Mount Vernon adopts expanded cybersecurity policy, names oversight structure and audit schedule

6379334 · October 14, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

Council amended and adopted a revised cybersecurity policy that draws on NIST and Center for Internet Security guidance, designates the safety service director as chief information security officer (with option to delegate), sets training requirements and requires biennial compliance reviews.

Mount Vernon city council enacted an amended cybersecurity policy intended to formalize responsibilities, training, incident reporting and periodic audits for municipal information systems.

Councilman Mahan moved to replace the ordinance’s Exhibit A with a revised policy document; the amendment passed and council adopted the ordinance as amended. Staff told council the updated exhibit aligns the city with National Institute of Standards and Technology (NIST) and Center for Internet Security frameworks and adds detail on risk management, access control, patch management, vendor oversight, incident response timelines and records confidentiality consistent with Ohio Revised Code requirements.

Staff explained the policy assigns the safety service director as the city’s chief information security officer (CISO) but allows the director to designate a qualified CISO — a change staff said corrects a prior policy error that had placed all responsibility outside a coordinated governance structure. The revised policy requires role‑based annual training and calls for a cybersecurity compliance review at least once every two years to be conducted internally or by an independent auditor; findings must be presented to the mayor and city council.

"This is a good starting point that I think is, you know, pretty thorough and gives us a good, good footing," the staff presenter said, describing the revised exhibit as a more detailed operational floor for future administrative guidance.

The policy also establishes reporting expectations to council (program updates, counts and types of incidents without sensitive details, training status, and budgetary recommendations) and identifies statutory reporting timelines for incidents under Ohio law.

Why it matters: City officials said the expanded policy is intended to reduce risk to municipal services and to provide clear oversight and accountability. Council members and staff cited the city’s municipal tech board and operational needs as ongoing governance mechanisms to keep the policy current.

Ending: The council adopted the ordinance as amended. Staff said it will continue to refine administrative procedures, training plans and incident playbooks under the policy.