The Human Resources and Information Technology Committee met 03/09/2022. One of the items they discussed and voted on was to award a sole source IT network assessment contract to Heartland Business Systems for $60,000. This item was also discussed during the Finance Committee meeting on 03/07/2022.
IT Director Corey Popp told the committee that the funding for the contract was covered by the allocations in Resolution 2-R-22 which the Finance Committee had voted to approve on 03/07/2022.
He also noted that because it was a sole source contract, he had made sure that he followed the proper protocol and ran it past the city’s purchasing manager. The memo from the purchasing manager supporting the sole sourcing nature of the project was included in the agenda packet.
The project itself was a network assessment and internal security assessment of the city’s IT network. It would include everything in the data center, all servers, virtual servers, and the network itself—i.e., all the fiber optics that run between locations and all the hardware and software that drive the network. The assessment would also include the directory services which he said were the usernames and passwords, computers, and security of the network. Finally, the assessment would also include disaster recovery, backups, and business continuity.
The estimated time to complete the assessment was approximately 30 days. Then it would take another week or two for Heartland to report their findings which would come back to Director Popp both verbally and in written form. The report would include a list of prioritized remediations.
He emphasized that although the contract would include a list of remediations it would not include implementation of those remediations. It was an assessment only. The findings would be prioritized into “Immediate,” “Three Year,” and “Five Year” plans.
Although remediation was not included in the assessment, the assessment would include a piece of equipment that Heartland would supply to the city. This equipment would monitor the network. Director Popp mentioned that the current device the city used to monitor the network had fallen into “disrepair” and it had not been utilized to the extent it could have been for a couple of years. The device supplied by Heartland would be used to perform the assessment and then after the assessment would be used by the city for network monitoring. It was the only tangible item/piece of hardware that would come out of the assessment.
He opened things up for questions.
Alderperson Kristine Alfheim (District 11) said that, as a person who didn’t understand the IT world, she really appreciated his explanation at the Finance Committee. He had done a great job of helping the alderpersons understand what he was looking for through the assessment and how the streamlining and security of the system was important. She thought he did a good job of explaining the urgency of the situation and that it was important to support the assessment.
Alderperson Michael Smith (District 10) said that in reading the memo it looked like Heartland had been providing the city services for 20 years, but they were only now getting a request for an assessment. He would have thought that this would have been something that the IT Department would have been on top of with regular checkups and making sure that everything was current, instead of it only happening when Director Popp came onboard and said it needed to happen.
Director Popp responded that he couldn’t speak to what had happened before he was hired.
Alderperson Smith understood that, but he wondered if the urgency with which Director Popp indicated this assessment needed to be done was indicative of a lack of due diligence by the IT Department.
Director Popp said he had asked the members of the IT Department if they had ever been through an assessment like this before. The most senior person on staff had been with the city for 10 years but could not recall a previous assessment like this having taken place.
He went on to say that an assessment like this was a large, top-to-bottom assessment, not just a security assessment or a look at the network. How often such assessments are performed varies from organization to organization. It is a leadership-type decision. He couldn’t speak to what happened prior to when he started working for the city, but he could say now that such an assessment was definitely due.
Alderperson Smith asked, during Director Popp’s communications with Heartland, if Heartland indicated they had recommended performing an assessment five years or ten years ago. Or were they just happy to talk about it now and do the work now?
Director Popp responded that they had been in to do this type of work in the past. The network had been built in segments, so Heartland would be brought in for a particular project, complete the project, and then leave. They themselves had said that they had never taken this type of look at the system before. A holistic, top-to-bottom, umbrella look at, not just the data center, the network, and the directory services on their own, but everything together and how it interacted to form a single cohesive network had not been looked at.
Alderperson Smith said that with everything that was going on around the world regarding hacking, he felt Director Popp had already earned his paycheck.
Alderperson Katie Van Zeeland (District 5) asked regarding the device Appleton currently had to monitor its network if it was atypical for a piece of equipment to be usable for a very long time. Would the new “device” Director Popp spoke about just be updated software or an updated configuration, or would the city be receiving a new device?
Director Popp answered that it was software that runs on a PC. He could speak to exactly what would take place, but it would include all software updates that would be needed to make the device run. It would probably not require new hardware which was just a personal computer. He suspected it would just be a matter of turning the computer back on and updating the configurations.
He added that there were probably some devices on the network that weren’t monitored. Not only would the device be able to find those, but it would also turn up the monitoring.
Alderperson Denise Fenton (District 6) asked if the report was going to indicate “immediate”, “three year”, and “five year” remediation needs, did that mean they would also basically triage those for the city. She would think that “immediate” needs would mean there was a risk and then “three year” or “five year” issues would perhaps be a matter of getting a patch for a vulnerability or aligning with whatever industry “best practices” were for a specific issue.
Director Popp said that he could go through the highlights out of the “statement of work” for the contract.
As part of the network assessment, they would gather device information, analyze configuration, and correlate configuration to best practices for equipment. The assessment would include any initial short-term recommendations and a three-to-five-year roadmap. Performance and related architecture requirements would also be a part of the assessment as would prioritized, identified risks and budgetary estimates. He thought “estimates” was a keyword. “Nothing in this will be guaranteed pricing. It’s not going to be a menu of things to buy.”
The data center assessment would dive into the computer environment, the power of the computing, the available storage, what the backup systems looked like, and what type of disaster recovery the city had in place and how that compares to best practices.
They would also perform a standard health and vulnerability analysis of the city’s equipment, identify security concerns, do a high availability analysis, analyze the scalability of infrastructure, and review the network diagrams and updated documentation. They would also provide a prioritization of their findings and opportunities for automation and centralized management.
He was particularly looking forward to their findings about automation opportunities.
Alderperson Fenton said it sounded like the quote was a pretty good deal.
Alderperson Sheri Hartzheim (District 13) moved to approve the assessment request and was seconded by Alderperson Alfheim. The committee had no further questions and voted 5-0 to approve the item.
View full meeting details here: https://cityofappleton.legistar.com/MeetingDetail.aspx?ID=922442&GUID=4BCD06EF-B59F-4AAC-BDF4-CF7D8644C62A