City Council - Regular Meeting
The Burnsville City Council discussed the evaluation of its neighborhood organization and grant program, which has successfully funded 12 projects across five neighborhoods. The Council also received a comprehensive cybersecurity briefing, detailing current protections, recent improvements, and future plans to enhance the city's digital and physical security infrastructure.
About this meeting
- Government Body: City Council
- Meeting Type: City Council
- Location: Burnsville, MN
- Meeting Date: February 10, 2026
Transcript
Good evening, ladies and gentlemen. It is 5:30 and I will call this uh regular work session of the Burnsville City Council to order. And um I just have uh an announcement uh to make and that is about how you can participate. And so we welcome everyone to be here with us in person. Welcome. Uh but the public can also attend in person uh virtually and also choose to watch us on uh channel on burnsvillemn.gov/meetings or Comcast channel 16 or 859. The public can also um participate through Zoom by joining us at zoom.us/join. Uh and more information is available on our meetings web page and in the council agenda packet. So our work sessions are very informal and we go directly to the items on the agenda. the first item on the agenda. So, welcome everybody and welcome guests. It's good to see you all and I bet you I know what item you're all here for. And that's the first item on the agenda and that's the neighborhood organization and grant program evaluation. And presenting this evening is Mike Tracy, our human resource and interim communications director, and Amber Jacobson, assistant communications director, are presenting. Mike, the floor is yours. Yes. Good evening, Mayor and Council. U like you said, we're here to talk about our neighborhood uh pilot program evaluation. I'm also joined here by Steph Cass, who is our new communications director. This is week three for uh for Steph joining our team. And then Ishmail say, our um engagement specialist uh is also joining us who's done a lot of the work with this uh neighborhood pilot program.
Welcome. Welcome Amber and Ishmail. Thank you. Sorry. Oh, you need Oh, you need the clicker. Need the clicker. Thank you.
All right. So, um just to get us started here, I just wanted to provide um council and the community a little bit of a background on the neighborhood pilot program. So, um, we created this program, uh, really to do a one-year experiment designed to make outrageous efforts to reach and connect the community, um, really with the goal of creating a very simple, um, and an easy to easy to follow neighborhood organization and grant program. And then over the course of these last 12 months, the idea was to learn from our experience and make adjustments um accordingly um as we learn and and receive feedback from both neighborhood and staff who participated in the program. So the city council gave us some direction. Um so they uh council direction was really around community defining the neighborhoods. Um they didn't want city staff drawing borders for the neighborhood. Um really wanted this to be a community-led effort. um provide grant funding. So up to $100,000 in grant funding um from surplus property sales um with neighborhoods being able to apply for up to $10,000 of that funding. Um and then for the program administration, we reallocated staff resources to um to uh obviously fund the the administration portion of this program. So, a quick timeline. It started back in September of 2023 is when conversations around participatory budgeting um a white paper was was completed by staff. Um and then fast forward to September 2024 is when the city council provided direction um to pilot a neighborhood and grant uh program starting in 2025. So, it's exactly what we did in January. We launched the program. We worked uh throughout those first several months trying to organize neighborhoods. Um as you'll see in a future slide, we have five neighborhoods that we were able to organize um or that that were officially recognized in 2025. We opened up the
grant um application period in the summer with applications closing in September. And then this last December, we came to council um with those grant applications u for the city council to review and ultimately approve um which we'll talk about here in a future slide. And then here we are in February talking about the program evaluation. So as we kind of have said to the community and said to the city council over the course of this 12-month um pilot program, our evaluation was really going to focus on two things. One was neighborhood feedback um which we received through a formal survey that we uh sent out to every resident who lives in one of those organized neighborhoods as well as informal feedback that we heard through neighborhood interactions throughout the year. Um we participated in a number of different neighborhood meetings. Um plenty of correspondence back and forth with neighborhood leaders and people in the neighborhood as well as some of those informal community events that we've done throughout the throughout the year. Um and then lessons learned. So over the course of the over the year um things that staff have learned um through either those feedback and interactions with with the community members or just our own professional um experiences. And with that, I'm going to pass the evaluation portion over to uh Amber.
Thank you. So as Mike mentioned, we have five established neighborhoods within the first year. Cedar Bridge, River's Edge, Early Lake, North River Hills, Parkwood South, and South River Hills. Um, some highlights to share. We have five grant applications submitted and approved for a total of $50,000. And with that $50,000, we funded 12 projects. We mailed out 2,208 postcards, which was a $7,000 investment. Every Oops. Every um everyone who lived within those neighborhoods received a postcard. And then we had six neighborhood organizing meetings during this time. We had three different neighborhood popup events and we held those at different parks throughout the city and we tried to really use um different areas of the city to hold those popup events. So we held those at Sunset Pond, Red Oak and Inner Lockin. And these are just different ways that we tried to get the word out about neighborhoods. We had 28 informal outreach activities and events. And so we use some of our already established events like Party on the Plaza and Festival and Fire Muster, those kind of things. We had 41 responses to our neighborhoods program survey. And then we we had approximately 750
hours of staff time invested, which was about 50% of the time that we thought we might utilize. So overall, the feedback we received from the neighborhoods was very positive. They really appreciated the opportunities to meet each other, build community. They appreciated the clear, consistent information about events and boundaries. They're very interested in safety, parks, neighborhood identity, and caring for shared spaces. Other lessons learned as we strengthen community connections and improve city communication with neighborhoods. We really found that this program has helped us build really good relationships with community members. And so that's been a great part of this as well. These neighborled connections and projects increase community engagement and vibrancy. And this clear point of contact strengthens information sharing and trust. Some opportunities that we found is we can better standardize how neighborhood boundaries are defined. Um, that's one thing that we had a lot of back and forth on, especially at the beginning, is how to define the boundaries. You don't want to leave some areas out, but they have to be small
enough, too. So, that's something that we found at the beginning, especially um more structure to support neighborhood formation and long-term sustainability and enhanced communication support for neighborhood leaders. So, some things we would recommend is expanded communication support for neighborhoods. One idea is to potentially help each neighborhood set up a Facebook page for their neighborhood. Um, St. Louis Park does that. And we also have worked with the city attorney's office a bit to talk about potentially helping with flyers, web hosting, mailers with the neighbor with the grant funding. Um additional guidelines and resources to help neighborhoods organize which would be potentially providing some framework around structure like both Edina and St. Louis Park have more established um like what am I trying to say here? I'm
like like structure bylaws, things things of that nature just to help again it would be more of a sample or suggestion um of trying to help neighborhoods maybe get a little bit more formal leadership. Um, so the idea is that it doesn't fall on one person or two people to really carry the the bulk of the the work for for the neighborhoods and create a little bit more of a long-term uh structure.
Do they want us to provide the structure for each organiza for the or for the organizations or they will create their own organizational structure? Mayor and Council, I don't think we've heard from the neighborhoods specifically that they want us to dictate like a structure. I think it's more of we've heard just anecdotally and even in some of the written feedback of just there's a little bit of a concern and I think staff also have concern just over the long-term sustainability of neighborhoods. So, I think the idea at this point in time that staff are recommending is just we put together some sample framework um that neighborhoods could use um to help strengthen their support and and build a leadership structure if they wish.
Okay. So, ours is to support them as they create their own organizational structure. Okay, that's sure. Y thank you. That makes sense for them because every neighborhood might do it differently. I think for us, for me, the outcome in each organization is our fiduciary responsibility that with the money that they're going to receive that it's spent the way that they said that they want to spend it. So that's our fiduciary responsibility and that is part of our public purpose policy. So I want to make sure we connect all those pieces.
Yep. Absolutely, Mayor and Council. and we have a process in place. We've been working with our finance team and with the city attorney's office to make sure that those grant reimbursement um that are coming in starting in 2026 um are verified um and following not only what uh what they submitted and what was approved by the city council but following public purpose um expenditure guidelines. So we have a good pro our pro process in place right now um and we'll continue to monitor that and track that um and make improvements as we as we see fit. But um we have a good process in place. Okay, good.
One other thought is implementing leadership um development and connections amongst the the neighborhoods. Um it's really great to see these neighborhoods developing and getting to know each other, but bringing maybe some of the leaders of these neighborhoods together and really um creating more community connections and not just neighborhood. So that's another suggestion staff has um further evaluation. So, we have a year of the neighborhood program and we feel like it's gone very well. So, we are recommending that we continue another year as is potentially looking at those enhancements. um administrating the first year of the grants and continuing to learn and then coming back to council after one more year and of the grants to evaluate again how the program is going. It's Okay.
Oh, sorry. I didn't get to the last slide. So, our ongoing project timeline is August we would have that neighborhood leaders meeting. September do another round of grants. So, the application deadline would be in September. And then December award grants and grant program evaluation. So before we get to the grant application, will we get a report on on the progress of how they spent the money and where they're at, how the neighborhoods have progressed in achieving what they said they wanted to achieve with the grant money? Will that be part of the report before we award another grant? So, yes, Mayor and Council, we will definitely keep the city council um up to date on grant reimbursements and projects that are being completed in real time throughout the throughout the year. So, um, the idea is that at least at least on a quarterly basis or if a big project is completed that we'll be communicating with the city council. Um, and and I'm looking at uh Jenny Roodie at the moment in terms of the form that might be a written report, could be through Council Weekly, it could be through a number of different channels, but we'll make sure not only council, but the community is also aware because we think also seeing these grant projects come to life is going to be a great way to get future neighborhoods um or other neighborhoods interested um and and hopefully organized throughout the next year. Well, it's a good way of advertising the program and then people can see what the neighborhoods have achieved and how it has made a difference in that neighborhood. Uh that communicates a lot of excitement, I think, not only from the neighborhoods
are in the grant program, but then others might say, "Oh, if they can do it, we can do it, too." Absolutely. I and we'll be celebrating some of those things in bulletins and other communication, social media throughout the year, too. As again, as those projects uh happen and are in the ground or events are are kicking off, we'll definitely be celebrating those. Okay, good. And so with that, again, the recommendation from staff is that we continue this program kind of as is um in 2026 along with those enhancements that that Amber presented
um with the idea of coming back to the city council in December with a grant program evaluation. I think it's a good plan. Let's see how it works. Do another one. See how it works and see how it thrives throughout the community. So, really good. Okay, any questions? Yeah, Dan G,
I agree. We should move forward with this. Uh, I like how it's bringing the community together and and actually I like how it's bringing our staff together with the community. So, it's we're all kind of growing together. I do have a concern about your next steps. If we're going to put them neighborhood leaders together in August and they expect a grant application by September, is that cutting it a bit short trying to get their neighborhood organized to because it took a while for these other neighborhoods to kind of come up with their projects and I'm not sure if that a 30 or 45 day period in here that is going to be enough time for the get good quality work done in the neighborhoods itself.
Yeah, mayor and council. I think to that one, the idea with that August meeting is really to bring the established neighborhoods together just to share what's working, what isn't working, and try to build that those connections. Um, we'll be holding, like we did this last year, grant information sessions and doing communications with neighborhoods and and newly established neighborhoods, especially around the grant process well before August. Um, you know, this last year, I think we kicked off the progress in our process for the grant application in June or July, and that was really because we were just getting it kickstarted. We'll start that even sooner than we did this last year. So, we wouldn't wait till August to start talking to neighborhoods about grant projects and coming up with ideas around that. We'll be doing that well in advance.
Final meeting then for the neighborhoods. Yeah, August. I think the envision for that one is less around grant. I mean, certainly there's probably going to be conversations around grants and neighborhoods talking about what their grant projects have been um and kind of sharing their success stories with that one, but really that August meeting is supposed to be focusing on building connection with those neighborhood leaders um and bringing the neighborhoods together. Thank you. Any other questions, comments? I think it's great. Yeah. I hope it doubles in size next year when it
I'm I'm anxious to so I know that uh Jonathan uh Ortla would like to uh because you're with which neighborhood Jonathan please come and um take one of the um seats with a microphone and introduce yourself and you don't have to give us your address. We're trying to be very conscientious about people's address but just say that you're a Burnsville resident.
Sounds good. Yeah, I'm Jonathan Ortoff, Burnsville resident with the uh Cedar Bridge neighborhood. I am the liaison uh for that for that group. And so I just wanted to come out here and thank mayor and the city council for this program. Uh we did have a kickoff meeting. uh Ismmail was able to come out there and uh you know there the information that was on the website was you know very pretty clear and and and concise but it was nice to have the city to come out and explain it uh to us and we had 20 25 people out there that were all very interested in it. I had a follow-up meeting a week or two later just to say, "Hey, what are some ideas?" Um, I got an email list. Um, so again, we probably have a core of 20 uh 25 people on this email list to keep things, you know, trying to keep it going. Um, this the grant ideas we have were kind of stuff this year, but we did some signage for safety um things at the park again um for it to again to hopefully get more people coming. uh with our HOA, you know, we're trying to start this um um you know, monthly thing for kids. We have a lot of young kids and stuff. So again, so last year was definitely about kind of things trying to draw people beautification, you know, that type of stuff. And hopefully this year and moving forward, you know, maybe more events or something again to get people, you know, we always do an Earth Day cleanup and, you know, we do the the the uh neighborhood night out and stuff like that, too. Um so so that that's my biggest thing. as I was talking to some of the other um the leaders here too. I think it it would be a good idea to get the other leaders together to say what are you guys doing? What are you seeing that's working? Um since we're part of an HOA um it is kind of on our HOA meeting list now, but I can see if we weren't if a few people off this list kind of walked away, you know, the program could kind of fall away again there too.
Um so that'd just be a you know suggestion again from from my from me I guess there too. So,
so I'm excited that uh you're in the program and uh and uh I know your neighborhood real well and Yep. Yeah. We appreciate you stopping out, too. Yeah. Thank you. Anybody else? Okay. Thank you so much for coming in. Did you want to speak also? Oh, I just want I want to thank Yeah. Um and are you with the same neighborhood or a different neighborhood? I am from a different neighborhood. I'm from uh the local neighborhood Parkwood South. Yeah. Okay.
My name is Mark Ghart and uh I just love doing this. This is my passion to do. Uh I I was trying to get this the the neighborhood connected some way. And then I hear about last February that you guys are organizing. I said I'm all in because you're going to make it easy for me because I'm a oneman show. I'm not a oneman show anymore, but I I got about core of nine people to help. We're going to do do two events. I have a website. I show it to Mike and and Jonathan and Amber. Uh so it's going to be great. Um we're really really excited. But I want to thank you guys for helping me do more in my neighborhood. Thank you.
Well, thank you very much. Video testimonial that we can use in our promotional materials. Yeah. Well, thank you. Thank you. Okay. All right. Uh, so we're all good and then we're going to be the grant money goes out uh already. Have you awarded the mayor and council? We haven't awarded any. There have been two reimbursement requests that have come in that are in process right now. Oh, okay. And then it'll come through and it'll be on a consent agenda to approve the awards.
Not not for the reimbursements. No. Um, unless you know these are all been small monetary expenses for printing costs. So, um, we have the grant or the council's awards of the grants. So, we'll process those as as they come in. Okay. I think we So, it's about the reimbursement now. It's about the just the reimbursement. Okay. Very good. All right.
All right. Any other questions? Congratulations. Nice work. And Ishmael, I've seen you in action. So, good work. Yeah, you and Amber out there. So, good work. Yeah. Um, well, if nothing else, congratulations. I can't hardly wait to see what all materializes and I think this summer we'll see a lot. Yeah. Yeah. Thank you.
Nice work, Amber. Uh the next item on the agenda is uh our cyber security briefing from our IT director Tom Venibals. It's a very very important subject. Tom, I'm excited to talk about it.
I'm excited too. Hi, Madam Mayor. Council members, thank you for having me tonight to talk about our cyber security um posture here at the city. It's a culmination of ongoing work that we've been doing for many years, but also more u intentional work through assessments that we've completed in the last year and a half. And I'll talk about those um and then provide some additional information regarding our cyber security. Um leading up to the briefing today, um we've performed three different more recent uh assessments in the organization around IT uh activities within the last 18 months. Um the first being an information technology assessment that focused on IT operations and how we do our jobs on a day-to-day basis. Um it's focusing on our the maturity and modernization of our activities and what we need to do to fill the gaps and continue to improve how we deliver services to the organization which indirectly provides services to the community. And then we did a specific IT security assessment in February of 2025 um which I'm going to talk about mostly today. Um and then in July 2025, we also completed a capital um infrastructure planning assessment for IT infrastructure. All three of these assessments had cyber security components to them and um provided us good information that we can grow on and grow with um and make sure that we're addressing as we continue to provide security services to the organization. Uh with that, I'm going to just touch on some current state items. Where how are things going today? What do we look like today in terms of cyber security? Uh talk about the recommendations that came out of the security assessment and then also um recent improvements that we've um moved forward as a result of the
assessments in general and our plans and then talk about future informed decisions and how we will be making decisions in the future as it relates to cyber security. Um, just to give everybody a a sense of what one week in the city of Burnsville looks like in terms of our cyber security activity. Um, this is a 7-day period in January of 2026 where our security platforms and tools and services provide us protection. Um, we have some metrics that we can measure and look at and to give us a sense of how things are looking. I would categorize these metrics that are on these bullet points as uh regular trends and what we look for is the anomalies. The anomalies that really spike and that we have to respond to. Um the tools help us do that and help us identify. But just to point out a few um we in a week's period of time we receive about 60,000 emails coming into this organization. Many are blocked and we send out uh several thousand emails on a in a 7-day period. uh we manage credentials. So the the credentials that staff use to access systems are managed through password management platforms. Uh we have staff using those and on a regular 7-day period we have about in this case 5600 of those credentials stored in a password encrypted management platform. Um we also scan our devices in the organization on a regular basis. So we do vulnerability scanning. We have tools today that scan multiple up to about 2,000 devices in a 7-day period. On top of that, we also use multifactor authentication with many of our systems and our platforms. Um, in a week's time, we have a lot of authentications that are going on. We also have some that are denied based on the results of maybe they delayed too long to respond to them the the prompts or maybe there was an attempt that somebody was making that was denied. Um, we also block a lot of websites. Um, we also access a lot of
websites about 16 million in that 7-day period. And that's not just people accessing sites, it's other systems accessing sites that we monitor and maintain. Um 16 million in one week.
In one week. So there's a lot of activity coming and going out of our internet service today in the organization. Um and we have advanced tools that monitor and maintain protection around that activity. Um we also protect all of our staff devices with what's called manage, detect, and response. So if it if something is found and detected, there's a response that immediately happens through the managed service that we have. Um and then in that same given week, we actually respond to about 28 on average 28 incidents that are reported to IT. Those are the typical low severity type of items that are typically phishing emails or website popups and things that you would normally see in your normal activity either at home or in your business too. As part of the external assessment that was performed on cyber security by a third-party u vendor um they looked at several different things within the assessment um in terms of uh our organization. They did an analysis of of our current protection strategies. What do we have in place today? What policies and procedures? What systems we have in place. They also did their own external and internal vulnerability assessment. So they use tools of their own um that were outside the normal tools that the city has um to assess our vulnerabilities also. So we had ability to compare our tools and their tools against the vulnerabilities. And then they also looked at um they did a gap analysis between our our current environment and five different industry standards around cyber security. And I'll talk about those in a future slide here. Um they also looked at how we are organized and how do we align with industry standards and security recommendations that um come out of those those standards that they um analyzed us against. And out of that they created a task list, a to-do list for us to address the gaps, the issues
that they recommend us to address and and prioritize and then um fix um over a period of time. to give you an example of what one of those assessments looks like. Um this was a slide from the vendor that showed um a vulnerability scan they they performed against our internet-facing systems. So the the the typically like our web sites and other systems that have access to the internet. Um this slide actually indicates that we had a good score a good passing score and the vulner very low um vulnerabilities found in that case. And they did this again across uh five industry standards and these are the standards that they compared us against. So um CIS version 8, HIPAA which many of you have heard previously that's a security standard. Uh NIST CSF 2.0, NIST 800-53 and PCI DSS. And the only reason that's important is um normally when you do an assessment, a cyber security assessment with a third party, they typically compare you against one of those industry standards um they typically don't do multiple. But we in this case because we hadn't done an assessment in a few years, we asked them to do um an assessment against multiple um security standards in the industries. Um what that typically results in is more findings and more things to address. And so um overall our score was um um reasonable protection. Um we were higher than average. Um the it was a very positive um response. The vendor verbally indicated that uh we scored higher than most of the agencies that they do similar assessments against. Um we also uh we were in a position um of good posture to address um the the gaps in the tasks that they found and created. Um and each of those graphs there are the five different
industry standards that they tested us against or analyzed us against. So our overall score in that regard was 7.7. That means we got room to improve. Uh we want to be at a 10. 10 is perfect. But uh they said this is actually a very reasonable score and uh puts us in a very good position to continue moving forward. Along with those activities um we do some of our own assessments. We have some tools today with um our Logist membership um that allows us to do our own on-demand self-assessments very similar to the type of external assessment that the vendor did. But this is a tool that we can create a score a baseline score and reassess ourselves every year on our own without bringing in a vendor. But it allows us to also compare ourselves against the vendor scores. Um we also implemented as part of this process uh risk assessments um for third-party vendors that we do work with. We are just starting that. We started that last fall and um it's a slow process because many vendors don't aren't used to being assessed by their customers and they they are um willing to work with us especially those that are very used to security standards and and also in the very similar industries. Um so we are moving that forward. Um and then we also are subject to mandatory types of audits or industry types of audits that are part of our um so because we have law enforcement systems we are subject to regular FBI and Minnesota Bureau of Criminal Apprehension audits right now that's approximately every three years. Um so we go through uh administrative audit and then we actually go through a systems audit and a physical audit where they look at physical security too in our organization. Um we also go through our uh as part of our annual financial audit um that finance leads uh there's a cyber security component that I'm involved in and IT in general is involved in where we um go through and
answer and meet with the auditors to look at our primarily focused on our financial systems but look looking at our overall cyber security efforts. Um then we also go through an assessment as we uh renew our cyber security insurance annually. So in order to um we have cyber security insurance today through the League of Minnesota Cities um insurance trust and as part of that we have to go through an assessment so we can qualify for that uh insurance and also so we can qualify for discounts on deductibles. Um we are also subject to the water infrastructure act at the federal level because we're a water utility provider and we go through an assessment with that um at least every five years and then we do annual updates to that u risk and resiliency plan as it's called. So we don't sit still when it comes to audits and assessments. Um but these are all good and these become um they're becoming routine type of activities that we just anticipate every year and u we update
Yeah. Before you move on water because I remember when we went through 911 that we had to really secure the water system because it's it was vulnerable and I think we really put some standards in place. You were here Tom at that time. Um and now when you go back and you look at uh the water infrastructure act and the risk and resiliency audit and you do that every five years you believe that uh the water treatment plant is secure.
Um Madame Mayor um it's a more formalized process that we've gone through um for at least the last 10 years. Yeah. Um and it is um it involves not only IT but it involves our entire water utilities group where there's a significant portion that they have to um provide in terms of assessment and auditing. We also um a major portion of that audit um is also regarding physical security as it relates to our water utility infrastructure access to facilities in and outside of those facilities. So, and when I when we talk about cyber security, there is a physical component to it. Yeah,
we do have to physically secure access to systems also. That's part of our assessments that we go through and we're also part of the assessments that we um participated in in the last year and a half. Um and it is involved in physical security of assets in the organization. So we work closely and collaboratively with our water utility group um to review and assess those through this process but also processes on our own where we do our own assessments of those. Uh most recently council approved um security upgrades to the water treatment facility. So those are ongoing activities that we'll continue to do through our capital improvements plan and you'll continue to see those type of requests and approvals um coming through over the course of the next several years. So you would know if the water treatment plant is hacked and they get into because you have to measure the kinds of um minerals and and the different aspects of the water. You will know if it's been tampered with. I can't speak to what our water utility staff do on a routine basis, but they do test the water regularly.
Yeah. Um it in my group um we focus on those physical u security requirements. We also focus on the cyber requirements for the systems that are used for the water infrastructure on a regular basis. And we're leveraging the same tools um across the entire organization. But we do have some very specific requirements around those water utilities that we have to follow as part of the water infrastructure act. They're mutual but also um distinct. Yeah.
Okay. Um, additionally, as part of the security assessment, um, from our third party vendor, um, we grouped their recommendations into five different, um, specific activities and areas. Um, first and foremost, the tasks that they created, the task list to address, um, is a recommendation of course to complete those tasks within a reasonable amount of time. Um, one of the significant findings in our vulnerability assessment and one of the reasons why we scored a little bit lower and that 7.7 that you saw on the previous slide was because of the number of Windows 10 Microsoft Windows 10 devices that we still have in use in this organization. Um, we were aware of that going into the assessment. We assumed that that might be uh an issue. Um, it was, but it's also an issue that we can remedy fairly quickly and it is also included in our 2026 capital improvements plan. So, um, this just one example of a task that we can complete this year and and next year's assessment will look better and we'll score higher because of it. Um, that Windows 10, if you weren't aware, went uh end of life and end of support from Microsoft effective of October of 2025. So, we're not that far out from that end of life and of support, but the further we wait, the longer we wait, the higher the risk grows. So, we want to address that. Um we also one of the recommendations coming out of the report was to consider separating security roles from IT leadership roles so that there's dedicated focus and resources on security ongoing. Um I wear a couple hats today. Um I'm a what's called a local agency security officer as it relates to the BCA and the FBI. I'm also um uh CISO. I wouldn't call myself a full CISO for uh security information officer for the city, but um I wear that a hat that's adjacent to that dedicated
role. In addition, um I lead the department uh and and direct other activities. So the the goal there is moving towards more dedicated resources to focus on security on a regular basis and leveraging that maybe with um managed service providers or third third parties that could do that more um on a regular basis and and regularly focus on that. Um we're working through that process right now and looking at assignments to existing staff within our group and also handing off more um services to third parties that we can pay to help us in this process. And then one of the other recommendations was we have a lot of systems that collect a lot of information and I showed you a lot of those metrics earlier in an earlier slide. bring it all together in a a usable dashboard or what they call key performance indicators that we can look at on a regular basis that normalizes the information and gives us good visuals to say here's what it looks like a snapshot in a day in in the organization. And it's also information that we can share with other or parts of the organization that makes it very simple to see if issues arise or again as I mentioned earlier we want to see that normal trending data and then they also recommended working on um a road map what they called the current versus ideal. So working on our current issues making sure we're addressing all the tasks that need to be addressed and then focusing on the ideal road map after we're done with those current items. And that really simplifies um our our priorities and and what we need to focus on. Ideal there's there's a nirvana level stuff that we could really be at, but the reality is what
how do we lower our risk? Yeah. How do we do it, you know, minim maximize what we do and also be able to afford it and make sure that we our budget supports it.
Yeah. Um, and that's that five bullet point list that you saw previously came out of this slide and and some of the other detail out of the the the vendor's um report. Um, I I did want to touch on a significant number of security investments that the organization has made and continues to make um going forward. Um, I mentioned earlier we have a significant number of tools. Um, in totality, we've got about 27 different tools and services that we use that are dedicated towards security. And when I say security, that's cyber security activities and also physical security systems. Um, so what that looks like in our budget though in a year, um, so in our 2026 operating budget for security alone, um, just the cyber security services and systems, um, we budget about 378,000 um, in the 2026 budget. Um just the physical security systems, the ones like our card access control systems for doors in all of our facilities, security cameras. We have about 400 cameras today. Um we also have uh we manage security gates around our water utility assets and those types of things. We spend about 75,000 annually just on maintaining and and and keeping those up to date. Um and then our capital budget also supports security in significant ways. It just so happens in 2026 we have some very big investments in security um that are um shown here in that large number of 896,000 that primarily reflects um the plan to replace staff devices the Windows 10 devices I mentioned earlier um with current generation of equipment in 2026 and in readiness for our move into the new facility.
That's okay. and also to address security um and our vulnerabilities around keeping those devices too long before they're Are we all going to have new your current badges will work with the current the new system? Oh, so these will work with the new system. The the that was our plan all along and the new um card access control platform for this facility and um other facilities that we're rolling it out to already. Um we'll continue to use your current badge unless you would like a new picture taken and you want a new badge. She's pretty old. Yeah. Okay.
Um in addition to the the staff devices, we're also in the process of implementing um previously approved capital improvements on in our network infrastructure across all facilities. We started that project in 2025 and we're going to complete it in 2026, but that represents another large amount of this 896,000 in capital improvements that we're doing. We're touching about 60 facilities in the in the next few months. So, a very big investment. I think um that gets lost to a lot of people. How many fiscal facilities that you have to that that you build the infrastructure, the IT infrastructure and the security infrastructure throughout all of those facilities that are owned by the city and assets
today about 76 sites that we touch and uh a majority of those are connected via fiber optic infrastructure that the city owns. So it's private fiber this about 40 miles of fiber optic infrastructure that allows us to distribute all these security tools to all those facilities without having to replicate them at each of those sites. So we have a very um extensive network that allows us to but that's also one of the reasons why security is a big component of what we do and how we do things um because of the number of sites that we have. Yeah,
majority of those sites are water utility sites, of course. Um, but they all represent a component within our overall city network. Yeah. And I'm glad we invested in cyber it because that allowed us to address all of the water utility aspects and to also connect.
And it's a private network today that the city owns and manages and maintains. And so it it does um provide another level of security because of that because we own it and we have physical access to it and we're able to manage it and monitor it regularly. Um as a result of the assessments and the systems that we have, we are also um one of the recommendations or tasks was to develop a plan that we can continue to move forward internally. We're calling it the the resil resiliency, excuse me, risk reduction and readiness plan. And it really is a framework of things that we're going to continue to focus on to make sure we're addressing those areas um that may have been highlighted in the assessment, but are also a very um uh ongoing regular component of our security program here in the organization. We're going to continue to have partnerships with third-party organizations to help us with security. The state of Minnesota is part of our security um plan. The logist we're a member of provides us security services. We're also partners with Dakota County and others for security. So, we have a lot of partnerships and and as it relates to local government, but we also use a lot of third parties that help us, private companies, commercial companies that provide us good services, too. Um, and we're going to continue to do that in our plan. Uh, we're also going to continue to um use advanced security infrastructure. Today, we have a lot of good tools in place, um, great investments. We're going to maintain those tools, make sure that they're part of our capital replacements program, and we're taking care of them on a timely basis. Um, and then we're going to continue security awareness and training through our staff. I hope that most of you have already seen KnowBe4 emails and security awareness campaigns. Um, we're hoping
we got a little a little a tip.
We're going to continue to do that. We're going to continue to mature that and make it interesting and and may hear me say things like gamify it, gamification so it becomes a little bit more interesting. and we're going to use it as a tool to measure our effectiveness against um the awareness program that we've brought forward so that we can do some random what I'll call random campaigns and see if staff have taken on their training well I guess is the best way I could put it. um and we can measure that and make make sure that if we have some areas of weakness, we can identify that and address those things fairly quickly because people are another um component of this process. Um res resilience and recovery. So our goal in terms of cyber security is to lower risk as much as possible. It's a matter of when an incident occurs not if we have incidents all the time. is there are different severities the and generally majority of those are low or medium incidents. Um so it's a matter of managing those making sure the impact is as small as possible but also making sure that we can recover from incidents and we have a very robust res uh recovery platform now um so that if an incident were to occur here we would have the ability to recover from that incident in a very timely way. Um and then again, we're going to continue proactive infrastructure planning. We also now have a formal incident response plan um that we've uh put into service and we're using if an incident were to occur um so that we can step through like a wizard um a software wizard, think of it that way, that um it makes it very readable and understandable for any staff person that's involved in that. and it defines roles and responsibilities so that if an incident were to occur, we can go to that plan and follow that plan. Very similar to an emergency operations plan, but very focused on cyber security incidents.
Um, and then we're also going to focus on uh information and um security governance. And what that means is identifying the data that we we need to protect, who owns that data, what is that data, and do we have the appropriate systems in place to make sure that we're protecting that data. Um, most of the data we have today is public data, but we do have private data to also that we have to protect in different ways because of it, primarily associated with our law enforcement platforms and systems that we have access to. But um in general, it's a good practice in any cyber security plan to know what data you have and how to protect it. So we're going to formalize that and make sure that that's uh well documented. Um I mentioned we've made some improvements along the way and not only as part of what we what has come out of the cyber security uh assessment recommendations but also um recommendations that came out of our former um CIP plan and um also things that we had in the capital budget already. And just a few of those I mentioned um we're doing vendor risk assessments now. We started that in uh quarter three of 2025. We've got a few vendors that are going through that process right now. We're finding that it's a little bit slower than we'd like, but um a lot of that is just a learning curve, not only on our part, but on the vendor's part to respond to us. You know, uh vendors also want to protect their own information, and they're they're not as willing to give up a lot of secure information about themselves, and we understand that. So, we we're working with them to help. And really, the goal there is to um as we conduct business with third parties, especially new vendors, we want to know who they are. Yeah. What they are. We want to protect ourselves from anything that they may have access to and we can do that through them reporting to us on how they secure themselves.
Um we also I mentioned earlier we implemented a backup and disaster recovery platform that's one of those resiliency tools that we've mentioned. So we've got a tool in place and as of Q3 2025 that was um implemented and provides us great protection now if an incident were to occur we could recover quickly. Um, not only does it protect us on premise, but it's got a um a hosted platform mirrored image or copy of what we have. So, so we won't go through what St. Paul went through. We definitely intend not to or try not to. Um, but if an incident were to occur, really good recovery,
we would have the ability to recover is is the the good part there. Um, but it would still be impactful if anything similar were to happen like the city of St. Paul. it wouldn't take us as long to that's the intent get to recover when you have put in place these backups and for disaster recovery
and that is currently in place. So, um, we continuously monitor it and use it on a regular basis and it does day-to-day types of things like, hey, I lost a file. Can I recover that file? Yes, you can. We can do that very easily with the tools that we have today. Um, we're also we deployed some additional firewall apps that focus specifically on the the internet facing systems that we have. So, um, we put that in last quarter of 2025 and that was, um, that helps us address, um, things like, uh, services that are constantly probing our public websites,
um, and constantly trying to get into our public websites. We actually have very specific tools now that monitor and alert us to those activities and shut down those activities quickly. And then we're all part of our enhanced administrative cyber security rollout in the first quarter of 2026. So that's the KnowBe4 campaign. That's the notifications that people receive. Now that's also part of our ongoing effort to continue to enhance multifactor authentication use in the organization. In addition, we're going to be moving forward with some more password change enhancements um that you'll be hearing reading about real soon. So um one of the other tools that we've had in place that was also identified in the assessments and it's also a requirement is this tool called a security information and event management tool. And all that does is it collects the data and logging and information from all the various tool security tools that we have brings it together normalizes it so that we can know what's going on. So if an incident occurs, we go to that system and it'll tell us where the incidents all come from and it'll help us correlate back to what caused that incident. So it gives us more insight and information. It again I guess the best way I could describe it is it gives us it normalizes it um so that we can interpret things quickly and respond quicker. Um, and then I mentioned earlier we we rolled out new infrastructure for all our facilities starting LA uh in quarter three of 2025, but we're anticipating to complete that project in quarter two of 2026. So, and that will be assuming um we are moving into our first phase or second phase of city hall and we would be complete at that point because the new data center would be up and operating at that point which it is part of that process. Yeah, I saw your data center downstairs.
It's tall. Yes. Well, with everything that you're keeping track of, we have a lot of um we'll uh it'll be nice when we move into that facility because that'll be our last leg of our infrastructure improvements for this capital plan. So is so do you will you still have the data also over at the uh maintenance center? So our we do have a secondary data center at at our maintenance center. But one of our goals after moving into the new data center is to transition away from a second data center and have everything in
we would what we would do is we would supplement in hosted services. So we would have not only just one data center now in our facilities but also leverage hosted services to provide us what we would consider a virtual data center secondary control excuse me is that for more control
um it's it's to reduce costs in terms of capital replacements. It's also to help us um be more resilient because there would be a cloud service that we could leverage then also in addition to the on premise um that transition it'll take a couple years to do after the new data centers up and running. But that is one of our goals right now. And one of the things that'll help us with is reduce costs and power and cooling and equipment that we have to buy. We will minimize the number of capital replacements that we have to do as a result of that. So we our goal would be down to one physical data center for the organization with one cloud data center as a backup. Yeah, that's what I was thinking because of cooling those data centers is takes a lot of
and we're we're deferring some maintenance on that secondary data center anticipating that we will be shutting it down. So um we're trying to minimize the amount of expenditures that we're going to continue to make in that regard. But um we're on track so far. We just got to get that new data center up and running. So that reduces our gigabytes. Also the amount of kilowatts that you need. It would reduce quite a bit of the power demand that we have in that secondary data center. Um and the large batteries we have is backup power. So we would no longer have to have those batteries in place and the power that we pull for our equipment that's there. And it's duplicate equipment. So we would no longer have to duplicate that equipment. So nice. Yeah.
Yeah. Um part part of that too is it provides us resiliency. If an incident were to occur, we could transition to a cloud hosted data center that would allow us the ability to continue to operate if our primary data center is not available. One of the other items I wanted to touch on um as part of our uh our uh risk in our incident plan um we we've identified how we're going to communicate out through the organization as an incident occurs and we categorize incidents in low, medium and and high severity categories. The typical um awareness or information where services become impact is in the high severity. We hope to never have to communicate high severity incidents that occur that would have impact on our operations and our ability to um do things, but we still want to plan for um incidents that occur in the medium category. Um also, and when an incident is recognized um and a response is started, that will trigger a communication to the city council so that you're aware that something is happening. We may not know what at that moment in time. We may not know the extent of it, but at least there's a communication process started at that point in time that allows us to continue to respond. And of course, the incident plan also highlights who do we involve in that communication. It would most likely be the executive team along with our attorney and other organizations that are part of protecting us. um well defined in that incident management plan but um we also have some flexibility so that we can communicate when we need when we want to and when we need to um really I I wanted to stress that most of the time when an incident occurs we don't know exactly what that incident is immediately our goal is to find out we
just know something has occurred and we we'll address it and respond to it as quickly as possible but as it evolves the goal would be to communicate along the entire duration of the event until it's resolved. Um and then obviously depending on the severity of the the incident um there's a process involving external communication that would also be coordinated with the executive team so that if an incident were to require us to communicate that incident to the community or our customers in some fashion um the plan involves that process so that we clearly define when we communicate an incident of that severity as necessary to the community. some of the future informed decisions that will be driven by other activities. Um I'll just touch on those. Um of course our capital improvements plan as we go through and I update that annually. We do a five-year plan um that's got a security component to it. We'll continue that will drive a lot of our requirements for capital replacements. Um, so we may end up having to do s some activities sooner than later than we anticipated just depending on what's going on in the industry and what are the what risks are we trying to mitigate or prevent. Um, and then of course there's always industry standards or uh requirements and mandates that we have to follow and that may drive some of the need to do some security improvements over time that we're just not aware of today because that it may not be a mandate today. And then some of the trending challenges that um will most likely have some impacts on our bu our need to do more security things. Um advanced threats like artificial intelligence. Uh there are tools now being used to attack and hack systems that are artificial. Um, quantum computing, it's kind of a buzz term, but it's it's a activity that we want an awareness around and a where quantum computing tools are now could be deployed to start doing types of nefarious activities that we'll have to
continue to keep on top of. The tools that we're investing in are keeping these items in mind and in check today and will continue to. Um and then there's other items that um continue to grow and that is what we call internet of things. So it's the the simple things like clocks now that plug into networks or speakers that plug into networks. The simple tools that we take for granted um that plug in and need connectivity to the internet. They pose some risks to us because not all those manufacturers keep security in mind. And so as we deploy those kinds of tools, we have to manage the risk around those tools, isolate them in ways that we can do and then also make sure that we're keeping on top of those tools and refreshing those tools as much as possible. Um and then those hosted systems that we're buying services for from those platforms are out of our control that typically those are platforms that are owned by third parties and making sure that this is where the vendor risk assessments really become important is that we're ensuring that those hosted platforms are secure and they're taking measures to keep them secure as we use them. Um, and then the skills gaps, of course, that's that's an ongoing challenge in a lot of ways for a lot of departments and and organizations, but just our own IT skills gaps around security and making sure we're keeping on top of the latest and greatest and then the increasing volume of risk that's occurring because of cyber security um activities out there. Um, as a result, we are going to continue to review and and look at options for expanding our managed security services. How can we buy more services that will help us protect? Um, we're going to budget for ongoing assessments. That's going to be a regular activity. We're doing self-assessments, but the objective third-party assessments are important aspect. Figuring out the cadence of that is going to be important.
Today, we don't have a set cadence, but the re one of the recommendations coming out of the um assessments is um annually or biannually.
Yeah. Um and then penetration testing. So this is a where you could actually um pay a a consultant, a third party to try to hack into systems and dive deep essentially is what we would call it. And not only involving just using um trying to get into systems but also tricking staff and doing social engineering types of activities where they may even try to physically access things and they can assess us on those activities and see how good our physical infrastructure is against physical asset access. And then um in considering increasing our cyber security insurance today we I mentioned we do have a policy
um it's through the LMCIT League of Minnesota Cities. Um it is only half a million dollars today. Um doesn't cover much. Yeah. Yeah. It's
it's uh the highest level of insurance we can get through the LMC today. Um the the largest amount we have sought out quotes for additional um riders for from other third parties. Um the the two that we've looked at um that we we obtained numbers for um one policy was a $3 million policy at $40,000 a year and the other one was a $5 million policy at $60,000 a year. So the conversation still has to continue and that in regards to that and around what what we think we can afford and how much risk we think we can take on. Um insurance is a good option. It provides us some ability to recover, but it's it's one of those I'm not an expert on how much insurance we should have in this regard um because we've never had an incident of that magnitude that would require our insurance to be utilized in that fashion. But um similar incidents in in adjacent communities obviously might give us more in in in light of that and and give us some insight to recommending what level of insurance we can have. So we're going to do continue. We're going to continue our work on that and come back with recommendations through our process with finance and our annual review of insurance.
Yeah. And then you'll know what the cost was for recovery if they provide us that information. Yeah. Um, and then last but not least, um, just staying informed what's going on around us in terms of security and what we need to keep on top of and aware of. And we do that through seminars, webinars, peer meetings, memberships. We're a member of um, CISA, which is the cyber security infrastructure uh, agency for the part of Department of Homeland Security. So, um, they provide us resources and lots of great tools. I get a lot of emails um and a lot of not with links to click though, right?
We always validate where they come from first. So yeah, um I've talked a lot about our cyber security um brief and um if you have any questions, I stand for any of those. Any questions? Any questions? Oh, it's very well done. Very comprehensive and also in the check-in we're able to ask some questions about it. Very good. Thank you. Thank you, ma'am. Very comprehensive.
Can I just ask one and you don't have to elaborate on this like when you talked about the internet things, you know, you hear these stories about people's homes getting hacked through their washing machines because everything's connected to Wi-Fi now. Um, are we taking inventory of those things with the redevelop or the new city hall and how much we are connecting to those types of devices for thermostats and otherwise? Like are we vetting those things out as we're he talked about the clocks? Yeah, they're going to take Madam Mayor, I know we are, but if I'm giving you an opportunity to
Madame Mayor, council members, we we do um do have a regular um inventory of our assets and part of our vulnerability scans also identifies those unknown assets that somebody may have plugged in. We'll find those things and then we have to do some investigative work. But to your point, as we move forward into the new facility, um we will know all the devices that are connected to our infrastructure because part of the the design of our network going into the new facility will also isolate some of those devices so that they're not co-existing on the same network traffic that our more important systems are. So, we can what I'll call isolate clocks and um other devices that may just do some rudimentary things but pose bigger risks because they don't have the level of security built into them that a normal secure device would. Um it's always a concern and it's also one of the more important reasons why you keep um asset inventories up to date. And part of our capital assessment process in 2024 and five was to create that asset list and continue to maintain that asset list. Now, we're going to have a major shift in as we move into the new city hall where we're going to have to we're going to be able to take a lot of old stuff off that list and a lot of new stuff comes back comes on it and we'll have a period of time where we just have to make sure we keep that up to date. But that's an ongoing activity that's part of our cyber security program. Yeah.
I have to Battlestar Galactica that
Yeah. Thank you. I don't know. I don't have Alexa, but a lot of people have Alexa. That's that internet of things. We have Google Home in our house. So, ah, so Google talk to you. Yeah. They're always listening. I think my lights at my house are all connected to my phone so I can change the color. And I'm sure that's probably a vulnerability. That's just a small one. I'll just keep quiet. You got to have stuff that people want in order for it to get stolen, too. So that's true. Yeah. Thank you.
Okay. Well, thank you so much. If there's no other questions for Tom, great. Thank you. Um then um there's nothing on round tables or reports. Vince, I got nothing. No nothing this week. Karen Ben and
if you MBTA, our board retreat is February 19th. Uh we're not very exciting though. We're just going to have it at our regular meeting place on Rup Drive at the Burnsville bus garage. Uh last meeting we received MBTA's 2025 recap and 2026 planning update and uh we held that meeting at Canterbury Park. It's the annual um post-holiday and it's a a dinner with an award for the 2025 driver of the year and then 2025 rookie driver of the year which was nice. Uh I35 solutions uh MBTA is presenting their 2025 recap of 2026 planning at our meeting this Thursday. Um Met Transit presented last week or last month. So I wanted to make sure that we got the second largest transit uh system in the state uh to come in right after them. Uh we're obviously like many of these organizations, we're planning our legislative uh session. And in March, we have MnDOT coming in to present an update on the Highway 13 corridor and I3594 project updates. And in April, we invited uh with the help of city staff, I was able to get a a U of M professor to come speak about transportation and transit trends. And then uh NLC uh hope everybody's going. I know the mayor doesn't go but congressional city conference in Washington is
it's all budget driven. Yeah. March 14th to 18th.
Uh we'll learn many things including solutions for cities in AI usage and policym infrastructure housing lots to name a few. But this is very focused on visiting with our federal elected officials to bring our needs to their attention on Wednesday the final day the 18th. My participation got a little more busy this year. Um, we just had our executive committee annual planning meeting at the end of January, the first day of February. And I'll be participating on the board of directors. I'm assigned to the board legislative committee, which I'm looking forward to. And uh, the transport I'm still on the transportation federal advocacy committee and suburban cities council former name first tier suburbs, but it included all suburbs. and I'm board liaison for that committee back to the board and that's it.
Okay. Uh I don't have anything. Greg, nothing for me. Michelle, you have anything? Okay. Well, thank you everyone. And if there's nothing else, we stand adjourned by acclamation. Have a good evening everybody.
This transcript was automatically generated from the official public meeting video and is presented unedited. It reflects remarks made on the public record by elected officials, staff, and public commenters. Transcript accuracy may vary; view the original recording for reference.