Communication, Technology & Information Systems Committee - Regular Meeting

Welcome to the 01/07/2026 meeting of the CTIS committee. In attendance, Juan Moreno and Sherry Reardon. Unfortunately, Cesar Cardenas could not make it today. Approval of the minutes from 12/03/2025. Did you read the minutes?

Did you Yes. I read.

Okay. Apparently, if we read them, we can we

can okay. Because I had to go for that one. Right?

Yes. So if you can motion

to it. Motion.

And I'll second. And all in favor Aye. To approve the minutes from December 3? Aye.

Aye.

K. There are no citizens here to be heard, so we will move on to the agenda items. And the first agenda item, ninety three twenty six, award a contract to CDWG for Mimecast Web Security and Critical Protection Cloud Gateway annual review in the amount of $48,880.21.

Yeah. So Mimecast does two primary things for us. So you can kinda break it into two groups. It does web security for us. So on all Citi devices, there is what we call it's a Mimecast agent, essentially.

It's a little program that runs on every laptop that ensures that you can't go to malicious websites, inappropriate websites. You know, it's pretty standard anywhere. One of the things we've always we've used Mimecast for of the last five, six years for is because with the agent, it means even when you disconnect from our network. So if you're using your laptop at home, off-site, you're still held to our security standards, and you still cannot access those things even if you're not directly connected to our network. A lot of other solutions, it's more at your firewall level, which means you have to be on our city network to stop that kind of stuff.

So Mimecast is, like, great for that. The other side of it, which I'm sure is near and dear to everybody's heart, is all of the email protections. So this is what protects us from phishing emails. If you think about the number of phishing emails that slip through, there are thousands that don't slip through for every single one that does get through, that Mimecast does stop. Oh, and over the last few years, Mimecast has continuously updated their their products.

So we you know, it does phishing attacks now, now does business email compromise. Business email compromise and insider threat are kind of two things it does, and it uses this has been over the last two years they've been working on this. They now use AI to essentially review, basically, how like, if we were communicating through email on a regular basis, how do we normally talk to each other? What are things we normally say to each other? What are things we normally work on together?

If all of a sudden you're asking me for bank information and we've never discussed financial information in the past, it's going to flag that email. Is there something off? Because oftentimes now what threat actors will do is they will compromise somebody's email account. They may sit in that email account for six months waiting for the perfect opportunity to jump in and intercept and start to comp like, carry on a current conversation. You know, my favorite example, because one of our employees did an amazing job at catching it, we were working out an agreement, I believe, at the time with a park district.

And this had been, like, almost a year long engagement, discussions back and forth. You could see that the emails were ramping towards, like, we're finally we all we're all agreeing on things. Things were just about to move forward. And then all of sudden, an email came in to our employee that was like, okay. You know, for the final transaction, this is my bank information. Just have it just have the money wired here. Well, our employee had been talking to this person for a year, and they're like, email didn't have any of the normal, like, pleasantries. Ries

that no.

No. It just it was it just felt very off. So she picked up the phone and called, and she's like, hey. Are you sure this is it was their email account had been

compromised. Yeah.

And they had sat there watching

Waiting.

For months this negotiation, waiting till it to be nearly wrapped to send that information.

Wow. That's great.

Right? Yes. So now we, you know, we have the technology to kind of monitor those things and kinda keep an eye on that. So if there's suddenly a shift in the way somebody's talking and other things, it it will alert. And let the person know, like, you may wanna take an extra look at this email or you may want to call the person and make sure you verify it.

Yeah. And who sends, like, banking information over an email? Yes. I was like Yes. Never.

I just lost my notes there. And then, of course, in other world, email, it it blocks, like, you know, malware attempts and things of that nature. You know, all of your standard things. You know, this is this is one of our our typical yearly renewal type things. We've been working with Mimecast for quite a few years.

And how did the renewal come in as far as last year's cost?

Do have any idea?

Yeah. It would just been slightly the the normal, I mean, slight increase over our yearly. Every I mean, pretty much every year.

I'm assuming as they as they increase, like, the or they fix their services or upgrade their services, they probably add a little bit on that. Typically. Oh, yes.

It's usually anywhere from two to 5% cost every year. Okay.

Just a side note to all this. Were Chris was talking about all the malicious emails that this catches prior to like they don't even make it to anybody's inbox. I did get a report back for the numbers in December and there were over 14,000 emails that were blocked.

For the whole

For the For city of Georgia. For just for December. Just for December. And that's a Seems to be a pretty steady number.

Pretty average for the monthly. Yep. It's scary that when you

talk about the AI, how

they use that to catch the, you know, the malicious things. It also can be used the other way to make sure their email sounds like the other like what a normal email would be too.

You know, we've and we started doing putting that more in our training recently. Mhmm. You know, and that's kind of why we need these tools more now than ever is because it used to be really easy. Right? You'd catch these things because you'd read the email and it was, you know, poorly worded, misspelling. They just didn't it didn't make any sense. Now they're just running these things through AI before they send it out. Yeah. And they've cleaned all that kind of stuff up. It's getting harder and harder to identify the malicious emails.

It has to be the person that's receiving it. Thanks. Mhmm.

That doesn't that sounds a

little off.

That's not how we normally talk.

Yeah. Yeah.

Well, do you do does he get the training sent to him? You should I don't know if you do it or not, but you should do it. I do not. You'd be surprised. It's very quick. It probably doesn't take you ten minutes. And you learn so much. I mean, I remember I was thinking I was just doing one Monday. Mhmm. And I was thinking years ago when it started, I actually struggled trying to, like, you know, which one do I think is right, you know? And now I I have learned so much from it, and it's so beneficial for me personally in my business just, you know Mhmm. Overall.

Appreciate that. We'll

You should try and do it. They're they're very, very good. Yeah. Yeah.

There's a lot of stuff that you learn, especially with it's like, it's scary. Like, it's as we as AI is getting more widely used, it's it's we use it. Right? But, like, there's so many other bad things that they can use it against you.

Mhmm. Yes.

Yeah. Definitely. Good to refresh your skills basically.

Yeah. Yes. Somebody that sits next to me and had counsel who may be an attorney said because I personally am I'm I'm the reason they have to build these data centers because I I love AI. Well, you know what? It is great when you use it.

Yes. We work with them quite a bit now. A lot of AI tools.

Alright. Do you have any other questions? No. Okay. Alright. So we'll move on to agenda item ninety three twenty seven. Need to Oh, I'm sorry. Yes.

I'm Most

Sometimes we group them all together in other committees. We can do that here. No. No. That's okay. Can we get a motion? Motion. Okay. And I'll second and to move item ninety three twenty six to the full council with the committee's approval. All in favor? Aye. Okay. We'll move on to ninety three twenty seven, award a contract to CDWG for the renewal of Barracuda Cloud Data Protection Services.

Yeah. So Barracuda is, at a high level, is our our one of our backup solutions. It it does it does two this also does two major things for us. One is it offers what's called cloud to cloud backup. So we have our Microsoft three sixty five environment, which encompasses things like our email, our SharePoint, our Teams environment, our OneDrive, all of you know, solve our different ways individual staff members and every all employees here have a Microsoft account.

We have to back that information up. You know, the way our the way Microsoft works their contracts is they're responsible for providing you the applications and the tools, and then but they will not contractually ever agree to protect your data. They will they always will do best efforts. So if our environment here were compromised or we would have a catastrophic failure, they would help us, you know, invest efforts, but they would not guarantee that they can retrieve our information. So what Barracuda does is we actually take and back up that entire Microsoft world every night and back it up to a whole another data center.

If we were to ever lose our information in the Microsoft world, we would be able to restore from those bare human backups. So that's one aspect of what they do. The other side of it is their email archive. So in our in if you were to look at your email inbox, you only have about three years worth of emails in there, but we actually maintain significantly longer than that in the archive. The archive is used for things like e discovery.

So when we get FOIA ed, those kind of things, or we have litigation going on, legal has access to our, you know, archive, and they would just simply go in and be able to do, like, very complex searches on, you know, all communications between these five different individuals, and they would just go through every inbox throughout the city and pull all that information together so they can package that up to send it out for different things. Again, this is one of these tools we have used for quite a few years. It's a a pretty standard renewal. The one thing that we had added this year was we would like to back up our Entra ID. So Entra ID is how we do single sign in.

So you guys probably don't see it too much because you guys typically just use just the Microsoft world, but here, obviously, we have, you know, a dozen major applications that all of our employees use. It used to be you'd have to remember passwords and usernames for every one of those systems. Now everything is just it's all hooked to your Microsoft account, which is x ride. So you're able to just seamlessly log in to everything here through that one connection. This allowing us to back this up allows us to back up things such as our usernames, our our groups, our user groups, our authentication policies, which is a big deal.

That that's what determines, like, how difficult your password has to be set up and all these different things. Like, do you have like, everybody here uses multifactor authentication. Let you guys know. Like, when you log in to things, sometimes you'll have to get alerts on your phone and things of that nature. All of those all of that information, we need to back that up so that if our environment ever, you know, went down in a disaster recovery situation, this would allow us to rapidly restore all of those features and all of those security aspects. How

how much that would that new the add on that you're speaking about, that one, just is it on there, like, individually?

Or Yes. Should is be it

It's so it's a three year contract, $79,990.

It's the attachment for CDWG Barracuda PRCN six nine eight is the quote.

Yeah. Got the I'm just know what I'm

I apologize. I'm mean the cost of the year?

No. No. The annual Just for that one. Oh, that one thing. Yeah. Because that was a new add

on. Right? Yes.

Yeah. Yeah. So it's just

The annual for everything is 79 and some 79,080 thousand.

Yeah. Yeah. So $9.92.

Okay.

And we have a three year contract that same price if we Yes. Choose the price all three

years. Okay.

Are we locked into three years or is it if we want to take this

option? We're locked into three years.

Yeah. We've

Not that we would change. I mean

No. We've been using using this. Barracuda for since 2014. A a big reason why we've stayed with them for so long is because beyond the benefits that IT sees in the disaster recovery world, the e discovery piece for legal and city clerk's office is a is a major component to this. It's used every single day by them.

Mhmm. Yeah.

And it it's kinda and it is works very well. And we we try we've looked at other products, and Barracuda is still the the best solution we have found for that. So

You know what I've had recently, which I

kinda like? It seems

like it's catching on everywhere as far as all your different websites. But when you have a forgot your password type of thing, rather than having you reset your password, they're just sending you the authentication code through your email or to your phone. And you don't even have to reset it anymore. You just do it and and you're in. You know? I I think that's kinda good. I don't know if that's careless. What do you guys how do you feel about that? The fact that they're doing it that way?

Oh, yeah. I I you know, the the other thing they're doing is, like, the key passes. I don't know if you've seen that.

Yeah. Oh, yeah. I did. I have seen that. Yeah.

Yeah. The key passes and other really good I can tell you in the security world, the most most of the major security advisers are pushing more and more to get away from passwords.

Yeah. I think

that's what they're calling the key pass.

That's what the yeah. That's what they're saying when I do it.

They're really trying to get us away from passwords.

So that is a good way to do it. Yeah.

It is. Okay. It is. Because passwords are easy to compromise. Uh-huh. The there's a really cool chart out there. Could tell you the numbers exactly off the top of my head, but it basically shows if you have, like, a eight character password, a computer can break that in, you know, three hours. You know, if you have a you know what mean? You really have to get to the point where, like, if you're using a password, you should really be using, like, a pass phrase. Like, I use a pass phrase. So I have it's, like, the entire sentence that I type every time I type my password. Mhmm. Because if you don't have that many characters, the computers nowadays are so quick and so powerful. They'll just brute force your password. They'll just guess your password in, like

You know what I thought was really good? And I I just got a new Wi Fi system system in my my house. And the guy that helped me set it up, he's a friend of ours. He's like, you know what I use? And he he's telling me, use all numbers. And I bet you that's difficult for a computer to figure that out because there's no rhyme or reason. They don't know what combination of numbers you're doing and I have done that and it's easy for me to remember because I'm not gonna tell you why, but but it is easy for me to remember and I just can't see it being cracked because, you know, it's not a word. It's not a you know? I Okay. Don't So do we have a motion to move?

So moved. Okay. We'll move ninety three twenty seven to the full council with our recommendation to approve. I will second. All in favor?

Aye. Okay.

Do we have any old or new business not for final action? You'd like to bring up you guys anything? Nope. I don't either. We have no public comments. We have no public here. No request for closed session. So we have a motion to adjourn.

So moved.

Second. All in favor?