REQUEST FOR LEGISLATIVE ACTION
Description (e.g., Contract Authorization for Information Services):
Intergovernmental Shared Services Agreement between New York State Division of Homeland Security and Emergency Services and Albany County to provide a Cybersecurity Risk Assessment at no cost.
Date: 11/7/2024
Department: Division of Information Services
Attending Meeting: Patrick Alderson
Submitted By: Patrick Alderson
Title: Chief Information Officer
Phone: 518-447-3033
Purpose of Request: Contract Authorization Intergovernmental Agreement
CONTRACT TERMS/CONDITIONS:
Party Names and Addresses:
NYS Division of Homeland Security and Emergency Services, 1220 Washington Avenue, State Office Campus, Bldg. 7A, Albany, NY 12226
Term: (Start/end date or duration) 1/1/2025 - 12/31/2028
Amount/Raise Schedule/Fee: $0
BUDGET INFORMATION:
Is there a Fiscal Impact: Yes ☐ No ☒
Anticipated in Budget: Yes ☐ No ☒
Spreadsheet attached: Yes ☐ No ☒
Source of Funding - (Percentages)
Federal: Enter text. County: Enter text.
State: Enter text. Local: Enter text.
County Budget Accounts:
Revenue Account and Line: Enter text.
Revenue Amount: Enter text.
Appropriation Account and Line: Enter text.
Appropriation Amount: Enter text.
ADDITIONAL INFORMATION:
Mandated Program/Service: Yes ☐ No ☒
If Mandated, Cite Authority: Enter text.
Request for Bids / Proposals:
Competitive Bidding Exempt: Yes ☒ No ☐
# of Response(s): Enter text.
# of MWBE: Enter text.
# of Veteran Business: Enter text.
Bond Resolution No.: Enter text.
Apprenticeship Program Yes ☐ No ☒
Previous requests for Identical or Similar Action:
Resolution/Law Number and Date: 506 of 2022
DESCRIPTION OF REQUEST: (state briefly why legislative action is requested)
The Division of Information Services is respectfully requesting legislative authorization to enter into an Intergovernmental Shared Services Agreement with New York State Division of Homeland Security and Emergency Services to provide Albany County with a Cybersecurity Risk Assessment at no cost. This assessment will include a Phishing Assessment, Cyber Risk Assessment, Penetration Testing and Ad Hoc Vulnerability Scans. The Phishing Assessment will simulate an email-based phishing attack to assess the effectiveness of our email security training, including a separate training to educate users on how to spot phishing messages. A report will be issued after the assessment is complete. The Cyber Risk Assessment will include one or more of the following activities: vulnerability scanning of publicly accessible IT devices and internal IT devices, Open-Source Intelligence gathering, a review of our internal policies related to cybersecurity, and interviews with personnel to understand our internal controls and policies. A final report will be provided at the end of the assessment. Penetration Testing will include a simulated cyber-attack against our local infrastructure. Any vulnerabilities identified may be noted during the assessment, and the assessment will culminate in a final report. Lastly, Ad Hoc Vulnerability Scans will be performed against publicly accessible systems and services at our request. These scans can be used during a potential cyber incident or to test new publicly accessible applications or services.