Waukesha IT staff outlines plan to map city policies to CIS cybersecurity controls
Summary
City IT staff described a plan to map municipal IT policies to the Center for Internet Security (CIS) critical controls, run self-assessments and split policy documents into separate end-user and IT handbooks to reduce duplication and improve audit readiness.
City IT staff told the Waukesha City Information Technology Board on April 2 that they are mapping the city's IT policies to the Center for Internet Security (CIS) Critical Security Controls and using CIS's self-assessment tools to measure current practice against the CIS implementation groups (IG1 through IG3).
Staff described CIS as a free resource for state, local, tribal and territorial agencies and said the mapping supports multiple compliance requirements — including CJIS, PCI and cybersecurity insurance — by highlighting where one policy can satisfy multiple frameworks. The mapping documents will show which existing policies cover which CIS controls and where gaps exist, staff said.
To reduce overlap, staff proposed splitting paperwork into two handbooks: an end-user handbook (short, user-facing policies such as acceptable use and awareness training) and an IT handbook (procedural and technical documents such as vulnerability management). Staff said policies will be kept short (three pages or less where possible) and that the department will run the CIS self-assessment twice a year — first to confirm implementation-group 1 coverage, then to measure progress toward implementation-group 2.
Staff demonstrated the CIS assessment interface and pointed to controls such as incident response management and audit log management. They said many of these activities are already performed informally or documented in scattered locations (wiki, SharePoint, network drives), and that the assessment will help centralize documentation and SOPs so auditors can be shown clear evidence of practice. IT staff said they expect to reach full compliance with implementation group 2 (IG2), and that IG3 largely applies to much larger enterprises.
Board members asked about the frequency of outside audits and staff replied that the Department of Justice audits CJIS every couple of years, PCI assessments are largely self-assessed, and the city performs some form of audit annually. Staff said the CIS membership also provides access to pen-testing and an incident-response team as needed. Board members discussed where remaining policy text currently resides and whether gaps in policy mapping should be treated as missing policies or simply unmapped items; staff clarified that an empty mapping cell indicates no policy currently mapped to that control, not automatically that a new policy is required.
Staff said the CIS mapping exercise is an internal guidance tool and does not require immediate board approval, though the resulting policies will be brought forward for formal adoption at future meetings.
