The Waukesha City Information Technology Board unanimously approved on Feb. 5 the annual reapproval of five existing IT policies and said staff will work through 2025 to align the city's policies with the Center for Internet Security (CIS) implementation guidance.
Board members voted to approve five policies attached to the agenda: the PCI DSS policy, the antivirus policy, the B20 software-usage policy (the city's acceptable-use policy), the change-management policy and the email policy. The motion was made by the meeting chair (name not specified in the record) and seconded by Mr. Gruters; the board recorded no objections and the motion passed unanimously.
The action keeps the current policies in force while staff implements a plan, described in email text read aloud during the meeting, to map the city's policies and procedures to CIS's 18 controls. Greg Viness, the IT team's staff representative, read the email and summarized the plan: "The Center for Internet Security, CIS, has a set of 18 controls that they call the community defense model or CDM that have become industry best practices when it comes to good cyber hygiene. ... Starting in 2025, I plan to align all of our IT policies, cyber processes, and procedures to IG1 and then IG2, which will help my staff focus their attention on the most important steps to defending the city's network from attacks." The email said many procedures already exist and the alignment will formalize them.
Board members clarified how the process will proceed. The intent is to reapprove the current policies at this meeting and then, beginning in March, to revise policy language or add missing policies to fit CIS implementation groups (IG1/IG2). Greg Viness said he has been working on a matrix that maps existing policies to the CIS controls and that sample templates were attached for staff review.
Members raised vendor management and credential policies as priority gaps. One board member noted that service-provider or vendor security is a common source of incidents and asked how the city vets vendors. Greg Viness said the city uses a vendor-assessment document that vendors complete to describe their antivirus, update and perimeter-security practices.
The board also discussed authentication and password rules. Participants said the city's current minimum password length is 16 characters with complexity requirements; the board was told that, with the adoption of modern authentication methods, the city no longer forces periodic password changes. On logging and attacks, staff said that systems log thousands of automated access attempts but reported no known successful attacks on city infrastructure during the period discussed.
Members agreed the board will maintain the governance-level policies subject to annual review while staff fills gaps and brings substantive policy revisions back to the board as they are drafted.
The policy approval was the only formal business item on the agenda and the board adjourned at 6:22 p.m.