2017-043 Information Security Program
Date: June 16, 2017 Report No. 2017-043
INFORMAL STAFF REPORT
TO MAYOR AND CITY COUNCIL
SUBJECT:
City of Denton Information Security Strategy
EXECUTIVE SUMMARY:
ategy.
BACKGROUND:
Information is an asset which, like other important business assets, has value to an organization
and consequently needs to be suitably protected. Information can be created, stored, destroyed,
processed, transmitted, used, corrupted, lost or stolen.
In recent years, major enterprises like Yahoo, Home Depot, Target and Sony experienced
information system breaches that required the companies to pay millions of dollars to cover the
costs related to the attacks. In the cases of Home Depot and Sony, the intrusion initially
occurred via hacked third-party vendors, and financial gain was the motivation. Data maintained
by Privacy Rights Clearinghouse shows that federal and state government agencies publicly
disclosed a total of 203 data breaches over the past 5 years. According to a survey conducted by
the Texas Association of Governmental Information Technology Managers (TAGITM) in 2017,
41 out of 54 Texas cities have been affected by a malware attack. Malware is software
that is intended to damage or disable computers and computer systems.
In 2015, the City of Denton detected over 55,000,000 threats. Over the past year, this has
increased to 138,356,036 threats and 55,606 instances of spyware. On average, we block about
50,000 malicious webpages a month. Additionally, we received over 9,423,368 emails this past
year. Out of those, 71 percent were detected as threats.
Information technology security controls should preserve the confidentiality, integrity and
availability of key information systems, programs, and data. Information Security is not a single
technology; rather it is a multi-layered strategy comprised of the people, processes and
technology necessary to prevent, detect, document and counter threats to digital and non-digital
information.
cycle of activity for assessing risk, developing and implementing effective security procedures,
and monitoring the effectiveness of these procedures. The Technology Services Department has
been proactive in implementing multiple layers of protection for IT supported technologies.
Without a comprehensive security plan and industry best practices in place, even the best
systems can be compromised.
Multiple security tools, practices and procedures have been implemented during the last several
years to protect the systems against unauthorized access and viruses. Some of these include:
• Secure architecture and design validated by a third party
• Electronic and physical security controls
• Strong password policies and access controls
• Controlled use of administrative privilege
• Proactive monitoring and analysis of logs
• Annual vulnerability assessments, penetration testing and tabletop exercises
• Site and hardware redundancy that includes a backup Data Center
• Incident response plan
• Business continuity plan
• Cyber Security Policies
• Security retainers with companies specializing in information security for rapid response
• Scheduled patch management
• Periodic social engineering exercises for staff
• Various security technologies
  o Perimeter Security: firewall, Intrusion Detection and Prevention Systems (IDS/IPS),
    demilitarized zone (DMZ) for public facing applications, e-mail scanning (anti-virus)
  o Network Security: firewall, web proxy, wireless security, enterprise remote access,
    security information and event systems
  o Endpoint Security: desktop firewall, anti-virus, patch management, local security
    policies
  o Application Security: application testing, code review, database monitoring
  o Data Security: drive encryption, data archive, data wiping, data classification,
    identity access management
Additionally, Information Technology staff regularly reviews the US-CERT, SANS, Wired
Threat Level, Dark Reading, Dell Secureworks and other resources to maintain current
knowledge of cyber security alerts and product vulnerabilities. This information is used to
fortify City systems against threats.
STAFF CONTACT:
Melissa Kraft
Chief Technology Officer
(940) 349-7823
Melissa.Kraft@cityofdenton.com