2017_01_18 Town Board Meeting Packet
Town of Mamaroneck Town Board Agenda
Wednesday, January 18, 2017
VFW Building - 1288 Boston Post Road

THE TOWN BOARD WILL CONVENE AT 5:00PM at the VFW Building to discuss:
1. Town of Mamaroneck Cyber Security Policy
2. Review - Boards and Commissions
3. Review - Goals and Objectives - 2016/2017
4. Update on Procedures for Property Sale
5. Energy Cost Impact - New York State Nuclear Plants
6. New Business

8:00pm CALL TO ORDER
SUPERVISOR'S REPORT
CITIZEN COMMENTS
PUBLIC HEARINGS
a) Outlawing Firearms on or in Town Owned or Town Leased Property or Buildings
b) Creation of an Accessible Parking Space on Copley Road
c) Restriction on Parking on Thompsons Street and a section of Laurel Avenue
BOARD OF FIRE COMMISSIONERS
1. Fire Claims
2. Fire Department Business
AFFAIRS OF THE TOWN OF MAMARONECK
1. Appointments - Boards and Commissions
2. Designation - Information Security Officer
3. Report of Bids - Contract TA13-16 Furnishing Police Uniforms
4. Retirement Reporting - Deputy Town Clerk
5. Salary Authorizations - Part Time and Seasonal Employees
6. Declaration of Surplus Equipment
7. Consideration of Certiorari
APPROVAL OF MINUTES
REPORTS OF THE COUNCIL
TOWN CLERK'S REPORT
NEXT REGULARLY SCHEDULED MEETING - Wednesday, February 1, 2017; Wednesday, February 15, 2017

Any physically handicapped person needing special assistance in order to attend the meeting should contact the Town Administrator's office at 381-7810

TOWN BOARD MEETING - WORKSESSION AGENDA
WEDNESDAY, JANUARY 18, 2017
5:00PM
VFW BUILDING - 1288 BOSTON POST ROAD
1. Town Cyber Security Policy (See Attachment)
2. Review - Boards and Commissions (See Attachment)
3. Review - Goals and Objectives 2016-2017 (No Attachment material will be provided to the Town Board electronically)
4. Update on Procedures for Property Sales (No Attachment)
5. Discussion - Local Energy Cost Impact - New York State Nuclear Electric Plants (No Attachment)
6. New Business

FOUNDED 1661
TOWN OF MAMARONECK, NEW YORK
SECURITY POLICY
Adopted XX XX, 2017

Table of Contents
Introduction
Definitions
Data Classification
Policy Areas:
Acceptable Use
Account Management
Administrative and Special Access
Asset Management
Back Up
Court Information Resources
Credit Card Processing
Email
Fire District Information Technology and Resources
Information Management and Security
Incident Management
Internet
Intrusion Detection and Network Access
Maintenance Windows
Network Configuration
Password
Physical Access
Portable Computing
Privacy
Public Access Wi-Fi
Public Access Workstation
Secure Use of Social Media
Security Monitoring
Security Policy Standards
Security Training
Server Hardening
Software Licensing
Support Hours
System Development
Vendor Access
Virus Protection
Town of Mamaroneck Public Access Wi-Fi Terms of Service Policy
Town of Mamaroneck Information and Security Notification Breach Policy
Violation Notice
References
Acknowledgement
Appendix "A" - Server and Facility Information Access Form
Appendix "B" - Periodic Operational Security Procedures

INTRODUCTION
The Town of Mamaroneck is a medium-sized local government with 8 remote sites and over 150 users, 140 workstations, 52 software applications, 17 servers and a complex network environment. This Security Policy is a mechanism used to establish the limits and expectations for the users of the Town of Mamaroneck, New York computer network and provides the baseline for implementing security controls to reduce both vulnerabilities and risk. Internal users should have no expectation of privacy with respect to Information Technology. The purpose of the Town of Mamaroneck, New York Security Policy is to clearly communicate the Town's information security expectations to Town employees, Officials and consultants who use Town equipment and access the Town network.
This Policy applies equally to all individuals who use any Town of Mamaroneck, New York Information Resources (IR). Electronic files created, sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of the Town of Mamaroneck are the property of the Town of Mamaroneck.

This Security Policy is supported by the following Security Policy Standards:
1) IT Security controls must not be bypassed or disabled.
2) Security awareness of personnel must be continually emphasized, reinforced, updated and validated.
3) All personnel are responsible for managing their use of IR and are accountable for their actions relating to IT security.
4) Passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), and other computer systems security procedures and devices shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the Town Administrator and/or Information Security Officer.
5) Access to, change to, and use of IR must be strictly secured. Information access authority for each user must be reviewed on a regular basis, as well as at each job status change such as a transfer, promotion, demotion, or termination of service.
6) The use of IT must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to, email, web browsing and other electronic discussion tools. The use of these electronic communications tools may be monitored to fulfill compliance or investigative requirements.
7) Departments responsible for the custody and operation of computers shall be responsible for proper authorization of IR utilization, the establishment of effective use, and reporting of performance issues to the IT Department.
8) Any data used in an IR system must be kept confidential and secure by the user.
The fact that the data may be stored electronically does not change the requirement to keep the information confidential and secure. Rather, the type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore, if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted, the data must still be protected as confidential and secured according to the New York State Archives directives.
9) Personnel are also equally responsible for reporting any suspected or confirmed violations of this policy to the Town Administrator and/or IT Director.
10) On termination of the relationship with the Town, users must surrender all property and IR managed by the Town. All security policies for IR apply to and remain in force in the event of a terminated relationship until such surrender is made. Further, this policy survives the terminated relationship.
11) The owner must communicate to the IT Director, the intent to acquire any computer hardware or to purchase or computer software. The costs of acquisitions, development and operation of computer hardware and applications must be part of the IT Department budget adopted by the Town Board and authorized by the Town Administrator.
12) The department which requests and authorizes a computer application must take the appropriate steps to ensure the integrity and security of all programs and data files created by or acquired for computer applications. To ensure a proper segregation of duties, Administrative responsibilities cannot be delegated to the users.
13) The Town network is owned by the Town of Mamaroneck and controlled by the IT Department.
14) Approval must be obtained from the IT Department before connecting a device that does not comply with published guidelines to the network.
15) The IT Department reserves the right to remove any network device that does not comply with standards or is not considered to be adequately secure.
16) The sale or release of computer programs or data, including email lists and departmental telephone directories, to other persons or organizations must comply with all Town legal and fiscal policies and procedures.
17) The integrity of general use software, utilities, operating systems, networks, and respective data files is the responsibility of the IT Department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the data.
18) All changes to IR systems, networks, programs or data must be approved by the IT Department to preserve its integrity.
19) Individual departments must provide adequate access controls in order to monitor systems to protect data and programs from misuse in accordance with the reporting of any suspected or confirmed violations of this policy to the appropriate management.
20) All departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data for which they are responsible, and ensure through the use of monitoring systems that the Town is protected from damage, monetary or otherwise. The IT Department must have appropriate backup and contingency plans for disaster recovery and business continuity based on risk assessment and Town business requirements.
21) All computer systems contracts, leases, licenses, consulting arrangements or other agreements must be authorized by the IT Director and signed by the Town Administrator. These arrangements must contain terms approved as to form by the Town's Legal counsel, advising vendors of Town's IR retained proprietary rights and acquired rights with respect to its information systems, programs, and data requirements for computer systems security, including data maintenance and return.
22) IR computer systems and/or associated equipment used for Town business that is conducted and managed outside of Town control must meet Security Policy requirements and be subject to monitoring.
23) External access to and from IR must meet appropriate published Town security guidelines.
24) All commercial software used on computer systems must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. Personnel must abide by all license agreements and must not illegally copy licensed software. The IT Department reserves the right to remove any unlicensed software from any computer system.

Definitions:
Abuse of Privilege: When a user willfully performs an action prohibited by organizational policy or law, even if technical controls are insufficient to prevent the user from performing the action.
Application Software: A program or group of programs designed for end users. Application software can be divided into two general classes: systems software and applications software. Systems software consists of low-level programs that interact with the computer at a very basic level. This includes operating systems, compilers, and utilities for managing computer resources.
Applied Computer Systems: Both hardware and software, and often including networking and telecommunications, usually in the context of a business or other enterprise. Often this is the name of the part of an enterprise that deals with all things electronic.
Backup: Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash.
Bare Metal Backups: A bare metal backup is a type of backup process that backs up the full software configuration from a specific system in addition to the data that is stored within software applications.
Grandfather-Father-Son Backup: A Grandfather-father-son backup refers to a common rotation scheme for backup media.
In this scheme there are three backup cycles: daily, weekly and monthly. The daily backups are rotated on a daily basis using a FIFO system. The weekly backups are similarly rotated on a weekly basis, and the monthly backup on a monthly basis. In addition, annual backups are also separately retained.
Custodian: Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. For mainframe applications, the IT Department is the custodian; for micro and mini applications, the owner or user may retain custodial responsibilities.
Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.
Electronic mail (email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
E-mail: Abbreviation for electronic mail, which consists of messages sent over any electronic media by a communications application.
Information: Any and all data, regardless of form, that is created, contained in, or processed by, Information Resources facilities, communications networks, or storage media.
Information Management (IM): The manipulation, re-organization, analysis, graphing, charting, and presentation of data for specific management and decision-making purposes.
Information Resource (IR): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Information Technology (IT): Includes all matters concerned with the furtherance of computer science and technology and with the design, development, installation, and implementation of information systems and applications.
IT Asset: Any Town-owned information, system or hardware that is used in the course of business activities.
IT Director: Responsible to the Town Administrator for administering the information security functions within the Town. The IT Director is the Town's internal and external point of contact for all information security matters.
Information Security Officer (ISO): Separate from the position of IT Director, the ISO is responsible for the health and security of all Town information collected and stored in electronic format. The ISO and Town Administrator are the Town's internal and external point of contact for all information security matters.
Internet: A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.
The Internet is the present "information superhighway."
Intranet: A private network for communications and sharing of information that, like the Internet, is based on TCP/IP, but is accessible only to authorized users within an organization. An organization's intranet is usually protected from external access by a firewall.
Lights Out Server Room: A room that contains a number of servers under lock and key and kept in the dark that under normal operation is not entered by human administrators, and all operations in the room are automated. The computers in a lights out server room typically are controlled by the use of KVM switches to help ensure the security of the locked room.
Local Area Network (LAN): A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.
Malware: An abbreviated term meaning "malicious software." This is software that is specifically designed to gain access or damage a computer without the knowledge of the owner. There are various types of malware including spyware, keyloggers, true viruses, worms, or any type of malicious code that infiltrates a computer. Generally, software is considered malware based on the intent of the creator rather than its actual features.
NAS: Networked Area Storage Device usually used to house onsite data backups.
Offsite Storage: Based on data criticality, offsite storage should be in a geographically different location from the Town Hall that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location at Town Hall may be appropriate.
Owner: The manager or agent responsible for the function which is supported by the resource, the individual upon whom responsibility rests for carrying out the program that uses the resources.
The owner is responsible for establishing the controls that provide the security. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments.
Password: A string of characters which serves as authentication of a person's identity, which may be used to grant, or deny, access to private or shared data.
PCI DSS: Payment Card Industry - Data Security Standard is a global data security standard that governs any business, including local governments, that accepts credit cards and stores, processes and/or transmits credit card data.
Periodic Operational Security Procedure Form: A form completed by the IT Department at specific intervals to document the monitoring and review of logs, policies and procedures.
Portable Computing Devices: Any easily portable device that is capable of receiving and/or transmitting data to and from IR. These include, but are not limited to, notebook computers, handheld computers, PDAs, pagers, and cell/smart phones.
Ransomware: Malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key. Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm.
Security Incident: In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent.
Server: A computer program that provides services to other computer programs in the same or another computer. A computer running a server program is frequently referred to as a server though it may also be running other client (and server) programs.
Server Information and Facility Information Access Form: A form completed by Human Resources and Department Heads that dictates the access and security level of employees specific to each department. The access controls on the form are set up by IT staff.
Social Media Sites: Web-based publishing and communications technologies, such as all Town websites, Facebook sites and Twitter feeds. They are called "social" because they are designed for creating dynamic human networks and exchanging user-generated text and rich media, such as audio and video. They are among the most widely used technologies on the Internet.
Strong Passwords: A strong password is a password that is not easily guessed. It is normally constructed of a sequence of characters, numbers, and special characters, depending on the capabilities of the operating system. Typically the longer the password the stronger it is. It should never be a name, dictionary word in any language, an acronym, a proper name, a number, or be linked to any personal information about you such as a birth date, social security number, and so on.
System Development Life Cycle (SDLC): A set of procedures to guide the development of production application software and data items. A typical SDLC includes design, development, maintenance, quality assurance and acceptance testing.
Town Calendar: Lists all approved meetings and events and is maintained by the Town Clerk.
Trojan horse: Destructive programs, usually viruses or worms, that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program.
Victims may receive a Trojan horse program by e-mail or on a diskette, often from another unknowing victim, or may be urged to download a file from a Web site or bulletin board.
User: An individual or automated application or process that is authorized access to the resource by the owner, in accordance with the owner's procedures and rules.
Vendor: Someone who exchanges goods or services for money.
Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allow users to generate macros.
Webserver: A computer that delivers (serves up) web pages.
Web page: A document on the World Wide Web. Every Web page is identified by a unique URL (Uniform Resource Locator).
Website: A location on the World Wide Web, accessed by typing its address (URL) into a Web browser. A Web site always includes a home page and may contain additional documents or pages.
Wide Area Network (WAN): A wide area network (WAN) is a network that exists over a large-scale geographical area. A WAN connects different smaller networks, including local area networks (LAN).
World Wide Web: A system of Internet hosts that supports documents formatted in HTML (Hypertext Markup Language) which contains links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Netscape Navigator and Microsoft Internet Explorer.
Worm: A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network using otherwise unused resources on networked machines to perform distributed computation.
Some worms are security threats, using networks to spread themselves against the wishes of the system owners, and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.

Data Classification:
Data Classification provides a framework for managing data assets based on value and associated risks and for applying the appropriate levels of protection as required by New York State and federal law as well as proprietary, ethical, operational, and privacy considerations. All Town data, whether electronic or printed, should be classified as per the Town Records Management law and New York State Records Management and Retention Schedule MU1. Data collected and stored by various departments may fall under HIPAA, NYS OCA Criminal Records and NYS OCA Administrative Records, etc. Consistent use of data classification reinforces with users the expected level of protection of Town data assets in accordance with Town of Mamaroneck Security and Computer Use Policies.

Purpose: The purpose of Data Classification is to provide a foundation for the development and implementation of necessary security controls to protect information according to its value and/or risk. Security standards, which define these security controls and requirements, may include: document marking/labeling, release procedures, privacy, transmission requirements, printing protection, computer display protections, storage requirements, destruction methods, physical security requirements, access controls, backup requirements, transport procedures, encryption requirements, and incident reporting procedures. Data Classification practices apply equally to all individuals who use or handle any Town Information Resource.
Data shall be classified as follows:

SENSITIVE: This classification applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness. Sensitive information might include organization financial transactions and regulatory actions such as data that may be subject to disclosure or release under the New York Freedom of Information Act, but requires additional levels of protection.
Examples of "Town-Sensitive" data may include but are not limited to:
• Town operational information
• Town personnel records
• Town information security procedures
• Town internal communications

CONFIDENTIAL: This classification applies to the most sensitive business information that is intended strictly for use within the organization. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations. Its unauthorized disclosure could seriously and adversely impact the Town and/or its residents. For example, Birth and Death Certificates and related information should be considered at least CONFIDENTIAL.
Examples of "Confidential" data may include but are not limited to:
• Personally Identifiable Information, such as: a name in combination with Social Security Number (SSN) and/or financial account numbers
• Intellectual Property, such as: Copyrights, Patents and Trade Secrets

PRIVATE: This classification applies to personal information that is intended for use within the Town of Mamaroneck offices. Its unauthorized disclosure could seriously and adversely impact the Town and/or its employees.

PUBLIC: This classification applies to all other information that does not clearly fit into any of the above three classifications.
While its unauthorized disclosure is against policy, it is not expected to impact seriously or adversely the Town, its employees, and/or its residents.

POLICY AREAS:

Acceptable Use:
Under the provisions of the New York State Cyber Security Policy P03-002, Information Resources are strategic assets of Government Agencies including Local Governments that must be managed as valuable resources. Thus this policy is established to achieve the following:
• To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.
• To establish prudent and acceptable practices regarding the use of information resources.
• To educate individuals who may use information resources with respect to their responsibilities associated with such use.

This policy area applies equally to all individuals granted access privileges to any Town Information Resources. The purpose of this policy is to outline the acceptable use of computer equipment at the Town of Mamaroneck municipal offices and facilities. These rules are in place to protect the employees and the Town of Mamaroneck. Inappropriate use exposes the Town to risks including virus attacks, compromise of network systems and services, and legal issues.

Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of the IT Department are the property of the Town of Mamaroneck. Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of the Town are not private and may be accessed by the IT Department at any time without knowledge of the Information Resources user or owner. Electronic file content may be accessed by appropriate personnel for maintenance purposes and with the authorization of the IT Director or Town Administrator in the event of security related matters.
• Users must report any weaknesses in Town computer security, any incidents of possible misuse or violation of this agreement to the proper authorities by contacting the IT Department.
• Users must not attempt to access any data or programs contained on Town systems for which they do not have authorization or explicit consent.
• Users must not divulge Dial-up or Dial-back modem phone numbers to anyone.
• Users must not share their Town account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes.
• Users must not make unauthorized copies of copyrighted software.
• Users must not use non-standard shareware or freeware software without IT Department approval.
• Users must not purposely engage in activity that may: harass, threaten or abuse others; degrade the performance of Information Resources; deprive an authorized Town user access to a Town resource; obtain extra resources beyond those allocated; or circumvent Town computer security measures.
• Users must not download, install or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, Town users must not run password cracking programs, packet sniffers, port scanners or any other non-approved programs on Town Information Resources.
• Town Information Resources must not be used for personal benefit.
• Users must not intentionally access, create, store or transmit material which the Town may deem to be offensive, indecent or obscene.
• Access to the Internet from a Town owned, home based, computer must adhere to all the same policies that apply to use from within Town facilities. Employees must not allow family members or other non-employees to access Town computer systems.
• Users must not otherwise engage in acts against the aims and purposes of the Town as specified in its governing documents or in rules, regulations and procedures adopted from time to time.
• As a convenience to the Town user community, incidental use of Information Resources is permitted. The following restrictions apply:
❖ Incidental personal use of electronic mail, Internet access, fax machines, printers, copiers, and so on, is restricted to Town approved users; it does not extend to family members or other acquaintances.
❖ Incidental use must not result in direct costs to the Town.
❖ Incidental use must not interfere with the normal performance of an employee's work duties.
❖ No files or documents may be sent or received that may cause legal action against, or embarrassment to the Town.
❖ Storage of personal email messages, voice messages, files and documents within the Town's Information Resources must be nominal.
❖ All messages, files and documents - including personal messages, files and documents - located on Town Information Resources are owned by the Town, may be subject to open records requests, and may be accessed in accordance with this policy.

Account Management:
Computer accounts are the means used to grant access to the Town's Information Technology. These accounts provide a means of providing accountability, a key to any computer security program for IT usage. This means that creating, controlling, and monitoring all computer accounts is extremely important to an overall security program.

The purpose of this policy area is to establish the rules for the creation, monitoring, control and removal of user accounts and applies equally to all individuals with authorized access to any Town Information Resource.
• All accounts created must have an associated request and approval that is appropriate for the Town's system or service.
• All users must sign the Town of Mamaroneck Security and Computer Use Policies Acknowledgements before access is given to an account.
• All accounts must be uniquely identifiable using the assigned user name.
• All default passwords for accounts must be constructed in accordance with this Security Policy.
• All accounts must have a password expiration that complies with this Security Policy.
• Accounts of individuals on extended leave (more than 30 days) will be disabled.
• All new user accounts that have not been accessed within 30 days of creation will be disabled.
• IT Department Personnel:
  ❖ Are responsible for removing the accounts of individuals that change roles within the Town or are separated from their relationship with the Town.
  ❖ Must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.
  ❖ Must have a documented process for periodically reviewing existing accounts for validity.
  ❖ Are subject to independent audit review by the Town Administrator.
  ❖ Must provide a list of accounts for the systems they administer when requested by the Town Administrator.
  ❖ Must cooperate with the IT Director and/or Town Administrator when investigating security incidents.

Administrative/Special Access:
Technical support staff and others designated by the Mamaroneck Town Administrator may have special access account privilege requirements compared to typical or everyday users. The fact that these administrative and special access accounts have a higher level of access means that granting, controlling and monitoring these accounts is extremely important to an overall security program.
The purpose of the policy area is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege and applies equally to all individuals that have, or may require, special access privilege to any Town information resources.
• The IT Department must keep a list of user access account privileges for software connected to the Town network;
• All users must sign the Town of Mamaroneck Security and Computer Use Policies Acknowledgement before access is given to an account;
• All users of Administrative/Special access accounts must have account management instructions, documentation, training, and authorization;
• Each individual that uses Administrative/Special access accounts must refrain from abuse of privilege and must only do investigations under the direction of the IT Director and/or Town Administrator;
• Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate with work being performed (i.e., user account vs. network administrator);
• Each account used for administrative/special access must meet this Security Policy;
• The password for a shared administrative/special access account must change when an individual with the password leaves the department or Town or upon a change in the vendor personnel assigned to the Town contract;
• In the case where a system has only one IT Director there must be a password escrow procedure in place so that someone other than the IT Director can gain access to the admin account in an emergency situation;
• When Special Access accounts are needed for Internal or External Audit, software development, software installation, or other defined need, they:
  ❖ must be authorized by the IT Director
  ❖ must be created with a specific expiration date
  ❖ must be removed when work is complete

Asset Management:
Information technology (IT) asset management provides for policies, procedures, and guidelines for lifecycle management of the Town of Mamaroneck's IT assets from standards and acquisition to installations, management and surplus.
The purpose of this policy area is to establish the rules for the creation, monitoring, control and removal of Town IT Assets and applies equally to all individuals with authorized access to any Town Information Resource. The Town uses information technology (IT) to assist Town departments and Boards in conducting official Town business by following the rules set forth below:

Policy Mandates:
• The IT Department is responsible for the management of IT assets and lifecycle processes, including standards, acquisition, management, surplus and long-range planning.
• Consistency in technology allows the development of efficient and cost-effective methods for supporting and managing the technology environment and in planning for upgrades, migrations, staff training and future technology installations. Long-range planning for information technology changes shall include business as well as technical input.
• IT acquired for or on behalf of the Town is owned by the Town of Mamaroneck.
• IT equipment is assigned to the position, not the individual and remains with the position if the individual terminates employment or is transferred to another position. If a position is abolished, IT equipment will be returned to IT Department inventory.
• IT equipment will be used within the Town as long as practicable.
• Employees who violate or otherwise abuse the provisions of this policy may be subject to disciplinary action, up to and including dismissal.

Acquisitions:
• Acquisition of all information technology for the Town is the responsibility of the IT Department as approved in the adopted budget by the Town Board.
• Acquisition of IT shall follow the Purchasing Policy. Purchases, contracts, amendments, and renewals will be processed through the IT Department for approval by the Town Administrator.
• Approvals for acquisition are based on availability of funds as determined by the Comptroller, conformance to IT standards, and solution match for department need.
• All IT acquired for or on behalf of the Town or developed by IT Department employees or contract personnel on behalf of the Town are and shall be deemed Town of Mamaroneck property.

Standards:
• A standard, basic technical infrastructure will be established for the Town. It will be defined and managed by the IT Department and will include the network and the desktop.
• Desktop IT consists of standard hardware and software configurations and images (excluding test computers).
• The IT Department is responsible for:
  o Establishing hardware and software standards for any IT product.
  o Reviewing requests for new, amended, or replacement IT standards. New-to-Town IT will be assessed by IT Department staff for compatibility with and impact on other Town IT components, as appropriate.
  o Using department-wide business and technical needs in determining approval of new, amended or replacement standards.
  o Establishing standard software configurations and desktop images. These standards shall automate business rules where possible (e.g. use of screen saver password protection).
  o New IT policy and standard decisions shall have formal plans for implementation.

Equipment Management:
• The Town of Mamaroneck will control its IT assets to comply with State policies and regulations, as well as applicable licensing and copyright laws.
• The IT Department is responsible for tracking Town-owned software and hardware, including licenses, through an inventory control system. Software inventory records and reports shall be available for audit at any time.

Installations of Software and Hardware:
• The Town shall maintain an IT environment whereby installations and configurations are centrally managed through the IT Department.
• Only Town designated standard software, hardware, or approved exception shall be installed.
• Software, hardware or approved exception must be Town owned or licensed. All software without required licenses will be removed from the desktops/laptops.
• The Town IT Director shall authorize installations of software, hardware, or approved exception.
• Installation of business-related, no cost software (i.e. Adobe Acrobat Reader or browser-required applications) shall be approved through the IT Department. These types of software shall be evaluated through the standards and exception to standards procedures.
• User-supplied software shall not be installed or executed on Town-owned computers. Do not install or connect non-Town hardware to a Town of Mamaroneck network.
• Unauthorized duplication of licensed software is a violation of this policy and a violation of copyright laws.
• All excess IT equipment within the Town shall be the responsibility of the IT Department to reuse or surplus as determined by the IT department. First priority for redeployment requests within the Town shall be by IT Department determination.
• The IT Department shall delete all data and applications, exclusive of the operating system, from all excess IT equipment prior to re-deployment or placing in spare inventory, loans or surplus.
• The IT department shall be responsible for delivery of equipment to the identified re-deployment work site.
• The IT Department shall store spare IT equipment in a designated reserve location for use as needed.

Exceptions:
• The Town Board is responsible for reviewing and approving exceptions to IT policies.
• The Town Administrator may grant exceptions to this policy under extraordinary circumstances. Requests for exceptions must be made in writing to the IT department stating the business need and unique circumstances requiring an exception.
• The Town Administrator and the IT Director will evaluate and determine if the requested exception can be reasonably resolved through technology within the confines of the Town technology environment and the security of the Town network.
• For granted exceptions, the requester must establish with the IT Department a plan for technical support, training, and maintenance. The plan shall be developed prior to purchase or implementation of non-standard technology.
• Exceptions shall be considered provisional and can be superseded any time a Town standard is determined. If a broader need is determined at the time of an exception request, then a Town standard will be established.
• Upon granting an exception regarding access to or connection with the Town local or wide area network, a written agreement between the requester and IT Department must be developed stating the conditions of access, security, technical support and maintenance.

IT Equipment Loans:
• Only spare IT equipment that is no longer under warranty is eligible for loan to Town partners or associates. Loaned IT equipment is allowed in situations where the Town Administrator determines that the loan to a partner or associate will fulfill the Town's mission or goals. Loan of equipment will comply with policies, rules, regulations and laws governing State or Town owned IT equipment.
• Conditions of each loan shall include but are not limited to the following:
  ❖ The IT Department shall delete all data and applications, exclusive of operating system, residing on loan IT equipment.
  ❖ Loan IT equipment shall remain on Town IT asset and inventory records.
  ❖ The IT Department is responsible for completion of a loan agreement with the user.
  ❖ The user of the loan IT equipment shall be responsible for any physical damage or loss, ordinary wear and tear excepted, regardless of fault.
  ❖ The IT Department is not responsible for maintenance or repair of loan IT equipment, including hardware, software or connectivity.

Surplus:
• The IT Department shall delete all data and applications, exclusive of operating system, residing on surplus IT equipment. The IT Department shall process the surplus IT equipment and obtain a certified Town Board Resolution for all equipment surplus.

Back Up:
Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
The purpose of this policy area is to establish the rules for the backup and storage of electronic Town information and applies to all individuals within the Town that are responsible for the installation and support of Information Resources and individuals charged with Information Security.
The IT Department may have existing contracts for offsite backup data storage. These services can be extended to all Town entities upon request.
• The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the Town.
• The Town Information Resources backup and recovery process for each system must be documented and periodically reviewed.
• The vendor(s) providing offsite backup storage for the Town must be cleared to handle the highest level of information stored.
• Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest Town of Mamaroneck sensitivity level of information stored.
• A process must be implemented to verify the success of the Town electronic information backup.
• Backups must be periodically tested to ensure that they are recoverable.
• Contracts held by the offsite backup storage vendor(s) for access to the Town backup media must be reviewed annually or when an authorized individual leaves the Town.
• Procedures between the Town and the offsite backup storage vendor(s) must be reviewed at least annually.
• All Off-site back up contracts must be approved by the New York State Commissioner of Education pursuant to section 185.9 of the Regulations of the Commissioner of Education.
• Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system:
  ❖ System name
  ❖ Creation Date
  ❖ Sensitivity Classification [Based on the New York State Records management MU-1 Schedule]
  ❖ Town of Mamaroneck Contact Information
• The Town must have a backup plan in place that describes the type, method and frequency of backups.
  o Back Up Plan:
    • Physical Data Backups - Onsite
    • GFS System Schema - backed up to Town network area storage devices.
    • Bare Metal Backups - Onsite: One time back up then incremental as software changes on servers. The bare metal drives are to be kept in the safe in the Comptroller's Office.

Court Information Resources:
The Town of Mamaroneck recognizes the unique circumstances that separate Mamaroneck Court Information Resources from Town Information Resources. This policy area is established to ensure compliance with both Town and New York State Unified Court Information Resources.
New York State Unified Court hardware in the form of workstations, laptops, printers, scanners and monitors are used by Mamaroneck Court Judges and personnel and are authorized by this policy to be integrated with the Town Court server and other peripherals owned by the Town of Mamaroneck. Parameters dictating the use and maintenance of Court equipment (both New York State and Town of Mamaroneck owned) are listed below:
• All Mamaroneck Court software not preinstalled on NYS Court computers and used by the Mamaroneck Court must be installed on a dedicated Court server and licensed in the name of the Town of Mamaroneck.
• The Electronic Content Management System (ECMS-Laserfiche) Court volume must be separated from the main Town database and installed on the dedicated Court server.
• All Court personnel user and department documents must be separated from the main Town database and installed on the dedicated Court server.
• Daily back-ups of Court software, ECMS and department documents must be performed for security purposes and immediate file restoration.
• Laptops and other equipment issued to Court officials for remote access must be inventoried, configured and maintained as per this policy, are the property of the Town of Mamaroneck or the NYS Unified Court System and must be submitted to the IT office periodically for Security Policy conformance.

Credit Card Processing — PCI Compliance:
This policy area is established to ensure Payment Card Industry compliance. The purpose of this policy area is to inform local government officials on PCI standards and to establish procedures on how to secure credit card processing in the Town of Mamaroneck.
Local Governments must comply with the PCI Data Security Standard PCI DSS 3.1 and validate compliance. Compliance (securing the credit card process) requires ongoing adherence to the standard and applies to every local government regardless of the transaction volume. Validation confirms local governments, service providers, payment applications and PIN entry devices are compliant with the standard.
The Town of Mamaroneck contracts with third party vendors and accepts credit cards for payments for transactions that are processed through the Building Department, Court Office, Finance Department, Recreation Department and Town Clerk's Office only. Designated as a level 3D SQA validation type, an SAQ Assessment Validation Questionnaire must be performed annually by all local governments accepting credit card payments and reported to the merchant providing the credit card terminal.
In order to comply with PCI Standards and to protect personal information, the following security tasks must be initiated and followed during the course of the year:
❖ All suspected breaches of sensitive information must be reported to the Information Security Officer as per the Information and Security Notification Breach Policy.
❖ Sensitive authorization data must be deleted upon completion of the authorization process.
❖ The card verification code (three or four digit number printed on the front or back of the payment card) is not stored after authorization.
❖ The personal identification number (PIN) is not stored after authorization.
❖ The primary account number (PAN) is masked when displayed on receipt (The first six or last four digits are the maximum numbers to be displayed).
❖ Access to credit card terminals and data to be determined by the Comptroller and Information Security Officer.
❖ Specific payment card processing procedures must be outlined in the Town of Mamaroneck Credit Card policy.
❖ Privileged user IDs to be restricted to least privileges necessary to perform job responsibilities and assigned only to roles that specifically require that privileged access.
❖ Vendor supplied default Admin PIN on terminals must be changed.
❖ All VOIDED transactions must be performed by authorities designated in Town of Mamaroneck Credit Card policy.
❖ All REFUNDED transactions must be performed by authorities designated in Town of Mamaroneck Credit Card policy and initiated with detailed reasons for the cancelation.
❖ All Media is to be physically secured (including but not limited to credit card terminals, paper receipts, paper reports, etc.).
❖ Media must be classified as sensitive data.
❖ All devices that capture payment card data via direct physical interaction with the card are protected against tampering by:
  o Periodic inspection by the Mamaroneck IT Department for tampering or substitution of devices; the inspection must check device serial numbers against inventoried serial numbers.
  o Employees are trained to be aware of suspicious behavior and tampering and to report such activities to the local authorities in conjunction with the Town Information Security Officer.
❖ The credit card terminal's make, model and serial number, as well as location, are to be added to the IT inventory list.

Email:
This policy area is established to ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources. It establishes prudent and acceptable practices regarding the use of email and will educate individuals using email with respect to their responsibilities associated with such use.
The purpose of this policy area is to establish the rules for the use of Town email for the sending, receiving or storing of electronic mail and applies equally to all individuals granted access privileges to any Town information resource with the capacity to send, receive or store electronic mail.
The following activities are prohibited by this policy:
• Sending email that is intimidating or harassing.
• Using email for conducting personal business.
• Using email for purposes of political lobbying or campaigning.
• Violating copyright laws by inappropriately distributing protected works.
• Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role.
• The use of unauthorized e-mail software.
• The following activities are prohibited because they impede the functioning of network communications and the efficient operations of electronic mail systems:
  o Sending or forwarding chain letters
  o Sending unsolicited messages to groups in excess of 35 email addresses outside of the Town domain
  o Sending excessively large messages
  o Sending or forwarding email that is likely to contain computer viruses
• All user activity on Town Information Resource assets is subject to logging and review.
• All sensitive Town material transmitted over external networks must be encrypted.
• Electronic mail users must not give the impression that they are representing, giving opinions or otherwise making statements on behalf of the Town or any department of the Town unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer will be included unless it is clear from the context that the author is not representing the Town. An example of a simple disclaimer is: "the opinions expressed are my own, and not necessarily those of my employer."
• Individuals must not send, forward or receive confidential or sensitive Town information through non-Town email accounts. Examples of non-Town email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, Optonline and email provided by other Internet Service Providers (ISP).
• The Town of Mamaroneck must comply with the Federal Anti-Spam Act of 2003. Town officials and employees with active email addresses must:
  ❖ Refrain from sending same subject email to more than 10 recipients outside of the Town of Mamaroneck domain from their Outlook, Third party application (such as Blackberry Internet Service, iPhone or Android email services) or email server.
  ❖ All mass email communications sent on behalf of the Town must be sent through the Town's email marketing service and/or specific software applications for notification purposes.

Fire District Information Technology and Resources:
The Town of Mamaroneck Fire District is completely separated from the Town of Mamaroneck Domain and network infrastructure. The network and equipment located at the Fire District is owned by the Fire District and managed by the Town of Mamaroneck IT Department. Day to day tier 1-3 Technical support is performed by a Fire District support technician under the supervision of the Town IT Director. This policy area is established to ensure compliance with both Town and New York State Security Policies and the Town of Mamaroneck Computer Use Policy.
Parameters dictating the use and maintenance of Fire District technology are listed below:
• The Mamaroneck Board of Fire Commissioners officially designates the individual responsible for the operations and maintenance of all Town information resources as it relates to their information technology infrastructure. This technician will work closely with the Town IT Director to ensure the security and efficiency of the Fire District network. The Town IT Department will provide the support necessary to assist and maintain all network infrastructure and equipment.
• A master inventory listing of all computer equipment, printers, copiers, workstations, servers, routers, switches, laptops, tablets, email accounts and other peripheral devices must be maintained by the IT Director and updated as changes and replacements are made.
• An inventory listing of all software and their licenses must be maintained by the IT Director and updated as changes and replacements are made.
• Working with the Fire District Support Technician, the Town IT Director is responsible for submitting an annual draft technology budget that identifies software license renewals and server and workstation end of life replacements.
• All equipment and software purchased with Town funds and issued to Fire District staff is the property of the Town of Mamaroneck Fire District and must be purchased by the IT Director. Designated staff must configure and maintain all equipment and software as per this policy, and their records must be submitted to the IT office periodically for Security Policy conformance.
The Town of Mamaroneck recognizes the unique environment with respect to the use of volunteer staff in order to perform its responsibilities. In order to secure Fire District information resources and to comply with this policy, a Public Access network must be created for volunteers using the Fire District network on personal devices.

Information Management and Security:
Functional Responsibilities of Town Information Management are distributed among all Town officials, employees and consultants accessing Town information resources. The purpose of this policy area is to establish responsibilities of those responsible for the health and safety of all Town electronic information.
❖ The Town of Mamaroneck Town Administrator is responsible for:
  o Evaluating and accepting risk on behalf of the Town;
  o Identifying Town security goals and integrating them into relevant processes;
  o Supporting the consistent implementation of information security policies and standards;
  o Supporting security within the Town through clear direction and demonstrated commitment of appropriate resources;
  o Promoting awareness of information security best practices through the regular dissemination of materials provided by the ISO;
  o Implementing the process for determining information classification and categorization, based on industry recommended practices, State directives, and legal and regulatory requirements, to determine the appropriate levels of protection for that information;
  o Determining who, within the Town, will be assigned and serve as information owners while maintaining ultimate responsibility for the confidentiality, integrity, and availability of the data;
  o Participating in the response to security incidents;
  o Complying with notification requirements in the event of a breach of private information;
  o Adhering to specific legal and regulatory requirements related to information security;
  o Communicating requirements of this policy and the associated standards, including the consequences of non-compliance, to the Town workforce and third parties, and addressing adherence in third party agreements.
❖ The ISO is responsible for:
  o Maintaining familiarity with Town business functions and requirements;
  o Maintaining an adequate level of current knowledge and proficiency in information security through annual Continuing Professional Education (CPE) credits directly related to information security;
  o Assessing Town compliance with information security policies and legal and regulatory information security requirements;
  o Evaluating information security risks and assisting the Town in understanding its information security risks and how to appropriately manage those risks;
  o Representing and assuring security architecture considerations are addressed;
  o Advising on security issues related to procurement of products and services;
  o Escalating security concerns that are not being adequately addressed according to the applicable reporting and escalation procedures;
  o Disseminating threat information to appropriate parties;
  o Participating in the response to potential security incidents;
  o Promoting information security awareness.
❖ The IT Director is responsible for:
  o Supporting security by providing clear direction and consideration of security controls in the data processing infrastructure and computing network(s) which support the information owners;
  o Providing resources needed to maintain a level of information security control consistent with this policy;
  o Identifying and implementing all processes, policies and controls relative to security requirements defined by the Town's business processes and this policy;
  o Implementing the proper controls for information owned by the Town based on the Town's classification designations;
  o Providing training to appropriate technical staff on secure operations (e.g., secure coding, secure configuration);
  o Fostering the participation of information security and technical staff in protecting information assets, and in identifying, selecting and implementing appropriate and cost-effective security controls and procedures; and
  o Implementing business continuity and disaster recovery plans.
❖ The Town workforce and consultants are responsible for:
  o Protecting Town information and resources;
  o Abiding by the Town's Computer Use and Security Policies; and
  o Reporting suspected information security incidents or weaknesses to the appropriate manager and ISO.

Incident Management:
The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.
The purpose of this policy area is to establish the rules for the creation, monitoring, control and removal of user accounts and applies equally to all individuals with authorized access to any Town Information Resource.
This section describes the requirements for dealing with computer security incidents. Security incidents include, but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Email, Internet, Acceptable Use Policy areas and apply equally to all individuals that use any Town Information Resources.
• Required by New York State Town Law #899, the Town of Mamaroneck Information and Security Notification Breach Policy was adopted and is followed in conjunction with this policy area in the event of a Cyber Security incident;
• Whenever a security incident, such as a virus, worm, hoax email, discovery of hacking tools, altered data, etc. is suspected or confirmed, the appropriate Incident Management procedures must be followed;
• The Information Security Officer is responsible for notifying the Town Administrator and initiating the appropriate incident management action including restoration as defined in the Incident Management Procedures;
• The Information Security Officer is responsible for determining the physical and electronic evidence to be gathered as part of the Incident Investigation;
• The appropriate technical resources from the IT Department are responsible for monitoring that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized where possible;
• The Information Security Officer will determine if a widespread Town communication is required, the content of the communication, and how best to distribute the communication;
• The appropriate technical resources from the IT Department are responsible for communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability;
• The Information Security Officer is responsible for initiating, completing, and documenting the incident investigation;
• The Information Security Officer is responsible for reporting the incident to the:
  ❖ Town Administrator
  ❖ Town Comptroller
  ❖ Local, state or federal law officials as required by applicable statutes and/or regulations
• The Information Security Officer is responsible for coordinating communications with outside organizations and law enforcement;
• In the case where law enforcement is involved, the Information Security Officer will act as the liaison between law enforcement and the Town.

Internet:
This policy area applies equally to all individuals granted access to any Town Information Resource with the capacity to access the internet, the intranet or both and is established to achieve the following:
• To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.
• To establish prudent and acceptable practices regarding the use of the internet.
• To educate individuals who may use the internet, the intranet or both with respect to their responsibilities associated with such use.
• Software for browsing the Internet is provided to authorized users for business and research use only.
• All software used to access the Internet must be part of the Town's standard software suite or approved by the IT Department. This software must incorporate all vendor provided security patches.
• All files downloaded from the Internet must be scanned for viruses using the approved IT Department distributed software suite and current virus detection software.
• All software used to access the Internet shall be configured to use the firewall http proxy.
• All sites accessed must comply with the Acceptable Use policy area in this document.
• All user activity on Town Information Resources assets is subject to logging and review.
• Content on all Town Web sites must comply with the Acceptable Use policy area in this policy.
• No offensive or harassing material may be made available via Town Web sites.
• Non-business related purchases made over the Internet are prohibited. Business related purchases are subject to Town procurement rules.
• No personal commercial advertising may be made available via Town Web sites.
• Town internet access may not be used for personal gain or non-Town personal solicitations.
• No Town data will be made available via Town Web sites without ensuring that the material is available to only authorized individuals or groups.
• All sensitive Town material transmitted over external networks must be encrypted.
• Electronic files are subject to the same records retention rules that apply to other documents and must be retained in accordance with departmental records retention schedules.

Intrusion Detection and Network Access:

The purpose of this policy area is to establish the rules for the access and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of Town information and apply equally to all individuals with access to any Town Information Resource. The Town Network Access standards apply equally to all individuals with access to any Town Information Resource.

• Users are permitted to use only those network addresses issued to them by the IT Department.
• All remote access (dial in services) to the Town will be either through an approved modem pool or via an Internet Service Provider (ISP).
• Remote users may connect to Town Information Resources only through an ISP and using protocols approved by the Town.
• Users inside the Town firewall may not be connected to the Town network at the same time a modem is being used to connect to an external network.
• Users must not extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point to the Town network without IT Department approval.
• Users must not install network hardware or software that provides network services without IT department approval.
• Non-Town computer systems that require network connectivity must conform to Town Information Security Standards.
• Users must not download, install or run security programs or utilities that reveal weaknesses in the security of a system. For example, Town users must not run password cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the Town network infrastructure.
• Users are not permitted to alter network hardware in any way.

Maintenance Windows:

Servers, workstations, firewalls and operating systems require periodic updates. In addition, when issues present themselves, time is required to troubleshoot issues that may require systems to be rebooted. The Town of Mamaroneck IT Department recognizes departments' need for flexibility to scale their operations based on circumstances within individual departments and strives to provide system uptime for as many hours per day as possible.

Critical security patches on servers and hardware network wide will be performed weekly as necessary within the designated maintenance window. Workstations will be updated every Wednesday and must be left powered on at the end of the business day on Wednesdays. Routine maintenance for updates and optional updates will be performed quarterly. Designated emergency and critical operational servers and applications require higher availability and therefore are maintained separately and coordinated and scheduled in advance with Department Heads.

The purpose of this policy area is to set clear expectations of system availability while allowing for IT infrastructure to be maintained.
NON-EMERGENCY OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW:
Monday - Friday: 9pm - 6am
Saturday and Sunday: 6pm - 6am

NON-EMERGENCY OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE:
President's Day Weekend: Friday, 9pm - Tuesday 6am
Memorial Day Weekend: Friday, 9pm - Tuesday 6am
Labor Day Weekend: Friday, 9pm - Tuesday 6am
Thanksgiving Weekend: Wednesday, 9pm - Monday 6am

EMERGENCY OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW:
Monday - Friday: 9am - 2pm

EMERGENCY OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE:
March 15th: Beginning at 9am
June 15th: Beginning at 9am
September 15th: Beginning at 9am
December 15th: Beginning at 9am

CRITICAL OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW:
Monday - Friday: 9pm - 6am
Saturday and Sunday: 6pm - 6am

CRITICAL OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE:
Second Wednesday of March: Beginning at 5pm
Second Wednesday of June: Beginning at 5pm
Second Wednesday of September: Beginning at 5pm
Second Wednesday of December: Beginning at 5pm

Network Configuration:

The Town network infrastructure is provided as a central utility for all users of Town Information Resources. It is important that the infrastructure, which includes cabling and the associated equipment such as routers and switches, continues to develop with sufficient flexibility to meet user demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services.

The purpose of this policy area is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability, and confidentiality of Town information and apply equally to all individuals with access to any Town Information Resource.
• The Town of Mamaroneck owns and is responsible for the Town network infrastructure and will continue to manage further developments and enhancements to this infrastructure;
• To provide a consistent municipal network infrastructure capable of exploiting new networking developments, all cabling must be installed by a contractor approved by the IT Department;
• All network connected equipment must be configured to a specification approved by IT Department;
• All hardware connected to the Town network is subject to IT Department management and monitoring standards;
• Changes to the configuration of active network management devices must not be made without the approval of the IT Department;
• The Town network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by the IT Department;
• The networking addresses for the supported protocols are allocated, registered and managed centrally by the IT Department;
• All connections of the network infrastructure to external third party networks are the responsibility of the IT Department. This includes connections to external telephone networks;
• The use of departmental firewalls is not permitted without the written authorization from the IT Department;
• Users must not extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point to the Town network without IT Department approval;
• Users must not install network hardware or software that provides network services without IT Department approval;
• Users are not permitted to alter network hardware in any way.

Password:

User authentication is a means to control who has access to an Information Resource system. Controlling the access is necessary for any Information Resource.
Access gained by a non-authorized entity can cause loss of information confidentiality, integrity and availability that may result in loss of revenue, liability, loss of trust or embarrassment to the Town of Mamaroneck.

The purpose of this policy area is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of the Town user authentication mechanisms and applies equally to all individuals who use any Town information resources.

Three factors or a combination of these factors can be used to authenticate a user. Examples are:

• Something you know - password, Personal Identification Number (PIN).
• Something you have - Smartcard
• Something you are - fingerprint, iris scan, voice
• A combination of factors - Smartcard and a PIN

• All passwords, including initial passwords, must be constructed and implemented according to the following IT Department rules:
  ❖ It must be changed every 90 days
  ❖ It must adhere to a minimum length as established by the IT Department
  ❖ It must be a combination of alpha and numeric characters
  ❖ It must not be anything that can easily be tied to the account owner such as: user name, social security number, nickname, relative's names, birth date, etc.
  ❖ Password history must be kept to prevent the reuse of a password
• Stored passwords must be encrypted.
• User account passwords must not be divulged to anyone. The IT Department and its contractors will not ask for user account passwords.
• Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with the Town (if applicable).
• If the security of a password is in doubt, the password must be changed immediately.
• IT Directors and IT staff must not circumvent this Policy for the sake of ease of use.
• Users cannot circumvent password entry with auto logon, application remembering, embedded scripts or hardcoded passwords in client software.
Exceptions may be made for specific applications (like automated backup, or when Windows Authentication is in use) with the approval of the IT Department. In order for an exception to be approved there must be a procedure to change the passwords.
• Computing devices must not be left unattended without enabling a password protected screensaver or logging off of the device.
• Password Guidelines:
  ❖ Passwords must have a minimum length of 8 alphanumeric characters.
  ❖ Passwords must contain a mix of upper and lower case characters and have at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits. The special characters are (!@#$%^&*_+=?/~`;:,<>|\).
  ❖ Passwords must not be easy to guess and they:
      • Must not be your Username
      • Must not be your employee number
      • Must not be your name
      • Must not be the Town name
      • Must not be family member names
      • Must not be your nickname
      • Must not be your social security number
      • Must not be your birthday
      • Must not be your license plate number
      • Must not be your pet's name
      • Must not be your address
      • Must not be your phone number
      • Must not be the name of your town or city
      • Must not be the name of your department
      • Must not be street names
      • Must not be makes or models of vehicles
      • Must not be obscenities
      • Must not be any information about you that is known or is easy to learn (favorite - food, color, sport, etc.)
  ❖ Passwords must not be reused for 24 consecutive password changes
  ❖ Passwords must not be shared with anyone
  ❖ Passwords must be treated as confidential information
  ❖ While the IT Director may request access to your data via proper channels, they may not request your password, nor should a user feel obliged to supply their password.
• Tips for creating a strong password
  ❖ Combine short, unrelated words with numbers or special characters.
    For example: eAt42peN
  ❖ Make the password difficult to guess but easy to remember
  ❖ Substitute numbers or special characters for letters. (But do not just substitute.) For example:
      • livefish - is a bad password
      • L1veF1sh - is better and satisfies the rules, but setting a pattern of 1st letter capitalized, and i's substituted by 1's can be guessed
      • l!v3f1Sh - is far better, the capitalization and substitution of characters is not predictable
• IT Helpdesk password change procedures must include the following:
  ❖ Authenticate the user to the helpdesk before changing password
  ❖ Change to a strong password
  ❖ The user must change password at first login
• In the event passwords are found or discovered, the following steps must be taken:
  ❖ Take control of the passwords and protect them
  ❖ Report the discovery to the Town Help Desk
  ❖ Transfer the passwords to an authorized person as directed by the IT Department

Physical Access:

Technical support staff, security, IT Directors, and others designated by the Town Administrator may have Information Technology physical facility access requirements as part of their function. The granting, controlling, and monitoring of the physical access to IT facilities is extremely important to an overall security program.

The purpose of this policy area is to establish the rules for the granting, control, monitoring, and removal of physical access to Information Resource facilities and applies to all individuals within the Town that are responsible for the installation and support of Information Technology, individuals charged with Information Security, and data owners.

• The Town of Mamaroneck Server Room is designed to be a "Lights Out" server room. Access is granted only for the purposes of accessing, installing and remediating hardware issues.
• All physical security systems must comply with all applicable regulations such as, but not limited to building codes and fire prevention codes;
• Physical access to the Town Server Room and IT Office must be restricted and managed;
• All IT facilities must be physically protected in proportion to the criticality or importance of their function in the Town;
• Access to the Server Room and IT Office must be granted only to Town support personnel, and contractors, whose job responsibilities require access to that facility;
• The process for granting key and security code access to Information Technology facilities must include the approval from the IT Director and/or Town Administrator;
• Access keys and codes must not be shared or loaned to others;
• Access keys that are no longer required must be returned to the Building Superintendent. Keys must not be reallocated to another individual bypassing the return process;
• Lost or stolen access keys must be reported to the IT Department;
• The Server Room and IT office access log must be kept by the IT Department;
• The IT Department must review access records for the Server Room and IT Office on a periodic basis and investigate any unusual access;
• The IT Department must remove access rights of individuals that change roles within the Town or are separated from their relationship with the Town;
• Visitors must be escorted in security code access controlled areas of Information Technology facilities;
• The IT Department must review code access rights for the Server Room and IT Office on a periodic basis and remove access for individuals that no longer require access;
• Signage for restricted access rooms and locations must be practical, yet minimal discernible evidence of the importance of the location should be displayed;

Portable Computing:

Portable computing devices are becoming increasingly powerful and affordable.
Their small size and functionality are making these devices ever more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices.

The purpose of this policy area is to establish the rules for the use of mobile computing devices and their connection to the network. These rules are necessary to preserve the integrity, availability, and confidentiality of Town information and apply equally to all individuals that utilize Portable Computing devices and access Town Information Resources.

• Only Town approved portable computing devices may be used to access Town Information Resources;
• Portable computing devices must be password protected;
• Town data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all sensitive Town data must be encrypted using approved encryption techniques;
• Town data must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized;
• All remote access to the Town of Mamaroneck network must be either through an approved modem pool or via an Internet Service Provider (ISP);
• Non-Town computer systems that require network connectivity must conform to Town IT Standards and must be approved in writing by the IT Department and the Town Administrator;
• Access to Town IR from equipment not owned by the Town must be granted in advance via the Town's Log Me In account to a specific workstation or through a designated VPN connection via the Town's Radius server;
• Unattended portable computing devices must be physically secure. This means they must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system.
Privacy:

Privacy Policies are mechanisms used to establish the limits and expectations for the users of the Town's Information Technology. Internal users should have no expectation of privacy with respect to Information Technology. External users should have the expectation of complete privacy, except in the case of suspected wrongdoing, with respect to Information Technology.

The purpose of this policy area is to clearly communicate the Town's privacy expectations with respect to Information Technology users and applies equally to all individuals who use any Town Information Resource.

• Electronic files created, sent, received, or stored on IT owned, leased, administered, or otherwise under the custody and control of the Town of Mamaroneck Domain are not private and may be accessed by the Town of Mamaroneck IT Department, with the permission of the Town IT Director or for general maintenance at any time without knowledge of the user.
• To manage systems and enforce security, the Town of Mamaroneck may log, review and otherwise utilize any information stored on or passing through its IT systems in accordance with the provisions and safeguards provided in this Security Policy. For these same purposes, the Town of Mamaroneck may also capture user activity such as telephone numbers dialed and web sites visited.
• A wide variety of third parties have entrusted their information to the Town of Mamaroneck to provide Municipal services to the public, and all employees, and elected and appointed officials working on behalf of the Town of Mamaroneck must do their best to safeguard the privacy and security of this information. The most important of these third parties is the individual customer; customer account data is accordingly confidential and access will be strictly limited based on Municipal need for access.
• Users must report any weaknesses in the Town of Mamaroneck computer security, any incidents of possible misuse or violation of this agreement to the proper authorities and must comply with the Town of Mamaroneck Information and Security Breach Notification Policy.
• Users must not attempt to access any data or programs contained on Town systems for which they do not have authorization or explicit consent.

Public Access WiFi:

The implementation of a Public WIFI account exists to assist its citizens with the ability to access information on their personal devices wirelessly from Town Hall. The purpose of this policy area is to document the security needed in order to protect the MAMARONECK internal network from outside unauthorized access. In order for a Public Access WIFI account to exist, the following security measures must be in place prior to account activation:

• The access point must have a separate configuration from the MAMARONECK wired and wireless networks
• Users must accept the Town of Mamaroneck WI-FI Terms of Service and Acceptable Use Policy prior to connection

Public Access Workstations:

In the Town of Mamaroneck's continuing effort to allow its citizens access to government and organizational information, workstations will become available in the Assessor's Office, Building and Recreation Departments in 2017 and 2018. The purpose of this policy area is to define the use of Public Access Workstations and to document the security needed in order to protect the MAMARONECK internal network from outside unauthorized access. In order for a Public Access Workstation to exist, the following security measures must be in place prior to account activation:

• The workstations are to be configured with minimal access to the Town network specific to applications appropriate for their intended use.
• Their purpose is for public access to selected government files, websites and information.
• It is not intended for normal web browsing of sites not designated by the IT Department.
• Print capabilities have been disabled with access to print determined by the individual department.

Secure Use of Social Media:

Social media, as referred to here, are web-based publishing and communications technologies, such as blogging, social networking, Websites, forums, wikis, and file sharing. They are called "social" because they are designed for creating dynamic human networks and exchanging user-generated text and rich media, such as audio and video. They are among the most widely used technologies on the Internet.

The purpose of this policy area is to provide best practices for the secure use of social media for collaboration and transparency in the Town of Mamaroneck Town government. Social media hold enormous power for collaboration and communication. Social media carry significant dangers ranging from accidental misuse to intentional criminal abuse.

Risks to information and computer systems are significant. The use of social media is ever-changing and therefore the dangers and risks also vary. Information and systems security professionals must be both vigilant and creative in responding to the shifting risk environment.

Cyber criminals target social media sites because they offer an effective means of propagating malicious code to a wide, unsuspecting audience. Sites that allow user-generated content are among the most active distributors of malicious content, such as worms that can shut down networks, or spyware and keystroke loggers that can compromise State data. Many postings to blogs, chat rooms and message boards are spam or contain malicious links. Since many links on social media sites are in the form of shortened or condensed URLs (e.g., TinyURL, Bit.ly), a user is unable to determine where these links lead, making it easy for criminals to direct an unsuspecting user to malicious sites.
The false sense of a trusted community when visiting social media sites increases the likelihood that a user may fall victim to this type of threat. If an employee is using Town resources when this occurs (e.g., a work PC), these resources have an increased risk of becoming infected.

Many social media sites do not have adequate security controls to protect the information they are holding. For example, some sites do not require strong passwords, some transmit credentials in clear text and some use easily guessed "secret" or "challenge" questions. As a result, social media accounts are frequently compromised. If the same account credentials are used for both the external social media site and Town resources, this could lead to unauthorized access to Town information.

By allowing access to externally hosted social media sites, a municipality may inadvertently bypass its own security controls. For example, external instant messaging and email services, which may be blocked within an agency because of security concerns, may be accessible through applications available on externally hosted social media sites.

Inadvertent exposure of confidential Town information is another risk associated with the use of social media. The ease of posting all types of content (e.g., documents, photos, videos, audio recordings) to social media sites, coupled with the erroneous assumption of a trusted environment, may result in the disclosure of confidential Town information.

Use of social media sites leads to a greater web presence, which in turn leads to a greater risk of spam and targeted phishing attacks. Some social media sites harvest information from email contact lists, which may put agency contact information in the hands of a third party with no knowledge of how that third party will use and/or protect that information. Information about a user's professional role in Town government, including Town email addresses, should not be included on personal profiles.
With the wealth of information available on social media sites, hackers are using tools to correlate information into a detailed user profile which can then be used for targeted phishing and other social engineering attacks.

Once information is posted on a social media site, it can be captured and used in ways not originally intended. It is nearly impossible to retract, as it often lives on in copies, archives, backups and memory cache. Some social media sites may claim to own the content posted on their site. It is important to note that the information conveyed on these sites could be considered a record as defined in the NYS Arts and Cultural Affairs Law.

Mitigation of Risks

The following recommendations are designed to limit, but will not eliminate, the security risks associated with the use of social media.

Governance and Use:

• Use of social media on behalf of a Municipality or access to social media from Town resources should be at the discretion of the Town Administrator and Town Board;
• Authorize use of social media after a proper evaluation of risk and demonstration of a justified business need;
• Develop policies to include social media and publicize these policies to users;
• Educate users on Town policies and the risks associated with social media as part of the Town's annual security awareness training;
• Do not use the same passwords for social media sites as are used to access Town resources;
• Classify Town data prior to posting per the Information Classification Standards in this policy;
• Do not post any non-public Town records (e.g., documents, photos, videos, audio recordings) without following an established Town process, consistent with the town's policy on information security that includes documented approval from Town management;
• Do not post any personal, private or sensitive (PPSI) information on social media sites;
• Where possible, minimize the posting of information about one's role in Town government, including Town email
addresses, on social media sites.

Technological Controls:

• URL and IP Filtering: This technology blocks certain websites, parts of websites, or IP addresses. This can help protect users who may be redirected to a known malicious site. In addition, for some social networking sites, using URL filters to block the login pages for all but those employees with a business need, allows for access to public information while preventing access to applications and messaging tools that may bypass the Town's security controls;
• Malware Filtering at the Network Perimeter: This technology inspects traffic before it gets into an entity's network to ensure that it does not contain malware and blocks any malware that it finds;
• Intrusion Detection/Intrusion Prevention Systems: This technology provides near real time monitoring and analysis of network activity for potential attacks in progress;
• Data Loss Prevention: This technology is designed to detect and prevent the unauthorized use and transmission of confidential information. It should be used at both the desktop and the web gateway to monitor for and block outbound confidential data;
• Browser with Restricted Privileges: If available, this feature ensures that the browser and its add-ons run with a minimal set of permissions preventing the installation of malicious code;

To further protect Town hosted sites, as well as to protect Town resources used to access externally hosted social media (e.g., Facebook, YouTube, Twitter), the following controls must also be in place:

• Protection against Malicious Code: Software and associated controls must be implemented across Town systems to prevent and detect the introduction of malicious code;
• Software Maintenance: All known security patches must be reviewed, evaluated and appropriately applied in a timely manner to reduce the risk of security incidents;
• Privileged Accounts Management: The issuance and use of privileged accounts must be restricted and controlled.
Inappropriate use of these account privileges is a major contributing factor to system breaches. Processes must be developed and implemented to ensure that use of privileged accounts is monitored, and any suspected misuse of these accounts is promptly investigated. Passwords of privileged accounts must be changed more often than normal user accounts.

Security Monitoring:

Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. The purpose of this policy area is to ensure that Information Resource security controls are in place, are effective, and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. This early identification can help to block the wrongdoing or vulnerability before harm can be done, or at least to minimize the potential impact. Other benefits include Audit Compliance, Service Level Monitoring, Performance Measuring, Limiting Liability, and Capacity Planning. This policy area applies to all individuals that are responsible for the installation of new Information Resources, the operations of existing Information Resources, and individuals charged with Information Resource Security.

Monitoring consists of activities such as the review of:

• Automated intrusion detection system logs
• Firewall logs
• User account logs
• Network scanning logs
• Application logs
• Data backup recovery logs
• Help desk logs
• Other log and error files

• Automated tools will provide real time notification of detected wrongdoing and vulnerability exploitation. Where possible a security baseline will be developed and the tools will report exceptions.
These tools will be deployed to monitor:
  ❖ Internet traffic
  ❖ Electronic mail traffic
  ❖ LAN traffic, protocols, and device inventory
  ❖ Operating system security parameters
• The following files will be checked for signs of wrongdoing and vulnerability exploitation at a frequency determined by risk:
  ❖ Automated intrusion detection system logs
  ❖ Firewall logs
  ❖ User account logs
  ❖ Network scanning logs
  ❖ System error logs
  ❖ Application logs
  ❖ Data backup and recovery logs
  ❖ Help desk trouble tickets
  ❖ Telephone activity - Call Detail Reports
  ❖ Network printer and fax logs
• The following checks will be performed at least annually by assigned individuals:
  ❖ Password strength
  ❖ Unauthorized network devices
  ❖ Unauthorized personal web servers
  ❖ Unsecured sharing of devices
  ❖ Unauthorized modem use
  ❖ Operating System and Software Licenses
• Any security issues discovered will be reported to the IT Director and Town Administrator for follow-up investigation.

Security Policy Standards:

This policy area applies to all information obtained, created, or maintained by the Town's Information Technology. These Policy Standards are based on the interpretation of New York State's Cyber Security Policy P.03-002 and other reference material and apply equally to all personnel including, but not limited to employees, agents, consultants, volunteers, Elected and Appointed Officials and the personnel they supervise. Further, these Policy Standards apply to all information generated by the Town's Information Technology functions, through the time of its transfer to ownership external to the Town or its proper disposal/destruction.

• Application of Policy Standards
  o The IT Department will protect the Information Resources assets of the Town of Mamaroneck in accordance with the New York State Cyber Security Policy P02-003 and as authorized by the Town Board.
o Specifically, the Town will apply policies, procedures, practice standards, and guidelines to protect its IR functions from internal data or programming errors and from misuse by individuals within or outside the Town.
  • This is to protect the Town from the risk of compromising the integrity of state programs, violating individual rights to privacy and confidentiality, violating criminal law, or potentially endangering the public's safety.
o All Town Information Resources security programs will be responsive and adaptable to changing technologies affecting Information Resources.
• Violations:
o Any event that results in theft, loss, unauthorized use, disclosure, modification or destruction, or degraded or denied services of IR constitutes a breach of security and confidentiality. Violations may include, but are not limited to, any act that:
  • exposes the Town to actual or potential monetary loss through the compromise of Information Resources security;
  • involves the disclosure of sensitive or confidential information or the unauthorized use of Town data or resources;
  • involves the use of Information Resources for personal gain, unethical, harmful, or illicit purposes, or results in public embarrassment to the Town.

Security Training:

Understanding the importance of computer security and individual responsibilities and accountability for computer security is paramount to achieving organization security goals. This can be accomplished with a combination of general computer security awareness training and targeted, product specific training. The philosophy of protection and specific security instructions need to be taught to, and reinforced with, computer users. The security awareness and training information needs to be continuously upgraded and reinforced.
The purpose of this policy area is to describe the requirements to ensure each user of the Town's Information Resources receives adequate training on computer security issues. This policy area applies equally to all individuals that use any Town Information Resource.
• All new users must attend an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any Town information resource.
• All users must sign an acknowledgement stating they have read and understand the Town of Mamaroneck Security and Computer Use Policies.
• All users (employees, consultants, contractors, temporaries, etc.) must be provided with sufficient training and supporting reference materials to allow them to properly protect the Town's Information Technology.
• All users must attend an annual computer security workshop given by the IT Department.
• The IT Department must develop and maintain a communications process to be able to communicate new computer security program information, security bulletin information, and security items of interest.

Server Hardening:

Servers are depended upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.

The purpose of this policy area is to describe the requirements for installing a new server in a secure fashion and maintaining the security integrity of the server and application software. This policy area applies equally to all individuals that are responsible for the installation of new IT computer systems, the operations of existing Information Technology, and individuals charged with Information Security.
• A server must not be connected to the Town of Mamaroneck network until it is in a Town IT accredited secure state and the network connection is approved by the Town's IT Department.
• The Server Hardening Procedure provides the detailed information required to harden a server and must be implemented before use. Some of the general steps included in the Server Hardening Procedure include:
❖ Installing the operating system from an IT approved source
❖ Applying vendor supplied patches
❖ Removing unnecessary software, system services, and drivers
❖ Setting security parameters, file protections and enabling audit logging
❖ Disabling or changing the password of default accounts
• The IT Department will monitor security issues, both internal to the Town and externally, and will manage the release of security patches on behalf of the Town of Mamaroneck.
• The IT Department will test security patches against IT core resources before release where practical.
• The IT Department may make hardware resources available for testing security patches in the case of special applications.
• The IT Department is responsible for implementing security patches within a reasonable timeframe after notification from the software company.

Software Licensing:

End-user license agreements are used by software and other information technology companies to protect their valuable intellectual assets and to advise technology users of their rights and responsibilities under intellectual property and other applicable laws.

The purpose of this policy area is to establish the rules for licensed software use on Town Information Resources. This policy area applies equally to all individuals that use any Town Information Resources.
• The Town of Mamaroneck provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner.
The IT department must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed in order to conduct official Town business.
• Third party copyrighted information or software, that the Town does not have specific approval to store and/or use, must not be stored on Town systems or networks. The IT Department will remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s).
• Third party software in the possession of the Town must not be copied unless such copying is consistent with relevant license agreements and prior management approval of such copying has been obtained, or copies are being made for contingency planning purposes.

Support Hours:

The Town of Mamaroneck IT Department provides 24/7 Desktop and User support via the Town's Help Desk system. Provided within the support process are varying levels of support ranging from basic user credit card processing and workstation troubleshooting to advanced network and systems troubleshooting. The process to alert a Technician is as follows:

1. Open a Help Desk ticket through the Town's Service Desk Plus system. The alert is received by the Town's IT Director and Information Security Officer and is responded to within one hour. If the issue is deemed to be urgent (based on the priority levels below), the IT Director will either resolve the issue or submit it for escalation with the Town's IT Consultants.

Urgency Levels:
• Emergency - All Systems Down
• Critical - Operational Impact - Credit Card processing issues, software applications critical to department functions such as Rec Trac, Municity, SEI Court, Impact, BEI and KVS not running
• High Priority - User Impact - Password reset, email and website issues

System Development:

The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate.
Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents, are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.

The purpose of this policy area is to describe the requirements for developing and/or implementing new software in the Town's Information Resources. This policy area applies equally to all individuals that use any Town Information Resources.
• The IT Department is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) for the Town of Mamaroneck system software applications;
• All software applications must have designated Owners and Custodians for the critical information they process. The IT Department must perform periodic risk assessments of the software to determine whether the controls employed are adequate;
• All applications must have an access control system to restrict who can access the system as well as restrict the privileges available to these Users. The IT Department is the designated access control Administrator (who is not a regular User on the system in question) which must be assigned for all applications;
• Where resources permit, there should be a separation between the administration, user access, and test environments. This will ensure that security is rigorously maintained for the application, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. Likewise, all application software testing must utilize sanitized information;
• All application-program-based access paths other than the formal user access paths must be deleted or disabled before software is deployed to users.
Vendor Access:

Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs; they can correct software and operating systems problems; they can monitor and fine tune system performance; they can monitor hardware performance and errors; they can modify environmental systems and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to the Town.

The purpose of this policy area is to establish the rules for vendor access to Town Information Resources and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of Town information. This policy area applies to all individuals that are responsible for the installation of new Information Resources assets, and the operations and maintenance of existing Information Resources, and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes.
• Vendors must comply with all applicable Town policies, practice standards and agreements, including, but not limited to:
❖ Town of Mamaroneck Security and Computer Use Policies
❖ Town of Mamaroneck Security and Information Breach Notification Policy
❖ Software Licensing Policies
• Vendor agreements and contracts must specify:
❖ The Town information the vendor should have access to.
❖ How Town information is to be protected by the vendor.
❖ Acceptable methods for the return, destruction or disposal of Town information in the vendor's possession at the end of the contract.
❖ The Vendor must only use Town information and Information Resources for the purpose of any agreement entered into between the Town and vendor.
• Any other Town information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others.
• The Town will provide the IT Department as point of contact for the Vendor. The point of contact will work with the Vendor to make certain the Vendor is in compliance with these policies.
• Vendor personnel must report all security incidents directly to the appropriate IT Department personnel.
• If vendor management is involved in Town security incident management, the responsibilities and details must be specified in the contract.
• Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by the IT Department.
• All vendor maintenance equipment on the Town network that connects to the outside world via the network, telephone line, or leased line, and all Town vendor accounts will remain disabled except when in use for authorized maintenance.
• Vendor access must be uniquely identifiable and password management must comply with the Town's Password and Admin/Special Access policy areas. Vendor's major work activities must be entered into a log and available to the Town Administrator upon request. Logs must include, but are not limited to, such events as personnel changes, password changes, project milestones, deliverables and arrival and departure times.
• Upon departure of a vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to the Town or destroyed within 24 hours.
• Upon termination of contract or at the request of the Town, the vendor will return or destroy all Town information and provide written certification of that return or destruction within 24 hours.
• Upon termination of contract or at the request of the Town, the vendor must surrender all Town Identification badges, access cards, equipment and supplies immediately. Equipment and/or supplies to be retained by the vendor must be documented by authorized the IT Director.
• Vendors are required to comply with all State and Town auditing requirements, including the auditing of the vendor's work.
• All software used by the vendor in providing service to the Town must be properly inventoried and licensed.

Virus Protection:

The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents, are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.

The purpose of this policy area is to describe the requirements for dealing with computer virus, worm and Trojan horse prevention, detection and cleanup. This policy area applies equally to all individuals that use any Town Information Resources.
• All workstations, whether connected to the Town network or standalone, must use the Town approved virus protection software and configuration;
• The virus protection software must not be disabled or bypassed;
• The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software;
• The automatic update frequency of the virus protection software must not be altered to reduce the frequency of updates;
• Each file server attached to the Town network must utilize IT Department approved virus protection software and setup to detect and clean viruses that may infect file shares;
• Each E-mail gateway must utilize IT Department approved e-mail virus protection software and must adhere to the IT Department rules for the setup and use of this software;
• Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the Help Desk.

TOWN OF MAMARONECK, NEW YORK
PUBLIC ACCESS WI-FI TERMS OF SERVICE AND ACCEPTABLE USE POLICY

Acknowledgement onscreen for any personal device accessing the Town of Mamaroneck Public Access Wi-Fi Connection:

"Your use of Town of Mamaroneck NY WiFi is your acknowledgment that you have read and agreed to the following: Please read and accept the Town of Mamaroneck Wireless Access Disclaimer below, before making a wireless connection. This wireless network ("WiFi") is provided as a free internet connection by the Town of Mamaroneck, NY. This public WiFi "hotspot" is intended for the limited personal, non-commercial use of visitors/patrons at the Town Hall. In providing this free WiFi, the Town may restrict access to certain sites considered by the Town to be illegal, malicious or inappropriate, and will terminate your access to this service if you use it in violation of this Agreement, Town Policies or Town guidelines. The Town may revise this Agreement at any time and it is your responsibility to review it for any changes each time.
The Town does not exercise control over the sites you may visit and products you may use while using this WiFi. You use this WiFi at your own risk. You agree that this WiFi may not be uninterrupted or error-free, viruses or other harmful applications may be available through this WiFi, the Town does not guarantee the security of this WiFi and unauthorized third parties may access your computer or files or monitor your connection. This WiFi is provided on an "as is", "as available" basis without warranties of any kind. By logging in to this WiFi, you accept these terms and conditions and agree your access to this WiFi is at your own risk, is at the sole discretion of the Town and may be monitored, suspended or terminated at any time for any reason, including but not limited to, violation of Town policies or Internet use guidelines, violation of this Agreement, actions by you that may lead to liability for the Town, disruption by you of another's access to this WiFi, actions by you which violate the rights of the Town or of any third party, or actions by you which violate any federal, state, or local law. You also agree not to utilize this WiFi in any unauthorized manner to upload or download any copyrighted matter, in any format, nor to upload or download any pornographic, adult oriented, hate or spam matter, in any format. Town Devices that are connected to the Town's Server may not use/connect to this wireless connection."

TOWN OF MAMARONECK, NEW YORK
INFORMATION AND SECURITY NOTIFICATION BREACH POLICY

1. This policy is consistent with the State Technology Law, section 208 as added by Chapters 442 and 491 of the laws of 2005. This policy requires notification to impacted New York residents and non-residents. New York State and the Town of Mamaroneck value the protection of private information of individuals.
The Town of Mamaroneck ("Town") is required to notify an individual when there has been or is reasonably believed to have been a compromise of the individual's private information in compliance with the Information Security Breach and Notification Act.

2. The Town, after consulting with the Town's Information Security Officer and the New York State Office of Cyber Security and Critical Infrastructure Coordination ("CSCIC") to determine the scope of the breach and restoration measures, shall notify an individual when it has been determined that there has been, or is reasonably believed to have been a compromise of private information through unauthorized disclosure.

3. A compromise of private information. Private information is defined by New York State as "Personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
• Social Security number; or
• Driver's license number or non-driver's identification card number; or
• Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account
Private information does not include publicly available information that is lawfully made available to the general public from Federal, State, or local Government records." Private Information shall mean the unauthorized acquisition of unencrypted computerized data with private information.

4. If encrypted data is compromised along with the corresponding encryption key, the data shall be considered unencrypted and thus fall under the notification requirements.

5. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
In such case, notification will be delayed only as long as needed to determine that notification no longer compromises any investigations.

6. The Town will notify the affected individual. Such notice shall be directly provided to the affected persons by one of the following methods:
• Written notice sent via First Class Mail;
• Electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the Town who notifies affected persons in such form;
• Telephone notification provided that a log of each such notification is kept by the Town who notifies affected persons; or
• Substitute notice, if the Town demonstrates to the New York State Attorney General that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the Town does not have sufficient contact information. Substitute notice shall consist of all of the following:
  • E-mail notice when the Town has an e-mail address for the subject persons;
  • Conspicuous posting of the notice on the Town's web site page, if the Town maintains one; and
  • Notification to major statewide media.

7. The Town shall notify CSCIC as to the timing, content and distribution of the notices and approximate number of affected persons.

8. The Town shall notify the New York State Attorney General and the New York State Consumer Protection Board, whenever notification to a New York resident is necessary, as to the timing, content and distribution of the notices and approximate number of affected persons.

9. Regardless of the method by which notice is provided, such notice shall include contact information for the Town making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of Personal Information and Private Information were, or are reasonably believed to have been, so acquired.

10. This Policy also applies to information maintained on behalf of the Town by a third party.

11. When more than five thousand New York residents are to be notified at one time, then the Town shall notify the consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of affected individuals. This notice, however, will be made without delaying notice to the individuals.

PROCEDURES FOR HANDLING A SUSPECTED BREACH OF INFORMATION:

Any Town employee or official who discovers that private information may have been compromised must fulfill all of his/her responsibilities as detailed below. Any Town employee or official who does not fulfill his or her responsibility related to this policy may face disciplinary action up to and including termination, and may also face severe monetary penalties and incarceration by HIPAA Enforcement entities (Federal Office of Civil Rights and New York State Attorney General).

1. Any Town employee or official will report any potential breach directly to the Information Security Officer.

2. The Information Security Officer will contact the affected Department Head and Town Administrator to inform him/her of the potential breach, and will work with the Town Administrator to complete an investigation.

3. Based on the breach risk assessment completed during the investigation, the Town Administrator, working with the Information Security Officer, will decide whether the incident is a breach.

4. If the incident is not a high-risk incident, the Information Security Officer will oversee the remainder of the incident response to ensure compliance with related State and Federal Laws.

5. For high-risk breach incidents, the Information Security Officer will engage the oversight of the Town Administrator and Town Attorney to review the incident investigation documentation, and oversee the remainder of the incident response pursuant to State Technology Law 208.

6. All records will be retained for a period of 6 years after the incident has been closed.

VIOLATION NOTICE:

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of Town Information Resources access privileges, and to civil and criminal prosecution.

REFERENCES:

National/Federal
• Copyright Act of 1976
• Foreign Corrupt Practices Act of 1977
• Computer Fraud and Abuse Act of 1986
• Computer Security Act of 1987
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Sarbanes-Oxley Act of 2002
• Family Education Rights and Privacy Act of 1974
• Oregon Department of Human Resources
• Uniform Trade Secrets Act
• Payment Card Industry Data Security Standard
• Trust Wave Security Policies
• San Diego State University
• Texas Department of Information Resources

State
• New York State Office of Cyber Security

Employee Acknowledgement:

I have read and been informed about the content, requirements, and expectations of the Town of Mamaroneck Security and Computer Use Policies.
I have received a copy of the policy and agree to abide by the policy guidelines as a condition of my employment and my continuing employment at the Town of Mamaroneck. I have read the Town of Mamaroneck Security and Computer Use Policies carefully to ensure that I understand the policy before signing this document and will consult with the Town Information Security Officer if I have any questions.

Employee Signature:
Employee Printed Name:
Date:

Vendor and/or Consultant Acknowledgement:

I have read and been informed about the content, requirements, and expectations of the Town of Mamaroneck Security and Computer Use Policies. I have received a copy of the policy and agree to abide by the policy guidelines as a condition of my business relationship with the Town. I have read the Town of Mamaroneck Security and Computer Use Policies carefully to ensure that I understand the policy before signing this document and will consult with the Town Information Security Officer if I have any questions.

Business Name:
Authorized Representative:
Date:

APPENDICES

APPENDIX A — SERVER AND FACILITY INFORMATION ACCESS FORM

Town of Mamaroneck Access to Server Applications and Facilities

TOWN OF MAMARONECK IT DEPARTMENT
740 W. BOSTON POST ROAD, MAMARONECK, NY 10543

Server Information Access Form

User Regulations as Applied to a New Employee or Modified Employee Status

This form must be completed any time there is a change to the status of an employee. The process is initiated in the Town Administrator's Office with the assistance of the IT Director. Once the preliminary information is completed, the form will then be sent for final approval from the Department Head. Please allow 2 business days for an employee's profile to be built in the system.
To be completed by Human Resources:
Date:

Active Directory Modifications
Employee Name:
Server User ID:
Department:
Position:

New Active Directory Modifications Due To:
Creation of New User ID:
Leave of Absence/Disable User:
Termination:
Change of Position/Responsibilities:

Document Sharing Capabilities: YES or NO
❖ To be Shared with:
Authority within Documents: Move Location Read-Only Modify Lock Document Properties Create Shortcut New Location Delete Shortcut Disable User

Email Account Set-Up
Email Account: @TownofMamaroneckNY
Create Email Account: YES NO
Delete Email Account: YES NO
Suspend and Monitor Email Account: YES NO
Mailbox location for Monitoring:
Access to Department Shared Mailbox: Y N

I authorize the IT Department to make the changes as per the attached parameters:
Human Resources:
Signature:
Date:

IT Department Use Only
Date Configured:
IT Personnel / Consultant Signature (if applicable):
IT Director Signature:

SOFTWARE USER PERMISSION LEVEL
Columns: STANDARD USER | READ ONLY CONNECTION | DISABLE USER | DELETE USER | POWER USER

Software: 550 DESKTOP ACTIVE DIRECTORY Al ALARM BILLING ARC GIS BAS FOIL BAS ONLINE TAX BAS TOWN CLERK BEI CALL RECORDING CIVIC PLUS WEBSITE COM PLUS FUELMASTER IMPACT HOUSING PRO IP CAMERAS-ICE RINK IP CAMERAS-POLICE IP CAMERAS-SANITATION KVS KVS-PLAY KVS STANDARD KVS STANDARD-PLAY LASERFICHE REPOSITORY-MAIN LASERFICHE REPOSITORY-SANDBOX LASERFICHE WORKFLOW LASERFICHE WORKFLOW-SANDBOX LASERFICHE ADMINISTRATION CONSOLE LASERFICHE FORMS LIGHTPATH VoIP PHONE SYSTEM MUNICITY MUNICITY MOBILE NOVUS AGENDA RECTRAC/WEBTRAC/PAYTRAC RiCi POLICE BOOKING AND FINGERPRINT SYSTEM RTA FLEET MANAGEMENT SDG SEI COURT SERVICE DESK PLUS HELP DESK T2 SYSTEMS TRACK SMART TIMEKEEPING

IT INTERNAL SUPPORT APPS: CCLEANER CLOUD DESKTOP CENTRAL EXCHANGE 365 ADMIN MALWAREBYTES ENDPOINT MICROSOFT VOLUME LICENSING OP MANAGER SYMANTEC ENDPOINT SQL 2012

VPN ACCESS FORM: LOG ME IN ACCOUNT CISCO VPN CLIENT CISCO ANY CONNECT

EQUIPMENT ACCESS FORM
Columns: EQUIPMENT | DATE ISSUED | DATE RETURNED
• LAPTOP
• TABLET
• DIGITAL CAMERA
• CELL PHONE

BUILDING SECURITY ACCESS FORM
Columns: FACILITY | DATE ISSUED | DATE RETURNED
• TOWN CENTER BUILDING MASTER KEY
• TOWN CENTER MAIN ACCESS
• TOWN ADMINISTRATORS OFFICES
• ASSESSOR'S OFFICE
• BUILDING/HIGHWAY/ENGINEERING OFFICE
• COMPTROLLER'S OFFICE
• COMMUNITY SERVICES OFFICE
• COURT OFFICES
• COURT ROOM
• IT DIRECTOR'S OFFICE
• NETWORK/TELEPHONE SWITCHROOMS
• POLICE DEPARTMENT
• RECREATION OFFICE
• TOWN CLERK'S OFFICE

I authorize the IT Department to make the changes as per the attached parameters:
Department Head:
Signature:
Date:

IT Department Use Only
Date Configured:
IT Personnel/Consultant Signature (if applicable):
IT Director Signature:

APPENDIX B - PERIODIC OPERATIONAL SECURITY PROCEDURES

Town of Mamaroneck Periodic Operational Security Procedures

Columns: Task | Daily | Monthly | Quarterly | Bi-Annual | Annually | Target Window
(Each row below gives the task, its frequency mark, and its target window.)

Security Policy
Enterprise Risk Analysis | X | Q1
Policy/standards review | X | Q1
Security awareness orientation | X | Q1

Organizational Security
Review security policy exceptions compliance | X | Q2 and Q4

Asset Classification and Control
Review system access controls | X | Q2 and Q4
Review access request approvals & audit trail | X | Q2 and Q4
Audit disposal of data and media | X | Week-2

Personnel Security
Audit terminated employee samples for system, network, application access | X | Week-4
Incident response team meeting | X | Q1

Physical and Environmental Security
Visit offsite storage facility and perform media inventory | X | Q3
Review compliance of data center access & visitor logs | X | Q3

System Security
File Integrity Scan | X | 1 a.m.
Review intrusion detection (IDS/IPS) logs | X | 10 a.m.
Review all other security and event logs | X | 10 a.m.
External vulnerability scan X Week-3 Internal vulnerability scan X Week-3 Use a Wireless Analyzer to detect unauthorized X Week-3 wireless devices in use Firewall rule set review X Week-4 External penetration testing X Q2 Internal penetration testing X Q2 6 _ Data encryption key rotation X Q3 7 1114 - 8 • • ITEM 2 • TQWN:Or MAMARONECK ROSTER As of January 1, 2016 BOARDS, COMMITTEES AND COMMISSIONS BOARD, COMMITTEE OR COMMISSION Member TERM EXPIRES ACTIONS NOTES BOARD OF ARCHITECTURAL-5 Members-2 Alternates- 3 yr term, Liaison-E. Odierna Donald Meeker A 12/31/18 Ed Jacobson-Chair B 12/31/16 Ken Ricci C 12/31/16 Joseph Shein D 12/31/16 Diane Neff E 12/31/17 BOARD OF ASSESSMENT REVIEW 5 Members 2 Alt- 5 years Liaison-A. Katz Cary Sleeper A 09/30/18 Leonard Verrastro B 09/30/19 Kathleen Spadaro C 09/30/20 Eve Neuman D 09/30/16 VACANT E 09/30/17 VACANT ALT 1 09/30/17 VACANT ALT 2 09/30/12 COASTAL ZONE-5 Members from each Municipality,3 year terms Liaison-A. Katz Tara Anderson 08/30/16 Howard McMichael 08/31/18 Matthew Teitsch 08/31/18 Alan Mason 08/31/18 VACANT 08/31/17 BOARD OF ETHICS-5 members,3 yr terms Liaison-T. Murphy Robert Degen A 12/31/18 Grace D'Alessio B 12/31/18 Ted Hecht C 12/31/16 Martin Ronan Chair 12/31/16 Martin Ronan D 12/31/16 Carol Scharff E 12/31/17 HOUSING AUTHORITY-5 members,5 yr terms Liaison-J Elkind Eney • • Robert Kirby - A 12/31/18 ( Chair apptd by Authority) Richard Cherry B 12/31/19 Sal lacono C 12/31/20 Caroline Silverstone D 12/31/16 Page 1 TOWN OF MAMARONECK ROSTER As of January 1, 2016 BOARDS, COMMITTEES AND COMMISSIONS Dolores Battalia E 12/31/17 LIBRARY BOARD OF TRUSTEES-3 Members from each Municipality-5 years Liaison-E. Odierna Maureen LeBlanc 05/31/18 Linnet Tse 05/31/21 Jen Connley 05/31/20 PLANNING BOARD-7 members,7 yr terms Liaison-J. 
Elkind-Eney
Ralph Engel Chair 12/31/16
Elizabeth Cooney Vice Chair 12/31/16
Eileen Weingarten A 12/31/17
Donald Kravet B 12/31/17
Ralph Engel C 12/31/17
Elizabeth Cooney D 12/31/18
Ed Papazian E 12/31/18
George Roniger F 12/31/18
Ira Block G 12/31/19
VACANT ALT. A 12/31/19
Ron Mandel ALT. B 12/31/19

RECREATION COMMISSION 7 Members, 2 Alternates-7 years Liaison-J. Elkind-Eney
Robert Morello A 12/31/17
James Druker B 12/31/17
Susan Sigel C 12/31/17
William Paonessa D 12/31/18
Rita Plansky E 12/31/18
Terry Rainaldi F 12/31/18
Nathalie Orans G 12/31/19

SUSTAINABILITY COLLABORATIVE 10 Members-3 years Liaison-N. Seligson
Mitch Green Chair 12/31/16
VACANT A
VACANT B
Frank Owens C 12/31/18
Elizabeth Radow D 12/31/16
Michele Lewis E 12/31/16
Stephen Moser F 12/31/16
George Roniger G 12/31/17
Marc Karell H 12/31/17
Tony Gelber I 12/31/17
Mitch Green J 12/31/17

TRAFFIC COMMITTEE-7 members, 3 year terms Liaison-A. Katz
Robert Herbst A 12/31/2018
Donald Sutherland B 12/31/18
Linnet Tse C 12/31/16
Doris Block D 12/31/16
Doris Block-Chair Chair 12/31/16
Stephen Bartell E 12/31/17
Camille Odierna F 12/31/17
Kimberly Larsen G 12/31/17

ZONING BOARD OF APPEALS-5 members-5 yr terms Liaison-T. Murphy
Jonathan Sacks A 12/31/18
Jeff King B 12/31/18
Irene O'Neil C 12/31/19
Arthur Wexler Chair 12/31/16
Arthur Wexler D 12/31/19
Evans Simpson E 12/31/20
Steve Marsh ALT. A 12/31/20
VACANT ALT. B 12/31/15

LMC-TV BOARD OF CONTROL
Richard Slingerland Administrator
Tony Siligato Secr/Treas.
Mayor Norm Rosenblum VOM
Mayor Lorraine Walsh VOL
Councilman Tom Murphy TOM

WORKSESSION ITEM 3

TOWN OF MAMARONECK 2016 GOALS/PRIORITIES

LEGISLATIVE GOALS (each goal is followed by its Projected Schedule for Completion)

1. PACE Technical Grant-Greening of Town Code. Carryover from 2015. Town has received draft report that will first go through staff review and then be forwarded to the Town Board for further consideration. The greening of the code project was not completed in 2016 and will be carried over to 2017.
Projected schedule: Completion and final review, June of 2016.

2. Residential Site Plan Law. Moratorium adopted effective Jan. 1, 2016. Local law to be drafted with review by staff, Town Board, Planning and Zoning Board Chairs. This project is complete. The Town did adopt a residential site plan law. This project is essentially complete; however, minor amendments to the law will be under consideration in 2017.
Projected schedule: Completion and adoption by March 31, 2016.

3. Mechanical Rock Removal Law. Carryover from 2015. Proposed removal of rock quantity threshold and limit all mechanical rock removal to 15 days maximum in a 12 month period. This project is complete as amendments were made to the rock removal law. In addition, changes were made in the best practices component of rock removal regarding dust control during rock removal operations.
Projected schedule: Completion by April 20, 2016.

4. Review of Private Sewer Lateral Legislation. Carryover from 2015. Proposed legislation to mandate periodic inspection of private sewer laterals. Legislate a program for repair or replacement of sewer laterals. This project is not complete. We have completed research of other government agencies on methods used to evaluate the condition and arrange repairs for private sewer laterals. Final recommendations to the Town Board will be made when the Sewer System Evaluation Study is completed.
Projected schedule: Completion to be in conjunction with SSES Study in 2016/17.

5. Amend Flood Damage Prevention Law- The law would be amended to comply with new FEMA maps issued in 2015. This project is not completed and will be carried over to 2017.
Projected schedule: Carryover from 2015. Completion by fall of 2016.

6. Update of LWRP-This project entails an update to the policies of the LWRP to be coordinated with revised policies in the New York State LWRP. This project is not completed. There were some difficulties with the consultant retained for the project which extended the completion time for the update. The consultant has finally completed his work on the project and Elizabeth Paul will be working with the CZMC to complete the update by the end of the winter.
Projected schedule: Carryover from 2015- Expected completion late spring 2016.

7. Codification of Traffic Regulations- Preparing all of the Town's traffic codes into one section of the Town Code for ease of reference and amendment when necessary. This project is complete from the standpoint that a completed traffic code has been drafted. The code is under review by the Traffic Committee and Town Board.
Projected schedule: Carryover from 2015- Expected completion summer of 2016.

8. Noise Ordinance Amendment-Consider an amendment to the noise ordinance as it relates to a requirement for landscapers to utilize lower decibel output equipment. This project is not complete although our enforcement of the existing noise code was greatly improved. In 2016, 56 summonses were issued for the illegal use of leaf blowers. To complete this project we must evaluate how the Town can adopt and enforce a requirement for landscapers to use low decibel output leaf blowers.
Projected schedule: Completion by the summer of 2016.

9. Amendment to Peddlers Law- Consider an amendment that would provide a fee waiver for veterans. This project is complete.
Projected schedule: Completion by spring of 2016.

OPERATIONAL PROJECTS AND GOALS (each goal is followed by its Projected Schedule for Completion)

1. Completion of all approved 2016 capital projects as listed in the 2016 Town Budget- See Capital project report included in the 2016 Town Budget for further details. A separate report on the status of all capital projects will be provided separately.
Projected schedule: All projects planned for completion by December 2016.

2. Update of Town Assessment Roll-Preparation for 2017 Full Revaluation. The 2017 revaluation is well under way. Data mailers were issued in December and are due back to the Town in January of 2017. Total project completion resulting in a new updated assessment roll will be available in May.
Projected schedule: Spring of 2016 through December of 2016.

3. Website Redesign- Move to Civic Plus as the Town's website provider and designer. This project is completed. The new Civic Plus website has been operational for some time. Ongoing improvements and changes to the website will be an ongoing function of our Information technology function.
Projected schedule: Expected launch of new site Summer 2016.

4. Communications Project-With the assistance of a consultant, evaluate alternatives to improve communications and outreach with the community to inform them of Town government activities and initiatives. Project to be conducted in conjunction with website redesign. Also would include consideration of an alternative emergency notification system. This project is complete although like the website there will be ongoing revisions. In conjunction with the website the Town instituted the Town Supervisor's monthly electronic newsletter along with the development of a print newsletter that will be distributed twice a year. The Town Facebook pages and e-mail blasts systems were completed and our new emergency notification system Swift-999 is operational.
Projected schedule: Ongoing throughout 2016.

5. Implementation/installation of the new Lightpath Telephone System for all Town Departments. This project is not complete. At this time the telephone system is being installed in the various Town offices and in the Weaver Street Firehouse. The delays in the completion of this project were due to difficulties with Lightpath and reprioritizing other IT related projects. The new phone system should be functional in February 2017.
Projected schedule: March through May 2016.

6. Implement on line payment and registration for Recreation Programs and Facilities. This project is complete. Residents can now sign up for and pay for virtually all of the Town's Recreation Programs.
Projected schedule: Spring of 2016.

7. Implement on line payment of property taxes. This project is complete. Residents may now pay school, Town and County taxes using our new online system.
Projected schedule: September of 2016 for first School tax payment.

8. Expand on line payments in the Town Court to include traffic infractions. This project is complete. On line payments are now accepted for traffic infractions. This supplements the existing program that allows for online payments of parking tickets.
Projected schedule: Fall of 2016.

9. Technology Projects:
Adoption of Cybersecurity policy. This project is not complete; however, the Cybersecurity policy was just issued to the Town Board for review. Anticipated completion of this project is February 2017.
Projected schedule: March of 2016.
Upgrades and improvements to Town Computer network system to improve security of the system. This project will be complete by the end of January 2017. All security initiatives have been completed with the exception of certain security activities at the ice rink and in the Recreation Office. We are in the process of passing our PCI compliance protocols, which are required of any agency or organization that allows for the use of credit cards for the purchase of goods and services.
Projected schedule: Winter/Spring 2016.

10. Continued review and consideration of Community Choice Aggregation Program. This project is complete as the Town approved participation in the CCA program.
Projected schedule: January 2016.

11. Continued review and consideration of Municipal Solar Buyer's Group Program- Evaluate the feasibility and value of introducing solar power to select Town Facilities. This project is not complete. We are evaluating the feasibility and value of the installation of solar panels and comparing the alternative of contracting for installation of the panels through a capital project authorization versus entering into a power purchase agreement for solar power.
Projected schedule: January-August 2016.

12. Negotiation of Renewal Collective Bargaining Agreement-Career Firefighters. The Town remains in negotiations with the career firefighters at this time.
Projected schedule: Negotiations to commence March 2016.

13. Completion of Sanitary Sewer Evaluation System for the entire unincorporated area in accordance with the Town's agreement with Westchester County. This project is not complete. The Sewer System Evaluation Study (SSES) got underway in October of 2016. Completion of the project is expected between June and August 2017.
Projected schedule: Spring of 2016 through June of 2017.

14. Implementation of Sanitary Sewer Capacity Management Operations and Maintenance Program- This is a requirement of our agreement with Westchester County for sewer upgrades. This project is complete to the extent that Westchester County and the New York DEC have approved our program. The SSES study is essentially the first implementation of the CMOM program. This will be an ongoing program conducted by the Highway Dept.
Projected schedule: Program to go into effect when approved by West. County. Approval expected in spring of 2016.

15. Senior Center-expand outreach to seniors in the community to increase participation in the congregate meal program and senior center activities through communications to churches, and other organizations. The initial outreach program is complete. At this time we have about 300 senior citizens registered in the program. Participation in all programs is up with the greatest increase in Senior Citizen fitness programs. Continued outreach to the senior community is now an ongoing component of our program.
Projected schedule: Ongoing throughout 2016.

16. Development of Future Plans for Third Floor of Town Center-Commencement of this project awaits final decision by LMCTV as to their permanent headquarters. This program is not complete. There does not appear to be a final schedule of how and when LMCTV will move to the old Village Firehouse. The question of whether the project will require prevailing wages is still outstanding. In 2017 we will be meeting with architects to determine the best means of moving forward with the feasibility study.
Projected schedule: Carryover from 2015. No final schedule available.

17. Develop a Town Policy for the use of Pesticides and Fertilizers. This project is not complete. We will look to complete the development of a formal pesticide and fertilizer policy in 2017.
Projected schedule: Spring of 2016.

18. Sustainability Collaborative Projects:
• Rain barrel purchasing program
• Energy Data Monitoring (see goal #15)
• Leaf Mulching
• Green Gardening Program
• Complete Streets Program-Walkable, bikeable streets
• Townwide Bicycle Event
A number of these projects are complete. The rain barrel purchasing program was initiated and will be an ongoing activity. Encouraging greater leaf mulching by residents will also be an ongoing program of education to the community to reduce the quantity of leaves collected each fall. The Green Gardening program is still a work in progress. The complete streets program has been ongoing and a contract has been awarded to a consultant to evaluate the placement of bike lanes in Town. Also to develop education programs to remind motorists to share the road. The study is scheduled for completion by the summer of 2017.
Projected schedule: Completion of all programs by December 2016.

19. Grants-In-Aid: On an ongoing basis evaluate available grant opportunities and their potential application to the Town's goals and projects. This is an ongoing activity for the Town government. Grants were awarded to the Town in 2016 for the Town Center Parking Lot project and for improvements in the Town Court. We are in the process of implementing grant programs for the Weaver Street Sidewalk project. We are awaiting notice from the State for a grant for a new sidewalk on Colonial Avenue.
Projected schedule: No specific schedule for completion.

20. Baldwin Avenue Parking-Purchase parking meters and establish both short term and long term parking on Baldwin Avenue for park users and short term commuter parking. Also establish special parking permit for residents of Baldwin Avenue that do not have on-site parking. Seek amendment to residential parking law to include Baldwin Avenue residents. This project is complete in terms of the legislation needed to restrict the type of parking on Baldwin Avenue. The challenge of this project has been identifying a feasible alternative for the long term daytime parking spaces. For the eight long term spaces the use of a pay machine appears cost prohibitive. However, the installation of standard coin meters is problematic because of the amount of change a parker would need to carry. We are working on several other alternatives and plan on having a final recommendation for the Town Board no later than the end of February 2017.
Projected schedule: Completion by summer of 2016.

Town of Mamaroneck 2017 Goals/Priorities

Goal/Priority (each goal is followed by its Projected Schedule)

1. All incomplete 2016 projects are carried over into 2017 for continued progress towards completion. See the status report for the 2016 Goals/Priorities for further details.

2. Reorganization of Capital Program Presentation-This project entails developing a more effective presentation of the proposed capital programs and to provide a more detailed five year analysis of projected projects.
Projected schedule: Summer of 2017.

3. Departmental Reorganizations- In the Town Administrator's office there will be a rearranging of tasks and responsibilities now that Benefits administration will be handled from the office. Also the rearranging of tasks is intended to provide for more project management and long term planning of operational needs of the Town government. In the Building Department/Engineering Department, with new staff expected, land use procedures are being revised to make the departments more user friendly.
Projected schedule: Spring of 2017.

4. Development of a Comprehensive Plan-This was previously discussed. The idea is to develop a comprehensive plan that coordinates the goals and objectives of the Town's LWRP, Hazard Mitigation Plan and Land Use Plan. Included in this would be the updating of the 1986 corridor studies for both the Boston Post Road and Palmer Avenue. Consideration should be given to coordinating this study with one or both of the Villages.
Projected schedule: No schedule for completion at this time.

5. Hommocks Pool-This project is to initiate with the School District an all-inclusive discussion of possible changes and improvements for running the pool facility. There are issues of operating costs, condition of the locker rooms, and expansion of pool use for the community.
Projected schedule: No schedule for completion at this time.

6. Kayak Launch-Hommocks Conservation Area-This project was previously funded in 2016 for the development of a kayak launch at the Hommocks. The Recreation Department is now accepting consultant proposals to proceed with the analysis.
Projected schedule: Summer of 2017.

7. Traffic Roundabout-Madison Avenue/I-95 Ramps-This project is to consider the development of a roundabout rather than install traffic signals at this location. A study was authorized by the Town Board in 2016 and that study will be completed by February. The further analysis would include identifying sources of funding such as grants and the benefits of such an improvement.
Projected schedule: Summer of 2017.

8. Senior Center/VFW Site Plan- Now that the Town owns the facility this project would be a more in depth look at uses on the site and planning an efficient use of the outdoor space.
Projected schedule: Fall 2017.

9. Applications of EV Technology in the Town-We have identified a number of programs that would subsidize the introduction of electric vehicles into the Town operations as well as developing charging stations for some of our parking lots. The analysis would include looking at the feasibility of purchasing electric vehicles as part of our regular capital vehicle replacement program and establish the best locations for charging stations.
Projected schedule: Summer 2017.

10. FAR Review- During our discussion of the residential site plan law consideration was given to revising our FAR law to further restrict the size of new in the Town.
Projected schedule: No schedule for completion at this time.

11. Electronic Agenda Program-This project would provide for the development of a Town Board agenda system that can be managed electronically. Currently we are working with Novus Agenda on a trial program.
Projected schedule: Spring of 2017.

12. Reusable Bag Initiative-This project is to revisit a program to ban the use of certain types of plastic bags in retail outlets.
Projected schedule: No schedule for completion at this time.

13. 2017 Capital Improvement Projects- Details on these projects were provided as part of the 2017 budget process. However, an updated report on the projects will be provided at the time final financing approval is sought from the Town Board.
Projected schedule: February 2017.

14. Affordable Housing Opportunities-Although the housing settlement activity appears to be winding down, the Town should consider exploring feasible affordable housing opportunities, particularly in zone areas that were rezoned in the SBR and BR zones.
Projected schedule: No specific completion schedule.

15. Collective Bargaining Activity-The Town's collective bargaining agreement with the CSEA representing office and Highway Department employees expired on December 31, 2016. Negotiations with the union have begun.
Projected schedule: No specific completion schedule.

16. Regulation of Gun Stores- This project would be to investigate what if any measures the Town could take in terms of regulating the development of gun and ammunition stores.
Projected schedule: No specific completion schedule.
LEGAL NOTICE IS HEREBY GIVEN that pursuant to Section 130 of the Town Law of the State of New York, and pursuant to a resolution of the Mamaroneck Town Board adopted on January 9, 2017, a Public Hearing will be held on Wednesday, January 18, 2017 at 8:00 PM or as soon thereafter as is possible at the VFW Lodge, 1288 Boston Post Road, Larchmont, New York to consider: "Outlawing Firearms on or in Town-owned or Town-leased Property or Buildings" Law.

The Town Board is aware of the sad reality currently plaguing our country of shootings, often fatal, of innocent persons. While the Town Board recognizes that it cannot solve this problem, it also recognizes that there is no need for persons, other than specific officers and personnel, to carry firearms on, or in Town-owned or Town-leased property or buildings. This law makes it illegal for persons, other than those permitted to do so by this law, to bring firearms onto such property.

The full text of this law can be viewed on the website or copies can be obtained at the Town Clerk's office during regular hours, Mon-Fri, 8:30 AM to 4:30 PM, in June, July and August until 4:00 PM, at 740 W. Boston Post Road, Mamaroneck, NY.

PLEASE TAKE FURTHER NOTICE that at the Public Hearing all persons interested will be given an opportunity to be heard and that all persons are invited to submit written comments at or prior thereto.

BY ORDER OF THE TOWN BOARD OF THE TOWN OF MAMARONECK
CHRISTINA BATTALIA
TOWN CLERK
Published: January 13, 2017

Local Law No. -2017

This local law shall be known as the "Outlawing Firearms on or in Town-owned or Town-leased Property or Buildings" Law.

BE IT ENACTED by the Town Board of the Town of Mamaroneck

Section 1—Purpose:
The Town Board is aware of the sad reality currently plaguing our country of shootings, often fatal, of innocent persons. While the Town Board recognizes that it cannot solve this problem, it also recognizes that there is no need for persons, other than specific officers and personnel, to carry firearms on, or in Town-owned or Town-leased property or buildings. This law makes it illegal for persons, other than those permitted to do so by this law, to bring firearms onto such property.

Section 2—Creation of a new article in a current chapter of the Mamaroneck Code:
Chapter 100 of the Code of the Town of Mamaroneck hereby is amended to add the following article to it:

Chapter 100 Firearms
Article III— Prohibition of Firearms on or in Town-owned or Town-leased Property

§ 100-7. Definitions
For the purpose of this article, the following terms have these meanings:

"Exempt person" means (a) police officers as that term is defined in subdivision thirty-four of section 1.20 of the NY Criminal Procedure Law, (b) peace officers as that term is defined in section 2.10 of the NY Criminal Procedure Law, (c) individuals in the military service of the State of New York or the United States, and (d) persons in the service of the United States who, whether in pursuit of their official duty, or when authorized by federal law, regulation or order are authorized to possess an item defined in this section.

"Firearm" means an instrument meeting the description contained in any one of the following paragraphs of section 265.00 of the NY Penal Law:
(1): Machine-gun
(3): Firearm
(11): Rifle
(12): Shotgun
(15-a): Electronic dart gun
(15-c): Electronic stun gun
(20): Disguised gun
(21): Semiautomatic
(22): Assault weapon.

"Real property" includes the buildings and other improvements erected thereon.

"Town-leased property" means any real property that the Town of Mamaroneck or any of its departments or authorities leases from another party whether such lease is oral or in writing.

"Town-owned property" means any real property the title to which is vested in the Town of Mamaroneck or any of its departments or authorities.

§ 100-8. References to state statutes.
The provisions of the state statutes incorporated by reference into this article mean those provisions as they currently exist or as they may exist at the time a violation of this article occurs, or any statute that replaces any of those statutes may exist at the time a violation of this article occurs.

§ 100-9. Illegal possession
It shall be illegal for any person, other than an exempt person, to possess a firearm when on town-leased property or town-owned property. Notwithstanding the preceding sentence, a tenant of the Hommocks Park apartments who is allowed by law to possess an item defined in this section shall not violate this law if that tenant possesses such item while on the grounds of the Hommocks Park apartments.

§ 100-10. Penalty
A person who violates this article shall be charged with a violation and if convicted shall be punished by a fine of not less than five hundred and no/100ths ($500.00) dollars and not more than one thousand and no/100ths ($1,000.00) dollars.

Section 3—Severability:
Should any provision of this Local Law be declared invalid or unconstitutional by any court of competent jurisdiction, such declaration of unconstitutionality or invalidity shall not affect any other provisions of this Local Law, which may be implemented without the invalid or unconstitutional provisions.

Section 4— Effective Date:
This Local Law shall become effective upon filing with the Secretary of State.

January 13, 2017
LEGAL NOTICE IS HEREBY GIVEN that pursuant to Section 130 of the Town Law of the State of New York, and pursuant to a resolution of the Mamaroneck Town Board adopted on January 9, 2017, a Public Hearing will be held on Wednesday, January 18, 2017 at 8:00 PM or as soon thereafter as is possible at the VFW Lodge, 1288 Boston Post Road, Larchmont, New York to consider: "Creation of an Accessible Parking Space on Copley Road" Law.

There shall be one (1) accessible parking space on the north side of Copley Road, located approximately one hundred (100) feet from the intersection of Copley Road and Alden Road.

The full text of this law can be viewed on the website or copies can be obtained at the Town Clerk's office during regular hours, Mon-Fri, 8:30 AM to 4:30 PM, in June, July and August until 4:00 PM, at 740 W. Boston Post Road, Mamaroneck, NY.

PLEASE TAKE FURTHER NOTICE that at the Public Hearing all persons interested will be given an opportunity to be heard and that all persons are invited to submit written comments at or prior thereto.

BY ORDER OF THE TOWN BOARD OF THE TOWN OF MAMARONECK
CHRISTINA BATTALIA
TOWN CLERK
Published: January 13, 2017

Local Law No. -2017

This local law shall be known as the "Creation of an Accessible Parking Space on Copley Road" Law.

BE IT ENACTED by the Town Board of the Town of Mamaroneck as follows:

Section 1—Purpose.
The purpose of this local law is to create an accessible parking space on Copley Road.

Section 2—Creation of an accessible parking space on Copley Road
There shall be one (1) accessible parking space on the north side of Copley Road, located approximately one hundred (100) feet from the intersection of Copley Road and Alden Road.

Section 3—Signs to be erected and painting to be done
An appropriate sign or signs shall be erected on the north side of Copley Road indicating the location of the accessible parking space. If deemed appropriate by the Superintendent of Highways, the accessible parking space also may be painted to indicate the accessible parking space.

Section 4—Severability
Should any court of competent jurisdiction declare any provision of this Local Law invalid or unconstitutional, such declaration of unconstitutionality or invalidity shall not affect any other provisions of this Local Law, which may be implemented without the invalid or unconstitutional provisions.

Section 5—Effective Date
This Local Law shall become effective on the date that it is filed in the office of the Secretary of State.

December 30, 2016

LEGAL NOTICE IS HEREBY GIVEN that pursuant to Section 130 of the Town Law of the State of New York, and pursuant to a resolution of the Mamaroneck Town Board adopted on January 9, 2017, a Public Hearing will be held on Wednesday, January 18, 2017 at 8:00 PM or as soon thereafter as is possible at the VFW Lodge, 1288 Boston Post Road, Larchmont, New York to consider: "Restriction on Parking on Thompson Street and Laurel Avenue" Law.

Commuters continue to park on Thompson Street and Laurel Avenue to the detriment of the neighborhood. To relieve that intrusion upon the peace and tranquility of the residents, the Town Board has decided to prohibit parking for two hours per day (one hour in the morning and one hour in the afternoon) on weekdays on these streets.

The full text of this law can be viewed on the website or copies can be obtained at the Town Clerk's office during regular hours, Mon-Fri, 8:30 AM to 4:30 PM, in June, July and August until 4:00 PM, at 740 W. Boston Post Road, Mamaroneck, NY.

PLEASE TAKE FURTHER NOTICE that at the Public Hearing all persons interested will be given an opportunity to be heard and that all persons are invited to submit written comments at or prior thereto.

BY ORDER OF THE TOWN BOARD OF THE TOWN OF MAMARONECK
CHRISTINA BATTALIA
TOWN CLERK
Published: January 13, 2017

Local Law No. -2017

This local law shall be known as the "Restriction on Parking on Thompson Street and a Section of Laurel Avenue" Law.

BE IT ENACTED by the Town Board of the Town of Mamaroneck

Section 1—Purpose:
Commuters continue to park on Thompson Street and Laurel Avenue to the detriment of the neighborhood. To relieve that intrusion upon the peace and tranquility of the residents, the Town Board has decided to prohibit parking for two hours per day (one hour in the morning and one hour in the afternoon) on weekdays on these streets.

Section 2—Regulation of Parking on Thompson Street:
(a) No motor vehicle shall be parked on the east side of Thompson Street between the hours of 10:00 AM and 11:00 AM (prevailing time) on Mondays, Tuesdays, Wednesdays, Thursdays and Fridays of each week.
(b) No motor vehicle shall be parked on the west side of Thompson Street between the hours of 2:00 PM and 3:00 PM (prevailing time) on Mondays, Tuesdays, Wednesdays, Thursdays and Fridays of each week.

Section 3—Regulation of Parking on a Section of Laurel Avenue:
(a) No motor vehicle shall be parked on the north side of Laurel Avenue from its commencement at Thompson Street to its dead end between the hours of 10:00 AM and 11:00 AM (prevailing time) on Mondays, Tuesdays, Wednesdays, Thursdays and Fridays of each week.
(b) No motor vehicle shall be parked on the south side of Laurel Avenue from its commencement at Thompson Street to its dead end between the hours of 2:00 PM and 3:00 PM (prevailing time) on Mondays, Tuesdays, Wednesdays, Thursdays and Fridays of each week.

Section 4—Holidays excluded:
This law shall not apply on holidays.

Section 5—Sign(s) to be Erected and Painting to be Done:
An appropriate sign or signs shall be erected on and/or above, and/or striping shall be painted on the surfaces of Thompson Street and Laurel Avenue indicating where and when parking is prohibited by this law.
Section 6 - Severability: Should any provision of this Local Law be declared invalid or unconstitutional by any court of competent jurisdiction, such declaration of unconstitutionality or invalidity shall not affect any other provisions of this Local Law, which may be implemented without the invalid or unconstitutional provisions.

Section 7 - Effective Date: This Local Law shall become effective upon filing with the Secretary of State.

January 6, 2017

Town of Mamaroneck
From: Tony Siligato - Town Comptroller
Re: Fire Claims
Date: January 18, 2017

The following Town of Mamaroneck Fire Department claims have been certified by Chief Noah Goldberg & Paul Tortorella and submitted to the Comptroller's Office for payment:

VENDOR | DESCRIPTION | AMOUNT
AAA Emergency Supply Co. | RIT-Replacement, Akron-Mercury Quick Attack Monitor, 2.5" Gate Valve, Hydrotest/Rechg. | $4,122.00
Amazon | Aquastick & Genuine Hum, Nike men's Dri-Fit | $258.05
AT&T Mobility | Wireless Service 11/12/16-12/11/16 | $362.28
Arbom Printing & Graphics | Business Cards-Shaun Hughes | $75.00
Brady, Melissa | Sew on 2 Patches, purchase flag patch | $6.56
Brewers | BRZ STL Hose hanger, Halo bulb, Foam tape | $28.74
Cablevision | Cable Services for 12/23/16-1/22/16 | $212.70
Con Edison | Fire HQ Gas Svc 11/30-12/30/16 | $772.40
DiMuro Awards LLC | Jade acrylic, laser engraving | $130.05
Galls, LLC | TEK3 Female 4 pocket trousers | $54.99
Goosetown Communications | USB program Cable, DMR Port Prog Cable, Battery Impres NiMh 2100 mAh, Programming of Radios, Pagers | $858.24
Granger | Building Supplies | $488.56
KVI Uniforms & Equipment | Career Staff Uniforms | $2,426.25
Nick Bruno Electrical, LLC | Supply & install a Led Spot light on rear side exterior of the building | $1,475.00
NYS Association of Fire Chiefs | 2017 Yearly Dues | $175.00
OSP Fire Protection | Inspection Fire System | $175.00
Physio-Control, Inc. | LP 500 Battery | $260.69
Proftech LLC | Paper, Office Supplies | $253.10
Ready Refresh | Rental for Water Coolers at FD HQ 11/19-12/18/16 | $114.96
Sound Shore Pest | Exterminating Services on 12/27/16 | $65.00
SG Fire Protection | Kitchen hood cleaning | $350.00
Town of Mam'k Fire Dept. | Special Fast Drill, Special OSHA Drill Supplies 12/22 & 12/14/16 | $603.80
Tony's Nursery Inc. | Fertilizer | $59.98
Uni First Corp. | Cleaning supplies for building 12/16, 12/23, 12/30/16 | $250.95
United Overhead Door Corp | Repair overhead door, adjust clutch, reset door | $340.57
Verizon | Fire HQ Svc 12/10-1/09/17 | $237.32
Villa Maria Pizza | Food For Fast Drill 12/27/16 | $134.56
V F I S | LOSAP-LIFE Insurance Renewal 1/1/17-12/31/17 | $48,969.76
Westch Joint Water Works | 205 Weaver ST Chgs 9/1-12/1/16 | $403.87
Total: $63,665.38

TOWN OF MAMARONECK TOWN BOARD REGULAR MEETING
WEDNESDAY, JANUARY 18, 2017

RESOLUTION DESIGNATING AN INFORMATION SECURITY OFFICER

WHEREAS, pursuant to NYS Information Security Breach Act of 2005, NYS General Business Law section 899aa, NYS Cyber Security Policy P03-002, the Town of Mamaroneck Security Policy and PCI Compliance Assessment Questionnaire D Attestation of Compliance for Merchants, the Town of Mamaroneck is required to designate an Information Security Officer to be responsible for the security of all electronic information;

NOW, THEREFORE, BE IT RESOLVED, that the Town Board of the Town of Mamaroneck hereby designates Rosalind Cimino as Information Security Officer.
Town of Mamaroneck
Town Center
740 West Boston Post Road, Mamaroneck, NY 10543-3353
OFFICE OF THE TOWN ADMINISTRATOR
TEL: 914/381-7810 FAX: 914/381-7809
townadministrator@townofmamaroneck.org

Memorandum
To: Supervisor and Town Board
Re: Report of Bids-Contract TA-13-16 Furnishing of Police Uniforms
Date: January 13, 2017

On December 13, 2016 the Town publicly opened and read bids for the above referenced contract. The scope of this contract requires the successful bidder to furnish police uniform items in accordance with the Town's bid specifications. The bid notice was published in the Journal News and bid specifications were issued to two vendors; however, only one vendor responded with a proposal. Potential bidders were asked to bid on a two year contract for the years 2017 and 2018.

The one and only bid received was submitted by New England Uniform of Danbury, CT. New England Uniform is the current vendor providing uniforms to the Town Police Department. Below is a table showing the bid for 2017 and 2018 including a comparison with 2015 and 2016. The bid price is calculated by taking the sum of the unit prices for the most commonly purchased uniform items including: trousers, shirts, sweaters, jackets and hats.

 | 2015 | 2016 | 2017 | 2018
Total Uniform Price per Officer | $503.48 | $503.48 | $540.98 | $544.98

The price bid is the first increase since December of 2014. New England Uniform's performance for contract compliance has been excellent.

ACTION REQUESTED: THAT THE TOWN BOARD ACCEPT THE BID SUBMITTED BY NEW ENGLAND UNIFORMS ON DECEMBER 13, 2016 TO PROVIDE POLICE UNIFORMS FOR THE YEARS 2017 AND 2018 AND THAT THE TOWN ADMINISTRATOR BE AUTHORIZED TO EXECUTE A CONTRACT WITH NEW ENGLAND UNIFORMS

Stephen V. Altieri
Town Administrator

January 24, 2017

Mr. Norman Asmar
New England Uniform LLC
356 Main Street
Danbury, CT 06810

Re: Town of Mamaroneck Contract TA-16-13 Furnish Police Uniforms

Dear Mr. Asmar:

This letter is to advise you that the Town Board of the Town of Mamaroneck, at its meeting of January 18, 2017, awarded the above-referenced contract to your company in accordance with your bid submitted on December 13, 2016.

Please find enclosed two copies of the articles of agreement which are to be executed and returned to my office within ten days of receipt. Please contact Exec. Lt. Robert Koziak of the Town Police Department regarding implementation of this contract.

Sincerely,
Stephen V. Altieri
Town Administrator

SVA/glf
cc: Exec. Lt. Robert Koziak
Anthony Siligato

TOWN OF MAMARONECK
WESTCHESTER COUNTY, NEW YORK
PROPOSAL FOR CONTRACT [contract number not legible in scan]
FURNISHING OF POLICE UNIFORMS

To The Members of the Town Board
Of the Town of Mamaroneck
Mamaroneck, New York 10543

Gentlemen/Ladies:

The undersigned as bidder, declares that the only persons interested in this proposal, or the contract proposed to be made, as principals are as stated; that he/she has carefully examined the information to bidders and the specifications pertaining thereto; and proposes and agrees, if this proposal is accepted that he/she will enter into a contract with the Town of Mamaroneck to furnish the services specified in the manner and within the time prescribed for the following price:

FURNISHING OF POLICE UNIFORMS - UNIT PRICES (2017 and 2018)
TROUSERS
EIGHT POINT POLICE HAT
DARK BLUE SHIRTS (two entries)
WHITE SHIRTS (two entries)
BLOUSE
SWEATER
TOTAL
[Handwritten unit prices for 2017 and 2018 not legible in scan]

DATE: December 13, 2016
NAME OF COMPANY: New England Uniform Company LLC
ADDRESS: 356 Main Street, Danbury, CT 06810-5838
[Signature, printed name and title, and phone number not legible in scan]

Town of Mamaroneck
Town Center
740 West Boston Post Road, Mamaroneck, NY 10543-3353
Christina Battalia, Town Clerk
TEL: 914/381-7870 FAX: 914/381-7813
cbattalia@townofmamaroneck.org

DATE: January 3, 2017
MEMO TO: Town Supervisor, Town Administrator and Assistant Town Administrator
MEMO FROM: Christina Battalia - Town Clerk
SUBJECT: Agenda Item for January 9, 2017 Town Board Meeting - Retirement Reporting for Elected and Appointed Officials - Laura DeMuro

As required the Board should approve the required resolution for NYS Retirement Reporting for Elected and Appointed Officials, for Laura DeMuro. Laura DeMuro has completed her three month log, and I have prepared a resolution for Town Board approval. There are no other appointed or elected officials who need to recertify at this time.
Christina

Attachments

Standard Work Day and Reporting Resolution

On motion of ________, seconded by ________, it was

RESOLVED, that the Mamaroneck Town Board hereby establishes the following as a standard work day for a newly appointed official and reports the following days worked to the New York State and Local Employees' Retirement System based on the record of activities maintained and submitted by this individual, and recertified where applicable, to the Town Clerk of this body:

Title | Name | Social Security Number (last 4 digits) | Registration Number | Standard Work Day | Term Begins/Ends | Participates In Employer's Time Keeping System (Y/N) | Days/Month (based on record of activities)
Deputy Town Clerk | Laura DeMuro | | | 7 | * 6/1/2016 thru 12/31/2019 | N | 18.73

* Term set forth as per direction of NYS Retirement System and established for purposes of this report ONLY.

The above resolution was put to a roll call vote:
Murphy: Aye
Elkind Eney: Aye
Katz: Aye
Odierna: Aye
Seligson: Aye

On ________, 2017, I, Christina Battalia, Clerk of the Board of the Town of Mamaroneck, of the State of New York, do hereby certify that I have compared the foregoing with the original resolution passed by the Mamaroneck Town Board on January 9, 2017, on file as part of the Minutes of such meeting, and that same is a true copy thereof and the whole of such original. I further certify that the full Board consists of five (5) members, and that five (5) of such members were present at such meeting and five (5) of such members voted in favor of the above resolution.

IN WITNESS WHEREOF, I have hereunto set my hand and the Seal of the Town of Mamaroneck.

Christina Battalia, Mamaroneck Town Clerk
Town of Mamaroneck, Office of the Town Administrator

TO: Stephen Altieri, Town Administrator; Nancy Seligson, Town Supervisor; Town Board Members
FROM: Connie Green O'Donnell, Assistant Town Administrator
DATE: January 13, 2017
SUBJECT: Salary Schedule for Part-time, Seasonal & Part-time Availability Employees

The enclosed Part-time, Seasonal and Part-time Availability Salary Schedule reflects the 2017 salary ranges for the Civil Service job titles listed. The salary ranges indicated were used in formulating the 2017 Town Budget that was adopted in December.

Town Board authorization is required in order to continue the practice of hiring part-time, seasonal and part-time availability employees without having to obtain individual approval from the Town Board during the calendar year, provided the salary is within the range specified for the respective job title.

ACTION REQUESTED: That the Town Board approve the 2017 Part-time, Seasonal and Part-time Availability Salary Schedule.
Town of Mamaroneck
2017 Part-time, Seasonal & Part-time Availability Salary Schedule

Hommocks Day Camp
Director: $8,000 - $12,500/season
Assistant Director: $4,600 - $7,500/season
Unit Leaders: $2,800 - $6,700/season
Specialist/EMT: $2,200 - $5,600/season
Counselor/Lifeguard: $1,500 - $4,000/season
Custodian: $1,000 - $4,000/season

Hommocks Day Camp Breakfast Club & Extended Day
Director: $1,000 - $3,500/season
Specialist: $800 - $1,400/season
Counselor: $1,200 - $1,600/season

Camp Monroe
Director: $4,000 - $5,800/season
Assistant Director: $2,800 - $4,200/season
Unit Leader: $1,500 - $3,200/season
Specialist/EMT: $1,500 - $4,500/season
Counselor: $1,000 - $3,500/season

Pre School Camp & Extended Day
Director: $3,800 - $5,800/season
Assistant Director: $2,600 - $4,200/season
Unit Leader: $1,200 - $3,200/season
Specialist/EMT: $1,200 - $4,500/season
Counselor: $800 - $3,000/season

Hommocks Pool
Manager/CPO: $16.00 - $30.00/hr.
Lifeguard: $7.75 - $16.00/hr.
Key Attendant: $7.50 - $16.00/hr.
Swim Instructor: $12.00 - $60.00/hr.
Early Morning Swim Lifeguard: $25.00 - $30.00/session
Matron/Custodian: $14.00 - $18.00/hr.
Head Coach: $9,000 - $12,000/season
Assistant Coach: $2,100 - $6,000/season
Diving Coach: $4,500 - $7,000/season
Aqua Jog/Aqua Zumba Instructor: $50.00 - $80.00/session

Program Instructors
Kayak Instructor: $15.00 - $30.00/hr.
Paddleboard Instructor: $50.00 - $85.00/hr.
Cooking Instructor: $45.00 - $55.00/hr.
Dance Instructor: $50.00 - $75.00/hr.
Art Instructor: $50.00 - $75.00/hr.
Music/Movement Instructor: $50.00 - $75.00/hr.
Fashion/Sewing/Beading Instructor: $70.00 - $120.00/hr.
Fencing Instructor: $15.00 - $60.00/hr.
Fitness Instructor: $50.00 - $75.00/hr.
Volleyball Instructor: $40.00 - $80.00/hr.
Men's Basketball Instructor: $40.00 - $80.00/hr.
Ice Hockey Instructor: $8.00 - $30.00/hr.
Ice Hockey Director: $40.00 - $75.00/hr.

Ice Rink
Alternate Manager: $16.00 - $30.00/hr.
Recreation Supervisor: $20.00 - $25.00/hr.
Cashier: $14.00 - $20.00/hr.
Custodian: $14.00 - $20.00/hr.
Skate Guard: $9.00 - $14.00/hr.
Skate Room Attendant: $9.00 - $14.00/hr.
Floor Changeover: $20.00 - $40.00/hr.

Skating School
Skating School Director: $17,000 - $20,000/season
Skating School Instructor: $8.00 - $21.00/hr.

Concerts
Crossing Guard: $60.00 - $70.00/event

Memorial Park
Park Attendant: $12.00 - $16.00/hr.

Senior Center
Recreation Attendant: $15.00 - $16.00/hr.
Food Service Helper: $9.00 - $10.00/hr.
Bus Driver: $13.00 - $18.00/hr.

Ambulance District
Paramedic: $31.00 - $35.00/hr.
EMT: $18.00 - $22.00/hr.

Police Department
Parking Enforcement Officer: $20.00 - $25.00/hr.
School Crossing Guard: $60.00 - $65.00/day

Court
Court Attendant: $35.00 - $38.00/hr.

Building Department
Assistant Building Inspector: $60.00 - $65.00/hr.

Miscellaneous
Intermediate Account Clerk: $12.00 - $35.00/hr.
Intermediate Clerk: $12.00 - $40.00/hr.
Office Assistant: $10.00 - $25.00/hr.
Laborer: $10.00 - $30.00/hr.

AFFAIRS OF THE TOWN ITEM 6

TOWN OF MAMARONECK TOWN BOARD REGULAR MEETING
WEDNESDAY, JANUARY 18, 2017

Resolution Declaring Surplus Computer Equipment

WHEREAS, pursuant to NYS Information Security Breach Act of 2005, NYS General Business Law section 899aa, NYS Cyber Security Policy P03-002 and PCI Compliance Assessment Questionnaire D Attestation of Compliance for Merchants, the Town of Mamaroneck is required to designate an Information Security Officer to be responsible for the security of all electronic information; and

WHEREAS, the Town of Mamaroneck Town Board has determined that these items, which are listed on the attached schedule should be disposed of accordingly, either by sale or by payment by the Town for disposal or by other means of disposal available to the Town.

NOW, THEREFORE, BE IT RESOLVED, that the Town Board of the Town of Mamaroneck hereby authorizes the disposal of its outdated computers through the Town's Sanitation's services for disposal into Westchester County's E-Waste Recycling Program.

NOW, THEREFORE, BE IT FURTHER RESOLVED, that all physical hard drives will be removed and disposed of as per NYS Cyber Security Policy P03-002 and the Town of Mamaroneck Security Policy to protect the Town's information assets.