Short Term Rental consultant lack of IT input for RFP
I would like to question the reasoning behind selecting a software company 'consultant' to do any analysis on Short Term Rentals, when our city does not even KNOW what our LONG TERM
RENTAL situation is.
I have a real problem with the RFP posted. It was not clear nor well thought out. There are a myriad of issues with it, but more importantly is that there is a situational ignorance
of IT and data shown by our RFP for a short term rental data from a consultant. In their proposal they are asking for access to city/county property data. This is concerning. The company's
proposal is sloppy, and what should be clear about them is not. I am at a loss as to WHY the city IT department did not weigh in on the RFP, and why legal was not represented. The RFP
was too vague, and did not require any standard software compliance from the proposed vendor.
I urge the city council to recommend that this company not be hired, and that a NEW RFP be solicited with input from the IT and legal departments, and that use of any city data also
include requirements for best standards third party software compliance, and regular, clear auditing. I also recommend that we do not allow our data to be used for any other purpose,
and that the database created be internal, and not external.
What concerns me is that in their proposal I see that the vendor requests data from both the city and the county (page E-69 of the council packet) "in this program Port Angeles and Clallam
county will provide permit and parcel data to the GOVos Team to populate a new database integrated to advertised...."
They want our private data on permit and parcel data to use in their third-party software? How is this NOT an issue? Where is the fiduciary obligation to the people of Port Angeles
and Clallam County to protect our data?
I do not see that the RFP was clear enough to require proof of "compliance strategy," and obviously this measurement and evaluation would be something that should have involved both the IT
and legal departments. This is a lot of money to spend, and important data to be delivered, without an awareness of current best practices in the software industry.
As far as I know Mr. Fleming, Mr. Braudrick, Ms. Cartmel, Mr. Emery and Mr. Rubin lack data security/IT compliance knowledge or awareness of threats to our community from lack of software
compliance and regulations by a third-party vendor.
The RFP was flawed and the selection criteria banal. The RFP merely asks a software sales group to assure compliance? Really? This may have been done 20 years ago, but it is NOT DONE
by any sane organization, today.
My issue:
I see no assurances about this company being compliant with SOC 2 which, in today's world, is necessary to ensure that our public records are protected by any 3rd party software company.
ANY organizations evaluating SaaS or cloud services providers, should demand compliance with SOC 2 as a minimum requirement. This proposal lacks any level of maturity around security
best practices. In fact, it appears Port Angeles has no awareness of, or requirements regarding any security practices, either. (https://www.strongdm.com/soc2/compliance)
At the very least this vendor must be FISMA compliant. (https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act)
FISMA is U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated
in 2014, FISMA requires that government systems meet a set level of security requirements (also known as “controls”). Security compliance is an integral part of every IT pro’s decision-making
process. Even though FISMA is not absolutely a requirement, it should be a consideration. Especially because we ARE a border town. You should be protecting the data of all the businesses
and property owners. And, because we ARE a border town, and subject to various DHS requirements which are beyond what a "landlocked" community would be -- we should demand that third-party
software vendors exceed the standards.
Certainly, with such close proximity to Vancouver Island we have some homeowners who are most probably Canadian citizens -- so that data could need to be PIPEDA compliant (requiring
an individual's consent before government private information can be used by a third-party software developer, and YES Canada is very strict).
Presumably that divulged city and county data will include information on the medical centers in town. So, does this company have HITRUST certification? This isn't just applicable to
individual medical records, but all functions of a hospital prone to exploitation. Building permits could be considered a valid risk.
Is anyone who chose and recommended this vendor even aware of any of these software certifications? PIPEDA, HITRUST, SOC 2, FISMA compliance, or at the very least NIST best
practices?
Do we even have an IT consultant to guide us? (Maybe that would be a better investment than this STR nonsense.)
This should NOT be a decision of one department, but of many, working in unison. Data should not be handed over without strict controls, and audits of how/why/where it will be stored/used/manipulated.
As a city have we even identified the security level risk for this kind of potentially exposed data? Have we addressed issues of privacy, authenticity and integrity of how our data
will be used, protected, secured, and potentially re-sold by a third-party vendor?
I am appalled that the concern is NOT setting any priority for security, but moving right into hiring a "consultant".
Although property records/permit records do not seem "important" to you (for which I am at a loss), has anyone (with a real technical IT background) evaluated how this information could
be used for nefarious purposes? Are you AWARE that there are predators who are looking for property data to put fake liens or obscure property ownership? Who -- with IT experience
-- has actually vetted this company? As a small town we are PREY to bad operators. Who is assessing that risk? I see no real details in this proposal -- only fancy sales literature.
The real concern regarding the lack of situational awareness is the lack of city knowledge of Risk Mitigation.
At best, in my opinion, this company appears to be shovelware (aka hastily thrown together without proper testing, then shoved down a customer's throat with strong marketing and vague
promises). None of the "comparable" towns are foreign border towns. Nothing on their website even speaks of compliance issues. It's a dorky company out of Colorado, with a lot of
sales people (several of whom worked for some questionable sales websites in the past) and, not an abundance of high tech savvy. The CFO does not have a Silicon Valley background, which
is not a plus. In fact, this really seems like a company that might not have the chops for what they are promising.
How can you recommend this company -- over the others -- when the RFP was flawed, at best, and your selection criteria banal?
In fact, what they are promising doesn't even speak of regular audits of their data, or even outline where our data will be stored (once populated to their database), not that the RFP
even thought of that. I find this all to be ridiculously naive, and it could open the city to trouble.
And, I'd really like to know how they propose to gather this data from the various STR groups, as I've spoken to people involved with these kinds of projects -- and much of the data
is protected by the short term rental agencies, and the systems are shielded from disclosure of rental address data so that they are not exploited or raided by competitors. From my
research, I highly doubt what they claim can really be delivered, and the question becomes one of how to audit the data provided. Or, are we just going to give away our money AND our
data?
Most important to me is the question: is anyone in our government receiving a referral fee for recommending them?
But what do I know? I've only been in and around high tech since 1979.
Marolee Smith-Dvorak