Clay County technology staff briefed the Board of Commissioners on a proposed penetration testing contract during the Sept. 9 meeting, outlining options ranging from single‑year to multi‑year engagements and recommending further pricing detail before the board makes a commitment.
County presenters described the service as an external contractor simulating attacks on county systems to identify vulnerabilities and provide remediation recommendations. Staff said typical engagements run four to six weeks and produce a report with prioritized fixes that county IT and vendor partners would implement. Two initial vendor estimates presented earlier in the year included a $40,000 annual price over five years (vendor‑provided multi‑year program) and a one‑year quote in the $40,000–$45,000 range. Staff said an internal‑only test (no external perimeter work) had been estimated at about $30,000 for a one‑year engagement but that they would confirm the breakout for internal testing and whether quoted figures were one‑year or multi‑year.
Commissioners asked whether the county already receives related services from the State of Minnesota IT department; staff said the state provides a monthly threat and vulnerability management service and external scans, and that the county's external posture is reasonably covered. Commissioners and staff focused discussion on the added value of internal‑only testing, the benefit of recurring annual testing, and whether using a different vendor each year could surface new perspectives and methods. Staff said recurring tests can rotate personnel and methods to reduce the chance of missing issues and to raise the county's security baseline over time.
No procurement decision was made. Technology staff committed to obtain additional quotes (including at least one more vendor) and to provide specific pricing for an internal‑only penetration test and for one‑, three‑ and five‑year options for the board to review at a subsequent meeting.
Why this matters: County networks host sensitive resident and operational data; penetration testing identifies vulnerabilities that county IT and vendor partners must fix. Commissioners asked about cost, frequency and the role state services currently play in the county's security posture.
Provenance: Presentation and Q&A (first related comment at s:991.82–e:1009.305; vendor quotes and follow‑up Q&A s:1072.035–e:1192.92; board directions to obtain more quotes s:1529.2001–e:1536.42).