Key figures at a glance:

  • Population served: 94,200
  • County budget: $87.3M
  • Annual IT budget: $1.84M
  • County employees: 822
  • IT staff FTE: 9
  • Dedicated CISO: 0
  • County facilities: 8
  • MS-ISAC member since: 2019

🏛️ County & Organization Profile

Background

Harmon County, Ohio (fictional) is a mid-size county whose county seat is Millhaven (population ~22,000). The county government provides a broad range of services to its 94,200 residents across 542 square miles, including law enforcement (Sheriff's Office), 911 emergency dispatch, courts, elections administration, public health, building permits, road and bridge maintenance, and financial services (Auditor, Treasurer, Recorder). The county operates under a three-member elected Board of County Commissioners with a professional County Administrator overseeing day-to-day operations.

The Harmon County Information Technology Department (HCIT) serves as the centralized IT function for all county departments, including the Sheriff's Office, Courts, Health Department, Board of Elections, and Public Works. IT Director Marcus Webb (hired 2018) reports directly to the County Administrator and leads a team of 9 FTE. Webb also serves as the county's de facto information security officer — there is no dedicated CISO, no security manager, and a cybersecurity analyst position has been unfilled for 14 months due to budget constraints approved by the Board of County Commissioners. The county joined the Multi-State Information Sharing and Analysis Center (MS-ISAC) in 2019 and deployed a CISA Albert network sensor in 2022.

County IT faces the challenges common to resource-constrained local governments: a very broad technology footprint spanning public safety, elections, health, finance, and general administration; regulatory obligations across multiple federal and state frameworks simultaneously (CJIS, HIPAA, IRS Publication 1075, HAVA/EAC); a flat IT budget that has not grown in proportion to the county's expanding digital services; aging infrastructure that was budgeted during a period of lower cybersecurity awareness; and a small staff that must manage both day-to-day operations and respond to incidents without dedicated security personnel. These conditions — extremely common across mid-size county governments — make HCIT an ideal C2M2 assessment scenario.

Organization Fact Sheet

| Attribute | Detail |
|---|---|
| Full Name | Harmon County Information Technology Department (HCIT) |
| Jurisdiction Type | County Government — Ohio General Law County |
| County Seat | Millhaven, Ohio (fictional) — population ~22,000 |
| County Population | 94,200 residents (2020 Census estimate) |
| County Area | 542 square miles (land) |
| Governance | Board of County Commissioners (3 elected); County Administrator: Patricia Holloway |
| IT Director | Marcus Webb — hired 2018; reports to County Administrator; de facto Security Officer |
| IT Staff | 9 FTE (1 director, 2 sys admins, 1 network admin, 1 app specialist, 1 GIS analyst, 2 help desk, 1 cybersecurity analyst — VACANT) |
| Annual County Budget (FY2025) | $87.3 million |
| Annual IT Budget (FY2025) | $1.84 million (2.1% of county budget) |
| Cybersecurity Sub-Budget | ~$94,000 (tools, training, MS-ISAC; no dedicated security staffing budget) |
| Dedicated CISO | None — IT Director serves as de facto security lead |
| MS-ISAC Membership | Member since 2019 — Albert sensor active since 2022 |
| CISA Regional Advisor | Contact established — annual check-in; no formal assessment completed |
| Cyber Insurance | $2M limit; Ohio County Risk Sharing Authority (CORSA) policy; last reviewed FY2023 |
| IT Help Desk Ratio | 1 technician per 228 county employees (industry benchmark: 1:70–100) |
| Primary Regulatory Frameworks | FBI CJIS Security Policy v5.9.2 · HIPAA Security Rule · IRS Publication 1075 · HAVA / EAC · Ohio RC §9.08 |
| C2M2 Self-Assessment | Completed Q1 2026 by IT Director Webb with MS-ISAC state coordinator support |
| Overall C2M2 Level | MIL 0–2 (mixed); MIL 2 in Asset Mgmt only; MIL 0 in Situational Awareness & Supply Chain |

Context for Instructors: Harmon County represents the median cybersecurity posture for a mid-size Ohio county government based on aggregated MS-ISAC State, Local, Tribal, and Territorial (SLTT) assessment data. The combination of regulatory complexity (CJIS + HIPAA + IRS Pub 1075 + election security), limited staffing, legacy infrastructure, and no dedicated CISO is not exceptional — it is the norm for counties of this size. Students should recognize that the gaps identified here are systemic and reflect resource and governance realities, not individual negligence.

📍 Facilities & Geographic Footprint

Harmon County IT supports eight primary facilities across Millhaven and the surrounding county, plus four remote township offices connected via commercial internet. All primary facilities connect to the FAC-01 data center via AT&T fiber circuits. The 911 Emergency Communications Center (FAC-03) is co-located with the Sheriff's Office (FAC-02) in a shared public safety complex, with a physically dedicated 911 network infrastructure. The Board of Elections (FAC-08) operates as a separate building with specific isolation requirements for election management systems per Ohio Secretary of State directive.

| Facility ID | Name | Location | Primary IT Systems | IT Risk Notes |
|---|---|---|---|---|
| FAC-01 | Courthouse Annex — Primary Data Center & IT Offices | Millhaven, OH (Downtown) | All county servers (SRV-01 through SRV-10); Munis ERP; domain controllers; backup infrastructure | Primary data center; server room access shared with facilities staff; no card reader — key lock only |
| FAC-02 | Harmon County Sheriff's Office & County Jail | Millhaven Public Safety Complex | Tyler New World RMS (law enforcement); Axon/Evidence.com (body cams); CJIS-regulated workstations; jail management module | CJIS Security Policy applies — MDM not deployed; screensaver lockout policy missing; CJIS audit Q3 2026 |
| FAC-03 | 911 Emergency Communications Center | Millhaven Public Safety Complex (co-located with FAC-02) | Zetron Viper 9-1-1 CAD system (SRV-06); 12 dispatch consoles; PSAP phone trunks; radio dispatch | Life-safety system; SRV-06 EOL and never patched; no IDS on VLAN 30; Zetron SLA is next-business-day |
| FAC-04 | Harmon County Courts / Municipal Court Complex | Millhaven, OH (Courthouse Square) | Tyler New World courts/justice module (SRV-05); 32 court workstations; public kiosk terminals | SRV-05 patch lag ~6 months; Tyler support VPN persistent; public kiosks on separate VLAN — OK |
| FAC-05 | Harmon County Health Department | Millhaven, OH (Health Services Campus) | Electronic Health Record (EHR) system; 24 HIPAA-scope workstations; state immunization registry connection | HIPAA Security Rule applies; risk analysis last updated 2022; BAA inventory incomplete; VLAN 50 isolated |
| FAC-06 | Auditor / Treasurer / Recorder Offices | Millhaven, OH (Courthouse Main Building) | COGNOS BI (SRV-08, SQL 2014 EOL); 18 auditor workstations; IRS federal tax information; property tax portal | IRS Pub 1075 — federal tax information (FTI) on EOL SQL Server 2014; access logs not reviewed quarterly |
| FAC-07 | Public Works / Highway Department | Route 40 East, Harmon County (outside Millhaven) | 18 workstations; 8 Android tablets (field staff); road/bridge monitoring sensors; Accela (permits) | Most remote primary facility; Android tablets lack MDM; road sensors on VLAN 60 (flat, no microsegmentation) |
| FAC-08 | County Annex / Board of Elections | Millhaven, OH (separate building) | Dominion Democracy Suite 5.17 EMS workstation; 6 administrative workstations; voter registration system | EMS workstation found connected to VLAN 10 (Admin network) Feb 2026 — Ohio SoS air-gap directive violated |

Remote Township Sites

Four Harmon County township offices (Jackson Township, Perry Township, Liberty Township, and Washington Township) connect to county resources via Comcast Business SDSL circuits (25 Mbps down / 5 Mbps up). These sites have no on-site IT support, no local server infrastructure, and rely entirely on VPN connectivity to FAC-01 for access to Munis ERP and county file shares. IT support is provided remotely or by dispatch from FAC-01 (30–45 minute drive to the most remote site).

Remote Site Risk: The four township offices rely on Pulse Secure SSL VPN over Comcast SDSL with no MFA enforced. Township clerks access Munis payroll and financial systems using single-factor password authentication. These sites have no local security controls, no endpoint detection software, and their workstations (Windows 10, mixed patch levels) are outside the county's Veeam backup scope. A compromised township credential is a direct pathway into the Munis ERP financial system on VLAN 10.

👥 Organizational Structure & IT Governance

Reporting Hierarchy

Board of County Commissioners (3 elected members)
  • Patricia Holloway, County Administrator
    • Marcus Webb, IT Director / De Facto Security Officer
      • Systems Admin (2 FTE): server & virtualization
      • Network Admin (1 FTE): LAN/WAN/firewall
      • App Specialist (1 FTE): Tyler Munis & New World
      • GIS Analyst (1 FTE): Esri ArcGIS Enterprise
      • Help Desk (2 FTE): Tier 1 support (822 users)
      • Cybersecurity Analyst: ⚠️ VACANT for 14 months

No CISO — No Dedicated Security Officer: The IT Director serves as de facto information security lead in addition to all other IT responsibilities including infrastructure, vendor management, budget, and help desk oversight. The cybersecurity analyst position has been vacant for 14 months — a budget decision by the Board of County Commissioners citing fiscal constraints. There is no formal IT security steering committee, no executive cybersecurity risk review cycle, and no separation of duties between IT operations and security oversight. All security decisions — tool purchases, incident response, policy enforcement — route through a single individual who is simultaneously managing day-to-day IT operations for 822 county employees.

IT Staffing Detail

| Role | FTE | Name / Status | Key Certifications | Primary Responsibilities & Notes |
|---|---|---|---|---|
| IT Director | 1 | Marcus Webb (hired 2018) | CompTIA Network+; no security cert | All IT operations + de facto CISO; budget owner; primary vendor contact; incident commander |
| Systems Administrator | 2 | Kevin Okafor, Rachel Dietz | Microsoft MTA (Okafor); no current cert (Dietz) | Windows Server, Active Directory, Veeam backup, Tyler application server management |
| Network Administrator | 1 | Daniel Cruz | CompTIA Network+; Cisco CCNA (lapsed) | Cisco LAN/WAN, Fortinet firewall, Pulse Secure VPN, Ubiquiti wireless |
| Application Specialist | 1 | Sandra Nguyen | Tyler Technologies certified (Munis) | Tyler Munis ERP and Tyler New World system administration, user training, Tyler support liaison |
| GIS Analyst | 1 | Thomas Brewer | Esri ArcGIS Desktop Associate | Esri ArcGIS Enterprise administration, parcel mapping, county GIS data governance |
| Help Desk Technician | 2 | Aaliyah Johnson, Patrick Simmons | CompTIA A+ (Johnson) | Tier 1 support for all 822 county employees; imaging workstations; printer support |
| Cybersecurity Analyst | 0 — VACANT | Position unfilled since January 2025 | n/a | Intended scope: SIEM monitoring, vulnerability management, policy compliance, security awareness. All duties absorbed by IT Director ad hoc. |

IT Governance Structure

Governance Challenges

  • No formal IT steering committee — technology decisions are made reactively by the IT Director with occasional Board approval for capital expenditures over $25,000
  • No documented IT strategic plan since FY2022 — current work is driven by operational tickets and vendor renewals
  • Security projects compete directly with operational priorities (help desk, system maintenance) for the same 9-person team
  • County legal counsel has not issued guidance on cybersecurity liability, regulatory obligations, or incident notification timelines
  • No formal change management process — system changes logged informally in a shared spreadsheet
  • Annual security awareness training (KnowBe4 free tier) is assigned but completion rate not tracked or enforced

Governance metrics:

  • IT budget per employee: $2,240
  • Help desk ratio: 1:228
  • Average IT staff tenure: 6.2 yrs
  • Security positions open: 1 of 9

MS-ISAC Resources Available: As an MS-ISAC member, Harmon County is eligible for no-cost services including the Albert network sensor (deployed), Malicious Domain Blocking and Reporting (MDBR), free incident response support, and the CIS Controls self-assessment tool — several of which are not yet fully utilized.

💻 Information Technology Assets

Servers & Core Infrastructure

| Asset ID | Description | OS / Platform | Location | Status / Risk Notes |
|---|---|---|---|---|
| SRV-01 | Primary Domain Controller / Active Directory (FSMO roles) | Windows Server 2012 R2 (EOL Oct 2023) | FAC-01 Data Center | CRITICAL — EOL; authentication, Group Policy, CJIS access mgmt depend on EOL infrastructure; budget migration denied FY2024 |
| SRV-02 | Secondary Domain Controller / AD replication | Windows Server 2012 R2 (EOL Oct 2023) | FAC-01 Data Center | CRITICAL — EOL; no security patches since Oct 2023; known CVEs unmitigated |
| SRV-03 | Domain Controller / DNS / DHCP (replacement — partial) | Windows Server 2022 | FAC-01 Data Center | Current — provisioned 2024; FSMO roles not yet migrated from SRV-01/02; transition incomplete |
| SRV-04 | Tyler Technologies Munis ERP (Finance, HR, Payroll, Procurement) | Windows Server 2019 | FAC-01 Data Center | Minor patch lag (~6 weeks); Tyler support requires change window coordination; persistent VPN for Tyler remote support unmonitored |
| SRV-05 | Tyler Technologies New World (Courts, Justice, Jail Management, RMS) | Windows Server 2016 | FAC-01 Data Center | Patch lag ~6 months — Tyler sign-off required for each patch; last OS update: August 2025; Server 2016 mainstream support ended Oct 2022 |
| SRV-06 | Zetron Viper 9-1-1 CAD Server (Life-Safety) | Windows Server 2012 R2 (EOL) — physically at FAC-03 | FAC-03 (911 Comm Center) | CRITICAL — EOL; zero OS patches in 36+ months; Zetron written approval submitted Jan 2023, no response; no IDS on VLAN 30; life-safety dependency |
| SRV-07 | File Server / County Records / Shared Drives | Windows Server 2016 | FAC-01 Data Center | No DLP controls; unclassified CUI (law enforcement records, health documents) commingled with general files; no access review in 24 months |
| SRV-08 | SQL Database Server — COGNOS BI backend (IRS Pub 1075 scope) | SQL Server 2014 (EOL Jul 2019) | FAC-01 Data Center | CRITICAL — EOL since 2019; hosts federal tax information (FTI); multiple known CVEs; IRS Pub 1075 access log review noncompliant |
| SRV-09 | Backup Server (Veeam Backup & Replication 11) | Windows Server 2019 | FAC-01 Data Center | No offsite copy; tapes rotated to locked closet in same building; restore integrity never tested; Veeam 11 (EOL — upgrade to v12 unfunded) |
| SRV-10 | Esri ArcGIS Enterprise (GIS / Parcel Mapping) | Windows Server 2019 | FAC-01 Data Center | Current patching; public-facing parcel portal — no WAF; internal parcel database exposed via unauthenticated API endpoint (minor data risk) |

Workstations & End-User Devices

| Department / Use | Count | OS | Regulatory Scope | Risk Notes |
|---|---|---|---|---|
| County Administrative Staff (Finance, HR, General) | 280 | Windows 10 Pro / Windows 11 Pro (mixed) | Munis ERP access; general PII | Patch compliance ~78% via WSUS; 61 workstations running Win10 21H2 (unsupported build); no EDR deployed |
| Sheriff / Law Enforcement | 45 laptops | Windows 10 Pro | CJIS Security Policy v5.9.2 | Screensaver timeout policy not enforced (CJIS §5.6.2.2); MDM not deployed for 12 mobile devices; CJIS audit Q3 2026 |
| 911 Dispatch Consoles | 12 | Windows 10 Pro (dedicated) | Life-safety — 911 operations | Dedicated VLAN 30; aging hardware (avg 7 years old); no redundant dispatch workstations; manual CAD fallback procedure undocumented |
| Courts / Justice | 32 | Windows 10/11 Pro (mixed) | Tyler New World; court records | 2 courtroom kiosk terminals on public VLAN — isolated OK; staff workstations patching current; no MFA for Tyler New World access |
| Health Department | 24 | Windows 10 Pro | HIPAA Security Rule | HIPAA risk analysis dated 2022; no BAA inventory; EHR vendor (state-hosted) has SOC 2 Type II; workstation-level encryption not verified |
| Auditor / Treasurer Offices | 18 | Windows 10 Pro | IRS Publication 1075 — Federal Tax Information | FTI accessed via COGNOS on EOL SQL Server 2014; access logs not reviewed quarterly; shared login used by 3 of 18 staff for COGNOS reporting |
| Public Works (field staff) | 18 workstations + 8 Android tablets | Windows 10 / Android 10–12 | General county systems; Accela permits | Android tablets: no MDM, no device encryption enforced, 3 personal apps installed; workstations patching current via WSUS |
| Board of Elections | 6 workstations + 1 EMS workstation | Windows 10 Pro | HAVA / EAC; Ohio SoS election directives | EMS workstation (Dominion Democracy Suite) found connected to VLAN 10 Feb 2026 — Ohio SoS air-gap directive violated; admin workstations patching current |
| IT Staff | 9 (admin workstations / laptops) | Windows 11 Pro | Domain admin access; all systems | IT staff have domain admin privileges; shared account "countyit" used for server work — no individual accountability for admin actions |

Business Applications & SaaS

| Application | Vendor | Function | Hosting | Risk / Access Notes |
|---|---|---|---|---|
| Tyler Munis ERP | Tyler Technologies | Finance, payroll, HR, procurement — 822 employees | On-prem (SRV-04) | No MFA enforced for any users; Tyler support VPN persistent (always-on); payroll dependency: $2.1M/month |
| Tyler New World | Tyler Technologies | Courts, justice, jail records, police RMS | On-prem (SRV-05) | Patch lag 6 months; Tyler support VPN persistent; CJIS data in RMS module — not inventoried for CJIS compliance scope |
| Zetron Viper 9-1-1 CAD | Zetron (Motorola Solutions) | Emergency dispatch, call tracking, unit status | On-prem (SRV-06) | Life-safety; EOL OS; Zetron SLA is next-business-day; vendor patch approval process never completed in 3 years |
| Dominion Democracy Suite 5.17 | Dominion Voting Systems | Election management, ballot programming, results tabulation | Standalone workstation (FAC-08) | Air-gap required per Ohio SoS; found on county network Feb 2026; last security update from Dominion: Oct 2024 |
| Microsoft 365 GCC | Microsoft | Email (Outlook), Teams, SharePoint — all 822 employees | Cloud (GCC) | Microsoft Defender for Office 365 Plan 1 licensed but not fully configured; MFA enforced only for IT staff (9 of 822); conditional access policies not configured |
| COGNOS BI | IBM / legacy | Financial reporting; federal tax data processing (IRS Pub 1075 scope) | On-prem (SRV-08, SQL 2014) | EOL SQL Server 2014; access logs not reviewed quarterly (IRS Pub 1075 §4.6 requirement); 3 shared COGNOS logins in use |
| Esri ArcGIS Enterprise | Esri | GIS, parcel mapping, infrastructure planning | On-prem (SRV-10) + public portal | Public parcel portal has no WAF; unauthenticated API endpoint exposes internal parcel records — low sensitivity but unintended exposure |
| Accela | Accela Inc. | Building permits, inspections, code enforcement | SaaS (cloud-hosted) | SOC 2 Type II; MFA enforced by Accela; BAA not applicable; annual security review conducted by Accela |
| Axon / Evidence.com | Axon Enterprise | Body camera video, digital evidence chain-of-custody (Sheriff) | SaaS (cloud) | Axon-managed security; CJIS-compliant platform; encrypted at rest and in transit; SOC 2 Type II |
| OpenGov | OpenGov Inc. | Public budget transparency portal (citizen-facing) | SaaS (cloud) | Read-only public data; no county PII; SOC 2 Type II; no significant security risk |

Critical Finding — Shared Administrator Account: All server administration across all 10 servers and all 8 facilities is conducted under the shared domain administrator account "countyit" — an account with full Domain Administrator privileges across the entire county Active Directory environment. The password for this account is written on a whiteboard in the FAC-01 server room and is known to all 9 IT staff members. The password is changed quarterly but there is no individual accountability for administrative actions taken under this account. Event logs record the account name "countyit" — not the individual — for all administrative activity including Active Directory changes, server access, and Group Policy modifications. In the event of an insider incident, malicious admin action, or forensic investigation, it would be impossible to determine which individual performed specific administrative actions. A single compromised "countyit" session — via phishing, stolen credential, or unauthorized physical access to the FAC-01 server room — would provide full domain control across all county systems, including CJIS-regulated law enforcement data, IRS federal tax information, election management systems, and 911 CAD management access.
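
The accountability problem described in the finding above is also visible in the logs themselves: a shared privileged account shows up logging on from several workstations within minutes of each other, something one person rarely does. The script below is an added example written for this case study (it is not HCIT's tooling and the county has no SIEM). It reads Windows Security Event ID 4624/4634 records in the JSON-lines shape a log forwarder might produce and flags two indicators a defender can act on: one privileged account used from multiple source hosts inside a short window, and privileged logons originating outside the IT Management segment (VLAN 80, 10.80.0.0/24, from the segmentation table). The event records, the account list (including the named admin account "dcruz-adm") and the host names are constructed sample data, not logs from the scenario.

```python
"""Shared-administrator-account indicators over Windows Security logon events.

Added example for the Harmon County "countyit" finding. The events below are
constructed JSON lines shaped like Event ID 4624 (successful logon) and 4634
(logoff) records as a forwarder might export them; they are not case-study logs.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. LogonType 10 = RemoteInteractive (RDP), 3 = Network.
SAMPLE_EVENTS = """\
{"EventID":4624,"TimeCreated":"2026-02-10T08:02:11","TargetUserName":"countyit","LogonType":10,"IpAddress":"10.80.0.21","Computer":"SRV-01"}
{"EventID":4624,"TimeCreated":"2026-02-10T08:05:40","TargetUserName":"countyit","LogonType":10,"IpAddress":"10.80.0.22","Computer":"SRV-04"}
{"EventID":4624,"TimeCreated":"2026-02-10T08:06:03","TargetUserName":"countyit","LogonType":3,"IpAddress":"10.80.0.23","Computer":"SRV-07"}
{"EventID":4634,"TimeCreated":"2026-02-10T08:31:00","TargetUserName":"countyit","LogonType":10,"IpAddress":"-","Computer":"SRV-01"}
{"EventID":4624,"TimeCreated":"2026-02-10T09:15:22","TargetUserName":"dcruz-adm","LogonType":10,"IpAddress":"10.80.0.24","Computer":"SRV-03"}
{"EventID":4624,"TimeCreated":"2026-02-10T13:47:09","TargetUserName":"countyit","LogonType":10,"IpAddress":"10.10.4.77","Computer":"SRV-08"}
"""

# Constructed list of Domain Admin accounts; "dcruz-adm" is a hypothetical named admin account.
PRIVILEGED_ACCOUNTS = {"countyit", "dcruz-adm"}
# VLAN 80 (IT Management) subnet from the case-study segmentation table.
MGMT_NET = ipaddress.ip_network("10.80.0.0/24")
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON-lines event text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shared_credential_indicators(events, window=WINDOW):
    """Map each privileged account to the largest number of distinct source IPs
    that logged on with it inside one `window`. A value of 2 or more means the
    same credential was in use from several machines at about the same time,
    the signature of a password known to more than one person."""
    logons = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["TargetUserName"] in PRIVILEGED_ACCOUNTS:
            logons[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["IpAddress"]))
    findings = {}
    for acct, items in logons.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # Sliding window anchored at each logon: distinct sources within `window` of it.
            sources = {ip for t, ip in items[i:] if t - t0 <= window}
            if len(sources) >= 2:
                findings[acct] = max(len(sources), findings.get(acct, 0))
    return findings


def off_segment_admin_logons(events, mgmt_net=MGMT_NET):
    """Privileged logons whose source address is not on the IT Management VLAN.
    An admin credential used from a general-staff workstation widens the blast
    radius of any phishing or malware on that workstation."""
    out = []
    for e in events:
        if e["EventID"] != 4624 or e["TargetUserName"] not in PRIVILEGED_ACCOUNTS:
            continue
        ip = e["IpAddress"]
        if ip != "-" and ipaddress.ip_address(ip) not in mgmt_net:
            out.append((e["TargetUserName"], ip, e["Computer"]))
    return out


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for acct, n in shared_credential_indicators(events).items():
        print(f"SHARED-CREDENTIAL indicator: {acct} used from {n} source hosts within {WINDOW}")
    for acct, ip, host in off_segment_admin_logons(events):
        print(f"OFF-SEGMENT admin logon: {acct} from {ip} to {host} (not in {MGMT_NET})")
```

Run against the constructed sample, the first check reports "countyit" from three hosts inside one hour and the second reports the afternoon logon from 10.10.4.77 on VLAN 10. The remediation the finding implies (individual named admin accounts, with the shared account retired) is what makes both checks go quiet: once each administrator has their own credential, multi-host use of one account becomes the anomaly it should be.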

🚨 Critical Government Systems & Public Safety Infrastructure

Government IT is distinct from commercial IT in that system failures directly impact legally mandated public services, public safety, and constitutional processes. For Harmon County, five system categories carry critical or life-safety designations: 911 Emergency Dispatch, Election Management, Courts and Justice, Law Enforcement RMS, and Finance/Payroll (ERP). Unlike commercial environments where outages translate to revenue loss, outages in these systems can delay court proceedings, disrupt emergency response, interrupt legally required payroll disbursements, and compromise election integrity — each with distinct legal, regulatory, and public safety consequences.

| System | Platform | Function | Connectivity | Criticality | Security Notes |
|---|---|---|---|---|---|
| Zetron Viper 9-1-1 CAD | On-prem SRV-06 (Win Server 2012 R2 EOL, FAC-03) | Emergency call intake, dispatch, incident tracking for all Harmon County 911 calls (~38,000/year) | Dedicated PSAP phone trunks; VLAN 30 (isolated from corp LAN); Zetron remote support VPN | ⚠️ Life-Safety | EOL OS, zero patches in 36+ months, Zetron SLA = next-business-day, no IDS on VLAN 30, no redundant CAD server, manual fallback procedure undocumented |
| Tyler Munis ERP | On-prem SRV-04 (Win Server 2019, FAC-01) | County payroll ($2.1M/month for 822 employees), finance, HR, purchasing, accounts payable/receivable | VLAN 10 (Admin); Tyler persistent support VPN; Pulse Secure VPN (remote access) | High — Operational | No MFA for any user; Tyler support VPN persistent and unmonitored; ransomware on VLAN 10 could encrypt Munis data and halt county operations |
| Tyler New World (Courts & RMS) | On-prem SRV-05 (Win Server 2016, FAC-01) | Court docketing, case management, jail records, inmate booking, law enforcement records management (RMS) | VLAN 20 (CJIS/Sheriff) + VLAN 40 (Courts); Tyler support VPN; statewide LEADS connection | High — Justice / CJIS | 6-month OS patch lag; Tyler support VPN persistent; CJIS data in RMS module — CJIS compliance audit pending; statewide LEADS connection requires CJIS certification |
| Dominion Democracy Suite 5.17 (EMS) | Dedicated workstation (Win 10 Pro, FAC-08) | Election ballot programming, logic & accuracy testing, results tabulation for all Harmon County elections | Should be completely air-gapped per Ohio SoS directive; found on VLAN 10 Feb 2026 | High — Election Integrity | Ohio SoS air-gap directive violated; workstation connected to county Admin VLAN for voter registration data download "convenience"; Ohio SoS notification not yet made; last security patch from Dominion: Oct 2024 |
| Esri ArcGIS Enterprise | On-prem SRV-10 (Win Server 2019, FAC-01) | County GIS, parcel mapping, infrastructure planning, public property search portal | VLAN 10 (internal) + public-facing internet portal (no WAF) | Medium — Public Service | Public parcel portal internet-exposed without WAF; unauthenticated REST API endpoint returns internal parcel owner records — low sensitivity but unintended; no monitoring on public-facing portal |
| COGNOS BI (IRS Pub 1075) | On-prem SRV-08 (SQL Server 2014 EOL, FAC-01) | County financial reporting; processes and stores federal tax information (FTI) for property tax administration | VLAN 10 (Admin); county auditor staff access; IRS data feed | High — IRS Pub 1075 | EOL SQL Server 2014 (known CVEs); IRS access log review noncompliant; 3 shared COGNOS logins in use; IRS CP2000 equivalent risk if FTI is exfiltrated |
| Accela (Permits) | SaaS — Accela cloud-hosted | Building permits, inspections, code enforcement — public-facing and staff-facing | Internet HTTPS; Accela-managed infrastructure | Medium — Public Service | SOC 2 Type II; MFA enforced by Accela for staff; public portal scoped appropriately; annual security review current |
| Axon / Evidence.com | SaaS — Axon cloud-hosted | Sheriff body camera video, digital evidence, chain-of-custody documentation | Internet HTTPS (encrypted); Axon-managed | Medium — CJIS / Evidence | Axon-managed security; CJIS-compliant platform; encrypted at rest and in transit; SOC 2 Type II; no significant IT-managed risk |

Critical Finding — 911 CAD Server (SRV-06) End-of-Life & Unpatched: The Zetron Viper 9-1-1 CAD server (SRV-06) at FAC-03 is a life-safety system running Windows Server 2012 R2 (EOL October 2023) with zero operating system patches applied in over 36 months. IT Director Webb submitted a written patch authorization request to Zetron in January 2023 — standard procedure for vendor-managed systems — but has received no response. The server has no endpoint detection or response (EDR) software, no intrusion detection on VLAN 30, and its Zetron support SLA is "next business day" — meaning a Saturday night failure would leave Harmon County operating manual 911 dispatch from paper logs until at minimum Monday morning. There is no documented manual dispatch fallback procedure, and dispatch staff have not practiced manual operations in over three years. A ransomware infection, hardware failure, or cyberattack on this single unpatched server would directly degrade 911 emergency response for 94,200 residents.

Critical Finding — Election Management System Air-Gap Violation: During pre-election Logic & Accuracy testing preparation in February 2026, a county IT technician connected the Dominion Democracy Suite 5.17 EMS workstation at FAC-08 to the county administrative network (VLAN 10) to download an updated voter registration extract via a mapped network drive — a procedure done "every election cycle for convenience." This directly violates the Ohio Secretary of State's directive requiring complete network isolation of election management systems during the pre-election period. The Ohio SoS auditor present for the L&A test observed the active network connection and flagged it. Testing has been suspended pending resolution. The county has not yet notified the Ohio Secretary of State's office of the extent of the violation, and the county Board of Elections Director is unaware of the full regulatory implications. The two-hour decision window to either isolate the workstation (and reimage it per SoS protocol) or suspend testing entirely expires before the county attorney can be reached.

🌐 Network Architecture & Communications

Network Infrastructure Overview

Harmon County's network infrastructure is centralized at FAC-01 (Courthouse Annex data center) and extends to seven county facilities via AT&T fiber and to four remote township offices via Comcast SDSL. The core switching infrastructure consists of Cisco Catalyst 9200 series managed switches. Perimeter security is provided by a Fortinet FortiGate 200E next-generation firewall with UTM features licensed (IPS, web filtering, application control) — though IPS signatures have not been updated in 14 weeks. Remote access is handled by Pulse Secure SSL VPN with no MFA enforcement — a known gap affecting all remote users including IT staff and township employees. Wireless is deployed via Ubiquiti UniFi APs in a mixed deployment; several APs at the Courthouse public lobby and Public Works were installed without proper SSID isolation configuration and are not managed via the central UniFi controller.

VLAN Segmentation

| VLAN | Name | Subnet | Primary Systems / Users | Segmentation Notes |
|---|---|---|---|---|
| VLAN 10 | Admin / General | 10.10.0.0/20 | Finance, HR, general staff (280 workstations); Tyler Munis (SRV-04); COGNOS (SRV-08); file server (SRV-07) | Largest segment; Munis ERP and IRS Pub 1075 COGNOS data co-mingled with general staff; Election EMS workstation found here (Feb 2026) |
| VLAN 20 | Law Enforcement / CJIS | 10.20.0.0/24 | Sheriff's Office workstations (45 laptops); Tyler New World RMS; jail management systems; LEADS terminal | ACL MISCONFIGURATION — traffic from VLAN 10 (Admin) can reach VLAN 20 (CJIS); violates CJIS Security Policy network isolation requirements; identified Jan 2026, not yet remediated |
| VLAN 30 | 911 Emergency Comms | 10.30.0.0/24 | Zetron CAD server (SRV-06); 12 dispatch consoles; PSAP telephone trunks; radio dispatch infrastructure | Physically separate at FAC-03; Zetron support VPN terminates on this VLAN; no IDS coverage; no monitoring of network traffic on this segment |
| VLAN 40 | Courts / Justice | 10.40.0.0/24 | Court workstations (32); Tyler New World court module; public kiosk terminals (2, isolated sub-VLAN) | SRV-05 bridged between VLAN 20 and VLAN 40 for RMS/courts integration — bridge not documented in network diagrams; patch lag on SRV-05 |
| VLAN 50 | Health Department | 10.50.0.0/24 | Health Dept workstations (24); state immunization registry connection; EHR vendor connection | HIPAA-scope segment; adequately isolated; state EHR connection exits via dedicated path — not through county firewall; firewall rule review needed |
| VLAN 60 | Public Works | 10.60.0.0/24 | Public Works workstations (18); field Android tablets (8, when docked); road/bridge monitoring sensors (12 sensors) | Flat — road sensors and staff workstations share segment; no microsegmentation; sensor firmware not updated since 2022; tablets connect via Wi-Fi without NAC |
| VLAN 70 | Guest / Public Wi-Fi | 192.168.70.0/22 | Courthouse public lobby Wi-Fi; courtroom attorney access; public kiosk tablets | Isolated — no route to any county VLAN; Fortinet content filtering active; acceptable security posture for this segment |
| VLAN 80 | IT Management | 10.80.0.0/24 | Server management interfaces; Veeam backup (SRV-09); IT admin workstations; iDRAC/BMC management | Shared account "countyit" (Domain Admin) used for all management tasks on this segment; no individual admin accountability; password on whiteboard in FAC-01 server room |

Network Diagram

HARMON COUNTY NETWORK TOPOLOGY — HCIT / FAC-01 PRIMARY DATA CENTER
═══════════════════════════════════════════════════════════════════════════

                      INTERNET
                         │
                         ▼
            [ AT&T Fiber — 1 Gbps ]                ← Primary WAN uplink
                         │
                         ▼
            [ Fortinet FortiGate 200E ]            ← NGFW / UTM (IPS sigs: 14 weeks stale)
                         │
                         ├──── [ Pulse Secure SSL VPN ]   ← NO MFA — CRITICAL GAP
                         │        Remote users, IT staff,
                         │        township offices (Comcast SDSL)
                         ▼
            [ Cisco Catalyst 9200 Core Switch — FAC-01 ]
                         │
                         ├── VLAN 10   10.10.0.0/20     Admin / General (280 workstations; Munis; COGNOS)
                         │     └── ⚠ ACL MISCONFIGURATION → reaches VLAN 20 (CJIS)
                         ├── VLAN 20   10.20.0.0/24     Law Enforcement / CJIS (Sheriff; RMS; LEADS)
                         ├── VLAN 30   10.30.0.0/24     911 Emergency Comms (FAC-03 via fiber; Zetron CAD)   ⚠ No IDS; EOL SRV-06
                         ├── VLAN 40   10.40.0.0/24     Courts / Justice (SRV-05 bridged VLAN 20↔40)
                         ├── VLAN 50   10.50.0.0/24     Health Department (HIPAA scope)
                         ├── VLAN 60   10.60.0.0/24     Public Works (flat; sensors + workstations)
                         ├── VLAN 70   192.168.70.0/22  Guest / Public Wi-Fi (isolated — OK)
                         └── VLAN 80   10.80.0.0/24     IT Management   ⚠ Shared "countyit" Domain Admin

── REMOTE FACILITIES ─────────────────────────────────────────────
FAC-02/03 (Sheriff/911)   ←── AT&T Fiber ──→    FAC-01 Core Switch
FAC-04 (Courts)           ←── AT&T Fiber ──→    FAC-01 Core Switch
FAC-05 (Health)           ←── AT&T Fiber ──→    FAC-01 Core Switch
FAC-06 (Auditor)          ←── AT&T Fiber ──→    FAC-01 Core Switch (same building)
FAC-07 (Public Works)     ←── AT&T Fiber ──→    FAC-01 Core Switch
FAC-08 (Elections)        ←── AT&T Fiber ──→    FAC-01 Core Switch
Townships (4)             ←── Comcast SDSL ──→  Pulse Secure VPN → FAC-01

Critical Finding — VLAN 10 to VLAN 20 ACL Misconfiguration: A misconfigured Access Control List on the Cisco Catalyst 9200 core switch allows unrestricted traffic originating from VLAN 10 (Admin / General — 280 county workstations) to reach VLAN 20 (Law Enforcement / CJIS). This means that a ransomware infection, malware-compromised workstation, or attacker with a foothold on any general county computer — including computers used by finance clerks, HR staff, or administrative assistants — can pivot directly to CJIS-regulated law enforcement systems including the Tyler New World RMS, jail management system, and statewide LEADS terminal. This is a direct violation of FBI CJIS Security Policy v5.9.2 network isolation requirements for systems processing Criminal Justice Information (CJI). The misconfiguration was identified during an MS-ISAC advisory review in January 2026. Network Admin Daniel Cruz has drafted a remediation plan but implementation has been deferred twice due to concern about disrupting Tyler New World's VLAN 20–40 bridge during business hours. The ACL fix has not been applied as of the date of this assessment.

Remote Access — No MFA on Pulse Secure VPN: The county's Pulse Secure SSL VPN provides remote access to all VLAN 10 resources — including Tyler Munis ERP (payroll, finance, HR) — for all 9 IT staff and approximately 40 remote county employees including township clerks. No multi-factor authentication is enforced. The FBI CJIS Security Policy v5.9.2 Section 5.6.2.2 mandates advanced authentication (equivalent to MFA) for any remote access to Criminal Justice Information. Three Sheriff's Office detectives use the county VPN for remote RMS access — meaning the VPN is already out of CJIS compliance. Pulse Secure supports RADIUS-based MFA and is compatible with Duo Security (free tier available for up to 10 users through MS-ISAC). This remediation has been on the IT roadmap for 18 months but has not been prioritized due to competing operational demands.

🛡️ Security Posture & C2M2 Domain Assessment

Harmon County conducted a C2M2 v2.1 self-evaluation in Q1 2026, facilitated by IT Director Marcus Webb with support from the MS-ISAC Ohio state coordinator. The assessment evaluated all ten C2M2 domains against documented practices, interviews with IT staff, and review of available policy documentation. Results reflect a posture typical of a resource-constrained county IT department managing a broad technology footprint without dedicated security staff: generally MIL 1 across most operational domains, with MIL 2 achieved only in Asset Management (where the Tyler Munis asset module provides structured tracking), and critically MIL 0 in both Situational Awareness and Supply Chain & Dependencies — two domains where absence of capability creates outsized risk.

  • 2 Domains at MIL 0 (Critical Gap)
  • 7 Domains at MIL 1 (Partial)
  • 1 Domain at MIL 2 (Managed)
  • 0 Domains at MIL 3 (Optimized)

C2M2 Domain Maturity Assessment

Domain (Abbrev.) | Full Domain Name | MIL Achieved | Key Finding | Priority
ASSET | Asset, Change & Configuration Management | MIL 2 | Server and application inventory maintained via Tyler Munis asset module; change log spreadsheet exists but is informal; configuration baselines not formally documented for servers or network devices | Maintain
THREAT | Threat & Vulnerability Management | MIL 1 | Nessus Essentials (free) scans conducted quarterly; results reviewed by IT Director but not formally tracked or remediated on a defined schedule; EOL servers not scanned (vendor restriction); no threat intelligence integration | High
RISK | Risk Management | MIL 1 | Informal risk register maintained by IT Director in a spreadsheet; no defined risk appetite or tolerance statements; no executive risk review cycle; Board of County Commissioners has not received a formal cybersecurity risk briefing since 2022 | High
ACCESS | Identity & Access Management | MIL 1 | Active Directory manages user accounts; onboarding/offboarding process exists but access review has not been conducted in 24 months; 14 former employees' accounts are still active; shared "countyit" domain admin account; no MFA on VPN or Microsoft 365 for general staff | Critical
SITUATION | Situational Awareness | MIL 0 | No SIEM deployed; MS-ISAC Albert sensor generates alerts that are not actively monitored by any staff member (alert emails go to a shared mailbox checked irregularly); Microsoft 365 Defender alerts not reviewed; no log aggregation; the county would not know it was breached until operational failure | Critical
RESPONSE | Event & Incident Response, Continuity of Operations | MIL 1 | Incident response plan written in 2021; never exercised or tabletop tested; no 24/7 monitoring or on-call rotation for IT; IR plan does not map to Ohio RC §9.08 72-hour reporting requirement; disaster recovery plan last updated 2021 (backup site = locked closet at FAC-01) | Critical
DEPENDENCIES | Supply Chain & External Dependencies | MIL 0 | No vendor risk assessments ever conducted; Tyler Technologies, Zetron, and Dominion all have persistent VPN or direct access to county systems with no monitoring or time-limited sessions; no vendor SOC 2 reports reviewed; no third-party dependency inventory; the county cannot identify all entities with active access to its systems | Critical
WORKFORCE | Workforce Management | MIL 1 | Annual security awareness training via KnowBe4 free tier; completion rate not tracked or enforced; no role-based training for high-risk roles (finance, wire/payroll, law enforcement); no background check policy for IT admin access to CJIS systems beyond state standard | Medium
ARCHITECTURE | Cybersecurity Architecture | MIL 1 | Fortinet NGFW in place; VLAN segmentation implemented (with critical ACL misconfiguration in VLAN 10→20); no zero-trust principles; no endpoint detection/response (EDR) deployed; no email security gateway beyond M365 Defender (partially configured); no WAF on ArcGIS public portal | High
PROGRAM | Program Management | MIL 1 | No formal cybersecurity program; IT Director manages security ad hoc alongside all other IT duties; cybersecurity analyst position vacant 14 months; no cybersecurity budget line item separate from general IT; no formal metrics reported to Board of County Commissioners | High

C2M2 Domain Detail Cards

MIL 0 — Not Performed

Situational Awareness (SITUATION)

The county has no ability to detect an active intrusion. The MS-ISAC Albert sensor generates network alerts that arrive in a shared email inbox checked irregularly. Microsoft 365 Defender for Office 365 is licensed but alert policies have not been configured. There is no log aggregation, no SIEM, and no defined process for reviewing security events.

  • Albert sensor alerts not actively monitored
  • No SIEM — logs exist on individual servers only
  • M365 Defender alerts unconfigured
  • Breach discovery would occur only via operational failure

MIL 0 — Not Performed

Supply Chain & Dependencies (DEPENDENCIES)

No vendor risk assessments have ever been conducted. Tyler Technologies, Zetron, and Dominion Voting Systems all have persistent remote access to county systems. No SOC 2 reports have been reviewed for any vendor. The county cannot enumerate all entities with current access.

  • Tyler support VPN: persistent, unmonitored, unlogged
  • Zetron support VPN: VLAN 30 access, no session timeout
  • No vendor security questionnaire process
  • No third-party dependency register

MIL 1 — Initiated

Identity & Access Management (ACCESS)

Active Directory provides user account management. However, no access review has been conducted in 24 months, 14 former employee accounts are active, the shared "countyit" domain admin account eliminates individual accountability, and MFA is enforced for only 9 of 822 M365 accounts.

  • 14 former employee accounts still active in AD
  • Shared Domain Admin account "countyit"
  • No MFA for VPN or M365 (except IT staff)
  • No privileged access management (PAM) tooling
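The access review that has not happened in 24 months can be scripted rather than done by eye. The following is an added example, not the county's tooling: it joins a constructed Active Directory export (the shape a CSV export of user objects produces) with a constructed HR roster and flags the three conditions the card describes, namely separated employees whose accounts are still enabled, enabled accounts with no logon inside the review window, and privileged accounts with no individual HR owner behind them (shared or service accounts). Every account name, date and group in the sample data is invented; the 90-day window and the review date are assumptions.

```python
"""Access-review helper for the ACCESS findings.

Added example (not county tooling): joins a constructed AD user export with a
constructed HR roster and reports stale, orphaned and shared-privileged accounts.
Field names mirror common AD attributes; all sample values are invented.
"""
import csv
import io
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2026, 3, 1)   # assumed date of the review
INACTIVITY_DAYS = 90                 # assumed inactivity threshold

# Constructed AD export (enabled flag, last logon date, group membership).
AD_EXPORT = """\
samAccountName,enabled,lastLogon,memberOf
jdoe,True,2026-02-27,Domain Users
mlee,True,2025-09-30,Domain Users
countyit,True,2026-02-28,Domain Admins
rpatel,True,2024-12-01,Domain Users;Finance
dcruz,True,2026-02-27,Domain Admins
svc_backup,True,2026-02-28,Domain Users
tsmith,False,2023-01-10,Domain Users
"""

# Constructed HR roster; status is "active" or "separated".
HR_ROSTER = """\
samAccountName,status,separationDate
jdoe,active,
mlee,separated,2025-10-15
rpatel,separated,2024-12-05
dcruz,active,
tsmith,separated,2023-01-12
"""


def load(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def review(ad_csv: str, hr_csv: str, review_date: datetime = REVIEW_DATE,
           inactivity_days: int = INACTIVITY_DAYS) -> dict:
    """Return {finding category: sorted account names} for enabled accounts only."""
    hr = {row["samAccountName"]: row for row in load(hr_csv)}
    findings = {"separated_still_enabled": [], "inactive": [], "privileged_without_owner": []}
    cutoff = review_date - timedelta(days=inactivity_days)
    for acct in load(ad_csv):
        if acct["enabled"] != "True":
            continue   # disabled accounts are out of scope for this review
        name = acct["samAccountName"]
        groups = set(acct["memberOf"].split(";"))
        last_logon = datetime.strptime(acct["lastLogon"], "%Y-%m-%d")
        owner = hr.get(name)
        if owner is not None and owner["status"] == "separated":
            findings["separated_still_enabled"].append(name)
        if last_logon < cutoff:
            findings["inactive"].append(name)
        if owner is None and "Domain Admins" in groups:
            # A privileged account with nobody in HR behind it is shared or a service
            # account: no individual accountability for anything it does.
            findings["privileged_without_owner"].append(name)
    return {category: sorted(names) for category, names in findings.items()}


if __name__ == "__main__":
    for category, names in review(AD_EXPORT, HR_ROSTER).items():
        print(f"{category}: {', '.join(names) if names else 'none'}")
```

The HR roster is the ground truth the script joins against, which is the point of the exercise: an IT-only review sees a still-logging-in account as healthy, whereas the join exposes that its owner left months ago. The same three categories map directly onto the C2M2 ACCESS practices for periodic review of access and of privileged accounts.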

MIL 2 — Managed

Asset, Change & Configuration Mgmt (ASSET)

The Tyler Munis asset module provides structured hardware and software inventory tracking. Change management uses an informal shared spreadsheet. Configuration baselines are not formally documented, but asset visibility is significantly better than most county peers.

  • Hardware inventory current via Munis asset module
  • Software inventory maintained (partially)
  • Informal change log spreadsheet exists
  • No formal configuration baseline documentation
MIL 0 in Situational Awareness — Highest Operational Risk: A C2M2 MIL 0 rating in Situational Awareness means Harmon County has effectively zero capability to detect an active cyberattack in progress. The MS-ISAC Albert sensor deployed in 2022 generates alerts — but those alerts email to a shared mailbox that is checked sporadically. Microsoft 365 Defender, which is licensed and capable, has not been configured to generate actionable alerts. Server and network event logs exist in isolation on individual systems but are never aggregated or reviewed. In practical terms: if an attacker gained access to VLAN 10 today through a phishing attack on a county employee, moved laterally to the CJIS segment via the ACL misconfiguration, and began exfiltrating law enforcement records — Harmon County IT would have no automated mechanism to detect this activity. Discovery would most likely occur only when a county employee noticed degraded system performance, a ransomware note appeared, or a downstream system (like the FBI CJIS network) flagged anomalous query patterns.

⚖️ Regulatory & Compliance Obligations

Multi-Framework Compliance Complexity: County government occupies a uniquely complex regulatory position: a single 9-person IT team must simultaneously maintain compliance with the FBI CJIS Security Policy (law enforcement), HIPAA Security Rule (health department), IRS Publication 1075 (auditor/treasurer tax data), HAVA/EAC and Ohio Secretary of State directives (elections), and Ohio Revised Code cybersecurity incident reporting — each with different requirements, different oversight bodies, and different audit cycles. No commercial sector peer faces this breadth of simultaneous regulatory obligations at this staffing level.
Regulatory Framework | Applies To | Key Requirements | Compliance Status
FBI CJIS Security Policy v5.9.2 | Sheriff's Office, Courts, IT (RMS and Tyler New World system access) | Advanced authentication for remote access; MDM for mobile devices; screensaver lockout; background checks; audit logging; encryption in transit; personnel security training | Non-Compliant: VPN lacks MFA (§5.6.2.2); MDM not deployed for 12 mobile devices; screensaver policy missing on Sheriff workstations; CJIS audit letter received — Q3 2026 audit scheduled
HIPAA Security Rule (45 CFR §164) | County Health Department; any IT system handling Protected Health Information (PHI) | Annual risk analysis; access controls; audit logging; workforce training; Business Associate Agreements (BAAs) with vendors handling PHI; encryption; incident response | Partial: Risk analysis dated 2022 (should be annual or upon material change); BAA inventory incomplete — state EHR vendor BAA not on file; workstation-level encryption not verified for Health Dept workstations
IRS Publication 1075 (Tax Information Security) | County Auditor / Treasurer — all systems processing Federal Tax Information (FTI) | Quarterly access log review (§4.6); encryption of FTI at rest and in transit; background checks for FTI-authorized personnel; incident reporting to IRS within 24 hours; EOL system prohibition for FTI processing | Non-Compliant: COGNOS running on EOL SQL Server 2014 (IRS explicitly prohibits processing FTI on EOL platforms); quarterly access log review not conducted; 3 shared COGNOS logins violate individual accountability requirement
HAVA / EAC Election Security Guidelines | Board of Elections — all election management systems and processes | EMS network isolation; chain-of-custody for ballots and election media; physical security for voting equipment; pre-election logic & accuracy testing; post-election audit capability | Non-Compliant: Dominion EMS workstation found connected to county Admin VLAN during pre-election period (Feb 2026) — direct violation of Ohio SoS air-gap directive; Ohio SoS notification not yet completed
Ohio Revised Code §9.08 (Cyber Incident Reporting) | All Harmon County IT operations | Report cybersecurity incidents to the Ohio Department of Administrative Services (DAS) Office of Information Security within 72 hours of discovery; maintain incident documentation | Awareness: Requirement known to IT Director; however, no formal IR procedure maps to ORC §9.08 reporting steps; the county attorney has not issued guidance on what constitutes a reportable incident
MS-ISAC / CISA Membership | All county IT operations | Albert network sensor deployment; participation in SLTT threat intelligence sharing; access to free incident response resources; MDBR (Malicious Domain Blocking and Reporting) | Member since 2019; Albert sensor active since 2022; MDBR enrolled; CISA regional advisor contact established; MS-ISAC advisory distribution list subscribed — advisories reviewed by IT Director
Ohio Secretary of State Election Directives | Board of Elections; IT (for election system support) | Complete network air-gap for EMS workstation during pre-election and election periods; documented chain of custody; L&A testing procedures; post-election audit retention | Non-Compliant: EMS air-gap directive violated Feb 2026 (workstation on VLAN 10); Ohio SoS auditor present during violation; notification and remediation process initiated but incomplete at time of assessment
Ohio Public Records Law (ORC §149.43) | All county departments; IT for records management | Public records must be accessible and retained per schedule; cybersecurity incidents that destroy public records may create legal liability; record retention policies must account for electronic records | Partial: Records retention schedule exists; electronic records on SRV-07 not organized per schedule; a ransomware attack encrypting SRV-07 would create immediate public records law exposure

🎯 Scenario Injects & Assessment Exercises

The following five scenario injects are designed for classroom and workshop use. Each presents a realistic incident grounded in documented county government cybersecurity incident patterns. Injects can be used individually (45–90 minutes each) or as a sequenced scenario arc (half-day exercise). Each inject identifies C2M2 domain gaps, regulatory notification obligations, operational consequences, and decision points realistic for a county IT director without a dedicated security team. Instructors may layer injects to demonstrate cascading effects.

🔴 Inject A — Ransomware Hits Tyler Munis ERP (Payroll Lockout)

Scenario: On a Friday at 2:45 PM, a finance department employee at FAC-01 clicks a phishing link in an email mimicking a Tyler Technologies invoice notification. Within 20 minutes, ransomware has spread across VLAN 10 via SMB, encrypting the Tyler Munis ERP application server (SRV-04), file server (SRV-07), and 47 administrative workstations. A ransom note appears demanding $180,000 in Bitcoin within 72 hours. The 911 CAD system (VLAN 30) is unaffected — VLAN segmentation held for public safety. However, county payroll totaling $2.1 million is due to be processed and disbursed by direct deposit on Monday morning. The Veeam backup server (SRV-09) is accessible but no restore has ever been tested. IT Director Webb is the only person authorized to make the ransom decision and is simultaneously fielding calls from the County Administrator, all department heads, and the Board of County Commissioners chair.

  • What are the first 60 minutes of containment actions? Who do you notify, in what order, and what do you not do (e.g., reboot systems, run antivirus) that could destroy forensic evidence or worsen the spread?
  • The county has never tested its Veeam backups. Walk through the decision tree for attempting a restore versus paying the ransom — what information do you need before making that decision, and who has authority to authorize a ransom payment on behalf of a county government?
  • Ohio Revised Code §9.08 requires notification to Ohio DAS within 72 hours. Does this incident trigger that requirement? Draft the notification. Does the CORSA cyber insurance policy ($2M limit) require notification to the insurer before paying a ransom or engaging an IR firm?
  • County employees will not receive payroll on Monday without Munis. What are the emergency payroll options — and which county official has authority to authorize emergency manual payroll disbursement under Ohio law?
  • Which three specific C2M2 domain gaps most directly enabled this incident? For each, identify the specific practice that was not in place and estimate the cost of implementing it versus the cost of this incident.

🔴 Inject B — 911 CAD System Failure During Peak Call Volume

Scenario: At 11:15 PM on a Saturday night — peak call volume period for 911 — the Zetron Viper CAD system (SRV-06) at FAC-03 crashes and does not respond to restart attempts. Dispatchers report that all CAD screens have gone dark. Incoming 911 calls are still being answered by the 12 dispatch consoles (the PSAP phone infrastructure is separate from the CAD server), but dispatchers have no computer-assisted dispatch capability and must revert to paper logs, radio, and verbal unit tracking. The 911 Communications Director pages IT Director Webb at 11:22 PM. Webb is on personal time 45 minutes from FAC-03. Zetron's support line confirms their SLA is "next business day" — the earliest a Zetron technician can be on-site is Monday at 8 AM. SRV-06 (Windows Server 2012 R2) has no recent backups (it is outside the Veeam scope), no hot spare, and has never been patched. The cause of the crash is unknown — it could be hardware failure, software corruption, or a cyberattack.

  • What is the immediate notification chain? Who must be notified within the first 30 minutes — Sheriff, County Administrator, neighboring county 911 center, Ohio EMA, CISA? What is the legal obligation to notify the Ohio 911 Coordinator's office under Ohio RC §4931.49?
  • Manual dispatch has not been practiced in over three years. How do you assess and manage the operational risk during the degraded dispatch period? What mutual aid agreements with neighboring counties should be activated, and who has authority to activate them?
  • How do you determine whether this is hardware failure or a cyberattack — and does it matter for your immediate response actions? What forensic evidence preservation steps apply even if you suspect hardware failure?
  • After restoration, what is the minimum acceptable patch and resilience posture for the 911 CAD system — and how do you make the business case to the Board of County Commissioners for emergency capital funding to replace an EOL life-safety server that has "never failed before"?
  • Which C2M2 domains — specifically — failed in this scenario? What would a MIL 2 posture in each have looked like, and what would it have cost to achieve?

🔴 Inject C — Election System Found on County Network

Scenario: At 9:10 AM on a Tuesday during pre-election Logic & Accuracy testing preparation, the Ohio Secretary of State field auditor present at FAC-08 observes that the Dominion Democracy Suite 5.17 EMS workstation has an active network cable connected to the county wall jack. A ping test from the auditor's laptop confirms the workstation is live on the county Admin VLAN (10.10.14.22). The auditor immediately stops all L&A testing and issues a verbal stop-work order. Under Ohio SoS directive, the EMS workstation must be completely air-gapped — no network connection, no Wi-Fi — during the entire pre-election period. Reimaging of the workstation may be required per SoS protocol if the isolation requirement was violated. The county Board of Elections Director, David Cho, is on-site. The primary election is 19 days away. Ballot programming on the EMS workstation is 70% complete. IT Director Webb is at FAC-01, 12 minutes away. The SoS auditor has given the county a two-hour window to respond before she suspends the L&A testing certification process entirely.

  • What are the immediate decisions that must be made in the next two hours? Who makes them — the IT Director, Board of Elections Director, County Administrator, County Attorney, or the SoS auditor? What happens to the election timeline if L&A testing is suspended?
  • The Ohio SoS protocol may require reimaging the EMS workstation if it was connected to the network during the pre-election period. What information do you need to know before deciding whether to reimage — and what are the consequences of reimaging (loss of 70% complete ballot programming) versus not reimaging (SoS may decertify the equipment)?
  • Mandatory notification: who must be notified — Ohio SoS, CISA, county legal counsel, the Board of County Commissioners? What is the timeline for each notification, and what do you say in the notification?
  • The EMS workstation was connected to VLAN 10 — the same VLAN as Tyler Munis, the file server, and 280 general workstations. What is the scope of potential compromise in both directions (from network to EMS, and from EMS to network)? How do you assess this in the two-hour window?
  • After the immediate crisis: what policy, technical, and training controls would have prevented this? Which C2M2 domains cover election system supply chain management and configuration control?

🔴 Inject D — CJIS Audit Letter Arrives

Scenario: On a Monday morning, Sheriff Linda Torres delivers a certified letter to IT Director Marcus Webb. The letter is from the FBI CJIS Division Ohio Compact Officer notifying Harmon County of a scheduled CJIS Security Policy audit in 90 days — a "Triennial Compliance Audit" covering all county systems that access, process, or transmit Criminal Justice Information (CJI) via the statewide LEADS network. The audit will evaluate compliance with CJIS Security Policy v5.9.2, specifically Policy Area 1 (Information Exchange Agreements), Policy Area 4 (Auditing and Accountability), Policy Area 5 (Access Control), Policy Area 6 (Identification and Authentication), and Policy Area 8 (Configuration Management). The Sheriff asks Webb to confirm that the county is compliant. Webb knows immediately it is not. The most significant gaps: no MFA on VPN for remote CJIS access (direct §5.6.2.2 violation), no MDM for 12 Sheriff mobile devices, missing screensaver timeout policy on Sheriff workstations, and the VLAN 10→VLAN 20 ACL misconfiguration that allows admin network traffic to reach the CJIS segment.

  • What do you tell the Sheriff right now — and what do you not say without county legal counsel present? What is the legal exposure for the Sheriff personally if the county is found to be in CJIS non-compliance during the audit?
  • In 90 days, what can realistically be remediated? Prioritize the four identified gaps by: (a) time to remediate, (b) cost to remediate, and (c) audit consequence if not remediated. Which gap, if unmitigated, is most likely to result in a LEADS suspension?
  • The VLAN ACL misconfiguration (VLAN 10→VLAN 20) is a structural network change requiring a maintenance window. How do you plan and execute this change without disrupting Tyler New World RMS operations for the Sheriff and Courts — and how do you document the remediation for the auditors?
  • CJIS Policy Area 6 (§5.6.2.2) requires "advanced authentication" equivalent to MFA for any remote access to CJI. Pulse Secure supports RADIUS-based MFA integration with Duo Security. What is the implementation plan, timeline, and cost to achieve CJIS-compliant MFA for the county VPN in 90 days? What is the business case to the Board of County Commissioners?
  • If the audit finds non-compliance, what are the consequences — immediate LEADS suspension, corrective action plan, or both? How does LEADS suspension affect the Sheriff's operations for the 2–4 weeks it typically takes to remediate and restore access?

🔴 Inject E — Suspicious Access to County Tax Data (IRS Pub 1075)

Scenario: On a Thursday at 3:20 AM, a Microsoft 365 Defender alert (one of only a handful configured) fires to the IT Director's personal email. The alert flags a successful interactive sign-in to a county Microsoft 365 account from an IP address geolocating to Kyiv, Ukraine. The compromised account is the shared "countyit" service account — the Domain Administrator account used for all server management. A follow-up check of the county network logs (manually reviewed on the Fortinet FortiGate) shows that the "countyit" account authenticated to SRV-08 (the COGNOS BI server hosting federal tax information) at 3:24 AM and ran two SQL queries against the COGNOS database before the session dropped. The COGNOS database contains Federal Tax Information (FTI) for approximately 41,000 Harmon County property tax accounts — names, addresses, partial SSN data, and prior-year income brackets used for property tax calculations. IRS Publication 1075 §10.0 requires notification to the IRS Office of Safeguards within 24 hours of discovering a potential FTI breach.

  • What are the immediate containment actions — specifically, how do you disable or rotate the "countyit" shared account without locking out all active IT staff and potentially breaking server-to-server communications that depend on that account?
  • IRS Publication 1075 §10.0 requires notification to the IRS Office of Safeguards within 24 hours of a potential FTI disclosure. Draft the incident notification. Who at the county is authorized to submit an IRS Pub 1075 notification — the IT Director, County Administrator, County Auditor, or County Attorney?
  • The COGNOS SQL logs show two queries were executed. What do you need to know about those queries to determine whether FTI was actually exfiltrated — and how do you obtain that information from an EOL SQL Server 2014 instance that has no formal audit trail configuration?
  • The compromised account is the shared "countyit" Domain Administrator. This means the attacker — if they maintained access — had full control of all 10 county servers, all 8 facilities, and all county systems at 3:24 AM. How do you scope the full extent of the potential breach, and what does "assume compromise of everything" mean operationally for county government?
  • After resolution: the IRS Pub 1075 requirement to notify 41,000 affected residents may apply depending on investigation outcome. What are the costs — financial, legal, and reputational — of a county government sending breach notification letters to 41,000 property tax account holders? Which C2M2 domain gaps (minimum three) directly caused this incident?
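The Situational Awareness MIL 0 finding and the Inject E timeline describe the same gap from two sides: the county has the raw signals (a cloud sign-in alert, FortiGate and server logs) but no logic that joins them. The following is an added example, not the county's tooling and not a Microsoft 365 Defender rule: it runs three detection rules over constructed sign-in and server-logon records shaped loosely like Microsoft 365 sign-in log and Windows logon fields. The privileged account list, the expected-country set, the business-hours window, the 15-minute correlation window and every event value are assumptions; the scenario events mirror the inject (a 3:20 AM foreign sign-in to "countyit" followed by a logon to SRV-08 four minutes later) but the IP addresses are documentation ranges.

```python
"""Privileged sign-in detection for the Situational Awareness gap and Inject E.

Added example (not county tooling, not a Defender rule): three rules over constructed
cloud sign-in and server logon records. Account lists, thresholds and all event values
are assumptions; IPs are from documentation ranges.
"""
import json
from datetime import datetime, timedelta

PRIVILEGED = {"countyit", "dcruz"}      # assumed privileged accounts
EXPECTED_COUNTRIES = {"US"}             # assumed: county staff sign in from the US only
BUSINESS_HOURS = range(7, 19)           # assumed 07:00-18:59 local
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed events (JSON lines): cloud sign-ins plus on-prem interactive server logons.
EVENTS = """\
{"ts":"2026-03-05T03:20:00","type":"signin","user":"countyit","country":"UA","ip":"203.0.113.7","result":"success"}
{"ts":"2026-03-05T03:24:00","type":"server_logon","user":"countyit","host":"SRV-08","src_ip":"10.10.5.44"}
{"ts":"2026-03-05T09:02:00","type":"signin","user":"jdoe","country":"US","ip":"198.51.100.2","result":"success"}
{"ts":"2026-03-05T14:10:00","type":"signin","user":"dcruz","country":"US","ip":"198.51.100.9","result":"success"}
{"ts":"2026-03-05T14:12:00","type":"server_logon","user":"dcruz","host":"SRV-04","src_ip":"10.80.0.12"}
{"ts":"2026-03-05T22:40:00","type":"signin","user":"countyit","country":"US","ip":"198.51.100.9","result":"failure"}
"""


def parse(lines: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return alert dicts (severity, rule, user, ts, host) for successful privileged sign-ins."""
    alerts = []
    for event in events:
        if (event["type"] != "signin" or event["result"] != "success"
                or event["user"] not in PRIVILEGED):
            continue
        base = {"user": event["user"], "ts": event["ts"].isoformat(), "host": None}
        unexpected_country = event["country"] not in EXPECTED_COUNTRIES
        if unexpected_country:
            alerts.append({"severity": "high", "rule": "priv_signin_unexpected_country", **base})
        if event["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"severity": "medium", "rule": "priv_signin_off_hours", **base})
        if unexpected_country:
            # Correlation: the same account reaching a server shortly after a suspicious
            # sign-in is the sequence the inject describes; escalate and name the host.
            for follow in events:
                if (follow["type"] == "server_logon" and follow["user"] == event["user"]
                        and event["ts"] <= follow["ts"] <= event["ts"] + CORRELATION_WINDOW):
                    alerts.append({"severity": "critical", "rule": "priv_signin_then_server_logon",
                                   **base, "ts": follow["ts"].isoformat(), "host": follow["host"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(EVENTS)):
        print(f"[{alert['severity']:8}] {alert['rule']:32} {alert['user']} "
              f"{alert['ts']} {alert['host'] or ''}")
```

Against the sample data only the "countyit" events fire: the foreign sign-in, the off-hours sign-in, and the critical correlated alert naming SRV-08. The practical lesson for the county is less the rules than where they run: today the cloud alert lands in a personal mailbox and the FortiGate log is read by hand, so nobody is in a position to join the two records that together tell the Inject E story within the IRS 24-hour notification clock.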

Remediation Planning Exercise

Constraints: The Harmon County Board of County Commissioners has approved a one-time supplemental IT security budget of $220,000 (FY2026) following a briefing by the IT Director on the CJIS audit notification and the election system finding. The IT Director must present a prioritized cybersecurity remediation roadmap at the next Board meeting in three weeks. The 9-person IT team can absorb no more than 12 hours per week of project work above BAU operations. Domain Controller replacement (SRV-01/02 → Server 2022 migration) is covered by a separate capital budget request pending Board approval — do not include in this exercise. The cybersecurity analyst position remains unfilled for budget reasons and is not part of this supplemental.

Discussion questions for the remediation exercise:

  • Which three security gaps represent the highest combined probability-of-occurrence × impact risk to Harmon County right now — and which of those can be remediated within 90 days and within the $220,000 budget?
  • Categorize your top 10 remediation items as: Quick Wins (0–90 days, <$15K), Short-Term (90 days – 1 year, <$100K), and Strategic (1–3 years, >$100K or requiring Board capital approval). Assign rough cost estimates and IT staff-hours for each.
  • The MS-ISAC offers free or low-cost resources specifically for SLTT governments: MDBR, free Duo MFA integration support, CIS Controls assessment, no-cost IR assistance, and the Nationwide Cybersecurity Review (NCSR). Which of these should be the IT Director's first calls — and in what order should they be activated?
  • Make the business case to the Board for hiring a dedicated CISO (estimated $95,000–$115,000/year for a county CISO in Ohio) versus engaging an MSSP with SLTT government experience (estimated $60,000–$90,000/year for co-managed security services). What does each option address — and what does each leave unresolved?
  • How do you communicate cascading cybersecurity risk — across CJIS, IRS Pub 1075, election security, and 911 reliability — to elected county commissioners whose primary concerns are property taxes, road maintenance, and constituent services? What language, metrics, and framing make cybersecurity risk legible to non-technical elected officials?