The URL can be used to link to this page

Home My WebLink About2017_06_21 Town Board Meeting PacketTOWN OF MAMARONECK TOWN BOARD AGENDA WEDNESDAY JUNE 21, 2017 THE TOWN BOARD WILL CONVENE - AT S:OOPM, IN CONFERENCE ROOM A TO DISCUSS 1. Discussion - Amended Cyber Security Policy 2. Discussion - Local Law - Revisions to Building Permit Fee Schedules 3. Update - LMC -TV Headquarters 4. Update - Clean Energy Community 5. Update - Gardens Lake 6. New Business 7. Request for Executive Session 8:OOPM CALL TO ORDER - COURTROOM PRESENTATION - REUSABLE BAG INITIATIVE VIDEO PRESENTATION PUBLIC HEARINGS -1. Amendment to the Discharge Compliance Certificate Law to Eliminate Inspections by Plumbers Law 2. Sewer District Bond SUPERVISOR'S REPORT CITIZEN COMMENTS BOARD OF FIRE COMMISSIONERS 1. Fire Claims 2. Other Fire Department Business AFFAIRS OF THE TOWN OF MAMARONECK 1. Adoption - Amended Cyber Security Policy 2. Consideration - Stipulation of Settlement - CSEA Bargaining Unit 3. Authorization - Appointment of Town Engineer 4. Salary Authorization - Highway Department 5. Authorization - Amendment to Hommocks Pool Concession Agreement 6. Authorization -Transfer of Funds - Workers Compensation Settlement 7. Authorization - Westchester County/Federal Senior Citizen Transportation Agreement 8. Consideration of Certiorari APPROVAL OF MINUTES- May 3, 2017, May 17, 2017 & June 7, 2017 REPORTS OF THE COUNCIL TOWN CLERK'S REPORT NEXT REGULARLY SCHEDULED MEETING - Monday July 17, 2017 Any physically handicapped person needing special assistance in order to attend the meeting should contact the Town Administrator's office at 381-7810 TOWN BOARD MEETING-WORKSESSION AGENDA WEDNESDAY, JUNE 21, 2017 5:OOpm Mamaroneck Town Center -Conference Room A 1. Discussion - Amended Cyber Security Policy (See Attachment). 2. Discussion - Local Law- Revisions to Building Permit Fee Schedules (See Attachment). 3. Update - LMCTV Headquarters (See Attachment). 4. Update - Clean Energy Community (No Attachment). 5. Update - Gardens Lake (See Attachment). 6. New Business 7. Request for Executive Session ` WORKSESSION ITEM 1 col \'y4 TOWN OF MAMARONECK NEW YORK CYBER SECURITY POLICY Adopted January 18, 2017 Draft 06/21/17 Table of Contents Introduction 4 Definitions 6 Data Classification 10 Policy Areas: Acceptable Use 12 Account Management 13 Administrative and Special Access 14 Asset Management 15 Back Up 17 Community Services Information Resources 18 Court Information Resources 19 Credit Card Processing 19 Email 21 File Transfer Protocol (FTP) 22 Fire District Information Technology and Resources 23 Information Management and Security 23 Incident Management 25 Internet 26 Intrusion Detection and Network Access 27 Maintenance Windows 27 Mobile Device Acceptable Use Policy 28 Network Configuration 30 Password 31 Physical Access 33 Police Department Information Technology and Resources 34 Portable Computing 35 Privacy 34 Public Access Wi-Fi 36 Public Access Workstation 36 Secure Use of Social Media 36 Security Monitoring 39 Security Policy Standards 41 2 Security Training 41 Server Hardening 42 Software Licensing 42 Support Hours 43 Surveillance and Camera Systems 43 System Development 45 Vendor Access 45 Virus Protection 47 Town of Mamaroneck Public Access Wi-Fi Terms of Service Policy 48 Town of Mamaroneck Information and Security Notification Breach Policy 50 Violation Notice 54 References 55 Acknowledgement 57 Appendix "A" - Server and Facility Information Access Form Appendix "B" - Periodic Operational Security Procedures 3 INTRODUCTION The Town of Mamaroneck is a medium sized local government with 8 remote sites and over 150 users, 140 workstations, 58 software applications, 19 servers and a complex network environment. This Security Policy is a mechanism used to establish the limits and expectations for the users of the Town of Mamaroneck, New York computer network and provides the baseline for implementing security controls to reduce both vulnerabilities and risk. Internal users should have no expectation of privacy with respect to Information Technology. The purpose of the Town of Mamaroneck, New York Security Policy is to clearly communicate the Town's information security expectations to Town employees, Officials and consultants who use Town equipment and access the Town network. This Policy applies equally to all individuals who use any Town of Mamaroneck, New York Information Resources (IR). Electronic files created, sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of the Town of Mamaroneck are the property of the Town of Mamaroneck. This Security Policy supersedes all other Town Computer Use policies and is supported by the following Security Policy Standards: 1) IT Security controls must not be bypassed or disabled. 2) Security awareness of personnel must be continually emphasized, reinforced, updated and validated. 3) All personnel are responsible for managing their use of IR and are accountable for their actions relating to IT security. 4) Passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), and other computer systems security procedures and devices shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the Town Administrator and/or Information Security Officer. 5) Access to, change to, and use of IR must be strictly secured. Information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service. 6) The use of IT must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as but not limited to; email, web browsing and other electronic discussion tools. The use of these electronic communications tools may be monitored to fulfill compliance or investigative requirements. 7) Departments responsible for the custody and operation of computers shall be responsible for proper authorization of IR utilization, the establishment of effective use, and reporting of performance issues to the IT Department. 8) Any data used in an IR system must be kept confidential and secure by the user. The fact that the data may be stored electronically does not change the requirement to keep the information confidential and secure. Rather, the type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore, if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured according to the New York State Archives directives. 9) Personnel are also equally responsible for reporting any suspected or confirmed violations of this policy to the Town Administrator and/or IT Director. 10) On termination of the relationship with the Town, users must surrender all property and IR managed by the Town. All security policies for IR apply to and remain in force in the event of a terminated relationship until such surrender is made. Further, this policy survives the terminated relationship. 4 11) The owner must communicate to the IT Director, the intent to acquire any computer hardware or to purchase or computer software. The costs of acquisitions, development and operation of computer hardware and applications must be part of the IT Department budget adopted by the Town Board and authorized by the Town Administrator. 12) The department which requests and authorizes a computer application must take the appropriate steps to ensure the integrity and security of all programs and data files created by or acquired for computer applications. To ensure a proper segregation of duties, Administrative responsibilities cannot be delegated to the users. 13) The Town network is owned by the Town of Mamaroneck and controlled by the IT Department. 14) Approval must be obtained from the IT Department before connecting a device that does not comply with published guidelines to the network. 15) The IT Department reserves the right to remove any network device that does not comply with standards or is not considered to be adequately secure. 16) The sale or release of computer programs or data, including email lists and departmental telephone directories, to other persons or organizations must comply with all Town legal and fiscal policies and procedures. 17) The integrity of general use software, utilities, operating systems, networks, and respective data files are the responsibility of the IT Department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the data. 18) All changes to IR systems, networks, programs or data must be approved by the IT Department to preserve its integrity. 19) Individual departments must provide adequate access controls in order to monitor systems to protect data and programs from misuse in accordance with the reporting any suspected or confirmed violations of this policy to the appropriate management. 20) All departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data for which they are responsible, and ensure through the use of monitoring systems, that the Town is protected from damage, monetary or otherwise. The IT Department must have appropriate backup and contingency plans for disaster recovery and business continuity based on risk assessment and Town business requirements. 21) All computer systems contracts, leases, licenses, consulting arrangements or other agreements must be authorized by the IT Director and signed by the Town Administrator. These arrangements must contain terms approved as to form by the Town's Legal counsel, advising vendors of Town's IR retained proprietary rights and acquired rights with respect to its information systems, programs, and data requirements for computer systems security, including data maintenance and return. 22) IR computer systems and/or associated equipment used for Town business that is conducted and managed outside of Town control must meet Security Policy requirements and be subject to monitoring. 23) External access to and from IR must meet appropriate published Town security guidelines. 24) All commercial software used on computer systems must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. Personnel must abide by all license agreements and must not illegally copy licensed software. The IT Department reserves the right to remove any unlicensed software from any computer system. 5 Definitions: Abuse of Privilege: When a user willfully performs an action prohibited by organizational policy or law, even if technical controls are insufficient to prevent the user from performing the action. Application Software: A program or group of programs designed for end users. Application software can be divided into two general classes: systems software and applications software. Systems software consists of low-level programs that interact with the computer at a very basic level. This includes operating systems, compilers, and utilities for managing computer resources. Applied Computer Systems: Both hardware and software, and often including networking and telecommunications, usually in the context of a business or other enterprise. Often this is the name of the part of an enterprise that deals with all things electronic. Backup: Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash. Bare Metal Backups: A bare metal backup is a type of backup process that backs up the full software configuration from a specific system in addition to the data that is stored within software applications. Grandfather -Father -Son Backup: A Grandfather -father -son backup refers to a common rotation scheme for backup media. In this scheme there are three backup cycles, daily, weekly and monthly. The daily backups are rotated on a daily basis using a FIFO system. The weekly backups are similarly rotated on a weekly basis, and the monthly backup on a monthly basis. In addition, annual backups are also separately retained. Custodian: Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. For mainframe applications, The IT Department is the custodian; for micro and mini applications, the owner or user may retain custodial responsibilities. Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another. Electronic mail (email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system. E-mail: Abbreviation for electronic mail, which consists of messages sent over any electronic media by a communications application. File Transfer Protocol (FTP): Standard network protocol used to transfer computer files between a client and server on a computer network. FTP is built on a client -server model architecture and uses separate control and data connections between the client and the server. Information: Any and all data, regardless of form, that is created, contained in, or processed by, Information Resources facilities, communications networks, or storage media. Information Management (IM): The manipulation, re -organization, analysis, graphing, charting, and presentation of data for specific management and decision-making purposes. Information Resource (IR): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. Information Technology (IT): Includes all matters concerned with the furtherance of computer science and technology and with the design, development, installation, and implementation of information systems and applications. IT Asset: Any Town-owned information, system or hardware that is used in the course of business activities. IT Director: Responsible to the Town Administrator for administering the information security functions within the Town. The IT Director is the Town's internal and external point of contact for all information security matters. Information Security Officer (ISO): Separate from the position of IT Director, the ISO is responsible for the health and security of all Town information collected and stored in electronic format. The ISO and Town Administrator are the Town's internal and external point of contact for all information security matters. Internet: A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges. The Internet is the present "information superhighway." Intranet: A private network for communications and sharing of information that, like the Internet, is based on TCP/IP, but is accessible only to authorized users within an organization. An organization's intranet is usually protected from external access by a firewall. Light's Out Server Room: a room that contains a number of servers under lock and key and kept in the dark that under normal operation is not entered by human administrators, and all operations in the room are automated. The computers in a lights out server room typically are controlled by the use of KVM switches to help ensure the security of the locked room. Local Area Network (LAN): A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates. Malware: An abbreviated term meaning "malicious software." This is software that is specifically designed to gain access or damage a computer without the knowledge of the owner. There are various types of malware including spyware, keyloggers, true viruses, worms, or any type of malicious code that infiltrates a computer. Generally, software is considered malware based on the intent of the creator rather than its actual features. NAS: Networked Area Storage Device usually used to house onsite data backups. 7 Offsite Storage: Based on data criticality, offsite storage should be in a geographically different location from the Town Hall that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location at Town Hall may be appropriate. Owner: The manager or agent responsible for the function which is supported by the resource, the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments. Password: A string of characters which serves as authentication of a person's identity, which may be used to grant, or deny, access to private or shared data. PCI DSS: Payment Card Industry-Data Security Standard is a global data security standard that governs any business, including local governments that accept credit cards and stores, processes and/or transmits credit card data. Periodic Operational Security Procedure Form: A form completed by the IT Department at specific intervals to document the monitoring and review of logs, policies and procedures. Portable Computing Devices: Any easily portable device that is capable of receiving and/or transmitting data to and from IR. These include, but are not limited to, notebook computers, handheld computers, PDAs, pagers, and cell/smart phones. Ransomware: Malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key. Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm. Security Incident: In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent. Server: A computer program that provides services to other computer programs in the same or another computer. A computer running a server program is frequently referred to as a server though it may also be running other client (and server) programs. Server Information and Facility Information Access Form: A form completed by Human Resources and Department Heads that dictates the access and security level of employees specific to each department. The access controls on the form are set up by IT staff. Social Media Sites: Web-based publishing and communications technologies, such as all Town websites, Facebook sites and Twitter feeds. They are called "social" because they are designed for creating dynamic human networks and exchanging user-generated text and rich media, such as audio and video. They are among the most widely used technologies on the Internet. Strong Passwords: A strong password is a password that is not easily guessed. It is normally constructed of a sequence of characters, numbers, and special characters, depending on the capabilities of the operating system. 8 Typically, the longer the password the stronger it is. It should never be a name, dictionary word in any language, an acronym, a proper name, a number, or be linked to any personal information about you such as a birth date, social security number, and so on. System Development Life Cycle (SDLC): a set of procedures to guide the development of production application software and data items. A typical SDLC includes design, development, maintenance, quality assurance and acceptance testing. Town Calendar: Lists all approved meetings and events and is maintained by the Town Clerk. Trojan horse: Destructive programs—usually viruses or worms—that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on a diskette, often from another unknowing victim, or may be urged to download a file from a Web site or bulletin board. User: An individual or automated application or process that is authorized access to the resource by the owner, in accordance with the owner's procedures and rules. Vendor: Someone who exchanges goods or services for money. Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allow users to generate macros. Webserver: A computer that delivers (serves up) web pages. Web page: A document on the World Wide Web. Every Web page is identified by a unique URL (Uniform Resource Locator). Website: A location on the World Wide Web, accessed by typing its address (URL) into a Web browser. A Web site always includes a home page and may contain additional documents or pages. Wide Area Network (WAN): A wide area network (WAN) is a network that exists over a large-scale geographical area. A WAN connects different smaller networks, including local area networks (LAN). World Wide Web: A system of Internet hosts that supports documents formatted in HTML (Hypertext Markup Language) which contains links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Netscape Navigator, and Microsoft Internet Explorer. Worm: A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network using otherwise unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners, and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all. 9 Data Classification: Data Classification provides a framework for managing data assets based on value and associated risks and for applying the appropriate levels of protection as required by New York State and federal law as well as proprietary, ethical, operational, and privacy considerations. All Town data, whether electronic or printed, should be classified as per the Town Records Management law and New York State Records Management and Retention Schedule MU1. Data collected and stored by various departments may fall under HIPPA, NYS OCA Criminal Records and NYS OCA Administrative Records, etc. Consistent use of data classification reinforces with users the expected level of protection of Town data assets in accordance with this policy. Purpose: The purpose of Data Classification is to provide a foundation for the development and implementation of necessary security controls to protect information according to its value and/or risk. Security standards, which define these security controls and requirements, may include: document marking/labeling, release procedures, privacy, transmission requirements, printing protection, computer display protections, storage requirements, destruction methods, physical security requirements, access controls, backup requirements, transport procedures, encryption requirements, and incident reporting procedures. Data Classification practices apply equally to all individuals who use or handle any Town Information Resource. Data shall be classified as follows: SENSITIVE: This classification applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and_completeness. Sensitive information might include organization financial transactions and regulatory actions such as data that may be subject to disclosure or release under the New York Freedom of Information Act, but requires additional levels of protection. • Examples of"Town-Sensitive" data may include but are not limited to: • Town operational information • Town personnel records • Town information security procedures • Town internal communications CONFIDENTIAL: This classification applies to the most sensitive business information that is intended strictly for use within the organization. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations. Its unauthorized disclosure could seriously and adversely impact the Town and/or its residents, For example, Birth and Death Certificates and related information should be considered at least CONFIDENTIAL. Examples of "Confidential" data may include but are not limited to: 10 • Personally Identifiable Information, such as: a name in combination with Social Security Number (SSN) and/or financial account numbers • Intellectual Property, such as: Copyrights, Patents and Trade Secrets PRIVATE: This classification applies to personal information that is intended for use within the Town of Mamaroneck offices. Its unauthorized disclosure could seriously and adversely impact the Town and/or its employees. PUBLIC: This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to impact seriously or adversely the Town, its employees, and/or its residents. 11 POLICY AREAS: Acceptable Use: Under the provisions of the New York State Cyber Security Policy P03-002, Information Resources are strategic assets of Government Agencies including Local Governments that must be managed as valuable resources. Thus this policy is established to achieve the following: • To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources. • To establish prudent and acceptable practices regarding the use of information resources. • To educate individuals who may use information resources with respect to their responsibilities associated with such use. This policy area applies equally to all individuals granted access privileges to any Town Information Resources. The purpose of this policy is to outline the acceptable use of computer equipment at the Town of Mamaroneck municipal offices and facilities. These rules are in place to protect the employees and the Town of Mamaroneck. Inappropriate use exposes the Town to risks including virus attacks, compromise of network systems and services, and legal issues. Electronic files created, sent, received, or stored on Information Resources owned, leased administered, or otherwise under the custody and control of the IT Department are the property of the Town of Mamaroneck. Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of the Town are not private and may be accessed by the IT Department at any time without knowledge of the Information Resources user or owner. Electronic file content may be accessed by appropriate personnel for maintenance purposes and with the authorization of the IT Director or Town Administrator in the event of security related matters. • Users must report any weaknesses in Town computer security, any incidents of possible misuse or violation of this agreement to the proper authorities by contacting the IT Department. • Users must not attempt to access any data or programs contained on Town systems for which they do not have authorization or explicit consent. • Users must not divulge Dial-up or Dial-back modem phone numbers to anyone. • Users must not share their Town account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes. • Users must not make unauthorized copies of copyrighted software. • Users must not use non-standard shareware or freeware software without IT Department approval. • Users must not purposely engage in activity that may: harass, threaten or abuse others; degrade the performance of Information Resources; deprive an authorized Town user access to a Town resource; obtain extra resources beyond those allocated or circumvent Town computer security measures. • Users must not download, install or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, Town users must not run password cracking programs, packet sniffers, port scanners or any other non-approved programs on Town Information Resources. 12 • Town Information Resources must not be used for personal benefit. • Users must not intentionally access, create, store or transmit material which the Town may deem to be offensive, indecent or obscene. • Access to the Internet from a Town owned, home based, computer must adhere to all the same policies that apply to use from within Town facilities. Employees must not allow family members or other non-employees to access Town computer systems. • Users must not otherwise engage in acts against the aims and purposes of the Town as specified in its governing documents or in rules, regulations and procedures adopted from time to time. • As a convenience to the Town user community, incidental use of Information Resources is permitted. The following restrictions apply: ❖ Incidental personal use of electronic mail, internet access, fax machines, printers, copiers, and so on, is restricted to Town approved users; it does not extend to family members or other acquaintances. ❖ Incidental use must not result in direct costs to the Town. ❖ Incidental use must not interfere with the normal performance of an employee's work duties. ❖ No files or documents may be sent or received that may cause legal action against, or embarrassment to the Town. ❖ Storage of personal email messages, voice messages, files and documents within the Town's Information Resources must be nominal. ❖ All messages, files and documents - including personal messages, files and documents - located on Town Information Resources are owned by the Town, may be subject to open records requests, and may be accessed in accordance with this policy. Account Management: Computer accounts are the means used to grant access to the Town's Information Technology. These accounts provide a means of providing accountability, a key to any computer security program for IT usage. This means that creating, controlling, and monitoring all computer accounts is extremely important to an overall security program. The purpose of this policy area is to establish the rules for the creation, monitoring, control and removal of user accounts and applies equally to all individuals with authorized access to any Town Information Resource. • All accounts created must have an associated request and approval that is appropriate for the Town's system or service. • All users must sign the Town of Mamaroneck Cyber Security policy acknowledgement before access is given to an account. • All accounts must be uniquely identifiable using the assigned user name. • All default passwords for accounts must be constructed in accordance with this Security Policy. • All accounts must have a password expiration that complies with this policy. • Accounts of individuals on extended leave (more than 30 days) will be disabled. • All new user accounts that have not been accessed within 30 days of creation will be disabled. • IT Department Personnel: •.• Are responsible for removing the accounts of individuals that change roles within the Town or are separated from their relationship with the Town. 13 • Must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes. o Must have a documented process for periodically reviewing existing accounts for validity. .• Are subject to independent audit review by the Town Administrator. • Must provide a list of accounts for the systems they administer when requested by the Town Administrator. • Must cooperate with the IT Director and/or Town Administrator when investigating security incidents. Administrative/Special Access: Technical support staff and others designated by the Mamaroneck Town Administrator may have special access account privilege requirements compared to typical or everyday users. The fact that these administrative and special access accounts have a higher level of access means that granting, controlling and monitoring these accounts is extremely important to an overall security program. The purpose of the policy area is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege and applies equally to all individuals that have, or may require, special access privilege to any Town information resources. • The IT Department must keep a list of user access account privileges for software connected to the Town network; • All users must sign the Town of Mamaroneck Cyber Security policy acknowledgement before access is given to an account; • All users of Administrative/Special access accounts must have account management instructions, documentation, training, and authorization; • Each individual that uses Administrative/Special access accounts must refrain from abuse of privilege and must only do investigations under the direction of the IT Director and/or Town Administrator; • Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate with work being performed (i.e., user account vs. network administrator); • Each account used for administrative/special access must meet this Cyber Security policy; - • The password for a shared administrative/special access account must change when an individual with the password leaves the department or Town or upon a change in the vendor personnel assigned to the Town contract; • In the case where a system has only one IT Director there must be a password escrow procedure in place so that someone other than the IT Director can gain access to the admin account in an emergency situation; • When Special Access accounts are needed for Internal or External Audit, software development, software installation, or other defined need, they: must be authorized by the IT Director 14 .• must be created with a specific expiration date .• must be removed when work is complete Asset Management: Information technology (IT) asset management provides for policies, procedures, and guidelines for lifecycle management of the Town of Mamaroneck's IT assets from standards and acquisition to installations, management and surplus. The purpose of this policy area is to establish the rules for the creation, monitoring, control and removal of Town IT Assets and applies • equally to all individuals with authorized access to any Town Information Resource. The Town uses information technology (IT) to assist Town departments and Boards in conducting official Town business by following the rules set forth below: Policy Mandates: • The IT Department is responsible for the management of IT assets and lifecycle processes, including standards, acquisition, management, surplus and long-range planning. • Consistency in technology allows the development of efficient and cost-effective methods for supporting and managing the technology environment and in planning for upgrades, migrations, staff training and future technology installations. Long-range planning for information technology changes shall include business as well as technical input. • IT acquired for or on behalf of the Town is owned by the Town of Mamaroneck. • IT equipment is assigned to the position, not the individual and remains with the position if the individual terminates employment or is transferred to another position. If a position is abolished, IT equipment will be returned to IT Department inventory. • IT equipment will be used within the Town as long as practicable. • Employees who violate or otherwise abuse the provisions of this policy may be subject to disciplinary action, up to and including dismissal. Acquisitions: • Acquisition of all information technology for the Town is the responsibility of the IT Department as approved in the adopted budget by the Town Board. • Acquisition of IT shall follow the Purchasing Policy. Purchases, contracts, amendments, and renewals will be processed through the IT Department for approval by the Town Administrator. • Approvals for acquisition are based on availability of funds as determined by the Comptroller, conformance to IT standards, and solution match for department need. • All IT acquired for or on behalf of the Town or developed by IT Department employees or contract personnel on behalf of the Town are and shall be deemed Town of Mamaroneck property. Standards: • A standard, basic technical infrastructure will be established for the Town. It will be defined and managed by the IT Department and will include the network and the desktop. • Desktop IT consists of standard hardware and software configurations and images (excluding test computers). • The IT Department is responsible for: Establishing hardware and software standards for any IT product. .• Reviewing requests for new, amended, or replacement IT standards. New-to-Town IT will be assessed by IT Department staff for compatibility with and impact on other Town IT components, as appropriate. 15 .• Using department-wide business and technical needs in determining approval of new, amended or replacement standards. • Establishing standard software configurations and desktop images. These standards shall automate business rules where possible (e.g. use of screen saver password protection). .• New IT policy and standard decisions shall have formal plans for implementation. Equipment Management: • The Town of Mamaroneck will control its IT assets to comply with State policies and regulations, as well as applicable licensing and copyright laws. • The IT Department is responsible for tracking Town-owned software and hardware, including licenses, through an inventory control system. Software inventory records and reports shall be available for audit at any time. Installations of Software and Hardware: • The Town shall maintain an IT environment whereby installations and configurations are centrally managed through the IT Department. • Only Town designated standard software, hardware, or approved exception shall be installed. • Software, hardware or approved exception must be Town owned or licensed. All software without required licenses will be removed from the desktops/laptops. • The Town IT Director shall authorize installations of software, hardware, or approved exception. • Installation of business-related, no cost software (i.e. Adobe Acrobat Reader or browser- required applications) shall be approved through the IT Department. These types of software shall be evaluated through the standards and exception to standards procedures. • User-supplied software shall not be installed or executed on Town-owned computers. Do not install or connect non-Town hardware to a Town of Mamaroneck network. • Unauthorized duplication of licensed software is a violation of this policy and a violation of copyright laws. • All excess IT equipment within the Town shall be the responsibility of the IT Department to reuse or surplus as determined by the IT Department. First priority for redeployment requests within the Town shall be by IT Department determination. • The IT Department shall delete all data and applications, exclusive of the operating system, from all excess IT equipment prior to re-deployment or placing in spare inventory, loans or surplus. • The IT Department shall be responsible for delivery of equipment to the identified re- deployment work site. • The IT Department shall store spare IT equipment in a designated reserve location for use as needed. Exceptions: • The Town Board is responsible for reviewing and approving exceptions to IT policies. • The Town Administrator may grant exceptions to this policy under extraordinary circumstances. Requests for exceptions must be made in writing to the IT department stating the business need and unique circumstances requiring an exception. • The Town Administrator and the IT Director will evaluate and determine if the requested exception can be reasonably resolved through technology within the confines of the Town technology environment and the security of the Town network. 16 • For granted exceptions, the requester must establish with the IT Department a plan for technical support, training, and maintenance. The plan shall be developed prior to purchase or implementation of non-standard technology. • Exceptions shall be considered provisional and can be superseded any time a Town standard is determined. If a broader need is determined at the time of an exception request, then a Town standard will be established. • Upon granting an exception regarding access to or connection with the Town local or wide area network, a written agreement between the requester and IT Department must be developed stating the conditions of access, security, technical support and maintenance. IT Equipment Loans: • Only spare IT equipment that is no longer under warranty is eligible for loan to Town partners or associates. Loaned IT equipment is allowed in situations where the Town Administrator determines that the loan to a partner or associate will fulfill the Towns' mission or goals. Loan of equipment will comply with policies, rules, regulations and laws governing State or Town owned IT equipment. • Conditions of each loan shall include but are not limited to the following: •: The IT Department shall delete all data and applications, exclusive of operating system, residing on loan IT equipment. ❖ Loan IT equipment shall remain on Town IT asset and inventory records. ❖ The IT Department is responsible for completion of a loan agreement with the user • The user of the loan IT equipment shall be responsible for any physical damage or loss, ordinary wear and tear excepted, regardless of fault. :• The IT Department is not responsible for maintenance or repair of loan IT equipment, including hardware, software or connectivity. Surplus: • The IT Department shall delete all data and applications, exclusive of operating system, residing on surplus IT equipment. The IT Department shall process the surplus IT equipment and obtain a certified Town Board Resolution for all equipment surplus. Back Up: Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors. The purpose of this policy area is to establish the rules for the backup and storage of electronic Town information and applies to all individuals within the Town that are responsible for the installation and support of Information Resources and individuals charged with Information Security. The IT Department may have existing contracts for offsite backup data storage. These services can be extended to all Town entities upon request. • The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the Town. • The Town Information Resources backup and recovery process for each system must be documented and periodically reviewed. • The vendor(s) providing offsite backup storage for the Town must be cleared to handle the highest level of information stored. 17 • Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest Town of Mamaroneck sensitivity level of information stored. • A process must be implemented to verify the success of the Town electronic information backup. • Backups must be periodically tested to ensure that they are recoverable. • Contracts held by the offsite backup storage vendor(s) for access to the Town backup media must be reviewed annually or when an authorized individual leaves the Town. • Procedures between the Town and the offsite backup storage vendor(s) must be reviewed at least annually. • All Off-site back up contracts must be approved by the New York State Commissioner of Education pursuant to section 185.9 of the Regulations of the Commissioner of Education. • Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system: .• System name • Creation Date .• Sensitivity Classification [Based on the New York State Records management MU-1 Schedule] Town of Mamaroneck Contact Information • The Town must have a backup plan in place that describes the type, method and frequency of backups. Back Up Plan: ■ Physical Data Backups - Onsite • GFS System Schema - backed up to Town network area storage devices. Bare Metal Backups - Onsite One time back up then incremental as software changes on servers. The bare metal drives are to be kept in the safe in the Comptroller's Office. Community Services Information Resources: The Town of Mamaroneck recognizes the unique circumstances that separate Mamaroneck Community Services/Public Housing Authority (PHA) from Town Information Resources. This policy area is established to ensure compliance with both Town and Federal regulations. Community Services/PHA hardware in the form of workstations, laptops, printers, scanners and monitors are used by Mamaroneck personnel and are authorized by this policy to be integrated with a dedicated server and other peripherals owned by the Town of Mamaroneck. Parameters dictating the use and maintenance of Community Services/PHA equipment are listed below: • All Mamaroneck Community Services/PHA software must be installed on a dedicated server and licensed in the name of the Town of Mamaroneck. 18 • The Electronic Content Management System (ECMS-Laserfiche) Community Services/PHA repository must be separated from the main Town database and installed on the dedicated server. • All department personnel user and department documents must be separated from the main Town database and installed on the dedicated server. • Daily back-ups of software, ECMS and department documents must be performed for security purposes and immediate file restoration. Laptops and other equipment issued to officials for remote access must be inventoried, configured and maintained as per this policy, is the property of the Town of Mamaroneck and must be submitted to the IT office periodically for Security Policy conformance. Court Information Resources: The Town of Mamaroneck recognizes the unique circumstances that separate Mamaroneck Court Information Resources from Town Information Resources. This policy area is established to ensure compliance with both Town and New York State Unified Court Information Resources. New York State Unified Court hardware in the form of workstations, laptops, printers, scanners and monitors are used by Mamaroneck Court Judges and personnel and are authorized by this policy to be integrated with the Town Court server and other peripherals owned by the Town of Mamaroneck. Parameters dictating the use and maintenance of Court equipment (both New York State and Town of Mamaroneck owned) are listed below: • All Mamaroneck Court software not preinstalled on NYS Court computers and used by the Mamaroneck Court should be installed on a dedicated Court server and licensed in the name of the Town of Mamaroneck. • The Electronic Content Management System (ECMS-Laserfiche) Court repository must be separated from the main Town database and installed on the dedicated Court server. • All Court personnel user and department documents should be separated from the main Town database and installed on the dedicated Court server. • Daily back-ups of Court software, ECMS and department documents must be performed for security purposes and immediate file restoration. • Laptops and other equipment issued to Court officials for remote access must be inventoried, configured and maintained as per this policy, is the property of the Town of Mamaroneck or the NYS Unified Court System and must be submitted to the IT office periodically for Security Policy conformance. Credit Card Processing — PCI Compliance: This policy area is established to ensure Payment Card Industry compliance. The purpose of this policy area is to inform local government officials on PCI standards and to establish procedures on how to secure credit card processing in the Town of Mamaroneck. Local Governments must comply with the PCI Data Security Standard PCI DSS 3.1 and validate compliance. Compliance (securing the credit card process) requires ongoing adherence to the standard and applies to every local government regardless of the transaction volume. Validation confirms local governments, service providers, payment applications and PIN entry devices are compliant with the standard. 19 The Town of Mamaroneck contracts with third party vendors and accepts credit cards for payments for transactions that are processed thru the Building Department, Court Office, Finance Department, Recreation Department and Town Clerk's Office only. Designated as a level 3D SQA validation type, an SAQ Assessment Validation Questionnaire must be performed annually by all local governments accepting credit card payments and reported to the merchant providing the credit card terminal. In order to comply with PCI Standards and to protect personal information, the following security tasks must be initiated and followed during the course of the year: • All suspected breaches of sensitive information must be reported to the Information Security Officer as per the Information and Security Notification Breach Policy. • Sensitive authorization data must be deleted upon completion of the authorization process. • The card verification code (three or four-digit number printed on the front or back of the payment card) is not stored after authorization. • The personal identification number (PIN) is not stored after authorization. • The primary account number (PAN) is masked when displayed on receipt (The first six or last four digits are the maximum numbers to be displayed. .• Access to credit card terminals and data to be determined by the Comptroller and Information Security Officer. • Specific payment card processing procedures must be outlined in the Town of Mamaroneck Credit Card policy. .• Privileged user IDs to be restricted to least privileges necessary to perform job responsibilities and assigned only to roles that specifically require that privileged access. • Vendor supplied default Admin PIN on terminals must be changed. .• All VOIDED transactions must be performed by authorities designated in Town of Mamaroneck Credit Card policy. • All REFUNDED transactions must be performed by authorities' designated Town of Mamaroneck Credit Card policy and initiated with detailed reasons for the cancelation. :• All Media is to be physically secured (including but not limited to credit card terminals, paper receipts, paper reports, etc. .• Media must be classified as sensitive data •:• All devices that capture payment card data via direct physical interaction with the card protected against tampering by: o Periodic inspection by the Mamaroneck IT Department for tampering or substitution of devices and must check device serial numbers to inventories serial numbers. o Employees are trained to be aware of suspicious behavior and tampering and to report such activities to the local authorities in conjunction with the Town Information Security Officer. • The credit card terminals make, model and serial number as well as location be added to the IT inventory list. 20 Email: This policy area is established to ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources. It establishes prudent and acceptable practices regarding the use of email and will educate individuals using email with respect to their responsibilities associated with such use. The purpose of this policy area is to establish the rules for the use of Town email for the sending, receiving or storing of electronic mail and applies equally to all individuals granted access privileges to any Town information resource with the capacity to send, receive or store electronic mail. The following activities are prohibited by this policy: • Sending email that is intimidating or harassing. • Using email for conducting personal business. • Using email for purposes of political lobbying or campaigning. • Violating copyright laws by inappropriately distributing protected works. • Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role. • The use of unauthorized e-mail software. • The following activities are prohibited because they impede the functioning of network communications and the efficient operations of electronic mail systems: o Sending or forwarding chain letters o Sending unsolicited messages to groups in excess of 35 email addresses outside of the Town domain o Sending excessively large messages o Sending or forwarding email that is likely to contain computer viruses • All user activity on Town Information Resource assets is subject to logging and review. All sensitive Town material transmitted over external network must be encrypted. Electronic mail users must not give the impression that they are representing, giving opinions or otherwise making statements on behalf of the Town or any department of the Town unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer will be included unless it is clear from the context that the author is not representing the Town. An example of a simple disclaimer is: "the opinions expressed are my own, and not necessarily those of my employer." Individuals must not send, forward or receive confidential or sensitive Town information through non -Town email accounts. Examples of non -Town email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, Opt online and email provided by other Internet Service Providers (ISP). The Town hosts an email encryption system and portal for all outgoing email messages. Although the encryption system is configured to automatically identify and encrypt outgoing email containing sensitive information, it is ultimately the user's responsibility to only send sensitive information via email when absolutely necessary and to make sure that all sensitive information is encrypted prior to sending an email. • The Town of Mamaroneck must comply with the Federal Anti -Spam Act of 2003. Town officials and employees with active email addresses must: 21 ❖ Refrain from sending same subject email to more than 10 recipients outside of the Town of Mamaroneck domain from their Outlook, Third party application (such as Blackberry Internet Service, IPhone or Android email services) or email server. ❖ All mass email communications sent on behalf of the Town must be sent through the Town's email marketing service and/or specific software applications for notification purposes. File Transfer Protocol (FTP): The Town has installed an encrypted FTP site in order to facilitate the distribution of large files to external entities for both anonymous and privileged accounts. The use of commercial and personal FTP sites such as Drop Box and One Drive are prohibited. FTP System Access and use of the FTP system varies depending on whether you are using the Anonymous system or if you have a privileged account. The Town of Mamaroneck reserves the right to audit log files whenever deemed necessary. Logging captures but is not limited to account information, login date and time, files transferred, and other prudent information. FTP Clients must be SSL compatible. FTPS is a reliable client with SSL compatibility and is required. Access to this site is as follows: Privileged FTP Accounts: • Access to the FTP site and password changes must be requested through the Town of Mamaroneck Help Desk. • Are assigned by the IT Director and should be used by an individual, not to a department and should not be shared. • Should not upload any executable, program codes or databases without prior approval from the IT Director. • Users will have access to their own "H" directory and each directory has upload only access. • Detection of illegal use or practices detrimental to the Town of Mamaroneck information resources or policies will result in the withdrawal of services to the individual determined to be at fault. • A user with a Privileged Account must upload their file to ftp:HftPs.TownofMamaroneckNY.org/Department. This folder is set to allow FTP uploads of files by any user with no limit set on file size. • Anonymous FTP Accounts - Access to use the system for public retrieval: o For anonymous access, there is a Public folder that contains a hierarchy of lower -level directories, all of which are accessible by any anonymous user. The public can download files from ftp://ftp.TownofMamaroneckNY.org/Public. o Files stored in the "Public" folder will be deleted by the system after 7 days from upload. o Files stored in Privileged accounts will be deleted by the system after 45 days from upload. 22 Fire District Information Technology and Resources: The Town of Mamaroneck Fire District is completely separated from the Town of Mamaroneck Domain and network infrastructure. The network and equipment located at the Fire District is owned by the Town of Mamaroneck. All network, hardware and software installations and configurations are performed by Fire District staff. Designated Staff must ensure that District networks, equipment and IR is in compliance with this policy. This policy area is established to ensure compliance with both Town and New York State Security Policies and the Town of Mamaroneck Computer Use Policy. Parameters dictating the use and maintenance of Fire District technology are listed below: • The Mamaroneck Board of Fire Commissioners officially designate the individual responsible for the operations and maintenance of all Town information resources as it relates to their information technology infrastructure. • The Town IT Department will provide the support necessary to assist with all network infrastructure and equipment at the Fire Districts request. • A master inventory listing of all computer equipment, printers, copiers, workstations, servers, routers, switches, laptops, tablets, email accounts and other peripheral devices must be submitted to the IT Director and updated as changes and replacements are made. • An inventory listing of all software and their licenses must be submitted to the IT Director and updated as changes and replacements are made. • All equipment and software purchased with Town funds and issued to Fire District staff is the property of the Town of Mamaroneck and must be purchased by the IT Director. Designated staff must configure and maintain all equipment and software as per this policy, and their records must be submitted to the IT office periodically for Security Policy conformance. The Town of Mamaroneck recognizes the unique environment with respect to the use of volunteer staff in order to perform its responsibilities. In order to secure Fire District information resources and to comply with this policy, a Public Access network must be created for volunteers using the Fire District network on personal devices. Information Management and Security: Functional Responsibilities of Town Information Management are distributed among all Town officials, employees and consultants accessing Town information resources. The purpose of this policy area is to establish responsibilities of those responsible for the health and safety of all Town electronic information. The Town of Mamaroneck Town Administrator is responsible for: %% Evaluating and accepting risk on behalf of the Town; %% Identifying Town security goals and integrating them into relevant processes; %% Supporting the consistent implementation of information security policies and standards; •% Supporting security within the Town through clear direction and demonstrated commitment of appropriate resources; s Promoting awareness of information security best practices through the regular dissemination of materials provided by the ISO; %% Implementing the process for determining information classification and categorization, based on industry recommended practices, State directives, and legal and regulatory requirements, to determine the appropriate levels of protection for that information; 23 • Determining who, within the Town, will be assigned and serve as information owners while maintaining ultimate responsibility for the confidentiality, integrity, and availability of the data; • Participating in the response to security incidents; .• Complying with notification requirements in the event of a breach of private information; .• Adhering to specific legal and regulatory requirements related to information security; • Communicating requirements of this policy and the associated standards, including the consequences of non-compliance, to the Town workforce and third parties, and addressing adherence in third party agreements. • The ISO is responsible for: •. Maintaining familiarity with Town business functions and requirements; f Maintaining an adequate level of current knowledge and proficiency in information security through annual Continuing Professional Education (CPE) credits directly related to information security; • Assessing Town compliance with information security policies and legal and regulatory information security requirements; • Evaluating information security risks and assisting the Town in understanding its information security risks and how to appropriately manage those risks; • Representing and assuring security architecture considerations are addressed; • Advising on security issues related to procurement of products and services; • Escalating security concerns that are not being adequately addressed according to the applicable reporting and escalation procedures; • Disseminating threat information to appropriate parties; .• Participating in the response to potential security incidents; + Promoting information security awareness. • The IT Director is responsible for: • Supporting security by providing clear direction and consideration of security controls in the data processing infrastructure and computing network(s) which support the information owners; • Providing resources needed to maintain a level of information security control consistent with this policy; • Identifying and implementing all processes, policies and controls relative to security requirements defined by the Town's business processes and this policy; .• Implementing the proper controls for information owned by the Town based on the Town's classification designations; • Providing training to appropriate technical staff on secure operations (e.g., secure coding, secure configuration); • Fostering the participation of information security and technical staff in protecting information assets, and in identifying, selecting and implementing appropriate and cost-effective security controls and procedures; and • Implementing business continuity and disaster recovery plans. • The Town workforce and consultants are responsible for: • Protecting Town information and resources; • Abiding by the Town's Cyber Security policy; and • Reporting suspected information security incidents or weaknesses to the appropriate manager and ISO. 24 Incident Management: The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some the actions that can be taken to reduce the risk and drive down the cost of security incidents. The purpose of this policy area is to establish the rules for the creation, monitoring, control and removal of user accounts and applies equally to all individuals with authorized access to any Town Information Resource. This section describes the requirements for dealing with computer security incidents. Security incidents include, but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Email, Internet, Acceptable Use Policy areas and apply equally to all individuals that use any Town Information Resources. • Required by New York State Town Law #899, The Town of Mamaroneck Information and Security Notification Breach Policy was adopted and is followed in conjunction with this policy area in the event of a Cyber Security incident; • Whenever a security incident, such as a virus, worm, hoax email, discovery of hacking tools, altered data, etc. is suspected or confirmed, the appropriate Incident Management procedures must be followed; • The Information Security Officer is responsible for notifying the Town Administrator and initiating the appropriate incident management action including restoration as defined in the Incident Management Procedures; • The Information Security Officer is responsible for determining the physical and electronic evidence to be gathered as part of the Incident Investigation; • The appropriate technical resources from the IT Department are responsible for monitoring that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized where possible; • The Information Security Officer will determine if a widespread Town communication is required, the content of the communication, and how best to distribute the communication; • The appropriate technical resources from the IT Department are responsible for communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability; • The Information Security Officer is responsible for initiating, completing, and documenting the incident investigation; • The Information Security Officer is responsible for reporting the incident to the: .• Town Administrator 4. Town Comptroller Local, state or federal law officials as required by applicable statutes and/or regulations 25 • The Information Security Officer is responsible for coordinating communications with outside organizations and law enforcement; • In the case where law enforcement is involved, the Information Security Officer will act as the liaison between law enforcement and the Town. Internet: This policy area applies equally to all individuals granted access to any Town Information Resource with the capacity to access the internet, the intranet or both and is established to achieve the following: • To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources. • To establish prudent and acceptable practices regarding the use of the internet. • To educate individuals who may use the internet, the intranet or both with respect to their responsibilities associated with such use. • Software for browsing the Internet is provided to authorized users for business and research use only. • All software used to access the Internet must be part of the Town's standard software suite or approved by the IT Department. This software must incorporate all vendor provided security patches. • All files downloaded from the Internet must be scanned for viruses using the approved IT Department distributed software suite and current virus detection software. • All software used to access the Internet shall be configured to use the firewall http proxy. • All sites accessed must comply with the Acceptable Use policy area in this document. • All user activity on Town Information Resources assets is subject to logging and review. • Content on all Town Web sites must comply with the Acceptable Use policy area in this policy. • No offensive or harassing material may be made available via Town Web sites. • Non-business related purchases made over the Internet are prohibited. Business related purchases are subject to Town procurement rules. • No personal commercial advertising may be made available via Town Web sites. • Town internet access may not be used for personal gain or non-Town personal solicitations. • No Town data will be made available via Town Web sites without ensuring that the material is available to only authorized individuals or groups. • All sensitive Town material transmitted over external networks must be encrypted. • Electronic files are subject to the same records retention rules that apply to other documents and must be retained in accordance with departmental records retention schedules. 26 Intrusion Detection and Network Access: The purpose of this policy area is to establish the rules for the access and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of Town information apply equally to all individuals with access to any Town Information Resource. The Town Network Access standards apply equally to all individuals with access to any Town Information Resource. • Users are permitted to use only those network addresses issued to them by the IT Department. • All remote access (dial in services) to the Town will be either through an approved modem pool or via an Internet Service Provider (ISP). • Remote users may connect to Town Information Resources only through an ISP and using protocols approved by the Town. • Users inside the Town firewall may not be connected to the Town network at the same time a modem is being used to connect to an external network. • Users must not extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point to the Town network without IT Department approval. • Users must not install network hardware or software that provides network services without IT department approval. • Non-Town computer systems that require network connectivity must conform to Town Information Security Standards. • Users must not download, install or run security programs or utilities that reveal weaknesses in the security of a system. For example, Town users must not run password cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the Town network infrastructure. • Users are not permitted to alter network hardware in any way Maintenance Windows: Servers, workstations, firewalls and operating systems require periodic updates. In addition, when issues present themselves, time in required to troubleshoot issues that may require systems to be rebooted. The Town of Mamaroneck IT Department recognizes department's need flexibility to scale their operations based on circumstances within individual departments and strives to provide system uptime for as many hours per day as possible. Critical security patches on servers and hardware network wide will be performed weekly as necessary within the designated maintenance window. Workstations will be updated every Wednesday and must be left powered on at the end of the business day on Wednesdays. Routine maintenance for updates and optional updates will be performed quarterly. Designated emergency and critical operational servers and applications require higher availability and therefore are maintained separately and coordinated and scheduled in advance with Department Heads. The purpose of this policy area is to set clear expectations of system availability while allowing for IT infrastructure to be maintained. 27 NON -EMERGENCY OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW: Monday - Friday: Saturday and Sunday: 9pm - 6am 6pm - 6am NON -EMERGENCY OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE: President's Day Weekend: Memorial Day Weekend: Labor Day Weekend: Friday, 9pm - Tuesday 6am Friday, 9pm - Tuesday 6am Friday, 9pm - Tuesday 6am Thanksgiving Weekend: Wednesday, 9pm - Monday 6am EMERGENCY OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW: Monday - Friday: 9am - 2pm EMERGENCY OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE: March 15th: June 15th: September 15th: December 151h: Beginning at 9am Beginning at 9am Beginning at 9am Beginning at 9am CRITICAL OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW: Monday - Friday: Saturday and Sunday: 9pm - 6am 6pm - 6am CRITICAL OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE: Second Wednesday of March: Beginning at 5pm Second Wednesday of June: Beginning at 5pm Second Wednesday of September: Beginning at 5pm Second Wednesday of December: Beginning at 5pm Mobile Device Acceptable Use Policy: The purpose of this policy area is to define standards, procedures, and restrictions for end users who have legitimate business uses for connecting a Town provided mobile device to the Town network. This mobile device policy area applies, but is not limited, to all devices and accompanying media that fit the following classifications: • Smartphones • Other mobile/cellular phones • Tablet computers • Portable media devices • Any mobile device capable of storing corporate data and connecting to a network 28 This this policy area is to protect the integrity of the confidential data that resides within the Town's technology infrastructure. This policy area intends to prevent data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it could potentially be accessed by unsanctioned resources. All users employing a mobile device connected to the Town of Mamaroneck network, and/or capable of backing up, storing, or otherwise accessing data of any type, must adhere to Town -defined processes for doing so. This policy area; • Applies to all Town employees, including full and part-time staff, contractors, interns, and other agents who use a mobile device to access, store, back up, or relocate any data. Such access to this confidential data is a privilege, not a right, and forms the basis of the trust that the Town of Mamaroneck has built with its employees, vendors, volunteers and other constituents. Consequently, employment at the Town of Mamaroneck does not automatically guarantee the initial or ongoing ability to use these devices to gain access to Town networks and information. • Addresses a range of threats to, or related to the use of, enterprise data; • Applies to the connectivity of all Town owned mobile devices will be centrally managed by the Town's Information Technology Department and may use authentication and strong encryption measures. Although Information Technology will directly manage portable devices, end users are expected to adhere to the same security protocols when connected to non -Town equipment. Failure to do so will result in immediate suspension of all network access privileges so as to protect the Town's infrastructure. It is the responsibility of the Individual who uses a mobile device to access Town resources to ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied here. It is imperative that any mobile device that is used to conduct Town business be utilized appropriately, responsibly, and ethically. Failure to do so will result in immediate suspension of that user's account. Based on this requirement, the following rules must be observed: All individuals assigned Town owned mobile devices attempting to connect to the Town network through the Internet will be inspected using technology centrally managed by Town's Information Technology department. Devices that are not owned and issued by the Town of Mamaroneck must not connect to the Town's secure wireless connections and must not download any data owned by the Town via email or other means. All individuals using Town issued mobile devices must employ reasonable physical security measures, and are expected to secure all such devices whether or not they are actually In use and/or being carried. This includes, but is not limited to, passwords, encryption, and physical control of such devices. Passwords and other confidential data as defined by the Data Classification Standards in this policy may not to be stored unencrypted on mobile devices. Any mobile device that is being used to store Town data must adhere to the authentication requirements as part of the Town's Mobile Device Management system. In the event of a lost or stolen mobile device, it is incumbent on the user to report the incident to the Information Technology Department immediately. The device will be remotely wiped of all data and locked to prevent access by anyone other than Information Technology. This action will restore the device to its factory default settings. If the device is recovered, it can be submitted to the IT Department for re -provisioning. The remote wipe will destroy all data on the device, whether it is related to Town business or personal. 29 In the event of a lost or stolen mobile device, it is incumbent on the user to report the incident to the Information Technology Department immediately. The device will be remotely wiped of all data and locked to prevent access by anyone other than Information Technology. This action will restore the device to its factory default settings. If the device is recovered, it can be submitted to the IT Department for re-provisioning. The remote wipe will destroy all data on the device, whether it is related to Town business or personal. Devices that are not owned and issued by the Town of Mamaroneck must not connect to the Town's secure wireless connections and must not download any data owned by the Town via email or other means. Town email may be installed on personal devices provided the following conditions are met: o Users that are not designated to process sensitive or classified information; o Users must obtain permission from the Information Security Officer; o Users must password protect their phone; o Users must understand that installing Town email on their personal device may subject that device to FOIL or subpoena. Network Configuration: The Town network infrastructure is provided as a central utility for all users of Town Information Resources. It is important that the infrastructure, which includes cabling and the associated equipment such as routers and switches, continues to develop with sufficient flexibility to meet user demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services. The purpose of this policy area is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability, and confidentiality of Town information applies equally to all individuals with access to any Town Information Resource. • The Town of Mamaroneck owns and is responsible for the Town network infrastructure and will continue to manage further developments and enhancements to this infrastructure; • To provide a consistent municipal network infrastructure capable of exploiting new networking developments, all cabling must be installed by a contractor approved by the IT Department; • All network connected equipment must be configured to a specification approved by IT Department; • All hardware connected to the Town network is subject to IT Department management and monitoring standards; • Changes to the configuration of active network management devices must not be made without the approval of the IT Department; • The Town network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by the IT Department; • The networking addresses for the supported protocols are allocated, registered and managed centrally by the IT Department; 30 • All connections of the network infrastructure to external third party networks are the responsibility of the IT Department. This includes connections to external telephone networks; • The use of departmental firewalls is not permitted without the written authorization from the IT Department; • Users must not extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point to the Town network without IT Department approval; • Users must not install network hardware or software that provides network services without IT Department approval; • Users are not permitted to alter network hardware in any way. Password: User authentication is a means to control who has access to an Information Resource system. Controlling the access is necessary for any Information Resource. Access gained by a non-authorized entity can cause loss of information confidentiality, integrity and availability that may result in loss of revenue, liability, loss of trust or embarrassment to the Town of Mamaroneck. The purpose of this policy area is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of the Town user authentication mechanisms and applies equally to all individuals who use any Town information resources. Three factors or a combination of these factors can be used to authenticate a user. Examples are: • Something you know - password, Personal Identification Number (PIN) • Something you have - Smartcard, Employee ID/Access Control keycard • Something you are - fingerprint, iris scan, voice • A combination of factors - Smartcard and a PIN • All passwords, including initial passwords, must be constructed and implemented according to the following IT Department rules: • It must be changed every 90 days • It must adhere to a minimum length as established by the IT Department 4. It must be a combination of alpha and numeric characters .• It must not be anything that can easily tied to the account owner such as: user name, social security number, nickname, relative's names, birth date, etc. .• Password history must be kept to prevent the reuse of a password • Stored passwords must be encrypted. • User account passwords must not be divulged to anyone. The IT Department and its contractors will not ask for user account passwords. • Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with the Town (if applicable). 31 • If the security of a password is in doubt, the password must be changed immediately. • IT Directors and IT staff must not circumvent this Policy for the sake of ease of use. • Users cannot circumvent password entry with auto logon, application remembering, embedded scripts or hardcoded passwords in client software. Exceptions may be made for specific applications (like automated backup, or when Windows Authentication is in use) with the approval of the IT Department. In order for an exception to be approved there must be a procedure to change the passwords. • • Computing devices must not be left unattended without enabling a password protected screensaver or logging off of the device. • Password Guidelines: • Passwords must have a minimum length of 8 alphanumeric characters. • Passwords must contain a mix of upper and lower case characters and have at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits. The special characters are (!@#$%^&*_+=?/N' ;:,<>I\). • Passwords must not be easy to guess and they: • Must not be your Username • Must not be your employee number • Must not be your name • Must not be the Town name • Must not be family member names • Must not be your nickname • Must not be your social security number • Must not be your birthday • Must not be your license plate number • Must not be your pet's name • Must not be your address • Must not be your phone number • Must not be the name of your town or city • Must not be the name of your department • Must not be street names 32 • Must not be makes or models of vehicles • Must not be obscenities • Must not be any information about you that is known or is easy to learn (favorite - food, color, sport, etc.) • Passwords must not be reused for 24 consecutive password changes • Passwords must not be shared with anyone • Passwords must be treated as confidential information • While the IT Director may request access to your data via proper channels, they may not request your password, nor should a user feel obliged to supply their password. • Tips for creating a strong password • Combine short, unrelated words with numbers or special characters. For example: eAt42peN • Make the password difficult to guess but easy to remember • Substitute numbers or special characters for letters. (But do not just substitute) For example: • livefish - is a bad password • LiveFish - is better and satisfies the rules, but setting a pattern of 1st letter capitalized, and i's substituted by l's can be guessed • I!v3f1Sh - is far better, the capitalization and substitution of characters is not predictable • IT Helpdesk password change procedures must include the following: • Authenticate the user to the helpdesk before changing password • Change to a strong password • The user must change password at first login • In the event passwords are found or discovered, the following steps must be taken: • Take control of the passwords and protect them • Report the discovery to the Town Help Desk :• Transfer the passwords to an authorized person as directed by the IT Department 33 • Access to the Server Room and IT Office must be granted only to Town support personnel, and contractors, whose job responsibilities require access to that facility; • The process for granting key and security code access to Information Technology facilities must include the approval from the IT Director and/or Town Administrator; • Access keys and codes must not be shared or loaned to others; • Access keys that are no longer required must be returned to the Building Superintendent. Keys must not be reallocated to another individual bypassing the return process; • Lost or stolen access keys must be reported to the IT Department; • The Server Room and IT office access log must be kept by the IT Department; • The IT Department must review access records for the Server Room and IT Office on a periodic basis and investigate any unusual access; • The IT Department must remove access rights of individuals that change roles within the Town or are separated from their relationship with the Town; • Visitors must be escorted in security code access controlled areas of Information Technology facilities; • The IT Department must review code access rights for the Server Room and IT Office on a periodic basis and remove access for individuals that no longer require access; • Signage for restricted access rooms and locations must be practical, yet minimal discernible evidence of the importance of the location should be displayed; Police Department Information Technology and Resources: The Town of Mamaroneck recognizes the unique circumstances that separate the Mamaroneck Police Department from Town Information Resources. This policy area is established to ensure compliance with Town, DCJS, eJustice, NYS Department of Corrections and FBI regulations. Town Police Department hardware in the form of workstations, laptops, printers, scanners and monitors are used by Mamaroneck personnel and are authorized by this policy to be integrated with a dedicated server and other peripherals owned by the Town of Mamaroneck. Parameters dictating the use and maintenance of Police Department equipment are listed below: All Mamaroneck Police Department software must be installed on a dedicated server and licensed in the name of the Town of Mamaroneck. The Electronic Content Management System (ELMS-Laserfiche) Mamaroneck Police Department repository must be separated from the main Town database and installed on the dedicated server. All department personnel user and department documents must be separated from the main Town database and installed on the dedicated server. Daily back-ups of software, ECMS and department documents must be performed for security purposes and immediate file restoration. Laptops and other equipment Issued to officials for remote access must be inventoried, configured and maintained as per this policy, is the property of the Town of Mamaroneck and must be submitted to the IT office periodically for Security Policy conformance. 34 Police Department Information Technology and Resources: The Town of Mamaroneck recognizes the unique circumstances that separate the Mamaroneck Police Department from Town Information Resources. This policy area is established to ensure compliance with Town, DCJS, eJustice, NYS Department of Corrections and FBI regulations. Town Police Department hardware in the form of workstations, laptops, printers, scanners and monitors are used by Mamaroneck personnel and are authorized by this policy to be integrated with a dedicated server and other peripherals owned by the Town of Mamaroneck. Parameters dictating the use and maintenance of Police Department equipment are listed below: • All Mamaroneck Police Department software must be installed on a dedicated server and licensed in the name of the Town of Mamaroneck. • The Electronic Content Management System (ECMS-Laserfiche) Mamaroneck Police Department repository must be separated from the main Town database and installed on the dedicated server. • All department personnel user and department documents must be separated from the main Town database and installed on the dedicated server. • Daily back-ups of software, ECMS and department documents must be performed for security purposes and immediate file restoration. Laptops and other equipment issued to officials for remote access must be inventoried, configured and maintained as per this policy, is the property of the Town of Mamaroneck and must be submitted to the IT office periodically for Security policy conformance. Portable Computing: Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices. The purpose of this policy area is to establish the rules for the use of mobile computing devices and their connection to the network. These rules are necessary to preserve the integrity, availability, and confidentiality of Town information and apply equally to all individuals that utilize Portable Computing devices and access Town Information Resources. • Only Town approved portable computing devices may be used to access Town Information Resources; • Portable computing devices must be password protected; • Town data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all sensitive Town data must be encrypted using approved encryption techniques; • Town data must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized; • All remote access to the Town of Mamaroneck network must be either through an approved modem pool or via an Internet Service Provider (ISP); 35 • Non-Town computer systems that require network connectivity must conform to Town IT Standards and must be approved in writing by the IT Department and the Town Administrator; • Access to Town IR from equipment not owned by the Town must be granted in advance via the Town's Log Me In account to a specific workstation or through a designated VPN connection via the Town's Radius server; • Unattended portable computing devices must be physically secure. This means they must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system. Privacy: Privacy Policies are mechanisms used to establish the limits and expectations for the users of the Town's Information Technology. Internal users should have no expectation of privacy with respect to Information Technology. External users should have the expectation of complete privacy, except in the case of suspected wrongdoing, with respect to Information Technology. The purpose of this policy area is to clearly communicate the Town's privacy expectations with respect to Information Technology users and applies equally to all individuals who use any Town Information Resource. • Electronic files created, sent, received, or stored on IT owned, leased, administered, or otherwise under the custody and control of the Town of Mamaroneck Domain are not private and may be accessed by the Town of Mamaroneck IT Department, with the permission of the Town IT Director or for general maintenance at any time without knowledge of the user. • To manage systems and enforce security, the Town of Mamaroneck may log, review and otherwise utilize any information stored on or passing through its IT systems in accordance with the provisions and safeguards provided in this Security Policy. For these same purposes, the Town of Mamaroneck may also capture user activity such as telephone numbers dialed and web sites visited. • A wide variety of third parties have entrusted their information to the Town of Mamaroneck to provide Municipal services to the public, and all employees, and elected and appointed officials at working on behalf of the Town of Mamaroneck be must do their best to safeguard the privacy and security of this information. The most important of these third parties is the individual customer; customer account data is accordingly confidential and access will be strictly limited based on Municipal need for access. • Users must report any weaknesses in the Town of Mamaroneck computer security, any incidents of possible misuse or violation of this agreement to the proper authorities and must comply with the Town of Mamaroneck Information and Security Breach Notification Policy. • Users must not attempt to access any data or programs contained on Town systems for which they do not have authorization or explicit consent. Public Access WiFi: The implementation of a Public WIFI account exists to assist its citizens with the ability to access information on their personal devices wirelessly from Town Hall. The purpose of this policy area is to document the security needed in order to protect the MAMARONECK internal network from outside unauthorized access. In order for a Public Access WIFI account to exist, the following security measures must be in place prior to account activation: 36 The access point must have a separate configuration from the MAMARONECK wired and wireless networks Users must accept the Town of Mamaroneck WI-FI Terms of Service and Acceptable Use Policy prior to connection Public Access Workstations: In the Town of Mamaroneck's continuing effort to allow its citizens access to government and organizational information, workstations will become available in the Assessor's Office, Building and Recreation Departments in 2017 and 2018. The purpose of this policy area is to define the use of Public Access Workstations and to document the security needed in order to protect the MAMARONECK internal network from outside unauthorized access. In order for a Public Access Workstation to exist, the following security measures must be in place prior to account activation: + The workstations are to be configured with minimal access to the Town network specific to applications appropriate for their intended use. :• Their purpose is for public access to selected government files, websites and information. • It is not intended for normal web browsing of sites not designated by the IT Department. :• Print capabilities have been disabled with access to print determined by the individual department. Secure Use of Social Media: Social media, as referred to here, are web-based publishing and communications technologies, such as blogging, social networking, Websites, forums, wikis, and file sharing. They are called "social" because they are designed for creating dynamic human networks and exchanging user-generated text and rich media, such as audio and video. They are among the most widely used technologies on the Internet. The purpose of this policy area is to provide best practices for the secure use of social media for collaboration and transparency in the Town of Mamaroneck Town government. Social media hold enormous power for collaboration and communication. Social media carry significant dangers ranging from accidental misuse to intentional criminal abuse. Risks to information and computer systems are significant. The use of social media is ever-changing and therefore the dangers and risks also vary. Information and systems security professionals must be both vigilant and creative in responding to the shifting risk environment. Cyber criminals target social media sites because they offer an effective means of propagating malicious code to a wide, unsuspecting audience. Sites that allow user-generated content are among the most active distributors of malicious content, such as worms that can shut down networks, or spyware and keystroke loggers that can compromise State data. Many postings to blogs, chat rooms and message boards are spam or contain malicious links. Since many links on social media sites are in the form of shortened or condensed URLs (e.g., TinyURL, Bit.ly), a user is unable to determine where these links lead, making it easy for criminals to direct an unsuspecting user to malicious sites. The false sense of a trusted community when visiting social media sites increases the likelihood that a user may fall victim to this type of threat. If an employee is using Town resources when this occurs (e.g., a work PC), these resources have an increased risk of becoming infected. 37 Many social media sites do not have adequate security controls to protect the information they are holding. For example, some sites do not require strong passwords, some transmit credentials in clear text and some use easily guessed "secret" or "challenge" questions. As a result, social media accounts are frequently compromised. If the same account credentials are used for both the external social media site and Town resources, this could lead to unauthorized access to Town information. By allowing access to externally hosted social media sites, an municipality may inadvertently bypass its own security controls. For example, external instant messaging and email services, which may be blocked within an agency because of security concerns, may be accessible through applications available on externally hosted social media sites. Inadvertent exposure of confidential Town information is another risk associated with the use of social media. The ease of posting all types of content (e.g., documents, photos, videos, audio recordings) to social media sites, coupled with the erroneous assumption of a trusted environment, may result in the disclosure of confidential Town information. Use of social media sites leads to a greater web presence, which in turn leads to a greater risk of spam and targeted phishing attacks. Some social media sites harvest information from email contact lists, which may put agency contact information in the hands of a third party with no knowledge of how that third party will use and/or protect that information. Information about a user's professional role in Town government, including Town email addresses, should not be included on personal profiles. With the wealth of information available on social media sites, hackers are using tools to correlate information into a detailed user profile which can then be used for targeted phishing and other social engineering attacks. Once information is posted on a social media site, it can be captured and used in ways not originally intended. It is nearly impossible to retract, as it often lives on in copies, archives, backups and memory cache. Some social media sites may claim to own the content posted on their site. It is important to note that the information conveyed on these sites could be considered a record as defined in the NYS Arts and Cultural Affairs Law. Mitigation of Risks The following recommendations are designed to limit, but will not eliminate, the security risks associated with the use of social media. Governance and Use: • Use of social media on behalf of a Municipality or access to social media from Town resources should be at the discretion of the Town Administrator and Town Board; • Authorize use of social media after a proper evaluation of risk and demonstration of a justified business need; • Develop policies to include social media and publicize these policies to users; 38 • Educate users on Town policies and the risks associated with social media as part of the Town's annual security awareness training; • Do not use the same passwords for social media sites as are used to access Town resources; • Classify Town data prior to posting per the Information Classification Standards in this policy; • Do not post any non-public Town records (e.g., documents, photos, videos, audio recordings) without following an established Town process, consistent with the town's policy on information security that includes documented approval from Town management; • Do not post any personal, private or sensitive (PPSI) information on social media sites; • Where possible, minimize the posting of information about one's role in Town government, including Town email addresses, on social media sites. Technological Controls: • URL and IP Filtering: This technology blocks certain websites, parts of websites, or IP addresses. This can help protect users who may be redirected to a known malicious site. In addition, for some social networking sites, using URL filters to block the login pages for all but those employees with a business need, allows for access to public information while preventing access to applications and messaging tools that may bypass the Town's security controls; • Malware Filtering at the Network Perimeter: This technology inspects traffic before it gets into an entity's network to ensure that it does not contain malware and blocks any malware that it finds; • Intrusion Detection/Intrusion Prevention Systems: This technology provides near real time monitoring and analysis of network activity for potential attacks in progress; • Data Loss Prevention: This technology is designed to detect and prevent the unauthorized use and transmission of confidential information. It should be used at both the desktop and the web gateway to monitor for and block outbound confidential data; • Browser with Restricted Privileges: If available, this feature ensures that the browser and its add-ons run with a minimal set of permissions preventing the installation of malicious code; To further protect Town hosted sites, as well as to protect Town resources used to access externally hosted social media (e.g., Facebook, YouTube, Twitter), the following controls must also be in place: • Protection against Malicious Code: Software and associated controls must be implemented across Town systems to prevent and detect the introduction of malicious code; • Software Maintenance: All known security patches must be reviewed, evaluated and appropriately applied in a timely manner to reduce the risk of security incidents; • Privileged Accounts Management: The issuance and use of privileged accounts must be restricted and controlled. Inappropriate use of these account privileges is a major contributing factor to system breaches. Processes must be developed and implemented to ensure that use of privileged accounts is monitored, and any suspected misuse of these accounts is promptly investigated. Passwords of privileged accounts must be changed more often than normal user accounts. 39 Security Monitoring: Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. The purpose of this policy area is to ensure that Information Resource security controls are in place, are effective, and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. This early identification can help to block the wrongdoing or vulnerability before harm can be done, or at least to minimize the potential impact. Other benefits include Audit Compliance, Service Level Monitoring, Performance Measuring, Limiting Liability, and Capacity Planning and applies to all individuals that are responsible for the installation of new Information Resources, the operations of existing Information Resources, and individuals charged with Information Resource Security. Monitoring consists of activities such as the review of: • Automated intrusion detection system logs • Firewall logs • User account logs • Network scanning logs • Application logs • Data backup recovery logs • Help desk logs • Other log and error files • Automated tools will provide real time notification of detected wrongdoing and vulnerability exploitation. Where possible a security baseline will be developed and the tools will report exceptions. These tools will be deployed to monitor: Internet traffic .• Electronic mail traffic • LAN traffic, protocols, and device inventory • Operating system security parameters • The following files will be checked for signs of wrongdoing and vulnerability exploitation at a frequency determined by risk: • Automated intrusion detection system logs • Firewall logs • User account logs .• Network scanning logs .• System error logs • Application logs 40 .• Data backup and recovery logs • Help desk trouble tickets •:• Telephone activity - Call Detail Reports • Network printer and fax logs • The following checks will be performed at least annually by assigned individuals: :• Password strength • Unauthorized network devices •• Unauthorized personal web servers •• Unsecured sharing of devices .• Unauthorized modem use .• Operating System and Software Licenses .• Any security issues discovered will be reported to the IT Director and Town Administrator for follow-up investigation. Security Policy Standards: This policy area applies to all information obtained, created, or maintained by the Town's Information Technology. These Policy Standards are based on the interpretation of New York State's Cyber Security Policy P03-002 and other reference material and apply equally to all personnel including, but not limited to employees, agents, consultants, volunteers, Elected and Appointed Officials and the personnel they supervise. Further, these Policy Standards apply to all information generated by the Town's Information Technology functions, through the time of its transfer to ownership external to the Town or its proper disposal/destruction. • Application of Policy Standards o The IT Department will protect the Information Resources assets of the Town of Mamaroneck in accordance with the New York State Cyber Security Policy P02-003 and as authorized by the Town Board. o Specifically, the Town will apply policies, procedures, practice standards, and guidelines to protect its IR functions from internal data or programming errors and from misuse by individuals within or outside the Town. • This is to protect the Town from the risk of compromising the integrity of state programs, violating individual rights to privacy and confidentiality, violating criminal law, or potentially endangering the public's safety. o All Town Information Resources security programs will be responsive and adaptable to changing technologies affecting Information Resources • Violations: o Any event that results in theft, loss, unauthorized use, disclosure, modification or destruction, or degraded or denied services of IR constitutes a breach of security and confidentiality. Violations may include, but are not limited to any act that: • exposes the Town to actual or potential monetary loss through the compromise of Information Resources security; 41 • involves the disclosure of sensitive or confidential information or the unauthorized use of Town data or resources; • Involves the use of Information Resources for personal gain, unethical, harmful, or illicit purposes, or results in public embarrassment to the Town. Security Training: Understanding the importance of computer security and individual responsibilities and accountability for computer security are paramount to achieving organization security goals. This can be accomplished with a combination of general computer security awareness training and targeted, product specific training. The philosophy of protection and specific security instructions needs to be taught to, and re-enforced with, computer users. The security awareness and training information needs to be continuously upgraded and reinforced. The purpose of this policy area is to describe the requirements to ensure each user of the Town's Information Resources receives adequate training on computer security issues and applies equally to all individuals that use any Town Information Resource. • All new users must attend an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any Town information resource. • All users must sign an acknowledgement stating they have read and understand the Town of Mamaroneck Cyber Security policy. • All users (employees, consultants, contractors, temporaries, etc.) must be provided with sufficient training and supporting reference materials to allow them to properly protect the Town's Information Technology. • All users must attend an annual computer security workshop given by the IT Department. • The IT Department must develop and maintain a communications process to be able to communicate new computer security program information, security bulletin information, and security items of interest. Server Hardening: Servers are depended upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service. The purpose of this policy area is to describe the requirements for installing a new server in a secure fashion and maintaining the security integrity of the server and application software and applies equally all individuals that are responsible for the installation of new IT computer systems, the operations of existing Information Technology, and individuals charged with Information Security. • A server must not be connected to the Town of Mamaroneck network until it is in a Town IT accredited secure state and the network connection is approved by Town's IT Department. • The Server Hardening Procedure provides the detailed information required to harden a server and must be implemented before use. Some of the general steps included in the Server Hardening Procedure include: Installing the operating system from an IT approved source 42 The purpose of this policy area is to establish the rules for licensed software use on Town Information Resources laws and applies equally to all individuals that use any Town Information Resources. • The Town of Mamaroneck provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. The IT department must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed in order to conduct official Town business. • Third party copyrighted information or software, that the Town does not have specific approval to store and/or use, must not be stored on Town systems or networks. The IT Department will remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s). • Third party software in the possession of the Town must not be copied unless such copying is consistent with relevant license agreements and prior management approval of such copying has been obtained, or copies are being made for contingency planning purposes. Support Hours: The Town of Mamaroneck IT Department provides 24/7 Desktop and User support via the Town's Help Desk system. Provided within the support process are varying levels of support ranging from basic user credit card processing and workstation troubleshooting to advanced network and systems troubleshooting. The process to alert a Technician is as follows: 1. Open a Help Desk ticket thru the Town's Service Desk Plus system. The alert is received by the Town's IT Director and Information Security Officer and is responded to within one hour. If the issue is deemed to be urgent (based on the priority levels below), the IT Director will either resolve the issue or submit it for escalation with the Towns IT Consultants. Urgency Levels: Emergency -AH Systems Down; Critical - Operational Impact - Credit Card processing issues, software applications critical to department functions such as Rec Trac, Municity, SEI Court, Impact, BEI and KVS not running; High Priority - User Impact - Password reset, email and website issues. Surveillance and Camera Systems: The primary purpose of utilizing security cameras in public areas is to deter crime and to assist law enforcement in enhancing the safety and security of members of the public and Town employees as well as to protect Town property. The primary use of security cameras will be to record video images for use by law enforcement and other Town officials charged with investigating alleged violations of law or Town policy. The purpose of this policy area is to provide guidelines for the use of security cameras on property owned by the Town in a way that enhances security and aids law enforcement while respecting the privacy expectations of the public utilizing Town facilities. Security Camera Purpose and Placement Guidelines • Video recording cameras will be used in public spaces of Town locations to discourage criminal activity. The recording of audio and video is restricted under the Electronic Communications Privacy Act and will not be used for any purpose other than in an investigation of a crime or claim against the Town. 43 • Cameras may be installed in outdoor and indoor places where individuals lack a reasonable expectation of privacy. Examples include public common areas of the Town facilities such as parking lots, entrances, seating areas, service desks, and areas prone to theft or misconduct, or areas where money is stored or handled. • Cameras will not be installed in areas of Town facilities where individuals have a reasonable expectation of privacy such as restrooms. • Signs will be posted at all entrances informing the public and staff that security cameras are in use. • Because cameras will not be continuously monitored, the public and staff should take appropriate precautions for their safety and for the security of their personal property. The Town of Mamaroneck is not responsible for loss of property or personal injury. • Regarding the placement and use of the digital recording cameras, staff and public safety is the first priority; protection of Town property is of secondary importance. Use/Disclosure of Video Records • Access to the archived footage in pursuit of documented incidents of injury, criminal activity or violation of the Town's Code of Conduct is restricted to the Town Administrator and Law Enforcement staff with the assistance from the IT Director. • All staff may have access to real-time images, viewable on desktop monitors. The frequency of viewing and the amount of video viewed will be limited to the minimum needed to give assurance that the system is working and to monitor live events. • Access is also allowed by law enforcement when pursuant to a subpoena, court order, or for matters of local law enforcement. • Recorded data is confidential and secured in a controlled area. Video recordings will be stored for 120 days, provided no criminal activity, notice of claim or policy violation has occurred or is being investigated pursuant to the New York State MU -1 Records Retention Policy • Video records and still photographs may be used by authorized individuals to identify those responsible for Town policy violations, criminal activity on Town property or actions considered disruptive to normal Town operations. Unauthorized Access and/or Disclosure • Confidentiality and privacy issues prohibit the general public from viewing security camera footage that contains personally identifying information. If the Town receives a request from the general public to inspect security camera footage, they will be advised to file a police complaint. • Any Town employee who becomes aware of any unauthorized disclosure of a video recording and/or a potential privacy breach has a responsibility to immediately inform the Town Administrator of the breach. 44 • Recorded data is confidential and secured in a controlled area. Video recordings will be stored for 120 days, provided no criminal activity, notice of claim or policy violation has occurred or is being investigated pursuant to the New York State MU-1 Records Retention Policy • Video records and still photographs may be used by authorized individuals to identify those responsible for Town policy violations, criminal activity on Town property or actions considered disruptive to normal Town operations. Unauthorized Access and/or Disclosure • Confidentiality and privacy issues prohibit the general public from viewing security camera footage that contains personally identifying information. If the Town receives a request from the general public to inspect security camera footage, they will be advised to file a police complaint. • Any Town employee who becomes aware of any unauthorized disclosure of a video recording and/or a potential privacy breach has a responsibility to immediately inform the Town Administrator of the breach. System Development: The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents, are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents. The purpose of this policy area is to describe the requirements for developing and/or implementing new software in the Town's Information Resources and applies equally to all individuals that use any Town Information Resources. • The IT Department is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) for the Town of Mamaroneck system software applications; • All software applications must have designated Owners and Custodians for the critical information they process. The IT Department must perform periodic risk assessments of the software to determine whether the controls employed are adequate; • All applications must have an access control system to restrict who can access the system as well as restrict the privileges available to these Users. The IT Department is the designated access control Administrator (who is not a regular User on the system in question) which must be assigned for all applications; • Where resources permit, there should be a separation between the administration, user access, and test environments. This will ensure that security is rigorously maintained for the application, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. Likewise, all application software testing must utilize sanitized information; • All application-program-based access paths other than the formal user access paths must be deleted or disabled before software is deployed to users. 45 Vendor Access: Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs, they correct software and operating systems problems, they can monitor and fine tune system performance, they can monitor hardware performance and errors; they can modify environmental systems, and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to the Town. The purpose of this policy area is to establish the rules for vendor access to Town Information Resources and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of Town information and applies to all individuals that are responsible for the installation of new Information Resources assets, and the operations and maintenance of existing Information Resources and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes. • Vendors must comply with all applicable Town policies, practice standards and agreements, including, but not limited to: :• Town of Mamaroneck Cyber Security policy :• Town of Mamaroneck Security and Information Breach Notification Policy a Software Licensing Policies • Vendor agreements and contracts must specify: + The Town information the vendor should have access to. • How Town information is to be protected by the vendor. a Acceptable methods for the return, destruction or disposal of Town information in the vendor's possession at the end of the contract. • The Vendor must only use Town information and Information Resources for the purpose of any agreement entered in to between the Town and vendor. • Any other Town information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others. • The Town will provide the IT Department as point of contact for the Vendor. The point of contact will work with the Vendor to make certain the Vendor is in compliance with these policies. • Vendor personnel must report all security incidents directly to the appropriate IT Department personnel. • If vendor management is involved in a Town security incident management the responsibilities and details must be specified in the contract. • Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by the IT Department. 46 • All vendor maintenance equipment on the Town network that connects to the outside world via the network, telephone line, or leased line, and all Town vendor accounts will remain disabled except when in use for authorized maintenance. • Vendor access must be uniquely identifiable and password management must comply with the Town's Password and Admin/Special Access policy areas. Vendor's major work activities must be entered into a log and available to the Town Administrator upon request. Logs must include, but are not limited to such events as personnel changes, password changes, project milestones, deliverables and arrival and departure times. • Upon departure of a vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to the Town or destroyed within 24 hours. • Upon termination of contract or at the request of the Town, the vendor will return or destroy all Town information and provide written certification of that return or destruction within 24 hours • Upon termination of contract or at the request of the Town the vendor must surrender all Town Identification badges, access cards, equipment and supplies immediately. Equipment and/or supplies to be retained by the vendor must be documented by authorized the IT Director. • Vendors are required to comply with all State and Town auditing requirements, including the auditing of the vendor's work. • All software used by the vendor in providing service to the Town must be properly inventoried and licensed. Virus Protection: The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents, are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents. The purpose of this policy area is to describe the requirements for dealing with computer virus, worm and Trojan horse prevention, detection and cleanup and applies equally to all individuals that use any Town Information Resources. • All workstations whether connected to the Town network, or standalone, must use the Town approved virus protection software and configuration; • The virus protection software must not be disabled or bypassed; • The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software; • The automatic update frequency of the virus protection software must not be altered to reduce the frequency of updates; • Each file server attached to the Town network must utilize IT Department approved virus protection software and setup to detect and clean viruses that may infect file shares; • Each E-mail gateway must utilize IT Department approved e-mail virus protection software and must adhere to the IT Department rules for the setup and use of this software; 47 • Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the Help Desk. 48 O 4 O w � m 2 n � x TOWN OF MAMARONECK, NEW YORK PUBLIC ACCESS WI-FI TERMS OF SERVICE AND ACCEPTABLE USE POLICY 49 Acknowledgement onscreen for any personal device assessing the Town of Mamaroneck Public Access Wi-Fi Connection: "Your use of Town of Mamaroneck NY WiFi is your acknowledgment that you have read and agreed to the following: Please read and accept the Town of Mamaroneck Wireless Access Disclaimer below, before making a wireless connection. This wireless network ("WiFi") is provided as a free internet connection by the Town of Mamaroneck, NY. This pubic WiFi "hotspot" is intended for the limited personal, non-commercial use of visitors/patrons at the Town Hall. In providing this free WiFi, the Town may restrict access to certain sites considered by the Town to be illegal, malicious or inappropriate, and will terminate your access to this service if you use it in violation of this Agreement, Town Policies or Town guidelines. The Town may revise this Agreement at any time and it is your responsibility to review it for any changes each time. The Town does not exercise control over the sites you may visit and products you may use while using this WiFi. You use this WiFi at your own risk. You agree that this WiFi may not be uninterrupted or error-free, viruses or other harmful applications may be available through this WiFi, the Town does not guarantee the security of this WiFI and unauthorized third parties may access your computer or files or monitor your connection. This WiFi is provided on an "as is", "as available" basis without warranties of any kind. By logging in to this WiFi, you accept these terms and conditions and agree your access to this WiFi is at your own risk, is at the sole discretion of the Town and may be monitored, suspended or terminated at any time for any reason, including but not limited to, violation of Town policies or internet use guidelines, violation of this Agreement, actions by you that may lead to liability for the Town, disruption by you of another's access to this WiFI, actions by you which violate the rights of the Town or of any third party, or actions by you which violate any federal, state, or local law. You also agree not to utilize this WiFi in any unauthorized manner to upload or download any copyrighted matter, in any format, nor to upload or download any pornographic, adult oriented, hate or spam matter, in any format. Town Devices that are connected to the Town's Server may not use/connect to this wireless connection." 50 0©1 ( ' . 2 n {OU, f , UIS 7. TOWN OF MAMARONECK, NEW YORK INFORMATION AND SECURITY NOTIFICATION BREACH POLICY 51 1. This policy is consistent with the State Technology Law, section 208 as added by Chapters 442 and 491 of the laws of 2005. This policy requires notification to impacted New York residents and non- residents. New York State and the Town of Mamaroneck value the protection of private information of individuals. The Town of Mamaroneck ("Town") is required to notify an individual when there has been or is reasonably believed to have been a compromise of the individual's private information in compliance with the Information Security Breach and Notification Act. 2. The Town, after consulting with the Town's Information Security Officer and the New York State Office of Cyber Security and Critical Infrastructure Coordination ("CSCIC") to determine the scope of the breach and restoration measures, shall notify an individual when it has been determined that there has been, or is reasonably believed to have been a compromise of private information through unauthorized disclosure. 3. A compromise of private information. Private information is defined by New York State as "Personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired: • Social Security number; or • Driver's license number or non-driver's identification card number; or • Account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account Private information does not include publicly available information that is lawfully made available to the general public from Federal, State, or local Government records." Private Information shall mean the unauthorized acquisition of unencrypted computerized data with private information. 4. If encrypted data is compromised along with the corresponding encryption key, the data shall be considered unencrypted and thus fall under the notification requirements. 5. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. In such case, notification will be delayed only as long as needed to determine that notification no longer compromises any investigations. 6. The Town will notify the affected individual. Such notice shall be directly provided to the affected persons by one of the following methods: • Written notice sent via First Class Mail; • Electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the Town who notifies affected persons in such form; • Telephone notification provided that a log of each such notification is kept by the Town who notifies affected persons; or • Substitute notice, if the Town demonstrates to the New York State Attorney General that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the Town does not have sufficient contact information. Substitute notice shall consist of all of the following: • E-mail notice when the Town has an e-mail address for the subject persons; • Conspicuous posting of the notice on the Town's web site page, if the Town maintains one; and • Notification to major statewide media. 52 7. The Town shall notify, CSCIC as to the timing, content and distribution of the notices and approximate number of affected persons. 8. The Town shall notify the New York State Attorney General and the New York State Consumer Protection Board, whenever notification to a New York resident is necessary, as to the timing, content and distribution of the notices and approximate number of affected persons. 9. Regardless of the method by which notice is provided, such notice shall include contact information for the Town making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information Personal Information and private information Private Information were, or are reasonably believed to have been, so acquired. 10. This Policy also applies to information maintained on behalf of the Town by a third party. 11. When more than five thousand New York residents are to be notified at one time, then the Town shall notify the consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of affected individuals. This notice, however, will be made without delaying notice to the individuals. 53 VIOLATION NOTICE: Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension. Additionally, individuals are subject to loss of Town Information Resources access privileges, and to civil and criminal prosecution. REFERENCES: National/ Federal Computer Fraud and Abuse Act of 1986 Computer Security Act of 1987 Copyright Act of 1976 Criminal Justice Information Services (CJIS) Security Policy Electronic Communication Privacy Act Family Education Rights and Privacy Act of 1974Foreign Corrupt Practices Act of 1977 Gramm -Leach -Bliley Act of 1999 HIPPA Information Security Policy Oregon Department of Human Resources Payment Card Industry Data Security Standard San Diego State University Sarbanes-Oxley Act of 2002 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Texas Department of Information Resources Trust Wave Security Policies Uniform Trade Secrets Act State New York State Division of Criminal Services Internet Privacy Policy New York State Office of Cyber Security NYS Arts and Cultural Affairs Act NYS Penal Law Article 156 54 VIOLATION NOTICE: Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension. Additionally, individuals are subject to loss of Town Information Resources access privileges, and to civil and criminal prosecution. REFERENCES: National/Federal Computer Fraud and Abuse Act of 1986 Computer Security Act of 1987 Copyright Act of 1976 Criminal Justice Information Services (CJIS) Security Policy Electronic Communication Privacy Act Family Education Rights and Privacy Act of 1974Foreign Corrupt Practices Act of 1977 Gramm-Leach-Bliley Act of 1999 HIPPA Information Security Policy Oregon Department of Human Resources Payment Card Industry Data Security Standard San Diego State University Sarbanes-Oxley Act of 2002 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Texas Department of Information Resources Trust Wave Security Policies Uniform Trade Secrets Act State New York State Division of Criminal Services Internet Privacy Policy New York State Office of Cyber Security NYS Arts and Cultural Affairs Act NYS Penal Law Article 156 55 Employee Acknowledgement: I have read and been informed about the content, requirements, and expectations of the Town of Mamaroneck Security and Computer Use Policies. I have received a copy of the policy and agree to abide by the policy guidelines as a condition of my employment and my continuing employment at the Town of Mamaroneck I have read the Town of Mamaroneck Security and Computer Use Policies carefully to ensure that I understand the policy before signing this document and will consult with the Town Information Security Officer if I have any questions. Employee Signature: Employee Printed Name: Date: Vendor and/or Consultant Acknowledgement: I have read and been informed about the content, requirements, and expectations of the Town of Mamaroneck Security and Computer Use Policies. I have received a copy of the policy and agree to abide by the policy guidelines as a condition of my business relationship with the Town. I have read the Town of Mamaroneck Security and Computer Use Policies carefully to ensure that I understand the policy before signing this document and will consult with the Town Information Security Officer if I have any questions. Business Name: Authorized Representative: Date: 56 APPENDICES APPENDIX A — SERVER AND FACILITY INFORMATION ACCESS FORM Town of Mamaroneck Access to Server Applications and Facilities TOWN OF MAMARONECK IT DEPARTMENT 740 W. BOSTON POST ROAD, MAMARONECK, NY 10543 Server Information Access Form User Regulations as Applied to a New Employee or Modified Employee Status This form must be completed any time there is a change to the status of an employee. The process is initiated in the Town Administrator's Office with the assistance of the IT Director. Once the preliminary information is completed, the form will then be sent for final approval from the Department Head. Please allow 2 business days for an employee's profile to be built in the system. To be completed by Human Resources: Date: Active Directory Modifications Employee Name: Server User ID: Department: Position: 58 New Active Directory Modifications Due To: Creation of New User ID: Leave of Absence/Disable User: Termination: Change of Position/Responsibilities: Document Sharing Capabilities: YES or NO ❖ To be Shared with: Authority within Documents: Move Location Read-Only Modify Lock Document Properties Create Shortcut New Location Delete Shortcut Disable User 59 Email Account Set-Up Email Account: @TownofMamaroneckNY Create Email Account: YES NO Delete Email Account: YES NO Suspend and Monitor Email Account: YES NO Mailbox location for Monitoring: Access to Department Shared Mailbox: Y N I authorize the IT Department to make the changes as per the attached parameters: Human Resources: Signature: Date: IT Department Use Only Date Configured: IT Personnel / Consultant Signature (if applicable): IT Director Signature: 1 SOFTWARE USER PERMISSION LEVEL STANDARD READ ONLY DISABLE DELETE POWER USER USER CONNECTION USER USER 550 DESKTOP ACNE DIRECTORY Al ALARM BILLING ARC GIS BAS FOIL BAS ONLINE TAX BAS TOWN CLERK BEI CALL RECORDING CIVIC PLUS WEBSITE COM PLUS FUELMASTER IMPACT HONEYWELL HVAC SYSTEM HOUSING PRO IP CAMERAS-ICE RINK IP CAMERAS- POLICE IP CAMERAS- SANITATION KVS KVS-PLAY KVS STANDARD 2 KVS STANDARD - PLAY LASERFICHE REPOSITORY- MAIN LASERFICHE REPOSITORY- SANDBOX LASERFICHE WORKFLOW LASERFICHE WORKFLOW- SANDBOX LASERFICHE ADMINISTRATION CONSOLE LASERFICHE FORMS LASERFICHE BUSINESS PROCESSES: Municity Building Municity Land Use Marriage Licenses Vital Records Highway/Engineering Police Parking Permits LIGHTPATH VoIP PHONE SYSTEM MUNICITY MUNICITY MOBILE NOVUS AGENDA RECTRAC/WEBTRAC/PAYTRAC RiCi POLICE BOOKING AND FINGERPRINT SYSTEM RTA FLEET MANAGEMENT SDG SEI COURT 3 SENTINEL STREEL LIGHT SYSTEM SERVICE DESK PLUS HELP DESK T2 SYSTEMS TOWN CENTER ACCESS CONTROLS TRACK SMART TIME KEEPING SOFTWARE IT INTERNAL SUPPORT APPS CCLEANNER CLOUD DESKTOP CENTRAL EXCHANGE 365 ADMIN MALWAREBYTES ENDPOINT MICROSOFT VOLUME LICENSING OP MANAGER SYMANTEC ENDPOINT SQL 2012 ZIX ENCRYPTION PORTAL VPN ACCESS FORM LOG ME IN ACCOUNT CISCO VPN CLIENT CISCO ANY CONNECT 4 EQUIPMENT ACCESS FORM DATE DATE ISSUED RETURNED SO LAPTOP TABLET DIGITAL CAMERA CELL PHONE BUILDING SECURITY ACCESS FORM DATE FACILITY DATE ISSUED RETURNED TOWN CENTER BUILDING MASTER KEY TOWN CENTER MAIN ACCESS TOWN ADMINISTRATORS OFFICES ASSESOR'S OFFICE BUILDING/HIGHWAY/ ENGINEERING OFFICE COMPTROLLER'S OFFICE COMMUNITY SERVICES OFFICE COURT OFFICES 5 COURT ROOM IT DIRECTOR'S OFFICE NETWORK/TELPHONE SWITCHROOMS POLICE DEPARTMENT RECREATION OFFICE TOWN CLERK'S OFFICE I authorize the IT Department to make the changes as per the attached parameters: Department Head: Signature: Date: IT Department Use Only Date Configured: IT Personnel/Consultant Signature (if applicable): IT Director Signature: 6 APPENDIX B - PERIODIC OPERATIONAL SECURITY PROCEDURES Town of Mamaroneck Periodic Operational Security Procedures Target Task Daily Monthly Quarterly Bi-Annual Annually Window Security Policy Enterprise Risk Analysis X 01 Policy/standards review X 01 Security awareness orientation X Q1 Organizational Security Review security policy exceptions compliance X Q2 and 04 Asset Classification and Control Review system access controls X Q2 and 04 Review access request approvals&audit trail X 02 and 04 Audit disposal of data and media X Week-2 Personnel Security Audit terminated employee samples for system, X Week-4 network,application access Incident response team meeting X 01 Physical and Environmental Security Visit offsite storage facility and perform media X 03 inventory Review compliance of data center access&visitor x Q3 logs System Security File Integrity Scan X 1 a.m. Review Intrusion detection(IDS/IPS)logs X 10 a.m. Review all other security and event logs X 10 a.m. External vulnerability scan X Week-3 Internal vulnerability scan X Week-3 Use a Wireless Analyzer to detect unauthorized X Week-3 wireless devices in use Firewall rule set review X Week-4 External penetration testing X Q2 Internal penetration testing X Q2 Data encryption key rotation X Q3 7 WORKSESSION ITEM 2 • Town of Mamaroneck • " r, County of Westchester 740 West Boston Post Road, Mamaroneck, NY 10543-3353 COUNSEL TEL: 914/381-7815 FAX: 914/381-7809 W MakerJr@TownofMamaroneckNY.orp, MEMORANDUM To: Stephen V. Altieri, Town Administrator Christina Battalia, Town Clerk From: William Maker, Jr., Attorney for the Town Subject: Local laws regarding building permit fees Date: June 16, 2017 I attach a proposed law which, if enacted, will establish limits on the number of times construction -related permits may be renewed and fees for renewing such permits. If the Town Board considers the proposal ready for a public hearing, it can set the date for such a hearing at one of its upcoming meetings. 00 Local Law No. - 2017 This local law shall be known as the "Renewal of Certain Permits and the Fees for Renewals of those Permits" Law. BE IT ENACTED by the Town Board of the Town of Mamaroneck Section 1— Purpose: Under State law, building permits expire one year after issuance. Many construction activities require more than one year to complete. Often, others that can be done within twelve months are not completed before the first anniversary of their building permit for any of a number of reasons. This law determines the number of allowable renewals of building permits and the related permits: temporary certificates of occupancy and plumbing permits. This law also sets the fees for those renewals. Section 2 — Amendment of a current section of the Mamaroneck Code: Section 106-42 A. of the Code of the Town of Mamaroneck hereby is repealed and the following substituted in its place: A. A building permit shall expire on the first anniversary of its issuance. For good cause shown, the Building Inspector or the Director of Building Code Enforcement and Land Use Administration may allow up to two extensions of a building permit. Each renewal shall be for a period of twelve (12) months measured from the date when the original permit, or the first renewed permit shall have expired. Section 3 —Amendment of a current section of the Mamaroneck Code: Section 106-50 of the Code of the Town of Mamaroneck hereby is repealed and the following substituted in its place: The Building Inspector or the Director of Building Code Enforcement and Land Use Administration may issue a temporary certificate of occupancy for a building or structure or part thereof before the entire work covered by the building permit shall have been completed, provided that such portion or portions as have been completed may be occupied safely without endangering life or the public health or welfare. A temporary certificate of occupancy shall expire on the ninetieth (90th) day after its issuance. For good cause shown, the Building Inspector or the Director of Building Code Enforcement and Land Use Administration may allow up to two extensions of a temporary certificate of occupancy. Each renewal shall be for a period of ninety (90) days measured from the date when the original temporary certificate of occupancy, or the first renewed temporary certificate of occupancy shall have expired. Section 4 —Amendment of a current section of the Mamaroneck Code: Section 158-5E. of the Code of the Town of Mamaroneck hereby is repealed and the following substituted in its place: E. A permit for plumbing work shall expire on the first anniversary of its issuance. For good cause shown, the Building Inspector or the Director of Building Code Enforcement and Land Use Administration may allow up to two extensions of a plumbing permit. Each renewal shall be for a period of twelve (12) months measured from the date when the original permit, or the first renewed permit shall have expired. Section 5 — Amendment of a current section of the Mamaroneck Code: Chapter A250 of the Code of the Town of Mamaroneck hereby is amended to add the following new section: §A250-2. Fees for Renewals of Certain Permits. A. The fees for renewing permits issued pursuant to section 106-41 (building permit) or section 158-5 (plumbing permit), or for issuing a temporary certificate of occupancy pursuant to section 106-50 shall be: (1) for the first renewal, an amount equal to the greater of fifty (50%) percent of what the fee would be if that permit were being issued for the first time on the day that the application to renew is made and fifty and no/100ths ($50.00) dollars. (2) for the second renewal, an amount equal what the fee for such permit would be if that permit were being issued for the first time on the day that the application to renew is made. Section 6 — Severability: Should any provision of this Local Law be declared invalid or unconstitutional by any court of competent jurisdiction, such declaration of unconstitutionality or invalidity shall not affect any other provisions of this Local Law, which may be implemented without the invalid or unconstitutional provisions. Section 7 — Effective Date: This Local Law shall become effective upon filing with the Secretary of State. June 16, 2017 2 WORKSESSION ITEM 3 c Financing Alternatives for LMC -TV Facility Consolidation June 5, 2017 Prepared by Leon Potok, VOM Trustee Executive Summary ➢ LMC -TV has two alternative locations for consolidating its operations: • Old Hook & Ladder Firehouse • Town of Mamaroneck Town Center ➢ LMC -TV Board prefers the Firehouse for its central location on Mamaroneck Avenue, which affords greater public access and visibility ➢ Alternative financing arrangements • The Village of Mamaroneck has offered to lease the Firehouse with the potential for the three municipalities to recover some portion of their investment in upgrading the building upon a future sale. • The Town has proposed that LMC -TV fully absorb the cost of building out the Town Center space for its use. ➢ The Firehouse alternative is more expensive and cannot be financed solely from the PEG Equipment Fund, but other sources are available. ➢ The fundamental decision is whether the additional upfront cost for the Firehouse is warranted for the advantages of this highly visible location. Prepared by Leon Potok, VOM Trustee 1 How Much Will It Cost and How Much Is Available ➢ Upfront cost for upgrading and moving into the Firehouse adds up to nearly $2.4 million, or $1.6 million more than moving into the Town Center. ➢ PEG Equipment Fund is inadequate to fully fund the Firehouse option. Capital Expenses Renovate main floor and top floor Cost of renovating basement level Additional soft costs Contingency Additional cost of moving Temporary space at Town Center Total Facility and Moving Costs Resources- PEG Equipment Fund Capital Balance, 12/31/17 Surplus/(Shortfall), as of 12/31/17 Prepared by Leon Potok, VOM Trustee Firehouse Town Center (in $000's) 1,385 150 20% 307 10% 154 257 125 2,378 1,312 (1,066) 519 257 Pr 777 1,312 535 2 Historical Financial Summary — Unrestricted Fund ➢ Over the eight years from 2010 through 2017, franchise fees from Cablevision and Verizon have exceeded expenses by more than $2.0 million. ➢ However, annual distributions of $350,000 have added up to $2.8 million, eating into the Unrestricted Fund by nearly $800,000. ➢ The current rate of annual distributions is not sustainable. Actual Estimated Unrestricted Fund 2010 2011 2012 2013 2014 2015 2016 2017 Franchise Fee Interest Total Revenues 730 5 735 803 3 806 797 2 799 804 2 806 857 1 858 865 1 866 892 910 1 893 910 Expenses LMC -TV BOC Expenses Total Expenses Operating Surplus Cash (to)/from Municipalities Net Cash Flow 500 500 500 515 530 580 605 657 29 31 29 42 32 34 32 32 529 531 529 557 562 615 637 690 206 275 270 249 296 251 256 220 (350) (350) (350) (350) (350) (350) (350) (350) (144) (75) (80) (101) (54) (99) r (94) (130) Prepared by Leon Potok, VOM Trustee 3 Historical Summary — PEG Equipment and Unrestricted Funds ➢ Over the eight years from 2010 through 2017, fees from Cablevision and Verizon to the PEG Equipment Fund have exceeded spending by almost $700,000. ➢ On a combined basis, total fund balances fell by $100,000, from nearly $1.8 million to $1.7 million. Actual Estimated 2009 2010 2011 2012 2013 2014 2015 2016 2017 Unrestricted Fund Net Cash Flow (144) (75) (80) (101) (54) (99) " (94) (130) PEG Equipment Fund Franchise Fee 130 130 130 130 130 130 130 130 Spending (20) (95) (55) (41) (2) (93) (41) (9) Net Cash Flow 110 35 75 89 128 37 89 121 Total Fund Balances - Before Firehouse Funding Unrestricted 1,156 1,011 936 856 755 700 601 507 377 PEG Equipment 628 738 772 848 937 1,065 1,102 1,191 1,312 Total 1,783 1,749 1,709 1,704 1,692 1,766 1,704 1,698 1,689 Prepared by Leon Potok, VOM Trustee Cl Projected Financial Summary ➢ The investment in the Firehouse would require cutting back distributions to the three municipalities, as shown below. Estimated Projections 2017 2018 2019 2020 2021 2022 Unrestricted Fund Operating Surplus 220 218 215 212 209 205 Cash (to)/from Municipalities (350) - - (150) (150) (150) Net Cash Flow (130) 218 215 62 59 55 PEG Equipment Fund Franchise Fee 130 130 130 130 130 130 Spending (9) (117) (117) (117) (117) (117) Net Cash Flow 121 13 13 13 13 13 Total Fund Balances - Before Firehouse Funding Unrestricted 377 595 810 872 931 986 PEG Equipment 1,312 1,325 1,339 1,352 1,366 1,379 Total 1,689 1,920 2,149 2,224 2,296 2,365 Prepared by Leon Potok, VOM Trustee 5 Funding of Firehouse Investment ➢ The Firehouse alternative would require funding from the PEG Equipment Fund, the Unrestricted Fund, and from the Village of Mamaroneck, as shown below. Estimated Projections 2017 2018 2019 2020 2021 2022 Total Fund Balances - Before Firehouse Funding Unrestricted 377 595 810 872 931 986 PEG Equipment 1,312 1,325 1,339 1,352 1,366 1,379 Total 1,689 1,920 2,149 2,224 2,296 2,365 VOM Firehouse Move Capital Cost Sources of Funds: PEG Equipment Fund Unrestricted Fund Village of Mamaroneck Total Total Fund Balances - After Firehouse Funding Unrestricted PEG Equipment Tota I (2,378) 1,300 578 500 " 2,378 377 17 232 294 353 408 1,312 25 39 52 66 79 1,689 42 271 346 419 487 Prepared by Leon Potok, VOM Trustee 11 : Summary ➢ Renovation and move to Firehouse would require • The PEG Equipment Fund to be virtually depleted to pay for $1.3 million of the investment• • The three municipalities to accept almost $600,000 in lower istributions over the next five years; • An investment by the i age o am ec o $500,000 for upgrading the building. • The investment in the Firehouse would offer LMC -TV significantly better visibility. • The Village of Mamaroneck would recoup its investment upon the sale of the Firehouse, either to LMC -TV or to a third party upon expiration of the lease. • The direct and indirect investments by the three municipalities could potentially be recovered through the Board of Control's equity -like position in the Firehouse. Prepared by Leon Potok, VOM Trustee 7 Appendix: Adjustments to VOM -LMC -TV Draft Lease ➢ Base Rent will be set at $46,200 per year, up from $25,200 per year. ➢ LMC -TV purchase price option will reflect the additional investment by VOM, as follows: Exhibit 2: LMC -TV's Option to Purchase Base value of building plus escalations before improvements Year Base Price Value Escalation Purchase Price 1 11100,000 2.0% 11122,000 2 1,122,000 2.0°% 1,144,440 3 1,144,440 2.0% 1,167,3 29 4 1,17 3,051 2.5% 1,196, 512 5 1,202,377 2.5% 1,226,425 6 1,232,437 2.5% 1,257,085 7 1,269,410 3.0% 1,294,798 8 1,307,492 3.0% 1,333,642 9 1,346,717 3.0% 1,373,651 10 1,393,852 3.5% 1,421,729 Prepared by Leon Potok, VOM Trustee to, 1 LMCTV A TIME VILLAGE OF MAMARONECIW FIREHOUSE PROJECT - DRAFT 2 - 6/2/17 June 5, 2017 OVERVIEW OF COSTS 1. Cost of Firehouse Renovations *Cost of renovating Firehouse main floor and top floor $1,385,000 Cost of renovating basement level $150,000 Additional soft costs (20%) $307,000 Contingency (10%) $153,500 TOTAL $1,995,500 L M Z *See Attachment #1 - Bid from Suburban Construction and Attachment #3 - Email from Suburban Contracting 2. Additional Costs of Moving — -- ---------------- `Cost to move LMCYV operation into Firehouse 3Y3T,436 I *See Attachment #2 — List of Additional Expenditures. 3. Rehabilitation of Town Center for Temporary Space `Construction costs to build temporary space at Town Center and return to previous conditwn $125,000 *See Attachment #3 — Email from Suburban Construction 4. Future AN Costs for Capital Purchases `Cost of future capital equipment purchases $673,020 *See Attachment #2 — List of future capital equipment purchases. OVERVIEW OF RESOURCES 1. Capital restricted funds from Franchise Agreements available now in cash - $1,321,003 2. Capital restricted funds from Franchise Agreements yet to come ($130,000/yr to 2022) - $650,000 TOTAL - $1,971,003 *See Attachment #4 - Email from Anthony Siligato re: balance of Restricted Capital Fund CONCLUSION It is the opinion of the Space Committee of the LMCTV Board of Directors that the only way LMCTV can afford to move its operation into the Old Hooks Firehouse is if the Village of Mamaroneck is willing to participate financially by undertaking a significant amount of the structural rehabilitation of the building. LMCTV estimates we have up to $1 million to invest in the capital improvement project of the Old Hooks Firehouse. In addition, in order to proceed with the proposed project, in lieu of the current lease proposal, LMCTV would need to enter into a partnership agreement with the Village of Mamaroneck assuring LMCTV of a secure long term tenancy, details of which to be negotiated as soon as possible. F1 1 5C Verco Properties One Station Plaza Mamaroneck, NY 10543 Attn: John Verni SUBURBAN CONSTRUCTION CO. Of N.Y. INC. BUILDING CONSTRUCTION & RESTORATION IS CONSTRUCTION MANAGEMENT 75 Brook Street 2r, Scarsdale, NY 10583 ■ 914-682-0800 ■ Fax: 914-682-9559 email: subcon@optonline.net Re: LMC-TV/Firehouse of Hook & Ladder Co. No l 147 Mamaroneck Avenue Mamaroneck, NY 10543 March 1, 2017 The following pricing is a value engineering proposal based on plan and scope modifications to LMC -TV "Design Feasibility Report" revised March 7, 2013 and associated design schemes 1-4 prepared by Hage & Ruocco, Architects and C & F Consulting. Engineers as well as input from the February 16th meeting with Erik Lewis and LMC -TV staff. This pricing is based on specifications as specifically noted herein and on Suburban Construction sketches 1 and 2. All pricing is subject to final design drawings and specifications, APPROVED BY BUILDING DEPT. DIV 1 GENERAL CONDITIONS — supervision, temporary facilities, housekeeping, carting and overhead cost. $53,650. DIV 2 SITE WORK — removals as required for proposed construction including all ceiling, wall and floor finishes on lower level, removal of south stair to lower level, structural removals for elevator shaft, and new north stair to basement. Removal of existing boiler and oil tank. 128,500. DIV 3, 4 CONCRETE & MASONRY — footings, elevator pit, elevator shaft walls. 32,300. DIV 5 METALS — new steel pan stair to lower level and exterior emergency stair at lower level to rear ground level. 49,600. DIV 6 WOOD & PLASTICS — floor modifications for new stair and elevator, partition framing, kitchenette cabinetry, restroom accessories. '/Z" plywood underlayment at lower level floor. 68,750. DIV 7 THERMAL & MOISTURE PROTECTION — 3" closed cell foam and underside of roof sheathing and gable and wails, waterproofing under ceramic tile, roof modification at top of elevator shaft. 14,600. Page 1 of 3 PA pt; DIV 8 DOOR & WINDOWS — aluminum and glass front enclosure, vestibule wall and 130,425. door, hollow metal F.P.S.C. doors at stairwells, flush wood doors in metal frames at all other interior door openings. All Season wire glass aluminum lot line windows. DIV 9 FINISHES — Gysum wallboard at fire -rated and room partitions, acoustic tile ceilings as shown on reflected plan. Resilient flooring in lobbies, hallways and hi - traffic areas. Carpet in offices. Ceramic tile floors and 4 ft. high wainscot in restrooms. Painting and finishing of walls, doors, windows, stairs and other surfaces in Main and Upper Floor requiring paint finish. Refinishing of existing wood floors in Upper Floor studio. 187,300. DIV 14 CONVEYING SYSTEMS - OTIS 22100 lb. capacity Hydro -Fit hydrolic, located in rear of building, per value engineering plan. 142,400. DIV 15 MECHANICAL - Plumbing for restrooms with lavatory and toilet. Kitchenette sink and dishwasher. HVAC consisting of new natural gas service from Mamaroneck Avenue serving gas fired direct vent boiler serving four hydro air ducted heating and air conditioning systems. 4 zones including 1 each for Upper Floor studio, balance of Upper Floor, main floor and lower level. Subbasement boiler/mechanical room to have gas fired space heater only. Sprinkler as required by local code, including backflow valve, alarm, electrical connections, etc. for a complete 389 000. installation DIV 16 ELECTRICAL - New 800A service, LED lay -in fixtures in acoustical ceilings, surface mounted LED fixtures in locations where existing surfaces are to remain and combination emergency fixtures in stairwells. Electrical connections as required for HVAC, elevator and sprinkler equipment, 188,000. TOTAL 1,384,525.00 NOTES: 1. Wall finishes on upper level exterior walls will remain. 2. Drywell to be placed in removed oil tank location. 3. Stairwell doors 3'x7'x11/4" hollow metal with vision panels and push bars as required. Interior doors 3'x7'x 13/4" flush birch with lever handles. 4. Pricing includes current prevailing wage requirements. Page 2 of 3 5C 5. Existing front elevation windows are to be refurbished and fitted with energy panels. 6. Elevator is included as Otis 2100 lbs. capacity Hydro -Fit Machine -room -less hydraulic. 7. Stairwell doors include code compliant vision panel, all others are SC Birch veneer. 8. Plumbing fixtures include American Standard Champion Pro Right Height Elongated Toilet, ADA compliant bathroom and Eaton Wheelchair Sink with Delta HDF Commercial Faucet. 9. Lower level work limited to removal of finishes, new HVAC system, electrical distribution panel, %" plywood underlayment over existing subfloor. EXCLUSIONS: 1. Permit Fees. 2. Concealed conditions 3. Work on lower level except removals, HVAC, electric distribution panel and plywood underlayments. 4. Hazardous material removal/remediation, e.g.: mold remediation, except as noted 5. Planters/plants, Patch macadam, Permeable paving 6. Data/Telephone 7. Crawl space sprinkler heads 8. Wall insulation 9. Utility Fees ALLOWANCES (INCLUDED IN BASE BID): 1. Asbestos pipe insulation removal 2. 1,000 gal storm water drywell with associated piping 3. Ceramic tile/associated materials Very truly y9urs, eI is, o `President Suburban Construction Co. of NY, Inc. Page 3 of 3 $5,000. $4,000. $5/sf Future Capital Equipment Needs Additional Moving Related Expenditures A B I C D I E 1 Item PriceQuantity Total Price When Needed 2 Studio Lights 3 Portable Lights $10,000 $1,000 1 2 $10,000 $2,000 Immediately Immediately 4 Camera Pedestals 5 Video Over IP Delivery System 6 Portable Studio 7 Field Cameras $20,000 $10,000 $8,000 $1,850 3 2 1 5 $60,000 $20,000 $8,000 $9,250 Immediately Immediately Immediately Immediately 8 Tripods 9 Pop -Ups for Set Design $400 $1,000 10 2 $4,000 $2,000 Immediately Immediately 10 Green Screen ? 1 With move 11 New Curtains for Studio 7 With move 12 Desk for Set Design $4,000 1 $4,000 With move 13 PC Workstations $500 10 $5,000 With move 14 Outreach Studio $60,000 1 $60,000 With move 15 Classroom Computers $2,500 6 $15,000 With move 16 Wireless Microphone System $650 3 $1,950 With move 17 DSLR Film Cameras (for Classes) $2,700 4 $10,800 With move 18 Variable Zoom Lens for DSLR $900 4 $3,600 With move 19 Zoom Audio Recorder $650 3 $1,950 With move 20 iMAC Laptops $2,500 2 $5,000 lWith move 21 Editing Headphones $100 10 $1,000 As needed 22 Sports Cameras $3,500 3 $10,500 2018 23 Muni Towers $30,000 3 $90,000 2018-2019 24 Audio Board Field Mixers $400 3 $1,200 2019 25 Shotgun Mics $700 8 $5,600 2019-2020 26 Studio Cameras $15,000 3 $45,000 2020 27 Tricaster (Studio Switcher) $40,000 1 $40,000 2020 28 Edit Stations $2,500 8 $20,000 2022 29 Cablecast System $90,000 1 $90,000 2023 30 Equipment Repair $20,000 1 $200000 As needed 31 Misc. (Cables, adapters, etc.) $15,000 1 $15,000 As needed 32 Subtotal $560,850 33 Contingency (20%) $112,170 34 GRAND TOTAL = $673,020 35 36 *Copen & Lind Report Additional Expenditures 37 Moving Cable Operator Lines $84,033 38 General Moving Expense $10,000 39 Engineering/Integration $30,000 40 Equipment Fill-in/Upgrades $60,000 41 Consoles Workstations $10,000 42 Data/phone/RF/video/audio distro systems $10,000 43 New office & production furniture $30,000 44 Subtotal = $234,033 45 Contingency 10% $23,403 46 Total Additional Expenditures w/contingency $257,436 47 Total Capital Needs Including Equipment Through 2023 $930,456 48 Current Total Available Capital = $1,321,003 49 Difference Equipment Needs vs. Available $390,547 Attachment 3 - EMAIL FROM MIKE DISISTO OF SUBURBAN CONTRACTING May 27 (6 Mike Disisto days ago) to me Erik, These are BUDGET numbers. I would need to know more specifics for an exact price. 1. Just move and relocate internet and phone $15,000. 2. Above plus studio on north side 65,000. 3. Return space to original configuration 45,000. ALSO I think I can get the lower level finishes done at the firehouse for $ 150,000. If this gets serious I'll need to stop there and make sure I'm giving you what you need. If you need a formal estimate I'll have to meet you again and flesh out a scope of work Hope this helps Michael DiSisto Suburban Construction Co of NY Inc. 75 Brook St Scarsdale, N.Y. 10583 914-682-0800 Attachment #4 - Siligato, Anthony <ASiligato@townofmamaroneckny.orgaApr 11 to me YES anmonv sdigata Comptroller and Receiver of Taxes Town of Mamaroneck, New York 740 West Boston Post Road Mamaroneck, NY 10543 914-381-7851 (Office) 914-879-5291 (Cell) From: Erik Lewis [mailto:elewisPimc-tv.ore) Sent: Tuesday, April 11, 2017 1:58 PM To: Siligato, Anthony <ASiligato@TownofMamaroneckNY.org> Subject: Re: sorry to pester, what's the balance on the PEG cap fund? I lost info EOM so the 2017 payment/s of $130k are included in that? Erik On Tue, Apr 11, 2017 at 1:40 PM, Siligato, Anthony <ASiligato(ivtownofinamaroneckny.org> wrote: $1,321,003. This does not account for the latest studio lighting equipment request from Matt in the amount $9,084. anMor * Sdigata Comptroller and Receiver of Taxes Town of Mamaroneck, New York 740 West Boston Post Road Mamaroneck, NY 10543 914-381-7851 (Office) 914-879-5291 (Cell) From: Erik Lewis [mailto:elewis(cDlmc-tv.ore) Sent: Tuesday, April 11, 2017 1:07 PM To: Siligato, Anthony <ASilieato TownofMamaroneckNY org> Subject: sorry to pester, what's the balance on the PEG cap fund? EOM WORKSESSION ITEM 4 c NO ATTACHMENT c. c WORKSESSION ITEM 5 c, Town of Mamaroneck Town Center 740 West Boston Post Road, Mamaroneck, NY 10543-3353 OFFICE OF THE TOWN ADMINISTRATOR TEL: 914/381-7810 FAX: 914/381-7809 townadministrator@townofmamaroneck.org Memorandum To: Supervisor and Town Board Re: Update Gardens Lake Improvements Date: June 15, 2017 The following is an update on the improvements to the Gardens Lake: Aerators ➢ Three vendors responded to our RFP for the installation of aerators, one submitted a no bid. The other two bids were, $14,195 from Pond and Lake Connection and $44,900 from All Bright Electric. We are reviewing the bids now and plan to recommend a contract award this summer. Dredging ➢ It is estimated that we will need to remove approximately 1,000 yards of material from the lake. Removing the material will insure the efficiency of the aerators and will also prevent the over accumulation of material that impacts the storm water storage in the lake. Dredging will also improve the aesthetics of the lake and will impede some of the algae growth. ➢ The cost of the dredging is now estimated at $122,000 and that assumes that the material will be re -used within the Town. Re -using the material in the Town is now a very good possibility. The soil testing of the Gardens Lake came up negative and has been approved by the NYDEC for beneficial reuse. ➢ With this information in hand we have begun preparing the bid specification for the dredging of the lake. Our tentative schedule is to begin dredging in late August or early September. The representatives from the Larchmont Gardens Association were just apprised of the status of the project. Y Stephen V. Altieri Town Administrator OW %iii Printed on Recycled Paper c WORKSESSION ITEM 6 NO ATTACHMENT c. c WORKSESSION ITEM 7 C! L NO ATTACHMENT li PUBLIC HEARING #1 LEGAL NOTICE IS HEREBY GIVEN that pursuant to Section 130 of the Town Law of the State of New York, and pursuant to a resolution of the Mamaroneck Town Board adopted on June 7, 2017 a Public Hearing will be held on Wednesday, June 21, 2017 at 8:00 PM or as soon thereafter as is possible at the Town Center, 740 W. Boston Post Road, Mamaroneck, New York to consider: "Amendment to the Discharge Compliance Certificate Law to eliminate inspections by plumbers" Law Purpose When originally enacted, the law requiring a discharge compliance certificate upon the sale of real property in the unincorporated area of the Town of Mamaroneck provided that the inspection to ensure compliance with the laws regarding the discharge of liquids could be done by a plumber licensed to do business within the Town. Experience has shown that it is more efficient and less costly to sellers if inspections of the connections leading from the real property to the public storm water sewer lines and to the sanitary sewer lines are conducted by a member of the Town's Building Department. This law makes the required inspection a task to be performed by the Building Department, and not by local plumbers. The full text of this law can be viewed on the website or copies can be obtained at the Town Clerk's office during regular hours, Mon -Fri, 8:30 AM to 4:30 PM, In June, July and August until 4:00 PM at 740 W. Boston Post Road Mamaroneck, NY PLEASE TAKE FURTHER NOTICE that at the Public Hearing all persons interested will be given an opportunity to be heard and that all persons are invited to submit written comments at or prior thereto. BY ORDER OF THE TOWN BOARD OF THE TOWN OF MAMARONECK CHRISTINA BATTALIA TOWN CLERK Published: June 14, 2017 4. Local Law No. -2017 This local law shall be known as the "Amendment to the Discharge Compliance Certificate Law to eliminate inspections by plumbers" Law. BE IT ENACTED by the Town Board of the Town of Mamaroneck Section 1—Purpose: When originally enacted, the law requiring a discharge compliance certificate upon the sale of real property in the unincorporated area of the Town of Mamaroneck provided that the inspection to ensure compliance with the laws regarding the discharge of liquids could be done by a plumber licensed to do business within the Town. Experience has shown that it is more efficient and less costly to sellers if inspections of the connections leading from the real property to the public storm water sewer lines and to the sanitary sewer lines are conducted by a member of the Town's Building Department. This law makes the required inspection a task to be performed by the Building Department, and not by local plumbers. Section 2—Amendment of a current section of the Mamaroneck Code: Section 106-49 of the Code of the Town of Mamaroneck hereby is repealed and the following substituted in its place: § 106-49 Discharge compliance certificate required. A. As used in this section, the following terms have the meanings indicated: DISCHARGE COMPLIANCE CERTIFICATE (1) A certificate issued by the Issuing Officer with respect to real property not meeting the definition of a multiple housing unit, stating: (a) that all of the connections leading from the real property to the public storm water sewer lines and to the sanitary sewer lines comply with the requirements of the New York State Building Codes and the Town Code; and (b)that there are no culverts, drains, hoses, leaders, lines, pipes or pumps that discharge liquids directly onto or directly toward a street, sidewalk or right-of-way; or (2) A certificate issued by the Issuing Officer with respect to a nonexempt multiple housing unit stating: (a) either that all of the connections leading directly from that unit to the public storm water sewer lines or to the public sanitary sewer lines and not to sewer lines located outside such unit but within the building in which that unit is situated comply with the requirements of the New York State Building Codes and the Town Code or that there are no such connections; and (b) that there are no culverts, drains, hoses, leaders, lines, pipes or pumps that discharge liquids from such unit directly onto or directly toward a street, sidewalk or right- of-way. EXEMPT MULTIPLE HOUSING UNIT A multiple housing unit which does not touch the ground. This section does not apply to exempt multiple housing units. ISSUING OFFICER The Building Inspector or the Director of Building Code Enforcement and Land Use Administration. MULTIPLE HOUSING UNIT (1) An apartment whose owner: (a) holds an interest in an entity formed for the cooperative ownership of real property, and (b) is the tenant of the proprietary lease for such apartment, or (2) A unit as that term is defined in § 339-e of the New York Real Property Law and used in Article 9-B ("Condominium Act") of the New York Real Property Law. NONEXEMPT MULTIPLE HOUSING UNIT A multiple housing unit which touches the ground. REAL PROPERTY A lot or a nonexempt housing unit. RENEWAL EVENT The transfer of title in connection with the sale of real property located in the unincorporated portion of the Town that occurs after January 1, 2006. SATISFACTORY INSPECTION (1) For real property not meeting the definition of a multiple housing unit, a determination made by the Issuing Officer or such Officer's designee : (a) that all of the connections leading from the real property to the public storm water sewer lines or to the public sanitary sewer lines comply with the requirements of the New York State Building Codes and the Town Code; and (b) that there are no culverts, drains, hoses, leaders, lines, pipes or pumps that discharge liquids directly onto or directly toward a street, sidewalk or right-of-way. (2) For a nonexempt multiple housing unit, a determination made by the Issuing Officer or such Officer's designee: (a) that those connections leading directly from that unit to the public storm water sewer lines or to the public sanitary sewer lines, and not to sewer lines located outside such unit but within the building in which that unit is situated, comply with the requirements of the New York State Building Codes and the Town Code; and (b) that there are no culverts, drains, hoses, leaders, lines, pipes or pumps that discharge liquids from such unit directly onto or directly toward a street, sidewalk or right- of-way. B. No building on real property shall be used or occupied, in whole or in part, after a renewal event has occurred unless a discharge compliance certificate is issued therefor. To apply for a discharge compliance certificate, the owner of the real property or such owner's representative shall submit to the Issuing Officer an application therefor on a form approved by the Issuing Officer, together with whatever documentation the Issuing Officer may require, and payment of the fee for a discharge compliance certificate. If there is a Satisfactory Inspection of the real property, the Issuing Officer shall issue a discharge compliance certificate for that real property. By applying for a discharge compliance certificate, the owner of the real property authorizes the Issuing Officer or such Officer's designee to enter upon the real property for the purpose of conducting such inspection. C. A discharge compliance certificate can be issued at any time after a renewal event has occurred. A discharge compliance certificate also can be issued prior to a renewal event; however, such certificate shall expire on the sixtieth (60th) day after it is issued unless the renewal event shall have occurred before its expiration date. D. A discharge compliance certificate issued after a renewal event has occurred shall expire when the next renewal event with respect to that real property occurs. If a discharge compliance certificate is issued prior to a renewal event and a renewal event occurs before that discharge compliance certificate expires pursuant to § 106-49C, such certificate shall expire when the next renewal event with respect to the real property occurs. Nothing contained in this section shall be 3 construed as preventing the Issuing Officer from revoking a discharge compliance certificate if there are grounds to do so. Section 3—Severability: Should any provision of this Local Law be declared invalid or unconstitutional by any court of competent jurisdiction, such declaration of unconstitutionality or invalidity shall not affect any other provisions of this Local Law, which may be implemented without the invalid or unconstitutional provisions. Section 4—Effective Date: This Local Law shall become effective upon filing with the Secretary of State. May 12, 2017 4 PUBLIC HEARING #i NOTICE OF PUBLIC HEARING NOTICE IS HEREBY GIVEN that the Town Board of the Town of Mamaroneck, Westchester County, New York, will meet in the Town Hall, in Mamaroneck, New York, in said Town, on June 21, 2017, at 8:00 o'clock P.M., Prevailing Time, for the purpose of conducting a public hearing upon a certain map, plan and report, including an estimate of cost, in relation to the proposed increase and improvement of the facilities of the Sewer District No. 1, in said Town, being improvements to reduce inflow and infiltration of storm water into the sanitary sewer system, including original furnishings, equipment, machinery, apparatus, appurtenances, and incidental improvements and expenses in connection therewith, pursuant to an Intermunicipal Agreement with the County of Westchester, New York, at a maximum estimated cost of $11,100,000. It has been determined that said project is a Type Il Action under the regulations promulgated under the State Environmental Quality Review Act which, it has been determined, will not have any adverse effect on the environment. SEQRA compliance materials and the map, plan and report are available for inspection at the Office of the Town Clerk where they may be inspected during normal business hours. At said public hearing said Town Board will hear all persons interested in the subject matter thereof. Dated: Mamaroneck, New York, June 13, 2017. BY ORDER OF THE TOWN BOARD OF THE TOWN OF MAMARONECK, WESTCHESTER COUNTY, NEW YORK 766994387.01 43235-2-59 At a regular meeting of the Town Board of the Town of Mamaroneck, Westchester County, New York, held at the Town Hall, in Mamaroneck, New York in said Town, on June 21, 2017, at :00 o'clock P.M., Prevailing Time. PRESENT: Supervisor Councilman Councilman Councilman Councilman In the Matter of The Increase and Improvement of Facilities of Sewer District No. 1 in the Town of PUBLIC INTEREST ORDER Mamaroneck, Westchester County, New York WHEREAS, the Town Board of the Town of Mamaroneck, Westchester County, New York, has duly caused to be prepared a map, plan and report including an estimate of cost, pursuant to Section 202-b of the Town Law, relating to the proposed increase and improvement of the facilities of Sewer District No. 1, in the Town of Mamaroneck, Westchester County, New York, being improvements to reduce inflow and infiltration of storm water into the sanitary • sewer system, including original furnishings, equipment, machinery, apparatus, appurtenances, and incidental improvements and expenses in connection therewith, at a maximum estimated cost of$11,100,000 and WHEREAS, at a meeting of said Town Board duly called and held on June 7, 2017, an Order was duly adopted by it and entered in the minutes specifying the said Town Board would meet to consider the increase and improvement of facilities of Sewer District No. 1 in said Town at a maximum estimated cost of$11,100,000, and to hear all persons interested in the subject thereof concerning the same at the Town Hall, in Mamaroneck, New York, in said Town, on June 21, 2017, at : o'clock P.M., Prevailing Time; and WHEREAS, said Order duly certified by the Town Clerk was duly published and posted as required by law; and WHEREAS, a public hearing was duly held at the time and place set forth in said notice, at which all persons desiring to be heard were duly heard; NOW,THEREFORE,BE IT ORDERED, by the Town Board of the Town of Mamaroneck, Westchester County, New York, as follows: Section 1. Upon the evidence given at the aforesaid public hearing, it is hereby found and determined that it is in the public interest to make the increase and improvement of the facilities of Sewer District No. 1, in the Town of Mamaroneck, Westchester County, New York, consisting of improvements to reduce inflow and infiltration of storm water into the sanitary sewer system, including original furnishings, equipment, machinery, apparatus, appurtenances, and incidental improvements and expenses in connection therewith, at a maximum estimated cost of$11,100,000. Section 2. This Order shall take effect immediately. -2- The question of the adoption of the foregoing order was duly put to a vote on roll, which resulted as follows: VOTING VOTING MO ON Nun, VOTING VOTING VOTING The Order was thereupon declared duly adopted. * * * * * -3- 766994387.01 43235-2-59 BOND RESOLUTION At a regular meeting of the Town Board of the Town of Mamaroneck, Westchester County, New York, held at the Town Hall, in Mamaroneck, New York, in said Town, on the 21st day of June, 2017, at :00 o'clock P.M., Prevailing Time. The meeting was called to order by , and upon roll being called, the following were PRESENT: ABSENT: The following resolution was offered by Councilman who moved its adoption, seconded by Councilman to-wit: BOND RESOLUTION DATED JUNE 21, 2017. A RESOLUTION AUTHORIZING THE ISSUANCE OF $11,100,000 BONDS OF THE TOWN OF MAMARONECK, WESTCHESTER COUNTY, NEW YORK, TO PAY THE COST OF THE INCREASE AND IMPROVEMENT OF THE FACILITIES OF SEWER DISTRICT NO. 1, IN THE TOWN OF MAMARONECK, WESTCHESTER COUNTY, NEW YORK. WHEREAS, pursuant to the provisions heretofore duly had and taken in accordance with the provisions of Section 202-b of the Town Law, and more particularly an Order dated the date hereof, said Town Board has determined it to be in the public interest to improve the facilities of Sewer District No. 1, in the Town of Mamaroneck, Westchester County, New York, at a maximum estimated cost of$11,100,000; and WHEREAS, the capital project hereinafter described, as proposed, has been determined to be a Action pursuant to the regulations of the New York State Department of Environmental Conservation promulgated pursuant to the State Environmental Quality Review Act, which it has been determined will not have any significant adverse effect on the environment NOW,THEREFORE, BE IT RESOLVED, by the Town Board of the Town of Mamaroneck, Westchester County, New York, as follows: Section 1. For the class of objects or purposes of paying the cost of the increase and improvement of Sewer District No. 1, in the Town of Mamaroneck, Westchester County, New York, consisting of improvements to reduce inflow and infiltration of storm water into the sanitary sewer system, including original furnishings, equipment, machinery, apparatus, appurtenances, and incidental improvements and expenses in connection therewith, there are hereby authorized to be issued $11,100,000 bonds of said Town pursuant to the provisions of the Local Finance Law. Section 2. It is hereby determined that the maximum estimated cost of the aforesaid class of objects or purposes is $11,100,000, which class of object or purposes is hereby authorized at said maximum estimated cost, and that the plan for the financing thereof is by the issuance of the $11,100,000 bonds of said Town authorized to be issued pursuant to this bond resolution. Section 3. It is hereby determined that the period of probable usefulness of the aforesaid class of objects or purposes is 40 years pursuant to subdivision 4 of paragraph a of Section 11.00 of the Local Finance Law. It is hereby further determined that the maximum maturity of the serial bonds herein authorized will exceed five years. Section 4. The faith and credit of said Town of Mamaroneck, Westchester County, New York, are hereby irrevocably pledged for the payment of the principal of and interest on such bonds as the same respectively become due and payable. An annual appropriation shall be made in each year sufficient to pay the principal of and interest on such bonds becoming due and payable in such year. To the extent not paid from monies raised from said Sewer District No. 1 as applicable in the manner provided by law, there shall annually be levied on all the taxable real property of said Town, a tax sufficient to pay the principal of and interest on such bonds as the same become due and payable. Section 5. Subject to the provisions of the Local Finance Law, the power to authorize the issuance of and to sell bond anticipation notes in anticipation of the issuance and sale of the serial bonds herein authorized, including renewals of such notes, is hereby delegated to the Supervisor, the chief fiscal officer. Such notes shall be of such terms, form and contents, and shall be sold in such manner, as may be prescribed by said Supervisor, consistent with the provisions of the Local Finance Law. -2- Section 6. The powers and duties of advertising such bonds for sale, conducting the sale and awarding the bonds, are hereby delegated to the Supervisor, who shall advertise such bonds for sale, conduct the sale, and award the bonds in such manner as she shall deem best for the interests of said Town, including, but not limited to, the power to sell said bonds to the New York State Environmental Facilities Corporation; provided, however, that in the exercise of these delegated powers, the Supervisor shall comply fully with the provisions of the Local Finance Law and any order or rule of the State Comptroller applicable to the sale of municipal bonds. The receipt of the Supervisor shall be a full acquittance to the purchaser of such bonds, who shall not be obliged to see to the application of the purchase money. Section 7. All other matters except as provided herein relating to the serial bonds herein authorized including the date, denominations, maturities and interest payment dates, within the limitations prescribed herein and the manner of execution of the same, including the consolidation with other issues, and also the ability to issue serial bonds with substantially level or declining annual debt service, shall be determined by the Supervisor, the chief fiscal officer of such Town. Such bonds shall contain substantially the recital of validity clause provided for in Section 52.00 of the Local Finance Law, and shall otherwise be in such form and contain such recitals, in addition to those required by Section 51.00 of the Local Finance Law, as the Supervisor shall determine consistent with the provisions of the Local Finance Law. Section 8. The Supervisor is hereby further authorized, at her sole discretion, to execute a project finance and/or loan agreement, and any other agreements with the New York State Department of Environmental Conservation and/or the New York State Environmental Facilities Corporation, including amendments thereto, and including any instruments (or amendments thereto) in the effectuation thereof, in order to effect the financing or refinancing of -3- the class of objects or purposes described in Section 1 hereof, or a portion thereof, by a bond, and/or note issue of said Town in the event of the sale of same to the New York State Environmental Facilities Corporation. Section 9. The power to issue and sell notes to the New York State Environmental Facilities Corporation pursuant to Section 169.00 of the Local Finance Law is hereby delegated to the Supervisor. Such notes shall be of such terms, form and contents as may be prescribed by said Supervisor consistent with the provisions of the Local Finance Law. Section 10. The validity of such bonds and bond anticipation notes may be contested only if: 1) Such obligations are authorized for an object or purpose for which said Town is not authorized to expend money, or 2) The provisions of law which should be complied with at the date of publication of this resolution are not substantially complied with, and an action, suit or proceeding contesting such validity is commenced within twenty days after the date of such publication, or 3) Such obligations are authorized in violation of the provisions of the Constitution. Section 11. This resolution shall constitute a statement of official intent for purposes of Treasury Regulations Section 1.150-2. Other than as specified in this resolution, no monies are, or are reasonably expected to be, reserved, allocated on a long-term basis, or otherwise set aside with respect to the permanent funding of the object or purpose described herein. Section 12. This resolution, which takes effect immediately, shall be published in summary form in the official newspaper, together with a notice of the Town Clerk in substantially the form provided in Section 81.00 of the Local Finance Law. -4- The question of the adoption of the foregoing resolution was duly put to a vote on roll call, which resulted as follows: VOTING „• P1 •. . VOTING Irra � ` VOTING W - VOTING VOTING The resolution was thereupon declared duly adopted. * * * * * * -5- NJ FIRE COMMISSION ITEM 1 Town of Mamaroneck From: Tony Siligato-Town Comptroller Re: Fire Claims Date: June 21,2017 The following Town of Mamaroneck Fire Department claims have been certified by Chief Paul Tortorella and submitted to the Comptroller's Office for payment: VENDOR DESCRIPTION AMOUNT AAA Emergency Supply Co. Gas Detector,Protective Boot,Calibration Station&Gas,Demand Flow Regulator $ 2,973.90 AAA Emergency Supply Co. Flat Head/Fiberglass,Fire Extinguisher,Tamper Seal,Hooks,Sledgehammer $ 612.60 Bound Tree Medical,LLC Aspirin,Tape,Gauze,EPI&Training Kit,Gloves $ 762.60 Brewers Hardware Screws/Fasteners $ 13.84 Con Edison Fire HQ Gas service 5/1/17-5/30/17 $ 206.14 Goosetown Communications Magnetic Mic Conversion Kit $ 34.95 Home Depot Drill Bits&20v Battery $ 150.85 Sound Shore Pest Control Exterminating Services on 5/22/17 $ 65.00 Tony's Nursery Inc. 12 Hanging Baskets $ 239.90 Town of Mam'k Fire Dept. Food for Monthly Drill 5/16/17,Water,Electric Cords $ 382.93 UniFirst Corporation Cleaning supplies for building 5/26/17,6/2,6/9/17 $ 218.52 Villa Maria Pizza Food for Explorer Drill 6/7/17 $ 92.88 $ - $ - Total: $ 5,754.11 FIRE COMMISSION ITEM 2 c. NO ATTACHMENT c AFFAIRS OF THE TOWN ITEM 1 Documents under Work Session 1 9 P f<< oz. . w i rn Z n ►- 47c TOWN OF MAMARONECK NEW YORK 1 CYBER SECURITY POLICY Adopted January 18, 2017 Draft 06 21/17 1 Table of Contents Introduction 4 Definitions 6 Data Classification 10 Policy Areas: Acceptable Use 12 Account Management 13 Administrative and Special Access 14 Asset Management 15 Back Up 17 18 Court Information Resources 19 Credit Card Processing 19 Email 21 22 23 Information Management and Security 23 Incident Management 25 Internet 26 Intrusion Detection and Network Access 27 Maintenance Windows 27 28 Network Configuration 30 Password 31 Physical Access 33 34 Portable Computing 35 Privacy 34 Public Access Wi-Fi 36 Public Access Workstation 36 Secure Use of Social Media 36 Security Monitoring 39 Security Policy Standards 41 2 Security Training 41 Server Hardening 42 Software Licensing 42 Support Hours 43 43 System Development 45 Vendor Access 45 Virus Protection 47 Town of Mamaroneck Public Access Wi-Fi Terms of Service Policy 48 Town of Mamaroneck Information and Security Notification Breach Policy 50 Violation Notice 54 References 55 Acknowledgement 57 Appendix"A"- Server and Facility Information Access Form Appendix"B" - Periodic Operational Security Procedures 3 INTRODUCTION The Town of Mamaroneck is a medium sized local government with 8 remote sites and over 150 users, 140 workstations, 58 software applications, 19 servers and a complex network environment. This Security Policy is a mechanism used to establish the limits and expectations for the users of the Town of Mamaroneck, New York computer network and provides the baseline for implementing security controls to reduce both vulnerabilities and risk. Internal users should have no expectation of privacy with respect to Information Technology. The purpose of the Town of Mamaroneck, New York Security Policy is to clearly communicate the Town's information security expectations to Town employees, Officials and consultants who use Town equipment and access the Town network. This Policy applies equally to all individuals who use any Town of Mamaroneck, New York Information Resources (IR). Electronic files created, sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of the Town of Mamaroneck are the property of the Town of Mamaroneck. and is supported by the following Security Policy Standards: 1) IT Security controls must not be bypassed or disabled. 2) Security awareness of personnel must be continually emphasized, reinforced, updated and validated. 3) All personnel are responsible for managing their use of IR and are accountable for their actions relating to IT security. 4) Passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), and other computer systems security procedures and devices shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the Town Administrator and/or Information Security Officer. 5) Access to, change to, and use of IR must be strictly secured. Information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service. 6) The use of IT must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as but not limited to; email, web browsing and other electronic discussion tools. The use of these electronic communications tools may be monitored to fulfill compliance or investigative requirements. 7) Departments responsible for the custody and operation of computers shall be responsible for proper authorization of IR utilization, the establishment of effective use, and reporting of performance issues to the IT Department. 8) Any data used in an IR system must be kept confidential and secure by the user. The fact that the data may be stored electronically does not change the requirement to keep the information confidential and secure. Rather, the type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore, if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured according to the New York State Archives directives. 9) Personnel are also equally responsible for reporting any suspected or confirmed violations of this policy to the Town Administrator and/or IT Director. 10) On termination of the relationship with the Town, users must surrender all property and IR managed by the Town. All security policies for IR apply to and remain in force in the event of a terminated relationship until such surrender is made. Further, this policy survives the terminated relationship. 4 Definitions: Abuse of Privilege: When a user willfully performs an action prohibited by organizational policy or law, even if technical controls are insufficient to prevent the user from performing the action. Application Software: A program or group of programs designed for end users. Application software can be divided into two general classes: systems software and applications software. Systems software consists of low-level programs that interact with the computer at a very basic level. This includes operating systems, compilers, and utilities for managing computer resources. Applied Computer Systems: Both hardware and software, and often including networking and telecommunications, usually in the context of a business or other enterprise. Often this is the name of the part of an enterprise that deals with all things electronic. Backup: Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash. Bare Metal Backups: A bare metal backup is a type of backup process that backs up the full software configuration from a specific system in addition to the data that is stored within software applications. Grandfather-Father-Son Backup: A Grandfather-father-son backup refers to a common rotation scheme for backup media. In this scheme there are three backup cycles, daily, weekly and monthly. The daily backups are rotated on a daily basis using a FIFO system. The weekly backups are similarly rotated on a weekly basis, and the monthly backup on a monthly basis. In addition, annual backups are also separately retained. Custodian: Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. For mainframe applications, The IT Department is the custodian; for micro and mini applications, the owner or user may retain custodial responsibilities. Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another. Electronic mail (email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system. E-mail: Abbreviation for electronic mail, which consists of messages sent over any electronic media by a communications application. Information: Any and all data, regardless of form, that is created, contained in, or processed by, Information Resources facilities, communications networks, or storage media. Information Management (IM): The manipulation, re-organization, analysis, graphing, charting, and presentation of data for specific management and decision-making purposes. 6 • Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally backup media must be protected in accordance with the highest Town of Mamaroneck sensitivity level of information stored. • A process must be implemented to verify the success of the Town electronic information backup. • Backups must be periodically tested to ensure that they are recoverable. • Contracts held by the offsite backup storage vendor(s) for access to the Town backup media must be reviewed annually or when an authorized individual leaves the Town. • Procedures between the Town and the offsite backup storage vendor(s) must be reviewed at least annually. • All Off-site back up contracts must be approved by the New York State Commissioner of Education pursuant to section 185.9 of the Regulations of the Commissioner of Education. • Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system: System name 4. Creation Date Sensitivity Classification [Based on the New York State Records management MU-1 Schedule] :• Town of Mamaroneck Contact Information • The Town must have a backup plan in place that describes the type, method and frequency of backups. 4. Back Up Plan: ■ Physical Data Backups - Onsite • GFS System Schema - backed up to Town network area storage devices. Bare Metal Backups - Onsite One time back up then incremental as software changes on servers. The bare metal drives are to be kept in the safe in the Comptroller's Office. 18 Court Information Resources: The Town of Mamaroneck recognizes the unique circumstances that separate Mamaroneck Court Information Resources from Town Information Resources. This policy area is established to ensure compliance with both Town and New York State Unified Court Information Resources. New York State Unified Court hardware in the form of workstations, laptops, printers, scanners and monitors are used by Mamaroneck Court Judges and personnel and are authorized by this policy to be integrated with the Town Court server and other peripherals owned by the Town of Mamaroneck. Parameters dictating the use and maintenance of Court equipment (both New York State and Town of Mamaroneck owned) are listed below: • All Mamaroneck Court software not preinstalled on NYS Court computers and used by the Mamaroneck Court should be installed on a dedicated Court server and licensed in the name of the Town of Mamaroneck. • The Electronic Content Management System (ECMS-Laserfiche) Court repository must be separated from the main Town database and installed on the dedicated Court server. • All Court personnel user and department documents should be separated from the main Town database and installed on the dedicated Court server. • Daily back-ups of Court software, ECMS and department documents must be performed for security purposes and immediate file restoration. • Laptops and other equipment issued to Court officials for remote access must be inventoried, configured and maintained as per this policy, is the property of the Town of Mamaroneck or the NYS Unified Court System and must be submitted to the IT office periodically for Security Policy conformance. Credit Card Processing — PCI Compliance: This policy area is established to ensure Payment Card Industry compliance. The purpose of this policy area is to inform local government officials on PCI standards and to establish procedures on how to secure credit card processing in the Town of Mamaroneck. Local Governments must comply with the PCI Data Security Standard PCI DSS 3.1 and validate compliance. Compliance (securing the credit card process) requires ongoing adherence to the standard and applies to every local government regardless of the transaction volume. Validation confirms local governments, service providers, payment applications and PIN entry devices are compliant with the standard. 19 Email: This policy area is established to ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources. It establishes prudent and acceptable practices regarding the use of email and will educate individuals using email with respect to their responsibilities associated with such use. The purpose of this policy area is to establish the rules for the use of Town email for the sending, receiving or storing of electronic mail and applies equally to all individuals granted access privileges to any Town information resource with the capacity to send, receive or store electronic mail. The following activities are prohibited by this policy: • Sending email that is intimidating or harassing. • Using email for conducting personal business. • Using email for purposes of political lobbying or campaigning. • Violating copyright laws by inappropriately distributing protected works. • Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role. • The use of unauthorized e-mail software. • The following activities are prohibited because they impede the functioning of network communications and the efficient operations of electronic mail systems: o Sending or forwarding chain letters o Sending unsolicited messages to groups in excess of 35 email addresses outside of the Town domain o Sending excessively large messages o Sending or forwarding email that is likely to contain computer viruses • All user activity on Town Information Resource assets is subject to logging and review. • All sensitive Town material transmitted over external network must be encrypted. • Electronic mail users must not give the impression that they are representing, giving opinions or otherwise making statements on behalf of the Town or any department of the Town unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer will be included unless it is clear from the context that the author is not representing the Town. An example of a simple disclaimer is: "the opinions expressed are my own, and not necessarily those of my employer." • Individuals must not send, forward or receive confidential or sensitive Town information through non-Town email accounts. Examples of non-Town email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, Opt online and email provided by other Internet Service Providers (ISP). • The Town of Mamaroneck must comply with the Federal Anti-Spam Act of 2003. Town officials and employees with active email addresses must: 21 4. Refrain from sending same subject email to more than 10 recipients outside of the Town of Mamaroneck domain from their Outlook, Third party application (such as Blackberry Internet Service, IPhone or Android email services) or email server. ❖ All mass email communications sent on behalf of the Town must be sent through the Town's email marketing service and/or specific software applications for notification purposes. 0 22 Fire District Information Technology and Resources: The Town of Mamaroneck Fire District is completely separated from the Town of Mamaroneck Domain and network infrastructure. The network and equipment located at the Fire District is owned by the Town of Mamaroneck. . This policy area is established to ensure compliance with both Town and New York State Security Policies and the Town of Mamaroneck Computer Use Policy. Parameters dictating the use and maintenance of Fire District technology are listed below: • The Mamaroneck Board of Fire Commissioners officially designate the individual responsible for the operations and maintenance of all Town information resources as it relates to their information technology infrastructure. • A master inventory listing of all computer equipment, printers, copiers, workstations, servers, routers, switches, laptops, tablets, email accounts and other peripheral devices must be submitted to the IT Director and updated as changes and replacements are made. • An inventory listing of all software and their licenses must be submitted to the IT Director and updated as changes and replacements are made. • All equipment and software purchased with Town funds and issued to Fire District staff is the property of the Town of Mamaroneck and must be purchased by the IT Director. Designated staff must configure and maintain all equipment and software as per this policy, and their records must be submitted to the IT office periodically for Security Policy conformance. The Town of Mamaroneck recognizes the unique environment with respect to the use of volunteer staff in order to perform its responsibilities. In order to secure Fire District information resources and to comply with this policy, a Public Access network must be created for volunteers using the Fire District network on personal devices. Information Management and Security: Functional Responsibilities of Town Information Management are distributed among all Town officials, employees and consultants accessing Town information resources. The purpose of this policy area is to establish responsibilities of those responsible for the health and safety of all Town electronic information. • The Town of Mamaroneck Town Administrator is responsible for: :• Evaluating and accepting risk on behalf of the Town; • Identifying Town security goals and integrating them into relevant processes; • Supporting the consistent implementation of information security policies and standards; • Supporting security within the Town through clear direction and demonstrated commitment of appropriate resources; • Promoting awareness of information security best practices through the regular dissemination of materials provided by the ISO; • Implementing the process for determining information classification and categorization, based on industry recommended practices, State directives, and legal and regulatory requirements, to determine the appropriate levels of protection for that information; 23 NON-EMERGENCY OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW: Monday - Friday: 9pm - 6am Saturday and Sunday: 6pm - 6am NON-EMERGENCY OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE: President's Day Weekend: Friday, 9pm - Tuesday 6am Memorial Day Weekend: Friday, 9pm - Tuesday 6am Labor Day Weekend: Friday, 9pm - Tuesday 6am Thanksgiving Weekend: Wednesday, 9pm - Monday 6am EMERGENCY OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW: Monday - Friday: 9am - 2pm EMERGENCY OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE: March 15th: Beginning at 9am June 15th: Beginning at 9am September 15th: Beginning at 9am December 15th: Beginning at 9am CRITICAL OPERATIONS SECURITY PATCH UPDATE AND TROUBLESHOOTING MAINTENANCE WINDOW: Monday - Friday: 9pm - 6am Saturday and Sunday: 6pm - 6am CRITICAL OPERATIONS QUARTERLY ROUTINE MAINTENANCE SCHEDULE: Second Wednesday of March: Beginning at 5pm Second Wednesday of June: Beginning at 5pm Second Wednesday of September: Beginning at 5pm Second Wednesday of December: Beginning at 5pm 28 29 Network Configuration: The Town network infrastructure is provided as a central utility for all users of Town Information Resources. It is important that the infrastructure, which includes cabling and the associated equipment such as routers and switches, continues to develop with sufficient flexibility to meet user demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services. The purpose of this policy area is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability, and confidentiality of Town information applies equally to all individuals with access to any Town Information Resource. • The Town of Mamaroneck owns and is responsible for the Town network infrastructure and will continue to manage further developments and enhancements to this infrastructure; • To provide a consistent municipal network infrastructure capable of exploiting new networking developments, all cabling must be installed by a contractor approved by the IT Department; • All network connected equipment must be configured to a specification approved by IT Department; • All hardware connected to the Town network is subject to IT Department management and monitoring standards; • Changes to the configuration of active network management devices must not be made without the approval of the IT Department; • The Town network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by the IT Department; • The networking addresses for the supported protocols are allocated, registered and managed centrally by the IT Department; 30 The purpose of this policy area is to establish the rules for the granting, control, monitoring, and removal of physical access to Information Resource facilities and applies to all individuals within the Town that are responsible for the installation and support of Information Technology, individuals charged with Information Security, and data owners. • The Town of Mamaroneck Server Room is designed to be a "Lights Out" server room. Access is granted only for the purposes of accessing, installing and remediating hardware issues. All physical security systems must comply with all applicable regulations such as, but not limited to building codes and fire prevention codes; • Physical access to the Town Server Room and IT Office must be restricted and managed; • All IT facilities must be physically protected in proportion to the criticality or importance of their function in the Town; • Access to the Server Room and IT Office must be granted only to Town support personnel, and contractors, whose job responsibilities require access to that facility; • The process for granting key and security code access to Information Technology facilities must include the approval from the IT Director and/or Town Administrator; • Access keys and codes must not be shared or loaned to others; • Access keys that are no longer required must be returned to the Building Superintendent. Keys must not be reallocated to another individual bypassing the return process; • Lost or stolen access keys must be reported to the IT Department; • The Server Room and IT office access log must be kept by the IT Department; • The IT Department must review access records for the Server Room and IT Office on a periodic basis and investigate any unusual access; • The IT Department must remove access rights of individuals that change roles within the Town or are separated from their relationship with the Town; • Visitors must be escorted in security code access controlled areas of Information Technology facilities; • The IT Department must review code access rights for the Server Room and IT Office on a periodic basis and remove access for individuals that no longer require access; • Signage for restricted access rooms and locations must be practical, yet minimal discernible evidence of the importance of the location should be displayed; 34 Portable Computing: Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices. The purpose of this policy area is to establish the rules for the use of mobile computing devices and their connection to the network. These rules are necessary to preserve the integrity, availability, and confidentiality of Town information and apply equally to all individuals that utilize Portable Computing devices and access Town Information Resources. • Only Town approved portable computing devices may be used to access Town Information Resources; • Portable computing devices must be password protected; • Town data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all sensitive Town data must be encrypted using approved encryption techniques; • Town data must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized; • All remote access to the Town of Mamaroneck network must be either through an approved modem pool or via an Internet Service Provider (ISP); • Non-Town computer systems that require network connectivity must conform to Town IT Standards and must be approved in writing by the IT Department and the Town Administrator; • Access to Town IR from equipment not owned by the Town must be granted in advance via the Town's Log Me In account to a specific workstation or through a designated VPN connection via the Town's Radius server; • Unattended portable computing devices must be physically secure. This means they must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system. 35 • The IT Department may make hardware resources available for testing security patches in the case of special applications. • The IT Department is responsible to implement Security patches within a reasonable timeframe after notification from Software Company. Software Licensing: End-user license agreements are used by software and other information technology companies to protect their valuable intellectual assets and to advise technology users of their rights and responsibilities under intellectual property and other applicable. The purpose of this policy area is to establish the rules for licensed software use on Town Information Resources laws and applies equally to all individuals that use any Town Information Resources. • The Town of Mamaroneck provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. The IT department must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed in order to conduct official Town business. • Third party copyrighted information or software, that the Town does not have specific approval to store and/or use, must not be stored on Town systems or networks. The IT Department will remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s). • Third party software in the possession of the Town must not be copied unless such copying is consistent with relevant license agreements and prior management approval of such copying has been obtained, or copies are being made for contingency planning purposes. Support Hours: The Town of Mamaroneck IT Department provides 24/7 Desktop and User support via the Town's Help Desk system. Provided within the support process are varying levels of support ranging from basic user credit card processing and workstation troubleshooting to advanced network and systems troubleshooting. The process to alert a Technician is as follows: 1. Open a Help Desk ticket thru the Town's Service Desk Plus system. The alert is received by the Town's IT Director and Information Security Officer and is responded to within one hour. If the issue is deemed to be urgent (based on the priority levels below), the IT Director will either resolve the issue or submit it for escalation with the Towns IT Consultants. Urgency Levels: Emergency -All Systems Down; • Critical - Operational Impact - Credit Card processing issues, software applications critical to department functions such as Rec Trac, Municity, SEI Court, Impact, BEI and KVS not running; High Priority - User Impact - Password reset, email and website issues. 43 44 System Development: The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents, are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents. The purpose of this policy area is to describe the requirements for developing and/or implementing new software in the Town's Information Resources and applies equally to all individuals that use any Town Information Resources. • The IT Department is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) for the Town of Mamaroneck system software applications; • All software applications must have designated Owners and Custodians for the critical information they process. The IT Department must perform periodic risk assessments of the software to determine whether the controls employed are adequate; • All applications must have an access control system to restrict who can access the system as well as restrict the privileges available to these Users. The IT Department is the designated access control Administrator (who is not a regular User on the system in question) which must be assigned for all applications; • Where resources permit, there should be a separation between the administration, user access, and test environments. This will ensure that security is rigorously maintained for the application, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. Likewise, all application software testing must • utilize sanitized information; • All application-program-based access paths other than the formal user access paths must be deleted or disabled before software is deployed to users. Vendor Access: Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs, they correct software and operating systems problems, they can monitor and fine tune system performance, they can monitor hardware performance and errors; they can modify environmental systems, and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to the Town. 45 VIOLATION NOTICE: Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension. Additionally, individuals are subject to loss of Town Information Resources access privileges, and to civil and criminal prosecution. REFERENCES: National/Federal Computer Fraud and Abuse Act of 1986 Computer Security Act of 1987 Copyright Act of 1976 Criminal Justice Information Services (CJIS) Security Policy Electronic Communication Privacy Act Family Education Rights and Privacy Act of 1974Foreign Corrupt Practices Act of 1977 Gramm-Leach-Bliley Act of 1999 HIPPA Information Security Policy Oregon Department of Human Resources Payment Card Industry Data Security Standard San Diego State University Sarbanes-Oxley Act of 2002 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Texas Department of Information Resources Trust Wave Security Policies Uniform Trade Secrets Act State New York State Division of Criminal Services Internet Privacy Policy New York State Office of Cyber Security NYS Arts and Cultural Affairs Act 54 c AFFAIRS OF THE TOWN ITEM 2 Im c NO ATTACHMENT ,�l AFFAIRS OF THE TOWN ITEM 3 ' Town of Mamaroneck Town Center 740 West Boston Post Road, Mamaroneck, NY 10543-3353 OFFICE OF THE TOWN ADMINISTRATOR TO: Stephen Altieri, Town Administrator Nancy Seligson, Town Supervisor Town Board Members FROM: Connie Green O'Donnell, Assistant Town Administrator DATE: June 15, 2017 SUBJECT: Authorization to Appoint a Town Engineer TEL: 914/381-7810 FAX: 914/381-7809 townadniinistrator@townofmamaroneck.org Authorization is requested to appoint Robert Wasp to the position of Town Engineer at an annual salary of $115,000. If approved, an agreed upon start date will be determined. There are sufficient funds in the 2017 salary budget due to the position having been vacant since December 2016. Mr. Wasp will be classified as a provisional employee in that title and will be required to take a Civil Service test for the position. In order for him to serve the required probationary period, he will need to attain a score, equal to or higher than the third highest ranking eligible on the list. Currently Mr. Wasp is a licensed Professional Engineer (PE) and works for a reputable engineering firm as a Project Engineer. He has been employed by the firm since 2007. In this position, he serves as a consulting engineer for various towns and villages in Westchester County. He has extensive experience in reviewing Environmental Impact Statements (EIS), site plan applications and environmental permits, drafting environmental resolutions, reviewing projects under the State Environmental Quality Review and preparing Negative Declarations. In addition, he has assisted with grant funding applications, preparing supporting design drawings and estimates, drafting revisions and providing engineering input for municipal code updates. As Town Engineer he will be responsible for the construction and maintenance of roads, bridges, buildings and structures and will issue permits to utility companies and private contractors for street openings, sidewalk, curb and gutter construction. He will prepare designs and surveys, develop project cost estimates and directly supervise project work to ensure compliance with plan design specifications. He will assist in the preparation of contracts and bid documents and oversee the bid evaluation process for selecting contractors for Town projects and will assume the role of project manager. In addition, he will manage all Town engineering projects, from inception to completion, and will serve as a consultant to Town officials regarding engineering matters. ACTION REQUESTED: That the Town Board appoint Robert Wasp to the provisional position of Town Engineer at an annual salary of $115,000. ow dill Printed on Recycled Paper AFFAIRS OF THE TOWN ITEM 4 ' = Town of Mamaroneck Town Center 740 West Boston Post Road, Mamaroneck, NY 10543-3353 OFFICE OF THE TOWN ADMINISTRATOR TO: Stephen Altieri, Town Administrator Nancy Seligson, Town Supervisor Town Board Members FROM: Connie Green O'Donnell, Assistant Town Administrator DATE: June 15, 2017 SUBJECT: Authorization to Appoint a Motor Equipment Operator II TEL: 914/381-7810 FAX: 914/381-7809 townadministrator@townofmamaroneck.org Authorization is requested to appoint Joseph Giordano to the full-time position of Motor Equipment Operator (MEO) II in the Highway Department effective June 22, 2017 at an annual salary of $70,241. This position is vacant due to a recent retirement. Since the 2017 budget reflects this position being paid at a higher step in the CSEA Salary Schedule there will be a savings. Mr. Giordano started working for the Town's Highway Department as a seasonal Laborer in June 2007. During the next four years he held various part-time and seasonal positions in the Highway and Recreation Departments. During this time he attended John Jay College of Criminal Justice. In January 2012 he was hired as a full-time Laborer and later promoted in May 2015 to Skilled Laborer. In his current position, Mr. Giordano gained experience working with heavy automotive equipment and has developed a thorough knowledge of the operation of equipment and safety standards. He has proven to be a dedicated and conscientious employee always willing to assist others and executes assignments in an efficient and timely manner. Based on Mr. Giordano's excellent work performance, willingness to learn new tasks and ability to work extremely well with co-workers, Lou Martirano, Superintendent of Highways, it recommending that he be appointed to the position of MEO II. ACTION REQUESTED: That the Town Board approve the appointment of Joseph Giordano to the position of Motor Equipment Operator II effective June 22, 2017 at an annual salary of $70,241. �i«i Printed on Recycled Paper AFFAIRS OF THE TOWN ITEM 5 c. Town Board Agenda Memorandum To: Town Administrator Stephen Altieri From: Jill Fisher, Recreation Superintendent Date: June 13, 2017 Meeting Date: June 21, 2017 Subject: Extension of Current License Agreement — Slapshot Cafe' I would like to request consideration for a one year extension for the Slapshot Cafe' Concession Agreement. The current License Agreement with Mr. Gus Lucas of Slapshot Cafe' is scheduled to terminate on September 15, 2017. The contract currently provides for the Town to grant a one year extension. Rob Lunde and I are in agreement that a one year extension will allow us some additional time to establish a Capital Improvement Plan for the concession area prior to putting out a new RFP. Mr. Gus Lucas has operated the concession at the Hommocks Park Ice Rink/Pool for twenty plus years and I feel confident that he would continue to provide quality concession services to our patrons during this time. The current annual rent is $31,250. Mr. Lucas has requested a decrease in his rent to $26,000 on the basis that the rink general admissions have seen a recent decline and the Town has been more lenient on allowing pool patrons to bring small personalized coolers into the pool complex during the summer. Recommended Town Board Action: Therefore, I would propose to amend and extend the current License Agreement for Mr. Gus Lucas, Slapshot Cafe' until September 15, 2018 at a reduced annual rental rate of $26,000 subject to approval of the form of Agreement by Town Counsel. AFFAIRS OF THE TOWN ITEM 6 V • •q , Town of Mamaroneck � '`x Town Center 740 West Boston Post Road, Mamaroneck, NY 10543-3353 TEL: 914/381-7810 OFFICE OF THE TOWN ADMINISTRATOR FAX: 914/381-7809 townadministrator@townofinamaroneck.org Memorandum To: Supervisor & Town Board Re: Authorization — Transfer of Funds — Workers Compensation Settlement Date: June 14, 2017 At the June 7th Town Board Meeting, the Town Board authorized the settlement of the indemnity portion of a workers compensation claim for a Town Police Officer. The amount of the settlement is $120,000.00. The terms and conditions of the settlement are outlined in the attached memorandum from our Workers Compensation carrier, PERMA. It is now necessary to authorize the transfer of funds for the payment of the settlement. ACTION REQUESTED: THAT THE TOWN BOARD AUTHORIZE A TRANSFER OF FUNDS IN THE AMOUNT OF $120,000 IN ACCORDANCE WITH THE ATTACHED SCHEDULE AS PREPARED BY THE TOWN COMPTROLLER FOR THE SETTLEMENT OF THE INDEMNITY PORTION OF A WORKERS COMPENSATION CLAIM FOR A TOWN POLICE OFFICER. Stephen V. Altieri Town Administrator SETTLEMENT OF EDMONDS V. TOWN OF MAMARONECK TO: STEVE ALTIERI FROM: RICH HAYES SUBJECT: SETTLEMENT REQUEST- $120,000 DATE: 4/18/2017 CC: JEFF VAN DYK, DARLENE GARCIA, ASHLEY SHUMWAY We are requesting indemnity only settlement authority in the amount of $120,000.00. As the claim is part of the PERMA 207 coverage, the Town would be responsible for the reimbursement of any indemnity settlement paid. On September 21, 2012, Mr. Edmonds, a Police Detective for the Town of Mamaroneck, was involved in a motor vehicle accident striking his vehicle into a tree. Initially the claimant treated conservatively for injuries to the neck, left shoulder, left elbow and back with little improvement. An MRI to the neck and back where completed in 2012 and both were positive for disc herniations. Furthermore the left shoulder MRI was positive for a tendinosis. The claimant returned to work approximately three months after the injury on restricted duty. The claimant continued working restricted duty for approximately four months along with ongoing back treatment, including injections. In May 2013, the treating physician requested lumbar decompression surgery be completed. After independent medical review, surgery was approved and completed in June of 2013. In March of 2015 left shoulder surgery was completed. He has been unable to return to work since May 2013. The claimant received a regular retirement in January of 2016 therefore wages were suspended accordingly. Most recently, Mr. Edmonds was approved for accidental disability retirement opening up the potential for future indemnity exposure. Mr. Edmonds, 47, had an average weekly wage of $3,415.52. The claimant was classified in September 2016 with a 75% loss of wage earning capacity. The award equals 400 weeks of benefits at $792.07 per week for a total of $316,828.00. Payments are owed but have not started as the award was held in abeyance at the request of the claimant. The $120,000.00 settlement, if approved, will result in $196,828 in savings for the amount due in workers' compensation payments for the Town. Medical benefits would remain open and paid under the Town's workers' compensation policy with PERMA. Please let me know if you have any questions. BUDGET AMENDMENT - INCREASE 2017 PART TOWN FUND BUDGET ( 6/21/2017 TOWN BOARD MEETING PART TOWN (FUND B): INCREASE BUDGET: B.0000.5995 APPROPRIATED FUND BALANCE $ 120,000.00 B.9000.9041 WORKERS' COMP - POLICE $ 120,000.00 " REPRESENTS ANTICIPATED USAGE OF PART TOWN FUND UNRESERVED FUND BALANCE TO FUND THE WORKERS' COMPENSATION INDEMNITY ONLY SETTLEMENT TO DONN EDMONDS PREVIOUSLY APPROVED BY RESOLUTION OF TOWN BOARD ON JUNE 7, 2017 ORIGINAL BUDGET- B.9000.9041 $ 218,700.00 BUDGET AMENDMENT - R.O.B. 06121/2017 $ 120,000.00 REVISED BUDGET AS AMENDED 06121/2017 $ 338,700.00 AFFAIRS OF THE TOWN ITEM 7 I Town Board Agenda Memorandum To: Town Administrator Stephen Altieri From: Anna Danoy Date: 5/25/2017 Meeting Date: 6/21/2017 Subject: Westchester County Transportation Services Contracts for 2017 The Westchester County Department of Senior Programs and Services contracts offering Federal funding to the Town of Mamaroneck under the Title IIIB 2017 Transportation Services for senior citizens have been received and completed for your review. The Title IIIB contract funds the Senior Bus service to and from the senior center, grocery shopping and special trips, and the Ford Transit transportation to medical appointments. The funding level is the same as that of 2016, and the breakdown is as follows: HM Federal Funds: Town Match: $ 8,172 $ 5,679 An additional contract under the New York State AAA Transportation Program effective 4/1/17 through 3/31/18 has been received and completed for your review. The funding level for this contract in the amount of $2,456 is approximately 30% higher than last year's amount of $1,725. This funding is used to cover the cost of fuel for the Senior Citizen Transportation Services. I am requesting that the Town Board approve the contract and authorize you to sign the contracts for the period 1/1/2017 —12/31/2017, as well as the contract for 4/1/17-3/31/18. t West-d-lester PA!('111 Robert P. Astorino County Executive Department ofSenior Program.; and Sej-bees Rlae Carpenter ( onumxsioner April 3, 2017 Ms. Anna Danoy Director of Community Services & Housing Town of Mamaroneck 740 West Boston Post Road Mamaroneck, NY 10543 RE: Title III -B Transportation Services Contract, PY 2017 Dear Ms. Danoy: Attached is an electronic blank copy of the Title III -B Transportation Services contract, The contract is comprised of an Agreement and Schedules "A°, "B" and "C and will cover the program period commencing on January 1, 2017 and continuing through December 31, 2017. Funding for the program will be in an amount not to exceed 8,172.00 for actual services provided and data entered in the NYSOFA Client Statewide Data System: PeerPlace with the Town of Mamaroneck required to contribute $5,679.00 in matching funds to the Program. The Department may reduce the amount payable to its contractors if the New York State Office for the Aging reduces the Department's Federal and/or State funding, in which case you will be notified. The Department is continually looking for ways to streamline contracts in an effort to improve efficiencies and to make the contract process less onerous for our contractors. To that end, the Department will no longer be including the following budget pages in Schedule "B" for renewal contracts that are reimbursed based on a negotiated unit cost, as these pages would have already been provided in the original contracts: • Sample Personnel Gross Unit Cost Worksheet • Personnel Gross Unit Worksheet • Supporting Budget Schedule • Budget Summary However, your agency is still required to provide this information if and when the department requests it. Blank copies of the budget pages are available upon request to keep track of this information for your records. 9 South Fik.,t Avenue. 10"� Floor /Mount Vernon. Nc•n fork 10550-3 4 1 4 Telephone: (914)613-6400 Fax: (914)613-6399 1V•ehxite: wwtc.weslrhesterKov.com Additionally, we are now e -mailing contracts in an effort to expedite the delivery of contracts to our contractors. This allows you to have an electronic copy on hand in the event that you need to reprint a page without having to wait for it to be sent through the postal service. You MUST use the original contract documents that we have provided. NO ALTERATIONS may be made to the contract without the prior consent of the Dept. With the exception of the applicable Excel Pages, DO NOT fill out the contract electronically as we want to maintain the integrity of the document. Noncompliance with these requests will result in the contract returned to your agency. Printout a hard copy of the contract and fill it out making sure that where signatures are required on all documents that they are original. Return the ENTIRE originally signed contract to me at the address in the footer below. Contracts with COPIED signatures are unacceptable. We also suggest that you keep a completed copy of the contract for your records. Please refer to the "Standard Insurance Provisions" on pages 5 and 6 of Schedule "A" for detailed information regarding ALL required insurances. Contracts will be on hold pending receipt of any missing insurance form, Remember to list Westchester County as an Additional Insured on the Certificate of Liability Insurance. Transportation Program Contractors are required to mail in the completed PeerPlace MONTHLY REPORT signed by the staff member responsible for the report. The reports should be received by the County no later than the tenth (10th) day of the following month. The County reserves the right to withhold payment to Contractor for its failure to submit the monthly report by the deadline until the monthly report is received by the County. Please direct program -related questions to your program liaison Meleita Jones at 914-813- 6420. You may also contact me at 914-813-6058 or via e-mail at ssj3@westchestergov.com for questions pertaining to the processing of the contract. Sincerely, 61 K., Sharon Johnson Program Administrator Encl. THiS AGREEMENT made this S_1_ day of J..31'1 ci , 20aby and between: THE COUNTY OF WESTCHESTER, a municipal corporation of the State of New York, having an office and place of business in the Michaelian Office Building, 148 Martine Avenue, White Plains, New York, 10601 (hereinafter referred to as the "County") and r i ix Tow ig o 1-i+�ii/Cl��/11'%`'1CC 1c-- a municipal corporation organized under the laws of the State of New York, having an office and principal place of business at --W 666+66 Pbc& i oCA (hereinafter referred to as the "Contractor") WITNESSETH: WHEREAS, the County has been awarded a grant by the New York State Office for the Aging pursuant to Title ill -B of the Older Americans Act to provide Nutrition Site 'Transportation and Supportive Services Transportation to elderly residents of the County (the "Program"): and WHEREAS, the Contractor desires to perform said services upon the terms and conditions hereinafter set forth, and the County desires the Contractor to perform said services upon such teens and conditions. NOW, THEREFORE, in consideration of the teens, conditions, covenants, and agreements contained herein, the parties agree as follows: The Contractor shall provide the Program. as more particularly described in Schedule "B." which is attached hereto and made a part hereof (the "Work"). The Contractor shall also comply with the terms in Schedule "A." which is attached hereto and made a part hereof'. All Work must be performed in accordance with the terns of the approved Standard Assurances in the Four Year Plan and Annual Implementation Plan (collectively the "Plan) attached hereto and made a part hereof in the form of Schedule "C." it is expressly understood and agreed by the parties hereto that all schedules to this Agreement are subject to the approval of'and modification by the New York State Office for the Aging ("NYSOFA") and the County, as necessary. The Contractor warranties that services shall be provided in an accurate and timely manner without interruption, failure or error due to inaccuracy of the service's or produces operations in processing date/time data (including but not limited to calculating, comparing, and sequencing) various time/date transitions including leap year calculations. The Contractor accepts responsibility for damages resulting from any delays, errors or untimely performances resulting therefrom, including but not limited to the failure or untimely performance of such services. 2. For the Work to be performed pursuant to Paragraph "I," the Contractor shall be paid an amount not to exceed $8,172.00, payable on a monthly basis, at the unit cost amount indicated in Schedule "13" for actual services provided as data entered in the NYSOFA Client Statewide Data System ("PEER PLACE") or other NYSOFA approved electronic reporting system, after the County has received approval from NYSOFA and the County has received any and all supporting documentation the County may require and the same has been approved by the Commissioner of the Department of Senior Programs and Services or her duly authorized designee (the "Commissioner"). The County may, in its discretion, if it shall deem such payment to be required in furtherance of the Program, pay the Contractor prior to receipt of payment or approval therefore by NYSOFA, provided that, in the event NYSOFA subsequently fails or refuses to pay the County, or if such expense is not a proper expenditure under the Program, the Contractor shall reimburse the County for such payment made to the Contractor, or, the County, in its discretion, may deduct such amount from future payments due and owing the Contractor under this Agreement. 77te Contractor shall contribute $5,679.00 to the Work, as a match. Any and all requests for payment to be made, including any requests for partial payment made in proportion to the Work completed, shall be submitted by the Contractor on properly executed payment vouchers of the County and paid only after approval by the Commissioner. All payment vouchers must be accompanied by a numbered invoice and/or the appropriate required back-up documentation approved by the Department of Senior Progn•ams and Services. All invoices submitted during each calendar year shall utilize consecutive numbering and be non -repeating. In no event shall final payment be made to the Contractor prior to the completion of all services, the submission of reports and the approval of same by the Commissioner. The Contractor shall, at no additional charge, fwnish all labor, services, materials, goods, equipment and any other things necessary to complete the Work, unless specific additional charges are expressly permitted under this Agreement. It is recognized and understood that even if specific additional charges are expressly pennitted under this Agreement, in no event shall total payment to the Contractor exceed the not -to -exceed amount set forth above. Except as othcrwise expressly stated in this Agn-eement, no payment shall be made by the County to the Contractor for out of pocket expenses or disbursements made in connection with the services rendered or the work to be performed hereunder. 3. Prior to the making of any payments hereunder, the county may, at its option, audit such books and records of the Contractor as are reasonably pertinent to this Agreement to substantiate the basis for payment. The County will not withhold payment pursuant to this paragraph for more than thirty (30) days after payment would otherwise be due pursuant to the provisions of this Agreement, unless the County shall find cause to withhold payment in the course of such audit or the Contractor fails to cooperate with such audit. The County shall, in addition, have the right to audit such books and records subsequent to payment, if such audit is commenced within one year following termination of this Agreement. In addition to any general audit rights to which the County may be entitled hereunder, the County also reserves the right to audit the Contractor's performance under this Agreement. Such audit may include requests for documentation or other information which the Commissioner may, in her discretion, deem necessary and appropriate to verify the information provided by the Contractor as required by Paragraph "4." The County may also make site visits to the locations) where the services to be provided under this Agreement are performed in order to review Contractor's records, observe the performance of services and/or to conduct interviews of staff and patrons, where appropriate and not otherwise prohibited by law. The Contractor agrees to maintain appropriate records and to retain them for at least six years atter final payment is made. The Contractor agrees to provide access to all books, documents and all pertinent materials related to the contract for examination to authorized representatives of the Administration on Aging/Adninistration for Community Living (AOA/ACL) of the United States Department of Health and l luman Services (-I HIS-). the New York State Comptroller or his representatives, staff of NYSOFA, and/or the County. 4. The term of this Agreement shall commence on January 1, 2017 and expire on December 31. 2017, unless tenninated sooner pursuant to the provisions hereof. The Contractor shall report to the County ort its progress toward completing the Work. as the Commissioner may request, and shall immediately inform the Commissioner in writing of any cause for delay in the performance of its obligations under this Agreement. S. The parties recognize and acknowledge that the obligations of the County under this Agreement are subject to the Countr's receipt offunds From NYSOFA to operate the Program, and that no liability shall be incurred by the County beyond the monies made available from NYSOFA for this Agreement. The Contractor agrees that the County shall not be liable For any of the payments hereunder unless and until the County Commissioner of Finance has received said funds or said funds have been made available to said commissioner. If, for any reason, the full amount of said funds is not paid over or made available to the County by NYSOFA, the County may terminate this Agreement immediately or reduce the amount payable to the Contractor, in the discretion of the County. The County shall give prompt notice of any such termination or reduction to the Contractor. If the County subsequently offers to pay a reduced amount to the Contractor, then the Contractor shall have the right to terminate this Agreement upon reasonable prior written notice. In addition, the parties recognize and acknowledge that the obligations of the County under this Agreement are subject to annual appropriations by its Board of Legislators pursuant to the Laws of Westchester County. Therefore, this Agreement shall be deemed executory only to the extent of the monies appropriated and available. The County shall have no liability under this Agreement beyond funds appropriated and available for payment pursuant to this Agreement. The parties understand and intend that the obligation of the County hereunder shall constitute a current expense of the County and shall not in any way be construed to be a debt of the County in contravention of any applicable constitutional or statutory limitations or requirements concerning the creation of indebtedness by the County, nor shall anything contained in this Agreement constitute a pledge of the general tax revenues, funds or moneys of the County. The County shall pay amounts due under this Agreement exclusively from legally available funds appropriated for this purpose. The County shall retain the right, upon the occurrence of the adoption of any County Budget by its Board of Legislators during the tern of this Agreement or any amendments thereto, and for a reasonable period of time after such adoption(s), to conduct an analysis of the impacts of any such County Budget on County finances. After such analysis, the County shall retain the right to either terminate this Agreement or to renegotiate the amounts and rates set iorth herein. If the County subsequently offers to pay a reduced amount to the Contractor, then the Contractor shall have the right to tenninate this Agreement upon reasonable prior written notice. This Agreement is also subject to further financial analysis of the impact of any New York State Budget (the "State Budget") proposed and adopted during the term of this Agreement. The County shall retain the right, upon the occurrence of any release by the Governor of a proposed State Budget and/or the adoption of a State Budget or any amendments thereto, and for a reasonable period of time after such release(s) or adoption(s), to conduct an analysis of the impacts ofany such State Budget on County finances. After such analysis, the County shall retain the right to either terminate this Agreement or to renegotiate the amounts and rates approved herein. If the County subsequently offers to pay a reduced amount to the Contractor, then the Contractor shall have the right to tenninate this Agreement upon reasonable prior written notice. 6. The Contractor shall comply, at its own expense, with the provisions of all applicable Federal, State and local laws, regulations, rules, executive orders, policies, orders, notices, and related guidance, as such provisions may be amended from time to time. (such Federal provisions being "Federal Requirements"). In addition, the Contractor shall cause to be prominently posted, on the site where services hereunder are to be provided, a statement regarding non-discrimination, which statement shall be similar in form to the following: "In compliance with Section 504 of the Rehabilitation Act of 1975 and Title VI of the 1964 Civil Rights Act and New York State Executive Law and orders, no persons will be denied service or access to service based upon race, creed, color, national origin, religion, marital status, sexual orientation, genetic predisposition, carrier status, or handicapping condition." Without limiting any of the foregoing, the Contractor specifically agrees to the following: (a) Regarding access to records and access to sites where the Work is performed: i) in compliance with 45 C.F.R. 75.364(a), the Contractor agrees to provide the County, HHS and its awarding agency, the Comptroller General of the United States, any inspectors general, or any of the duly authorized representatives of any of these listed parties, access to any documents, papers, or other records which are pertinent to this Agreement in order to make audits, examinations, excerpts, and transcripts, as well as provide timely and reasonable access to the Contractor's personnel for the purpose of interview and discussion related to such documents. The Contractor agrees to allow the above -listed parties to reproduce, excerpt, and/or transcribe such documents, papers, and other records by any means whatsoever. The Contractor also agrees to allow the above -listed parties such other access to records as may be necessary for compliance with applicable Federal Requirements. ii.) In accordance with 45 C.F.R. 75.364(c), all of the above-described rights of access to records shall last for as long as the records are retained by the Contractor. The Contractor shall retain all such records for at least as long as is required under 45 C.F.R. 75.361. iii.) in compliance with 45 C.F.R. § 75.342(e), the Contractor agrees to permit HHS to make site visits as needed. (b) Regarding recovered materials: i.) The Contractor agrees to comply with all applicable requirements of 45 C.F.R. 75.331: Section 6002 of the Solid Waste Disposal Act, as amended by the Resource Conservation and Recovery Act and as further amended (42 U.S.C. § 6962); 40 C.F.R. Part 247, the United States Environmental Protection Agency's "Comprehensive Procurement Guideline for Products Containing Recovered Ma(erials": and Executive Order 12873. (c) Regarding the procurement of' subcontracts finance in whole or in pan with the Funds: i.) The Contractor agrees to comply with 45 C.F.R. 75.330 in procuring any subcontract financed in whole or in part with the Funds. (d) The Contractor agrees to comply with andor assist the County in complying with any and all applicable requirements of HHS. The Contractor hereby represents and warrants that it has all information it needs regarding the Federal Requirements concerning reporting, patent rights, copyrights, and rights in data, and the Contractor understands and acknowledges that all such requirements and regulations are hereby incorporated into this Agreement by reference, and shall prevail over any conflicting tenni(s) of this Agreement. The Contractor understands that the County has relied upon all materials and representations it has provided to the County concerning the Work and this Agreement in, a.) considering, among other things, whether the Contractor is capable of successfully performing under the terms and conditions of this Agreement; the Contractor's integrity and ethics; whether executing this Agreement with the Contractor is in compliance with public policy; the Contractor's record of past performance; and the Contractor's financial, administrative. and technical resources and capacity. b.) consequently determining that the Contractor is a responsible contractor, and c.) awarding this Agreement to the Contractor. It is the intent and understanding of the County and Contractor that each and every provision required by law, contract, or other proper authority to be included in this agreement shall, for all intents and purposes, be considered and deemed included herein. The Contractor understands and acknowledges that for each and every such provision that has, through mistake or otherwise, either not been inserted in writing or been inserted in writing in an incorrect form. the Contractor hereby consents to amending this agreement in writing, upon receipt of notice from the County, for the purpose of inserting or correcting the provision in question. 7. The Contractor expressly agrees neither it nor any contractor, subcontractor, employee or any other person acting on its behalf shall discriminate against or intimidate any employee or other individual on the basis of race, creed, religion, color, gender, age, national origin, ethnicity, alienage or citizenship status, disability, marital status, sexual orientation, familial status, genetic predisposition or carrier status during the term of or in connection with this Agreement, as those teens may be defined in Chapter 700 of the Laws of Westchester County or Section 291 of the New York State Human Rights Law. The Contractor acknowledges and understands that the County maintains a zero tolerance policy prohibiting all turns of harassment or discrimination against its employees by co-workers,"supervisors. vendors, contractors, or others. 8. (a) There shall be no partisan political activity in connection with this Agreement, including (i) candidate endorsements (ii) registration activities which are partisan in nature (iii) scheduled meetings of services recipients with public officials or candidates unless event is open on an equal basis to all candidates and officials regardless of policy views or partisan affiliation. This does not preclude the legitimate right of elected officials and other community leaders to visit programs in their areas. (b) The Contractor shall refrain and prevent the use by others under its control of official authority, influence or coercion to interfere with or affect elections or nominations for political office. (c) The Contractor shall refrain from and prohibit any others receiving funds under this Agreement from attempting to coerce or advise other persons to contribute anything of value to a party, committee, organization, agency or person for political purposes, nor engage in any other partisan activities under its auspices. The Contractor shall refrain from using funds to advance any partisan effort. (d) The Contractor shall ensure that any services to be provided under this Application shall be secular in nature and scope and in no event shall there be any sectarian or religious services, counseling, proselytizing, instruction or other sectarian, religious influence undertaken in connection with the provision of such services. The Contractor shall refrain from using funds to advance any sectarian effort. 9. (a) The Contractor acknowledges (i) that this Agreement may be funded in whole or in part ith funds to be provided to the County under State or Federal program grants, (ii) that the County cannot insure that all of such funds as are presently earmarked by the County for use in connection with this Agreement will ultimately be delivered to the County by the relevant grantor, and (iii) that the County's obligation to pay the Contractor for expenditures which are to be reimbursed with such funds extends only to the extent that such funds are actually received by the County. (b) The County shall have the right to terminate or modify this agreement based on changes in the availability of State and/or Federal Funds. 10. (a) As a material element of this Agreement, the Contractor agrees to fully comply with the provisions required by NYSOFA concerning equal access to services, non-discrimination and concentration of services on target populations, as more fully set forth in the Plan. (b) Attached hereto and forming a part of Schedule "A" is Ilse "Participant Contribution Standards." The Contractor shall provide participants an opportunity to voluntarily contribute to the cost of the service received, as appropriate. The Contractor shall use all collected contributions to expand the service for which the contributions were given to supplement the funds receiNed under the Older Americans Act (OAA). (c) The Contractor shall assist participants in taking advantage of benefits under other programs and assure that the services provided are coordinated and do not unnecessarily duplicate services provide by other sources. 1 1. Statistical information and supporting documentation concerning the Work conducted hereunder shall be provided to the County by the Contractor on request of the County. The Contractor shall provide the County with timely information needed to satisfy reporting requirements as specified by NYSOFA. Documentation of reports and expenses shall include, without limiting the right to require additional documentation: invoices for all purchases, payroll time records, payroll records for local support contribution, municipal payment vouchers for governmental agencies and canceled checks for private agencies, as required. The Programmatic monthly reporting system for Service Delivery Information and Service Recipient Information must be submitted electronically in PEERPLACE or other NYSOFA approved electronic reporting system. The Department of Senior Programs and Services will notify those contractors that are exempt from submitting their reports through PEERPLACE. Until further notice, all Contractors are required to mail in the PEERPLACE MONTHLY ELEC:TRONiC PAPER REPORT and/or other approved reporting measure, signed by the staff member responsible for the report. The reports should be received by the County no later than the tenth (10th) day of the following month and/or entered on the website at the same time. The Contractor understands and agrees that submission of the monthly report by the deadline set forth above constitutes a material element of this Agreement. The County reserves the right to withhold payment to Contractor for its failure to submit the monthly report by the deadline, until such time as the monthly report is received by the County. Repeated failures by Contractor to submit the monthly report by the stated deadline will constitute a material breach of this Agreement .justifying termination for cause as provided in Paragraph "17" hereof. The Contractor shall furnish the County with copies of all insurance certificates, food contracts, rental agreements, and transportation agreements relating to the services provided by the Contractor hereunder, as applicable. 12. The Contractor agrees to procure and maintain insurance naming the County as additional insured, as provided and described in Schedule "A.- entitled "Standard Insurance Provisions." which is attached hereto and made a part hereof. In addition to, and not in limitation of, the insurance provisions contained in Schedule "A." the Contractor agrees: (a) that except for the anwunt, ifany, of damage contributed to, caused by, or resulting from the negligence of the County, the Contractor shall indemnify and hold harmless the County, its officers, employees, agents, and elected officials from and against any and all liability, damage, claims, demands, costs, judgments. fees, attorney's fees or loss arising directly or indirectly out of the performance or failure to perform hereunder by the Contractor or third parties under the direction or control of the Contractor; and (b) to provide defense for and defend, at its sole expense, any and all claims, demands or causes of action directly or indirectly arising out of this Agreement and to bear all other costs and expenses related thereto. 13. The Contractor agrees that any Program, public information materials, or other printed or published materials on the work of the Program which is supported with Title 111-13 funds will give due recognition to NYSOFA, the Westchester County Department of Senior Programs and Services, and HHS. 14. The Contractor shall be solely responsible for any over expenditure of funds and the County shall not be responsible for any over expenditure. 15. The Contractor shall provide adequate qualified and trained personnel for supervision and fiscal management of the Program. 16. The Contractor and the County agree that the Contractor and its officers, employees, agents, contractors, consultants and/or subcontractors are independent contractors and not employees of the County or any department, agency or unit thereof. In accordance with their status as independent contractors, the Contractor covenants and agrees that neither the Contractor nor any of its officers, employees, agents, contractors, consultants, and/or subcontractors will hold themselves out as, or claim to be. officers or employees of the County or any department, agency or unit thereof. 17. (a) The County, upon ten (10) days' notice to the Contractor. may terminate this Agreement L- in whole or in part when the County deems it to be in its best interest. I❑ such event, the Contractor shall be compensated and the County shall be liable only for payment for services already rendered under this Agreement prior to the effective date of'tennination at the rates specified in Schedule -B.- Upon receipt of notice that the County is terminating this Agreement in its best interests, the Contractor shall stop work immediately and incur no further costs in furtherance of this Agreement without die express approval of the Commissioner, and the Contractor shall direct any approved subcontractors to do the same. In the event of dispute as to (lie value of the work rendered by the Contractor prior to the date of 9 termination, it is understood and agreed that the Commissioner shall detennine the value of such Work rendered by the Contractor. The Contractor shall accept such reasonable and good faith determination as final. (b) In the event the County detennines that there has been a material breach by the Contractor of any of (lie tens of the Agreement and such breach remains uncured for foray -eight (48) hours after service on the Contractor of written notice thereof, the County, in addition to any other right or remedy it might have, may terminate this Agreement and the County shall have the right, power and authority to complete the Work provided for in this Agreement, or contract for its completion, and any additional expense or cost of such completion shall be charged to and paid by the Contractor. Without limiting the foregoing, upon written notice to the Contractor, repeated breaches by the Contractor of duties or obligations under this Agreement shall be deemed a material breach of this Agreement justifying termination for cause hereunder without requirement for further opportunity to cure. 18. Failure of the County to insist, in any one or more instances, upon strict performance of any tern or condition herein contained shall not be deemed a waiver or relinquishment of such tern or condition, but the same shall remain in full force and effect. Acceptance by the County of any of the Work or the payment of any fee or reimbursement due hereunder with knowledge of a breach of any tern or condition hereof, shall not be deemed a waiver of any such breach and no waiver by the County of any provision hereof shall be implied. 19. If equipment costing One Thousand Dollars ($1,000) or more is purchased with any Federal or State funds provided under this Agreement, at the end of this Agreement, the County reserves the right to require that the Contractor turn the equipment over to the County. The Contractor understands, acknowledges, and agrees that it shall have no ownership interest in such equipment. 20. All notices of any nature referred to in this Agreement shall be in writing and either sent by registered or certified mail postage pre -paid, or sent by hand or overnight courier, or sent by facsimile (with acknowledgment received and a copy of the notice sent by overnight courier). to the respective addresses set forth below or to such other addresses as the respective parties hereto may designate in writing. Notice shall be effective on the date of receipt, To the County: Commissioner Department of Senior Programs and Services 9 South First Avenue, 10th Floor Mount Vernon, New York 105.50-3414 With a copy to: County Attorney Michaelian Office Building, Room 600 148 Martine Avenue White Plains, New York 10601 To the Contractor: -Town fi NII W- rb1 CCL Post Kwct 21. The Contractor represents and warrants that it has not employed or retained any person, other than a bona fide full time salaried employee working solely for the Contractor, to solicit or secure this agreement, and that it has not paid or agreed to pay any person (other than payments of fixed salary to a bona tide full time salaried employee working solely for the Contractor), any fee, commission, percentage, gift or other consideration, contingent upon or resulting from the award or making of this agreement. For the breach or violation of this provision, without limiting any other rights or remedies to which the County may be entitled or any civil or criminal penalty to which any violator may be liable, the County shall have the right, in its discretion, to terminate this agreement without liability, and to deduct from the contract price, or otherwise to recover, the full amount of such fee, commission, percentage, gift or consideration. 22. 'lliis Agreement and its attachments constitute the entire Agreement between the parties with respect to the subject matter hereof and shall supersede all previous negotiations, commitments and writings. It shall not be released, discharged, changed or modified except by an instrument in writing, signed by a duly authorized representative of each of the parties. 23. The Contractor shall ensure that where the State or local public jurisdiction requires licensure or certification for the provision of social services, the Contractor and its approved subcontractors providing such services under the approved the Plan shall be so licensed or certified. Workers delivering services must be appropriately qualified, selected trained and supervised. 24. All records or recorded data of any kind compiled by (lie Contractor in completing the Work described in this Agrreement, including but not limited to written reports, studies, drawings. blueprints, computer printouts, graphs, charts, plans, specifications and all other similar recorded data, shall become and remain the property of the County. The Contactor may retain copies of such records for its own use and shall not disclose any such information without the express Written consent of the Commissioner. The County shall have the right to reproduce and publish such records, if it so desires, at no additional cost to the County. Notwithstanding the foregoing, all deliverables created under this Agreement by the Contractor are to be considered "works made for hire." If any of the deliverables do not qualify as "works made for hire," the Contactor hereby assigns to the County all right, title and interest (including ownership of copyright) in such deliverables and such assignment allows the County to obtain in its name copyrights, registrations and similar protections which may be available. The Contractor agrees to assist the County, if required, in perfecting these rights. The Contractor shall provide the County with at least one copy of each deliverable. The Contractor agrees to defend, indemnify and hold harmless the County for all damages, liabilities, losses and expenses arising out of any claim that a deliverable infringes upon an intellectual property right of a third party. If such a claim is made, or appears likely to be made, the Contractor agrees to enable the County's continued use of the deliverable, or to modify or replace it. If the County determines that none of these alternatives is reasonably available, the deliverable may be returned. 25. The Contractor shall not delegate any duties or assign any of its rights under this Agreement without the prior express written consent of the County. The Contractor shall not subcontract any part of' the Work without the written consent of the County, subject to any necessary legal approvals. Any purported delegation of duties, assignment of rights or subcontracting of Work under this Agreement without the prior express written consent of the County is void. All subcontracts that have received such prior written consent shall provide that subcontractors are subject to all terms and conditions set forth in this Agreement. It is recognized and understood by the Contractor that for the purposes of this Agreement, all Work performed by a County -approved subcontractor shall be deemed Work perl'ornted by the Contractor and the Contractor shall insure that such subcontracted work is subject to the material terns and conditions of this Agreement. if the Contractor enters into subcontracts for the performance of work pursuant to this contract. the Contractor shall take full responsibility for the acts and omissions of its subcontractors. Nothing in the subcontract shall impair the rights of the County under this contract or the Area Agency Plan as approved by NYSOFA. h shall be the responsibility of the Contractor to monitor and assess the activities performed under such subcontracts, and to ensure that these activities are provided in accordance with all applicable requirements contained in this contract and federal and state law. The Contractor agrees that, to the extent it or its subcontractors, if any, maintains personal information relating to applicants or recipients of services pursuant to the contract, such information will be kept confidential and shared with the County; or with other entities upon the consent of applicant, 12 recipient or an authorized representative of the applicant or recipient; or as required by federal or state laws. 26. Nothing herein is intended or shall be construed to confer upon or give to any third party or its successors and assigns any rights, remedies or basis for reliance upon, under or by reason of this Agreement, except in the event that specific third party rights are expressly granted herein. 27. The Contractor recognizes that this Agreement does not grant the Contractor the exclusive right to perform the Work for the County and that the County may enter into similar agreements with other Contractors on an "as needed" basis. 28. The Contractor hereby represents that, if operating under an assumed name, it has filed the necessary certificate pursuant to New York State General Business Law Section 130. 29. All payments made by the County to the Contractor w ill be made by electronic funds transfer ("EFT") pursuant to the County's Vendor Direct program. If the Contractor is not already enrolled in the Vendor Direct Program, the Contractor shall fill out and submit an EFT Authorization Form as part of this Agreement. (in rare cases, a hardship waiver may be granted. For a Hardship Waiver Request Foran, the Contractor understands that it must contact the Count)!'s Finance Department.) The EFT Authorization Foran and related information are attached hereto and forms a part of' Schedule "A." The Contractor shall provide the County with a completed EFT Authorization Form that is attached hereto and made a part hereof If the Contractor is already enrolled in the Vendor Direct Program, the Contractor hereby agrees to immediately notify the County's Finance Department in \\riting if the EFT Authorization Foran on file must be changed, and provide an updated paper version of the document. 30. (a) The Contractor represents and warrants that it, its principals. and affiliates (as defined in 2 C.F.R. Part 180) are not currently debarred or suspended and the Contractor agrees to complete the "Certification Regarding Debarment and Suspension." which is attached hereto and forming a pall of Schedule -A.- The Contractor agrees that it shall immediately notify the County if it, its principals, and/or affiliates Ware deban•cd or suspended. or its, its principals, and/or affiliates' debarment or suspension appears likely. The Contractor further agrees to comply, and to require its subcontractors to comply, with the debannent and suspension regulations in 2 C.F.R. Part 376, as Nell as (lie applicable requirements of 2 CER. Part ISO. The Contractor represents and warrants that it is not currently excluded from receiving 13 Federal contracts, certain subcontracts, and certain types of Federal financial and non-financial assistance and benefits, by virtue of being on the United States General Service Administration's the Excluded Parties List System (EPLS), available at hitp://www.sam.gov as part of the System for Awards Management (SAM). The Contractor agrees that it shall immediately notify the County if it is so - excluded, or its exclusion appears likely. The Contractor represents and warrants that it is not currently on any debannent, suspension, or exclusion list of New York State or any political subdivision thereof, and has not been found non - responsible by New York State or any political subdivision thereof. The Contractor agrees that it shall immediately notify the County if it is added to any debannent, suspension, or exclusion list of New York State or any political subdivision thereof, or its addition to such lists appears likely. The Contractor agrees that it shall immediately notify the County if it is found non -responsible by New York State or any political subdivision thereof, or such a finding of non -responsibility appears likely. The Contractor understands and acknowledges that the County is relying upon the Contractor's above-described representations and warranties. Without limiting any of the foregoing, the Contractor certifies that, to the best of its knowledge and belief, it is and will be in compliance with 2 C.F.R. Part 376, regarding nonprocurrement debannent and suspension concerning public (Federal, State or local) transactions. If necessary, the Contractor will submit an explanation of why it cannot provide this certification. (b) The Contactor agrees to complete the "Certification Regarding Drug -Free Workplace Requirements," which is attached hereto and forming a part of Schedule "A," in order to help ensure compliance with 41 U.S.C. § 8101 et seq. and 2 C.F.R. Part 382. (c) The Contractor agrees to complete the "Certification Regarding Lobbying." which is attached hereto and forming a pail of' Schedule "A," in compliance with 45 C.F.R. Part 93. and to otherwise comply with 45 C.F.R. Part 93 and 31 U.S.C. § 1352. 31. This Agreement may be executed simultaneously in several counterparts, each of which shall be an original and all of which shall constitute but one and the same instrument. '1"his Agrreement shall he construed and enforced in accordance with the laws of the State of New York. in addition, the parties hereby agree that any cause of action arising out of this Agreement shall be brought in the County of Westchester. If any term or provision of this Agreement is held by a court of competent jurisdiction to be invalid or void or unenforceable, the remainder of the teens and provisions of this Agreement shall in no way be affected, impaired, or invalidated, and to the extent permitted by applicable law, any such tenn, or provision shall be restricted in applicability or reformed to the minimum extent required for such to be 14 enforceable. This provision shall be interpreted and enforced to give effect to the original written intent of the parties prior to the determination of such invalidity or unenforceability. 32. This Agreement shall not be enforceable until it is signed by both parties and approved by the Office of the County Attorney. IN WITNESS WHEREOF, the County of Westchester and the Contractor have caused this Agreement to be executed. THE COUNTY OF WESTCHESTER a Mae Carpenter, Commissioner Department of Senior Programs and Services CONTRACTOR: r Municipality: Tr7� t7 F oumGU'a ry Ck By (Signature) v Aar w (NAme 16wi1 A1D1LJ ;5trA- (Title) Approved by the Board of Acquisition and Contract of the County of Westchester on the 9°i day of March, 2017. Approved as to form and manner of execution: Assistant County Attorney The County of Westchester 15 STATE OF NEW YORK ss.: COUNTY OF WESTCHESTER) ACKNOWLEDGMENT On the day of in the year 2017 before me, the undersigned, a Notary Public in and for said State, personally appeared 'S-&4% ki l J - -A I h 0ii personally known to me or proved to me on the basis of satisfactory evidence to be the individual whose name is subscribed to the within instrument and acknowledged to me that he/she executed the same in his/her capacity, and that by his/her signature on the instrument, the individual, or the person upon behalf of which the individual acted, executed the instrument; and, acknowledged if operating under any trade name, that the certificate required by the New York State General Business Law Section 130 has been filed as required therein. Signature and Office of individual taking acknowledgement 16 CERTIFICATE OF AUTHORITY (MUNICIPALITY) official signing certify that I am the Town cr ic- of (Title) the -Ty W l) CA Ma-ljrpnez: It - (Name of Municipality) a Municipal Corporation duly V organized and in good standing under the laws of the State of New York that S+ d11.t? t� A 1. 1 fn' (Person executing agreement) ��`` who signed said agreement on behalf of the Tv w n o[ Maw�ra Clt— (Name of Municipality) was, at the time of executionTown n ifd li11Ir) tStr(Ato of the Municipal Corporation (Title of such person) and that said agreement was duly signed for and on behalf of said Municipal Corporation by authority of its governing board, thereunto duly authorized and that such authority is in full force and effect at the date hereof. (Signature) STATE OF NEW YORK ) ss.: COUNTY OF ) On the day of in the year 2017 before me, the undersigned, a Notary Public in and for said State, personally appeared, personally known to me or proved to me on the basis of satisfactory evidence to be the officer described in and who executed the above certificate, who being by me duly sworn did depose and say that he/she resides at and he/she is an officer of said municipal corporation; that he/she is duly authorized to execute said certificate on behalf of said corporation, and that he/she signed his/her name thereto pursuant to such authority. Notary Public Date: 17 W-stchester Robert P. Astorino County Executive 1)eluu tment of Semw I'rogninis and Seiti•ice• Alae Calpenter Conunissioner June 5, 2017 Ms. Anna Danoy Director of Community Services & Housing Town of Mamaroneck 740 West Boston Post Road Mamaroneck, NY 10543 RE: AAA Transportation Services Contract: PY 2017 - 2018 Dear Ms. Danoy: Enclosed is an electronic blank copy of the AAA Transportation Program agreement that also includes Schedules "A" "B" "C" "D" and "E" for the program period commencing on April 1, 2017 through March 31, 2018. State funding for Program will be in an amount not -to -exceed $2,456. The Department may reduce the amount payable to its contractors if the New York State Office for the Aging reduces the Department's federal and/or state funding, in which case you will be notified. Additionally, we are now e -mailing contracts in an effort to expedite the delivery of contracts to our contractors. This allows you to have an electronic copy on hand in the event that you need to reprint a page without having to wait for it to be sent through the postal service. You MUST use the original contract documents that we have provided. NO ALTERATIONS may be made to the contract without the prior consent of the Dept. With the exception of the applicable Excel Pages, DO I40T fill out the contract electronically as we want to maintain the integrity of the document. Noncompliance with these requests will result in the contract returned to your agency. Printout a hard copy of the contract and fill it out making sure that where signatures are required on all documents that they are original. Return the ENTIRE originally signed contract to me at the address in the footer below. Contracts with COPIED signatures are unacceptable. We also suggest that you keep a completed copy of the contract for your records. Return the ENTIRE completed originally signed agreement and all supporting schedules to me at the address in the footer below. Please note that ALL required insurances should be submitted with the contract, or the contract will be on hold pending receipt of these documents. Remember to include the County of Westchester as "Additional Insured" on the Certificate of Liability Insurance. Please refer to Schedule B "Standard Insurance Provisions" for further details regarding insurance documents. 9 Smith Firm Avenue. 1011, Flom Mouni Vernon. New York 10550-3111 Telephone: (91M..13-6400 Fav (914)813-6399 Website: %etr.�% .coni Program related questions should be directed to your program liaison Meleita Jones at 914-813-6420. Questions pertaining to the processing of the contract should be directed to me at 914-813-6058, Sincerely, LS".., (,bk"dp- Sharon Johnson Program Administrator Encl. COUNTY OF WESTCHESTER SERVICE/PROVIDER AGREEMENT INTER -MUNICIPAL AGREEMENT made the 15f day of _ 1 I 2017 by and between the County of Westchester, acting by and through its Department of Senior Programs and Services, (the "County"), and having an office at W�� n Pi5t ' LtC . kAa" J(Dncj LN (the "Municipality"). I . The Municipality shall furnish to the County various transportation services for seniors in accordance with the terms and conditions of the New York State AAA Transportation Program (the "Program") and as more fully described in Schedule "A" which is attached hereto and forms a part hereof (hereinafter the "Work"). All Work must be completed in accordance with the "Standard Assurances" comprised of the Four Year Plan and Annual Update to the Four Year Plan (collectively the "Plan") in the form of a Schedule "C" attached hereto and made a part hereof. All Work performed by the Municipality shall be under the direction of and subject to the complete approval of the Commissioner of the Westchester County Department of Senior Programs and Services (the "Department") or her duly authorized designee (the "Commissioner"). The Municipality shall furnish the Work only if, as, and when requested by the Commissioner. The Municipality recognizes that this Inter -Municipal Agreement ("IMA") does not grant the Municipality the exclusive right to perform the Work for the County and that the County may enter into similar IMAs with other Municipalities on an "as needed" basis. The Municipality hereby waives any claims to lost or anticipated profits based on the County's failure to use the Municipality's services to the full amount authorized to be expended under this IMA. In the performance of the Work hereunder, the Municipality shall comply with all Federal, State and local laws, rules and regulations, including but not limited to, those pertaining specifically to the Program. The Municipality further agrees to furnish copies of all required records to the County to substantiate such compliance. The Municipality shall not delegate any duties or assign any of its rights under this IMA without the prior express written consent of the County. The Municipality shall not subcontract any part of the Work without the written consent of the County, subject to any necessary legal approvals. Any purported delegation of duties, assignment of rights or subcontracting of Work under this Agreement without the prior express written consent of the County is void. All subcontracts that have received such prior written consent shall provide that subcontractors are subject to all terms and conditions set forth in this IMA. It is recognized and understood by the Municipality that for the purposes of this Agreement, all Work performed by a County -approved subcontractor shall be deemed Work performed by the Municipality and the Municipality shall insure that such subcontracted work is subject to the material terms and conditions of this IMA. All subcontracts for the Work shall expressly reference the subcontractor's duty to comply with the material terms and conditions of this IMA and shall attach a copy of the County's contract with the Municipality. The Municipality shall obtain a written acknowledgement from the owner and/or chief executive of subcontractor or his/her duly authorized representative that the subcontractor has received a copy of the County's contract, read it and is familiar with the material terms and conditions thereof. The Municipality shall include provisions in its subcontracts designed to ensure that the Municipality and/or its auditor has the right to examine all relevant books, records, documents or electronic data of the subcontractor necessary to review the subcontractor's compliance with the material terms and conditions of this IMA. For each and every year for which this IMA continues, the Municipality shall submit to the Commissioner a letter signed by the owner and/or chief executive officer of the Municipality or his/her duly authorized representative certifying that each and every approved subcontractor is in compliance with the material terms and conditions of the IMA. 2. Performance of the Work under this IMA shall commence on April 1, 2017 and shall terminate on March 31, 2018 unless terminated sooner pursuant to the provisions hereof. The Municipality shall report to the County as the Commissioner may request on its progress toward completing the Work, and shall immediately inform the Commissioner in writing of any cause for delay in the performance of its obligations under this IMA. 3. For the Work to be performed pursuant to Paragraph 1, the Municipality shall be paid an amount not to exceed $ 2,456 . Any and all requests for payment to be made, including any request for partial payment made in proportion to the Work completed, shall be submitted by the Municipality on properly executed payment vouchers of the County and paid only after approval by the Commissioner. In no event shall final payment be made to the Municipality prior to completion of all Work and the approval of same by the Commissioner. All payment vouchers must be accompanied by a numbered invoice and must contain the invoice number where indicated. All invoices submitted during each calendar year shall utilize consecutive numbering and be non -repeating. The Municipality shall, at no additional charge, furnish all labor, services, materials, tools, equipment and other appliances necessary to complete the Work. Except as otherwise expressly stated in this IMA, no payment shall be made by the County to the Municipality for out-of-pocket expenses or disbursements made in connection with the Work to be performed hereunder. 4. The parties recognize and acknowledge that the obligations of the County under this IMA are subject to the County's receipt of funds from the New York State Office for the Aging ("NYSOFA") to operate the Program and that no liability shall be incurred by the County beyond the monies made available from NYSOFA for this IMA. The Municipality agrees that the County shall not be liable for any of the payments hereunder unless and until the County Commissioner of Finance has received said funds. If, for any reason, the full amount of said funds is not paid over or made available to the County by NYSOFA, the County may terminate this IMA immediately or reduce the amount payable to the Municipality, in the discretion of the County. The County shall give prompt notice of any such termination or reduction to the Municipality. If the County subsequently offers to pay a reduced amount to the Municipality, then the Municipality shall have the right to terminate this IMA upon reasonable prior written notice. In addition, the parties recognize and acknowledge that the obligations of the County under this IMA are subject to annual appropriations by its Board of Legislators pursuant to the Laws of Westchester County. Therefore, this IMA shall be deemed executory only to the extent of the monies appropriated and available. The County shall have no liability under this IMA beyond funds appropriated and available for payment pursuant to this IMA. The parties understand and intend that the obligation of the County hereunder shall constitute a current expense of the County and shall not in any way be construed to be a debt of the County in contravention of any applicable constitutional or statutory limitations or requirements concerning the creation of indebtedness by the County, nor shall anything contained in this IMA constitute a pledge of the general tax revenues, funds or moneys of the County. The County shall pay amounts due under this IMA exclusively from legally available funds appropriated for this purpose. The County shall retain the right, upon the occurrence of the adoption of any County Budget by its Board of Legislators during the tern of this IMA or any amendments thereto, and for a reasonable period of time after such adoption(s), to conduct an analysis of the impacts of any such County Budget on County finances. After such analysis, the County shall retain the right to either tenninate this IMA or to renegotiate the amounts and rates set forth herein. If the County subsequently offers to pay a reduced amount to the Municipality, then the Municipality shall have the right to tenninate this IMA upon reasonable prior written notice. This IMA is also subject to further financial analysis of the impact of any New York State Budget (the "State Budget'') proposed and adopted during, the term of this IMA. The County shall retain the right, upon the occurrence of any release by the Governor of a proposed State Budget and/or the adoption of a State Budget or any amendments thereto, and for a reasonable period of time after such release(s) or adoption(s), to conduct an analysis of the impacts of any such State Budget on County finances. After such analysis, the County shall retain the right to either terminate this IMA or to renegotiate the amounts and rates approved herein. If the County subsequently offers to pay a reduced amount to the Municipality, then the Municipality shall have the right to terminate this IMA upon reasonable prior written notice. 5. 'The parties expressly agree that the Municipality is an independent contractor and not an employee and the Municipality or any third persons working on the Municipality's behalf hereby waive any right to claim additional benefits, privileges or compensation based on any alleged or purported theory of an employee and employer relationship. 6. The Municipality agrees and shall be subject to the insurance requirements contained in Schedule-B." ,Nhich is attached hereto and forms a part hereof. In addition to. and not in limitation of the insurance provisions contained in Schedule "B." the Municipality agrees: (a) that except for the amount, if any, of damage contributed to, caused by or resulting from the negligence of the County, the Municipality shall indemnify and hold harmless the County, its officers, employees and agents from and against any and all liability, damage, claims, demands, costs, judgments. fees, attorney's tees or loss arising directly or indirectly out of the performance or failure to perform hereunder by the Municipality or third parties under the direction or control of the Municipality; and (b) to provide defense for and defend, at its sole expense, any and all claims, demands or- causes rcauses of action directly or indirectly arising out of this IMA and to bear all other costs and expenses related thereto. 7. The Municipality represents and warrants that all prices quoted herein for the work to be performed hereunder have been arrived at by the Municipality independently and have been submitted without collusion with any other vendor of similar materials, supplies, equipment or services. In addition, the Municipality further represents and warrants that it has not paid oragrecd to pay any person (other than payments of fixed salary to a bona fide, full time: salaried employee working solely for the Municipality) any tee, commission, percentage, gift or other consideration contingent upon or resulting from the award or making of this IMA. 8. The Municipality hereby expressly agrees that neither it, nor any subcontractor, nor any other person acting on behalf of the Municipality shall discriminate against or intimidate any employee or other individual on the basis of race, creed, religion, color, gender, age, national origin, ethnicity, alienage or citizenship status, disability, marital status, sexual orientation, familial status, genetic predisposition or carrier status during the teen of or in connection with this IMA, as those teens may be defined in Chapter 700 of the Laws of Westchester County.. The Municipality acknowledges and understands that the County maintains a zero tolerance policy prohibiting all forms of harassment or discrimination against its employees by co-workers, supervisors, vendors, contractors, or others. 9. Prior to the making of any payments hereunder, the County may, at its option, audit such books and records of the Municipality as are reasonably pertinent to this IMA to substantiate the basis for payment. The County will not withhold payment pursuant to this paragraph for more than thirty (30) days after payment would otherwise be due pursuant to the provisions of this IMA, but the County shall not be restricted from withholding payment for cause found in the course of such audit or because of failure of the Municipality to cooperate with such audit. The County shall, in addition, have the right to audit such books and records subsequent to payment, if such audit is commenced within one year following tennination of this IMA. 10. The Municipality shall comply, at its own expense, with the provisions of local, state and lederal laws, rules and regulations applicable to the Municipality and the Work that is the subject of this IMA. In addition, the Municipality shall further comply, at its own expense, with all rules, regulations and licensing requirements pertaining to its professional status and that ofits employees, partners, associates, subcontractor and others employed to render the Work hereunder. 11. All records or recorded data ofany kind compiled by the Municipality in completing the Work described in this IMA, including but not limited to written reports, studies, drawings, blueprints, computer printouts, graphs, charts, plans, specifications and all other similar recorded data, shall become and remain the property of the County. The Municipality may retain copies of such records for its own use and shall not disclose any such information without the express written consent of the Commissioner. The County shall have the right to reproduce and publish such records, if it so desires, at no additional cost to the County. Notwithstanding the foregoing, all deliverables created under this IMA by the Municipality are to be considered "works made for hire." Ifa ny of the deliverables do not qtial i1j as "works made For hire." the Municipality hereby assigns to the County all right. title and interest (including. ownership of copyright) in such deliverables and such assignment allows the Count)' to obtain in its name copyrights, registrations and similar protections which may be available. The Municipality agrees to assist the County, if required, in perfecting these rights. The Municipality shall provide the County with at least one copy of each deliverable. The Municipality agrees to defend, indemnify, and hold harmless the County for all damages, liabilities, losses and expenses arising out of any claim that a deliverable infringes upon an intellectual properly right ofa third party. lf'such a claim is made, or appears likely to be made, the Municipality agrees to enable the County's continued use ofthe deliverable, or to modify or replace it. Iflhc County determines that none of these alternatives is reasonably available. Ilre deliverable may be returned. 12. Any purported delegation of duties or assignment of rights under this IMA Without the prior express written consenl ofthc County is void ab indio. The Municipality shall not subcontract any part of flee Work without the written consenl of the Commissioner. All subcontracts shall provide that subcontractors are subject to all teens and conditions set firth in the contract documents. All Work perlonned by a County -approved subcontractor shall be deemed Work performed by the Municipality. 13. Pursuant to Federal Executive Order 12549, and as prescribed by federal regulations, including 48 C.F.R. Subpart 9.4, the Contactor hereby agrees to complete the Debarment and Suspension Certificate in the form ofa Schedule "D" attached hereto and made a part hereof. 14. Failure of the County to insist, in any one or more instances, upon strict performance of any teen or condition herein contained shall not be deemed a waiver or relinquishment for the future of'such teen or condition, but the same shall remain in full force and effect. Acceptance by the County of any Work or payment of any fee due hereunder with knowledge ofa breach of any term or condition hereof, shall not be deemed a waiver of any such breach and no waiver by the County of any provision hereof shall be implied. 15. All notices of any nature referred to in this IMA shall be in writing and either sent by registered or certified mail postage pre -paid, or delivered by hand or overnight courier, or sent by facsimile (with acknowledgment received and a copy ofthe notice sent by registered or certified mail postage pre -paid), as set forth below or to such other addresses as the respective parties hereto may designate in writing. Notice shall be effective on the date of receipt. Notices shall be sent to the following: fo the County: Westchester County Department of Senior Program and Services 9 South First Avenue, 10"i floor Nit. Vernon, NY 10550 with a copy to: County Attorney Michaelian Office Building, Room 600 148 Martine Avenue White Plains, New York 10601 To the Municipality: A-6Lk; o C k aAA (i VL De -CCI AM --W US-tZ II__P A CWCW ��(� ld.V"Z�11eCtl_ jJ Ory 16. (a)'I'he County. upon ten (10) days notice to the Municipality, may terminate this IMA in whole or ill part when the County deems it to be in its best interest. In such event. the Municipality shall be compensated and the County shall be liable only for payment for Work already perfOrnled under this IMA prior to the effective date oftermination at the rates) specified in Paragraph "31" hereofand/or. ifapplicable. Schedule "A Upon receipt of -notice that the County is terminating this IMA in its best interests, the Municipality shall stop work immediately and incur no Further costs in furtherance of this IMA without the express approval of the Commissioner, and the Municipality shall direct in), approved subcontractors to do the same. In the event ofa dispute as to the \,title of the Work rendered by the Municipality prior to the date of' lertnination. it is understood and aerced that the Commissioner shall determine the value of such Work rendered by the Municipality. Such reasonable and good faith determination shall be accepted by the Municipality as final. (b) in the event the County determines that there has been a material breach by the Municipality ofany of the terms of the IMA and such breach remains uncured for forty-eight (48) hours after service on the Municipality of'written notice thereof, the County, in addition to any other right or remedy it might have, may tenninate this IMA and the County shall have the right, power and authority to complete the Work provided for in this IMA, or contract for their completion, and any additional expense or cost of such completion shall be charged to and paid by the Municipality. Without limiting the foregoing, upon written notice to the Municipality, repeated breaches by Municipality of any particular duty or obligation under this IMA shall be deemed a material breach of this IMA justifying tennination for cause hereunder without requirement for further opportunity to cure. 17. This IMA and its attachments constitute the entire IMA between the parties with respect to the subject matter hereof and shall supersede all previous negotiations, commitments and writings. It shall not be released, discharged, changed or modified except by an instrument in writing signed by a duly authorized representative of each of the parties. 18. This IMA shall not be enforceable until signed by both parties and approved by the Office of the County Attorney. 19. Nothing herein expressed or implied is intended or will be construed to confer upon or give any third party or its successors and assigns any rights, remedies or basis fine reliance upon, under or by reason of this IMA. 20. Ifany term or provision ofthis IMA is held by a court ofconlpetent jurisdiction to be invalid or void or unenforceable, the remainder ofthe terns and provisions of this IMA will in no way be affected, impaired, or invalidated, and to the extent permitted by applicable law, any such term, or provision will be restricted in applicability or reformed to the minimum extent required for such to be enforceable. ']'his provision will be interpreted and enforced to give effect to the original written intent of the parties prior to determination of'such invalidity or unenforceability. 21. The Municipality and the County agree that the Municipality and its officers, employees, agents, contractors, subcontractors and/or consultants are independent contractors and not employees of the County or any department, agency or unit thereof. in accordance with their status as independent contractors, the Municipality covenants and agrees that neither the Municipality nor any of its officers, employees, agents, contractors, subcontractors and/or consultants will hold themselves out as or claire to be employees of the County or any department, agency or unit thereof: 22. All payments made by the County to the Consultant will be made by electronic fiends transfer ("1;1=1..) pursuant to the Count's Vendor Direct program. Consultants doing business \Kith Westchester County, who are not already enrolled in the Vendor Direct Program, will be required to fill out and submit an til [ Authorization ]-orm in order to receive payment. The El"I Authorization Dorm and related infiOrmation are annexed hereto as Schedule 'T.". The completed Authorization Fornn must be returned by the Contactor to the Commissioner prior to execution of' tile contract. In rare cases, a hardship waiver may be granted. Fora i lardship Waiver Request Forme, please contact the Westchester County Finance Department. 23. This IMA shall be construed and enforced In accordance with the lays cif the State of New York. In addition the parties hereby agree that the venue for any laNysuit arising out of this IMA shall be in the County of Westchester. 24. This IMA shall not be enforceable until it is signed by both parties and approved by the (.)Rice of the County Attorney. IN WITNESS WHEREOF, the parties hereto have caused this IMA to be executed. THE COUNTY OF WESTCHESTER By- ----- - ---- - - Mae Ca►pcnter, Commissioner Department of Senior Programs and Services MUNICIPALurv:) By --- — (Signature) t u:e1 V_ A-1_tjc'�1 -- - (Name) ('Title) Approved by Act No. 75-2014 adopted by the Westchesm— County Board of I-cgislators at a meeting, duly held on the 5"' day of' May. 2014. Apprm ed by the Board of Acquisition and Conoact of the Counly ol' Westehcster on the I" day of.lune. 2017. Approved as to liirn► and ►nanner ofexecution Assistant CoUnly Attorney. CoUllty of k eslchcster STATE OF NEW YORK ss.: COUNTY OF WESTCHESTER) ACKNOWLEDGMENT On the day of in the year 2017 before me, the undersigned, a Notary Public in and for said State, personally appeared S{"eaLt 41 V A ttle-v1 personally known to me or proved to me on the basis of satisfactory evidence to be the individual whose name is subscribed to the within instrument and acknowledged to me that he/she executed the same in his/her capacity, and that by his/her signature on the instrument, the individual, or the person upon behalf of which the individual acted, executed the instrument; and, acknowledged if operating under any trade name, that the certificate required by the New York State General Business Law Section 130 has been filed as required therein. Signature and Office of individual taking acknowledgement CERTIFICATE OF AUTHORITY (MUNICIPALITY) al other than N al signing contract) certify that I am the -To wil (101- — of (Title) the -rQ L01'1 to "o-yacl-ml (ll__ (Name of Municipality) a Municipal Corporation duly organized and in good standing under the laws of the State of New York that ._)t t' )'Yu n � A t -hj j1 (Person executing IMA) Vin who signed said IMA on behalf of the J (>LL8►1 ► r I_C�- (Name of Municipality) was, at the time of execution Tou)o A d r)�,UU 5*(Alb( (Alb( of the Municipal Corporation (Title of such person) and that said IMA was duly signed for and on behalf of said Municipal Corporation by authority of its governing board, thereunto duly authorized and that such authority is in full force and effect at the date hereof. STATE OF NEW YORK ss.: COUNTY OF On the day of (Signature) in the year 2017 before me, the undersigned, a Notary Public in and for said State, personally appeared, personally known to me or proved to me on the basis of satisfactory evidence to be the officer described in and who executed the above certificate, who being by me duly sworn did depose and say that he/she resides at and he/she is an officer of said municipal corporation; that he/she is duly authorized to execute said certificate on behalf of said corporation, and that he/she signed his/her name thereto pursuant to such authority. Notary Public Date: