Item Coversheet
 STAFF REPORT
For Meeting of September 23, 2019
MAYOR AND MEMBERS OF THE CITY COUNCIL
Agenda Item # 7.A.

TITLE:  Approval of City of Hermiston Cybersecurity Policy 
Subject

A discussion of the need for and development of a policy regarding cybersecurity for the City of Hermiston.

Summary and Background

A cybersecurity policy identifies the rules and procedures that all individuals accessing and using the City of Hermiston’s Information Technology (IT) assets and resources must follow. So why the need to have IT Security Policies? The goal of these network security policies is to address security threats and implement strategies to mitigate IT security vulnerabilities, as well as to define how to recover when a network intrusion occurs. Furthermore, the policies provide guidelines to city employees on what to do and what not to do. They also define who gets access to what, and what the consequences are for not following the rules.

Regardless of size, it is important for the City of Hermiston to have documented IT Security Policies to help protect the city’s data and other valuable “hard” assets. Such policies are a requirement for organizations that must comply with various regulations such as PCI, HIPAA, etc. The key factor is to have “documented” security policies that clearly define the City of Hermiston’s position on security. This will be of critical importance in the event of a data breach and/or litigation discovery.

In the middle of August this year, 22 municipalities in Texas were infiltrated by hackers demanding a ransom. The cities affected were predominantly rural cities much like Hermiston, including the City of Keene, Texas (6,100 residents) and the City of Borger, Texas (13,250 residents). Lake City, Florida (12,000 residents), another small rural community, paid $450,000 in bitcoin to have its systems unlocked.

A policy will NOT PREVENT a cyberattack, but it will provide clear guidance on what to do in the event of any kind of breach/cyberattack in order to minimize the operational impact of such an event, as well as allow for the cost of recovery to be insured through CIS (up to stated amounts).



Tie-In to Council Goals:

NA

Fiscal Information

NA

Alternatives and Recommendation
Alternatives

1. Approve/accept the proposed City of Hermiston Cybersecurity Policy as presented.

2. Do not approve/accept the proposed City of Hermiston Cybersecurity Policy.

3. Direct staff to amend/revise the City of Hermiston Cybersecurity Policy.



Recommendation

Recommend approval of the City of Hermiston Cybersecurity Policy.

Requested Action/Motion

Request a motion to approve/accept the City of Hermiston Cybersecurity Policy as presented.

Submitted By:  Mark Krawczyk
ATTACHMENTS:
Description: City of Hermiston Cybersecurity Policy
Type: Cover Memo