Lake County Technology Committee Meeting - May 1, 2026
STREAMING COPY IN PREPARATION — RECORDING AVAILABLE FROM THE ORIGINAL SOURCE
Good morning, everyone.
Today is May 1st, 2026, and I call the Lake County Technology Committee to order at 8 30 a.m.
In addition to being able to attend in person, remote attendance has been made available to the public via Zoom at the link on the agenda.
This meeting is being recorded through Zoom.
Can you please join me in the Pledge of Allegiance?
I fled allegiance to the flag of the United States of America.
And to the Republic for which it stands.
One nation under God, indivisible with liberty and justice for all.
Can I get a roll call, please?
Oh, member Altenburg?
Here.
Vice Chair Kasman?
Here.
Chair Clark?
Here.
Member Dan Ford.
Member Frank?
Here.
Member Peterson.
And Member Roberts.
Okay.
Terrific.
All right.
There's no agenda to the agenda.
Is there any public comment today?
No public comment.
All right.
No chairs remarks.
No unfinished business.
Our new business is the consent agenda, which is item 8.1.
Can I get a motion in a second?
Motion by Altenburg, second by Frank.
All in favor?
Aye.
Any opposed?
Motion carries.
All right, on to our regular agenda.
Item 8.2 is a joint resolution approving an access control policy.
Can I get a motion in a second?
Motion by Vice Chair Kasmin, second by member Roberts.
Good morning, CIO Blandy.
Good morning, Chris Blinding, CIO.
Happy May.
Morning, Eric Carlson, CQ.
First two items we have are two policies.
One is about protecting data and how we do that.
And one is about ensuring that people who have access to the data have the right controls and only have access to data they need.
Eric's going to go into a little more detailed overview of the policies.
I just wanted to highlight and thank the partners around the county and our advice, our policy advisory team that we work with the other IT groups.
And it's really a collaborative effort.
It helps uh ensure we get everything that their concerns and we can all uh live by a set of standards in these policies.
So I really appreciate it appreciative of them and Eric's work with them in the sessions, getting the policies prepared for you all.
Um then it goes through the county policy process where um the policy coordinators get to comment and there were no comments.
Um so we're hopeful that because of the great collaboration with the IT groups uh prior to that process that they feel comfortable that these are pretty technical policies.
So um, and I guess we're getting better at grammar, et cetera.
So we don't get a lot of comments on that.
So we're really excited about the process, and Eric will give you an overview of these starting with the access control policy.
Very good.
Thanks, Chris.
Um just a reminder that the the policies that we're bringing forward right now are really standard security policies, and they're based on the NIST framework.
And so we're following basically a solid foundation for Lake County.
So I'll start with the access control policy.
Um, it's really about who gets access to county IT resources, how that access is approved, and how we keep it accurate over time.
So it helps us provide a consistent baseline.
Um really the purpose is people should have have access to what they need to do their jobs, but only that level of access.
And we should be able to change or remove access quickly when roles change or someone leaves.
So I'll give an example.
Um, let's say an employee leaves the county.
The policy requires a formal offboarding process.
That means HR uh would notify IT, accounts would be disabled, access to systems, applications are removed, and this is how we make sure former employees cannot continue accessing sensitive data after they leave.
Another example is let's say someone changes roles within our um department.
Um, the policy requires access to be reviewed and updated.
Their old access would be removed, new access is approved based on their new role and limited to what they actually need.
Um another example is uh when it comes to sensitive information that's on our network.
The policy requires access to be based on your job responsibility.
Access must be approved and limited to only what you need access.
For example, someone in uh that has access to a payroll or HR system, but not law enforcement or health systems.
Um, this is how we make sure sensitive data is only available to the right people.
Um, so that's kind of the high-level overview of the access control policy, not very exciting, but very foundational.
And important to note that these are these are things that we do in practice today, these policies are on the policy.
Thank you.
And of course, we I think it's very exciting as always.
Thank you.
And yeah, I so I want to thank you again.
I mean, once putting together this team, these working groups and working through with all of our countywide partners and department heads, and then coming together collaboratively to come up with these policies.
I mean, you guys are on a roll.
So I think that really shows how well everyone can work together and that way it's easy to embrace the policies.
And also I think it is good to bring up that this these were policies that people were following before, but now making it clear, making an actual policy so that everybody on our network knows to follow them.
It's so important for you know cybersecurity for safety, and um, you know, just to make sure our network um is secure.
So my one question is who does this?
Because it I just have curious.
So I understand, you know, who do we have somebody who's like in charge of permissions to see who gets which permissions to what?
Or is it is it like centralized, or is it every department kind of thing?
We do have people who focus on that uh when the the users created, et cetera, the security access form, give them access to this role, and then somebody enables that.
Um then the some of the IT groups outside of enterprise IT would maintain access to their specific systems since they're the experts on those.
But the overall enterprise wide, your basic user things like that, access to data, we we handle that.
So it's kind of collaborative.
Did you ever do like auditing just to go through and be like so?
Because I I just will say sometimes I've like looked at something like, wow, I have access, not here, but like, whoa, I didn't realize I had access to this whole database.
And I know this is making sure people have the appropriate permission to use different things.
Do you ever like just double check?
Yeah, that's a uh a great thing that we are considering as we get the policies in place and get our processes matured, then let's have an audit of it.
My prior life uh I was very familiar with Sarbanes Oxley uh auditing every year.
So um we're working towards that, and then that proves your controls are so yes, something we'll consider.
Given our data safe is so important.
Member Frank.
Thank you, Chair.
Uh one related question, but one that you might ask me to hold to another topic.
But um so I think the as you described it, you know, control, it seems like a very centralized process where you can say, hey, this person, you you know their ID, you know how to like remove access.
Um strikes me that like a companion piece, but somewhat more less clear to me is uh inventory control, right?
So who's responsible for tracking what devices, monitors, printers, all that kind of stuff that uh an employee might have if they're working remotely or they've got them, you know, for for other purposes.
Yeah, so we do track laptops um and equipment.
And with workday moving forward, we are looking at non-capitalized assets.
What is the definition of that?
And how will we track those sorts of things within workday then?
We track them within our IT software that also is our ticketing system so we can attach a laptop to a per a user, et cetera.
Um so putting them in work day, then we'll consider will we be barcode scanning them and then will we be including monitors?
Um, how how deep does that go down?
Waiting for the definite working with finance on the definition of those non-capitalized assets, um, and then how we'll track of them better.
Uh actually, perhaps with barcode scanning, and now we know who it's assigned to, um, etc.
And when you when you're, let's say I'm setting up a home office and my work requires me to have two monitors and a printer, and the department authorizes it.
Like, is there an attestation or a sign, you know, any sort of a form the employee acknowledges, hey, this is like county equipment and I'll bring it back when I'm done with it, et cetera.
I'm gonna have to look into if there's an actual uh a form that they sign for that or if it's part of the acceptable use.
Um, but I can get back to you on yeah, my dream is to have the barcodes on like the monitors and everything so that we do, because I believe at least we've talked because we've talked about this before, that we don't, I believe, um, keep track as much as like monitors or other peripheral systems, but almost just laptops.
But part of it was because I believe that there wasn't a way to do that.
Um, but I think hopefully with the new system, we can like have like barcode scanning.
And so yeah, you can check it out and be like, this person is associated with these devices.
Is that correct?
Like hopefully going forward, we'll be able to do that.
It'll be more of a formalized mature process.
We do track, we when we deploy laptops, clearly, we we know who they're assigned to with monitors uh in an office.
It's we know who what monitors we've deployed for a person, but we can't necessarily track whether somebody took it and moved it to this desk and and that.
Um, so this will help formalize that a little a bit more um with uh potentially with power credit scanning, et cetera, for monitors.
Yeah, I think we would be, I mean, seeing your myself and maybe the community, I think, yeah, that would be something that we'd be interested in.
I think is keeping track of all these things.
I mean, it adds up to a lot of money and then just making sure we know where everything is.
So maybe with the new system, you know, we could do the barcode or whatever for everything and to keep track of things.
My other question related to access control was about like user licenses and costs and things like that, but maybe that's better for an AI-related topic.
Okay.
Okay.
Yeah, okay.
Don't forget though.
All right, vice chair.
Um, I really appreciate the work that went into this.
I I appreciate the clarity um yeah that it provides and the communication, the clarity of communication that it provides everyone.
I think these clear guidelines will help people um, you know, uh at least know the rules, but also be able to follow them better.
Um thing I wanted to ask was so if a user has um a certain role and they need um access to a certain level of information, I would assume that that would go along with their um like their what they're labeled, what their tier is labeled in their jobs.
Um good.
Okay.
So then um how do we make it so that it's nimble enough that some of their access can be changed based on what they're working on, and then maybe that access is that is that a pretty nimble process.
Yeah, um I'll start by saying it's pretty much role-based at this point.
So, hey, give uh the user access request or the security access request comes through, make this person accountant role or help desk role, et cetera.
And so that pretty much follows a set of security and what folders they have access to.
We can alter that too, uh, but that sets it up in general.
Did you have something to add?
I was just gonna say that each of the departments have somebody in that role that approves access at their department level, and then those people submit system access request forms to us to make those those changes happen.
So once we get that form, it's documented, then we know that the change happened, and we leave it up to the department to make those approvals because it's the systems that they manage and they know who should be getting access to what, and it doesn't come from us.
We don't decide what they should have access to.
We just really follow their lead.
That's helpful because sometimes roles change and expand, or people work on a team with someone else in a different role and they need that.
Okay, good to know.
The other thing was um so are there then um sort of firewalls between departments and or different roles or different levels of access.
How does that work?
Yeah, we can use firewall in a general term.
Um, and this will actually touch on the next policy a bit more about uh securing data.
So we could pause for that one for the next policy.
Eric could talk about that.
Thank you.
And I will add one thing that the the collaboration we're doing when we develop the policies and are working with uh our partners is that as we're talking about them, it'll bring up what is our standard process, or should we all standardize a process for this?
And so now we're moving towards let's work on standard operating procedures that we can all follow together.
So it's it's maturing and formalizing things, which is really great.
It is really great.
All right, any other questions?
All right, all in favor?
Aye.
Any opposed?
Motion carries.
Item 8.3 is a joint resolution approving a system and communications protection policy.
Can I give it a motion in a second?
Motion by Eltonberg, second by Robert.
Oh second by Robert.
I know, I think it's go ahead, Eric.
Okay, so the system and communications protection policy, um, it's really about protecting county uh information or data wherever it lives, whether whether it's traveling, uh moving across our network or sitting on a device or a system.
It sets the baseline safeguards to reduce the risk of interception, tampering with it, misuse, or accidental exposure.
So it's mainly about protecting county data.
Um, it requires secure system and network configurations.
Uh, it applies safeguards to shared and internet-facing systems, and it keeps public facing and internal networks appropriately separated.
So a lot of different guidelines and requirements.
I'll give a couple examples.
Um, if you have resident data and it's stored on a county system, it ensures that the database is secured and not openly accessible.
So sensitive information like personal details cannot be easily exposed.
Another example would be an employee accessing email remotely.
It ensures that the connection is encrypted so that the data cannot be intercepted.
Another example is that when we deploy a new server, uh we have a security baseline.
So default passwords are removed, unused ports are closed, and the system is fully updated before going live.
So some simple but basic requirements.
And it would, if we had a uh another example is a public facing county website is placed behind a firewall or a web filter and monitored so attackers cannot directly access internal systems or exploit vulnerabilities.
So that's a basic um idea behind it, is just to protect county data.
And to your question, um we're doing some really cool things if you're in technology, uh network segmentation.
I always use this example, which probably isn't a good one, like but like the Titanic, um, when they have the walls that go up to help prevent the water from starting.
It didn't work in that case because the walls weren't high enough or something.
Um we segment the data.
Segment our network.
So we focused on health courts and sheriff, so that if there is a breach, um, it can't spread.
So we're doing that.
We started at a high level, and then we go to a more micro level where we're really securing perhaps departments within it.
So now, and it's complicated because they cross work, but it it helps prevent spread of breach and that reduces risks.
Did I say that right in general?
Okay, I appreciate this explanation.
I know when we talked about this before, I could not wrap my head around it, but now I've wrapped my head around it.
So thank you.
All those explanations, those examples were really helpful.
So this is just ways we're keeping our like procedures to keep our data safe by making sure everything around it is done like properly with all these safeguards.
All right, that makes sense.
Well, it's good to hear we're doing this.
This is a good thing, and that it's for the whole system.
And thank you again for working with everyone to do this.
All right, any questions?
All right, it was great explanation.
All in favor?
Aye.
Any opposed?
Motion carries.
All right.
Item 8.4 is a joint resolution authorizing a contract with CDWG of Vernon Hills, Illinois, in the amount of 64,855 for the external threat monitoring software.
Can I get a motion?
A second.
Motion by Vice Chair Kasmin, second by member Frank.
Um, and uh important to note we are planning a uh deeper dive into security program in general, perhaps next month, um, where we'll we can really talk security um and but this is a piece of it.
Um we have a security platform, which is, and we've matured our program over the years.
This is a piece that um mitigates uh uh another gap.
I won't call it a gap, but it's just further maturing it.
And it basically scans our network, our systems, um a periodic basis and helps uncover threats or gaps or vulnerabilities so that we can address them quicker.
Typically, you'll do an annual scan, something like this.
So this is kind of the continuously scanning and looking for where we have public facing like our boss system or our websites, uh, how it's looking for vulnerabilities there.
It ties into our main platform, so we would see the alerts and stuff, and we could address vulnerabilities quicker, which is really what it's about because then they don't sit there, they can't get exploited.
Um go ahead and add on to that, Eric.
Very good.
Thanks, Chris.
Good high level.
So what this project really is about, what the tool can do.
It's about protecting um the over 200 different sites and services that are associated with Lake County that are exposed to the internet.
So I'll give some examples like our our Lake County website, the GIS mapping site, our passage traffic management sites, um, all of our Office 365 environment, and even our future workday solution.
Um, so the here's here's the main problem.
Every day, 24-7 intruders are looking for a way to get into our network.
Um, they don't sleep and they automate what they do.
So they're constantly looking, and now they're using AI.
Um, new vulnerabilities are being discovered daily.
Um, in fact, two weeks ago, you may have seen it in the news.
Um, the AI company Anthropic announced that they had developed a new model called Mythos.
Mythos discovered thousands of unknown zero-day vulnerabilities in everyday applications, products, and tools.
The good thing is they gave the companies that that they found the vulnerabilities in uh kind of a preview so that they could patch quickly um what it was found.
But the bottom line is now the intruders are using AI focused directly on discovering weaknesses in products.
So our traditional methods, they're just not good enough.
Um periodic patching and then doing an annual penetration test.
Um is kind of the old way of doing things.
Um, and we need to respond to this heightened risk.
So, what the industry recommends is they call it attack surface management.
Um, and it's it's basically a tool that is uh it takes the attacker's perspective on our network.
So it's an external tool scanning our network just like they're an attacker.
And it's scanning 24-7.
So it basically learns our environment, builds an inventory of everything we have exposed, knows what versions and everything we're running on.
Um, and the real trick is that our environment changes, it's not static.
We add new things, things change.
Uh other departments might add a service um that we don't know about inside of a web application.
Something may be turned on.
Um the old way is if a vulnerability was found on uh a system, the company that owned the system would usually send an email and put out a notification.
Well, that can easily be missed um by our teams because if it's could just come in in a general email.
Um, and so you look at that email, you look at what the vulnerability is.
Then you have to go out to our systems.
Are we vulnerable?
Do we have that version?
Takes a lot of work.
Um, and and if you miss it, uh, then you're vulnerable.
And so with the attack management surface solution, they know what we have.
So if a zero day is discovered, they'll immediately alert us that this system has this vulnerable and you're vulnerable.
Uh, and it can open a ticket with our help desk system, immediately our team would jump on it, patch it, or mitigate it, whatever they need to do to address it in a timely fashion.
Um, it's integrated with our security platform.
Um, so it can even do automation if we if we if if if it's appropriate, uh, where we can automate it, actually blocking what what's happening.
So it's just a it's a it's a daily or a yearly cat and mouse game.
They improve, we have to improve as well.
So that's basically what it's about.
Happy to answer any other questions.
Thank you.
I think that was thank you.
It was an excellent explanation.
Um, and I'm really glad, you know, because to think maybe next month or whatever, we can have like the broad overview because it just seems like there's layer upon layer upon layer upon layer, and we come in and it's like another one.
And so I'm really glad we'll be able to get context to all the different things and how they work together.
That's like the plan um going forward.
And you know, I did hear about the mythos and you know, and looking at these vulnerabilities.
So I'm glad to see here that we're aware of them, that and are really working to ensure that our networks stay secure.
Um, it is an interesting time.
And I don't, I know here we don't I hopefully we I know we've talked about AI policies, and I think we can talk about AI, maybe, and when we talk about secure things, maybe it'll be an executive session versus open session, because um it just seems like every day things are changing very rapidly.
And I'm glad to see that we are that you are up on this and are changing to meet the the needs of today.
All right, any questions about this then?
I look forward to hearing our deeper discussion.
All right, all in favor?
Aye, any opposed?
Motion carries.
Thank you.
Item 8.5 is our uh enterprise technology uh enterprise information technology annual update.
Wait, for the preaching.
I believe it's coming up awkward sign once.
Um so today we're gonna talk about uh current projects overview and then ongoing activities and um I'll give an overview and these are a lot of the things we'll talk about our um work plan items that you've approved some of them already, and but I'm just gonna give an overview because these are our big activities this year, uh projects.
Oh, I'm gonna charge.
Sorry.
All right.
All right, strategic alignment um to the county strategic plan.
We mostly tie everything to superior county operations and services, it makes the most sense, but adaptive infrastructure is also an area where emerging technologies, security, et cetera, while that one primarily points in the strategic plan towards um DOT or roads like infrastructure that way.
We talk about technology infrastructure.
So we tie it to both of these strategic items on the plan.
The projects we'll talk about today.
Um I feel I would be remiss if I didn't mention work day, and we'll have an update on that.
While it's not directly just an IT project, it's a county project.
We will touch on it because uh obviously IT has a big involvement, as do the other departments.
We'll talk about external threat monitoring.
That's what we just talked about, Microsoft cloud backup and user visibility, network modernization, remote and incident response readiness.
So these are the projects on our technology CIP basically.
And so those are the ones we'll touch on the big projects.
Um Workday.
So you're all familiar with work day, and we'll have an update.
Um what our involvement is so IT doing data conversion, part of the work streams, just like all the other departments.
Patrice Evans will uh be given the ERP update, is our internal project manager.
So she works hand in hand with the uh implementation partner, Strata's uh project manager.
Then Strata has a program manager who oversees the program.
I'm the equivalent of that on the Lake County side.
So IT is overseeing the project, but we're also part of it, mostly data conversion integrations, et cetera.
So I wanted to mention that, although it's a county project.
We have uh a lot of skin in the game there.
This is the one we just talked about, so I won't really talk about this.
This is scanning ourselves uh looking for those vulnerabilities and getting to them quicker.
Cloud backup, we actually brought this one earlier in the year.
So this is filling a gap where uh, and and stop me at any point if you have questions.
Um trying to make it a little more digestible uh for you.
The big text is really what we focus on.
So this is filling a gap in our cloud backup while providers like Microsoft do backup your data in the cloud.
You don't have as much control over restoring it when you want and and how you do, and then also securing it from um major security incidents like ransomware, et cetera.
So this project ties all that in and helps bring it to our on uh the same as our on-prem backups happen.
So it's filling a gap, maturing our process there.
Can I ask a question?
Thank you.
Um so if we I'd heard recently about like an AI agent erasing a whole database for a company on against its orders.
If something like that happened here, is this what this kind of backup would be where this is like, you know, because that company, I guess, had backed up quarterly.
So like they lost the last three months of data, but they could go back three months.
So is that what this kind of is for us where it wouldn't be connected?
So if an AI agent went all crazy on our data, this is like a separate, like this would be a way we could back up the net everything later.
So this is backing up the stuff that's in the cloud.
So whether it's stored in your OneDrive or SharePoint.
Microsoft backs it up, but you don't have that control over to restore it and have it as part of your backup.
So we have a great robust backup solution, which helps protect us in the event of uh a major incident that we can restore data, and we can talk about that in depth in our security overview.
Um this ties this cloud data into that system.
So we are that the data is now protected in the same way that our on-prem data is, basically.
So it's like backing up on person and the cloud, we have our backup for all of that.
Okay.
And it's a trend in the industry, a gap that's been found.
And so again, I I would say we we lead the way on a lot of these initiatives, and so it's filling that gap so that that data is protected the same as our other data is.
Great.
Member Frank.
Thank you, Chair.
So my questions are designed to get at understanding what is like the footprint of our cloud utilization.
Do we know how much data, like how many gigabytes, terabytes, whatever it is we have in the cloud, and how much is the backup?
Do we have like uh an understanding of what that size looks like?
Yes.
Okay, do you want to know?
Yeah.
So I'm it's not gonna mean much to me, but yes.
It's about 70 terabytes.
70 terabytes for the county code.
That includes email, OneDrive, SharePoint, Teams, chats, you name it, anything that you're doing in the Microsoft universe.
And that's what's in Microsoft Cloud, and then we have another 70 to equal that for the backup.
Is that correct?
That's correct.
So it basically basically backing up the cloud to a different uh tenant that so if somebody gets into that environment and let's say they have admin admin access, they could just start deleting things, causing chaos.
And for us to bring that back would be difficult with Microsoft.
And so all told our data footprint is externally is about 140 terabytes.
If you yeah, if you include it cloud, the cloud data, there's on-prem data, correct, Eric, that's not included in that.
Eric that's not included in that.
And in terms of backup security separate from Microsoft Enterprise Cloud, we know they are in different locations, different systems, like that that provides us that security.
Is that one of the things that they provide?
That's exactly what it is.
That's our backup solution that we have, and we can talk really deeply on that, but absolutely hits on all those points that that's why we want to get this cloud data in that solution.
Uh so now we will is there an existing industry metric that says how much electricity carbon footprint physical footprint there is, you know, is there a ratio per terabyte?
Do we know is does that exist someplace?
The metric on what with the data, like the power usage and the sustainability from that aspect.
Um that is something that the Microsoft does have that, and the large players do.
Um could you speak up a little bit?
I'm sorry, sorry, so sorry, microphone closer or just move the microphone closer to you.
Um people are listening intently online.
They do have metrics, yes.
And um, I don't have them right here for you, but we we Microsoft has that of what the sustainability and per do you have any of that by chance off the top of your head?
I don't have it, but I think what you're asking is like data that we have on site here, right?
What's the metric for carbon footprint per terabyte?
That's generally what I'm trying to get at, but there's really and then the question is is there is there an environmental or cost savings to moving all of our data that are hosted locally out to the cloud and increase increasing that expensive I'm taking that there's not, but I just want to know what they I'm not asking reinvent the wheel, but if they have something that's existing in terms of that ratio, I'd be curious to see what it is.
There is and our backup solution is partially on site, so it's not all in the cloud, but we are utilizing cloud just for that separation as well, so that we it is available.
Like if you back up your personal photos, you can back them to the cloud and a hard drive.
And is our cost based on the amount?
So like we we have to pay Azure or whoever the vendor is based on how much we're backing up.
Correct.
Storage costs money, and that's uh a part of another larger conversation about retention and let's get rid of data because there is a cost, and then there's an environmental cost as well.
Absolutely.
Thank you.
It all goes back to storage.
I know we've had this conversation many times about the storage, and and it'd be interesting to see when we once we start implementing or figuring out our policies on data storage, because I feel it, I mean, it's like an addict.
There's probably places we can clean it out, but what will that do?
That could decrease our carbon footprint also.
So it saves us money, but also saves would could save on like our emissions.
If suddenly we could find two terabytes of data we we could not store anymore, that could do both save money and those.
And so I think I know we've been talking a lot about for year about the storage thing.
So coming up with these policies could help improve that because I would like to see that too.
And is as we bring that backup solution as it reaches its end of life and needs to be renewed, we will be talking about the the cost to the storage amount.
And I mean, storage is just it's it's just digital hoarding is what it becomes in a way.
I mean, we I do it personally, why not keep it?
But there is a cost to it, and then there's uh uh a footprint cost as well.
So we will highlight that.
We do try to move things and the retention will help uh delete stuff.
Um, but there is a cost, absolutely.
It's easy to save everything.
I know on my own computer, I'm like, oh, look at all these pictures or whatever, but we do that here too.
And making the time to do it takes a lot of time.
It is the hard thing, but it will save us money and that.
So that's that that strategy will be it is a change management effort as well.
Yeah.
You know, I have 10 years worth of emails.
Do I need it?
Uh-huh.
It's one thing for us to delete it, but to reach into the inbox or the their account and delete it is another thing.
So there is change to it, change management.
You're right.
And there's a lot of change management and education.
Because even like for people to know how long should I keep emails?
Like, I just assume I have to keep all the emails when I adhere.
But maybe we don't.
So maybe you know that can be part of the education process too.
Is anything over this many years you can delete?
Because I think we all just uh then you just get too much.
And even our videos, you know, I've talked about these videos.
I love our videos, but video storage is a lot of um is a lot of takes a lot of room, costs a lot, and we video store a lot of stuff.
And I think you know, we coming up with policies on what we want to keep long term and everything could help clean out our attic a little bit too.
So we look forward to hearing more.
Member Altenberg.
So I know it's not exactly on this topic, but I'm wondering is there new softwares coming out that um help organizations like ours deter hackers?
Um, like this, are we able to put more firewalls up to make our information safer?
I don't I don't want to just answer with not understanding exactly what you're asking me.
So uh can you clarify a bit?
Is it more than what they talked about today with the scanning and everything?
Oh, I guess I guess maybe I could have asked it earlier.
Um you can ask it now.
I just to clarify your question, is it because is it more than that?
Are you looking at it?
Is it harder to hack into our computers these days into our into the county's information?
Are we putting more?
I know what you're what we talked about earlier.
You are doing that is is I'm just wondering, are we um increasing how difficult it is to do that?
Are we making it harder for people to hack us in general?
Is that the question?
Yes, yeah.
I feel we have uh we we will talk in depth uh about the security program and how it all ties up together and the pieces you've been approving and supporting how what role they play.
And today we talked about eight piece, so it's all layers over the years.
I I would say that Lay County is a leader in the security uh space and how we're doing that.
That said, we're never gonna say we're not gonna get hacked.
I think that would be uh jinxing yourself to say that.
But we have a pretty mature program.
So how do we test that?
We have annual vulnerability tests where we bring in folks and we focus on different areas, um, a third party uh understanding because I can say we're safe, but yeah, we want a third party validation.
They come in and they they test our systems, they'll give us high, medium, low.
We focus it on the highs, obviously, then the mediums, and we've done that for the past several years.
And um we are making great progress.
So um that said, it's always keeping up with the hackers, if you will.
And um, like Aaron Eric mentioned, AI is now playing a role in the the hacking now.
So now AI is playing a role in defending the hacking.
So it is um, it's always been a game.
When I was first hired here, they asked, you know, what were what are some of the top things that are of concern and it's cybersecurity and it still is, and I don't know that it ever won't be.
So, but we're in a good place and we test ourselves and we'll we can talk way in depth about specifics uh at an upcoming meeting.
That's a good answer.
Thank you.
Thank you.
Member Roberts.
I I just wanted to kind of pig back on you about the policy about saving emails, because it would be really I I think I'm I save way too many things on like county board because like you, I'm like, do I need to like I know like in the law office, we have to keep files for X amount of years, and so we but like we hoard all the time and just stop this.
Yeah.
I think it's a good point.
I think for everybody finding out these guidelines because we know we're subject, you know, working at a government, we're we're subject to different requirements, like we would be in private industry where we have to have them available for a certain number of years.
So I think we all do just sort of like go on the we'll just keep everything world.
And after you've been here, like the uh the year start adding up.
Um, you know, it would probably that could maybe help, and even for employees too, just like having these guidelines.
And I know this is something that's been worked on um throughout whatever is like you know, and and then educating people.
Because I I mean I'd be happy to go back and delete all my emails, but I just don't know what years I have to keep.
And and I think other employees probably feel the same way.
So coming up with these kind of storage guidelines um for in general for everyday operational guidelines, and then for us policy guidelines on like the bigger items that we have um say on versus because under statutory authority, I mean, for statutory rules, there's certain things we have to keep, but I don't even know what they are.
So, like understanding what they are, how long that maybe that could help us a little bit move down our our and it would be interesting if we started like an educational thing and then as like member Frank was saying, we could kind of track if we're saving any on storage just by you know the change management part.
Because I and also that would be a good reason for people to do it.
If I'm like, I can save all this, you know, these trees.
If I delete my emails, then I'm gonna delete them.
But it's really, I think it's just an it's just an educational part.
I I don't think we understand what we should and should not keep.
So I feel like there's two ways there, right?
There's the operational rules and then the policy rules.
So um, I'd love to move forward on both.
I just picture us storing so much stuff.
And then you say 140 terabytes of data, and that's you know, it's just gonna get bigger, but it doesn't have to.
Just like the old days, we used to have rooms of filing systems now.
Just that we, yes, but we could see the filing systems.
Now we don't see it.
So it's easier to keep it.
I can't either.
I I can't either.
That seems like enough data for like a country, but apparently not.
All right, all right.
Well, thank okay, sorry, we'll go on to the next slide.
I wrote down tips and trip trick tricks for a potential newsletter or a lunch and learn part of that purging, spring cleaning, perhaps.
Maybe we missed it, although it's kind of seems like winter still sometimes.
So we will do that.
And then there's the retention policy and guidelines that the county is working on, and that plays into all this.
But you can go in and clean up your inbox if you want.
Yeah.
We're capturing it on the back end according to retention policies.
That's where I talked about if we put retention policies on the back end, but you don't it's a difference.
Are we reaching into yours and cutting it at two years?
Now you're going, where'd my stuff go?
But if you clean it up, we're still capturing what we need to capture.
I think if we knew that, that would be helpful.
So if you so if we delete emails, then you still have them, like on your end for retention.
So we don't have to worry about retention.
You don't have to worry about retention.
I'm not keeping them, but uh the system is keeping them.
And it is for legal holds and discovery as well as for FOIA.
We use it for them.
Um but it's setting those retention guidelines, which is the tricky part because you may want to delete your stuff and only have a year, but we keep two.
But we're if you want to keep 10, we're not reaching in and grabbing those in years.
Um, and that's the tricky part.
Yeah.
Yeah.
So if I go back and delete my emails from the month of April, and then I get FOIA'd.
I want everything that so you know, conversations between all of us.
And I say, Oh, I have nothing.
Well, but you will know to say, go to the backup and see if you have FOIA officers are using our discovery system to fulfill the FOIA requests for the dates.
This is like life changing.
This makes you feel better.
So it's up to us.
Because you have some folder, it has to be discovered.
There's a cost, etc.
Let me pause and make sure I didn't say anything completely out of line, Eric.
I tried, but you're correct.
Okay.
So in a way, it's almost like everything is like double stored because you're storing the things you have to for FOIA or whatever, and then we have it on our end too.
Yeah.
I did not know that.
Well I call it a change management issue.
Yes.
I think all of us on the board probably have a number of emails we could probably free up like a terabyte if we all delete all our emails.
I do spring cleaning every year.
Yeah.
We talk about Microsoft cloud backup, right?
Or or just storing stuff in the cloud.
Remember when Gmail came out and and they changed the game and they said you can store up email forever.
That's really what we have with Microsoft.
They don't really put limits on us.
We can store it's like an unlimited amount of storage.
They are some caps for your personal OneDrive.
I think it's a couple terabytes, which is quite a lot of data.
Um, so we're not paying for you having 10 years worth of email.
Oh, okay.
It does it doesn't work that way.
The only time we're actually paying for is when we back it up, right?
Then they then they go, well, how much do you have?
Because you're gonna make another copy.
It would make a difference there.
Yeah, it makes a difference there, but again, it's it's pretty pretty insignificant when you look at the cost of trying to get everybody to clean it up.
Yeah, would spend you'd spend way more money in in employee time than you would ever save over here in storing storing it on a server.
Just for emails.
When you talk retention, it's a large topic that probably will go on for a while.
So the the best would be we set a retention guideline on the back end, and then after let's just say it's two years, you have an email that approaches two years in one day, it gets deleted out of yours and everywhere.
Like that would be the most efficient way to do it.
I see.
Yeah, I know.
I feel like I can get like six years of email right here.
Follow the retention guidelines.
That's the key.
Well, and that's what I think we need the education on are the retention guidelines.
Because then we hear that, and then we're like, but then you just said you retention them for us.
So anyway, well, this will get our conversation for to chime in on that because she was leading was leading that effort.
So we are working on a record retention policy, and there are guidelines through um the state archives.
Um the word archive might uh lead you to believe that it is paper-based, and it really is.
Well, we've been told by the state archivist is it matters in which form that you get the original documents.
Um, but that being said, I know that we are working closely with IT because it does matter um that our record retention guidelines we are our electronic record retention guidelines because just imagine someone sends you an attachment and then you save it to your computer and you save it to your computer and you save it to your computer, right?
And I can search and I can find something from 10 years ago.
But that is not necessarily the best practice to do.
So I think it's going to be uh life-changing when we adopt the record retention policy and move forward with that.
I think so too.
I'm excited.
It'll be a big spring cleaning for all of us.
We'll be like, yay, now we know what we can do, and we can get rid of all this.
Well, I'm so glad we're moving forward on that.
All right, well, thank you.
This has been super, I mean, this part alone has been super helpful.
Great.
I love the conversation.
Um another project, end user visibility and performance, another one that had a really technical we struggle trying to make sense of, and it probably still doesn't make sense.
But the bottom line is this is a project about getting um issues resolved quicker for end users.
So understanding where performance issues are before somebody calls.
Hey, I'm having a problem with my computer.
They call the help desk, they say, yeah, the help desk starts looking as a network problem.
Is it your computer problem?
Is it an application problem?
What is it?
And this will help us understand what it is through a dashboard and monitoring, perhaps even before you call would be the goal.
So we know we're having a network issue, it's affecting this, or you're trying to access workday, workdays having an issue, we see that.
So we can help the end user and get them working rather than like just waiting on us to figure things out.
So it helps us be able to efficiently troubleshoot where the issues are quicker, and it helps ultimately the end users who use the systems.
So the end users wouldn't see this.
The people who are monitoring it see it.
This would be using seeing it, yeah.
And using it.
This is um network switches replacement.
They're they've reached their useful life, and we are replacing them.
It gives us better security because they get out of out of end of life.
You can't security patch them anymore.
So that's the key reason.
Modern switches work efficiently and prepare us for the future.
If you'll recall in a prior conversation, we had done this huge switch uh replacement a couple of years ago.
These ones still had life left on them, so we didn't want to replace them then just to sync up the timelines, even though it kind of made sense.
So we're doing those ones now.
Yeah, like just doing this ahead of time is much better than when they go out and then it's takes all the time and money.
So this is yeah, good to keep it moving slow moving smoothly.
I don't know if I need to point this.
Uh remote support modernization.
Uh, this is another one that was chewy, but there's a security component of it.
So by putting this, this is basically we can support you remotely.
So you call in, hey, I need some help.
Boom, we can connect to your computer in a secure manner.
Um, it also reduces uh the way that some remote support is done involves a risky component.
This mitigates that and allows us to shut that down, which is a big thing, and give you more uh quicker remote support, I guess I'll say.
Oh, I'm sorry, I remember Frank.
Yeah, okay.
Thank you, Chair.
Does the security aspect of the remote support modernization include education for remote access, like requirements around what type of Wi-Fi router, password individuals have to use some of the same training that we have here about phishing protection, because once you're outside of the environment, people have different protocols and habits that they use at their remote facilities or even public Wi-Fi or riskier Wi-Fi.
I just think that's a vulnerability that people need to be educated on.
Heard absolutely.
This is this is more about our a tool to support people remotely.
The remote word, maybe I'm not understanding, but it you call and it's how we support you remotely.
So I don't have to come to your computer and do it.
We can connect to you the way we used to do that.
There was a vulnerability.
But the other point is absolutely, yeah, some of that is in the policies we're doing, how how Wi-Fi and networks are set up and secured.
Um, we try to make it so that an end user doesn't have to think about that, and they are using secure.
Um, so we put in a VPN solution, which is more secure.
We upgraded our Wi-Fi, which is more secure.
So we are doing those things so that you don't necessarily need to be educated on how to use it.
You are just using them.
I don't know if I answered that.
Okay, thank you.
So we're excited about this.
It closes the security gap and gives us a better uh support tool.
And again, some of the partners are excited about that as well, uh, evaluating it, utilizing it as well.
So it's it seems to be a great tool.
Everybody, everybody likes.
Did I miss anything?
Anything to add?
Okay.
Incident response, this one's exciting.
Found a quote from Abraham Lincoln, thought it was good.
Um this is about we have response plans, right?
And and we have incidents where there's an outage within IT.
This is about a security incident.
So let's just say ransomware.
All right, what happens?
It's more than just IT, it involves communications, finance, county administrator's office.
And this is basically a tabletop exercise from a third party to help test our response plans that we have, and to understand there will be gaps and and how can we tighten that up and make people prepared for in the event something like that happens?
And it's about prep matters, right?
You can have a plan, and that was the point of the quote.
Um, but until it happens, the plans kind of go out the window.
So you but you have to be prepared.
So it's testing our plans, understanding from it.
One of our collar counties did have was unfortunate enough to have a ransomware problem.
And um, they did share information with us, which we hearing what somebody went through is invaluable.
And a lot of tips, and then we update our plans, and their first thing is your plan kind of goes out the window because this happens and this happens, but the more prepared you are um you can adjust on the fly.
The plan's a good foundation.
So that was one county in Illinois, in here, which county.
Um I didn't specifically.
Oh, okay.
So has that been mostly not an issue in Illinois, or has it been an issue among counties around the country or not so much?
I mean, is ransomware up right now?
It ebbs and flows.
It's a business, basically.
It's the same.
It's it's probably increasing always because with with automation, they're they're getting better at it.
Um it's just not as newsworthy as it used to be.
Okay.
Things that you know, people are now interested in talking about AI.
They don't really talk about ransomware anymore.
And a lot of a lot of places keep it secret.
They don't they feel they're embarrassed, they don't want to tell their customers or that they were attacked.
Um, so there's some of that too.
So we do meet regularly with the Illinois County CIO group.
We have not everybody participates, but um and so we've only heard of the one really that has talked about it that participates in the group.
Well, that's good news.
Yeah, but uh they're very willing to share with us and educate the rest of the group, and it's really really was useful.
Thank you.
Yeah, I'm glad to think these table exercises as we all know.
I mean, because like you said, you just you think you know until you know, and until it happens.
And so having that third party come in so you don't know what to expect, and have to everyone really take it seriously with all the different departments and how to go, I think is like so invaluable.
So glad to hear that.
And is there as much federal uh funding for like cybersecurity response for governments?
I know that was cut a while ago.
Is that still not happening so much, like the governor Isaac or whatever, or are you or what you do with the other counties, is that like kind of separate from the effort?
The we talked about that uh at NACO a little bit, the MI MSI SAC, right?
And so we are we are paying for that uh support because it's invaluable, we feel um we have not secured any grants, but we have been looking for those opportunities when when they are there and and looking for them.
Well, I'm glad to hear there's still the collaboration going, because even if it doesn't have like federal support, I mean these are all really important issues, and just like you said, sharing information, sharing data really helps everybody.
So glad to hear it.
I'm sure this is is you know, is this like a once-a-year thing or like this?
Yeah, um, this is uh the first time we're doing this by having a third party come in and do it.
Yeah, uh we've done some internal ones, but we want to test it, and then we will probably do some internal and probably ongoing testing it as it makes sense.
Yeah, yeah.
Well, it should be exciting.
All right, yeah.
Okay, that was projects, ongoing activities, try to insert a little humor to show I'm not just a robot, right?
Um collaboration, we talked a lot about that.
We're really putting effort in that.
So we have a technology round table and we meet with partners, it's open, come on in and join.
We talk about things like um projects, you know, how are those gonna have affect other county departments, um, sharing information?
We have each group will kind of tell what they have going on.
So it's great, we're all kind of understanding, just building that those those relationships, um, moving more towards kind of like, hey, how can we take this to the next level?
How can when we're planning strategic initiatives for next year or the next year?
Um, does this help you?
Does this make sense?
Is just furthering that we were doing it to a degree before this is even making it better.
Um, and what are your things?
Maybe we build a plan together.
Perhaps that's a bit lofty of a goal, but we're we're sitting together talking about strategy, talk about road mapping and what makes sense for all of us and trying to do it together.
So it's been really great building that up, and we're getting a lot of uh traction out of that.
Wouldn't you agree?
Policy advisory team, same thing.
That kind of was born out of this round table.
A lot of the same same members.
We wanted to keep the round table separate, keep a policy advisory team focused on just that.
So again, we've talked about that collaboration, but it's been invaluable to getting the policies uh approved, I believe.
And they advise AI advisory team.
So that that initially started, we're focusing on risk, so evaluating software, what are the risks?
But as we move forward with that group and time passes, AI is moving so fast that we are asking that group, let's look at this policy and the process, even the risk evaluation process.
Does it need to be improved?
Does it need to be altered?
Are we focusing on the right thing?
What kind of AIs are we looking at?
Agent, the era of agents, perhaps you're hearing that is the next era that's going to change all kinds of things.
So trying to stay ahead of it, and then roadmapping, what kind of standard tools do we want?
Should we standardize on them?
Should we how do we how do we move forward as a group?
Um, because it's moving so quick.
So it's uh great to have that team doing more than just evaluating a piece of software for use.
Um forming our strategy.
Um and then excellence, we're doing a lot of things behind the scenes.
I talked about standard operating procedures, it's just to mature our organization, do things standard with the up intention of less downtime, less interruption.
You you all just want your systems to work.
Change management, that's behind the scenes.
When we make a change, do a patch, uh, something like that, that we thoroughly test it and communicate it so we don't put a change in, then it disrupts things.
So it's just a process.
We follow that and incident response.
When and when there is a system down, how do we respond to it?
And our teams respond 24-7.
They're completely dedicated individuals working with our partners across the county.
When there's an incident, I mean, everybody comes together.
It's it's fantastic.
So they they are just dedicated to work on it, but it's kind of formalizing that a bit more and how can we communicate and the proper level of communication to people, improving that.
And then some of our initiatives, uh, continued communication.
We're doing, you know, our lunch and learns, uh, tips and trips in the newsletters, etc.
Umterprise, we've we're putting an enterprise, many departments have Adobe that they use software.
Um, and we're putting that at the enterprise level so that we can bring them into it.
So we're working on that.
It gives them standard um versioning, secure versions, et cetera.
So they're excited about that.
So we're taking a department as we go.
Um, and that's in progress.
And some other things like phone legacy phone line modernization, not all that exciting but important.
A few years ago, copper lines, the the big company is getting out of that business.
So we had to kind of move those towards a modern solution, reduces the need for those.
And some of the website ADA compliance, et cetera.
So I believe that's it.
Questions?
I just have one question, and this is probably for our future discussion, but is the AI um, it's about AI.
I know you said you've got this working group.
I think it's great in the policy group and talking to everybody.
And I guess I one of the things I always think about when we hear about this new age of AI, you know, hear about these agents, right?
The age of agents, you know, we're we're gonna change everything.
But like at some point, I don't, and this is like for future discussion is um, you know, what are what is our role in this?
You know, as a county board, could we say, you know what, we're not gonna use AI agents?
Like, because we're not usually the people who decide things like that are super, you know, like in the weeds, but at the same time, AI agents are something that is new and could really change things.
And so, and but but it could have some security vulnerabilities or things that it really affects our workforce.
And so I don't know, like for us just to think about, you know, what are in going forward, like what is going, do are we do we have a role in setting some of these policies?
You know, could we say, well, you know what, we're not gonna use AI agents, we're just gonna keep our processes for like workflows.
We're going to keep the processes the same, you know, because we don't want to we decide we don't want to risk the vulnerabilities or whatever.
Or we want people to, because you know, they can do their jobs how they're doing it now, and not use like agents.
You know, is and that's where I like struggle to know what our role as a county board is going to be, or if we, you know, if we don't have a role.
Because some of those seem like big policy decisions versus just operational decisions.
And I don't know if there's an answer to that.
But would I don't know if you have a feeling for that?
Or yeah, no, I mean it's a great thought process, and everybody is having that same thought process.
It's moving so quickly.
I've listened to podcasts on the way in, and it's yeah, it's kind of about the agent era is here, and the models are shifting, how they're gonna monetize them and charge usage.
There's so much to keep up with.
So it's great that I don't have to make all the decisions, or you don't, right?
We have this advisory team, so we get a smart group of people, diverse opinions, and how should we approach it?
I think your role comes in when we want to revise the policy process, etc.
We come to you and say this is what we all think is a good approach.
And and I'm sure it will be a balance.
Clearly, you need to be secure, but I think you also don't want to fall behind and not utilize AI.
And um, how can we do that safely?
And that's what everybody is talking about.
So I'm glad we have this team, which and that's why we're moving from just let's approve the software to use, to what should we be doing?
What should we be investing in AP Microsoft Copilot?
Should that be it?
Or should we allow these things?
What about agents?
And that group will be instrumental in forming our advice, I guess, to to you as uh at this point.
Yeah, I am glad about the collaboration and the uh the the advice because these are hard.
I think that's gonna get harder and harder choices.
I mean, if that we come to a point where like we could use AI agents to replace a whole bunch of people.
Um, and but you know, there's pros and cons.
You know, would that be a policy decision?
You know, we would be involved in.
And I and I don't know.
So that's where so it sounds like for like overall AI policies.
I mean, we're not there yet, but the way things are changing so quickly.
Um, you know, you hear about what these different technologies are doing.
I just it's sort of it's not how it always has been with technology, because now it's more like policies, and maybe we maybe we don't want to keep up with everyone and we say, you know what, we're not gonna have agents like these AI agents replace you know, these people because and there's reasons that maybe they're insecure or we worry that that you know, there's hallucination effects.
You know, you hear about the companies that are getting their databases hurt from AI agents gone amuck.
Um, and I just feel like for us to be thoughtful that maybe we have, you know, that then we might have a little bit more of a role um on some of these decisions on whether or not to move so fast so far.
We are four technologies, you can see an advancement.
And and I think that's a different decision than do we want to have make sure that our you know, we're for cybersecurity.
You know, we're not gonna be like, well, we don't want to use our cybersecurity because we don't like it, because obviously to keep our network secure, I don't think we have a choice.
But when it comes to these decisions about how we're gonna be using it for county operations, I mean, that could be a really different thing.
Um, our county operates really well, and there's a difference between AI agents versus just using AI or which AR using generative AI or what sources, and I don't know, these could be some big decisions that we need to make.
So I'm glad you're gonna be keeping us posted, and I'm sure you're having these discussions in your work, you're um in these working groups too.
We talk about it all the time.
Yeah, and everybody is thinking about it.
The good news is there, I think that there's a lot of hype, and you hear this agents, you hear coding, it's focused on some things.
You hear people replacing people.
That's kind of a hype too.
If you but it's all being discussed.
I think it's when you look at it like that, it's it gets crazy when you focus on it.
But the reality is our software vendors that we use are gonna be integrating AI.
They're not gonna be, you know, putting agents that you have to use, they're gonna be integrating it slowly.
So that's how do we evolve evaluate that from a business standpoint?
Because they're gonna they're they're gonna have to meet security guidelines.
Nobody's gonna put in software that has risk and it shares my data and things like that.
So it's gonna be how do we as a company want to utilize it?
And it'll probably be a pay pay per module is what I believe it will be.
Um, they're not just gonna put it in for free.
I don't know.
Well, I know, but we always we don't, I think we're also about people and serving good services, so we're not just a business.
So I don't know.
I thought I heard an alarm, that's why I posed.
Okay.
I think it's outside.
Or it's a loud bird.
Um, but it's fascinating.
I said to our team the other day, it's just it's exciting to be in IT when there's something really exciting.
There's always exciting stuff, but this is pretty uh exciting.
So we'll see where it goes.
I think everybody's in the same boat, and we will approach it cautiously and judiciously.
Keep us updated, and I think it's all a lot of stuff we're all gonna have to think about.
All right, thank you very much.
Thank you.
Any other questions?
All right.
Okay.
Um, item nine.
So thank you both.
Item 9.1 is our enterprise resource planning ERP system implementation update.
I have not heard from Patrice Evans.
Are you out there in Cyber?
I'm here.
I've been here the entire meeting.
So happy long day, everybody.
So I'd like to welcome back Patrice Evans, our project manager on the internal for Lake County.
Um I had been given the high-level updates.
She's gonna go into a little bit more depth, ask questions anytime.
Um go ahead, uh Patrice.
Sure.
Um, all transparency.
The slides I'm showing today were actually um lifted from the presentation we had at the executive steering committee on the 22nd.
So there's Strata slides, so not my original content.
So if we want to next slide, please.
Oh, sorry, gotcha.
Um, so the project milestone.
So this is what um Strata presented to the committee, executive steering committee um last week.
And as you can see, the uh transformation alignment, which was a big portion of this um current phase we're in, um, is complete.
We had a lot of those uh use case uh meetings and discussions to gather that alignment on the high level of these processes.
Um the governance framework charter was established, and every um project lead and SME was provided with a copy of that, and um we often refer right back to it.
What are the you know the objectives and the goals um of this initiative?
So it is um it is a document that we refer to quite often.
We are currently in the FDM, which is the foundation data model um redesign, the BP, which is the business processes, and the configuration reviews.
So the Strata team together with uh the work stream are kind of going through where we left off with the configurations, and as these discussions are going on, as the FDA um redesign is going through, and some of these other changes with um HCM, which is the human capital management module.
The strata team is making some of those configurations now to that past tenant to get us ready for the next tenant bill, that next environment bill, where we'll start the testing at the end of June.
So data conversion is going to be launching pretty soon as well.
And again, building towards that new environment for the Lake County team to start testing at the end of June.
And then you can see we go into that testing, we should be complete at the end of August, marching towards that 12.1 go live date.
And then we go into a period of post-production support, hyper care is another term.
Strata team likes to use where they are still with us side by side as we go live to provide that immediate support if something goes wrong.
Strata also presented to us this high-level timeline.
So not the detailed project plan, but this just kind of gives this block time.
So uh easier to digest for the team, and every team member has um access to this.
Uh the purple line's a little off because again, this was presented last week, but it kind of shows where our current placement is.
The yellow is just highlighting the uh upcoming short week of the Memorial Day and then the Thanksgiving.
We did add a few extra yellow weeks.
Um the team members are aware of that.
And we are just um in this phase of again reconfiguring the FDM, any business processes, any changes there.
And we're getting ready to start the test scenario um creation.
So that will begin mid-May.
Um, Strata is going to be on site with their testing lead to help guide our team in that scenario creation.
So that will be about the week of May 18th to get the uh team ready, and we have until the end uh mid-June to have all of the test scenarios uh created and submitted back to Strata so that they can get loaded and ready for us to start our our testing at the end of June.
So as you see the roles uh or the column uh with all the the purple and gray in the middle there, that's testing.
So you can see all the craziness up to that is getting it all there, and then you test it, and then we move towards go live after that.
So it's all really about getting to that testing.
And the testing window is bigger than we had last time, but it's still as aggressive and you gotta test.
So it's as much as we can get configured and set and then test it and then fix the bugs and and get through that so that we can move forward.
So it's a key clearly a lot of work right now to get to that point.
Sorry, Patrice, go ahead.
Nope.
That was about again just a high level overview.
This is what this block schedule looks like, these major events to get us to go live.
These were the risks that the strata team brought forward to the executive steering committee last week.
Um there is significant work that is remaining in the requirements, confirmation again for the HCM work stream, which is the human capital management, the bulk of those HR processes.
Um, trying to get it all completed again this May time frame to get us ready for that end to end build uh tenant build.
Um what are some of the mitigation plans again, increasing these meetings, tracking the progress?
I can say that already those strata work stream leads have already increased the level of meeting with the HR work streams, doubling some time, including you know increasing the meetings per week.
So we're already seeing progress towards that.
Um the other risk again is as it relates to the FDM model and those uh in the business asset work streams.
Again, just trying to get us ready for that testing that happens at the end of June.
So making sure that our decisions are made and the configurations are updated.
Again, how do we get there?
It is to continue this meeting cadence, increase it, um confirm where the efforts and are in alignment with anything that's upstream or downstream of these processes.
We again have already seen that there has been an uptick in the number of meetings with the strata teams and work streams, uh increasing that effort.
So it's um progress is being made and it's being monitored.
Yeah, unfortunately, the answer to answer a lot of times is more meetings and more time, but that is really what they have done.
And I believe H HR HCM work streams were meeting two hours a day uh all week long.
So they're they're seeing some items getting knocked out.
So um it's recognizing where you need to focus and catch up a little bit, and they are doing that.
I think that's uh what we have questions.
I know this is such an important, obviously, such an important project.
I'm uh I appreciate all of everybody who's working on this and all the different you all you both of you, and then everybody in all the departments that are working on it through HR, because you know, getting this done is so important for the efficiency in our future um, you know, just for our technology going forward.
Um, I think the boss system is definitely beyond its end of life.
And this is gonna allow us, and this is something I know we've asked to say like how many different softwares, how many different things do we not need anymore?
You know, there's gonna be a lot of cost savings, so much efficiencies.
And so, you know, everyone who's on, you know, I think for all the departments, we can say, hey, you know, this is how much money we're gonna save going forward.
This is how much more effective it's going forward.
And I we've been hearing, I think, from many departments on all the new things they're gonna be able to do now with the workday system from even like keeping track of monitors, right?
We'll be able to do that.
And so I'm really um, you know, whatever we can do to help keep it moving forward.
Yeah, vice chair.
Thank you, Chair.
Um for how long after the go live do we have strata there to hold our hands a little bit?
Is it six weeks, Patrice?
It is six weeks.
Six weeks.
So, and of course they offer a we'll keep working with you forever.
Like um, sure.
Um we we consider that and as well other partners to help provide some support.
But we clearly are building a post-production support model.
It's a mouthful, but basically, how are we going to support this?
We'll have the governance structure, all departments have a say, you know, you're gonna do twice annual updates, changes to configurations.
We need to have a process to um ensure we're all on the same team, all on the same how we're doing things.
So that process will be developed as we go.
They'll help us for those six weeks, then we'll be on our own.
We may augment that with third party to help us.
Um, we're still looking at the options there.
So, but six weeks uh dedicated already built in.
Okay, I can hear a lot of thought going into the ongoing support.
So that's that was my concern.
Thank you.
Absolutely key.
Yeah, yeah.
Looking forward to when we're at that spot, I have to say.
Member Altenberg.
When is the go live date?
What's the plan for that?
December 1st, December 1st, yeah.
Okay.
Yeah.
Yes.
It seems far, but it seems close, doesn't it?
And then will there be like a lot of trainings at that point for people?
Yep.
Training, uh, communication, all that is part of the plan.
And the change management is like how, right?
All the training, making sure people don't use it.
Even right now, getting everybody together and making sure it works.
So yeah, as far as the end users, it usually usually happens closer to the go live because otherwise they'll they forget it.
So it's timed, but they are definitely working on those plans uh behind that.
I love talking about post-production support because that means we're live.
Exactly.
As soon as you ask that question, I'm like, oh, I can't wait till that's what we're talking about.
Because that means it is, it's live and we can look at supporting it.
All right.
Well, we're glad to see them looking at all the things, keeping it on track.
So looking forward to seeing what happens by next month.
Yeah, I just wanted to give my uh standard disclaimer.
You know, we are still working through the HCM stuff and the FIM stuff, and some of that is alignment challenges.
We still have we're working through those.
You know, I'm I'm not still, I don't want to go away saying everything's great.
Yeah, we have challenges, and we are working through those.
How those shake out some of those alignments or compromise, et cetera, whatever you want to call it, plays into how we configure things.
And so that plays into getting to that end-to-end because things got to get configured.
So we are looking at that day by day, week by week, trying to resolve that, come to those compromises, agreements on how we're gonna move forward so we can get them configured because that's where the work's done to get us to end to end so we can test and then go live.
So yellow status, which I you know, who likes yellow?
All right, you're gonna go or you're gonna stop.
What you know, what do you do?
Florida or you hit the brakes.
Um, but I wanted to be fair about it, that we are working through that.
It is uh it's part of part of a project.
Well, yep, all the stakeholders realize that this board is taking this very seriously.
And we we went to move forward with this workday.
There's a lot of work that's gone into it, there's a lot of efficiencies.
And if if people want to use their old software and then make it that we have to have spend more money on supporting that software, and you know, it's not just supporting like the one person, then we have all the cybersecurity layers around that software because they don't want to use this software.
And then there's more people, and then there's more vulnerabilities.
I mean, the security vulnerabilities that it adds in if they want to do something that's not our system.
And you know, for what?
You know, I this is what we're this is what how we're moving forward.
Um, and this is what is the efficient and best way to do it.
And if people don't want to do that, then I think I mean I think they should have to explain why they don't want to do it and how much money why do we have to have these vulnerabilities?
Why do we have to pay extra?
Like and it maybe there is a reason.
Maybe there's a legitimate reason that they don't want to be part of the workday system, but I would like to hear it.
And I think the taxpayers would also like to hear it, because that's taxpayer money they're talking about.
And those are a lot of the conversations we're having, trying to get to okay.
Well, how doesn't it work?
And and in a lot of cases, yeah.
Oh, okay.
I didn't know that.
So it's just a matter of kind of having the conversation with the right people.
And okay, well, we could do that, and we're good with that.
In some cases, it's more challenging, and we're working through it.
So it's not it works, it doesn't work somewhere in the middle.
Um, it it's that's the change management of a large project.
Change management, always the hardest part.
And then of course the technology.
All right, well, thank you for all your work on this.
Thank you to all the stake, everyone who's working on this, and um let us know if there's anything you know we can do to help move this along.
Thank you.
All right, thank you.
And thank you, Patricia.
All right.
Do we have a um county ministry's report?
Oh, people, I forgot we have executive session.
We do I want to see Eric or Chris.
Did you have a director's report as well?
Oh, I'm sorry.
Okay, thank you.
Perfect.
We don't have a county administrator's report, but we do have reason for executive session.
Do you have to read the items for what the reasons are?
Oh, yes.
Okay, so item 12.1 is executive session to review closed session minutes pursuant to five ILCS 120 slash 2 C21.
And then oh, that's it.
We need a motion.
Can I get a motion in a second?
Motion by Robert, second by Altenberg.
Can I get a roll call, please?
Uh Robert, second by Altonberg.
All right, member Altenberg.
Aye.
Hold on, let's do that again.
Member Altenberg.
Aye.
Vice Chair Kasben, Chair Clark.
Aye, member Frank, member Peterson, and member Roberts.
All right, we are now outside of closed session.
Item 13.1 is committee action approving the technology committee exact executive session minutes from October 31st, 2025.
Can I get a motion in a second?
Motion by Frank, second by Robert.
Um, all in favor?
Aye.
Any opposed?
Motion carries.
Item eight, item 13.2 is committee action regarding the periodic review of closed session minutes.
The state's attorney's office has reviewed the executive session minutes for the technology committee.
The state's attorney's office has provided recommendations for which executive session minutes to release and which executive session minutes will remain confidential at this time.
Those recommendations are as follows.
For the technology committee, there are six items, and the state's attorney's office recommends based on their legal opinion that none of the items should be released or open to the public, and all of the items should remain closed at this time.
Uh motion by Kasmin, second by Peterson.
All in favor?
Aye.
Any opposed?
Motion carries.
All right.
Are there is there any members or marks?
Yes.
Chair Clark, earlier you mentioned the amount of videos that we have in terms of storage during that conversation.
And I'm just wondering, uh, assistant administrator hall, if the uh policy review that you're leading, if that includes like video and retention of videos, and if we're gonna relook at that policy as well.
So we're looking at the records retention policy, and as I said earlier, we are looking to mirror it with IT, and so we can include video as well.
Okay.
Great.
Thank you.
Yeah.
And I think part of it, we'll have to know what the law is, but then part of it is what we just want.
So I know it's gonna be an interesting discussion.
Was it six, seven years ago when we record started the policy of recording and retaining all of our committee meetings?
It's a lot of volume.
It's a lot of content.
And so maybe it's worth us revisiting.
It is for, yeah.
Exactly.
And in which ones?
I know I think we've talked about in here before about maybe we just want to keep the board meetings, you know, for like ever.
And that that's what we're talking about, or our finance meetings or whatever.
And that's I think what the conversation is going to be.
Member Robert.
I I'm wondering if there's a state statute on how if we have to keep those for so long.
I is that's there may be some something through the state archives.
And as you said, it might say you can delete after a year, but you may say, hey, we'd like to keep them for five years.
So um, with all things with the state, you we have to look for um exact guidance there, but we can be stricter.
Yes, because we do love all our meetings.
So it's over hard to think we're gonna erase all these meetings we had, but it is a storage issue.
And I know it's something we've been talking about a long time.
So hopefully we will have that discussion.
And it is a policy decision, because probably we can erase all of it, but maybe we don't want to.
I know it's gonna be a tough one.
All right, any other members' remarks?
All right, I declare this meeting adjourned.
Our next meeting is May 29th, 2026.
Have a great day, everyone.
Lake County Technology Committee Meeting - May 1, 2026
The Lake County Technology Committee met on May 1, 2026, at 8:30 AM. Chair Clark called the meeting to order, followed by the Pledge of Allegiance and roll call. Members present: Altenburg, Vice Chair Kasman, Chair Clark, Frank, Peterson, and Roberts. Member Dan Ford was absent. Remote attendance was available via Zoom. The meeting was recorded. The committee approved several policies, a contract for external threat monitoring, received an annual IT update and an ERP implementation update, and held an executive session.
Consent Calendar
- Item 8.1 – Consent Agenda: Motion by Altenburg, second by Frank. All in favor, motion carried. No further details provided.
Discussion Items
- Item 8.2 – Joint Resolution Approving an Access Control Policy: CIO Chris Blandy and Eric Carlson presented the policy, based on the NIST framework, to ensure that personnel have appropriate access to IT resources and that access is reviewed and removed when roles change. The policy formalizes existing practices. Questions arose about auditing access, inventory control of devices (monitors, printers), and the process for changing access based on role. The policy was approved unanimously.
- Item 8.3 – Joint Resolution Approving a System and Communications Protection Policy: Eric Carlson explained the policy protects county data through secure configurations, encryption, network segmentation, and firewalls. Examples included securing databases, encrypting remote email access, and deploying servers with security baselines. The policy was approved unanimously.
- Item 8.4 – Joint Resolution Authorizing a Contract with CDWG of Vernon Hills, Illinois, for External Threat Monitoring Software (Amount: $64,855): Chris Blandy and Eric Carlson described the tool as an attack surface management solution that continuously scans over 200 internet-facing county sites and services for vulnerabilities, addressing the increasing use of AI by intruders. The contract was approved unanimously. A deeper security program review is planned for next month.
- Item 8.5 – Enterprise Information Technology Annual Update: Chris Blandy presented an overview of current projects including Workday ERP, external threat monitoring, Microsoft cloud backup (70 terabytes of cloud data, plus 70 terabytes backup), network switch replacement, remote support modernization, and incident response tabletop exercises. Discussion covered data retention, storage costs, carbon footprint, cybersecurity maturity, and the role of AI agents. The committee expressed interest in retention policies and education for employees.
- Item 9.1 – Enterprise Resource Planning (ERP) System Implementation Update: Patrice Evans, internal project manager, provided an update. The transformation alignment phase is complete. The project is currently in foundation data model redesign, business process configuration, and preparing for test scenario creation in mid-May. End-to-end testing begins at the end of June, with a go-live date of December 1, 2026. Post-production support (hyper care) from the implementation partner Strata will last six weeks after go-live. Risks include remaining work on HCM requirements and FDM alignment; mitigation includes increased meeting cadence. The project is in yellow status.
Key Outcomes
- Item 8.2 (Access Control Policy): Approved unanimously.
- Item 8.3 (System and Communications Protection Policy): Approved unanimously.
- Item 8.4 (Contract with CDWG for $64,855): Approved unanimously.
- Item 8.1 (Consent Agenda): Approved unanimously.
- Executive Session (Item 12.1): Motion by Roberts, second by Altenberg to enter executive session to review closed session minutes. Roll call: all ayes.
- Item 13.1 (Approving Executive Session Minutes of October 31, 2025): Motion by Frank, second by Roberts. Approved unanimously.
- Item 13.2 (Periodic Review of Closed Session Minutes): Motion by Kasmin, second by Peterson. The state's attorney's office recommended that all six items remain confidential. Approved unanimously.
- Next Meeting: May 29, 2026.
Meeting Transcript
Good morning, everyone. Today is May 1st, 2026, and I call the Lake County Technology Committee to order at 8 30 a.m. In addition to being able to attend in person, remote attendance has been made available to the public via Zoom at the link on the agenda. This meeting is being recorded through Zoom. Can you please join me in the Pledge of Allegiance? I fled allegiance to the flag of the United States of America. And to the Republic for which it stands. One nation under God, indivisible with liberty and justice for all. Can I get a roll call, please? Oh, member Altenburg? Here. Vice Chair Kasman? Here. Chair Clark? Here. Member Dan Ford. Member Frank? Here. Member Peterson. And Member Roberts. Okay. Terrific. All right. There's no agenda to the agenda. Is there any public comment today? No public comment. All right. No chairs remarks. No unfinished business. Our new business is the consent agenda, which is item 8.1. Can I get a motion in a second? Motion by Altenburg, second by Frank. All in favor? Aye. Any opposed? Motion carries. All right, on to our regular agenda. Item 8.2 is a joint resolution approving an access control policy. Can I get a motion in a second? Motion by Vice Chair Kasmin, second by member Roberts. Good morning, CIO Blandy. Good morning, Chris Blinding, CIO. Happy May. Morning, Eric Carlson, CQ. First two items we have are two policies. One is about protecting data and how we do that. And one is about ensuring that people who have access to the data have the right controls and only have access to data they need. Eric's going to go into a little more detailed overview of the policies. I just wanted to highlight and thank the partners around the county and our advice, our policy advisory team that we work with the other IT groups. And it's really a collaborative effort.
openpublica.com