieve valuable public involvement and input during the 2030 Plan update. This public engagement plan acts as a preliminary guideline on how to:
• Engage the public and stakeholders,
• Convey project information, and
• Obtain input from the public, stakeholders, organizations and other interested groups in Georgetown.

Goals of the Public Engagement Plan are to:
1. Provide participation opportunities where people are already gathered
2. Maximize existing networks (private and public domains)
3. Facilitate as much meaningful input as possible
4. Gain representative participation (every zip code, council district, demographic group)
5. Remove/lower barriers to participation
6. Organize and demonstrate incorporation of feedback

Engagement Opportunities

The public will be given opportunities to provide input and feedback through various methods including:

Public meetings
• Citywide, one day engagement event (Fall 2018)
• 3 public meetings (Winter, Spring and Summer 2019)
• 16 steering committee meetings (First Thursday of the month at 6 pm)
• Joint Planning & Zoning/City Council meetings
• Planning & Zoning Commission meeting during the adoption process
• City Council meeting during adoption process

Virtual participation
• Dedicated Email - 2030@georgetown.org
• Website - 2030.Georgetown.org
• City Reporter - at least 2 articles (1 Fall, 1 Spring)
• Social media - Use existing citywide platforms (Facebook, Twitter, NextDoor, Instagram), survey questions, awareness of events

Meetings-to-go
• Three types available (Host, Family, Students & Youth) for pickup or print off the website

Staff presentations
• City Board and Commission meetings
• For and Non-Profit Organizations
• Request/schedule Staff to speak at your organization meeting

Survey questions (once a month)
• Rotating survey questions on the website or via MetroQuest

Idea boards
• Maps or vision boards at library or rec center, refreshed by Phase of the Update

Outreach events
• Music on the Square
• Organization/club presentations on request
• Chamber of Commerce Event (Development Alliance)
• Retail centers
• Downtown Breakfast Bites (Quarterly Update)
• Georgetown Project
• PTA meetings/GISD
• Recreation center/Library events
• Realtor outreach event in February
• Senior Expo sponsored by the Commission on Aging
• Local athletic activities
• GISD flyer for parents
• National Night Out

Engagement Strategies

The following strategies will be used to ensure the goals of the public engagement plan are met.

Strategy 1 (supports goals 1, 3, 6): Provide convenient and innovative ways to document project progress online.
a. Meeting agendas and presentations will be available on the project website.

Strategy 2 (supports goals 2, 4, 5): Leverage partners for broader audience communication.
a. Representative community stakeholders will be reached throughout the process to leverage communication through partner networks.
• GISD
• Georgetown Health Foundation
• Chamber of Commerce/Leadership Georgetown
• Ministerial Alliance
• Georgetown Young Professionals
• SEGCC
• Boards/Commissions
• Business Retention visits
• Property managers association

Strategy 3 (supports goal 6): Acknowledge feedback through visible incorporation of public comments.
a. Staff will promptly respond to comments or concepts suggested during development of the 2030 Plan update. Online feedback will be collected and presented during the relevant policy discussions for consideration by the Steering Committee and joint meetings of the City Council and the Planning & Zoning Commission.

Strategy 4 (supports goals 3, 4, 5): Provide translation services for print materials, website and presentations.
a. Identify groups in need of outreach in a language other than English.

2030 PLAN UPDATE
City Council Workshop | Public Engagement | November 13, 2018

PRESENTATION TEAM
• Nat Waggoner, Planning Department
• Susan Watkins, Planning Department
• Jackson Daly, City Managers Office

OUTREACH TEAM
Community Partners
• GISD - Melinda Brashear
• Georgetown Health Foundation - Suzy Pukys
• Southwestern - Paul Secord
• Chamber - Jim Johnson, Wendy Cash
• SEGCC - Norma Perales
• Georgetown Ministerial Alliance - Reverend Harriett Jones
Staff Team
• Engaged Leader Series
• Communications Team
• Jackson Daly
• Keith Hutchison
• Beth Wade
• John Njagi
• IT
• Jess Henderson
• Austin Madison
• Rick Barnes

MEETING PURPOSE
• Update the City Council on the Comprehensive Plan Update outreach process.
• Share community feedback.
• Discuss the process for reviewing existing 2030 goals and policies.
FEEDBACK WE ARE SEEKING
• Are we meeting the Goals of the Public Engagement Plan?
• Do you understand the themes emerging from public input? Is there anything missing?
• Do you support the methodology to review the goals and policies of the 2030 Plan?

AGENDA
Part 1 - Comprehensive Plan Update Recap
• Elements of the Update
• Review of Public Engagement Plan
Part 2 - Summary of public engagement and feedback received
Part 3 - Next steps - Goal and policy review
Part 4 - Direction

PART 1
Comprehensive Plan Update Recap

UPDATE PROCESS AND ELEMENTS
(slide graphic) Participants: Technical Advisory Committee, Steering Committee, Joint Sessions P&Z/Council, General Public. Elements: Alignment, Updated Demographics, Housing Element Update, Housing Toolkit, Gateway Development Strategies, Williams Drive Subarea Plan, Growth Scenarios, Future Land Use Map Update, Public Engagement, Implementation Strategies, Adoption.

PUBLIC ENGAGEMENT PLANNING
• 10/2017 workshop
  • General discussion on importance of Council and public involvement
• 2/2018 workshop
  • Discussion on methods to involve Council and engage the public including the Steering Committee and joint CC/P&Z meetings
• 3/2018 workshop and legislative action
  • Review of public engagement components of project scope
  • Steering Committee appointment
• 8/28 workshop
  • Update on outreach activities to date

ENGAGEMENT STRATEGIES
(slide graphic: the four engagement strategies and the goal(s) each one supports)

GOALS
(slide graphic)

PART 2
Public Engagement Results

PUBLIC INPUT OPPORTUNITIES
• Survey #1
  • July-October
  • Purpose: Inform public of project; Gather contact information
• On the Table Georgetown
  • October 2
  • Purpose: Develop strategic partnerships; Encourage civic dialogue about the future

SURVEY #1
• 1,455 responses
• Survey Kiosks: Recreation Center, Library, GMC, Book Mobile, Music on Square
• Paper copies made available at speaking engagements

ON THE TABLE - CITYWIDE ENGAGEMENT DAY
• 1,411 total participants
• 357 City of Georgetown employees
• 455 GISD students, faculty and staff
• 62 Southwestern students
• Over 70 different groups
• 840 unique comments

SURVEY #1 RESPONDENTS
Respondents by Zip Code (chart): 78626 25%, 78626 33%, 78633 39%, Other 3%
Connection to Georgetown (chart): Live 88%, Work 28%, Out of City but in WilCo 13%, Other 10%, Used to live 3%, Hope to live 1%

REASONS PEOPLE MOVED TO GEORGETOWN
1st Small Town
2nd Sun City
3rd Family
4th Schools
5th Proximity to Austin

LIKE MOST ABOUT LIVING IN GEORGETOWN (chart)
Small Town 24%, Downtown/Square 18%, Community 12%, Parks 8%, Safety 7%, Friendly/Friendliness 6%, Sun City 5%, Family 3%, Schools 2%

PLACES MOST VISITED (chart)
Wolf Ranch 29%, Restaurants 24%, Grocery Stores 23%, Library 16%, Square 13%, Gabriel Park 10%, Rec Center 7%, Lake 6%, Trails 5%, Home Depot 4%, Sun City 3%, Palace Theater 3%

WHAT SHOULD GEORGETOWN LOOK LIKE IN 2030?
1. Keep Small Town
2. Not Round Rock
3. Effective Public Transportation
4. Improve Williams Drive
5. Improve traffic flow
6. More service to Sun City
7. Increased green space
8. Not Cedar Park
9. More affordable housing
10. Control growth

LOVE ABOUT GEORGETOWN
• Family-Oriented/Small Town
• Recreation and Open Space
• Historic Preservation
• Urban Design
• Events/Festivals

CONCERNS ABOUT GEORGETOWN
• Traffic Circulation/Public Transit
• Housing Affordability
• Citizen Participation
• Economic Development
• Health & Human Services

MISSING IN GEORGETOWN
(slide graphic)

(7) INPUT THEMES
• Maintain the family-oriented, small-town feel
• Continue to encourage quality urban design
• Enhance citizen participation and engagement
• Focus on housing and affordability
• Enhance economic development opportunities
• Maintain and expand existing parks and recreation amenities
• Improve and diversify the transportation network

PROGRESS TO DATE
• 2 Real Estate Discussions, 86 participants
• 5 Steering Committee meetings
• 5 Technical Advisory meetings
• 14 Board and Commission presentations
• 18 outreach events, over 700 participants
• 1,455 online survey responses
• 1,411 participants in On the Table Georgetown

PART 3
Next Steps - 2030 Update goal development process

GOAL DEVELOPMENT PROCESS
• Ask broad questions: Survey #1, On the Table
• Develop themes: Impact Report
• Confirm themes: Council workshop, Steering Committee, Joint Workshop #1
• Establish goals: Survey #2, Steering Committee

PART 4
Council Direction

FEEDBACK WE ARE SEEKING
• Are we meeting the Goals of the Public Engagement Plan?
• Do you understand the themes emerging from public input? Is there anything missing?
• Do you support the methodology to update the goals of the 2030 Plan?
City of Georgetown, Texas
City Council Workshop
November 13, 2018

SUBJECT: Presentation, review and discussion of the Citywide Risk Assessment Report -- Laurie Brewer, Assistant City Manager

ITEM SUMMARY:

During 2018, the City initiated a citywide internal risk assessment. The City contracted with Plante Moran to perform the assessment. The purpose was to perform a broad based review of all risks, current mitigating activities, and to recommend future mitigation activities. While City staff were generally aware of several risks, it was important to do a comprehensive review to check for gaps in awareness, and to document findings and set up a framework for continuous review and improvement.

Plante Moran's methodology consisted of interviewing staff across the City, and looked at inherent risk, residual risk, and risk velocity. The attached report includes summary and detail on the City's risk universe, with Plante recommendations and management's response. The study found a concentration of risks related to Information Technology, many of which were already known and had mitigating activities and resources in place. The City will move forward assigning risk owners and reviewing action plans and resources during the annual budget process. This item was presented to GGAF on October 3rd.

FINANCIAL IMPACT: N/A

SUBMITTED BY: Laurie Brewer, Assistant City Manager

ATTACHMENTS:
Risk Assessment Presentation
Risk Assessment Report

2018 Internal Risk Assessment
Citywide Internal Risk Assessment

Background
Why the City initiated an Internal Risk Assessment
• 40 different business units
• Multiple physical locations
• Limited staff resources
• Supports the City's Fiscal & Budgetary Policy
  • Gives City Manager, Directors & Finance responsibilities
  • Provide guidance for those responsibilities
• Not requested by auditors, and is not an independent audit with testing
Goal of the Internal Risk Assessment
• Ensure risk mitigation and risk acceptance levels are appropriate
• Set up framework for continuous improvement over time
2018 RFP - Internal Risk Assessment
• Plante Moran selected

Methodology
January 2018 - Executive Team set objectives and identified Risk Universe
• Plante Moran started with 90 risks used with all types of clients
• Executive Team narrowed City of Georgetown Risk Universe to 35 risks
• Executive Team assigned an owner to each risk for future mitigation
Feb 2018 - Departmental meetings with Plante Moran
• Plante Moran met with each department to assess the inherent and residual risks of the risk universe in each key business department
• The primary means of collection of information was done through interviews of City staff and not traditional accounting audit testing
• Plante Moran identified current methods departments use to mitigate these risks
• Plante Moran recommends future mitigation strategies
May - September 2018 - Review of Findings, Management Response
• Follow up and validate initial findings with departments, consultant
• Review mitigation strategies, work plan and resources
• Preparation of final report

Key Definitions
Inherent Risk
• the perceived impact and likelihood associated with a process or activity that exists simply from the perspective of its current environment BEFORE consideration of mitigating activities such as insurance, internal controls or other risk treatment strategies.
Residual Risk
• the level of impact and likelihood of an adverse event occurring to impede the City, Department, and/or Processes from achieving success AFTER identifying and testing of management's mitigating activities and internal control structure.
Velocity
• the speed assessment of how quickly a risk will impact the organization
  • Fast
  • Moderate
  • Slow

Inherent Risk Evaluation Criteria

Impact Criteria, ranked 5 (high) to 1 (low) on whichever impact type applies (Financial, or Strategic, or Operational, or Compliance):
Financial Impact - Expense or Lost Revenue: 5 = >$150K; 4 = $100K-150K; 3 = $50K-$100K; 2 = $25K-$50K; 1 = <$25K
Strategic Impact - Strategy/Mission/Legislature: 5 = Failure to meet key strategic objective; 4 = Major impact on strategic objective; 3 = Moderate impact on strategy; 2 = Minor impact on strategy; 1 = No impact on strategy
Operational Impact - Reputation: 5 = Extreme; 4 = Severe; 3 = Moderate; 2 = Low; 1 = None
Operational Impact - Process/System Shutdown: 5 = >7 days; 4 = 5-7 days; 3 = 3-5 days; 2 = 1-3 days; 1 = <1 day
Compliance Impact - Regulatory (State/Local/HIPAA/Debt Covenants): 5 = Large-scale material breach of regulation; 4 = Material breach but cannot be rectified; 3 = Material breach which can be readily rectified; 2 = Minimal breach which cannot be rectified; 1 = Minimal breach which can be readily rectified

Likelihood Criteria, ranked 5 (high) to 1 (low):
Probability of an event occurring in a given year: 5 = >20%; 4 = 15-20%; 3 = 10-15%; 2 = 5-10%; 1 = <5%
or Event Occurrence (on average): 5 = Once a year or more; 4 = 1 in 3 years; 3 = 1 in 5 years; 2 = 1 in 7 years; 1 = 1 in 10 years

Weighted Residual Risks by Key Business Department (KBD)
• The graph on the following slide shows the number of risks by department, and coloring indicates weight based on risk ranking. Key business departments are listed below.

Key Business Departments (KBD) Listing
1. (AIR) Airport
2. (ASV) Animal Services
3. (ATT) City Attorney
4. (COD) Code Enforcement
5. (COM) Communications
6. (CRT) Municipal Court
7. (CUS) Customer Care / Conservation
8. (CVB) Convention & Visitor's Bureau
9. (ECO) Economic Development / Main Street
10. (ENG) GUS Systems Engineering / GIS
11. (FIN) Finance, Purchasing & Payroll
12. (GFD) Georgetown Fire Department
13. (GPD) Georgetown Police Department
14. (GUS) Georgetown Electric / (NRG) Energy Services
15. (PLH) Planning/Housing
16. (HUR) Human Resources
17. (BINS) Building Inspection Services
18. (ITS) Information Technology Services
19. (LIB) Library
20. (MGR) City Manager's Office
21. (PKR) Park & Rec
22. (SEC) Secretary / Records
23. (SWR) Solid Waste & Recycling
24. (TSP) Transportation
25. (WSV) Water Services

Weighted Residual Risks by Key Business Department (KBD)
(slide graphic)

Residual Risk Rating Distribution
7 High Rated Residual Risks (of 33)
1. IT Cybersecurity Governance
2. Utility Market
3. IT Asset Management
4. IT Access Management
5. IT Contingency Plan
6. Legislation
7. Segregation of Duties

Top 7 Findings/Response - IT

Risk 1 - Cybersecurity Governance
• City has ad hoc security programs
• City needs to formalize a comprehensive Information Security Program, cybersecurity policy and procedure
• Current initiatives:
  • IT Catalyst Strategic Plan
  • Document policies
  • Develop and deploy citywide cybersecurity training
  • 2 security audits
  • Payment Card Industry audit
  • Two factor authentication
  • Hire Lead System Security Analyst position

Risk 3 - Data Classification
• City has inventoried hardware and applications
• City needs to inventory and classify data to create procedures and controls
• Current initiatives:
  • Classification of HR and Finance data during ERP project
  • Payment Card Industry compliance audit
  • IT Catalyst Strategic Plan
  • Document policies
• Future initiatives:
  • Inventory and classify other types of data

Risk 4 - System Access Management
• Access to systems, assets and facilities is limited to appropriate personnel
• City needs formal access procedures put in place for each system
• Current initiatives:
  • Two factor authentication
  • Role based access plans for CIS and ERP systems
  • IT Catalyst Strategic Plan
• Future initiatives:
  • Enterprise application access control policy and annual audits
  • Physical security audits with Facilities dept

Risk 5 - IT Contingency Plan
• City has a data back-up and disaster recovery plan
• City needs to develop Business Impact Analysis plans to guide recovery
• Current initiatives:
  • Set up fail-over data center; conduct testing
• Future initiatives:
  • Lead System Security Administrator to partner with Emergency Management Coordinator on business continuity plans for City departments
  • Develop Business Impact Analysis plans

Top 7 Findings/Response - Other

Risk 2 - Energy Market
• The City has inherent financial risk in hedging energy demand and transmission congestion
• The City should enhance forecasting to improve accuracy, and develop alternative strategies to meet peak demand
• Current initiatives:
  • Continue rate studies every 3 years
  • Continue building contingency reserves
  • Frequent financial monitoring and reporting to City Manager, GUS Board and Council
  • Exploring resource diversification options through Bloomberg grant and other studies

Risk 6 - Legislation
• Existing and new state legislation adversely affects City's financial, operating or strategic autonomy and goals
• City needs to continue building relationships with local legislators and monitoring state affairs
• Current initiatives:
  • Government affairs advisory contract
  • Council strategies and tactics on influencing State government

Risk 7 - Segregation of Duties
• Various financial duties and systems access are segregated within and across departments
• City needs to evaluate duties and enhance controls in various locations and systems
• Current initiatives:
  • Review and update of segregations in CIS and ERP systems
  • Add cameras to cash handling locations
  • Emphasize segregation of duties during quarterly financial trainings
  • Partner with IT on risks 1, 3, 4 and 5

Conclusions
• Rapid growth in community and organization applying pressure to resources and systems
• Assessment was a partnership with industry experts and city staff/management from all areas of the City
• Disparate information across organization documented in one place
• IT was reviewed in the most detail due to the reliance on systems for provision of services
• Concentrated risks in IT
  • Resources added in FY19 to mitigate risks
  • Initiatives underway to mitigate high risks
  • Medium and low risks are also being addressed
• Ongoing effort and long-term commitment to review risks
  • Risk owners to create teams to work on action plans
  • Review assessment and action plans during annual budget process

Make the mark.
CITY OF GEORGETOWN, TEXAS
SEPTEMBER 25, 2018
Citywide Risk Assessment Results & Next Steps

September 25, 2018

Mr. David Morgan, City Manager
City of Georgetown
113 E. 8th Street
Georgetown, Texas 78627

Dear David,

We have performed the procedures as agreed upon in our consultation agreement dated November 7, 2017. Those procedures were applied solely to provide consulting services to assist City of Georgetown, Texas ("City") in developing a Citywide Risk Assessment (CRA) to understand the risk environment and internal control structure of your functional areas and processes to identify key risks and the internal controls over those risks.
The results of this report contain our assessment of the key risks to your organization, rankings of current mitigation strategies, treatment plans to assist in the management of key risks, and emerging best practices in government industry control environments.

We were not engaged to, and did not, perform an examination, the objective of which would be the expression of an opinion on City of Georgetown, Texas's internal control environment. Accordingly, we do not express such an opinion. We were not engaged to perform any specific internal control testing procedures beyond inquiry of management and, therefore, we have not done so. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is solely for the information and use of the management of City of Georgetown, Texas and is not intended to be, and should not be, used by anyone other than the specified party.

We would like to recognize and thank the staff of City of Georgetown, Texas for the cooperation and courtesy extended to us throughout this process.

Sincerely,
Doug Farmer, CICA
Partner - Risk & Accounting Advisory Services
Plante Moran, PLLC

Table of Contents
Executive Summary ... 1
Project Scope and Approach ... 3
Risk Universe ... 4
Impact and Likelihood Criteria ... 5
Risk Assessment Results and Next Steps ... 7
Appendix A: Risk Treatment Action Plans ... 11
Appendix B: Information Technology Detail ... 40

Executive Summary

Purpose and Introduction

In 2017, staff updated the City's Fiscal and Budgetary Policies to enhance the existing internal audit and risk program. The General Government and Finance Advisory Board and the Council added ongoing funding to the Finance Administration budget to support this change. As a first step in the program, the City procured a firm to perform a comprehensive risk assessment. The outcome of the assessment will be used to prioritize the steps to continue enhancing the audit program and mitigating risk.

Plante Moran performed a Citywide Risk Assessment (CRA) of the City of Georgetown, Texas ("Georgetown", "COG" or "City") with the objective of helping the City achieve its strategic priorities and advance management's process to identify, classify and mitigate risks to the organization. Our CRA services consisted of the following:
1. Interview key stakeholders to understand Georgetown's viewpoint on risk management
2. Conduct interviews with key City Departments to assess inherent and residual risks of the risk universe
3. Assess the strength of Georgetown's mitigating activities and risk treatment factors
4. Assignment of risk owners and action steps for remediation plans, if necessary
5. Preparation of reports to management and Council detailing the results of our work and recommendations to manage risk and strengthen the control environment

High Level Themes Noted:
• The City is exposed to four high Information Technology (IT) residual risks: IT Cybersecurity, IT Asset Management: Data Classification, IT Access Management and IT Contingency Plan. We recognize the City is currently in process of an ERP system upgrade and the status of these conditions will change in the near future. See Appendix B for IT Risk Report.
• The City lacks a clear process for the assignment and review of user access roles and responsibilities to achieve segregation of duties in three key business departments. We noted during discussions with Finance, Customer Care and Parks and Recreation that one person can control more than two phases of a transaction, exposing the City to unauthorized transactions and fraud risk.
• The Georgetown Utility Service (GUS) electricity is a vertically integrated monopoly which is allowed in the State of Texas.
The Texas Legislature granted an exception called OPT OUT of bundled services and this gets reviewed at each legislative session every two years. If this OPT OUT provision is rescinded, the City would still have the wires/transmission equipment and would be the wholesaler to the power companies, but there would be significant effort and expense to the City to be OPT IN ready if the legislature changes position, and the resulting transition would take about 2 years.
• Management indicated several potentially costly Texas legislative acts are due for review at future legislative sessions.
• The City is challenged with documentation of operating policies and procedures. Currently, 15 out of 25 (60%) departments we interviewed lack clearly written policies and procedures available to all employees.

Project Approach and Scope

Approach

We met with management to develop the following:
• Planning Meeting - This segment was dedicated to understanding the risks to key individuals in the organization. We worked with management to outline the risks impacting the City.
• Ranking Criteria - Based on our conversations with key individuals, we created impact and likelihood criteria for grading / assessment of the risks.
• Risk Assessment Interviews - We held risk assessment interviews with key individuals from key departments across the City to capture management's view of inherent risks and mitigating activities.
• Control Gaps & Observations - Using the information gained in the items above, we noted observations, identified the top residual risks to the organization, and offered recommendations for control and process improvements.

Scope

In context of this risk assessment, a "Key Business Department (KBD)" is defined as a vital business process, function or activity on which the organization spends a significant amount of financial or personnel resources to perform, or an activity over which they have primary responsibility within the City. The following 25 departments are considered KBDs and in scope for this engagement:

Key Business Departments (KBD) Listing
1. (AIR) Airport
2. (ASV) Animal Services
3. (ATT) City Attorney
4. (COD) Code Enforcement
5. (COM) Communications
6. (CRT) Municipal Court
7. (CUS) Customer Care / Conservation
8. (CVB) Convention & Visitor's Bureau
9. (ECO) Economic Development / Main Street
10. (ENG) GUS Systems Engineering / GIS
11. (FIN) Finance, Purchasing & Payroll
12. (GFD) Georgetown Fire Department
13. (GPD) Georgetown Police Department
14. (GUS) Georgetown Electric / (NRG) Energy Services
15. (PLH) Planning/Housing
16. (HUR) Human Resources
17. (BINS) Building Inspection Services
18. (ITS) Information Technology Services
19. (LIB) Library
20. (MGR) City Manager's Office
21. (PKR) Park & Rec
22. (SEC) Secretary / Records
23. (SWR) Solid Waste & Recycling
24. (TSP) Transportation
25. (WSV) Water Services

Plante Moran met with the department heads and key managers to discuss the risk universe, assess the inherent risks and document the key internal controls and mitigation strategies for each risk in the risk universe applicable to each department. Residual risk scores are calculated based on inherent risk minus strength of mitigation activities.

Risk Universe

A planning meeting was held with the City Manager and Assistant City Managers to co-develop a risk universe using a standard governmental entity risk profile customized to the Georgetown specifics for population, demographics, services offered, operations and complexity. The initial universe started with approximately 90 risks and the list was distilled down to the top 33 risks applicable to the City of Georgetown. We then met with each department individually to discuss the impact and likelihood to their department. It is important to note that not all 33 risks are applicable to every department. Only 14 out of 33 risks were determined to be citywide, impacting all departments.
The illustration below is the risk universe utilized for this assessment: City of Georgetown Risk Universe 1. Access to Talent 18. IT Security Awareness, Training and Education 2. Billing for Citizen Services 19. IT Third Party Roles & Responsibilities 3. Budget and Planning 20. Leadership 4. Composition of Tax Base 21. Legislation 5. Disaster Recovery / Business Continuity 22. Physical Security 6. Emergency Notification System Failure 23. Police Failure 7. Fire Department Failure 24. Records Management 8. Freedom of Information Act (FOIA) 25. Regulatory Filings 9. Fraud 26. Segregation of Duties 10. Grant Obligations 27. State-Fed Regulations 11. Health & Safety 28. Succession Planning 12. IT Access Management 29. Talent Management 13. IT Asset Management: Data Classification 30. Tax 14. IT Contingency Plan 31. Utility Market 15. IT Critical Security Event Identification 32. Utility Outage 16. IT Cybersecurity Governance Model 33. Vendor Reliance 17. IT Incident Response Management Note: the 14 bold risks were common citywide across all departments. The remaining risks were assessed on a case-by-case scenario by department. Information Technology risks were evaluated in three categories: 1) Centrally Managed, 2) Vendor Managed, and 3) Department Managed. Impact and Likelihood Criteria Key department personnel participated in the risk interviews to rank the risks to the organization using an impact and likelihood criteria developed with senior management. The impact and likelihood criteria table below is applied to each risk to assign the inherent risk. The inherent risk rankings are then used as the starting point to calculate residual risks. 
Impact Criteria
Ranking: 5 (high) | 4 | 3 | 2 | 1 (low)
Financial Impact – Expense or Lost Revenue: >$150K | $100K - $150K | $50K - $100K | $25K - $50K | <$25K
or Strategic Impact – Strategy / Mission / Legislature: Failure to meet key strategic objective | Major impact on strategic objective | Moderate impact on strategy | Minor impact on strategy | No impact on strategy
or Operational Impact – Reputation: Extreme | Severe | Moderate | Low | None
Operational Impact – Process / System Shutdown: > 7 days | 5 - 7 days | 3 - 5 days | 1 - 3 days | < 1 day
Compliance Impact – Regulatory (State / Local / HIPAA / Debt Covenants): Large-scale material breach of regulation | Material breach that cannot be rectified | Material breach that can be readily rectified | Minimal breach that cannot be rectified | Minimal breach that can be readily rectified

Likelihood Criteria
Ranking: 5 (high) | 4 | 3 | 2 | 1 (low)
Probability of an event occurring in a given year: >20% | 15 - 20% | 10 - 15% | 5 - 10% | <5%
or Event Occurrence (on average): Once a year or more | 1 in 3 years | 1 in 5 years | 1 in 7 years | 1 in 10 years

Risk Identification and Ratings
It is important to clarify the factors in determining the levels of risk as presented in the following departmental risk assessment graphs. For comparability purposes, risk is evaluated by distinguishing between types of risk, and the following definitions are provided:

INHERENT RISK – the perceived impact and likelihood associated with a process or activity that exists simply from the perspective of its current environment BEFORE consideration of mitigating activities such as insurance, internal controls or other risk treatment strategies. This assumes no significant actions taken by management to mitigate (address) those risks. For example, the City has inherent risks associated with its citizen demographics, funding sources, population, economic slowdown, structure of federal and state government, etc. This can then begin to be refined to the departments within the City government.
RESIDUAL RISK – the level of impact and likelihood of an adverse event occurring to impede the City, Department, and/or Processes from achieving success AFTER identifying and testing management’s mitigating activities and internal control structure. The citywide risk assessment considered primarily inherent risks, with limited identification of control risk as self-reported by management. We did not substantively test specific management controls in detail and therefore do not render an opinion on the effectiveness of design nor the efficiency in implementation or existence. The ratings do not imply a judgment on how management is addressing risk and thus are not a specific assessment of management performance, nor do they conclude on ‘Residual Risk’. Management will need to perform detailed testing to determine: (1) if mitigation activities reported by management are actually in place, and (2) if the mitigation activities are designed and operating effectively.

VELOCITY – the speed assessment of how quickly a risk will impact the organization:
• Fast: These risks are becoming more relevant to Georgetown’s operations and can quickly impact the organization. Risks with a moderate to high residual risk ranking and fast velocity should be closely monitored, as a risk event could occur quickly and without warning.
• Moderate: No known or pending events suggest either an increase or decrease in the composite risk weighting. These risks will impact the organization at neither a fast nor a slow pace.
• Slow: These risks will impact the organization over time and might require a playbook that extends over a longer period of time.

Risk Assessment Results and Next Steps
The following pages summarize the Risk Assessment Results from 3 different perspectives:

Graph 1 – Net Risks by KBD [1]
(1) Net Risks by Key Business Departments: the total number of risks from the Risk Universe that apply to each department. As noted earlier, 14 of the 33 risks have been identified as pervasive across all departments and the others are assessed on a case-by-case scenario. The net risk assessment by KBD revealed that Georgetown Fire Department, Information Technology Services [2], Finance, Georgetown Police Department and Parks & Recreation fall within the high risk category based on Net Risks by Department.

[1] Each department was assessed for the 33 risks outlined in the Risk Universe on p. 3. There are 14 risks that are pervasive across the City, and the remaining risks were assessed on a case-by-case scenario.
[2] For the purposes of risk ranking, certain Information Technology risks with similar mitigation activities and control objectives were combined for reporting purposes. The Risk Universe shows 8 IT risks, while the detailed IT Risk Assessment report included in Appendix B has 11 risks.

Graph 2 – Weighted Residual Risks by KBD
(2) Weighted Risks by Key Business Departments: the total number of risks weighted by rankings using the following weighting formula: Red 17 or greater (3 points), Yellow 8-16 (2 points), Green 5 to <8 (1 point), and <4 (0 points). Therefore, the higher risk rankings carry a higher weighted risk. The Weighted Residual Risk by KBD reveals there are two (2) additional departments needing consideration, as the ratio of high risks to total brings the residual risk to high for Customer Service and Building Inspection Services, in addition to the KBD’s noted in Graph 1. Evaluation of these various factors provides indicators for prioritizing the potential Future State Risk Mitigation Activity recommendations outlined in Appendix A.

Graph 3 – Citywide Composite Residual Risk Rankings (legend: X = Fast Velocity, | = Moderate Velocity)
(3) City-wide Composite Residual Risk Rankings: the profile of consolidated highest ranking risks to the City regardless of KBD. As noted earlier, certain risks may only apply to a limited number of KBD’s and may be insignificant on a City-wide basis.

Composite scores represent a cross-section view of risk without regard to KBD. The composite scores above are an average of the risk rankings for only the departments where the risks are applicable. For example, Billing for Citizen Services is a risk to the City but only applies to 13 out of 25 KBD’s. The scores above are an average of those applicable departments, excluding the departments that do not do billing. Results from this graph illustrate the severity of risk regardless of the department under which they fall.

Residual Risk Dispersion
The following graph depicts the dispersion of the risk events between high, medium, and low residual risk categories (including the consideration of existing control or mitigation activities). High indicates that the residual risk score fell beyond Georgetown’s risk tolerance. These risks require the most attention and strongest mitigation strategies. Medium indicates that the residual risk was within tolerance. Low indicates that the risk fell well below Georgetown’s tolerance. It may be possible that some of these risks are being over-mitigated.

Next Steps
1. Strengthen and implement mitigating activities for each risk to bring the residual risk down into tolerance (see Risk Treatment Action Plans in Appendix A).
2. Assign risk owners and control owners and determine what information needs to be reported back to the City Manager on a periodic basis (i.e., quarterly).
3. Identify a risk management resource to manage the risk owners and communicate all necessary information from the risk owners to the City Manager and City Council.
4. Risk Owners identify key risk indicators (KRI’s) for each risk.
5. Build execution playbooks for each risk treatment.
RANK | RESIDUAL RISK | COUNT
High | > 16 | 7
Medium | 8 – 16 | 14
Low | < 8 | 12
Total | 0 – 25 | 33

APPENDIX A – RISK TREATMENT ACTION PLANS
Recommended Risk Treatment Action Plans

Columns: # | Risk | Risk Detail | Residual Risk Score | Risk Owner | Current State Mitigating Activities | Future State Mitigating Activities | Management Response

Risk 1: IT Cybersecurity Governance Model
Risk Detail: A comprehensive Information Technology (IT) cybersecurity policy and procedures document has not been approved by management and communicated to all employees and relevant external parties, outlining responsibility and oversight for Information Security (IS) and policy administration.
Residual Risk Score: 21.00
Risk Owner: IT Director
Current State Mitigating Activities:
1) The City has a documented IT Acceptable Use Policy in place, but it does not encompass an overall Information Security Program (ISP) containing the following elements: Purpose/Scope, Roles and Responsibilities (including those related to regulatory requirements), Enforcement, Information Sharing, Data Classification, Information Risk Management (IRM), Data Backup and Retention, Data Destruction/Retention Policy.
2) Members of the IT department perform several duties beyond their originally assigned tasks, and roles and responsibilities related to key initiatives such as Risk & Incident Management and Disaster Recovery & Business Continuity are not clearly defined.
3) The IT department has taken measures in implementing security practices throughout the IS environment; however, organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc/reactive manner; a citywide approach to managing cybersecurity risk has not been established.
Future State Mitigating Activities:
1) We recommend the City implement a governance framework that allows for the proper management of a successful ISP. An effective ISP involves participation from senior management to set the direction for proper information security practices, adequate staffing and compliance with policies.
2) Further, we recommend the City adopt a practice of performing a cybersecurity risk assessment periodically. The periodic approach may take either of the following forms: (A) performing a full assessment every other year, due to the intensive resources required to facilitate such an exercise, or (B) a targeted approach done annually, including:
• revisiting this report's findings and updating controls where appropriate,
• re-assessing the City’s mitigation plan to update progress and note any further concerns, and/or
• selecting a few high-priority control areas (e.g. vendor management, or any business objective/goal identified by executive management) and re-assessing associated threats related to those areas.
Management Response:
The City is already taking several steps to comprehensively manage and enhance security:
1) Implementing IT Catalyst Plan – 5 year Strategic Plan
2) Developing documented policies to address various IT areas
3) Developing Cybersecurity Training
4) Conducted 2 security audits
5) Budgeting Lead System Security Analyst in FY19
6) Conducting PCI (Payment Card Industry) study
7) Implementing two factor authentication
IT agrees that an Information Security Program (ISP) needs to be created.
IT Immediate actions (next 12 months):
1. IT Cybersecurity Risk Assessment by the US Department of Homeland Security.
2. Determine best practices, implement security policies, and identify staffing/challenges to implement ISP.
3. Identify staffing needs to appropriately manage IT security challenges and ISP.
IT future planned actions (12 - 36 months):
1. Continue Cybersecurity scanning on a yearly basis.
2. Implement ISP.
3. Assign security roles to existing staff and hire any security staff needed to manage an Information Security Program.

Risk 2: Utility Market
Risk Detail: Exposure to fluctuations in the market price of utilities.
Residual Risk Score: 18.75
Risk Owner: Deputy General Manager – Georgetown Utilities
Current State Mitigating Activities:
1) The City has no physical risk and low financial risk from the power supply market.
2) ERCOT, the state-run system operator, manages and controls the physical matching of supply to demand statewide, thus eliminating the City’s exposure to physical supply risk.
3) As a Utility within ERCOT, the City takes delivery of all power from ERCOT at the market rate, thus exposing it to inherent financial risk.
4) The City mitigates the inherent financial risk through hedging demand with offsetting, fixed-price power purchase agreements (PPA’s) and hedging transmission congestion charges through congestion revenue rights (CRR’s), which are forward contracts on congestion. Additional residual financial risk is further mitigated through the industry standard utility practice of passing the variance through to customers as a power cost adjustment factor (PCA). The City does currently use a form of the PCA pass-through; however, it is not the current practice to adjust this on a monthly basis.
5) The City has a diversified portfolio of PPA’s with both short and long terms. The two principal agreements are a 20 year wind and a 25 year solar contract. Together, these two contracts exceed the City’s current needs and will accommodate growth.
6) The long duration power agreements at fixed price provide long term rate stability through a long term hedge.
7) A utility rate study is in progress to update the most recent study from 2012.
8) Quarterly financial updates are presented to the GUS Board and the City Council.
Future State Mitigating Activities:
1) Continue to enhance the City’s forecasting tools and techniques to increase granularity and improve accuracy.
2) Continue development of a strategy to meet future peak demand growth with distributed generation and storage rather than remote central generation, to mitigate exposure to transmission congestion.
Management Response:
The City will continue its efforts to mitigate exposure to the utility market:
1) Implementing rate study recommendations
2) Will grow reserves for contingency and market fluctuations to comply with Fiscal & Budgetary Policy
3) Will perform rate study every 3 years
4) Providing quarterly reports to GUS Board and City Council

Risk 3: IT Asset Management: Data Classification
Risk Detail: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Residual Risk Score: 17.00
Risk Owner: IT Director
Current State Mitigating Activities:
1) The City has identified and catalogued its hardware and software via a tool called Lansweeper. This approach ties into an overall information flow enforcement (NIST SP 800-53 Rev. 4 AC-4), which ensures the confidentiality, integrity, and availability of critical data when defined and enforced.
2) In addition, the City also maintains a manual list of all inventoried applications/software.
3) An information classification policy does not currently exist.
Future State Mitigating Activities:
1) The City should consider classifying data within the system based on its criticality and/or sensitivity (NIST SP 800-53 Rev. 4 RA-2). Classification of data will also help drive the above-mentioned information flow enforcement and help define the City’s security architecture.
2) We recommend the classification of City data to define an appropriate set of protection levels and the communication required for special handling. Classifications and associated protective controls (including encryption for data at rest and data leak prevention tools) should take into account department needs for sharing or restricting information and the associated business impacts if such data were compromised. Successful data classification in an organization requires a thorough understanding of where the organization’s data assets reside and on what applications/devices they are stored. Handling procedures should include details regarding the secure processing, storage, transmission, declassification, and destruction of data.
Management Response:
The City is currently taking several steps to classify and protect data:
1) Implementing IT Catalyst Plan – 5 year Strategic Plan
2) Developing documented policies to address various IT areas
3) Classification of HR and Finance data during Enterprise Resource Planning project
4) Payment Card Industry compliance audit
IT sees value in creating a data classification policy that outlines how the city classifies data for each system.
IT Immediate actions (next 12 months): Work with new ERP vendor to develop classification framework for financial, asset and employee information. Create a Data Classification policy.
IT future planned actions (12 - 36 months): Classify data in all systems city wide that IT is responsible for administering.

Risk 4: IT Access Management
Risk Detail: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Residual Risk Score: 17.00
Risk Owner: IT Director
Current State Mitigating Activities:
1) New employees and vendors are required to sign off on the Acceptable Use policy.
2) For the financial system, the Application Administrator is assigned responsibility for setting permissions for add/removal of users after approval from system owners.
3) Security administration duties are assigned across various applications, whereby all analysts have a designated system/application they are assigned to. Department directors are considered system owners; the IT department facilitates requests/approval of the application owner for security access. All IT employees are CJIS certified.
4) Application vendors must be CJIS certified, and CJIS certification is also required in vendor agreements. It was noted that not all applications have a formal process of provisioning and de-provisioning.
5) Every building is on its own VLAN and segregated; DMZs also exist, separated by firewalls (in and out). SCADA systems are also air gapped and do not interact with other parts of the network.
Future State Mitigating Activities:
1) A role-based access scheme should be established to ensure consistent application of user access rights within the system. Users should be assigned their base set of access authorizations based on the concept of “Least Privilege Necessary” to perform their role or job function (as defined within their formal job description). Additional access beyond the previously established role-based access scheme should be formally requested, reviewed for conflicts and approved (NIST SP 800-53 Rev. 4 AC-2). Moreover, Management should consider integrating access rights with the data classification efforts identified in Appendix B of this report.
2) Ensure a process is in place to approve special access requests and to de-provision access in a timely manner upon notification from HR.
Management Response:
The City agrees with these recommendations and is taking the following steps:
1) Implementing IT Catalyst Plan – 5 year Strategic Plan
2) Implementing 2 factor authentication
3) Implementing consistent role based access to CIS and ERP system functions through ERP conversion project
IT agrees that additional process and policy is needed to enhance IT access control. IT feels ownership of physical security audits needs to be with the department(s) that maintain keys to buildings or the system controlling automated keycard access.
IT Immediate actions (next 12 months): Implementation of Enterprise Application Access Control policy. Leverage new Systems Admin Lead to identify additional costs and resources to implement auditing of these changes in the future.
IT future planned actions (12 - 36 months): Identify a way to audit Application Access on a yearly basis. Implement yearly audits for Application Access.

Risk 5: IT Contingency Plan
Risk Detail: Loss or inability to continue business due to natural disaster, system capacity or performance issues, interruption in communication, loss or corruption of data, or loss of critical vendors or staff members.
Residual Risk Score: 17.00
Risk Owner: IT Director
Current State Mitigating Activities:
1) The City has an extensive data backup strategy in place in order to ensure that critical data for operations are available in the event of an interruption or incident.
2) The current data backup plan has redundancy built into the datacenter environmental controls.
3) Recovery processes are in place to restore systems/assets affected by cybersecurity events. However, CoG is yet to formalize a BCP/DRP.
4) The City has prepared a five year IT Strategic Plan which includes a plan for implementing business continuity practices over the next 2-3 years.
Future State Mitigating Activities:
Plante Moran recommends the City conduct and formalize: (1) a Business Impact Analysis (BIA), which identifies and analyzes mission-critical business functions and then quantifies the impact a loss of those functions would have on the City, and (2) an information system contingency plan to mitigate the risk of critical system and service unavailability. The contingency planning process should occur after a formal Business Impact Analysis (BIA) is conducted, in order to correlate the system with the critical processes and services provided and, based on that information, characterize the consequences of a disruption. Three steps are typically involved in accomplishing the BIA:
• Determine mission/business processes and recovery criticality
• Identify resource requirements
• Identify recovery priorities for system resources
Management Response:
The City will continue with the efforts already planned to mitigate this risk:
1) Planning and funding fail-over data center
2) Developing and testing protocol to fail-over data center
IT feels this risk is related to the lack of a City Wide Business Continuity plan. IT fully takes responsibility for Disaster Recovery of IT systems; a city wide BCP is needed to identify the Business Impact Analysis and criticality of City wide services to assist with proper implementation of Disaster Recovery activities.
IT Immediate actions (next 12 months): Identify how the city wants to address business continuity city wide. Work with Emergency Management to look for third party support to develop a BCP. Leverage new Lead System Admin to start planning and identify resources needed to create a DR plan.
IT future planned actions (12 - 36 months): Develop consistent DR plan that can co-exist with city BCP.

Risk 6: Legislation
Risk Detail: Governmental laws change that impact the organization through financial, operating, strategic or compliance issues.
Residual Risk Score: 16.36
Risk Owner: City Manager’s Office
Current State Mitigating Activities:
1) The City Attorney’s office monitors legislative sessions for the City as a whole and communicates the effects of legislation to appropriate departments.
2) The Electric Department utilizes a third party engineering firm to monitor potential legislation that could impact the Department.
3) The City has an agreement with an outside government affairs and advisory firm which specializes in advising and assisting municipalities in legislative activities.
4) The Transportation Department has developed a detailed plan of response to the effects of the City passing the 50,000 population threshold, specifically related to traffic signal operation. After the 2020 census, the City will be responsible for operating all traffic signals in the City, which is double the number the City currently operates.
A large financial commitment will be required to operate and maintain all traffic signals in the City.
Future State Mitigating Activities:
1) Council and Management should review and closely monitor the status of annexation plans for the City. After the 2020 census, the City will be limited in its ability to perform annexations due to Williamson County’s population surpassing 500,000 citizens.
2) The City should work with legislators to clarify the impact of harmful legislation, including revenue caps and limits on debt financing for infrastructure during the City’s period of high growth, and should stress the removal of local control restrictions that impact citizens' ability to effect changes in their local community.
Management Response:
The City will continue its efforts to monitor state actions and advocate for what is best for the organization and community:
1) Implement Council strategies and tactics related to influence with State government
2) Continue supporting TML efforts
3) Continue working with government affairs and advisory firm
4) Continue to build relationships with other governmental agencies

Risk 7: Segregation of Duties
Risk Detail: The Organization fails to adequately segregate roles and tasks between team members.
Residual Risk Score: 16.43
Risk Owner: Finance Director
Current State Mitigating Activities:
1) Each department communicates a personnel change to HR and IT to add/remove/change a staff member’s access.
2) HR and payroll have segregated roles for processing employee payroll and benefit information. Only Finance has access to process changes within the payroll module.
3) Segregation within the finance department is maintained by separate individuals processing payroll and accounts payable.
4) Utilities customer cash receipts are handled through Customer Care front facing staff. Cash drawers are reconciled and closed on a daily basis. Bank deposits are prepared by Customer Care back office operations daily and are couriered to the bank by Police Officers. Revenue financial reporting is done by Finance.
5) A police officer travels to the cash locations to provide secure courier service on all bank deposits.
Future State Mitigating Activities:
1) An annual review of user access for all staff members within the City across all programs managed by IT should be performed.
2) Departments that have not had an internal control review within the past five years should evaluate the design and effectiveness of their internal controls.
Management Response:
1) Implementing new CIS and ERP systems, which requires thorough review of system segregation controls.
2) Cameras being evaluated for various cash areas.
3) Emphasize and explain segregation of duties attributes during training for new or revised financial policies and procedures.
4) Parks & Recreation has segregated deposit duties separate from cashiers.
5) Finance is reviewing the segregation of the vendor database duties for the new ERP system.
IT feels this risk requires joint ownership with other departments. IT already has controls in place for user access to computer resources and access to applications.
IT Immediate actions (next 12 months): Implementation of Enterprise Application Access Control policy. Train IT employees on the new policy. Enforce the new policy on new Enterprise systems as they roll out. Leverage new Lead Admin to identify resources and costs associated with reviewing user access for all city computer resources and applications.
IT future planned actions (12 - 36 months): Implement annual reviews/audits of user accounts with access to computers and enterprise applications.

Risk 8: Access to Talent
Risk Detail: Organization lacks sufficient staffing levels to carry out its routine operations.
Residual Risk Score: 11.75
Risk Owner: HR Director
Current State Mitigating Activities:
1) The growth of the City has resulted in a large talent pool for many positions within the City, with some job openings attracting over 300 applicants.
Overall, the City gets sufficient applicants for general open positions.
2) The City is in the process of performing an assessment of retirement eligibility for key personnel.
3) Departments within the City utilize third party contractors to fill non-key positions on a temporary basis.
Future State Mitigating Activities:
1) The City should evaluate positions with required specialized certifications and determine whether entry level staff members can obtain certifications after hire.
2) For specialized positions, including, but not limited to, building inspectors, paving foremen, and traffic engineers, the City should conduct an assessment of staffing levels with a 3-year outlook.
3) The Fire Department should develop a plan to acquire the necessary EMS personnel talent.
Management Response:
1) HR and Fire are continuously developing a recruitment strategy for future station staffing.
2) The City currently recruits many positions such as 911 dispatcher and Electric Linemen Apprentices in the manner described in mitigating recommendation #1 and continues to review options as new vacancies arise.
3) The City works continuously to keep pay and benefits market competitive, and HR staff is currently working on enhanced recruitment branding techniques to continue to bring in excellent talent.

Risk 9: Emergency Notification System Failure (ENSF)
Risk Detail: The City's Emergency Notification System fails to alert citizens in the event of an emergency.
Residual Risk Score: 13.81
Risk Owner: Emergency Management Coordinator
Current State Mitigating Activities:
1) There is a city-wide emergency notification system consisting of tornado sirens and reverse 911 (Code Red), which are tested on a regular basis. The outdoor warning system is in place to notify citizens to take shelter and is not intended to be heard indoors.
2) The City recently added a position dedicated to Emergency Planning.
3) Incident Action Plans are developed for large scale community events, such as the Red Poppy Festival.
Future State Mitigating Activities:
1) The City should communicate Incident Action Plans for large scale events to all parties involved with the event, including the Convention and Visitors Bureau (CVB).
2) Management should inform all departments of the operating procedures related to the ENSF.
3) The EMC should develop basic and advanced emergency management training for key stakeholders in the City (Division Managers) and conduct table top and/or practical training exercises that replicate local level emergencies.
Management Response:
The City agrees with these mitigating activities and will prioritize them in the EMC’s work plan.

Risk 10: Fraud
Risk Detail: Customer, third party, or internal fraud occurs, resulting in a significant misappropriation of assets and/or incorrect financial reporting, or corruption/kickback schemes.
Residual Risk Score: 13.75
Risk Owner: Controller
Current State Mitigating Activities:
1) The Finance Department performs a review of a small number of P-Cards to verify the legitimacy of the purchases.
2) Fixed assets over $5,000 in value are tracked in the ERP fixed asset module.
3) Currently no fraud prevention program is communicated to all employees, with training to identify and prevent fraud.
4) The Finance team indicated internal controls can be strengthened around:
• Communication, billing and collection from Planning and Housing and GUS Engineering on construction/development contracts with developers, as they have limited visibility on project status, progress, completion and timelines of payment due dates.
Cannot get My Permit Now to reconcile to Accounting • Processing and internal controls around Grant Administration regarding collections and subsequent compliance reporting • Credit Card (P-Cards) payment procedures are inconsistently applied across City operations 5) The City lacks internal monitoring controls and audit logs around Master File Maintenance on IT databases (employee, customer, vendor, etc.) 6) Segregation of duties reduces the chance of fraud 7) The City has a personnel policy related to fraud 8) A fraud hotline is advertised to the City staff, so that staff can report fraud anonymously. The reports are collected by an outside firm, who sends information to representatives in Human Resources, Finance, and the CMO for investigation. The CMO follows up on any investigations 9) Purchasing cards have strict limits to ensure the risk of misuse by a single employee is limited to an average of $1,000. 1) The Finance Department should perform more robust reviews of P-Card purchases and consider utilizing software to perform regular audits of P-Cards 2) The Finance Department should perform annual reviews of P-Card users to evaluate whether the all users actually need P-Cards 3) The City should implement a more extensive asset tracking program, utilizing fixed asset tags on assets valued over $1,000 with consideration of periodic asset audits 4) Vendor Ship-To addresses should be limited to a “drop down” list consisting only of City facilities 5) The City should consider developing a fraud awareness and prevention training program with active participants across all City departments 6) All changes to IT databases deemed to be material should be tracked on an Audit File Log and reviewed by someone without access to the databases 1) Asset tracking and vendor shipping will improve as part of the ERP project. 2) The City has already implemented and conducted training on grant tracking and reporting. 
3) Staff are currently developing a citywide fraud awareness and reporting training. Page 73 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 20 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 11 Health & Safety Exposure to potentially significant workers' compensation liabilities due to the inability to maintain compliance with applicable health and safety laws and regulations. 13.04 HR Director 1) All Public Works and Utility departments have a robust safety program consisting of monthly safety training, daily safety summaries, semi- monthly safety meetings, and detailed safety policies. Public Works departments also provide sufficient safety equipment to all relevant staff members 2) The Fire and Police Departments have a robust line of safety gear, training, fitness assessments, inspections, and safety policies 3) All safety incidents are communicated to Human Resources for review and to work as a liaison between the department and the employee 4) The Airport requires all non-airport employees to be escorted by a staff member with knowledge of Air Traffic Control communication 5) Parks and Recreation requires safety maintenance with swimming pools to ensure chemicals are in balance Overall, the City has robust health and safety procedures and should consider adding the following: 1) The Library should develop clear policies and procedures on a course of action when a customer, employee, or volunteer is injured at the facility. 2) The City should review the lifeguard policy for pool facility rentals. The City currently does not provide a lifeguard for pool rentals by the Georgetown Independent School District and does not require GISD to provide their own lifeguard. 
3) Consider adding an Active Shooter response plan 1)HR and Library will work together to develop consistent injury procedure 2) The City has met with GISD swim coaches to brainstorm ways to mitigate lifeguard risk and is drafting a facility use agreement that outlines the lifeguard requirements of the City and GISD 3) HR and Police are developing Active Shooter training for departments Page 74 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 21 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 12 IT Incident Response Management Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. 12.00 IT Director 1) The City has no formalized or documented information security incident response procedure 2) CoG's IT department has an informal (undocumented/ad-hoc) resolution process to ensure appropriate steps are taken to respond to incidents. 
The process is triggered in the event of a report/discovery of compromise, loss, or theft of system data We recommend the City implement a formal incident response plan including: 1) Provide a roadmap for implementing its incident response capability; 2) Describes the structure and organization of City of Georgetown’s incident response capability; 3) Provides a high-level approach for how the incident response capability fits into City of Georgetown as a whole and the overall Family of Companies; 4) Meets the unique requirements of City of Georgetown’s mission, size, structure, and functions; 5) Defines reportable incidents as well as requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channel); 6) Provides metrics for measuring the incident response capability within the organization; 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8) Is reviewed and approved by senior management IT agrees a formal process and procedures need to exist to manage cybersecurity incidents appropriately. IT Immediate actions (next 12 months) Implement Incident response policy. Train IT staff on procedures to ensure policy is being met. IT future planned actions (12 - 36 months) Document formal incident response plan including all recommendations by Plante. 13 Utility Outage The City is unable to respond to mass failures of electrical, water, or sewage outages in a timely manner. 11.89 Utility Director 1) Control Center has monitoring alarms in the event of outages 2) Control Center has an outage management system to diagnose location of fault and provide area of impact and customer count 3) Response plan is in place for water, wastewater, and electric system failures. 
4) Regular maintenance tracking of all critical equipment; replacement is made when showing signs of degrading through testing 1) Maintain equipment useful lives schedule and proactively monitor components which have reached their useful lives 2) Perform a vulnerability assessment to judge your preparedness for handling the increased likelihood for power outages Emergency Response Procedures have been expanded to include establishment of an Operations Command Center procedure for emergency response for large scale utility outages that do not rise to the level of EOC activation. Page 75 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 22 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 14 Disaster Recovery / Business Continuity Planning Inability of the organization to continue key business processes during a potential disaster due to lack of sufficient disaster recovery planning and/or execution. 11.60 City Manager’s Office 1) Most city staff members are able to work remotely via Virtual Desktop Infrastructure (VDI) 2) The Public Works Departments conduct assessments of potentially hazardous situations (ex: tree trimming to prevent outages during windstorms) 3) The Fire and Police Departments can immediately route 911 calls to the Williamson County 911 center 4) Tabletop disaster recovery simulations are performed on an annual basis by the Emergency Management Coordinator in conjunction with the Fire Department 5) No backup plan in place at Airport if fueling system or lighting vault fails. This has been identified as a weakness and accounted for in the Airport Master Plan to remediate over the next 5 years. 6) No DR/BCP plan at the Library, Communications, Convention & Visitor’s Bureau, Customer Care and Inspection Services 7) Back in 2005, the Municipal Court had a system crash and were unable to recover records. 
They had to recreate 2.5 months of records and it took about 6 months. The issue has not been resolved 1) The City has inconsistent DR/BCP across the organization. Some departments have a robust plan and others have none. A DR/BCP should be developed for every City department. Each of these department-level plans should then be integrated into a city-wide plan 2) Tabletop disaster recovery simulations should be performed with all City Departments 1) As the City buys new or upgrades existing software, we are prioritizing cloud options that improve security and access Page 76 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 23 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 15 Billing for Citizen Services Citizens are billed incorrect amounts or not billed at all for citizen services. 11.37 Customer Care Director 1) Rates and/or fees for Utility Services, Building Inspection Services, Animal Services, Permits, Fire, Police and Airport are approved by Council 2) Parks and Recreation rates are set and approved by the Parks and Recreation Director and submitted to the Council annually 3) Customer Care utilizes systems built into the meter data management (MDM) and customer information systems (CIS) that apply validation methodology to detect abnormal consumption or amount billed. 
These “exceptions” are identified in the systems for staff to review and validate manually (referred to as “Edit Process”) 4) Billing for EMS services is performed by a 3rd party service and any hardship write downs require the Fire Chief’s approval 5) Departments handling cash perform daily cash reconciliations 6) The Municipal Court clerks review all tickets/citations before being sent to the recipient 7) The Code Enforcement Department maintains evidence of violations to be billed, and the Energy Services Department maintains the police report as evidence for billing for damages 8) Airport uses a third party appraisal for lease amounts along with fuel prices set by City Council a. The fine schedule for the Municipal Court citations should be restricted to specific users b. All invoices should be created in a single system across the City and remit-to addresses should be limited by a “drop-down” function consisting of only addresses the City accepts payments c. Management should consider a third party revenue recognition study to validate all sources of revenue are complete and accurate across the City operations d. An outside party, Emergicon, reviews billing for EMS incidents as there are various rates depending on citizen’s ability to pay. Emergicon also collects funds and this helps reduce the occurrence of billing errors and improves collections. However, Emergicon also writes off funds and there is no reconciliation of EMS revenue to billings. We recommend the City enhance reconciliation controls around billing procedures and perform internal audits of quality control and verification of vendor compliance. 1) Implementing a new ERP system will include a thorough review of the Accounts Receivable/Billing module. 2) Once Emergicon has completed a full fiscal year of billings and collections, the City can audit and evaluate the performance and compliance of Emergicon’s processes and procedures. 
Page 77 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 24 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 16 Composition of Tax Base Changes in the balance of commercial and residential tax base result in losses of revenue from taxes. 10.63 City Manager’s Office 1) The City has performed a detailed mapping of how each square mile of the city will be used in the future 2) The City Manager’s Office completes regular fiscal impact models to determine the effects of commercial vs. residential development 3) The Economic Development Department has established a comprehensive strategic plan 4) Economic Development relies on demographic research for talking to prospects regarding future development. Works closely with the Planning Department 5) The Fire Department should be involved in all communications regarding commercial development in order to ensure the Department is able to acquire the necessary equipment to manage emergencies at large scale commercial properties 6) The Fire Department has increased its staff to respond to an increase in calls for service. The rate of EMS calls for service is growing at double the rate of population 7) The City is updating its Comprehensive Plan which will include an update to the future land use plan 8) Planning Dept. promotes and encourages a varied level of housing products and commercial tax base per the Comprehensive Plan. 1) The City should communicate potential new commercial and residential development to directly impacted City departments and evaluate how new development would affect each directly impacted department 2) Management should utilize a concentration strategy that is flexible and supported by realistic expectations The City is updating its Comprehensive Plan through a robust citizen engagement process during 2018/19. This plan will identify community standards and goals for growth. 
City staff from various departments impacted by development meet with the City Manager’s Office on a bi-weekly basis to discuss major development applications as well as to collaborate and problem solve on various issues. 17 Grant Obligations Organization fails to meet grant covenant requirements. 10.55 Controller 1) Grants filings across the City are monitored by various personnel within the Finance Department 2) Grant applications require City Council approval per the City’s Fiscal and Budgetary Policy 3) Federal and State grants require compliance filings and, if omitted, could impact future grant funding, as well as result in audit findings 1) The City should designate a staff member as a Grant Administrator. This staff member should be responsible for maintaining a repository of all grants being applied for, awarded, contact person, and any required filings associated with each grant. City should require that all Grants be managed through the new Grant Administrator 2) A Grant Status Report should be provided on a periodic basis to the City Manager’s office for potential budget considerations The City has completed these recommendations. The Controller is the Grant Administrator. A new policy was implemented in the spring and the status report is presented to Council in the quarterly financial report. Page 78 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 25 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 18 IT Third Party Roles & Responsibilities Security roles and responsibilities are not established for all third-party service providers and lack clear contractual obligations for service level agreements and KPI’s. 10.00 IT Director 1) The City has identified trusted partners with respect to hardware and hosted applications 2) Roles and responsibilities have been established but are not formally documented. 
Within the workforce, absence of a formal documentation poses a risk for segregation of duties and with third parties, accountability may be lacking 3) The contract between City of Georgetown and the service provider does not specifically outline the roles and responsibilities related to Cybersecurity controls handled by each organization 4) There is no monitoring of external party use of the system for potential Cybersecurity events We recommend management take the following actions: 1) Clearly identify the cybersecurity responsibilities to be outlined in the contract with the service provider including roles for identification, response, and recovery procedures 2) Establish Key performance indicators for third- party responsibilities including number of events, data breaches, number of notifications 3) Continuously monitor contract SLA’s and established key performance indicators IT has been working to ensure new contracts meet a higher level of security requirements. For example the Office 365 contract with Microsoft has advanced alerting for things like elevation in access privileges and enhanced reporting to view our security posture at any time. IT manages KPI’s for 3rd party contracts through simple notification of security events that can follow the city’s Information Security Response plan should provide adequate documentation for security events. Incident response risks are being addressed under Risk # 3 on this document. IT Immediate actions (next 12 months) Continue to monitor all new contracts to ensure proper cybersecurity language exists. Require all vendors to use multi factor authentication to access city resources. IT future planned actions (12 - 36 months) Review older contracts and make notes of where changes are needed during contract renewals. 
Page 79 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 26 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 19 Vendor Reliance Any termination of, or adverse change in, the Organization's relationships with its key suppliers, or loss of the supplies in support of one of the organization’s key services. 9.81 Purchasing Manager 1) The majority of City Departments have multiple vendors available to supply goods & services and would not face disruption if they had to switch vendors 2) We noted 3 departments that have a reliance on key vendors and they are closely monitoring this process: Transportation (asphalt and concrete), Fire Department (specialty vehicle repair) and Animal Services (specialty veterinarian drugs and feed) 1) Assign one person the responsibility of monitoring all key vendors to the City 2) Create a subsidiary listing of all key vendors with contract details, SLA’s and performance metrics 3) Report back to City Manager when it is determined a vendor may become insolvent or is not meeting SLA’s 4) Prior to contract renewal, negotiate with all key vendors to capture volume discounts and preferred pricing 5) Management indicated Garland Power & Light currently reconciles their meter data to the scheduling data and the transaction settlement engine. This could be done in house but would require additional headcount as the process runs 24/7. Management should consider a cost/ benefit study to do this in-house The new ERP will enhance the ability to analyze vendor and contract details. The City’s purchasing policy receives quotes and/or formal bids for purchased over $3,000. Purchases over $50,000 are approved by Council so more review is given to these large expenditures. The management acknowledges that certain items noted are “sole source” which provides a reliance on key vendors in limited situations/purchases. 
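Risk 20 (IT Critical Security Event Identification), which follows, recommends identifying high-risk events that can be alerted from current logging capabilities and lists multiple failed login attempts, elevations in access privileges and changes to security settings among the common threat events. The block below is an added illustration of that kind of alerting, written for this page; it is not code from the Plante report or from the City's IT department. The syslog-like line layout, the event names (LOGIN_FAILURE, PRIV_ELEVATION, SECURITY_SETTING_CHANGE, APP_CODE_CHANGE), the five-failures-in-five-minutes threshold and the sample log lines are all assumptions constructed for the example.

```python
"""Alert on high-risk events in a constructed authentication log.

Added example for Risk 20 of the risk assessment; not the City's or the
consultant's code. Log format, event names and thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> <host> <EVENT> user=<u> src=<ip> [free-text detail]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?: (?P<detail>.*))?$"
)

# Single occurrences of these events are worth an alert on their own; the
# mapping gives the reason text that appears in the alert.
DIRECT_ALERT_EVENTS = {
    "PRIV_ELEVATION": "elevation in access privileges",
    "SECURITY_SETTING_CHANGE": "change to security settings",
    "APP_CODE_CHANGE": "change to application code",
}

# Constructed sample log: one burst of failed logins followed by a privilege
# change, a few slow failures from another user, and one malformed line.
SAMPLE_LOG = """\
2018-11-13T08:00:01 ad01 LOGIN_FAILURE user=jdoe src=203.0.113.7
2018-11-13T08:00:09 ad01 LOGIN_FAILURE user=jdoe src=203.0.113.7
2018-11-13T08:00:15 ad01 LOGIN_FAILURE user=asmith src=198.51.100.20
2018-11-13T08:00:20 ad01 LOGIN_FAILURE user=jdoe src=203.0.113.7
2018-11-13T08:00:31 ad01 LOGIN_FAILURE user=jdoe src=203.0.113.7
2018-11-13T08:00:44 ad01 LOGIN_FAILURE user=jdoe src=203.0.113.7
2018-11-13T08:00:52 ad01 LOGIN_FAILURE user=jdoe src=203.0.113.7
2018-11-13T08:05:10 ad01 LOGIN_SUCCESS user=jdoe src=203.0.113.7
2018-11-13T08:06:03 ad01 PRIV_ELEVATION user=jdoe src=203.0.113.7 added to group "Domain Admins"
2018-11-13T08:07:40 fw01 SECURITY_SETTING_CHANGE user=jdoe src=203.0.113.7 audit policy disabled
2018-11-13T08:20:00 ad01 LOGIN_FAILURE user=asmith src=198.51.100.20
this line is not in the expected format
2018-11-13T08:40:00 ad01 LOGIN_FAILURE user=asmith src=198.51.100.20
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_events(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Scan log lines in time order and return (alerts, counts).

    alerts: one dict per alert raised, in the order they were raised.
    counts: totals per event type (plus UNPARSED), the kind of figure a
            KPI report on "number of events" would carry.
    Failed logins alert when `fail_threshold` failures for the same
    user+source fall inside a sliding `window`; the window is cleared after
    an alert so one burst yields one alert rather than one per extra failure.
    """
    alerts = []
    counts = defaultdict(int)
    recent_failures = defaultdict(deque)  # (user, src) -> recent timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["UNPARSED"] += 1  # malformed lines are counted, never silently dropped
            continue
        ev = rec["event"]
        counts[ev] += 1
        if ev in DIRECT_ALERT_EVENTS:
            alerts.append({"ts": rec["ts"], "reason": DIRECT_ALERT_EVENTS[ev],
                           "user": rec["user"], "src": rec["src"],
                           "detail": rec["detail"] or ""})
        elif ev == "LOGIN_FAILURE":
            key = (rec["user"], rec["src"])
            q = recent_failures[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append({"ts": rec["ts"], "reason": "multiple failed login attempts",
                               "user": rec["user"], "src": rec["src"], "count": len(q)})
                q.clear()
    return alerts, dict(counts)


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_events(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    found, totals = run_sample()
    for a in found:
        print(a["ts"].isoformat(), a["reason"], a["user"], a["src"])
    print(totals)
```

On the sample input the detector raises three alerts: the fifth failed login for jdoe within the window, the privilege elevation that follows the successful login, and the audit-policy change; the three slow failures for asmith never reach the threshold because they are more than five minutes apart. The per-type counts are the raw material for the "number of events" KPI mentioned under Risk 18, and the UNPARSED count is a check that log collection itself has not broken.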
Risk 20: IT Critical Security Event Identification
Risk Detail: A formal risk event identification process is not in place to identify, classify and resolve security events
Residual Risk Score: 9.00
Risk Owner: IT Director
Current State Mitigating Activities:
1) Currently there are a variety of log generation methods in place for the system; however, there is no catalog of security event types being identified and reviewed within the logs by security professionals
2) As noted in the Segregation of Duties risk, there are no documented audit log reviews of changes made to critical City databases
Future State Mitigating Activities:
1) Identify high risk events that can be alerted from current logging capabilities (NIST SP 800-53 Rev. 4 AU-6). Potential high risk events can be discerned through the risk assessment process (NIST SP 800-53 Rev. 4 RA-3), penetration testing, and best practice documentation. Some common threat events include:
• Multiple failed login attempts
• Elevations in access privileges
• Changes to application code
• Changes to security settings
• Process specific actions
2) Consider alert generation techniques for risky events such as devices that connect to the network without authorization
3) Identified events should be responded to in accordance with the organization’s Incident Response Plan
Management Response:
IT does not currently have designated security staff. This makes it challenging to implement controls at this level because of the time and knowledge necessary to keep a proactive approach maintained. IT agrees we should have an advanced alerting process on high risk events; however, continuing to maintain these types of processes can be staff intensive.
IT Immediate actions (next 12 months): Hire a Lead System Administrator (approved for FY19) to assist with security activities. Identify high risk events that occur in current logging tools. Research methods for alerting based on events. Research staff time needed to implement and maintain an alerting process that always follows best practices. Research managed security services and costs. Discuss options with City Manager’s Office for implementation.
IT future planned actions (12 - 36 months): Create an alerting strategy/process that alerts staff when appropriate. Implement alerting for high risk events. Implement managed security services if feasible.

Risk 21: IT Security Awareness, Training and Education
Risk Detail: Personnel are not informed of potential IT threats to the organization and are unable to respond effectively.
Residual Risk Score: 9.00
Risk Owner: IT Director
Current State Mitigating Activities:
1) The City has implemented an Acceptable Use Policy amongst other policies around proper use of computers and accessing digital information. However, to ensure compliance, there is a need to assess employees’ understanding of policies and response to cybersecurity threats via periodic awareness and training
2) IT staff monitors and reports email scams to all employees in an effort to increase awareness
Future State Mitigating Activities:
1) Rely on end users as the first line of defense to limit exposure to social engineering frauds and threats
2) Consider increasing complexity of password requirements
3) Create a formal IT Awareness training and provide to all employees on a periodic basis
4) Require employees to formally acknowledge in writing that they have read and understand the security awareness training, and that they recognize the ramifications of non-compliance
Management Response:
IT Immediate actions (next 12 months): Implement city wide security awareness program and training. Partner with HR to leverage use of LMS for security training.
IT future planned actions (12 - 36 months): Continue to provide security awareness training and review annually for new material and best practices.

Risk 22: Fire Department Failure
Risk Detail: The Fire Department is not adequately equipped to handle responses to emergencies in the City.
Residual Risk Score: 8.00
Risk Owner: Fire Chief
Current State Mitigating Activities:
1) The GFD studies data points to best position their resources in order to minimize response times. In instances when there are no resources available, GFD has agreements with third party ambulance providers who are obligated to provide the same response time as the GFD
2) Also, the GFD has mutual aid agreements with neighboring communities to assist in calls when the City is not available
3) The GFD indicated they perform fire inspections of public buildings (schools, hospitals, government buildings, etc.) but there are not enough resources to do fire inspections/capacity evaluations on all businesses in the City
4) The City is currently building two stations to ensure adequate response to the growing population
Future State Mitigating Activities:
1) Consider an independent third party evaluation study of the GFD capabilities, response metrics and resource allocations to evaluate if there needs to be changes to the current resource allocation model
2) Consider cooperative agreements with ESD8 and/or contiguous municipalities to elevate synergistic programs (co-located/co-operated fire stations) and boundary drops (enhanced auto-aid).
3) Consider requiring licensed buildings to be inspected annually. Also, consider a self-inspection program for low risk properties and/or an inspection matrix as follows:
• Low Risk – every 3 years
• Medium Risk – every 2 years
• High Risk – annually
4) Management should consider the implications for property owners and businesses when the Public Protection Classification (PPC) issued by the Insurance Services Organization (ISO) is not performed, as there may be a negative impact if not inspected annually.
Management Response:
GFD regularly reviews KPIs and communicates with city management on service delivery standards. Mutual aid agreements are in place for assistance when additional resources are needed. Additionally, GFD is exploring partnership opportunities on a long-term future station with Round Rock. A Fire inspector has been added to the staff for FY19 to help address the backlog of inspections and keep up with the growing number of business inspections.

Risk 23: Physical Security
Risk Detail: Facilities are not appropriately secured from unauthorized access.
Residual Risk Score: 9.00
Risk Owner: Asst. Parks & Recreation Director
Current State Mitigating Activities:
Overall, the City has robust physical security controls in place:
1) Customer Care and Municipal Courts have robust physical security programs in place. Safes are utilized for cash and cameras cover registers and safes. Dual access controls with keys and codes are used at cash access points
2) Most City buildings require access badge/fob to enter restricted (non-public) areas.
3) Police, Fire and Energy Services departments have restricted access areas
4) However, we noted several areas with limited physical security controls:
• Animal Services – lack of physical security is a major issue as animals have been stolen. Cash is not well controlled and cameras are not in place on critical areas. The safe is not adequately secured.
• Building Inspection Services, Public Works, GIS, Systems Engineering and the Georgetown Municipal Complex have poor physical security
Future State Mitigating Activities:
1) Consider taking inventory of all key cards to validate none have been stolen or lost
2) Consider development of physical security training for all personnel regarding safeguarding of assets, restrictive access to high risk areas, etc. The City must support the integrity of physical security throughout the organization with the assistance of the City’s Risk Manager
3) Standardize a consistent security plan across all locations appropriate for each facility
4) The City currently monitors physical access to the facility where IT resides to detect and respond to physical security incidents. However, CoG does not review physical access logs periodically
Management Response:
1) Cameras are being evaluated for various cash areas
2) Security access will be part of the current facilities study
3) Security access will be evaluated with the opening of each new or renovated facility.

Risk 24: Freedom of Information Act (FOIA)
Risk Detail: Non-compliance with FOIA requests
Residual Risk Score: 6.22
Risk Owner: City Secretary
Current State Mitigating Activities:
1) The procedure is for all FOIA requests to enter through Legal. They will decipher the request and hand off to the City Secretary office to obtain information.
2) FOIA request process is currently being transferred from Legal to City Secretary and is approximately 90% complete
3) GovQA is an electronic system used to maintain and track FOIA requests.
Future State Mitigating Activities:
1) When the transfer of FOIA request process is complete, consider documenting the process with written policies and procedures
Management Response:
1) The City has completed the transfer of FOIA request process to the Open Records Coordinator in the City Secretary’s office.
2) Citywide training has been completed by the Open Records Coordinator to provide guidelines and consistency to the process.
3) The City Secretary Department is in the process of completing Policies and Procedures for FOIA and should have them completed within the next month.

Risk 25: Police Failure
Risk Detail: The Police Department is inadequately equipped to respond to emergencies or responds in an unauthorized manner.
Residual Risk Score: 6.00
Risk Owner: Police Chief
Current State Mitigating Activities:
1) Police department is aware of people, process, technology and regulatory requirements
2) Robust controls are in place to monitor progress and key performance indicators
3) A culture of clearly communicating expectations, behaviors, and training is in place so officers are held accountable for their actions
4) Guardian Tracking is a day-to-day tracking of personnel performance entry recordkeeping. Police management reviews and a conversation with the employees occurs when they handle situations incorrectly
5) Training includes the following:
• Handling of persons with mental illness
• Defusing techniques to encourage peaceful tactics
• Non-lethal methods of restraint
6) Internal affairs division investigates all complaints against officers
Future State Mitigating Activities:
1) Develop the following Key Risk Indicators (KRI’s) and monitoring controls which may indicate a risk event is about to occur:
a. Increase in City crime rates
b. Increase in police misconduct/brutality incident claims
c. Increase in squad car accidents
d. Excessive overtime
e. Unexpected cost overruns/continuous unfavorable budget variances
f. Increase in dismissed cases due to insufficient evidence, improper procedures or failure to follow legal standards for police
Management Response:
1) The City will monitor quality of life crimes within the city and identify strategies for reduction where feasible.
2) The City will monitor and investigate all complaints, including use of force and pursuits and will identify strategies for reduction where feasible.
3) The City will monitor police overtime and identify strategies for reduction where feasible.
4) An annual report of crime statistics is presented publicly to the City Council.

Risk 26: Talent Management
Risk Detail: Organization lacks a clear assessment and evaluation process to align qualified employees with specific business requirements and needs.
Residual Risk Score: 5.42
Risk Owner: HR Director
Current State Mitigating Activities:
1) The City personnel policy requires bi-monthly performance discussions with all employees
2) Formal annual and mid-year performance evaluations, including employee development and training plans, are performed on all employees
3) Energy Department has a robust training curriculum with a 4-year apprentice program
4) Police department uses Guardian Tracking to evaluate officer performance daily
Future State Mitigating Activities:
1) Have HR department work collaboratively with business lines to gain in-depth knowledge of resource needs and constraints
2) Consider using an outside party for diversity in pre-hire assessments
Management Response:
1) HR staff is developing a supervisor survey to identify employee development for current and future roles
2) HR staff trained all supervisors in 2017 on proper hiring techniques including ways to overcome various forms of hiring bias
3) The city conducted an employee survey in 2016 and again in 2018. 79% of employees believe their job makes good use of their skills and abilities. 84% believe their job provides opportunities to do challenging and interesting work.

Risk 27: Records Management
Risk Detail: No records management policy is in place, adhered to, or is inadequately designed.
Residual Risk Score: 5.27
Risk Owner: Records Program Manager
Current State Mitigating Activities:
1) The City’s records retention policy is in line with the Texas State Library records retention policy. The department receives alerts from the state library of any changes to policy
2) Finance indicated they are unclear on how electronic records storage should be handled
3) Parks and Recreation has a large quantity of waivers and registration hard copy forms
4) Animal Services has a lack of electronic records and believes there is a risk of information loss
Future State Mitigating Activities:
1) Formalize Records Management policy regarding digital records and communicate to all departments
2) Consider additional training on electronic records management
3) Consider digitizing Parks & Recreation forms
Management Response:
1) The Records Team is training various departments on retention, destruction of records and digitalization of records.
2) Policies and Procedures have been completed and implemented.
3) The following information has been made available to employees via the internal GO site:
a. Records Management Policy & Procedures
b. Retention Schedules
c. Off-site storage information
d. Destruction authorization forms

Risk 28: Regulatory Filings
Risk Detail: Failure to comply with regulatory filings such as GASB, EPA, etc.
Residual Risk Score: 5.20
Risk Owner: Controller
Current State Mitigating Activities:
1) Water Services completes Environmental Protection Agency (EPA) and Texas Commission on Environmental Quality (TCEQ) permit reports every 3-5 years
2) Finance prepares annual CAFR and SEFA which is submitted to the clearinghouse
3) Customer Care prepares annual filings on storm water use survey breaking out how much water was taken in to the system.
4) City of Georgetown has an exemption from complying and filing necessary reports mandated by Senate Bill 898 (reducing energy consumption in City owned facilities) & administered via the State Energy Conservation Offices (SECO) because of the 100% renewable designation.
5) Customer Care is required by TCEQ to report water quality testing results to customers on an annual basis. Deadline for customer communications is 7/1. GUS must certify with TCEQ by 5/1 that we provided water quality testing results to water purveyors that obtain wholesale water from GUS.
6) Energy Services relies on outsource provider Snyder Engineering for all regulatory filings
7) Utility services is subject to an annual requirement with the ERCOT to validate that a risk management plan is in place
8) Airport has a significant amount of regulatory filings ranging from EPA, TCEQ, Stormwater, Airplane inventory, and Property Taxes through MCAT. Uses Microsoft Outlook as reminders
9) Fire Dept. has numerous state health services filings regarding training, certifications, incidents, fatalities, etc.
Future State Mitigating Activities:
1) There is a significant amount of regulatory filings across the City. Management should consider compiling a consolidated Regulatory Compliance Landscape (RCL) ledger to have one list of all requirements outlining the filing dates. Further, Management should store this on a shared drive and assign all filings to an owner who is required to indicate when the filing is complete. Someone should be responsible for checking for missed filings
Management Response:
Management is evaluating a contracts management system to track and comply with contractual and regulatory requirements. This may be part of the ERP implementation or a stand-alone system.

Risk 29: Succession Planning
Risk Detail: Leadership talent within the organization is insufficiently developed to provide for orderly succession in the future.
Residual Risk Score: 4.39
Risk Owner: HR Director
Current State Mitigating Activities:
1) No formal succession planning in place.
Per Human Resources, they emphasize internal cross training to grow future leaders from inside the City organization 2) The City is in the process of performing an assessment of retirement eligibility for key personnel 1) The City should consider an outside party to implement a formal Succession Plan 2) Consider a mentor shadowing program to protect the City against unplanned terminations or leaves of absences 1) City initiated first Emerging Leader training program in 2018 with 20 graduates. Anticipate annual opportunity to grow employees at various levels each year 2) Supervisory Series initiated in 2017 and successfully completed by 168 supervisors. Additional curriculum to be added this year aimed at growing managerial skillset of all city supervisors 3) The city conducted an employee survey in 2016 and again in 2018. 76% of employees plan to continue working for Georgetown for 5+ years, which is significantly higher than most employers. 30 Budget and Planning Budgets and business plans are not realistic, based on appropriate assumptions, based on cost drivers and performance measures, accepted by key managers, or useful or used as a monitoring tool. 3.24 Finance Director 1) The City uses a robust budget and planning tool across the organization using historical data supplemented with forward looking analytics. Each Department head formalizes their budget and forward to Finance for consolidation 2) Finance utilizes Excel to manually consolidate the budgets and upload into the ERP system 3) Final budgets are presented to City Council for review and approval 4) Quarterly budget to actual reports are presented to City Council 1) Certain departments such as utilities, water, electric, etc. count on supplemental data to prepare their budget (see Data Governance risk #27). 
We recommend management validate and document the completeness and accuracy of assumptions for all budget line items 2) Management should set a clearly defined threshold for all material variances to be explained (e.g. +/-XX% and $YY,YYY) 1) The new ERP system will facilitate a central location of budget development information and reporting 2) Finance Administration’s performance measures include budget to actual variance targets 31 Tax Non-compliance with state or federal tax law. 3.00 Controller 1) Finance maintains schedule of tax payments and receipts to/ from County, State and Federal authorities 1) Consider the creation of a master tax filing schedule and reporting to City Manager The City agrees with this recommendation. 32 State / Federal Regulations Failure to comply with new or existing federal or state regulations. 2.44 Controller 1) Building Inspection Services provided that maintaining state licenses and Continuing Professional Education (CPE) is a challenge 2) State regulations require the Police Department to report all racial profiling and crime data 3) Parks and Recreation indicated that there is a State Health and Safety Code that requires public play equipment comply with the American Society for Testing Materials (ASTM) F1487-07 which provides performance standards for public playgrounds and this is NOT being done on a routine basis 1) Develop a Citywide license and CPE tracking system 2) Develop a process to ensure all City playgrounds comply with ASTM F1487-07. The code does not require a formal inspections process, just that the City complies with the ASTM F1487-07 standard The City will review a tracking system in context of all other technology needs. Employees and supervisors will continue to be responsible for tracking individual and departmental CPE and licensing. Parks Department is working on a schedule to evaluate older parks to replace equipment as needed. Newer parks and equipment is compliant. 
Page 86 of 104 APPENDIX A – RISK TREATMENT ACTION PLANS 33 | Page # Risk Risk Detail Residual Risk Score Risk Owner Current State Mitigating Activities Future State Mitigating Activities Management Response 33 Leadership The people responsible for the important City processes do not or cannot provide the leadership, vision, and support necessary to help employees be effective and successful in their jobs. 2.42 City Manager 1) All departments we interviewed provided the same issue on leadership – there is a strong management base that sets realistic strategic objectives and has an open communication line with each department head 2) Leadership has frequent meetings with department heads to check on status of operations and those concepts are clearly communicated throughout the organization 3) Detail performance evaluations are done at all levels of the City government and each employee is evaluated for job performance 1) The City should consider an upward feedback program to validate lower levels of employees are satisfied with management’s performance 1) A 360 evaluation process was implemented last year for Directors and will be rolled out to mid-level management in the upcoming year. 2) The city has implemented a bi-monthly check- in program where employees have the capability to provide upward feedback to their supervisor. 3) The city conducted an employee survey in 2016 and again in 2018. Employee response rates were 85% and 82% respectively and the city has involved employees in tactical action planning to further improvement engagement and enablement. Page 87 of 104 APPENDIX B Information Technology Executive Summary Appendix B Page 88 of 104 APPENDIX B CYBERSECURITY RISK ASSESSMENT EXECUTIVE SUMMARY Inherent Risk: Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the probability that a threat event will occur and the resulting impact. 
The probability and impact analysis leads to identification of inherent risk (i.e., risk without consideration of controls) to the IT environment. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance.

Factors considered when performing the risk assessment are:
• Probability: What is the likelihood that a threat will occur?
• Impacts: What are the immediate damages if the threat is realized (e.g., disclosure of information, modification of data, disruption of key systems/processes, containment and resolution costs)?
• Identify Information Assets: What should be protected in relation to electronic data, IT applications and IT infrastructure? Our methodology takes into consideration any third parties or vendors that transmit, host, or process your organization's data or IT systems.
• Criticality Analysis: How critical are your information assets? Each technology layer (i.e., data, applications, and infrastructure) has its own unique criticality analysis.
• Threats: Identify the natural and man-made threats that impact the confidentiality, availability, and integrity of your data and information systems.
• Consequences: What are the long-term effects of the threat being realized (e.g., damage to the reputation of your organization, loss of business or revenue, damage to your brand)?
• Controls: What effective security measures (security services and mechanisms) are needed to protect the assets?

In understanding the high risk areas for the IT applications and systems, several key questions arose when addressing the cybersecurity considerations:
• What security controls are needed to satisfy the security requirements and to adequately mitigate the risk incurred by using information and information systems in the execution of organizational missions and business functions?
• Have the security controls been implemented, or is there an implementation plan in place?
• What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?

The answers to these questions are not uniquely answered in isolation but rather in the context of an overall effective risk management process, as suggested by the NIST Cybersecurity Framework. Through the control evaluation process, we isolated areas in which the City of Georgetown can continue to identify, mitigate, and monitor risks associated with cyber threats identified through the threat assessment. Logically, areas of high risk require more extensive controls than low risk areas, and in most cases inherent risks can be controlled by the implementation of adequate countermeasures.

NIST Cybersecurity Framework Maturity Summary
The chart below indicates the City of Georgetown's overall picture of the current state versus its desired/target state in accordance with the Cybersecurity Framework.

Mitigation Plan

3.1 FINDINGS AND RECOMMENDATIONS

3.1.1 Cybersecurity Governance Model
Assigned to: City of Georgetown
Priority: High
Recommendations
Currently, the City's Information Technology department has no succession plan for key roles occupied by experienced staff. In addition, most members of the IT department perform several duties beyond their originally assigned tasks, and roles and responsibilities related to key initiatives such as Risk & Incident Management and Disaster Recovery & Business Continuity are not clearly defined.

According to Information Security Governance Guidance for Boards of Directors and Executive Management, 2nd edition, the five basic outcomes of information security governance include:
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives

At a minimum, we recommend the City implement a governance framework that allows for the proper management of a successful Information Security Program (ISP). An effective ISP involves participation from senior management to set the direction for proper information security practices, adequate staffing (with assigned roles and responsibilities) and compliance with policies. Furthermore, a commitment from management helps to ensure support and funding for security activities requiring financial resources, and that organization-wide risk management programs are developed and implemented effectively.

Source: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Governance-Guidance-for-Boards-of-Directors-and-Executive-Management-2nd-Edition.aspx

3.1.2 Risk Management
Assigned to: City of Georgetown
Priority: High
Recommendations
At the City of Georgetown, it is evident that the IT department has taken measures to implement security practices throughout the IS environment; however, organizational cybersecurity risk management practices are not formalized, risk is managed in an ad hoc/reactive manner, and an organization-wide approach to managing cybersecurity risk has not been established. As a result, security activities or business strategies may not be directly aligned with organizational risk objectives or the current threat landscape.

The City has undertaken an effort through this assessment to evaluate the security controls needed to combat cybersecurity risks, but there is a need for an overall information security risk assessment to identify risks to the organization and threat mitigation strategies. To this effect, we recommend that management adopt a practice of performing a risk assessment periodically. The periodic approach may take either of the following forms: (A) performing a full assessment every other year, due to the intensive resources required to facilitate such an exercise, or (B) a targeted approach done annually. The targeted approach may include: (1) revisiting Plante Moran's deliverables and updating controls where appropriate, (2) re-assessing the City's mitigation plan to update progress and note any further concerns, and/or (3) selecting a few high-priority control areas (e.g. vendor management, or any business objective/goal identified by executive management) and re-assessing associated threats related to those areas.

Irrespective of the approach selected, the process for performing a risk assessment typically includes:
• Identification of information assets (data, applications, infrastructure, and vendors)
• Assigning value to identified assets based on criticality (or dollar value in some cases)
• Evaluation of vulnerabilities and threats

In addition to the above, we also suggest that the City assess the penalties and impact of security breaches. From a regulatory perspective, such liabilities should be considered to ensure that risks to sensitive data are properly assessed and accounted for. Moreover, assessing information security risks throughout the organization provides keen insight into management's risk tolerance for implementing security layers within the organization. The IT risk assessment should be in line with the City's risk management strategies for identifying risks, evaluating existing controls and mitigating controls, understanding residual risk and establishing a risk mitigation plan.

3.1.3 Policies and Procedures
Assigned to: City of Georgetown
Priority: High
Recommendations
Security policies and procedures are key components of an Information Security Program. They reflect the organization's business processes and strategy, thereby enabling management to define the scope of security, what is expected from employees, what must be protected and to what extent, and what the consequences of noncompliance will be. To this effect, in addition to the existing Acceptable Use policy, we recommend management consider an organization-wide Information Security Policy, including key sections such as those listed below:
• Purpose/Scope
• Roles and responsibilities (including those related to regulatory requirements)
• Management commitment and business owner requirements
• Enforcement
• Information Sharing: Define and set requirements for relationships with or connections to information systems of other agencies.

Additional policies that the City should consider adding include:
• Data Classification
• Information Risk Management (IRM)
• User Access Provisioning and Review
• Data Backup and Retention
• Data Destruction/Retention Policy
• Media Handling/Disposal Policy (this can be combined with the existing Computer Disposal Policy)
• Data Protection and Encryption
• Secure Configuration/Hardening
• Physical Security Policy
• Contingency Plan
• Vulnerability Assessment and Remediation
• Incident Response Policy (for breaches, events and other critical incidents)

The ISP should be reviewed periodically (e.g. annually) by senior management and enforced through annual end-user acknowledgement signoffs.

3.1.4 Asset Management: Data Classification
Assigned to: City of Georgetown
Priority: High
Recommendations
The City has identified and catalogued its hardware and software via a tool called Lansweeper. This ties into overall information flow enforcement (NIST SP 800-53 Rev. 4 AC-4), which, when defined and enforced, ensures the confidentiality, integrity, and availability of critical data. The next step is to classify data within the system based on its criticality and/or sensitivity (NIST SP 800-53 Rev. 4 RA-2). Classification of data will also help drive the above-mentioned information flow enforcement and help define the City's security architecture. Most organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards.

Plante Moran recommends the classification of City data to define an appropriate set of protection levels and the communication required for special handling. Classifications and associated protective controls (including encryption for data at rest and data leak prevention tools) should take into account department needs for sharing or restricting information and the associated business impacts if such data were compromised. Successful data classification in an organization requires a thorough understanding of where the organization's data assets reside and on what applications/devices they are stored. Handling procedures should include details regarding the secure processing, storage, transmission, declassification, and destruction of data.

3.1.5 Access Management
Assigned to: City of Georgetown
Priority: High
Recommendations
Logical Access: Access provisioning to the system is completed by the practice of mirroring, that is, 'set up as another user within the system'. This practice can potentially lead to excessive access rights being provided to users. In addition, for existing users, additional access is provisioned without a formal review for Segregation of Duties (SoD) conflicts. When users are terminated, access removal from all necessary applications may not be performed in a timely manner due to delayed notification from HR to the IT department. Furthermore, in all of the aforementioned scenarios (access provisioning, modification and termination), it was noted that not all applications have a formal process of provisioning and de-provisioning.

A role-based access scheme should be established to ensure consistent application of user access rights within the system. Users should be assigned their base set of access authorizations based on the concept of "Least Privilege Necessary" to perform their role or job function (as defined within their formal job description). Additional access beyond the previously established role-based access scheme should be formally requested, reviewed for conflicts and approved (NIST SP 800-53 Rev. 4 AC-2). Moreover, management should consider integrating access rights with the data classification efforts identified in the findings within this report (see 3.1.4 above for more details).

Physical Security: The City currently monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. However, CoG does not review physical access logs periodically (e.g. quarterly/annually).

We recommend management take the following actions:
1. Establish a role-based access scheme that takes into account the job responsibilities associated with each role for the City of Georgetown.
2. Establish a process to periodically review user access (including physical access) to ensure accuracy and adherence to existing/changed business processes.
3. Ensure a process is in place to approve additional or special access requests and to de-provision access in a timely manner upon notification from HR.
4. Implement and enforce procedures to identify and document appropriate access requirements for removing, adding or modifying City personnel's access to electronic PHI. The need for and extent of access should be based on an assessment of risk, cost, benefit and feasibility as well as business need, and on permission to view, alter, retrieve and store ePHI.
5. Perform a periodic review of user access to PHI and ePHI (including access to the data center) to verify the list is accurate and to ensure access is still commensurate with job responsibilities.

3.1.6 Contingency Plan
Assigned to: City of Georgetown
Priority: High
Recommendations
In order to ensure that critical operations are available in the event of an interruption or incident, redundancy is built into the datacenter environmental controls at the City and an extensive data backup strategy is in place. However, a formal contingency plan is not in place, and related resources/systems are not catalogued and prioritized. Plante Moran recommends the City conduct and formalize: (1) a Business Impact Analysis (BIA), which identifies and analyzes mission-critical business functions and then quantifies the impact a loss of those functions would have on the City, and (2) an information system contingency plan to mitigate the risk of critical system and service unavailability. The contingency planning process should occur after a formal BIA is conducted, in order to correlate the system with the critical processes and services provided and, based on that information, characterize the consequences of a disruption.
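The periodic access review recommended in finding 3.1.5 above, as an added example (it is not code from the report, the City of Georgetown or Plante Moran). It assumes four inputs a reviewer would normally pull from real systems, all constructed here for illustration: a role baseline (the least-privilege entitlement set per job function), a list of Segregation of Duties conflict pairs, an entitlement export from the application, and an HR termination feed. Role, entitlement and user names are invented.

```python
"""Periodic user-access review against a role-based baseline.

Added example, not part of the Plante Moran report or any City system. All
roles, entitlements, users and dates below are constructed for illustration.
It implements the checks recommended in finding 3.1.5: least-privilege
deviations from the role baseline without an approved exception,
segregation-of-duties (SoD) conflicts, and accounts still active after HR
reported a termination.
"""
from dataclasses import dataclass, field
from datetime import date

# Role baseline: the base set of entitlements each job function needs (assumed).
ROLE_BASELINE = {
    "ap_clerk":      {"erp.view_invoices", "erp.enter_invoice"},
    "ap_supervisor": {"erp.view_invoices", "erp.approve_payment"},
    "helpdesk":      {"ad.reset_password", "ad.view_users"},
}

# Entitlement pairs that one person must never hold together (assumed).
SOD_CONFLICTS = [
    ("erp.enter_invoice", "erp.approve_payment"),
    ("erp.create_vendor", "erp.approve_payment"),
]


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    active: bool
    approved_exceptions: set = field(default_factory=set)  # formally approved extra access


def review_access(accounts, hr_terminations, as_of):
    """Return (user, finding, detail) tuples for a reviewer to work through."""
    findings = []
    for acct in accounts:
        # 1. Terminated per HR on or before the review date, but account still active.
        term = hr_terminations.get(acct.user)
        if term is not None and term <= as_of and acct.active:
            findings.append((acct.user, "TERMINATED_STILL_ACTIVE",
                             f"terminated {term.isoformat()}"))
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            findings.append((acct.user, "UNKNOWN_ROLE", acct.role))
            continue
        # 2. Access beyond the role baseline that has no approved exception.
        extra = acct.entitlements - baseline - acct.approved_exceptions
        for ent in sorted(extra):
            findings.append((acct.user, "UNAPPROVED_EXTRA_ACCESS", ent))
        # 3. SoD conflicts are checked over everything the account holds,
        #    so an approved exception never waives a conflict.
        for a, b in SOD_CONFLICTS:
            if a in acct.entitlements and b in acct.entitlements:
                findings.append((acct.user, "SOD_CONFLICT", f"{a} + {b}"))
    return findings


# Constructed application export and HR feed.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "ap_clerk", {"erp.view_invoices", "erp.enter_invoice"}, True),
    # Mirrored from a supervisor's account: extra access and an SoD conflict.
    Account("asmith", "ap_clerk",
            {"erp.view_invoices", "erp.enter_invoice", "erp.approve_payment"}, True),
    # Extra access was approved, but it still conflicts with approve_payment.
    Account("bjones", "ap_supervisor",
            {"erp.view_invoices", "erp.approve_payment", "erp.create_vendor"}, True,
            approved_exceptions={"erp.create_vendor"}),
    # Terminated per HR but never de-provisioned.
    Account("cwu", "helpdesk", {"ad.reset_password", "ad.view_users"}, True),
]
SAMPLE_TERMINATIONS = {"cwu": date(2018, 10, 31)}


def run_sample():
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS, as_of=date(2018, 11, 13))


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:8} {finding:24} {detail}")
```

On the sample data the review reports asmith's unapproved `erp.approve_payment` and the resulting SoD conflict, bjones's conflict despite the approved exception, and cwu's account still being active after the HR termination date; jdoe, whose access matches the baseline exactly, produces nothing. Replacing the constants with exports from the ERP, Active Directory and the HR system turns this into the periodic review the finding calls for.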
Three steps are typically involved in accomplishing the BIA: • Determine mission/business processes and recovery criticality • Identify resource requirements • Identify recovery priorities for system resources The information system contingency plan should consider three phases: (1) Activation and Notification Phase which outlines activation criteria and notification procedures, (2) Recovery Phase which outlines recovery activities, escalation, and notification, and (3) Reconstitution Phase which allows validating successful recovery and deactivation of the plan through activities such as validation testing, notifications, and event documentation. The contingency planning process should also include the following elements: • Roles and responsibilities • Scope as applies to common platform types and organization functions (i.e., telecommunications, legal, media relations) • Resource requirements • Training requirements • Exercise and testing schedules • Plan maintenance schedule, and • Minimum frequency of backups and storage of backup media Further, an effective contingency plan should tie into the City’s Incident Response Plan and should consider City’s personnel as information system contingency plans are not executed on their own and an incident will often impact individuals that are crucial to tasks related to information system operations. Personnel safety and evacuation, personnel health, personnel welfare, relationships with response organizations, and communication planning should be considered when developing the contingency plan. Finally, the agreed upon plan should be compatible with the enterprise-wide Business Continuity Plan. Sources: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata- Nov11-2010.pdf Page 97 of 104 APPENDIX B 3.1.7 Incident Response Management Assigned to: City of Georgetown Priority High Recommendations Based on inquiry, it was noted that the City of Georgetown does not have a formal Incident Response Plan. 
Incident management includes a proactive and reactive phase. While reactive measures help to ensure that incidents are properly handled, proactive measures allow incidents to be detected in a timely and controllable manner (See finding 3.1.9). An improved approach will be to implement an Incident Management Program, which is initiated by an Incident Response Policy and include the following key elements: • Provide a roadmap for implementing its incident response capability; • Describes the structure and organization of City of Georgetown’s incident response capability; • Provides a high-level approach for how the incident response capability fits into City of Georgetown as a whole and the overall Family of Companies; • Meets the unique requirements of City of Georgetown’s mission, size, structure, and functions; • Defines reportable incidents as well as ; • Requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channel) • Provides metrics for measuring the incident response capability within the organization; • Defines the resources and management support needed to effectively maintain and mature an incident response capability; and • Is reviewed and approved by senior management We recommend management take the following actions: 1. Develop a more comprehensive plan incorporating the above elements. 2. Integrate City of Georgetown’s Incident Response Plan testing activities with relevant third parties. Page 98 of 104 APPENDIX B 3.1.8 Third Party Cybersecurity Roles & Responsibilities Assigned to: City of Georgetown Priority High Recommendations While the City has identified trusted partners with respect to hardware and hosted applications. 
We noted the following deficiencies related to third party roles and responsibilities: • The contract between City of Georgetown and the service provider does not specifically outline the roles and responsibilities related to Cybersecurity controls handled by each organization. • There is no monitoring of external party use of the system for potential Cybersecurity events. Security roles and responsibilities should be established for all third-party service providers (NIST SP 800-53 Rev. 4 PS-7). Responsibilities are key to ensure that the City of Georgetown and its service providers understand exactly who is responsible for which Cybersecurity controls; this is especially important in a business continuity situation. These roles and responsibilities should be formally documented in a contractual agreement. Service level agreements should be established based on Key Performance Indicators (KPI) where City of Georgetown’s expectations are set for each outsourced responsibility to its third-party service providers. Once established, KPIs should be monitored to ensure third- party service providers adhere to contractual obligations (NIST SP 800-53 Rev. 4 CA-7). Furthermore, adherence to Key Performance Indicators should be used to identify potential issues with vendor service that can be addressed through negotiations or seeking a new vendor. We recommend management take the following actions: 1. Clearly identify the cybersecurity responsibilities to be outlined in the contract with the service provider including roles for identification, response, and recovery procedures. 2. Establish Key performance indicators for third-party responsibilities including number of events, data breaches, number of notifications. 3. Continuously monitor established key performance indicators. 
Page 99 of 104 APPENDIX B

3.1.9 Critical Security Event Identification
Assigned to: City of Georgetown
Priority: Medium

Recommendations
We noted a variety of log generation methods are in place for the system. These logs can be used to identify everything from system health to potential security violations. Presently, there is not a comprehensive catalog of security-related event types being identified and reviewed within the logs by security professionals.

To establish an effective event logging and monitoring program, the City of Georgetown will need to first identify high-risk events that can be alerted on from current logging capabilities (NIST SP 800-53 Rev. 4 AU-6). Potential high-risk events can be discerned through the risk assessment process (NIST SP 800-53 Rev. 4 RA-3), penetration testing, and best practice documentation. Some common threat events include:
• Multiple failed login attempts
• Elevations in access privileges
• Changes to application code
• Changes to security settings
• Process-specific actions

For higher-risk events, such as devices that connect to the network without authorization, the organization may consider alert generation techniques, while less risky events may simply be reviewed on a periodic basis. Identified events should be responded to in accordance with the organization's Incident Response Plan (NIST SP 800-53 Rev. 4 IR-4, IR-5).

Once event detection processes are implemented, a process to test those detection processes should be established. Security assessments by internal or external independent parties can be an effective way to ensure logging and monitoring processes are effective (NIST SP 800-53 Rev. 4 CA-2). Management should seek continuous improvement opportunities for the event logging and monitoring program based on the results of security assessments.

We recommend management take the following actions:
1. Identify the system events that may indicate a potential security event.
2. Define monitoring techniques commensurate with the associated risk.
3. Establish formal policies and procedures related to the defined monitoring activities.
4. Periodically test the effectiveness of event logging and monitoring processes.

3.1.10 Security Awareness, Training and Education
Assigned to: City of Georgetown
Priority: Medium

Recommendations
The City has implemented an acceptable use policy, amongst other policies, around the proper use of computers and access to digital information. However, to ensure compliance, there is a need to assess employees' understanding of policies and response to cybersecurity threats via periodic awareness and training. End users are the first line of defense against a variety of social engineering threats and must be relied upon to select strong passwords, perform secure day-to-day operations, and use equipment appropriately. By not providing formal training to all employees, the risk is increased that employees may not follow appropriate security procedures.

We recommend that formal IT security awareness training be provided to all employees on a periodic basis. Employees should be educated on the organization's information security policies upon hire, periodically (at least annually), and as major changes occur. In addition, employees should be required to formally acknowledge that they have read and understand the security topics discussed, and that they understand the ramifications of noncompliance. Management should consider allocating resources for security awareness activities (including other items, e.g. banners and posters), and enforce employee participation/attendance within the organization.

3.1.11 Unauthorized Mobile Code Detection
Assigned to: City of Georgetown
Priority: Low

Recommendations
Mobile code is defined as any program, application, or content that is capable of being embedded and transferred (via email, document, website, etc.).
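The event catalog and risk-tiered handling described in 3.1.9 above (alerts for higher-risk events, periodic review for the rest), as an added example that is not part of the City's report or any City system; the event names, log format, failed-login threshold and sample log lines are all assumptions:

```python
# Added example, not from the City of Georgetown report: the 3.1.9 event
# catalog with risk tiers, run over constructed log lines (all assumed).
import re
from datetime import datetime, timedelta

# Threat events named in 3.1.9, mapped to a handling tier: "alert" for
# higher-risk events, "review" for periodic review of less risky ones.
CATALOG = {"FAILED_LOGIN": "review", "PRIV_ELEVATION": "alert",
           "CODE_CHANGE": "review", "SECURITY_SETTING": "alert",
           "UNAUTH_DEVICE": "alert"}
FAILED_LOGIN_THRESHOLD = 3          # assumed: 3 failures within WINDOW
WINDOW = timedelta(minutes=5)
# Constructed log format: "<ISO timestamp> <EVENT> user=<name> <extra>"
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+)")

def classify(lines):
    """Return (alerts, review_queue) as lists of (event, user, timestamp)."""
    alerts, review, failures = [], [], {}   # failures: user -> recent times
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) not in CATALOG:
            continue                    # not a catalogued event line
        ts, event, user = m.groups()
        when = datetime.fromisoformat(ts)
        if event == "FAILED_LOGIN":
            # Sliding window; a burst at the threshold becomes an alert.
            recent = [t for t in failures.get(user, []) if when - t <= WINDOW]
            recent.append(when)
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("FAILED_LOGIN_BURST", user, ts))
                recent = []             # one burst raises one alert
            else:
                review.append((event, user, ts))
            failures[user] = recent
        elif CATALOG[event] == "alert":
            alerts.append((event, user, ts))
        else:
            review.append((event, user, ts))
    return alerts, review

SAMPLE_LOG = [  # constructed sample lines, not real City logs
    "2018-11-13T09:00:00 FAILED_LOGIN user=jdoe src=10.0.0.5",
    "2018-11-13T09:00:20 FAILED_LOGIN user=jdoe src=10.0.0.5",
    "2018-11-13T09:00:45 FAILED_LOGIN user=jdoe src=10.0.0.5",
    "2018-11-13T09:02:00 PRIV_ELEVATION user=jdoe role=admin",
    "2018-11-13T09:30:00 CODE_CHANGE user=deploy app=billing",
    "2018-11-13T09:31:00 SECURITY_SETTING user=admin setting=mfa",
    "2018-11-13T09:45:00 UNAUTH_DEVICE user=- switch_port=7",
    "2018-11-13T10:00:00 INFO user=svc health=ok",
]
```

Calling `classify(SAMPLE_LOG)` routes the three rapid failed logins, the privilege elevation, the security-setting change and the unauthorized device to the alert list, and leaves the code change and the first two failed logins for periodic review; the INFO line is ignored because it is not in the catalog.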
Examples of mobile code include JavaScript, ActiveX, PDF, VBScript, etc.

Avenues
There are currently multiple avenues for mobile code to be introduced into the information systems supporting the system. Mobile code may be introduced from USB (the current USB restriction only prevents data being copied to a USB device), through email, and through downloads from websites.

The City should identify the types of mobile code that are approved for use within the information system and educate users on the proper use of related technologies. Likewise, organizations should define which types of mobile code are not approved for use within the information system. Processes should be defined to identify unauthorized mobile code deployed within the environment. These processes could include configuration management controls, vulnerability scanning, etc. (NIST SP 800-53 Rev. 4 SC-18). The City of Georgetown does have controls in place to mitigate the risk of malicious mobile code: antivirus controls, and limiting user access to administrator functions based on the concept of least privilege.

We recommend management take the following actions:
1. Define acceptable and unacceptable mobile code and mobile code technologies.
2. Deploy a process to monitor for the presence of mobile code.
3. Integrate mobile code detection processes into the Incident Response Plan.

City of Georgetown, Texas
City Council Workshop
November 13, 2018

SUBJECT:
Sec. 551.071: Consultation with Attorney
Advice from attorney about pending or contemplated litigation and other matters on which the attorney has a duty to advise the City Council, including agenda items

Sec. 551.072: Deliberations of Real Property
- Wastewater Easement, Berry Creek Country Club - Berry Creek Interceptor -- Travis Baird, Real Estate Services Coordinator
- Sale of Property at 101 E. 7th Street

Sec. 551.074: Personnel Matters
City Manager, City Attorney, City Secretary and Municipal Judge: Consideration of the appointment, employment, evaluation, reassignment, duties, discipline, or dismissal

Sec. 551.86: Certain Public Power Utilities: Competitive Matters
- Quarterly Financial FY18 Q4 Electric Updates - Chris Foster, Resource Management and Integration Manager

Sec. 551.087: Deliberation Regarding Economic Development Negotiations
- Downtown Utility Upgrades
- Project Legacy

ITEM SUMMARY:
FINANCIAL IMPACT: NA
SUBMITTED BY: