Norwalk, NPS, eyeing cyber security

NORWALK, Conn. — The City’s IT department is set for its first review by an outside agency in 15 years.

The Common Council is expected to vote Tuesday on spending $39,000 to hire Blum Shapiro to assess the IT Department’s efficiencies in terms of cyber security. This is in addition to a just-completed joint assessment of the Norwalk Board of Education’s and the City’s cyber security, Chief Financial Officer Henry Dachowitz said on Nov. 14, adding that he expects the BoE to also hire Blum Shapiro to assess the Norwalk Public Schools IT department.

Although the company was hired to do a joint cyber security assessment, it produced two separate reports due to the separate roles played by NPS and the City, Dachowitz told Council Finance Committee members. He offered to share executive summaries in an upcoming executive session but said he was “very pleased with what they did, how they did it, how they conducted themselves.”

Council member Nick Sacchinelli (D-At Large) pressed for details in October, arguing that the City and BoE need to work together because they’re on the same network. He referred to municipalities in Texas being hacked.

News reports say that 22 Texas towns were hacked and held up for ransom. Sacchinelli said their VPN (virtual private network) had been run through the same MSP (Managed Service Provider).

Dachowitz and IT Director Karen DelVecchio assured him that the assessment was done holistically. Sacchinelli said he wanted to make sure Norwalk was in line with what the state recommends down the road.

Norwalk is aligned with NIST (National Institute of Standards and Technology) guidelines for cybersecurity, which are more stringent than state guidelines, DelVecchio said. And, “There’s also cyber security response plans that have come from the FBI and the Department of Justice.”

“Blum Shapiro is one of the leading accounting and consulting firms in the state. They’re all over the state, they focus on government. So I would assume whatever they’re working with, they’re absolutely in line with what the state has in mind,” Dachowitz said.

The City’s IT department does workshops with key constituents and internally but hasn’t been assessed by a third party in 15 years, DelVecchio said. Dachowitz referred to cyber security training in October with state experts and commented that when he got to work in Norwalk, he “wanted to review the department to get a better understanding from an independent third party expert of what we’re doing, what we’re focused on, how we allocate our resources, and how we can deploy them better. That was my requirement coming in to manage an IT department, when it came to cyber security.”

Blum Shapiro will look at “How are we doing?” Dachowitz said. “Are there areas that we aren’t working on as intensively as we should? How’s our staffing? What’s the level of the right personnel that we should have to perform everything?”

They will review software and hardware, he said.

DelVecchio said the company will check to see if Norwalk’s infrastructure is up to date and review plans for the future.

“We think it’s a very valuable tool to allow us to make sure that we’re running the IT department as efficiently as possible,” Dachowitz said. “And it’s, it’s not just what are we doing today? And are we doing that efficiently? What aren’t we doing that we’re not thinking about that we should be investing in, whether it’s people resources, hardware, software, whatever.”


Stuart Wells November 25, 2019 at 8:00 am

I have attended some training sessions and cyber-security exercises related to elections and I have high confidence in our very fine IT Department. However, elections infrastructure is being probed and attacked by sophisticated nation-states (Russia recently and possibly others in the future). These adversaries have virtually unlimited resources and very sophisticated tools. They work from behind their own borders, making them largely immune from US criminal laws. And I have seen and heard reports that they also operate on US (and Connecticut) soil. There is no such thing as “too careful” in cyber-security. We any advice and assistance that an outside firm can bring, and I hope they specifically check our procedures in the Registrar of Voters office and our connections to the state computer networks. We are also concerned about the potential cyber vulnerabilities created by connecting additional computers to these networks on election day — as we must for communication with the polls and for Election Day Registration operations at Norwalk city hall.

John ONeill November 25, 2019 at 9:59 am

Incredibly important work. Cybersecurity cannot be underestimated. Spend whatever needs to be spent to keep system secure.
