Information Technology Committee - Regular Meeting
About this meeting
- Government Body
- Information Technology Committee
- Meeting Type
- Information Technology Committee
- Location
- Grafton, MA
- Meeting Date
- March 5, 2025
Transcript
[Music] call to order this March 5th 2025 meeting of the Grafton Information Technology committee begin with a roll call of the members Bob Carroll yeah Bob's present uh Amar Clark is absent he informed me that he wouldn't be able to make the meeting tonight Bob Hassinger I'm here and David Robbins is here we officially have a completed roll call and a quorum so we will I I'm I'm not expecting Evan to join us Evan will Elvin and William were both invited I'm not expecting Evan I don't know I didn't hear from William as to whether he planned to attend so anyway our first agenda item of course as always is public input we do not have any attendees on Zoom but if any one of us has something that qualifies as public input now would be the time and hearing none next agenda item is an admin Town Administrator update I did touch base with Evan and he said that he has he has nothing to bring to our attention for this meeting tonight um he said he's kind of how did he put it Evan is up to his eyeballs in the budget not that time of year as everybody um who has a finger on any part of that is I I just watch bits and pieces of uh last night's meeting trying to figure out what they did to
the cable committee um but most of that video was um we're going to you know just plan on having overrides every few years um so Bob last night you mean the um video for the board of Selectmen yes okay that's up that's up already I was going to watch it oh yeah it usually is up the next morning okay they had it they around mid-morning or so today yeah planning board is often up the evening evening yeah if our meetings shorten he has time I think he trots down to the studio and does what they do anyway so that's it for the TA update uh the uh next agenda item is an IT policy discussion and basically where why we call call that we left off at our last meeting was really kind of two things one to uh to review the existing IT policy uh and start thinking about how how that might need to be updated and then there was sort of longer term thinking about uh you some context into which into you for for pursuing continued policy development a five-year plan of some kind we can we can talk about that too try to try to flush that out a little bit more so Bob Carroll so if I may David um before we get into that um so last meeting I had brought up that topic about you know the configuration with uh um HTTP versus HTTPS and I know you sent the email off did we get
anything back on that I've not heard any response to that okay do we want to follow up with them well I'd say I'd say look and see if um it's changed and if it hasn't then yes well I can do that pretty quickly I thought you might uh find the most egregious ones no nope still has not changed has not changed what we go no um it's as it was H it's as it was there's no difference as it was the hearing aids only are only um well what form of uh was it just Dave was going to say something um for what it's worth we should probably it would probably be worthwhile for for me to follow up and sort of get get an actual response but I have a an agenda notification that CivicPlus sent out to
me this afternoon with a new planning board agenda and when I click on the link I'm getting an HTTPS so oh wait a but oh that's interesting because the the link itself is still coded as HTTP but when I when it comes into sa Safari it's HTTPS I'm not quite sure how that's happening but yes the the the link they send out in the email is still HTTP so David so is this one like at um 1249 um new agenda for 31025 for the planning board yes okay because I have that one too let me go ahead and do the same thing so when I click on the agenda center right where where the link is embedded in there it says view in the agenda Center yes right so that if you mouse over you can see that it's definitely HTTP and then like depending on the browser um like if I use let me try to Firefox because that's more literal see Firefox brings it there and it flags it and it says not secure so Safari must be doing you know redirect or something cuz this the the URL definitely is HTTP okay I think the change you're seeing is on your computer you know uh um Chrome or whatever is uh helping you
be more secure yep on David yeah that's that's exactly what I'm seeing I when I hover over the link in the email it's HTTP when I open Firefox it's still HTTP and then you get the little icon up in the bar where it says it's not secure exactly yeah yeah yeah so so clearly nothing has changed in response to our you know so that's that's worth a follow-up okay all right but I'm thinking more formal um message on the record and the next message will go to the select board I don't know I I I I may give them one more chance and then pull that's what I said on email on the record now and uh yeah we should be letting people know the site's not secure right or doesn't do what the world thinks you should do nowadays about security yep either that or figure out a way to take advantage of it well you there's the the advantage is it's it's not encrypted so you could read you know m if you were to do man in the middle or you know intercept it you could read it it wouldn't be encrypted but yeah you know as we know it's just sending a link to the so there's really
no um exploit you know oh well let's work on it okay so um yeah yeah I'm mostly worried that people you can you can see I haven't tried it but you can see that you're not secure at least in depending um the user is being told he's got an insecure link right and uh that's actually and that ought to be in the explanation that uh that doesn't bode or speak well and and depending the device you're on you know the severity right um you know if you're on on a phone on an Android and Chrome you know it won't let you navigate to it it it'll force you to like override it right so people are gonna you know think and then um Google is going to index it and um flag it also perhaps again I haven't dug into that piece of it but they possibly could I think some of that should be included in the message that uh right well yeah I mean if if they don't if they don't do anything about it um then we can you know ratchet up the rhetoric a bit um hopefully they'll just go in and fix it and this whole thing will be done well we just have to we can't change it so I don't know about ratcheting up but um uh I think the message should try to
lay lay out that site credibility impact yeah let me try it on my phone see what it does oh no do I have it on this account oh do okay here's just another data point on this that when I copy the link the HTTP link out of the email and paste it into Safari I get not secure MH yeah so like can you see I don't know if you guys can see it doesn't want to show my phone it doesn't want to the camera doesn't want to show it but I get that it's a big you know thing on this site is not secure May compromise any information you send on
this page connection is not encrypted blah blah blah and then report a problem with the site I could save this I'll grab this screen I can send it to you yeah that kind of thing in the message to both Evan and Will right right cuz it's it's flagging Grafton ma.gov and say domain is not secure so yep and it's okay and that that's that's worth because worth including because what you see when you click or go navigate to that link what you see varies depending on the device and the and the software you're using to but for you for users who see what what you're seeing on your phone you know that's sort of you know that's much more noticeable than then you you know like the word not secure in my on my address bar or the little icon in the Firefox address bar you those are relatively unnoticeable people people may tend not to notice that but when you see something that's in your face that says it's it's rather prominent saying that this site is insecure or whatever however exactly that might be worded depending on devices you know that's not a good look for the town that's the whole thing right yep comes off very amateurish yes but yeah a screenshot of something like that to include in our follow-up
and would be uh would be very it it would have a lot more impact okay I'll send it along yep that' be that'd be great and we could get into the certificate and all of that too if we really wanted to but yeah that would be lost so they should just go in and fix it instead of you know try to litigate this yeah or put us in contact with people at the [Music] provider well I'm sure the provider um has the functionality I'm sure it's just either a setting or when they did the config or pasted the links or however they set it up they just didn't do it right on our side but if William and um Evan can't get it fixed read then give us a path to right yeah yeah yep CU he only has a budget to worry about you know [Laughter] so all right so good sound there's definitely need for some follow up on that too uh and escalation if need be so anything more on that that topic I'm going to I'm going to going to treat this as public input following up because we you know when we discussed it last month we discussed it as public input okay yeah
yeah okay so how do we want to proceed now for this evening on uh the policy topic um did you do the is this no I've got the wrong move on yeah I should mention before I've got the wrong agenda up yeah I did notice that as I was preparing the minutes from last year's meetings for review tonight that uh Evan at one point was saying he might want to more or less adopt the Groton policies as sort of a you know in instead of instead of just updating the the really it's kind of two but the main you know the the the policy the the general policy that the select board has now on computer information resources you know it was you know so s of one way we can approach this is just to review that policy and start you know thinking about how it needs to be updated but then I had forgotten this when we were talking last month but uh uh at one of the meetings last year Evan said he was interested or considering taking the set of policies from Groton or some subset of those whatever might be applicable and sort of adopting them and revising them so I'm not quite sure how we want to proceed uh it's B basically at the moment it's largely on us to make some uh policy recommendations and suggestions uh when when we have a little bit more
to discuss to start actually I'm not quite sure how I want to say it Will William has been basically doing the drafting of the policy documents um and uh I would certainly expect him to be working with us on that but the substance of what goes into that is right now at least it's largely up to us to uh give them some guidance as to where to go with it and then sort of tying into that question of well once we start looking at all policies I go back to uh you you know what you had talked about Bob Carroll last month that of you know have having some sort of a longer term plan or or vision or strategy in mind that would help to uh set some priorities and and it would help to determine what topics we should be covering in policy so I'm not sure how right now how we want to uh approach that it's probably worth our while to give some thought to the longer term direction and scope of what we want to look at for policies uh we could just go through the existing policy and and uh identify some areas for revision but probably would be helpful if we had had a bit more context right Bob do do we have um those policies from Groton uh yeah they're on the uh OneDrive or SharePoint or what I know we I know we had some I I wasn't sure if they were from there yes we have yeah we
had there were eight policy documents from Groton uploaded to that okay can you share the screen or do you have the link it it'd be nice if the public we can make it so that the public could see the documents that we're dealing with not only that but I still don't know how to get into OneDrive or whatever it is uh I I need to find it it's been so long well if if you find it send it to me but don't worry about it yeah so this is the page from the OneDrive U oh okay there's a Colorado folder at the top of that for some reason but below that yeah I think I think that's one I had that I threw up there yeah I think yeah yeah but this this is within the Groton folder okay but even even these are 10 years old right yes I mean 201 is more recent but um yeah yeah so even those you know we I would certainly expect that we wouldn't we wouldn't propose just copying these things and changing the name Groton to the name Grafton I think that right there there's some there are some policy topics covered here that are not covered in our current policy which the last revision of of Grafton's current policy was from September of 2021 and I don't know how substantive the changes were in that but you know
the this the board had gone through kind of an exercise in in uh uh updating and reviewing policies and adopting them it this I have a version of and I think you do too Bob Carroll I think you me I remember you mentioning it that there's a 2007 version of this Grafton policy that we once upon a time looked at as part of this committee I did not I I found the document that from 2007 I didn't compare the two to see how much had actually changed I suspect the changes were not a lot between 2007 and 2021 but between that 2021 Grafton policy document and these Groton policy documents we may we may want to sort of consider looking at looking at all these um identifying which of these topics are even applicable to Grafton most of them probably are but the details may not be and in any case if it's particularly if it's old uh then we then we have to look at how what needs to be updated in these policies and how do we adapt to 2025 right um so I guess the suggestion would be you know we we really need the an owner right and who who's going to be responsible for this because my fear is that you know we can do whatever we're going to do it'll just be a lot of
thrashing and churning right um and uh you know it's not going to go anywhere but if we could get you know whether it's William or Evan or whoever or even um you know CMD to own these then you know we can work with them right so if I pay something the Q&A can I paste the link in here where would I how do I how do I paste the link so you guys can have it I mean you're in there David it would be for Bob not for you email it okay yeah I the way I get in there is I saved the email that Evan sent to us right and it has the link in that email email and I found that I I could I could bookmark that link but it doesn't work when I bookmark it only works when I click it uh from Evan's email that may not be the only way to make it work but that's the only way I've been able to make it work I'm so far I'm not doing well at finding that message um from Evan I I think I should the message is on five uh I forwarded it on 5124 oh to you Bob I can re forward it to you why don't you do that
you want your r. hassenger at Triple E H yes okay so I'm clicking on that link and I'm in so that link should work for you okay so there's actually a Colorado a Groton in South Carolina and that's the one I loaded up all these policies from and then there's at the root the the other documents there's a whole bunch of policies yeah there are some there are some some of these policies are from other towns as Auburn and yeah Westboro Worcester right and the the thing would be right that whoever will um would need to adopt a format right what they're all going to look like for a template and then you know we would want them all to to look like that or at least to have those chapters and they and they have the um the spreadsheet too that I put up here with all the um the inventory of policies that one should have so that these are the policies and standards so there's a spreadsheet up there too in that folder yeah that is is and it policies hyphen standards from May goodness
yeah so this's definitely a a hodgepodge you got Westboro Worcester and you got a whole folder of Groton South Carolina Colorado so yeah they kind of have to give us a little bit of guidance or you know they just delegate it and let us run with it right but I don't know if that's really our charge you know I could certainly do that yeah so this is part of that spreadsheet this looking at this spreadsheet this is probably a pretty good list of the policy topics that we might want to consider well so yeah I mean you guys didn't hear this but these are all of ours from work so these are these are ones we have yep and I'm right in the middle of reviewing every year we go through these and review them so this next week we're actually doing the information classification one and handling and last week we did Asset Management so this is real this is you know yep what a $6 billion dollar company does yeah yeah so so something like this and uh I don't know if there is another comparable list of potential policy topics but you I I I like a list like this that gives gives me an idea of the
various topics that we might want to include in in our policies so so Groton has the eight policies with you know here's a much longer list of policies if if if there's any other I haven't looked at the uh uh the NIST framework recently to see if if there's something sort of comparable as a list of potential policy topics well this is all derived these are all derived from this yeah I rather expected that was the case right so they're actually from the um cyber security framework but you know NIST B goes based on risk and size and appetite so like Grafton probably you don't need a whole standard and policy and identity and access right you know pretty simple and I don't think Grafton needs Internet of Things probably not right right um so you know a lot of these you could just punt on so yeah I think the value I see in a list like this is just to suggest topics that we want to think about do we need a policy for this do we need a policy for that because right TR trans at least at least for me you know not particularly working deeply in this area where I know all the different things might need to be covered it's good to have this as sort of a a checklist of you know do we need something for this do we need something for that so we've got our one uh our existing computer and information resources policy which is aside from being certain surely out of date and doesn't cover everything but
it you know it does cover a few things responsibilities of different uh different players you the the TA the various departments the users prohibited activities some security responsibilities for the TA and the employees um a bit a bit on malware a bit on shared resources a bit on wireless access point so those are the topic areas that our existing policy covers to some degree separately from that we do have a social media policy which is uh put up on our website as an HR policy and it mainly is it covers the use of official Town accounts on social media platforms it doesn't cover for example one thing that I think Groton covers is the employee responsibilities for their employees Town employees use of non-official social media platforms we don't have anything in our policy on that we might we might find that to be useful but so there are those topic areas then there are the topic areas that Groton covers um electronic communication except basically it's an acceptable use policy encryption key management password guidelines remote access security control social media both personal and official use technology disposal user registration which is basically which appeared to be a transition document from you know trans transition users from older system to a newer system that's that's probably of no particular interest to us but I guess I guess my point is that there's quite a number of different topic areas that we can consider I guess the other possibility the other list of topic areas you know
that you know the the South Carolina and the Colorado policies you uploaded Bob that uh also kind of suggest various topics that could be covered by policy so all that is to say you know we we've got a fair amount of a fair amount of ideas for things that we may we may decide need to be covered for Grafton and it uh it's kind of well where where do you start in in nailing down what know you know focusing on those topic areas that we we think Grafton needs to cover and then from there you know you know finding finding for example a Groton policy that's more or less good enough and and how do we adapt that or you know whatever but it's to me it's a little bit overwhelming to have all these all these ideas and where do we start and and going back to something you said earlier Bob Carroll that uh we also need to at some point uh as we start getting into this uh we'll need to work with Evan and William and CMD or it's really it's EV ultimately it's Evan's responsibility to say well who owns all these policies yeah because long long term it's not the IT committee that is going to in any sense own the policies we can help to develop them we can provide a lot of input for developing them but uh yeah somebody's going to own the policies uh as I said before Will William is uh is the guy who basically writes the policy documents and uh and certainly you know he's got I
think a pretty pretty standard format in general for the town policy documents so you know that that that aspect of it I think we I'm pretty sure we know who's going to handle it but it's more the the the the substance of what goes into the policy documents that uh we need to we need to start moving forward on that somehow right but I right I and I think again it all comes back to the I plan right the strategy document where that lays it all out we're going to have policies we're going to have standards they're going to be ratified they're going to be under um um you know um change management and change control they're going to be reviewed either annually or biannually right and who's going to review and approve them all of that L lays it out and then the domains or that you know we're going to use this out of NIST right that just tells the whole story right and that's where that that's where that all happens along with you know our cloud strategy our backup strategy our vendor strategy you know all that stuff right that's in the the document and it doesn't doesn't have to be real verbose you know it doesn't have to be atonement I I'd be willing to bet you know there's ones out there from towns that are border you know cities like you know um like Northampton Lexington ones that are a little more affluent have money to do these things you know that our public um domain that we could you know find and basically um you know uh we would call it um
repurpose yes and and go from there right and didn't didn't we I mean this probably what is back with Tim didn't we get in on some Grant thing and it was a pooled um like CIO resource with a number of time what didn't we have something going like that at one time remember what I'm talking about I'm trying to remember what we it was like an advisory committee or a regional committee that um you know it may not have been any uh cost it was just like a membership thing but um I would think you know e in the community different communities that you know these guys like the town administrators they have their own bulletin board right and they have their own you know um I don't know how and where they do it but I'm sure they do it where they all you know kits back and forth and I used to be plugged into all that stuff but it's been so long yeah Evan I've just been going around about the cable oversight um Evan seems to without too much effort reach out and pull in what's going on in other communities so that he may he may have uh some place to help with that um right the the I'm I'm I'm worried about uh that long list though uh that you just shown trying to picture all of it getting done and cuz uh it all gets written up and everybody gets happy
about it and then it has to go to the select board to be approved um and uh if you want to do that whole list complete and all in doing one step uh none of us will be on the committee by then yeah well I mean cut you can cut the list I'm getting some sort of a way to approach this an a uh an outline where you can plug one in at a time um yeah but I I could even go through this this was just a you know a flat list right of a a dump of all the ones now you know for Grafton I could go through and flag the ones that you know would have relevance because right off the bat each each or most most each of these have a policy and a standard the policy is the global you know it's a town policy to this and that and the standard is how you do it so if we just combine those it cuts the list in half and where the town you know doesn't develop software we don't have DevSecOps or any of that stuff so we don't need to do secure engineering we don't do project management you know a lot of these could just get whacked we don't have web security we don't host you know we could chop all these right out and then we get down to a manageable list of maybe a dozen or so you know I think working along those lines and interacting with William and/or Evan about the approach and the list yeah and maybe can we take them one at a time as we go along um would be a good
start big hill right right but we need that ownership you know if we if it's going to be will then you know we need him engaged and we can certainly you know consult advise whatever but you know he needs to do it and own it and you know have some timelines deadlines to get this stuff done otherwise it's just gonna one or two of those one or two of those might go away I think you were reading off um how the sign off on policies works well Evan has a way that that gets done for all PA policies so right does that that doesn't need an IT policy no no they just need to be under you know change management right they need to be under change control so everyone has the latest version right not working off an earlier version and they all know that that's the current one if if we can establish that that's what Evan already has then that would be good because rather than putting rather than putting that down a level with what we're working on um right because all the policies ought to have that control right they they really should because they got to have Personnel ones right employees yep so they've got ones they even have unions I'm sure uh yeah yeah that's a whole another thing but uh yeah yeah as far just as as far as
policies in general seem to go um you know what I've seen over the last two or three years is and it's mostly I don't know that I aware of any re policies recently that have been yeah there I think there have been some brand new policies created I just I couldn't put my finger on it right now but you know when it when it when it gets to the you know the the process seems to be however a policy gets initially written or drafted or revised basically yeah Will William is sort of in charge of the documents and to to a greater or lesser degree William has has pulled together the information and you drafted some policy I think I've I think I remember you know some recent discussions where you there's a policy idea that maybe it comes from the select board or from Evan or some other source potentially Will William will kind of do do a lot of the work of you know putting together a draft of the policy right pres presumably Evan reviews that and then it is brought to the select board where the select board reviews and and uh recommends or or approves some you Rev s to bring it to a bring it to a point that you once the select board is happy happy with it the select board uh uh votes to adopt the policy and that becomes the current policy and uh yeah I don't know that that how formalized the procedure really is I think it's it that strikes me as being a being somewhat informal and yet fairly consistent well the ones you sent David have they have all the select board
you've got Peter Peter Carlson on here Colleen Daren Matt ofon and Ray you know they signed the ones you sent back in 2021 so you know they saw it yes and that's you know that that's been it's consistent with my observations of Select board meetings more recently is that you know will will will will show the policy on the you know like when when it's discussed at a select board meeting William will put it up on the screen they'll all talk about it and ultimately vote vote to approve it and sign it right do we know if um I'm looking at the uh our information uh resources document that you sent or put up um yeah at the very end there's the place where employees supposed to sign I'm curious whether they're getting employees to sign those that's a good question I mean if you're not even going to do that [Music] um got a some starter problems to work on right yeah because you could have all the policies in the world but if they have no way of um attesting or demonstrating that they were presented and the employee accepted them then you know good luck with that in any litigation I would like to think that the employees are provided with the copy of the policies and are asked to sign acknowledging that they've received them right and then does somebody track that to be sure they have it
yeah if you say today what percentage of the employees currently have acknowledged this policy right yeah I mean they all do that electronically now it's all presented online you have to review it you have to click on it and then it's essentially DocuSigned right now that may be overkill and little expensive for the town but you know out in the private world that's how we do it yep well because um this for me goes back to the beginning of this committee um I've never seen um you know a really strongly putting out there's a policy you have to sign it you have to understand it blah blah blah for it um Peter Carlson was on our committee he I bet you had something to do with the writing of that that one right quite likely but yeah and that that would be EV Evan I'm sure could tell us what what procedures are in place for disseminating the policies to employees and ensuring that employees have acknowledged it right right well that's that's a to-do Dave yeah so what are we um I'm I'm looking for dinner so I'm wondering what else we have or you know how much how much more do we need here yeah I think I think for right now I I don't think there's anything else that uh that we can do I think we've got a you know we we've got a I've got a better sense of the direction that we're going to be heading on this uh and I I will I will look at following up
with Evan and to see what he can obtain from you not so much specific policies but the more and I you know I'd have to go back and and and review exactly how you put it here I'm pointing at Bob Carroll but you can't see what what I'm pointing at the screen but you know Bob you were talking earlier about uh things like you know strategies and and and I I forget exactly how you put it but you know looking for what I'm what I'm trying to get to is if whether Evan can uh obtain from some of his colleagues in in in the right business this the kind the kind of for lack of better term you know overall guidance document that would you know that would help to you know spell this stuff out you know and and uh you know we've got or even he could I'm sure Charlie and cmdb uh CMD C MD those guys you know they they float around and work with enough towns I'm sure they could put their hands on one and where you know municipalities um that's you know fo you right and public information so could certainly get that I mean they may want to R redact you know anything that could be a vulnerability or you know too much information but the body of the thing you know and I can just poke around see if I can search Google you know or even get AI to do it right there you go yeah but it has to be a current AI not not that one I use 3.5 um uh huh I'm sure chat ChatGPT could could could construct one for you it
have it might not have a shred of reality in it oh well but might give ideas um I'm I'm I'm kind of curious about oh say Shrewsbury and Westboro since they're nearest and their good sizes and I have a fair fair active governments playtime let me do run some prompts through um either Copilot or Gemini and see what we get okay well is there more for us to do we have minutes on the agenda we have minutes from January March May and June of 2024 and from last month I move we approve all of them and I'll second okay I move the question and with that just by way of in any discussion on the motion I'll just mention that with these minutes having once they're approved we will now be completely up to date with our minutes in the the town clerk's office awesome so motion made and seconded any other discussion if not Mr. Carroll Carroll's aye Mr. Hassinger aye and Mr. Robbins votes aye motion is carried unanimously I second it's not debatable motion made and seconded that this meeting be adjourned Mr. Carroll aye Mr. Hassinger aye Mr. Robbins votes aye motion carried unanimously we are adjourned
This transcript was automatically generated from the official public meeting video and is presented unedited. It reflects remarks made on the public record by elected officials, staff, and public commenters. Transcript accuracy may vary; view the original recording for reference.