Fairport Harbor Village government now has an authorized cybersecurity program to prevent and respond to online attacks of its computer system.
Village Council recently approved the policy, which was required to comply with a new statewide mandate.
Ohio House Bill 96 was signed by Gov. Mike DeWine on June 30 and took effect three months later. The law makes it compulsory for all political subdivisions in the state to “adopt a cybersecurity program consistent with best practices to protect data, information technology and information technology resources,” according to a resolution ratified by council.
The state declared that local government entities such as townships and villages in Ohio must adopt and implement cybersecurity programs by July 1. Counties and cities had until Jan. 1 to accomplish that same goal.
Fairport Harbor Village Council’s resolution to adopt a cybersecurity policy stated that the program will be implemented in accordance with generally accepted cybersecurity best practices. Some of those standards include the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security Controls.
The community’s IT vendor, CMH Solutions, in coordination with the mayor and village administrator, will oversee the implementation, documentation and annual review of the cybersecurity program “to ensure continued alignment with state requirements and best practices,” the resolution stated.
Other matters addressed in the village’s cybersecurity program which also are required by Ohio law include:
• Ransomware payments or other compliance with ransom demands are prohibited unless Village Council approves the payment by taking formal legislative action. Any such measure would have to state why the payment is in the best interest of Fairport Harbor.
• Cybersecurity incidents must be reported to the Ohio Department of Public Safety’s Ohio Cyber Integration Center within seven days and to the Ohio Auditor’s Office within 30 days of discovery.
• Records related to the cybersecurity program, incident reports and acquisition of cybersecurity software and hardware will be kept confidential.
