EXECUTIVE COMMITTEE FEBRUARY 12, 2021

Executive Committee Meeting Meeting Date: February 12, 2021


EXECUTIVE MANAGEMENT COMMITTEE ROSTER

COUNTY            MEMBER                           VOTES
Los Angeles:      Ara Najarian (Chair)             1 vote
San Bernardino:   Larry McCallon (Vice-Chair)      1 vote
Orange:           Doug Chaffee (2nd Vice-Chair)    1 vote
Riverside:        Brian Berkson                    1 vote
Ventura:          Tony Trembley                    1 vote

EXECUTIVE COMMITTEE MEETING

FRIDAY, FEBRUARY 12, 2021 – 10:00 AM
RIVERSIDE CONF RM, 12TH FL, 900 WILSHIRE BLVD, LOS ANGELES, CA 90017
ONLINE ACCESS: HTTPS://METROLINKTRAINS.COM/MEETING
IN ACCORDANCE WITH GOV. NEWSOM'S EXEC ORDER N-29-20 SIGNED 3/17/2020

AGENDA DESCRIPTIONS

The agenda descriptions are intended to give notice to members of the public of a brief general description of items of business to be transacted or discussed. The posting of the recommended actions does not indicate what action will be taken. The Authority may take any action that it deems to be appropriate on the agenda item and is not limited in any way by the notice of the recommended action. The Chair reserves the right to discuss the items listed on the agenda in any order.

A person with a disability may contact the Board Secretary’s office at (213) 452-0255 or via email [email protected] at least 72 hours before the scheduled meeting to request receipt of an agenda in an alternative format or to request disability-related accommodations, including auxiliary aids or services, in order to participate in the public meeting. Later requests will be accommodated to the extent feasible.

SUPPORTING DOCUMENTATION

The agenda, staff reports and supporting documentation are available from the Board Secretary, located at 900 Wilshire Blvd., Suite 1500, Los Angeles, CA 90017, and on the website at www.metrolinktrains.com under About > Agendas & Documents.

PUBLIC COMMENTS ON AGENDA ITEMS AND ITEMS NOT ON THE AGENDA

Members of the public wishing to address the Board of Directors regarding any item appearing on the agenda or any item not on the agenda, but within the subject matter jurisdiction of the Board, may do so by completing a Speaker’s Form and submitting it to the Board Secretary. All speakers will be recognized by the Chairman and will be considered under Item 5 (Public Comment). When addressing the Board, please state your name for the record. Please address the Board as a whole through the Chair. Please note comments to individual Board members or staff are not permitted when addressing the Board. A speaker’s comments shall be limited to three (3) minutes.

1. Call to Order

2. Safety Briefing

3. Pledge of Allegiance

4. Roll Call

5. Public Comment

6. REGULAR CALENDAR

6.A Approval of the Meeting Minutes - January 8, 2021 Executive Committee

It is recommended that the Committee approve the Minutes of the January 8, 2021 Executive Committee Meeting.

6.B Adoption of Integrated Digital & Technology Services (IDTS) Policies

Recommendation for approval is needed to address recent corrective action findings, modernize policies, and reflect internal realignment.

It is recommended that the Committee recommend the Board adopt IDTS Policies (Attachment A) comprising:

IDTS-1 – Business Continuity Policy
IDTS-2 – Acceptable Use Policy
IDTS-3 – Change Management Policy
IDTS-4 – Asset Management Policy
IDTS-5 – IDTS Security Policy
IDTS-6 – IDTS Governance Policy
IDTS-7 – IDTS Data Center and Colocation Policy

There is no budgetary impact as a result of this report.

6.C Small Business Partnership Policy

Consistent with Contract and Procurement Policies approved by the Board in November 2019 and the Recovery Plan “New Normal” Framework approved by the Board in September 2020, staff has developed a Small Business Partnership Policy that allows for the agency to develop and implement a local Small Business Partnership Program (SBPP) that is separate and distinct from Metrolink’s Disadvantaged Business Enterprise (DBE) program and increases access to Metrolink procurements for all businesses.

It is recommended that the Committee recommend the Board approve the addition of a Small Business Partnership Policy (Attachment A) to the Procurement and Contracts Policy.

There is no budgetary impact as a result of adopting the Small Business Partnership Policy.

6.D Promotional Fares for COVID-19 Vaccinated Riders

At its meeting on January 8, 2021, the Executive Committee directed staff to research the feasibility of offering free or discounted rides on a temporary basis for those who have been vaccinated against COVID-19. Staff agreed to report back to the Committee at its February meeting.

The Committee may receive and file this item.

6.E Metrolink's Locomotive Fleet Modernization Study Update

The Metrolink Locomotive Fleet Modernization Study (Fleet Study) is nearing completion. The Fleet Study will provide cost estimates and benefits to modernize Metrolink’s locomotive fleet. Once completed, the Fleet Study will provide a range of options for the overhaul of the MP36 fleet as well as zero emission transition concepts. The results will be used to support Metrolink’s effort to justify and secure both internal funds and potential external grants which may become available in 2021. Given the recent executive orders issued at the State and Federal level, staff is providing a status update on the Fleet Study.

The Committee may receive and file this report.

6.F February Legislative Update

Staff will provide an update on current legislative affairs.

The Committee may receive and file this report.

6.G Quarterly Compensation Report 2nd Quarter FY21 - October 1, 2020 through December 31, 2020

In compliance with HR Policy No. 2.1, Wage and Salary Administration – Salary Program Administration, staff is required to make quarterly and annual reports to the Board on compensation matters.

The Committee may receive and file the report.

6.H External Disadvantaged Business Enterprise (DBE) and Labor Compliance Services

This report is an update on the External Disadvantaged Business Enterprise and Labor Compliance Services bench contract.

The Committee may receive and file this report.

6.I FY2020-2021 Marketing Update - Quarter Ending December 31, 2020 and Upcoming Q3 2020-2021 Programs and Campaigns

Staff is updating the Board on Marketing activities for FY 2020-21 for the Quarter ending December 31, 2020, and upcoming activities in Q3 2020-2021.

The Committee may receive and file this report.

7. Chief Executive Officer's Report

8. Committee Members' Comments

9. Chair's Comments

10. ADJOURNMENT

ITEM 6.A

ITEM ID: 2020-217-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Collette Langston, Board Secretary

SUBJECT: Approval of the Meeting Minutes - January 8, 2021 Executive Committee

Recommendation

It is recommended that the Committee approve the Minutes of the January 8, 2021 Executive Committee Meeting.

Prepared by: Collette Langston, Board Secretary

Approved by: Noelia Rodriguez, Chief of Staff
Don Del Rio, General Counsel

Attachment(s)

Attachment A - 1.08.21 ECOM Minutes

MINUTES OF THE EXECUTIVE COMMITTEE MEETING Friday, January 8, 2021

BOARD MEMBERS/ALTERNATES IN ATTENDANCE VIA ZOOM or TELECONFERENCE:

COUNTY            MEMBER                           VOTES
Los Angeles:      Ara Najarian (Chair)             1 vote
San Bernardino:   Larry McCallon (Vice-Chair)      1 vote
Orange:           Doug Chaffee (2nd Vice-Chair)    1 vote
Riverside:        Brian Berkson                    1 vote
Ventura:          Brian Humphrey                   1 vote

STAFF/PRESENTERS:
STEPHANIE N. WIGGINS, Chief Executive Officer
DON O. DEL RIO, General Counsel
MONICA BOULDIN, Director, Marketing and Partnerships
LISA COLICCHIO, Director, Special Projects
RODERICK DIAZ, Director, Planning and Development
JEFFERY DUNN, Director, Government Relations
HENNING EICHLER, Market Insights and Analytics Manager
DON FILIPPI, Chief, System Safety, Security and Compliance Officer
GEOFFREY FORGIONE, Associate General Counsel
NOELIA RODRIGUEZ, Chief of Staff
COLLETTE LANGSTON, Board Secretary

Meeting minutes are prepared in a format that corresponds with the Executive Committee Meeting Agenda, which is incorporated by reference with these minutes. Executive Committee Agendas are available online at www.metrolinktrains.com under the Meetings and Agendas link or from the Board Secretary at (213) 452-0255.

1. Call to Order

The January 8, 2021 Executive Committee Meeting was called to order by Chair Najarian who presided over the meeting at 10:04 a.m. at the Metrolink Headquarters Building, Riverside Conference Room, 12th Floor at 900 Wilshire Blvd, Los Angeles, CA 90017.

2. Safety Briefing

Don Filippi, Chief, Safety, Security and Compliance Officer conducted the safety briefing.

Chair Najarian asked when transportation employees will be eligible for the vaccination to which Mr. Filippi responded that Metrolink employees and contractors are in the Phase 2B category.

3. Pledge of Allegiance

Chair Najarian led the group in the pledge of allegiance.

4. Roll Call

The Board Secretary called roll and confirmed that a quorum of the Committee was present.

5. Public Comment

Chair Najarian called on members of the public who requested to speak.

The Board Secretary confirmed no requests were received.

6. REGULAR CALENDAR

6.A Approval of the Meeting Minutes - December 11, 2020 Executive Committee

ACTION: Upon a motion by Director Humphrey and seconded by Vice-Chair McCallon, the Committee approved the minutes. There was no opposition and the motion passed unanimously.

6.B Strategic Business Plan/Short Range Transit Plan (SBP/SRTP) - Final Draft Report

Roderick Diaz, Director, Planning and Development, provided a brief background on this item as detailed in the staff report and requested approval of staff’s recommendation.

Chair Najarian asked to what extent we have ambassadors or concierges to assist passengers on the platforms. Ms. Wiggins responded that this concept was suggested in 2020 by Mary Reimer, Director of Customer Experience, for our busiest hubs but unfortunately was put on the back burner because of COVID-19. Chair Najarian followed up that it is a good idea and is a way to shine a light on our brand for permanent riders. Ms. Wiggins agreed, commenting that we tried to use digital media as leverage in the interim.

ACTION: EXECUTIVE COMMITTEE RECOMMENDED (5-0) the Board adopt the Strategic Business Plan / Short Range Transit Plan.

6.C Title VI Review for Fare Policy Changes (5-Day Flex Pass & Kids Ride Free on Weekends)

Henning Eichler, Market Insights and Analytics Manager, provided a brief background on this item as detailed in the staff report and requested approval of staff’s recommendation.

Director Berkson requested clarification about the cost of going through the process to bring these into our general fares. If we can have these special fares for 6 months, then maybe we can replace these with a different type of discounted fare. He suggested a discounted fare for people who have been vaccinated. Mr. Eichler responded that the direct cost for outreach is minimal because the community meetings will be virtual, but that they are still compiling the data regarding the staff time.

Chair Najarian added that he feels frustrated about this because we are offering a discounted fare program to the public across the board and Title VI requires us to do a fare equity analysis. He said we saw from the Line fare reduction that a reduction in fares does drive ridership in many cases to offset the reduction. It is a good idea for the agency to explore creative fare reduction methods.

Second Vice-Chair Chaffee expressed his concurrence with the concept of rewarding people that have been vaccinated, adding vaccine hesitancy issues exist and if we reward people who have been vaccinated then it would give people confidence that others that are riding are safe.

Chair Najarian asked for a report back during the next Committee cycle.

Vice-Chair McCallon agreed that the idea is good, but the logistics may be overwhelming.

ACTION: EXECUTIVE COMMITTEE RECOMMENDED (5-0) the Board approve the initiation of the public comment period for the Title VI analysis of the Kids Ride Free on Weekends and the 5-Day Flex Pass fares.

6.D 2021 Legislative Program

Jeff Dunn, Director, Government and Community Relations, provided a brief background on this item as detailed in the staff report and requested approval of staff’s recommendation.

Director Humphrey said there are many things that we should talk about because there are many things that we consider eternal or sacrosanct, which is rightfully Title VI. It might be time to consider looking at Title VI through legislation with regards to how it applies to lowering fares.

Chair Najarian agreed with Director Humphrey, adding that with other agencies and APTA our voices can be amplified to alleviate some of the burdens that have been on us for so long.

ACTION: EXECUTIVE COMMITTEE RECOMMENDED (5-0) the Board adopt the 2021 Federal, State and Local Legislative Program.

6.E SoCal Explorer Rewards Program Partner Update

Monica Bouldin, Director, Marketing and Partnerships, provided a brief background on this item as detailed in the staff report.

Vice-Chair McCallon said this is a great program, especially for small businesses suffering during this pandemic; it is a win-win.

Director Humphrey asked if there are certain guidelines that staff has for who we will partner with to which Ms. Bouldin responded that we will not partner with alcohol or cannabis businesses, adding there is an entire list of guidelines for who we will partner with throughout Southern California.

Chair Najarian asked for a typical example of a partnership benefit. Ms. Bouldin explained that we have a list of businesses, we reach out to the owner, give a short presentation explaining the program, give examples of what they can offer such as percentages off or buy-one-get-one free, then promote one another on each other’s digital media accounts.

EXECUTIVE COMMITTEE received and filed this report.

6.F Sustainability Initiatives Update

Lisa Colicchio, Director, Special Projects, provided a brief background on this item as detailed in the staff report.

Vice-Chair McCallon expressed concerns about criteria pollutants because those are the ones that really affect the health of the people along our routes and in our disadvantaged communities. The State’s emphasis is on greenhouse gas reduction, but we’ve really got to reduce NOx and particulate matter 2.5. He asked to include a chart with those in the next update.

Chair Najarian asked if the renewable diesel pilot uses biodiesel collected from food preparation sources. Ms. Colicchio responded that it is from a number of sources but primarily from all-natural plant and animal sources. Chair Najarian requested that these sources are included in the next update, including whether renewable diesel contributes to 2.5 particulate matter and NOx to the same extent as regular diesel.

EXECUTIVE COMMITTEE received and filed this report.

6.G January Legislative Update

Jeff Dunn, Director, Government and Community Relations, provided a brief background on this item as detailed in the staff report.

EXECUTIVE COMMITTEE received and filed this report.

7. Chief Executive Officer's Report

- Policy Issues, How We Work Because of COVID-19
- Strategic Business Plan
- Fare Policy Updates
- Federal Advocates Virtual Meeting in January

8. Committee Members' Comments

Director Humphrey congratulated the Committee for moving forward with the strategic business plan which offers us great hope for the future. He also clarified that he does support Title VI and the philosophy behind it. His previous suggestion was merely to look at legislative relief related to things that may constrict us in the world we have right now. Lastly, he commented on the vaccination plan. He’s been on the forefront with the fire department and has seen the challenges that organizations have had, even the best organizations. It is up to us to have our employees prioritized for the vaccinations and that they do not leave with unused doses.

Vice-Chair McCallon inquired if the virtual meeting with the advocates will be public so he can attend. Ms. Wiggins responded that she believed he would be able to attend, and Don Del Rio, General Counsel, confirmed that although between Chair Najarian and Vice-Chair McCallon there are 6 votes, they only represent 2 counties and so there would not be a quorum issue.

9. Chair's Comments

Chair Najarian confirmed that the agency fully respects the goals of Title VI analyses. His previous comments were about the paradox of permanently lowering fares across the board and how this still requires an analysis. In addition, he mentioned that it is a bit frustrating that the top 3 officers of the Board cannot legislate together due to the Brown Act violation it would create. He thinks that we are bottoming out on the ridership decline with the vaccine on the horizon. Businesses will be getting back up to speed so let’s use this as an opportunity to capture the ridership we had before to make a great comeback.

10. ADJOURNMENT

There being no further business for consideration by the Committee, the meeting was adjourned at 10:59 a.m.

Prepared by,

Collette Langston Board Secretary

ITEM 6.B

ITEM ID: 2020-214-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: Adoption of Integrated Digital & Technology Services (IDTS) Policies

Issue

Recommendation for approval is needed to address recent corrective action findings, modernize policies, and reflect internal realignment.

Recommendation

It is recommended that the Committee recommend the Board adopt IDTS Policies (Attachment A) comprising:

IDTS-1 – Business Continuity Policy
IDTS-2 – Acceptable Use Policy
IDTS-3 – Change Management Policy
IDTS-4 – Asset Management Policy
IDTS-5 – IDTS Security Policy
IDTS-6 – IDTS Governance Policy
IDTS-7 – IDTS Data Center and Colocation Policy

Strategic Commitment

This report aligns with the Strategic Business Plan commitments of:

Safety is Foundational: We will stay on the leading edge by deploying new technologies and processes to enhance the safety and security of our riders, our fellow employees, and the communities we serve. The policies set forth implement what constitutes allowable, necessary, and reasonable business practices to safeguard the Authority's technology infrastructure.

Modernizing Business Practices: We will improve our operational efficiency through transparency, objective metrics and streamlined governance, reducing over-reliance on subsidy while bringing our system into a state of good repair and investing in the development of our employees. The policies document continues to separate procedures from policies while incorporating best practices through the streamlining process.

Background

In April 2020, the Board received and filed Internal Audit’s cybersecurity findings on Positive Train Control Network Control Operations (PTC NCO). PTC NCO has since adopted Internal Audit’s recommendations, which the policies document reflects (see Attachment A). In addition, in September 2020 the CEO established the new business unit IDTS, under the leadership of Melvin Lee, the Chief Technology Officer, which brings together IT, PTC NCO, and Fare Collection Services (FCS). As a result, the policies document also reflects this realignment by rebranding the former IT Policies as IDTS Policies.

Discussion

The changes in the policies document were made with the following goals:

- Implement Internal Audit recommendations pursuant to findings received and filed by the Board in April 2020.
- Rebrand and generalize the policies document to reflect the new IDTS business unit.
- Expand the policies document to include FCS and PTC NCO, where applicable.

Budget Impact

There is no budgetary impact as a result of this report.

Next Steps

These policies will go into effect upon approval by the Board.

Prepared by: Melvin Lee, Chief Technology Officer
Sasank Kuditipudi, IT Architect II (Train Control Systems)
Kihanya Mucheru, Train Control Network Engineer
Michael Rodriguez, Senior Manager, Train Control Systems
Sam Wong, IT Manager

Approved by: Melvin Lee, Chief Technology Officer

Attachment(s)

Attachment A - IDTS Policies (Redlined)

Attachment A - IDTS Policies (Clean)

Integrated Digital & Technology Services Policies

Table of Contents

Introduction
IDTS-1 – Business Continuity Policy
IDTS-2 – Acceptable Use Policy
IDTS-3 – Change Management Policy
IDTS-4 – Asset Management Policy
IDTS-5 – IDTS Security Policy
IDTS-6 – IDTS Governance Policy
IDTS-7 – IDTS Data Center and Colocation Policy

IDTS-1 – Business Continuity Policy Page 3

Introduction

The Southern California Regional Rail Authority (SCRRA) Integrated Digital & Technology Services (IDTS) policies provide the innovative framework for the selection and use of technology within the Agency. The policies are centered around creating a technical environment that optimizes both internal and external users’ experience through sound policy best practices.

The IDTS business unit consists of the following departments. Any deviations, exceptions or additions to IDTS policies will explicitly be indicated for the appropriate department(s) within the policy documents:

- Fare Collections Services (FCS) – ensures a seamless ticket purchase experience; designed and executed the new Ticket Vending Machine (TVM) installations; implements new features, fare products and changes to ticket pricing for paper and mobile tickets.
- Information Technology (IT) – ensures that Information Technology solutions and supporting technologies are available, secure and reliable. IT supports computer centers and operations at all agency facilities, with a primary business data center at the Dispatch and Operations Center (DOC) in Pomona and a secondary data center in Las Vegas. IT consists of the following three teams:
  1. Application Systems – manages all business applications such as Financial Information Systems, Asset Management Systems, Customer Relationship Management Systems, Business Intelligence Systems, and Content Management Systems.
  2. Infrastructure Systems – manages all infrastructure assets which include email and user accounts, administration of SCRRA’s cloud productivity and licensing environment, Storage Area Network (SAN), servers, firewalls, switches, routers, and cybersecurity tools such as antivirus and antispam.
  3. End-user Services – manages all end-user needs such as setup, maintenance, provisioning, and configuration of desktops, laptops, mobile phones, desk phones, user accounts, conference rooms, and output peripherals such as printers, plotters and fax machines.
- Positive Train Control Network Control Operations (PTC NCO) – responsible for design, installation, maintenance, and retirement of Metrolink Operations’ Network and Infrastructure in support of dispatch and train control operations. PTC NCO also serves as Tier 2/3 Support to the PTC Helpdesk for Dispatch and Field Applications, PTC Backoffice Applications and PTC Business Applications.

SCRRA will keep all IDTS policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies or add new policies.

Any suggestions, recommendations or feedback on the policies are welcomed.

Revision Number   Effective Date   Description of Changes
1                 07/28/20         Initial version
2                 02/26/21         In all sections, the Positive Train Control Network Control Operations (PTC-NCO) policies are included within the Integrated Digital & Technology Services business unit due to a re-organization.


IDTS-1 – Business Continuity Policy Page 5

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Business Continuity Policy NO. IDTS – 1

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 (supersedes July 28, 2020) REVISION: 10.0 (supersedes 9.0)

PURPOSE

The purpose of this policy is SCRRA’s continuity of business: to establish an innovative and governed framework for the use of technology to safeguard SCRRA’s information assets, prevent loss of data due to accidental deletion or corruption, and facilitate timely restoration of information and business processes should a system failure occur. This policy includes details on data backup, data retention, data destruction, colocation, disaster recovery and the proper communication channels and escalations.

APPLICATION

This document applies to all Southern California Regional Rail Authority (SCRRA) entities, employees, contractors and third parties who use computing devices connected to the SCRRA network to process or store SCRRA owned data.

POLICY STATEMENT

It is the policy of SCRRA to maintain business continuity by ensuring IDTS resources are always accessible in the event of system failure or data corruption. Resources include: the network; servers; applications; databases; data and computers.

It is the responsibility of SCRRA to identify and protect data in the organization to ensure it can be recovered or restored in the event it is deleted, lost or corrupted. There are various locations that hold SCRRA owned data that must be backed up according to the IDTS backup procedure. These locations include:

- 2704 North Garey Avenue, Pomona, CA 91768 (DOC)
- 2558 Supply Street, Pomona, CA 91767 (MOC)
- 2700 Melbourne Avenue, Pomona, CA 91768 (MSF)
- 7375 Lindell Road, Las Vegas, Nevada 89139 (Switch co-location “CL1”)
- Microsoft Azure Cloud (US-West and US-West1)

SCRRA IDTS is responsible for the following:

- Production data residing on servers such as databases and file servers must be backed up regularly and have replicated copies stored at an alternate location; see the Data Backup and Retention section for details.
- Production data backups must be retained for a period of time; see the Data Backup and Retention section for details.
- Production data backup restoration must be routinely tested.
- Having a Disaster Recovery Plan and Procedures document readily available to execute, which must be tested at least annually; the procedure must include the following details:
  - Authorized personnel that can declare a disaster
  - Roles and responsibilities of IT and PTC NCO staff during a disaster
  - Recovery Time Objective (RTO)
  - Recovery Point Objective (RPO)
  - Recovery test history
  - Procedure document revision history
- Protect against equipment failure, intentional destruction of data, or disaster.

1.0 DATA BACKUP AND RETENTION

To prevent loss of data due to accidental deletion or corruption, SCRRA’s information asset(s) stored on any server hosted by SCRRA IDTS, whether onsite or remote, must be backed up and replicated at a colocation no less than this schedule:

Data Classification        Minimum Frequency                                   IT Minimum Retention   PTC NCO Minimum Retention
Virtual machine template   Upon system change                                  2 copies kept          2 copies kept
File and print server      Daily                                               3 months               Current Year + 2 Years
SQL database               Daily                                               2 weeks                Current Year + 2 Years
Oracle database            Daily and monthly                                   2 weeks & 3 months     N/A
Other server               Varies based on criticality and data change rate    1 month                Current Year + 2 Years
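A schedule like the one above is only useful if someone checks the backup catalog against it. The following Python script is an added example, not part of the policy or of SCRRA's own tooling: it audits a constructed backup inventory against the IT column of the table (newest-copy age, gaps between copies, oldest retained copy, and the presence of a colocation replica, which the policy statement requires). The server names, the catalog record format and the day counts assigned to "Daily", "2 weeks", "1 month" and "3 months" are assumptions; the "Upon system change" and "varies" rows are not time-based and are not encoded.

```python
from datetime import date, timedelta

# IT column of the IDTS-1 backup schedule, transcribed for the audit. Day counts are
# assumptions: "Daily" = 1, "2 weeks" = 14, "3 months" = 90. The monthly Oracle copies
# (3-month retention) are not modelled here; only the daily copies are checked.
IT_SCHEDULE = {
    "file_and_print":  {"frequency_days": 1, "retention_days": 90},
    "sql_database":    {"frequency_days": 1, "retention_days": 14},
    "oracle_database": {"frequency_days": 1, "retention_days": 14},
}


def audit_backups(catalog, schedule, today):
    """Check a backup catalog against the schedule.

    catalog: list of dicts with keys server, cls, date (datetime.date) and
    colocation_replica (bool). Returns a list of (server, finding) tuples;
    an empty list means every server meets the minimum schedule.
    """
    findings = []
    by_server = {}
    for entry in catalog:
        by_server.setdefault((entry["server"], entry["cls"]), []).append(entry)

    for (server, cls), entries in by_server.items():
        rule = schedule.get(cls)
        if rule is None:
            findings.append((server, f"no schedule defined for class '{cls}'"))
            continue
        dates = sorted(e["date"] for e in entries)
        interval = timedelta(days=rule["frequency_days"])

        # Frequency: the newest copy must be within one interval of today, and no
        # two successive copies may be more than one interval apart.
        if today - dates[-1] > interval:
            findings.append((server, f"newest copy is {(today - dates[-1]).days} days old"))
        for older, newer in zip(dates, dates[1:]):
            if newer - older > interval:
                findings.append((server, f"gap of {(newer - older).days} days between {older} and {newer}"))

        # Retention: a copy at least retention_days old must still exist. A server
        # younger than the retention period also trips this check, so treat it as a
        # review item rather than proof of premature deletion.
        oldest_age = (today - dates[0]).days
        if oldest_age < rule["retention_days"]:
            findings.append((server, f"oldest copy is {oldest_age} days old; minimum retention is {rule['retention_days']} days"))

        # Replication: the policy requires replicated copies at the colocation.
        missing = sum(1 for e in entries if not e["colocation_replica"])
        if missing:
            findings.append((server, f"{missing} copies lack a colocation replica"))
    return findings


def build_sample_catalog(today):
    """Constructed catalog for three fictitious servers (not real SCRRA data)."""
    catalog = []
    # FS01: daily copies for 100 days, all replicated -> meets the schedule.
    for n in range(100):
        catalog.append({"server": "FS01", "cls": "file_and_print",
                        "date": today - timedelta(days=n), "colocation_replica": True})
    # SQL01: daily for 20 days but three consecutive days missing -> frequency gap.
    for n in range(20):
        if n not in (5, 6, 7):
            catalog.append({"server": "SQL01", "cls": "sql_database",
                            "date": today - timedelta(days=n), "colocation_replica": True})
    # ORA01: daily for 30 days but never replicated off-site -> replication finding.
    for n in range(30):
        catalog.append({"server": "ORA01", "cls": "oracle_database",
                        "date": today - timedelta(days=n), "colocation_replica": False})
    return catalog


def run_sample_audit(today=date(2021, 2, 12)):
    """Audit the constructed catalog as of the given date (default: this meeting date)."""
    return audit_backups(build_sample_catalog(today), IT_SCHEDULE, today)


if __name__ == "__main__":
    for server, finding in run_sample_audit():
        print(f"{server}: {finding}")
```

Run against a real catalog, the same four checks map directly onto the policy's bullets: frequency and retention to the table, replication to "replicated copies stored at an alternate location". A restore-test history, which the policy also requires, is not visible in a backup catalog and has to be tracked separately.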

2.0 DATA DESTRUCTION

SCRRA data residing on any hardware storage needing to be decommissioned will require a certificate of the actual physical destruction of the hardware or proper data wipe using industry standards.

3.0 COLOCATION

The colocation environment is a secondary environment that plays a critical role in SCRRA IDTS’s business continuity plan. Its equipment and configuration mirrors the primary data center. For more information please see Data Center and Colocation Policy.

4.0 DISASTER RECOVERY

SCRRA IDTS must maintain a Disaster Recovery Procedure document and have it tested at least annually for accuracy, with revisions as needed.

5.0 COMMUNICATIONS AND ESCALATIONS

The Disaster Recovery Procedure document must identify the specific communication and escalation channels, but in essence should include the following:

- Authorized IDTS personnel that can declare a disaster.
- Communicate disaster details such as impact, data loss (if any) and estimated recovery time to the Chief Technology Officer.
- The Chief Technology Officer will share necessary details with the Executive Leadership Team.
- IDTS will communicate information and periodic updates to staff.

EXCLUSIONS

Data that is not backed up includes all data not listed in this policy such as:

- Data contained on users’ Microsoft OneDrive or other cloud-based storage
- Data contained on any type of removable media (i.e., flash drive, external hard drive, CD/DVD)
- Data stored locally (i.e., laptop, desktop, tablet, mobile phone, etc.)
- Data contained on servers not managed by the IDTS Department

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

None

POLICY HISTORY

April 17, 2017 – New Policy and Procedures document approved
April 4, 2019 – Backup policy updated to include co-location facility and indicate minimum backup frequencies
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals

Chief Technology Officer
Legal Counsel
Chief Executive Officer


IDTS-2 – Acceptable Use Policy Page 9

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Acceptable Use Policy NO. IDTS – 2

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 (supersedes July 28, 2020) REVISION: 10.0 (supersedes 9.0)

PURPOSE

The purpose of this policy is to establish guidelines and responsibilities for the acceptable use of Southern California Regional Rail Authority (SCRRA) information, technology assets and resources as defined herein.

APPLICATION

This policy applies to all users of SCRRA information resources, including employees, temporary employees, consultants and contractors. The policy also applies to IDTS staff responsible for system administration duties. Contractors may be subject to additional provisions in accordance with SCRRA and Contractor Agreements.

POLICY STATEMENT

SCRRA information resources are provided to establish an innovative and governed framework to allow for and use of technology to streamline processes for SCRRA users. The innovative framework will allow users to easily perform their assigned business function and promptly locate, access and retrieve information within a safe and reliable networked environment.

SCRRA information resources are purchased with public funds and are the property of SCRRA. SCRRA information resources are intended for legitimate, business-related purposes only. Information resources include all computer hardware, software, communication facilities, telephones, cellular phones, pagers, radios, electronic messaging systems, personal digital assistants, applications, information and data – regardless of format, storage method, type, size and location – used to support the operation of SCRRA and its contractors. The policy also applies to internet access provided by SCRRA.

Each company user is individually obligated to protect all SCRRA resources and information in accordance with this policy and should any questions or concerns arise, to inform his or her immediate supervisor, Human Resources, IT, PTC NCO or the Legal Department, as needed.

SCRRA retains sole ownership rights to its information resources. Users do not have a personal privacy right in the messages or information stored in SCRRA information resources, including messages created or received via e-mail, paging or voice mail systems, digital transmissions using SCRRA networks and equipment except as allowed by law. Without prior notification to the user, SCRRA reserves the right to access, review, retrieve, modify, suspend, delete, remove, move, archive, encrypt, unencrypt and make lawful use of any and all electronic information that is created, received, copied, stored or transmitted in whatever format on its information resources as may be required for business needs.

1.0 General Access and Use

The following activities are strictly prohibited, with no exception. The list below is by no means exhaustive but is an attempt to provide a framework for activities which fall into the category of unacceptable use or conflict with management's ability to provide a computing environment that is controlled and secured. The following is also intended to enhance the productivity of all users.

- Accessing, viewing, or distributing inappropriate or pornographic material.
- Online gambling, including real-time gambling sites as well as other sites that allow for the ability to place wagers.
- Online gaming such as live interactive games, peer-to-peer games, or games that are based off external websites.
- Accessing any website that allows access to peer-to-peer network sharing of music files, movies, programs, or other information.
- Downloading or installing any unauthorized programs or files from the internet.
- Listening to or viewing, for any non-business-related activity, any live or real-time streaming media files.
- Unauthorized port scanning, network probing or security scanning.
- Uploading or downloading personal or company information from any Internet-based personal network storage and backup sites, unless specifically authorized by IDTS. Examples would be Box.com, Xdrive.com, Dropbox.com, Snapfish.com, Shutterfly.com, or other externally hosted sites.
- Connecting any personal devices to network ports or computers at any SCRRA facility without prior authorization from IDTS.
- Posting business-related information on publicly accessible information systems, websites, social networking and blogging sites unless approved by management and/or posted by appointed staff only.
- Transmitting or forwarding unprofessional or unsolicited commercial or personal electronic mail, including chain email.
- Sharing of individual passwords and credentials used for accessing systems.
- Excessive time on the internet not related to authorized business function.
- Unauthorized use or reproduction of copyrighted software and use of unlicensed software or hardware.
- Attempting to access the information systems, files or directories of other users without proper authorization and a clear business purpose.

2.0 Acceptable Use of Personally Identifiable Information (PII)

- PII for Customers (e.g. Names, Addresses, Credit Cards, Emails, Phone Numbers), Vendors, Employees, Contractors and government officials associated with SCRRA will be protected, secured and used as authorized for business purposes only and by authorized staff and contractors.

3.0 Monitoring

- When using SCRRA assets or devices, employees and contractors should have no expectation of privacy for any information they store, send, receive, or access via the company network. Content monitoring of email, internet traffic, encrypted login credentials and other forms of digital transmission may occur preemptively by digital agents, spam filters and other mechanisms to ensure viruses and malware are not carried in digital transmissions.
- Other monitoring, including but not limited to internet activity, email content, volume or size, and other forms of electronic data exchange, may occur in response to authorized requests from chiefs or the Office of the Legal Counsel.
- SCRRA-issued mobile phones are equipped with Mobile Data Management tools to monitor acceptable use, limit the applications installed on the phone and prevent data theft.

4.0 Termination

- At the termination of employment or contract, the employee or contractor shall return all SCRRA-issued equipment to IT, PTC NCO or HR. Failure to do so may result in SCRRA holding the employee or contractor liable for the replacement cost of the unreturned equipment.

All authorized users must adhere to SCRRA policies and procedures related to information resources and all applicable federal, state and local laws, statutes and regulations governing electronic communications. Employees who violate this policy may be subject to disciplinary action in accordance with the Positive Discipline® Policy (HR–5.3). Violations of this policy by contractors or consultants may result in termination of the users' access or other actions as the contract may allow. Some intentional actions that violate these policies may constitute computer crimes and may result in criminal and/or civil liability.

POLICY HISTORY

March 26, 2004 – New Policy and Procedures document approved
October 3, 2011 – Revised (ADM 6 updated and renamed IT-2)
November 13, 2019 – Separated Procedures from Policy & updated Policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy, which is now known as the IDTS Policy

Approvals: Chief Technology Officer, Legal Counsel, Chief Executive Officer


IDTS-3 – Change Management Policy Page 13

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Change Management Policy NO. IDTS – 3

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 (supersedes July 28, 2020) REVISION: 10.0 (supersedes 9.0)

PURPOSE

The purpose of this policy document is to describe the policies and procedures employed to track and approve modifications (changes) to enterprise IDTS systems, technologies and supporting infrastructure and solutions.

APPLICATION

This policy applies to all Southern California Regional Rail Authority’s (SCRRA) entities, employees, contractors, and third parties who request changes, upgrades, or modifications to the IDTS production environment. This Policy also applies to any event that may alter the normal operating procedures and/or any change that may affect one or more of the production environments that the SCRRA network users and customers rely on to conduct normal business operations.

POLICY STATEMENT

It is the policy of SCRRA to establish an innovative and governed framework that allows for the use of a Change Management policy to support users dependent on the network, client machines, administrative systems and application programs. From time to time changes occur, both planned and unplanned, that may have an impact on the normal operations of information technology systems, train control systems and the underlying infrastructure supporting these systems. Managing these changes is a critical part of providing a robust and reliable information resources infrastructure.


Changes require planning to consider their impact on users and SCRRA. Careful monitoring and follow-up evaluation must be part of the planning process to reduce any negative impacts that may result from the change process. It is the intent of this policy to manage changes in a rational and predictable manner so that management and staff can plan accordingly. This policy is designed to control and document changes made to the software, configurations, databases, hardware, networking components and other elements that support a production application (collectively known as the IDTS Environment). Notable changes requiring Change Management are:

- Installation, removal, configuration, reconfiguration, patches and updates of infrastructure hardware on the SCRRA network.
- Standard maintenance on servers (e.g. server operating system security patches).
- Enterprise application updates, upgrades, deployments, patches, and reconfigurations.
- Group policy deployments.

Changes described above are subject to the following:

1.0 Timing of Changes

- IT will have a 24-hour window each weekend for system maintenance where most changes will be implemented. Systems and services impacted or unavailable during this maintenance window will be communicated to all impacted users at least 3 (three) business days prior to performing the change.
- PTC NCO will perform system maintenance quarterly during windows of time that do not interfere with train operations.
- Additional windows for system maintenance for urgent, small changes or changes requiring more than 24 hours can be requested outside of business hours at a mutually agreed upon time between IDTS and the impacted users.
- Emergency changes that impact business continuity can be made during business hours after approval from:
  o Head of the responsible IDTS Department or their designee
  o Chief or their designee of impacted group(s)

2.0 Approval of Changes

- All changes must be tested and approved prior to the change, either by the requesting user department for business-related changes or by an IDTS Manager or above for non-business-specific changes such as infrastructure and security.
- All changes relating to rail safety, rail security and/or rail interoperability must follow the SCRRA PTC Safety Plan.


3.0 Change Management Environments

- A minimum of 2 environments, Production and Development, and optionally a Quality Assurance (QA) and/or User Acceptance Testing (UAT) environment, must be established for each application system. Changes must first be developed and tested in the Development environment, then migrated to the QA and/or UAT environment, and finally to the Production environment after securing the approvals for the change. A provision for falling back to the current version in the event that the new version experiences unforeseen issues must be planned for every change.
- If establishing multiple environments is not practicable and changes are implemented directly in the production environment, change management will include a test in the production environment to ensure the change functions as desired. A provision for reversing the change in the event that the new version experiences unforeseen issues must be planned for every change.
- Source code and configuration files supporting the Agency's information systems must be under version control for proper tracking of changes and for contingency planning.

4.0 Recording of Changes

- Each change must be recorded in a Change Management request that describes the nature and purpose of the change, and the change ticket must be approved by a Manager or higher within the IDTS departments.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

1) Site HelpDesk Overview Guide
2) IDTS-5 Security Policy
3) IDTS-2 Acceptable Use Policy
4) SCRRA PTC Safety Plan

POLICY HISTORY

March 21, 2008 – New Policy and Procedures document approved
October 2, 2011 – Policy revised and expanded
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy, which is now known as the IDTS Policy

Approvals: Chief Technology Officer, Legal Counsel, Chief Executive Officer


IDTS-4 – Asset Management Policy Page 17

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Asset Management Policy NO. IDTS – 4

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 (supersedes July 28, 2020) REVISION: 10.0 (supersedes 9.0)

PURPOSE

The purpose of this policy document is to describe the policies employed to manage the acquisition, use, assignment, release and disposal of IDTS Assets that include, but are not limited to, computers, software, single user applications, multiple user applications, network applications, databases and other network attached hardware or software used by the Southern California Regional Rail Authority’s (SCRRA) employees, temporary workers and contractors.

In establishing this Policy, SCRRA expects to improve asset utilization by preventing loss, managing usage, maintaining compliance, assuring availability and identifying and removing problem and dormant assets. Compliance with this policy will:

- Maximize asset operability and service life;
- Avoid redundant maintenance and warranty coverage;
- Fulfill SCRRA's legal, statutory and audit requirements for hardware and software;
- Facilitate the management of planning, acquiring and disposal tasks for hardware and software.

SCRRA-owned computing and communications equipment is assigned to employees, temporary employees and contractors for company business only. While employees and contractors may return their equipment directly to IT or PTC NCO as applicable, hiring managers are ultimately responsible for the collection and return of equipment to the Information Technology Department (IT) and PTC Network Control Operations (NCO) immediately after any user is terminated or reassigned, voluntarily or involuntarily. Computing equipment is assigned only to a designated user or usage by IDTS, which is responsible for the inventory and control of this equipment.

APPLICATION

The Policy applies to all SCRRA entities and third parties who use computing devices or data owned by SCRRA.

POLICY STATEMENT

Assets acquired for, or on behalf of, SCRRA are wholly owned by SCRRA. It is the policy of SCRRA to establish a governed framework that allows for the use of innovative procedures to maintain accurate records of assets whose value and useful life impact the overall operation of SCRRA. The policy is as follows:

- Equipment Request – all new equipment requests exceeding a value of $100 must be submitted using an Equipment Request Form (ERF) from the appropriate IDTS Department(s) and are subject to availability of budget funding.
- Equipment Acquisition – all IDTS hardware and software are purchased consistent with established procurement policies. All equipment exceeding a value of $500 must have an asset tag and be tracked in the Asset Management Solution.
- Equipment Disposal – all IDTS hardware and software to be disposed of will be handled in accordance with established procurement policies. SCRRA data residing on any storage hardware being disposed of will require a certificate of the actual physical destruction of the hardware or a proper data wipe using industry standards.
- Equipment Assignment and Release – all assigned and unassigned equipment with asset tags must be reflected in the Asset Management Solution System to ensure accurate tracking of assets.
- Equipment Management – Hardware and software assets must comply with federal and state regulations, as well as applicable licensing and copyright laws. Software license assignment and renewal information will be maintained.
- Loaned Equipment – IDTS equipment that is loaned or temporarily assigned to users does not require updates to the Asset Management Solution System but instead will be tracked in the Helpdesk Ticketing System.
- Lost or Stolen Equipment – any lost or stolen IT equipment must be reported to IDTS immediately. The user of lost or stolen equipment may be held liable for its replacement value at the sole discretion of IDTS. Replacement chargeback may be excused with proof of a police report.
- Equipment Installation – IDTS equipment is to be installed and configured by the appropriate IDTS Department unless exceptions are made and approved by IDTS. Any software installed on an SCRRA device without prior approval can be uninstalled and is subject to data loss. Any hardware installed on the SCRRA network without prior approval is subject to immediate removal.
- Equipment Lifecycle – all equipment in the Asset Management Solution System should include an anticipated end-of-life date to allow SCRRA to identify if and when equipment should be replaced.
- Annual Audit – the IDTS department will perform an annual physical audit of all active equipment in the Asset Management Solution.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

IDTS-2 IT Acceptable Use Policy
IDTS-6 IT Governance Policy

POLICY HISTORY

March 21, 2008 – New Policy and Procedures document effective
October 3, 2011 – Policy revised
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy, which is now known as the IDTS Policy

Approvals: Chief Technology Officer, Legal Counsel, Chief Executive Officer


IDTS-5 – IDTS Security Policy Page 20

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: IDTS Security Policy NO. IDTS – 5

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 (supersedes July 28, 2020) REVISION: 10.0 (supersedes 9.0)

PURPOSE

This document provides an overview of the security requirements of the Southern California Regional Rail Authority (SCRRA) systems. Additionally, it describes controls implemented to meet those requirements.

APPLICATION

The IDTS Security Policy applies to all SCRRA entities and third parties who use computing devices owned, leased or connected to SCRRA’s IT network. Additionally, it applies to those who process or store critical data owned by SCRRA.

POLICY STATEMENT

It is the policy of SCRRA to establish a governed framework that allows for the use of innovative technology to safeguard file integrity and to maintain security for users; the network; computers; servers; applications; databases; remote access and other network attached devices within the SCRRA infrastructure. This policy:

- Protects the infrastructure against the inappropriate use of data;
- Prevents users from gaining access rights that they are not qualified to receive;
- Prevents applications from intrusion, malware, virus attacks, data loss, etc.; and
- Protects against equipment failure, intentional destruction of data, or disaster.

The Policy mitigates risk with a combination of technical, management and operational security controls. Security controls, when used appropriately, can limit, detect or prevent threat-sourced impairments to SCRRA's productivity.

1.0 USER PRIVILEGES

- Usernames and Passwords
  o User access privileges are authorized based on need and are provided only with an approved System Request Form (SRF) from the appropriate IDTS Department(s). An SRF must be authorized by the employee's or contractor's manager or above.
  o Every user has a unique username assigned by IDTS and a user-selected password that provides access to SCRRA's computers, networks and applications connected to the network.
  o A user is not permitted to use a non-authenticated (no password) User ID or an ID that is not associated with that user. Shared or group User IDs are NOT permitted for user-level access; exceptions may be made where practicable but are subject to IDTS approval. Service accounts may also be created and used under IDTS's supervision and approval.
  o Passwords must be changed at least every 180 days.
- Account Expiry
  o Human Resources are to notify IDTS of employee accounts to be disabled due to the user's departure from SCRRA within 24 hours of such termination being effective. Similarly, hiring managers, or above, of contractors are to notify IDTS of user accounts to be disabled when a contractor separates from SCRRA. Such notification is submitted using the SRF. In the case of an extended leave of absence, Human Resources or the hiring manager may request that a user account be suspended, during which time the account is disabled and cannot be used until re-enabled.
  o User account expiration dates for contract and/or temporary employees are determined by a termination date reflecting the end of the contractor's assignment with SCRRA. A termination date is required on all non-SCRRA employee SRFs and cannot exceed 12 months ahead. Upon account expiration, the account's sponsor is required to submit a new SRF to renew the expired account.

At a minimum frequency of every 180 days, IDTS will perform an audit of inactive and/or terminated employees and contractors and ensure that their access has been revoked from all systems.

Employees and contractors who have not logged into an application for 6 months or longer will be subject to an audit and their access revoked after confirming with the user's manager or the head of their department.

2.0 USER ACCESS LIMITATIONS

- Internet access is a privilege which is controlled and limited to those business uses that are being performed by the requestor. SCRRA reserves the right to monitor internal usage and to limit access to restricted content and sites.
- Internet access to restricted sites can be enabled after the approval of the user's manager with appropriate business justification.
- User access to external resources is limited to standard ports 80 and 443 only, unless other provisions have been made.

3.0 NETWORK (ACTIVE DIRECTORY) SECURITY POLICY

- Active Directory passwords are a minimum of ten (10) characters in length. Passwords must contain at least one lower-case letter, at least one upper-case letter, at least one numeral and one special character. Passwords must also not contain SCRRA references, common dictionary words or fragments.
- Each user is prompted to create a new User Password at least every one hundred eighty (180) days.
- Users may not reuse their last 10 previous passwords.
- Sharing of passwords is strictly prohibited and users doing so will be liable to having their account access revoked.
- If a password is forgotten by its user, the user must arrange with the IDTS HelpDesk (for corporate IT access) or PTC NCO (for train control access) to create a new password.
- If five (5) consecutive User login attempts fail, the system will lock the account for fifteen (15) minutes. IDTS will unlock the account after the user's identity is verified.
- When the unauthorized use of a User-ID is confirmed or suspected, IDTS must disable the account and coordinate with the user to change their password.
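The rules in section 3.0 above are concrete enough to encode and test. The following is an added example, not code from the SCRRA policy or from any SCRRA system: it checks a candidate password against the stated requirements (ten characters, the four character classes, no SCRRA references or dictionary words or fragments, no reuse of the last ten passwords) and models the lockout of an account for fifteen minutes after five consecutive failed logins, with an early unlock by the help desk once identity is verified. The word list, the fixed salt, the PBKDF2 iteration count and all class and function names are assumptions made for this illustration; a directory service enforces these rules natively, and this code only shows what each rule means in practice.

```python
"""Password rule checker with lockout handling.

Added example, not part of the SCRRA policy document: it encodes the rules
stated in section 3.0 (ten characters, four character classes, no SCRRA
references or dictionary words, no reuse of the last ten passwords, lockout
for fifteen minutes after five consecutive failures). The word list, salt,
iteration count and the class and function names are assumptions.
"""
from __future__ import annotations

import hashlib
import re
from collections import deque

MIN_LENGTH = 10              # policy: minimum of ten (10) characters
HISTORY_DEPTH = 10           # policy: last 10 previous passwords may not be reused
MAX_FAILURES = 5             # policy: five (5) consecutive failed attempts ...
LOCKOUT_SECONDS = 15 * 60    # ... lock the account for fifteen (15) minutes
PBKDF2_ROUNDS = 100_000      # assumption: iteration count for the stored digests

# Constructed stand-ins; a real deployment would load a full dictionary and
# every agency name or abbreviation it wants excluded.
DICTIONARY = {"password", "welcome", "summer", "winter", "train", "rail"}
ORG_REFERENCES = {"scrra"}

CLASS_RULES = [
    (re.compile(r"[a-z]"), "no lower-case letter"),
    (re.compile(r"[A-Z]"), "no upper-case letter"),
    (re.compile(r"[0-9]"), "no numeral"),
    (re.compile(r"[^A-Za-z0-9]"), "no special character"),
]


def check_password(candidate: str) -> list[str]:
    """Return every section 3.0 rule the candidate breaks (empty list = accepted)."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, message in CLASS_RULES:
        if not pattern.search(candidate):
            problems.append(message)
    lowered = candidate.lower()
    # Substring matching covers "fragments" of words as well as whole words.
    for ref in sorted(ORG_REFERENCES):
        if ref in lowered:
            problems.append(f"contains agency reference '{ref}'")
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


class Account:
    """Tracks one user's password history and consecutive failed logins."""

    def __init__(self, username: str, salt: bytes = b"constructed-salt") -> None:
        self.username = username
        self.salt = salt                  # assumption: a real system draws a per-user random salt
        # Current password plus the ten before it; the oldest is evicted automatically.
        self.history: deque[bytes] = deque(maxlen=HISTORY_DEPTH + 1)
        self.failures = 0
        self.locked_until = 0.0           # epoch seconds; 0 means not locked

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def set_password(self, new_password: str) -> list[str]:
        """Apply the rules and the reuse check; store the digest only if all pass."""
        problems = check_password(new_password)
        digest = self._digest(new_password)
        if digest in self.history:
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self.history.append(digest)
        return problems

    def attempt_login(self, password: str, now: float) -> str:
        """Return 'ok', 'failed' or 'locked'; `now` is injected so the lockout is testable."""
        if now < self.locked_until:
            return "locked"
        if self.history and self._digest(password) == self.history[-1]:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def helpdesk_unlock(self) -> None:
        """IDTS clears the lock early once the user's identity has been verified."""
        self.locked_until = 0.0
        self.failures = 0
```

Two design points carry over from the policy text: the lock is checked before the password is compared, so a correct password typed during the fifteen-minute window is still refused, and the failure counter resets both on a successful login and when the lock expires, so that only consecutive failures count.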

4.0 DATABASE SECURITY POLICY

- Users have limited or no direct access to database servers. Access may be granted with approval from the user's manager and with business justification via SRF, subject to IDTS approval.
- Database servers are not exposed beyond any firewall.
- Database servers are configured to accept only connections from trusted IP addresses.
- Connections to database servers from secured applications/application servers shall be properly configured. Connections shall use trusted IP addresses only.
- Only Database Administrators and the Chief Technology Officer (or designee) may grant access to update the database system.
- Database Administrator (DBA) accounts are secured with non-default passwords. The new passwords are recorded by the Network Engineer and the Database Administrator and stored in a secure location.
- Database Server Passwords and Database Passwords comply with the criteria listed in this policy.

5.0 NETWORK EQUIPMENT SECURITY POLICY

- Access to SCRRA routers, switches and any network devices is restricted to authorized IDTS employee or contractor personnel.
- Default passwords on any network device are changed upon receipt of a new or replacement router. New administrator passwords are assigned and documented.
- IDTS will establish and manage Demilitarized Zones (DMZs), as necessary, to separate external-facing devices from internal networks.
- Any network changes and configurations are to be documented and stored in a secured location. All changes must be tested and validated by the network team.
- IDTS manages firewall rules that govern access to servers, network, websites, applications and other traffic. Any requests to modify the configurations must be submitted via the Helpdesk Ticketing System and approved by IT for the corporate IT network, and via the Train Control Ticketing System and approved by NCO for the Train Control network.
- VPN tunnel connections are limited to authorized outside entities only.

6.0 NETWORK ATTACHED DEVICE POLICY

- Network-based and host-based security programs are employed to detect malicious activity, protect systems and data, and support incident response efforts.
- IDTS must approve, and reserves the right to remove, any device connecting to the SCRRA network.
- The Change Management process approves and releases security patches and update files to all connected workstations.
- Network attached devices must use an enterprise-licensed antivirus with a current signature file, updates and definitions.
- All networked workstations are configured for automatic update of security-related patches.
- All remote workstations (laptops) must be connected to the network at least once a month to receive security patches and current policies.

7.0 PHYSICAL ACCESS POLICY

- Physical access controls restrict the entry and exit of personnel, equipment, and media from SCRRA locations, including locations that contain system hardware, wiring used to connect elements of the system, electric power, backup media and other elements of the SCRRA operating network.
- Access to locations such as, but not limited to, data centers, inventory storage locations, Intermediate Distribution Facilities (IDFs) and Main Distribution Facilities (MDFs) is controlled through approved badge access. Access to these locations is audited and monitored on a periodic basis to prevent unauthorized access to these locations.
- For more information on Data Center access please see the Data Center and Colocation Policy.

8.0 REMOTE ACCESS POLICY

- Remote access may be granted to any employee or contractor; all remote access requests are subject to approval from the user's manager via the SRF for the appropriate IDTS Departments (i.e. IT for the corporate IT VPN, PTC NCO for the Train Control VPN).
- Remote access shall be granted and secured through virtual private networking (VPN).
- VPN access will require multifactor authentication such as Active Directory credentials, user certificates, and/or token authentication.
- VPN access logs will be maintained for all successful and failed login attempts, as well as the dates and times each user connected and disconnected in each user session.

9.0 INTERNET SECURITY POLICY

- Internet access is a privilege which is controlled and limited to those business uses that are being performed by the Requestor. SCRRA reserves the right to monitor internal usage and to limit access to restricted content and sites.
- IDTS maintains a White-List of approved sites that may be accessed.
- IDTS maintains a restricted access list of sites and employs a site filter that blocks access to:
  o Adult-oriented sites;
  o Pornographic and sexually explicit sites;
  o Terrorist or criminal skills sites;
  o Gambling or Gaming sites;
  o Violence or Weapon sites;
  o Hate sites;
  o Drugs, Alcohol, and Tobacco sites;
  o Hacking sites;
  o Glamour and Intimate apparel sites;
  o Personals and Dating sites;
  o Remote Proxy sites;
  o Other sites as deemed by the IT staff.
- Streaming protocols are disabled by default. Access to streaming sites will be allowed only with the approval of the Chief Technology Officer or their designee.
- Access to "Chat" sites is disabled by default.

10.0 EMAIL SECURITY POLICY

- Email access is a privilege which is controlled and limited to those business uses being performed by the Requestor. SCRRA reserves the right to monitor internal usage and to limit access to restricted content and sites. Email systems are managed and protected across SCRRA in accordance with common standards and procedures.
- Attachment Type Limitations - Email attachments received by SCRRA Email servers are filtered to exclude specific filename extensions (e.g. .exe, .com) as may be determined to be a security threat by IT.
- Attachment Size Limitations - Email attachments sent from and/or received by SCRRA Email servers are subject to a file size limit determined by IT based on bandwidth and user requirements.
- Conveyance of Confidential or Sensitive Information - Users of all SCRRA Email systems must be informed that information that originated in, or was received through, Email messages is probably not encrypted and should not be considered confidential or unaltered. Unencrypted Email will not be used for the conveyance of personal or sensitive information.
- Email Relay - All SCRRA-hosted Email systems are configured to prevent use by third parties as Email relay platforms unless authorized by IT.
- Email Systems - SCRRA IT operates centrally managed Email systems that support the needs of staff and contractors. No other Email servers shall be permitted on the network.
- SMTP Protocol - SCRRA Email systems are the only systems permitted to send and receive Simple Mail Transfer Protocol (SMTP) traffic to and from the Internet. All other devices are blocked (for SMTP traffic) at the Internet Router.
- Encryption of Web-based Access - Client read access to Email must utilize a minimum of 256-bit encryption for authentication to protect account passwords. Web clients may use a secure web server utilizing the HTTPS and SSL protocols. POP and IMAP clients may use secure POP or IMAP protocols with SSL connections. Clients with direct Linux or Unix shell client software may use a secure encrypted protocol such as SSH to log in to the server.
- Patch Management - Servers must be updated with new security patches for both the Operating System and mail server applications as those patches are released by vendors.
- Virus Detection and Removal - Active anti-virus detection and quarantine software or services protect all servers. Where possible, these anti-virus applications are configured for the automatic update of virus signatures. Additionally, anti-virus gateways are used to scan inbound and outbound messages.
- Compromised Account - When the unauthorized use of a User-ID is confirmed or suspected, IT must disable the account and coordinate with the user to change their password.

11.0 CONFIDENTIALITY DISCLOSURE AGREEMENT

- System administrators are specialized users that have unique access to systems, software services and data. These specialized roles allow for the support and administration of software packages, supporting computer architectures and underlying networks. Only specifically qualified staff are designated as Systems Administrators and granted System Administrator Authorities. Granting of such authority must be approved in advance by the system owner and the Chief Technology Officer, at the sole discretion of the Chief Technology Officer. All staff designated as System Administrators must complete and have on file a current Confidentiality Disclosure Agreement (CDA) or equivalent, such as a Non-Disclosure Agreement (NDA), which confirms that the designated System Administrator understands the responsibilities and accountability of the role.
- Any IDTS personnel, whether employee or contractor, who are not system administrators but still have any level of exposure to SCRRA's infrastructure, technology or proprietary information may still be subject to completing the CDA or NDA.

12.0 SOCIAL MEDIA POLICY

• One of the primary ways that the SCRRA communicates with its customers, employees and other stakeholders is through its external and internal websites via the Internet and Intranet, respectively.
• SCRRA believes in fostering a robust online community that supports agency objectives by engaging in constructive and informative dialogue with customers and employees through blogs, social networking, wikis, and other web-based social media. SCRRA’s ability to reach its customers, employees, and other stakeholders directly is crucial to adequate dissemination of information.
• In order to maximize and maintain SCRRA’s messaging and branding and limit its liability, it is critical that all web communications and online postings to official SCRRA websites for external audiences be authorized and approved by SCRRA’s Communications department.
• Only individuals authorized by the Chief Marketing and Communications Officer (CMCO) or designee are permitted to create, maintain and participate in an official SCRRA blog, social networking and/or social media site on behalf of the CEO. No other person or department is authorized to engage in online discourse with external audiences without the specific consent of the CMCO.

13.0 ALERT AND LOG MANAGEMENT POLICY

• Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing audits and identifying operational trends and long-term problems.
• Logs will be periodically reviewed to proactively detect suspicious or malicious activity.
• Systems will be configured and monitored for the following events:
o Server/device restarts/resets;
o Loss of time synchronization between devices;
o Access and configuration changes;
o IP-based and denial of service attacks;
o Virus detection, quarantine and removal;
o Malware and spyware attacks.
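As an added illustration (not part of the policy and not SCRRA/IDTS tooling), the following Python triages a constructed syslog sample into the event classes listed above and additionally flags a source address that repeatedly fails SSH authentication. Every regular expression, hostname, address and log line is an assumption for the example; a real deployment would tune the patterns to its own log sources.

```python
"""Log triage example: maps syslog-style lines onto the event classes that the
Alert and Log Management Policy requires systems to be monitored for, and flags
repeated failed logins from one source. Added illustration, not SCRRA/IDTS
tooling; every pattern and log line here is an assumption/constructed sample."""
import re
from collections import Counter

# Assumed patterns for common Linux syslog, chrony/ntp, sshd, sudo and ClamAV
# messages. Real deployments tune these to the actual log sources.
RULES = [
    ("server_restart",
     re.compile(r"kernel: Linux version|systemd\[1\]: Startup finished|reboot: Restarting system")),
    ("time_sync_loss",
     re.compile(r"chronyd.*Can't synchronise|ntpd.*no servers? reachable|clock unsynchroni[sz]ed")),
    ("access_or_config_change",
     re.compile(r"sudo: .*COMMAND=|useradd|usermod|groupadd|visudo|config(uration)? (changed|committed)")),
    ("dos_attack",
     re.compile(r"SYN flooding on port|Possible SYN flood")),
    ("virus_detected",
     re.compile(r"\bFOUND\b|quarantin")),
    ("malware_attack",
     re.compile(r"(?i)malware|spyware|threat detected")),
]

# sshd authentication failure; capturing the source IP lets us spot password guessing.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
BRUTE_FORCE_THRESHOLD = 5  # failures from one source before it is flagged (assumed value)


def classify(line: str):
    """Return the first matching policy event class for a log line, or None."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return None


def triage(lines, threshold: int = BRUTE_FORCE_THRESHOLD) -> dict:
    """Count monitored events and flag sources that reach the failed-login threshold."""
    events = Counter()
    failed_by_source = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failed_by_source[m.group(2)] += 1
            continue
        category = classify(line)
        if category:
            events[category] += 1
    return {
        "events": dict(events),
        "failed_logins_by_source": dict(failed_by_source),
        "brute_force_sources": sorted(
            src for src, n in failed_by_source.items() if n >= threshold),
    }


# Constructed sample log (not real SCRRA data); hosts and addresses are fictional.
SAMPLE_LOG = """\
Feb 12 09:58:01 app01 kernel: Linux version 5.4.0-65-generic (buildd@lcy01-amd64-018)
Feb 12 09:58:20 app01 systemd[1]: Startup finished in 12.3s.
Feb 12 10:02:11 app01 chronyd[712]: Can't synchronise: no selectable sources
Feb 12 10:05:42 app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Feb 12 10:05:44 app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 50123 ssh2
Feb 12 10:05:46 app01 sshd[2231]: Failed password for root from 203.0.113.45 port 50124 ssh2
Feb 12 10:05:48 app01 sshd[2231]: Failed password for root from 203.0.113.45 port 50125 ssh2
Feb 12 10:05:50 app01 sshd[2231]: Failed password for invalid user oracle from 203.0.113.45 port 50126 ssh2
Feb 12 10:06:30 app01 sshd[2240]: Failed password for jdoe from 198.51.100.7 port 50130 ssh2
Feb 12 10:10:05 app01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd svc_backup
Feb 12 10:15:00 app01 kernel: TCP: Possible SYN flooding on port 443. Sending cookies.
Feb 12 10:20:17 mail01 clamd[891]: /var/spool/quarantine/msg-4431: Eicar-Test-Signature FOUND
Feb 12 10:21:03 app01 cron[1133]: (root) CMD (run-parts /etc/cron.hourly)
"""


def analyze_sample() -> dict:
    """Run the triage over the constructed sample above."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

The rules are evaluated in order and a line is counted once, so a sudo invocation of useradd is one access/configuration change rather than two; the failed-login branch runs before the rules so that password guessing is aggregated per source instead of being counted as isolated events. Note that this only classifies what is already in the log: a policy requirement to monitor restarts or time-sync loss is only met if the relevant daemons actually emit those messages to a collector that survives a compromise of the host.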

14.0 THIRD PARTY CONTRACTOR SERVICE SECURITY POLICY

• Contractors are employed by the IDTS and PTC departments to augment the work performed by agency employees. Contractors may be granted privileged access to information and systems. All contractors employed by the IDTS departments and PTC teams must have a background check performed before they can begin work at the agency. In the event a contractor is hired to perform time-sensitive tasks on critical projects, a background check must be performed within three (3) weeks of the contractor joining the IDTS or PTC team.

15.0 DATA INTEGRITY POLICY

• Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.
• Access to data categorized as “Confidential” or “Sensitive” under the Security Information Categories shall be limited to authorized persons whose job responsibilities require it, as determined by the Human Resources Department and/or the user’s manager.

16.0 USER CYBERSECURITY TRAINING POLICY

• All new hires that are provided with a SCRRA email address, whether employees or contractors, are required to attend and pass the cybersecurity training course provided by IDTS.
• All personnel with a SCRRA email address are also required to attend and pass annual cybersecurity training provided by IDTS.
• Personnel that do not have a SCRRA email address but have access to the SCRRA network may still be required to take cybersecurity training, as determined by IDTS.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

1) Critical data is defined as data that, when absent or compromised, will interfere with the daily operations of SCRRA.
2) Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS applies to organizations that “store, process or transmit cardholder data” for credit cards.
3) The IDTS Data Classification Guidelines document further identifies the types of data that belong under particular Security Information Categories (Confidential, Restricted, Private, Public).
4) IDTS-2 Acceptable Use Policy
5) IDTS-7 Data Center Policy
6) IDTS-DF Definition of Terms

POLICY HISTORY

March 21, 2008 – Security Policy document approved
October 3, 2011 – Security Policy updated and revised
November 13, 2019 – Security Procedures separated from Policy, and updates to Policy
June 26, 2020 – presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-6 – IDTS Governance Policy Page 30

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: IDTS Governance Policy NO. IDTS – 6

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

To establish the process for prioritization, requirements definition, user participation and rollout for the development and implementation of major and minor projects, individual requests and unforeseen activities including but not limited to the development, deployment, provisioning and integration of requested communication/information technologies.

APPLICATION

This policy and procedures document applies to all SCRRA entities, employees, contractors and third parties who request a new project that affects the current IDTS environment including additions or changes to hardware, software or applications; modifications to configurations, additions, deletions, or changes to the LAN/WAN, Network or Server hardware and software, and any other addition, change, or modification that significantly affect the SCRRA computing environment (e.g. electrical, cooling, physical access).

This policy applies to any new project that may change or affect one or more of the environments that the SCRRA network users and customers rely on to conduct normal business operations.

POLICY STATEMENT

It is the policy of SCRRA to have a strong policy to support the users dependent on the network, client machines, administrative systems and application programs. As the business environment changes and new technology emerges, it is necessary for SCRRA to adopt and implement these new technologies. Managing these changes is a critical part of providing a robust and valuable information resources infrastructure.

The governance policy provides a broad framework that addresses large-scale projects that are prioritized by a steering committee to small individual user requests. It is our policy to ensure that regardless of the scale of work, users must receive the most advantageous and cost-effective solution and IDTS must deliver a structured approach to the solution. It also states the governance for IDTS’s response for unplanned incidents.

1.0 IT Technology Steering Committee

• An IT Technology Steering Committee will be established, comprising a subset of members of the executive leadership (by rotation) and the Chief Technology Officer. The role of the IT Technology Steering Committee will be to:
o Assign priorities for large technology-related projects. Large projects are those that involve new technology or changes to technology involving multiple user departments.
o Ensure that technology projects are adequately funded.
o Review and approve project scope and plans for all new technology-related projects.
o Ensure that appropriate business process protocols are considered during any implementation.
o Resolve scope or process issues encountered during implementation of technology projects.
• The IT Technology Steering Committee will meet at least once a quarter, with the provision of holding an ad-hoc meeting should one be needed or requested.
• At each meeting, IDTS will present projects with business case, anticipated costs and timelines, as well as key project staff, to the IT Technology Steering Committee for their consideration. In addition, IDTS will also present compatibility with existing systems, adherence to technology standards and future technology considerations where applicable.

2.0 Project Management

• IDTS will engage with the business users and teams to learn about new projects and requirements. IDTS will engage business users when rolling out a new technology, discussing a new business need, issues with an existing technology solution, or an existing system upgrade.
• IDTS will leverage the IDTS Project Management document as a framework that outlines the applicable steps in the lifecycle of a project, including:
o Stakeholder identification
o Stakeholder buy-in
o Project staffing - both IDTS and business resources
o Business process analysis
o Scope definition
o Testing and environment plan
o Development and deployment processes
o Training plan
o Systems documentation and end-user guides
o Project timeline and funding plan

3.0 Call Management

Information Technology (IT)
• It is the policy to staff a HelpDesk dedicated to capturing, tracking, escalating and coordinating the resolution of issues related to the Authority’s Information Technology systems and assets. The HelpDesk is supported by an issue tracking and management solution (HelpDesk system) that is used to collect, track and provide reporting on the type, disposition, work performed and ultimate resolution of issues reported.
• The HelpDesk is available to support end user requests during business hours, 8:00am to 5:00pm Pacific Time, Monday through Friday (except company holidays), by calling 213-452-0411, and outside these hours and on holidays for urgent requests by calling 213-452-0412. The HelpDesk can also be contacted via email at [email protected].
• HelpDesk staff will attempt to resolve the issue based on priority and may transfer the issue to another member of the IT staff if specialized application or infrastructure resolution is needed.
• Upon resolution of an issue, users will be notified by an email from the HelpDesk system, with a request for comments and a service rating on the quality of service delivered.
• Response time, open tickets and user comments will be monitored by IT management as Key Performance Indicators (KPIs).

PTC Network Control Operations (PTC NCO)
• It is the policy to staff a Train Control HelpDesk dedicated to capturing, tracking, escalating and coordinating the resolution of issues related to the Authority’s Train Control systems and assets. The Train Control HelpDesk is supported by an issue tracking and management system (NAS) that is used to collect, track and provide reporting on the type, disposition, work performed and ultimate resolution of issues reported.
• The Train Control HelpDesk is available to support end user requests 24x7 by calling 888.446.9720. The Train Control HelpDesk can also be contacted via email at [email protected].
• Train Control HelpDesk staff will attempt to resolve the issue based on priority and may transfer the issue to another member of the PTC NCO staff if specialized application or infrastructure resolution is needed.

4.0 Incident Response

In addition to planned projects and user requests, there may be a need for IDTS to respond to unforeseen or unplanned events and incidents such as natural disasters, acts of terrorism, cybersecurity breaches or sabotage. While the type and scale of each incident may vary significantly, the IDTS Governance Policy stipulates three types of incident response frameworks that will be leveraged to mitigate and minimize disruption to the business and to foster business continuity.

• Level 3 Incident
o IDTS will support the Agency’s Incident Response Plan (IRP) for incidents categorized as Level 3 incidents, defined as “Major incidents or accidents to Metrolink trains, which result in injuries or deaths to passengers or crew members.”
o IDTS’s response to a Level 3 incident is detailed in the Incident Response Plan (IRP) document, in the Organization and Assignment of Responsibilities section under Information Technology and Positive Train Control C&S Systems Team, where applicable (ROLES & RESPONSIBILITIES, section G. Chief Financial Officer (CFO)).
o IDTS will support mock drills to simulate a Level 3 incident and ensure preparedness of the IDTS team to mitigate such an incident.
• Cybersecurity Incident
IDTS will prepare a Cybersecurity Incident Response Plan to outline the steps needed to mitigate and recover from a cybersecurity incident. Examples include:
o Loss or theft of SCRRA customers’ Personally Identifiable Information (PII) or credit card information.
o Denial of Service (or similar) attack that prevents use of the Agency’s website(s) by the general public or the Agency’s customers.
o Loss, theft, breach or compromised integrity of a business application or infrastructure caused by malicious or suspicious third parties using email, viruses, malware or other means.
• Disaster Recovery Incident
o IDTS will prepare a Disaster Recovery and Business Continuity plan to outline the steps to deal with the loss of major system(s) or service(s).
o The plan will leverage redundant or standby infrastructure to establish systems and services as a stop-gap arrangement while the original system is recovered. The plan determines recovery point objectives (RPO) and recovery time objectives (RTO) for each system and service, based on the criticality of the system or service to the business.
o The Disaster Recovery and Business Continuity plan is used in conjunction with the Level 3 incident and/or Cybersecurity Incident response if the cause of the disaster is a Level 3 incident or a Cybersecurity Incident.
o Disaster recovery will comply with IDTS-1 Business Continuity Policy.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

• IDTS-1 Business Continuity Policy
• IDTS-5 Security Policy
• Incident Response Plan (IRP)
• IDTS Project Management

POLICY HISTORY

March 3, 2011 – New Policy and Procedures document approved
November 13, 2019 – 4 Policies (Steering Committee, Project Management and Initiation, Call Management and Incident Response) merged into IT Governance Policy. Policy separated from Procedures
June 26, 2020 – presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-7 – IDTS Data Center Policy Page 36

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: IDTS Data Center and Colocation Policy NO. IDTS – 7

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

Data centers house critical information assets belonging to the agency. The information assets are critical to supporting the operating needs of the agency. The purpose of the policy is to establish guidelines for proper maintenance and protection of the data center to ensure the continued and optimal use and access to the assets contained therein. The policy applies to data centers hosted in-house by SCRRA and by third-party hosting solutions known as a colocation.

APPLICATION

This policy applies to all Southern California Regional Rail Authority (SCRRA) owned or leased data centers.

POLICY STATEMENT

The IT department, in collaboration with PTC, manages several data centers that house critical technical infrastructure such as servers, switches, routers, HVAC systems, power systems, etc. The policies described herein are the responsibility of the IDTS departments, with the Director of each team accountable for their implementation.

1.0 Physical Access

Physical access to data centers and supporting infrastructure facilities (e.g. MPOE – Minimum Point of Entry, MDF – Main Distribution Frame, IDF – Intermediate Distribution Frame, etc.) will be provided through electronic access cards to IDTS-authorized personnel only. Access privileges will be granted to individuals who have a legitimate business need to be in the data center and supporting infrastructure facilities on a regular basis. Anyone without authorized access (e.g. vendor, employee, contractor) to the data center must be accompanied by an authorized access card holder at all times. Physical access to the data centers must be monitored periodically to detect any unauthorized access. All issued identification must be worn at all times while in the data center and supporting infrastructure facilities.

Any access card may be used only by the individual to whom it has been issued for obtaining access to the data center. Access cards may not be loaned or exchanged between individuals for any reason. Abuse or misuse of access cards may result in removal from the Building and denial of future access. Data center doors should be locked at all times.

Security Operations Center and Colocation Security must be notified of terminated employees and contractors to have their access revoked immediately. To safeguard SCRRA’s data center and infrastructure, IDTS may revoke data center access from anyone at any time with Chief Technology Officer or designee’s approval. Data center access is also subject to annual review and audit.

2.0 Fire and Hazardous Materials Protection

Data centers must be equipped with approved temperature and smoke detection and fire suppression systems. Data centers must be equipped with fire extinguishers. Fire extinguishers must be inspected twice a year. All cabling used must meet national electrical and fire standards. No exposed cables shall be installed under raised flooring. The following items are not permitted in the building: alcohol, controlled substances, explosives, flammable liquids, gases or chemicals, chemical agents, weapons of any kind, wet cell batteries and all similar equipment and materials. Should any hazardous materials be released in or around the premises, the IDTS department heads must be promptly notified and corrective action taken immediately.

3.0 Data Center Etiquette

• Smoking, eating or drinking inside the data center is not permitted. No food or drink is allowed on the data center premises. To further maintain a clean environment, no packing materials may be brought into the data center. Alcohol and illegal controlled substances shall not be allowed on the premises. No person under the influence of these substances is permitted on the premises.
• Unless otherwise expressly permitted by IDTS in writing, non-essential items, refuse and/or packing materials are prohibited from entering data centers and supporting infrastructure facilities, including but not limited to boxes, crates, corrugated paper, plastic and foam packing materials.
• Under no circumstances should anyone take any of the following actions without the prior knowledge, consent and oversight of the IT Technology Steering Committee:
a) Change the configuration within the data center;
b) Tamper with or interfere with the normal function of the transformers or Power Distribution Units (PDU);
c) Tamper with or interfere with the normal function of the air conditioning units;
d) Plug any device into another cabinet’s power supply;
e) Remove any cables or power connections from equipment other than those covered by an approved change order.

4.0 Data Center Design and Maintenance

• UPS - UPS systems in the data center must be sized to meet current and future needs, with sufficient battery backup to allow for a controlled shutdown of primary servers in case of a power outage. UPS systems must be designed, installed and maintained by authorized electricians and technicians and housed in a secure location. UPS systems follow the manufacturer’s recommended maintenance schedule. UPS systems must have bypass capability to allow for periodic maintenance.

• HVAC - Cooling and related equipment must be sized to account for the cooling load of all equipment and the cooling load of the building (lighting, power equipment, personnel, building envelope). Sizing should account for appropriate future growth projections. All cooling equipment must be designed, installed, and maintained by qualified technicians that meet local and state codes. All cooling equipment must follow the vendor’s recommended maintenance schedule. Air filtration media should be installed at air intake points.
• Technology Infrastructure Installation and Maintenance - All equipment in the data center must be clearly labelled and inventoried. New equipment installation or removal must follow the Change Management Policy, IDTS-3.

DEFINITION OF TERMS

See IDTS – DF Definition of Terms


REFERENCES

IDTS-3 Change Management Policy

POLICY HISTORY

April 6, 2018 – IT Data Center Policy Documented and approved November 13, 2019 – Separated procedures and updated policy June 26, 2020 – presented to Executive Committee, awaiting Board approval on July 24 July 24, 2020 – New policy document was approved by the Board December 29 – incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer

TITLE: Definition of Terms NO. IDTS- DF

ORIGINATING UNIT: Integrated Digital & Information Technology Services

EFFECTIVE DATE: October 03, 2011 REVISION: 3.0

1.0 DEFINITION OF TERMS

Access – The ability to read, write, modify or communicate data/information or otherwise use any system resource.

Access Controls – Rules for limiting access to safeguard systems and data at all times and under all conditions.

Access Rights – A method of administering permissions to specific users and groups of users. These permissions control the ability of the users affected to view or make changes to the contents of the file system.

Accountability – The security goal that generates the requirements for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Agency – For purposes of the IDTS Policies and Procedures, the Agency or the Authority is the SCRRA.

Archive – (1) A long-term storage media, often on magnetic tape, for backup copies of files or files that are no longer in active use (2) to move data to a less accessible or less expensive storage media or method.

Asset – All IDTS assets are those computers, servers, single user applications, network applications, database applications and other network attached hardware or software owned by the SCRRA, listed on the balance sheet with a debit balance.

Asset Management – The method used to track fixed assets including tracking the physical location of the IDTS assets, managing the demand for them and accounting for them as described in this Policy.

Audit Log – Captures the computer user’s actions while logged on to a system and saves the information to a database table or formatted file.

Authentication – Process of verifying the identity of an entity that is either providing or requesting resources, information, data, or documents.

Authorization – Process of establishing and enforcing an entity’s rights and privileges to access or provide specified resources, information, data or documents.

Availability – Ensuring timely and reliable access to and use of information. The security goal that generates the requirement for protection against (1) intentional or accidental attempts to perform an unauthorized deletion of data or otherwise cause a denial of service or data; and (2) unauthorized use of system resources.

Backup – In computer engineering, refers to the copying of data so that these additional copies may be restored if the originals are damaged or lost, a process that is known as data recovery or restore. The “data” may be either created data as such, or stored program code, both of which are treated similarly by the backup software. Backups differ from an archive in that data are duplicated rather than moved.

Bandwidth – A measure of the amount of data that can be passed by a communication channel in a given amount of time.

Boundary router – Performs packet filtering at the edge of a network to block certain attacks, filter unwanted protocols, and perform simple access control.

Computer – Electronic device that performs logic, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, software or communications facilities that are connected or related to such a device in a system or network.

Computer Security Log Management – Log management for computer security log data only.

Computer Services – Computer time, data processing, storage functions and all types of communication functions.

Computer Software – Set of computer programs, procedures, and associated documentation concerned with the operation of a computer system.

Computer System – Set of related, connected or unconnected computer equipment, devices and software, including storage, media and peripheral devices.

Confidential Data/Information – Data whose loss, corruption, or unauthorized disclosure would violate SCRRA policies and procedures, state or federal laws and/or regulations. Some “Confidential Data/Information” will be more sensitive than others and shall be protected in a more secure manner.

Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. The security goals that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.

Cybersecurity – The practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

Cryptography – Technology used to protect the confidentiality of information. Some forms may be used as the basis for ensuring the integrity of information and authentication of users.

Database – An organized collection of information that can be searched, retrieved, changed, and sorted using a collection of programs known as a database management system.

Database Administrator – A person with a high degree of technical expertise who is responsible for the design and management of an organization’s database.

Database Management System (DBMS) – Set of computer programs with a user and/or programming interface that supports the definition of the format of a database, and the creation of and access to its data. A database management system removes the need for a user or program to manage low-level database storage. It also provides security for and assures the integrity of the data it contains. Types of database management systems are relational (table oriented) and object oriented.

Data Integrity – Assurance that information is accurate and complete and can only be modified by those authorized to do so. Data integrity can be maintained by the DBMS or by the software application; therefore, data integrity can be implemented inside the database and through data access rules.

Degauss – To demagnetize data from storage devices in order to destroy the media so it is no longer usable.

Demilitarized Zone (DMZ) – A host or network segment inserted as a “neutral zone” between an organization’s private network and the Internet.

Disabled Account – The process of preventing a user from authenticating to the network for purposes of access, usually a manual process performed by an administrator.

Disaster – any event that makes an organization unable to provide critical business functions for a pre-determined period of time.

Disaster Recovery Plan – A plan that applies to major, usually catastrophic events that deny access to the normal facility for an extended period. This IT focused plan is designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.

Domain Controllers – Servers that hold information about user accounts and network configuration and authenticate users on the network. Primarily used in reference to the Microsoft network architecture.

Download – To transfer (data or programs) from a central computer to a peripheral computer or device.

Emergency – For purposes of the IDTS Policies and Procedures, emergencies exist only as a result of: no service; severe degradation of service needing immediate action; a system/application/component being inoperable where the failure causes a negative impact; a natural disaster; or an emergency business need.

Event Filtering – The suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest.

File – is a data object that can be managed by a file system. Files act at an abstraction level that allows them to be given a symbolic name that uniquely identifies the data, which can be assigned ownership and access rights. Files may be created and deleted or may change in size during their lifetimes.

File Transfer Protocol (FTP) – The TCP/IP protocol enabling users to copy files between systems and perform file management functions such as renaming or deleting files.

Firewall – A network node set up as a boundary to prevent traffic from one segment from crossing over to another. Firewalls are used to control network traffic, as well as for security purposes.

Hardware – A computer, its components, its peripherals, and other associated equipment – any physical object that is part of a computer system.

Host – Almost any kind of computer, from a centralized mainframe that is a host to its terminals, to a server that is host to its clients, to a desktop personal computer that is host to its peripherals. In network architectures, a client station (user’s machine) is also considered a host because it is a source of information to the network, in contrast to a device such as a router or switch that directs traffic.

Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information System Owner – The individual assigned by the management team to be responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

Information Technology – Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the Agency. Used in this context, equipment means equipment used by the Agency directly or used by a contractor under a contract with the Agency which (1) requires the use of such equipment; or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information Technology in this instance includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services) and related resources.

Information Type – A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by the SCRRA or by a specific law, Board Item, executive order, directive, policy or regulation.

Interface – A shared boundary defined by common physical interconnection characteristics, signal characteristics, and meanings of interchanged signals or data.

Intermediate Distribution Frame – A free-standing or wall-mounted rack for wiring or cable from a Main Distribution Frame (MDF), leading to individual cables for each piece of equipment such as workstations, personal computers and other end-user devices.

Life Cycle – Generally, the software development process includes the following phases:
• Requirements Analysis
• Design
• Development
• Code Review
• QA Implementation
• QA Testing
• Documentation
• Production Implementation
• Production Testing
• Maintenance

Local Area Network (LAN) – A data communications system confined to a limited geographic area (up to 6 miles or about 10 km) with moderate to high data rates (100 Kbps to 50 Mbps). The area served may consist of a single building, a cluster of buildings or a campus-type arrangement. The network uses some type of switching technology and does not use common carrier circuits (although it may have gateways or bridges to other public or private networks). This communications network is made up of servers, workstations, a network operating system and a communication link that serves users within this geographical area.

Locked Account – The process used to prevent a user from authenticating to the network for purposes of access, usually an automatic process.

Log – A record of the events occurring within an organization’s systems and networks.

Log Analysis – Studying log entries to identify events of interest or suppress log entries for insignificant events.

Log Archival – Retaining logs for an extended period of time, typically on removable media, a storage area network (SAN), or a specialized log archival appliance or software.

Log Clearing – Removing all entries from a log that precede a certain date and time.

Log File Integrity Checking – Comparing the current message digest for a log file to the original message digest to determine if the log file has been modified. The original digest must be stored where a party able to alter the log cannot also alter the digest (for example, on a separate log server or computed with a key the log host does not hold); otherwise an attacker can simply recompute it.

Log Management – The process for generating, transmitting, storing, analyzing, and disposing of log data.

Log Retention – Archiving of logs on a regular basis as part of standard operational activities.

Log Rotation – Closing a log file and opening a new log file when the first log file is considered to be complete.
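The two glossary entries above for Log File Integrity Checking and Log Rotation, shown together as a worked example. This code is added here for illustration; it is not part of the SCRRA policy document and does not describe SCRRA’s own tooling. It records a keyed digest (HMAC-SHA256) of each log file at rotation time in a manifest, then later recomputes the digest and compares it to detect tampering. The key name DIGEST_KEY, the manifest layout and the sample sshd/sudo log lines are constructed assumptions; in a real deployment the key and the manifest would live on the log archival system, not beside the logs.

```python
"""Log rotation with a keyed integrity manifest (constructed example)."""
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key. A keyed digest, rather than a bare SHA-256, means that an
# attacker who can rewrite the log but does not hold the key cannot produce a
# matching digest for the altered file.
DIGEST_KEY = b"example-only-key-do-not-use"


def file_digest(path: str, key: bytes = DIGEST_KEY) -> str:
    """HMAC-SHA256 of a file, streamed in chunks so large logs stay out of memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def _load_manifest(manifest_path: str) -> dict:
    """Manifest is a JSON map of archive name -> recorded digest and size."""
    if not os.path.exists(manifest_path):
        return {}
    with open(manifest_path) as fh:
        return json.load(fh)


def rotate_log(active_path: str, manifest_path: str) -> str:
    """Close the active log, rename it to the next numbered archive, open a fresh
    active log, and record the archive's digest. Returns the archive path."""
    n = 1
    while os.path.exists(f"{active_path}.{n}"):
        n += 1
    archived = f"{active_path}.{n}"
    os.replace(active_path, archived)          # the archive is now read-only by convention
    open(active_path, "ab").close()            # new, empty active log
    manifest = _load_manifest(manifest_path)
    manifest[os.path.basename(archived)] = {
        "hmac_sha256": file_digest(archived),
        "size": os.path.getsize(archived),
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return archived


def verify_archives(log_dir: str, manifest_path: str) -> dict:
    """Return {archive_name: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    results = {}
    for name, rec in _load_manifest(manifest_path).items():
        path = os.path.join(log_dir, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif hmac.compare_digest(file_digest(path), rec["hmac_sha256"]):
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def demo() -> dict:
    """Constructed scenario: write two logs, rotate each, tamper with the first,
    then verify. Expected result: auth.log.1 modified, auth.log.2 ok."""
    with tempfile.TemporaryDirectory() as d:
        active = os.path.join(d, "auth.log")
        manifest = os.path.join(d, "manifest.json")
        with open(active, "w") as fh:  # constructed sample lines
            fh.write("2021-02-12T10:00:01 sshd: Failed password for admin from 10.0.0.5\n")
            fh.write("2021-02-12T10:00:07 sshd: Accepted password for admin from 10.0.0.5\n")
        first = rotate_log(active, manifest)
        with open(active, "w") as fh:
            fh.write("2021-02-12T11:00:00 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash\n")
        rotate_log(active, manifest)
        # An intruder strips the failed-login evidence from the first archive.
        with open(first) as fh:
            lines = fh.readlines()
        with open(first, "w") as fh:
            fh.writelines(line for line in lines if "Failed password" not in line)
        return verify_archives(d, manifest)


if __name__ == "__main__":
    print(demo())
```

Rotation and digest recording happen in the same step so there is no window in which an archive exists without a recorded digest; verification uses a constant-time comparison so the check itself does not leak digest bytes through timing.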

Mail Server – A host that provides “electronic post office” facilities. It stores incoming mail for distribution to users and forwards outgoing mail. The term may refer to just the application that performs this service, which can reside on a machine with other services, but for this document, the term refers to the entire host including the mail server application, the host operating system and the supporting hardware.

Mail Transfer Agent – A program running on a mail server that receives messages from mail user agents or other mail transfer agents and either forwards them to another mail transfer agent or, if the recipient is on the mail transfer agent, delivers the message to the local delivery agent (LDA) for delivery to the recipient. SCRRA’s mail transfer agent is Microsoft Exchange.

Malware – A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.

MB – Megabyte. (In strict usage “MB” denotes megabyte and “Mb” megabit.)

Main Distribution Frame (MDF) – A signal distribution frame or cable rack used in telephony to interconnect and manage telecommunication wiring between itself and any number of intermediate distribution frames and cabling from the telephony network it supports.

Minimum Point of Entry (MPOE) – The point at which a telecommunication provider's wiring crosses or enters a building; also referred to as the main point of entry. This is often a box on the outside of the building, or possibly in the basement.

Network – An interconnected group of nodes; a series of points, nodes, or stations connected by communications channels; the assembly of equipment through which connections are made between data stations.

Network Architecture – A set of design principles, including the organization of functions and the description of data formats and procedures. The basis for the design and implementation of a network.

Network Topology – The physical and logical relationship of nodes in a network; the schematic arrangement of the links and nodes of a network. Networks typically have a star, ring, tree, or bus topology, or some combination.

Operational Controls – The security controls (i.e. safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Organizational Change Management – The process of developing a planned approach to change in an organization. Typically the objective is to maximize the collective benefits for all people involved in the change and minimize the risk of failure of implementing the change. The discipline of change management deals primarily with the human aspect of change.

Operating System – The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its principal component, the kernel resides in memory at all times. The operating system sets the standards for all application programs (such as the mail server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.

Patch – A “repair job” for a piece of programming; also known as a “fix.” A patch is the immediate solution that is provided to users; it can sometimes be downloaded from the software maker’s Web site. The patch is not necessarily the best solution for the problem, and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement or an insertion in compiled code (that is, in a binary file or object module). In many operating systems, a special program is provided to manage and track the installation of patches.

Physical Access – The measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.

Protocol – A formal set of conventions governing the formatting and relative timing of message exchange between two communicating systems.

Physical Security – The protection of building sites and equipment, and of all information and software contained within them, from theft, vandalism, natural disaster, man-made catastrophes and accidental damage.

Public Information – Data that is made generally available without specific custodian approval and that has not been explicitly and authoritatively classified as confidential.

Positive Train Control (PTC) – A system designed to prevent train-to-train collisions, over-speed derailments, incursions into established work zones, and movements of trains.

Quality Assurance (QA) – The process of, or an environment that enables, users to test a system in a controlled environment to validate and verify changes to the system ahead of deployment to User Acceptance Testing (UAT) or the production environment. It may also be an environment exclusively configured to mirror production for support and troubleshooting purposes.

Random Access Memory (RAM) – Semiconductor read/write volatile memory. Data stored are lost if power is turned off.

RDBMS – Relational Database Management System

Records – The recordings of evidence of activities performed or results achieved (e.g. forms, reports, test results) which serve as a basis for verifying that the Agency and the information system are performing as intended. Also used to refer to units of related data fields (i.e. groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

Remote Access – Access by users (or information systems) communicating from an external source to an information system behind a secured firewall.

Remote Maintenance – Maintenance activities conducted by individuals communicating from an external source to an information system behind a secured firewall.

Restore – The process of bringing stored data back from the offline media and putting it on an online storage system such as a file server.

Revision Control – also known as version control or source control. This is any practice that tracks and provides control over changes to source code and/or the management of multiple revisions of the same unit of information. It is most commonly used in engineering software development to manage the ongoing development of digital documents such as application source code, art resources (blueprints or electronic models) and other critical information that may be worked on by a team of people.

Risk – The level of impact on Agency operations (including mission, functions, image or reputation), Agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.

ROM – Read-Only Memory – Memory chips that store data or software and retain their contents when power is removed.

Router – A LAN/WAN device that forwards packets between networks based on Layer 3 (network) addresses of the OSI 7 Layer Reference Model; each of its interfaces also implements Layer 1 (physical) and Layer 2 (data link).

SDLC – System Development Life Cycle, see Life Cycle

Security – The establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. Measures taken by the SCRRA to protect itself against all acts designed to, or which may, impair its IT infrastructure, including measures that prevent unauthorized persons from having access to official information that is safeguarded in the interests of SCRRA security.


Security Controls – The management, operational, and technical controls (i.e. safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security Information Categories
• Confidential – Applies to the most sensitive business information which is intended strictly for use within SCRRA. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers. Examples include: passwords, encryption keys, cardholder information, bank account information, etc.
• Sensitive – Applies to less sensitive business information which is intended for use within SCRRA. Unauthorized disclosure may adversely impact the company, its member agencies, its business partners, and/or its customers. Examples include: internal market research, audit reports, etc.
• Private – Applies to personal information which is intended for use within the SCRRA. Unauthorized disclosure could adversely impact the SCRRA and/or its employees.
• Public – Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the SCRRA. Release of this information must follow the appropriate SCRRA Policy and Procedure and the Public Records Act.

Security Requirements – Requirements levied on an information system that are derived from laws, executive orders, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Server – A shared computer that supports the processing, communications, or file management of other computers on a network.

Server Room – A secure room that houses a computer or processor holding applications, files, or memory shared by users on a network.

Service Pack – A collection of patches integrated into a single large update.

Simple Mail Transfer Protocol (SMTP) – The most commonly used protocol for transferring mail between mail transfer agents.

Software – The programs, programming languages, and data that control the functioning of the hardware and direct its operations – systems software and applications.

Software License – A legal agreement between the developer and the user of software that specifies the conditions for distributing, storing, and using that software.

Software Testing – A process used to help identify the correctness, completeness, security and quality of developed computer software.

Software Upgrade – To replace a software program with a more recently released version.

Spam – Unsolicited bulk commercial email messages.

Spyware – Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge. Malware intended to violate a user’s privacy.

Standard – A directive or specification whose compliance is mandatory and whose implementation is deemed achievable, measurable, and auditable for compliance.

Subsystem – A major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.

SQL – Structured Query Language

Testing – The process of executing a program or application with the intent of finding errors; it is a comparison of actual behavior or values with the expected ones.

Testing and Revision – A documented process of periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation if necessary.

TCP/IP – Transmission Control Protocol/Internet Protocol – Two interrelated protocols for network communications routing and data transfer. TCP breaks data into segments and provides reliable, ordered delivery between endpoints; IP addresses the resulting packets and routes them between networks.

Train Control Systems – Are a collection of hardware and software equipment that monitor train locations and movements in order to ensure system safety.

User – Individual or (system) process authorized to access an information system.

User Acceptance Testing (UAT) – The process of, or an environment that enables, end-users to test a system in a controlled environment to validate and verify changes to the system ahead of deployment to production.

Volatile Memory – A storage medium that loses all data when power is removed.

Vulnerability – A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. A security exposure in an operating system or other system software or application software component.

WAN – Wide Area Network – A communications network connecting computing devices over geographically distant locations. A WAN covers a much larger area than a LAN, such as a city, state or country. WANs can use either phone lines or dedicated communication lines.

Web Page – A single page displayed by a Web browser.

Web Server – A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web Server software, and Web site content (Web pages). When the Web server is used internally and not by the public, it is known as the “intranet server.”

White List – An access list maintained by IT for the purposes of allowing access to internet sites that have been approved by the Agency.


Integrated Digital & Technology Services Policies

Table of Contents

Introduction ...... 3
IDTS-1 – Business Continuity Policy ...... 5
IDTS-2 – Acceptable Use Policy ...... 9
IDTS-3 – Change Management Policy ...... 13
IDTS-4 – Asset Management Policy ...... 17
IDTS-5 – IDTS Security Policy ...... 20
IDTS-6 – IDTS Governance Policy ...... 29
IDTS-7 – IDTS Data Center and Colocation Policy ...... 34


IDTS-1 – Business Continuity Policy Page 3

Introduction

The Southern California Regional Rail Authority (SCRRA) Integrated Digital & Technology Services (IDTS) policies provide the innovative framework for the selection and use of technology within the Agency. The policies are centered around creating a technical environment that optimizes both internal and external users’ experience through sound policy best practices.

The IDTS business unit consists of the following departments. Any deviations, exceptions or additions to IDTS policies will explicitly be indicated for the appropriate department(s) within the policy documents:
• Fare Collections Services (FCS) – ensures a seamless ticket purchase experience; designed and executed the new Ticket Vending Machine (TVM) installations; implements new features, fare products and changes to ticket pricing for paper and mobile tickets.
• Information Technology (IT) – ensures that Information Technology solutions and supporting technologies are available, secure and reliable. IT supports computer centers and operations at all agency facilities, with a primary business data center at the Dispatch and Operations Center (DOC) in Pomona and a secondary data center in Las Vegas. IT consists of the following three teams:
  1. Application Systems – manages all business applications such as Financial Information Systems, Asset Management Systems, Customer Relationship Management Systems, Business Intelligence Systems, and Content Management Systems.
  2. Infrastructure Systems – manages all infrastructure assets, which include email and user accounts, administration of SCRRA’s cloud productivity and licensing environment, Storage Area Network (SAN), servers, firewalls, switches, routers, and cybersecurity tools such as antivirus and antispam.
  3. End-user Services – manages all end-user needs such as setup, maintenance, provisioning, and configuration of desktops, laptops, mobile phones, desk phones, user accounts, conference rooms, and output peripherals such as printers, plotters and fax machines.
• Positive Train Control Network Control Operations (PTC NCO) – responsible for design, installation, maintenance, and retirement of Metrolink Operations’ Network and Infrastructure in support of dispatch and train control operations. PTC NCO also serves as Tier 2/3 Support to the PTC Helpdesk for Dispatch and Field Applications, PTC Backoffice Applications and PTC Business Applications.

SCRRA will keep all IDTS polices current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies or add new policies.


Any suggestions, recommendations or feedback on the policies are welcomed.

Revision Number | Effective Date | Description of Changes
1 | 07/28/20 | Initial version
2 | 02/26/21 | In all sections, the Positive Train Control Network Control Operations (PTC-NCO) policies are included within the Integrated Digital & Technology Services business unit due to a re-organization.



Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Business Continuity Policy NO. IDTS – 1

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

The purpose of this policy is to ensure SCRRA’s continuity of business, namely to establish an innovative and governed framework for the use of technology to safeguard SCRRA’s information assets, prevent loss of data due to accidental deletion or corruption, and facilitate timely restoration of information and business processes should a system failure occur. This policy includes details on data backup, data retention, data destruction, colocation, disaster recovery and the proper communication channels and escalations.

APPLICATION

This document applies to all Southern California Regional Rail Authority (SCRRA) entities, employees, contractors and third parties who use computing devices connected to the SCRRA network to process or store SCRRA owned data.

POLICY STATEMENT

It is the policy of SCRRA to maintain business continuity by ensuring IDTS resources are always accessible in the event of system failure or data corruption. Resources include: the network, servers, applications, databases, data and computers.

It is the responsibility of SCRRA to identify and protect data in the organization to ensure it can be recovered or restored in the event it is deleted, lost or corrupted. There are various locations that hold SCRRA owned data that must be backed up according to IDTS backup procedure. These locations include:



• 2704 North Garey Avenue, Pomona, CA 91768 (DOC)
• 2558 Supply Street, Pomona, CA 91767 (MOC)
• 2700 Melbourne Avenue, Pomona, CA 91768 (MSF)
• 7375 Lindell Road, Las Vegas, Nevada 89139 (Switch co-location “CL1”)
• Microsoft Azure Cloud (US-West and US-West1)

SCRRA IDTS is responsible for the following:

• Production data residing on servers such as databases and file servers must be backed up regularly and have replicated copies stored at an alternate location; see the Data Backup and Retention section for details
• Production data backups must be retained for a period of time; see the Data Backup and Retention section for details
• Production data backup restoration must be routinely tested
• A Disaster Recovery Plan and Procedures document must be readily available to execute and must be tested at least annually; the procedure must include the following details:
  o Authorized personnel that can declare a disaster
  o Roles and responsibilities of IT and PTC NCO staff during a disaster
  o Recovery Time Objective (RTO)
  o Recovery Point Objective (RPO)
  o Recovery test history
  o Procedure document revision history
• Protect against equipment failure, intentional destruction of data, or disaster.

1.0 DATA BACKUP AND RETENTION

To prevent loss of data due to accidental deletion or corruption, SCRRA’s information asset(s) stored on any server hosted by SCRRA IDTS, whether onsite or remote, must be backed up and replicated at a colocation at least as often, and retained at least as long, as the following schedule:

Data Classification      | Minimum Frequency                                 | IT Minimum Retention | PTC NCO Minimum Retention
Virtual machine template | Upon system change                                | 2 copies kept        | 2 copies kept
File and print server    | Daily                                             | 3 months             | Current Year + 2 Years
SQL database             | Daily                                             | 2 weeks              | Current Year + 2 Years
Oracle database          | Daily and monthly                                 | 2 weeks & 3 months   | N/A
Other server             | Varies based on criticality and data change rate  | 1 month              | Current Year + 2 Years

2.0 DATA DESTRUCTION

SCRRA data residing on any hardware storage needing to be decommissioned will require a certificate of the actual physical destruction of the hardware or of a proper data wipe using industry-standard media sanitization methods (for example, those described in NIST SP 800-88).

3.0 COLOCATION

The colocation environment is a secondary environment that plays a critical role in SCRRA IDTS’s business continuity plan. Its equipment and configuration mirrors the primary data center. For more information please see Data Center and Colocation Policy.

4.0 DISASTER RECOVERY

SCRRA IDTS must maintain Disaster Recovery Procedure documents and have them tested at least annually for accuracy, revising them as needed.

5.0 COMMUNICATIONS AND ESCALATIONS

The Disaster Recovery Procedure document must identify the specific communication and escalation channels, but in essence should include the following:
• Authorized IDTS personnel that can declare a disaster.
• Communicate disaster details such as impact, data loss (if any) and estimated recovery time to the Chief Technology Officer.
• The Chief Technology Officer will share necessary details with the Executive Leadership Team.
• IDTS will communicate information and periodic updates to staff.

EXCLUSIONS

Data that is not backed up includes all data not listed in this policy, such as:
• Data contained on users’ Microsoft OneDrive or other cloud-based storage
• Data contained on any type of removable media (e.g. flash drive, external hard drive, CD/DVD)
• Data stored locally (e.g. laptop, desktop, tablet, mobile phone, etc.)
• Data contained on servers not managed by IDTS

DEFINITION OF TERMS

see IDTS-DF Definition of Terms

REFERENCES

None

POLICY HISTORY

April 17, 2017 – New Policy and Procedures document approved
April 4, 2019 – Backup policy updated to include co-location facility and indicate minimum backup frequencies
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-2 – Acceptable Use Policy Page 9

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Acceptable Use Policy NO. IDTS – 2

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

The purpose of this policy is to establish guidelines and responsibilities for the acceptable use of Southern California Regional Rail Authority (SCRRA) information, technology assets and resources as defined herein.

APPLICATION

This policy applies to all users of SCRRA information resources, including employees, temporary employees, consultants and contractors. The policy also applies to IDTS staff responsible for system administration duties. Contractors may be subject to additional provisions in accordance with SCRRA and Contractor Agreements.

POLICY STATEMENT

SCRRA information resources are provided to establish an innovative and governed framework for the use of technology to streamline processes for SCRRA users. The innovative framework will allow users to easily perform their assigned business function and promptly locate, access and retrieve information within a safe and reliable networked environment.

SCRRA information resources are purchased with public funds and are the property of SCRRA. SCRRA information resources are intended for legitimate, business-related purposes only. Information resources include all computer hardware, software, communication facilities, telephones, cellular phones, pagers, radios, electronic messaging systems, personal digital assistants, applications, information and data – regardless of format, storage method, type, size and location – used to support the operation of SCRRA and its contractors. The policy also applies to internet access provided by SCRRA.

Each company user is individually obligated to protect all SCRRA resources and information in accordance with this policy and should any questions or concerns arise, to inform his or her immediate supervisor, Human Resources, IT, PTC NCO or the Legal Department, as needed.

SCRRA retains sole ownership rights to its information resources. Users do not have a personal privacy right in the messages or information stored in SCRRA information resources, including messages created or received via e-mail, paging or voice mail systems, or digital transmissions using SCRRA networks and equipment, except as allowed by law. Without prior notification to the user, SCRRA reserves the right to access, review, retrieve, modify, suspend, delete, remove, move, archive, encrypt, decrypt and make lawful use of any and all electronic information that is created, received, copied, stored or transmitted in whatever format on its information resources as may be required for business needs.

1.0 General Access and Use

The following activities are strictly prohibited, with no exception. The list below is by no means exhaustive but is an attempt to provide a framework for activities which fall into the category of unacceptable use or conflict with management’s ability to provide a computing environment that is controlled and secured. The following is also intended to enhance the productivity of all users.
• Accessing, viewing, or distributing inappropriate or pornographic material.
• Online gambling, including real-time gambling sites as well as other sites that allow for the ability to place wagers.
• Online gaming such as live interactive games, peer-to-peer games, or games that are based off external websites.
• Accessing any website that allows access to peer-to-peer network sharing of music files, movies, programs, or other information.
• Downloading or installing any unauthorized programs or files from the internet.
• Listening to or viewing, for any non-business-related activity, any live or real-time streaming media files.
• Unauthorized port scanning, network probing or security scanning.
• Uploading or downloading personal or company information from any Internet-based personal network storage and backup sites, unless specifically authorized by IDTS. Examples would be Box.com, Xdrive.com, Dropbox.com, Snapfish.com, Shutterfly.com, or other externally hosted sites.
• Connecting any devices to network ports or computers at any SCRRA facility without prior authorization from IDTS.

• Posting business-related information on publicly accessible information systems, websites, social networking and blogging sites unless approved by management and/or posted by appointed staff only.
• Transmitting or forwarding unprofessional or unsolicited commercial or personal electronic mail, including chain email.
• Sharing of individual passwords and credentials used for accessing systems.
• Excessive time on the internet not related to an authorized business function.
• Unauthorized use or reproduction of copyrighted software and use of unlicensed software or hardware.
• Attempting to access the information systems, files or directories of other users without proper authorization and a clear business purpose.

2.0 Acceptable Use of Personally Identifiable Information (PII)
• PII for Customers (e.g. names, addresses, credit cards, emails, phone numbers), Vendors, Employees, Contractors and government officials associated with SCRRA will be protected, secured and used as authorized for business purposes only and by authorized staff and contractors.

3.0 Monitoring
• When using SCRRA assets or devices, employees and contractors should have no expectation of privacy for any information they store, send, receive, or access via the company network. Content monitoring of email, internet traffic, encrypted login credentials and other forms of digital transmission may occur preemptively by digital agents, spam filters and other mechanisms to ensure viruses and malware are not carried in digital transmissions.
• Other monitoring, including but not limited to internet activity, email content, volume or size, and other forms of electronic data exchange, may occur in response to authorized requests from chiefs or the Office of the Legal Counsel.
• SCRRA-issued mobile phones are equipped with Mobile Device Management (MDM) tools to monitor acceptable use, limit the applications installed on the phone and prevent data theft.

4.0 Termination
• At the termination of employment or contract, the employee or contractor shall return all SCRRA-issued equipment to IT, PTC NCO or HR. Failure to do so may result in SCRRA holding the employee or contractor liable for the replacement cost of the unreturned equipment.

All authorized users must adhere to SCRRA policies and procedures related to information resources and all applicable federal, state and local laws, statutes and regulations governing electronic communications. Employees who violate this policy may be subject to disciplinary action in accordance with the Positive Discipline Policy (HR–5.3). Violations of this policy by contractors or consultants may result in termination of the users’ access or other actions as the contract may allow. Some intentional actions that violate these policies may constitute computer crimes and may result in criminal and/or civil liability.

POLICY HISTORY

March 26, 2004 – New Policy and Procedures document approved
October 3, 2011 – Revised (ADM 6 updated and renamed IT-2)
November 13, 2019 – Separated Procedures from Policy & updated Policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-3 – Change Management Policy Page 13

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Change Management Policy NO. IDTS – 3

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

The purpose of this policy document is to describe the policies and procedures employed to track and approve modifications (changes) to enterprise IDTS systems, technologies and supporting infrastructure and solutions.

APPLICATION

This policy applies to all Southern California Regional Rail Authority’s (SCRRA) entities, employees, contractors, and third parties who request changes, upgrades, or modifications to the IDTS production environment. This Policy also applies to any event that may alter the normal operating procedures and/or any change that may affect one or more of the production environments that the SCRRA network users and customers rely on to conduct normal business operations.

POLICY STATEMENT

It is the policy of SCRRA to establish a governed framework that allows for the use of a Change Management policy to support users dependent on the network, client machines, administrative systems and application programs. From time to time changes occur, both planned and unplanned, that may have an impact on the normal operations of information technology systems, train control systems and the underlying infrastructure supporting these systems. Managing these changes is a critical part of providing a robust and reliable information resources infrastructure.

Changes require planning to consider their impact on users and SCRRA. Careful monitoring and follow-up evaluation must be part of the planning process to reduce any negative impacts that may result from the change process. It is the intent of this policy to manage changes in a rational and predictable manner so that management and staff can plan accordingly. This policy is designed to control and document changes made to the software, configurations, databases, hardware, networking components and other elements that support a production application (collectively known as the IDTS Environment). Notable changes requiring Change Management are:

• Installation, removal, configuration, reconfiguration, patches and updates of infrastructure hardware on the SCRRA network.
• Standard maintenance on servers (e.g. server operating system security patches).
• Enterprise application updates, upgrades, deployments, patches, and reconfigurations.
• Group policy deployments.

Changes described above are subject to the following:

1.0 Timing of Changes

o IT will have a 24-hour window each weekend for system maintenance in which most changes will be implemented. Systems and services impacted or unavailable during this maintenance window will be communicated to all impacted users at least three (3) business days prior to performing the change.
o PTC NCO will perform system maintenance quarterly during windows of time that do not interfere with train operations.
o Additional windows for system maintenance, for urgent or small changes or for changes requiring more than 24 hours, can be requested outside of business hours at a mutually agreed upon time between IDTS and the impacted users.
o Emergency changes that impact business continuity can be made during business hours after approval from:
  . Head of the responsible IDTS Department or their designee
  . Chief or their designee of the impacted group(s)

2.0 Approval of Changes

o All changes must be tested and approved prior to the change, either by the requesting user department for business-related changes or by an IDTS Manager or above for non-business-specific changes such as infrastructure and security.
o All changes relating to rail safety, rail security and/or rail interoperability must follow the SCRRA PTC Safety Plan.

3.0 Change Management Environments

o A minimum of two environments, Production and Development, and optionally a Quality Assurance (QA) and/or User Acceptance Testing (UAT) environment, must be established for each application system. Changes must first be developed and tested in the Development environment, then migrated to the QA and/or UAT environment, and finally to the Production environment after securing the approvals for the change. A provision for falling back to the current version in the event that the new version experiences unforeseen issues must be planned for every change.
o If establishing multiple environments is not practicable and changes are implemented directly in the production environment, change management will include a test in the production environment to ensure the change functions as desired. A provision for reversing the change in the event that the new version experiences unforeseen issues must be planned for every change.
o Source code and configuration files supporting the Agency’s information systems must be under version control for proper tracking of changes and for contingency planning.

4.0 Recording of Changes

o Each change must be recorded in a Change Management request that describes the nature and purpose of the change, and the change ticket must be approved by a Manager or higher within the IDTS departments.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

1) Site HelpDesk Overview Guide
2) IDTS-5 Security Policy
3) IDTS-2 Acceptable Use Policy
4) SCRRA PTC Safety Plan

POLICY HISTORY

March 21, 2008 – New Policy and Procedures document approved
October 2, 2011 – Policy revised and expanded
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-4 – Asset Management Policy Page 17

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: Asset Management Policy NO. IDTS – 4

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

The purpose of this policy document is to describe the policies employed to manage the acquisition, use, assignment, release and disposal of IDTS Assets that include, but are not limited to, computers, software, single user applications, multiple user applications, network applications, databases and other network attached hardware or software used by the Southern California Regional Rail Authority’s (SCRRA) employees, temporary workers and contractors.

In establishing this Policy, SCRRA expects to improve asset utilization by preventing loss, managing usage, maintaining compliance, assuring availability and identifying and removing problem and dormant assets. Compliance with this policy will:

• Maximize asset operability and service life;
• Avoid redundant maintenance and warranty coverage;
• Fulfill SCRRA’s legal, statutory and audit requirements for hardware and software;
• Facilitate the management of planning, acquiring and disposal tasks for hardware and software.

SCRRA-owned computing and communications equipment is assigned to employees, temporary employees and contractors for company business only. While employees and contractors may return their equipment directly to IT or PTC NCO as applicable, hiring managers are ultimately responsible for the collection and return of equipment to the Information Technology Department (IT) and PTC Network Control Operations (NCO) immediately after any user is terminated or reassigned, voluntarily or involuntarily. Computing equipment is assigned only to a designated user or use by IDTS, which is responsible for the inventory and control of this equipment.

APPLICATION


The Policy applies to all SCRRA entities and third parties who use computing devices or data owned by SCRRA.

POLICY STATEMENT

Assets acquired for, or on behalf of, SCRRA are wholly owned by SCRRA. It is the policy of SCRRA to establish a governed framework that allows for the use of innovative procedures to maintain accurate records of assets whose value and useful life impact the overall operation of SCRRA. The policy is as follows:

• Equipment Request – all new equipment requests exceeding a value of $100 must be submitted using the Equipment Request Form (ERF) from the appropriate IDTS Department(s) and are subject to availability of budget funding.
• Equipment Acquisition – all IDTS hardware and software are purchased consistent with established procurement policies. All equipment exceeding a value of $500 must have an asset tag and be tracked in the Asset Management Solution.
• Equipment Disposal – all IDTS hardware and software to be disposed of will be handled in accordance with established procurement policies. SCRRA data residing on any storage hardware being disposed of will require a certificate of the actual physical destruction of the hardware or of a proper data wipe using industry standards.
• Equipment Assignment and Release – all assigned and unassigned equipment with asset tags must be reflected in the Asset Management System to ensure accurate tracking of assets.
• Equipment Management – hardware and software assets must comply with federal and state regulations, as well as applicable licensing and copyright laws. Software license assignment and renewal information will be maintained.
• Loaned Equipment – IDTS equipment that is loaned or temporarily assigned to users does not require updates to the Asset Management System but will instead be tracked in the Helpdesk Ticketing System.
• Lost or Stolen Equipment – any lost or stolen equipment must be reported to IDTS immediately. The user of lost or stolen equipment may be held liable for its replacement value at the sole discretion of IDTS. Replacement chargeback may be excused with proof of a police report.
• Equipment Installation – IDTS equipment is to be installed and configured by the appropriate IDTS Department unless exceptions are made and approved by IDTS. Any software installed on a SCRRA device without prior approval can be uninstalled and is subject to data loss. Any hardware installed on the SCRRA network without prior approval is subject to immediate removal.
• Equipment Lifecycle – all equipment in the Asset Management System should include an anticipated end-of-life date to allow SCRRA to identify if and when equipment should be replaced.
• Annual Audit – the IDTS department will perform an annual physical audit of all active equipment in the Asset Management Solution.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

IDTS-2 IT Acceptable Use Policy
IDTS-6 IT Governance Policy

POLICY HISTORY

March 21, 2008 – New Policy and Procedures document effective
October 3, 2011 – Policy revised
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-5 – IDTS Security Policy Page 20

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: IDTS Security Policy NO. IDTS – 5

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

This document provides an overview of the security requirements of the Southern California Regional Rail Authority (SCRRA) systems. Additionally, it describes controls implemented to meet those requirements.

APPLICATION

The IDTS Security Policy applies to all SCRRA entities and third parties who use computing devices owned, leased or connected to SCRRA’s network. Additionally, it applies to those who process or store critical data owned by SCRRA.

POLICY STATEMENT

It is the policy of SCRRA to establish a governed framework that allows for the use of innovative technology to safeguard file integrity and to maintain security for users, the network, computers, servers, applications, databases, remote access and other network-attached devices within the SCRRA infrastructure. This policy:

• Protects the infrastructure against the inappropriate use of data;
• Prevents users from gaining access rights that they are not qualified to receive;
• Protects applications against intrusion, malware, virus attacks, data loss, etc.; and
• Protects against equipment failure, intentional destruction of data, or disaster.

The Policy mitigates risk with a combination of technical, management and operational security controls. Security controls, when used appropriately, can limit, detect or prevent threat-sourced impairments to SCRRA’s productivity.

1.0 USER PRIVILEGES

• Usernames and Passwords
  o User access privileges are authorized based on need and are provided only with an approved System Request Form (SRF) from the appropriate IDTS Department(s). An SRF must be authorized by the employee’s or contractor’s manager or above.
  o Every user has a unique username assigned by IDTS and a user-selected password that provides access to SCRRA’s computers, networks and applications connected to the network.
  o A user is not permitted to use a non-authenticated (no password) User ID or an ID that is not associated with that user. Shared or group User IDs are NOT permitted for user-level access; exceptions may be made where practicable but are subject to IDTS approval. Service accounts may also be created and used under IDTS’s supervision and approval.
  o Passwords must be changed at least every 180 days.
• Account Expiry
  o Human Resources is to notify IDTS of employee accounts to be disabled due to the user’s departure from SCRRA within 24 hours of such termination becoming effective. Similarly, hiring managers, or above, of contractors are to notify IDTS of user accounts to be disabled when a contractor separates from SCRRA. Such notification is submitted using the SRF. In the case of an extended leave of absence, Human Resources or the hiring manager may request that a user account be suspended, during which time the account is disabled and cannot be used until re-enabled.
  o User account expiration dates for contract and/or temporary employees are determined by a termination date reflecting the end of the contractor’s assignment with SCRRA. A termination date is required on all non-SCRRA-employee SRFs and cannot be more than 12 months ahead. Upon account expiration, the account’s sponsor is required to submit a new SRF to renew the expired account.

At a minimum frequency of every 180 days, IDTS will perform an audit of inactive and/or terminated employees and contractors and ensure that their access has been revoked from all systems.

Employees and contractors who have not logged into an application for 6 months or longer will be subject to an audit, and their access will be revoked after confirming with the user’s manager or the head of their department.

2.0 USER ACCESS LIMITATIONS

• Internet access is a privilege which is controlled and limited to those business uses that are being performed by the requestor. SCRRA reserves the right to monitor internal usage and to limit access to restricted content and sites.
• Internet access to restricted sites can be enabled after the approval of the user’s manager with appropriate business justification.
• User access to external resources is limited to the standard ports 80 and 443 only, unless other provisions have been made.

3.0 NETWORK (ACTIVE DIRECTORY) SECURITY POLICY

• Active Directory passwords are a minimum of ten (10) characters in length. Passwords must contain at least one lower-case letter, at least one upper-case letter, at least one numeral and at least one special character. Passwords must also not contain SCRRA references, common dictionary words or fragments of them.
• Each user is prompted to create a new User Password at least every one hundred eighty (180) days.
• Users may not reuse their last 10 previous passwords.
• Sharing of passwords is strictly prohibited, and users doing so are liable to have their account access revoked.
• If a password is forgotten by its user, the user must arrange with the IDTS HelpDesk (for corporate IT access) or PTC NCO (for train control access) to create a new password.
• If five (5) consecutive user login attempts fail, the system will lock the account for fifteen (15) minutes. IDTS will unlock the account after the user’s identity is verified.
• When the unauthorized use of a User ID is confirmed or suspected, IDTS must disable the account and coordinate with the user to change their password.
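The rules above as a checker, added here as an illustration and not part of SCRRA’s policy or tooling. The built-in Active Directory complexity setting enforces length and character classes but does not check for agency references or dictionary fragments, so the last rule in the first bullet needs a separate control; the Python below shows what a check of all the section 3.0 rules looks like, together with the 10-password history, the 180-day maximum age and the five-failures, fifteen-minute lockout. The agency word list, the small dictionary and the PBKDF2 hashing are assumptions made for illustration.

```python
"""Checks for the IDTS-5 section 3.0 password and lockout rules.

Added example, not SCRRA code. The numeric limits come from the policy
text; the word lists and the hashing scheme are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 10
HISTORY_DEPTH = 10           # the last 10 passwords may not be reused
MAX_AGE_DAYS = 180           # a new password at least every 180 days
LOCKOUT_THRESHOLD = 5        # five consecutive failures ...
LOCKOUT_SECONDS = 15 * 60    # ... lock the account for fifteen minutes

# Assumed blocklists: a real deployment loads a full dictionary plus the
# agency's own names and acronyms. AD complexity rules do not check these.
ORG_REFERENCES = {"scrra", "metrolink", "idts", "ptc"}
DICTIONARY = {"password", "welcome", "summer", "winter", "railway", "train"}


def policy_violations(candidate: str) -> list[str]:
    """Return the section 3.0 rules the candidate breaks (empty list = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    # "must not contain SCRRA references, common dictionary words or fragments":
    # substring matching catches Metrolink2021! as well as Summer!Summer.
    for word in sorted(ORG_REFERENCES):
        if word in lowered:
            problems.append(f"contains agency reference '{word}'")
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash the directory really uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    last_change: float = 0.0   # epoch seconds of the last successful change
    failures: int = 0
    locked_until: float = 0.0

    def set_password(self, new: str, now: float) -> list[str]:
        """Apply complexity and history rules; return violations (empty on success)."""
        problems = policy_violations(new)
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(new, salt), digest):
                problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history = (self.history + [(salt, _digest(new, salt))])[-HISTORY_DEPTH:]
        self.last_change = now
        return []

    def password_expired(self, now: float) -> bool:
        """True once the 180-day maximum age has elapsed."""
        return now - self.last_change >= MAX_AGE_DAYS * 86400

    def login(self, attempt: str, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'; five failures lock for fifteen minutes."""
        if now < self.locked_until:
            return "locked"
        if self.history:
            salt, digest = self.history[-1]
            if hmac.compare_digest(_digest(attempt, salt), digest):
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "failed"

    def unlock(self) -> None:
        """Manual unlock by IDTS once the user's identity has been verified."""
        self.locked_until = 0.0
        self.failures = 0
```

In a domain deployment the length, character-class, history, age and lockout values map directly onto the default domain password policy (the same five numbers go into Set-ADDefaultDomainPasswordPolicy), while the reference and dictionary checks need a password filter or a password protection service in front of the directory; the point of the example is that the first four settings alone do not satisfy the last sentence of the first bullet.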

4.0 DATABASE SECURITY POLICY

• Users have limited or no direct access to database servers. Access may be granted with approval from the user’s manager and with business justification via SRF, subject to IDTS approval.
• Database servers are not exposed beyond any firewall.
• Database servers are configured to accept connections only from trusted IP addresses.

• Connections to database servers from secured applications/application servers shall be properly configured. Connections shall use trusted IP addresses only.
• Only Database Administrators and the Chief Technology Officer (or designee) may grant access to update the database system.
• Database Administrator (DBA) accounts are secured with non-default passwords. The new passwords are recorded by the Network Engineer and the Database Administrator and stored in a secure location.
• Database server passwords and database passwords comply with the criteria listed in this policy.

5.0 NETWORK EQUIPMENT SECURITY POLICY

• Access to SCRRA routers, switches and any other network devices is restricted to authorized IDTS employees or contractor personnel.
• Default passwords on any network device are changed upon receipt of a new or replacement device. New administrator passwords are assigned and documented.
• IDTS will establish and manage Demilitarized Zones (DMZs), as necessary, to separate external-facing devices from internal networks.
• Any network changes and configurations are to be documented and stored in a secured location. All changes must be tested and validated by the network team.
• IDTS manages the firewall rules that govern access to servers, the network, websites, applications and other traffic. Any requests to modify the configurations must be submitted via the Helpdesk Ticketing System and approved by IT for the corporate IT network, and via the Train Control Ticketing System and approved by NCO for the Train Control network.
• VPN tunnel connections are limited to authorized outside entities only.

6.0 NETWORK ATTACHED DEVICE POLICY

• Network-based and host-based security programs are employed to detect malicious activity, protect systems and data, and support incident response efforts.
• IDTS must approve, and reserves the right to remove, any device connecting to the SCRRA network.
• The Change Management process approves and releases security patches and update files to all connected workstations.
• Network-attached devices must use an enterprise-licensed antivirus with a current signature file, updates and definitions.
• All networked workstations are configured for automatic update of security-related patches.

• All remote workstations (laptops) must be connected to the network at least once a month to receive security patches and current policies.

7.0 PHYSICAL ACCESS POLICY

• Physical access controls restrict the entry and exit of personnel, equipment, and media from SCRRA locations, including locations that contain system hardware, wiring used to connect elements of the system, electric power, backup media and other elements of the SCRRA operating network.
• Access to locations such as, but not limited to, data centers, inventory storage locations, Intermediate Distribution Facilities (IDFs) and Main Distribution Facilities (MDFs) is controlled through approved badge access. Access to these locations is audited and monitored on a periodic basis to prevent unauthorized access.
• For more information on Data Center access please see the Data Center and Colocation Policy.

8.0 REMOTE ACCESS POLICY

• Remote access may be granted to any employee or contractor; all remote access requests are subject to approval from the user’s manager via the SRF for the appropriate IDTS Department (i.e. IT for the corporate IT VPN, PTC NCO for the Train Control VPN).
• Remote access shall be granted and secured through virtual private networking (VPN).
• VPN access will require multifactor authentication: Active Directory credentials combined with a second factor such as a user certificate and/or token authentication (credentials alone are a single factor and do not satisfy this requirement).
• VPN access logs will be maintained for all successful and failed login attempts, as well as the dates and times each user connected and disconnected in each user session.

9.0 INTERNET SECURITY POLICY

• Internet access is a privilege which is controlled and limited to those business uses that are being performed by the Requestor. SCRRA reserves the right to monitor internal usage and to limit access to restricted content and sites.
• IDTS maintains a White-List of approved sites that may be accessed.
• IDTS maintains a restricted access list of sites and employs a site filter that blocks access to:
  o Adult-oriented sites;
  o Pornographic and sexually explicit sites;
  o Terrorist or criminal skills sites;
  o Gambling or gaming sites;
  o Violence or weapon sites;
  o Hate sites;
  o Drugs, alcohol, and tobacco sites;
  o Hacking sites;
  o Glamour and intimate apparel sites;
  o Personals and dating sites;
  o Remote proxy sites;
  o Other sites as deemed by the IT staff.

• Streaming protocols are disabled by default. Access to streaming sites will be allowed only with the approval of the Chief Technology Officer or their designee.
• Access to “Chat” sites is disabled by default.

10.0 EMAIL SECURITY POLICY

• Email access is a privilege which is controlled and limited to those business uses being performed by the Requestor. SCRRA reserves the right to monitor internal usage and to limit access to restricted content and sites. Email systems are managed and protected across SCRRA in accordance with common standards and procedures.
• Attachment Type Limitations – Email attachments received by SCRRA Email servers are filtered to exclude specific filename extensions (e.g. .exe, .com) as may be determined to be a security threat by IT.
• Attachment Size Limitations – Email attachments sent from and/or received by SCRRA Email servers are subject to a file size limit determined by IT based on bandwidth and user requirements.
• Conveyance of Confidential or Sensitive Information – Users of all SCRRA Email systems must be informed that information that originated in, or was received through, Email messages is not necessarily encrypted and should not be considered confidential or unaltered. Unencrypted Email will not be used for the conveyance of personal or sensitive information.
• Email Relay – All SCRRA-hosted Email systems are configured to prevent use by third parties as Email relay platforms unless authorized by IT.
• Email Systems – SCRRA IT operates centrally managed Email systems that support the needs of staff and contractors. No other Email servers shall be permitted on the network.
• SMTP Protocol – Only SCRRA Email systems are permitted to send and receive Simple Mail Transfer Protocol (SMTP) traffic to and from the Internet. All other devices are blocked (for SMTP traffic) at the Internet Router.
• Encryption of Web-based Access – Client access to Email must use a minimum of 256-bit encryption for authentication to protect account passwords. Web clients may use a secure web server over HTTPS (TLS; the older SSL protocol versions are deprecated and should be disabled). POP and IMAP clients may use the secure POP or IMAP variants over TLS connections. Clients with direct Linux or Unix shell client software may use a secure encrypted protocol such as SSH to log in to the server.
• Patch Management – Servers must be updated with new security patches for both the Operating System and mail server applications as those patches are released by vendors.
• Virus Detection and Removal – Active anti-virus detection and quarantine software or services protect all servers. Where possible, these anti-virus applications are configured for the automatic update of virus signatures. Additionally, anti-virus gateways are used to scan inbound and outbound messages.
• Compromised Account – When the unauthorized use of a User ID is confirmed or suspected, IT must disable the account and coordinate with the user to change their password.

11.0 CONFIDENTIALITY DISCLOSURE AGREEMENT

• System administrators are specialized users that have unique access to systems, software services and data. These specialized roles allow for the support and administration of software packages, supporting computer architectures and underlying networks. Only specifically qualified staff are designated as Systems Administrators and granted System Administrator Authorities. Granting of such authority must be approved in advance by the system owner and the Chief Technology Officer, at the sole discretion of the Chief Technology Officer. All staff designated as System Administrators must complete and have on file a current Confidentiality Disclosure Agreement (CDA) or equivalent, such as a Non-Disclosure Agreement (NDA), which confirms that the designated System Administrator understands the responsibilities and accountability of the role.
• Any IDTS personnel, whether employee or contractor, who are not system administrators but still have any level of exposure to SCRRA’s infrastructure, technology or proprietary information may still be subject to completing the CDA or NDA.

12.0 SOCIAL MEDIA POLICY

• One of the primary ways that SCRRA communicates with its customers, employees and other stakeholders is through its external and internal websites via the Internet and Intranet, respectively.
• SCRRA believes in fostering a robust online community that supports agency objectives by engaging in constructive and informative dialogue with customers and employees through blogs, social networking, wikis, and other web-based social media. SCRRA’s ability to reach its customers, employees, and other stakeholders directly is crucial to adequate dissemination of information.
• In order to maximize and maintain SCRRA’s messaging and branding and limit its liability, it is critical that all web communications and online postings to official SCRRA websites for external audiences be authorized and approved by SCRRA’s Communications department.
• Only individuals authorized by the Chief of Marketing and Communications Officer (CMCO) or designee are permitted to create, maintain and participate in an official SCRRA blog, social networking and/or social media site on behalf of the CEO. No other person or department is authorized to engage in online discourse to external audiences without the specific consent of the CMCO.

13.0 ALERT AND LOG MANAGEMENT POLICY

• Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing audits and identifying operational trends and long-term problems.
• Logs will be periodically reviewed to proactively detect suspicious or malicious activity.
• Systems will be configured and monitored for the following events:
  o Server/device restarts/resets;
  o Loss of time-sync between devices;
  o Access and configuration changes;
  o IP and denial-of-service attacks;
  o Virus detection, quarantine and removal;
  o Malware and spyware attacks.
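A small review pass over constructed log lines, added here as an illustration and not SCRRA’s monitoring tooling, showing how the event classes in the list above translate into detection logic that can run over exported logs. The syslog-style line format, the hostnames and program names, the sample lines themselves and the five-dropped-SYNs-per-minute flood threshold are all assumptions; real rules would be tuned to the exporters actually in use.

```python
"""Review pass for the IDTS-5 section 13.0 event classes over constructed log lines.

Added example, not SCRRA tooling. Hostnames, programs, line format and the
SYN-flood threshold are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample log in a syslog-like shape: "<ISO time> <host> <program>: <message>".
SAMPLE_LOG = """\
2021-02-12T01:58:10 srv-db01 systemd: Started PostgreSQL database server.
2021-02-12T01:58:12 srv-db01 sudo: jdoe : COMMAND=/usr/bin/vi /etc/postgresql/pg_hba.conf
2021-02-12T01:59:01 srv-web02 ntpd: no servers reachable, unsynchronized
2021-02-12T02:00:05 fw-edge01 kernel: DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443 SYN
2021-02-12T02:00:05 fw-edge01 kernel: DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443 SYN
2021-02-12T02:00:06 fw-edge01 kernel: DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443 SYN
2021-02-12T02:00:06 fw-edge01 kernel: DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443 SYN
2021-02-12T02:00:07 fw-edge01 kernel: DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443 SYN
2021-02-12T02:00:07 fw-edge01 kernel: DROP SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP DPT=22 SYN
2021-02-12T02:03:30 ws-0417 clamd: /home/asmith/Downloads/invoice.pdf.exe: Win.Trojan.Agent FOUND, moved to quarantine
2021-02-12T02:05:00 srv-web02 systemd: System is rebooting.
2021-02-12T02:05:45 srv-web02 sshd: Accepted publickey for deploy from 10.20.30.40 port 51122
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
DROP_RE = re.compile(r"\bDROP\b.*\bSRC=(?P<src>\S+).*\bSYN\b")

# One pattern per policy event class; matched against "<program>: <message>".
EVENT_RULES = {
    "restart": re.compile(r"\b(?:reboot|restart|shutdown|reset)", re.I),
    "time-sync": re.compile(
        r"\b(?:ntpd|chronyd|w32time)\b.*(?:unsynchroni[sz]ed|no servers reachable|offset)", re.I),
    "access-change": re.compile(
        r"\bsudo\b.*COMMAND=|\b(?:useradd|usermod|passwd|chmod|Group Policy)\b"
        r"|Accepted (?:publickey|password)|Failed password", re.I),
    "malware": re.compile(r"\b(?:FOUND|quarantined?|malware|spyware|virus)\b", re.I),
}


def parse(text: str) -> list[dict]:
    """Split raw lines into ts/host/prog/msg dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event: dict) -> list[str]:
    """Names of every event class whose pattern matches the line (may be several)."""
    probe = f"{event['prog']}: {event['msg']}"
    return [name for name, rule in EVENT_RULES.items() if rule.search(probe)]


def syn_floods(events: list[dict], threshold: int = 5) -> list[dict]:
    """Dropped SYNs per (source, minute); a count at or above threshold is flagged."""
    buckets = Counter()
    for ev in events:
        m = DROP_RE.search(ev["msg"])
        if m:
            buckets[(m.group("src"), ev["ts"][:16])] += 1   # ts[:16] is the minute
    return [{"src": src, "minute": minute, "count": n}
            for (src, minute), n in sorted(buckets.items()) if n >= threshold]


def review(text: str, syn_threshold: int = 5) -> dict:
    """Group findings by event class; the 'dos' key holds the flood summaries."""
    events = parse(text)
    findings = defaultdict(list)
    for ev in events:
        for name in classify(ev):
            findings[name].append((ev["ts"], ev["host"], ev["msg"]))
    findings["dos"] = syn_floods(events, syn_threshold)
    return dict(findings)


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

The single-line matches cover five of the six classes directly; the denial-of-service class is the one that cannot be judged from one line, which is why it is handled by counting dropped SYNs per source and minute rather than by a pattern. Virus and malware/spyware are folded into one rule because antivirus exporters report both the same way.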

14.0 THIRD PARTY CONTRACTOR SERVICE SECURITY POLICY

• Contractors are employed by the IDTS departments to augment the work performed by agency employees. Contractors may have privileged access to information and systems. All contractors employed by the IDTS departments must have a background check performed before they can begin work at the agency. In the event a contractor is hired to perform time-sensitive tasks on critical projects, the background check must be performed within three (3) weeks of the contractor joining the IDTS team.

15.0 DATA INTEGRITY POLICY

• Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.

• Access to data categorized as “Confidential” or “Sensitive” under the Security Information Categories shall be limited to authorized persons whose job responsibilities require it, as determined by the Human Resources Department and/or the user’s manager.

16.0 USER CYBERSECURITY TRAINING POLICY

• All new hires who are provided with a SCRRA email address, whether employees or contractors, are required to attend and pass the cybersecurity training course provided by IDTS.
• All personnel with a SCRRA email address must also attend and pass annual cybersecurity training provided by IDTS.
• Personnel who do not have a SCRRA email address but have access to the SCRRA network may still be required to partake in cybersecurity training as determined by IDTS.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

1) Critical data is defined as data that, when absent or compromised, will interfere with the daily operations of SCRRA.
2) Payment Card Industry Data Security Standard (PCI DSS) – PCI DSS applies to organizations that “store, process or transmit cardholder data” for credit cards.
3) The IDTS Data Classification Guidelines document further identifies the types of data that belong under particular Security Information Categories (Confidential, Restricted, Private, Public).
4) IDTS-2 Acceptable Use Policy
5) IDTS-7 Data Center Policy

POLICY HISTORY

March 21, 2008 – Security Policy document approved
October 3, 2011 – Security Policy updated and revised
November 13, 2019 – Security Procedures separated from Policy, and updates to Policy
June 26, 2020 – Presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – Incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy


Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-6 – IDTS Governance Policy Page 30

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: IDTS Governance Policy NO. IDTS – 6

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

To establish the process for prioritization, requirements definition, user participation and rollout for the development and implementation of major and minor projects, individual requests and unforeseen activities including but not limited to the development, deployment, provisioning and integration of requested communication/information technologies.

APPLICATION

This policy and procedures document applies to all SCRRA entities, employees, contractors and third parties who request a new project that affects the current IDTS environment, including additions or changes to hardware, software or applications; modifications to configurations; additions, deletions or changes to the LAN/WAN, network or server hardware and software; and any other addition, change or modification that significantly affects the SCRRA computing environment (e.g. electrical, cooling, physical access).

This policy applies to any new project that may change or affect one or more of the environments that the SCRRA network users and customers rely on to conduct normal business operations.

POLICY STATEMENT

It is the policy of SCRRA to provide strong support for the users who depend on the network, client machines, administrative systems and application programs. As the business environment changes and new technologies emerge, SCRRA must adopt and implement these new technologies. Managing these changes is a critical part of providing a robust and valuable information resources infrastructure.

The governance policy provides a broad framework that covers everything from large-scale projects prioritized by a steering committee to small individual user requests. It is our policy to ensure that, regardless of the scale of work, users receive the most advantageous and cost-effective solution and IDTS delivers a structured approach to that solution. It also sets out the governance for IDTS’s response to unplanned incidents.

1.0 Technology Steering Committee

• A Technology Steering Committee will be established comprising a subset of members of the executive leadership (by rotation) and the Chief Technology Officer. The role of the Technology Steering Committee will be to:
o Assign priorities for large technology-related projects. Large projects are those that involve new technology or changes to technology involving multiple user departments.
o Ensure that technology projects are adequately funded.
o Review and approve project scope and plans for all new technology-related projects.
o Ensure that appropriate business process protocols are considered during any implementation.
o Resolve scope or process issues encountered during implementation of technology projects.
• The Technology Steering Committee will meet at least once a quarter, with the provision of holding an ad-hoc meeting should one be needed or requested.
• At each meeting, IDTS will present projects with business case, anticipated costs and timelines, as well as key project staff, to the Technology Steering Committee for their consideration. In addition, IDTS will also present compatibility with existing systems, adherence to technology standards and future technology considerations where applicable.

2.0 Project Management

• IDTS will engage with the business users and teams to learn about new projects and requirements. IDTS will engage business users when rolling out a new technology, discussing a new business need, issues with an existing technology solution, or an existing system upgrade.
• IDTS will leverage the IDTS Project Management document as a framework that outlines the applicable steps in the lifecycle of a project, including:
o Stakeholder identification
o Stakeholder buy-in
o Project staffing - both IDTS and business resources
o Business process analysis
o Scope definition
o Testing and environment plan
o Development and deployment processes
o Training plan
o Systems documentation and end-user guides
o Project timeline and funding plan

3.0 Call Management

Information Technology (IT)
• It is the policy to staff a HelpDesk dedicated to capturing, tracking, escalating and coordinating the resolution of issues related to the Authority’s Information Technology systems and assets. The HelpDesk is supported by an issue tracking and management solution (HelpDesk system) that is used to collect, track and provide reporting on the type, disposition, work performed and ultimate resolution of issues reported.
• The HelpDesk is available to support end user requests during business hours, 8:00am PST to 5:00pm PST Monday through Friday (except company holidays), by calling 213-452-0411, and outside these hours and on holidays for urgent requests by calling 213-452-0412. The HelpDesk can also be contacted via email at [email protected].
• HelpDesk staff will attempt to resolve the issue based on priority and may transfer the issue to another member of the IT staff if specialized application or infrastructure resolution is needed.
• Upon resolution of an issue, users will be notified by an email from the HelpDesk system, with a request for comments and a service rating on the quality of service delivered.
• Response time, open tickets and user comments will be monitored by IT management as a Key Performance Indicator (KPI).

PTC Network Control Operations (PTC NCO)
• It is the policy to staff a Train Control HelpDesk dedicated to capturing, tracking, escalating and coordinating the resolution of issues related to the Authority’s Train Control systems and assets. The Train Control HelpDesk is supported by an issue tracking and management system that is used to collect, track and provide reporting on the type, disposition, work performed and ultimate resolution of issues reported.
• The Train Control HelpDesk is available to support end user requests 24x7 by calling 888.446.9720. The Train Control HelpDesk can also be contacted via email at [email protected].
• Train Control HelpDesk staff will attempt to resolve the issue based on priority and may transfer the issue to another member of the PTC NCO staff if specialized application or infrastructure resolution is needed.

4.0 Incident Response

In addition to planned projects and user requests, IDTS may need to respond to unforeseen or unplanned events and incidents such as natural disasters, acts of terrorism, cybersecurity breaches or sabotage. While the type and scale of each incident may vary significantly, the IDTS Governance Policy stipulates three types of incident response frameworks that will be leveraged to mitigate and minimize disruption to the business and to foster business continuity.

• Level 3 Incident
o IDTS will support the Agency’s Incident Response Plan (IRP) for incidents categorized as Level 3 incidents, defined as “Major incidents or accidents to Metrolink trains, which result in injuries or deaths to passengers or crew members.”
o IDTS’s response to a Level 3 incident is detailed in the Incident Response Plan (IRP) document, in the section titled Organization and Assignment of Responsibilities, under Information Technology and Positive Train Control C&S Systems Team, where applicable.
o IDTS will support mock drills to simulate a Level 3 incident and ensure preparedness of the IDTS team to mitigate such an incident.
• Cybersecurity Incident
IDTS will prepare a Cybersecurity Incident Response Plan to outline the steps needed to mitigate and recover from a cybersecurity incident. Examples include:
o Loss or theft of SCRRA customers’ Personally Identifiable Information (PII) or credit card information.
o Denial of Service (or similar) attack that prevents use of the Agency’s website(s) by the general public or the Agency’s customers.
o Loss, theft, breach or compromised integrity of a business application or infrastructure caused by malicious or suspicious third parties using email, viruses, malware or other means.
• Disaster Recovery Incident
o IDTS will prepare a Disaster Recovery and Business Continuity Plan to outline steps to deal with the loss of major system(s) or service(s).
o The plan will leverage redundant or standby infrastructure to re-establish systems and services as a stop-gap arrangement while the original system is recovered. The plan determines recovery point objectives (RPO) and recovery time objectives (RTO) for each system and service, based on the criticality of the system or service to the business.
o The Disaster Recovery and Business Continuity Plan is used in conjunction with the Level 3 incident and/or Cybersecurity Incident response if the cause of the disaster is a Level 3 incident or a Cybersecurity Incident.
o Disaster recovery will comply with IDTS-1 Business Continuity Policy.

DEFINITION OF TERMS

See IDTS-DF Definition of Terms

REFERENCES

1) IDTS-1 Business Continuity Policy
2) IDTS-5 Security Policy
3) Incident Response Plan (IRP)
4) IDTS Project Management

POLICY HISTORY

March 3, 2011 – New Policy and Procedures document approved
November 13, 2019 – 4 Policies (Steering Committee, Project Management and Initiation, Call Management and Incident Response) merged into IT Governance Policy. Policy separated from Procedures
June 26, 2020 – presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer


IDTS-7 – IDTS Data Center Policy Page 35

Southern California Regional Rail Authority Integrated Digital & Technology Services Policies

TITLE: IDTS Data Center and Colocation Policy NO. IDTS – 7

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: February 26, 2021 REVISION: 10.0

PURPOSE

Data centers house critical information assets belonging to the Agency. These information assets are critical to supporting the operating needs of the Agency. The purpose of this policy is to establish guidelines for the proper maintenance and protection of the data center, to ensure continued and optimal use of and access to the assets contained therein. The policy applies to data centers hosted in-house by SCRRA and to those hosted by third-party providers (colocation).

APPLICATION

This policy applies to all Southern California Regional Rail Authority (SCRRA) owned or leased data centers.

POLICY STATEMENT

The IT department, in collaboration with PTC, manages several data centers that house critical technical infrastructure such as servers, switches, routers, HVAC systems, power systems, etc. The policies described herein are the responsibility of the IDTS Departments, with the Director of each team accountable for their implementation.

1.0 Physical Access

Physical access to data centers and supporting infrastructure facilities (e.g. MPOE – Minimum Point of Entry, MDF – Main Distribution Frame, IDF – Intermediate Distribution Frame, etc.) will be provided through electronic access cards to IDTS-authorized personnel only. Access privileges will be granted to individuals who have a legitimate business need to be in the data center and supporting infrastructure facilities on a regular basis. Anyone without authorized access (e.g. vendor, employee, contractor) must be accompanied by an authorized access card holder at all times. Physical access must be monitored periodically to detect any unauthorized access. All issued identification must be worn at all times while in the data center and supporting infrastructure facilities.

Any access card may be used only by the individual to whom it has been issued for obtaining access. Access cards may not be loaned or exchanged between individuals for any reason. Abuse or misuse of access cards may result in removal from the Building and denial of future access. Data center doors should be locked at all times.

Security Operations Center and Colocation Security must be notified of terminated employees and contractors to have their access revoked immediately. To safeguard SCRRA’s data center and infrastructure, IDTS may revoke data center access from anyone at any time with Chief Technology Officer or designee’s approval. Data center access is also subject to annual review and audit.

2.0 Fire and Hazardous Materials Protection

Data centers must be equipped with approved temperature and smoke detection and fire suppression systems. Data centers must be equipped with fire extinguishers. Fire extinguishers must be inspected twice a year. All cabling used must meet national electrical and fire standards. No exposed cables shall be installed under raised flooring. The following items are not permitted in the building: alcohol, controlled substances, explosives, flammable liquids, gases or chemicals, chemical agents, weapons of any kind, wet cell batteries and all similar equipment and materials. Should any hazardous materials be released in or around the premises, the IDTS department heads must be promptly notified and corrective action taken immediately.

3.0 Data Center Etiquette

• Smoking, eating or drinking inside the data center is not permitted. No food or drink is allowed on the data center premises. To further maintain a clean environment, no packing materials may be brought into the data center. Alcohol and illegal controlled substances shall not be allowed on the premises. No person under the influence of these substances is permitted on the premises.
• Unless otherwise expressly permitted by IDTS in writing, non-essential items, refuse and/or packing materials are prohibited from entering data centers and supporting infrastructure facilities, including but not limited to: boxes, crates, corrugated paper, plastic, foam packing materials.
• Under no circumstances should anyone take any of the following actions without the prior knowledge, consent and oversight of the Technology Steering Committee:
a) Change the configuration within the data center.
b) Tamper with or interfere with the normal function of the transformers or Power Distribution Units (PDU).
c) Tamper with or interfere with the normal function of the air conditioning units.
d) Plug any device into another cabinet’s power supply.
e) Remove any cables or power connections from equipment other than those covered by an approved change order.

4.0 Data Center Design and Maintenance

• UPS systems in the data center must be sized to meet current and future needs, with sufficient battery backup to allow for a controlled shutdown of primary servers in case of a power outage. UPS systems must be designed, installed and maintained by authorized electricians and technicians and housed in a secure location. UPS systems must follow the manufacturer’s recommended maintenance schedule. UPS systems must have bypass capability to allow for periodic maintenance.
• HVAC - Cooling and related equipment must be sized to account for the cooling load of all equipment and the cooling load of the building (lighting, power equipment, personnel, building envelope). Sizing should account for appropriate future growth projections. All cooling equipment must be designed, installed and maintained by qualified technicians and must meet local and state codes. All cooling equipment must follow the vendor’s recommended maintenance schedule. Air filtration media should be installed at air intake points.
• Technology Infrastructure Installation and Maintenance - All equipment in the data center must be clearly labelled and inventoried. New equipment installation or removal must follow the Change Management Policy, IDTS-3.

DEFINITION OF TERMS

See IDTS – DF Definition of Terms

REFERENCES

IDTS-3 Change Management Policy

POLICY HISTORY


April 6, 2018 – IT Data Center Policy documented and approved
November 13, 2019 – Separated procedures and updated policy
June 26, 2020 – presented to Executive Committee, awaiting Board approval on July 24
July 24, 2020 – New policy document was approved by the Board
December 29 – incorporated PTC Network Control Operations into IT Policy that is now known as the IDTS Policy

Approvals Chief Technology Officer Legal Counsel Chief Executive Officer

TITLE: Definition of Terms NO. IDTS- DF

ORIGINATING UNIT: Integrated Digital & Technology Services

EFFECTIVE DATE: October 03, 2011 REVISION: 3.0

1.0 DEFINITION OF TERMS

Access – The ability to read, write, modify or communicate data/information or otherwise use any system resource.

Access Controls – Rules for limiting access to safeguard systems and data at all times and under all conditions.

Access Rights – A method of administering permissions to specific users and groups of users. These permissions control the ability of the users affected to view or make changes to the contents of the file system.

Accountability – The security goal that generates the requirements for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Agency – For purposes of the IDTS Policies and Procedures, the Agency or the Authority is SCRRA.

Archive – (1) A long-term storage media, often on magnetic tape, for backup copies of files or files that are no longer in active use (2) to move data to a less accessible or less expensive storage media or method.

Asset – All IDTS assets are those computers, servers, single user applications, network applications, database application and other network attached hardware or software owned by the SCRRA, listed on the balance sheet with a debit balance.

Asset Management – The method used to track fixed assets including tracking the physical location of the IDTS assets, managing the demand for them and accounting for them as described in this Policy.

Audit Log – Captures the computer user’s actions while logged on to a system and saves the information to a database table or formatted file.

Authentication – Process of verifying the identity of an entity that is either providing or requesting resources, information, data, or documents.

Authorization – Process of establishing and enforcing an entity’s rights and privileges to access or provide specified resources, information, data or documents.


Availability – Ensuring timely and reliable access to and use of information. The security goal that generates the requirement for protection against (1) intentional or accidental attempts to perform an unauthorized deletion of data or otherwise cause a denial of service or data; and (2) unauthorized use of system resources.

Backup – In computer engineering, the copying of data so that these additional copies may be restored if the originals are damaged or lost, a process known as data recovery or restore. The “data” may be either created data as such or stored program code, both of which are treated similarly by the backup software. Backups differ from an archive in that data are duplicated rather than moved.

Bandwidth – A measure of the amount of data that can be passed by a communication channel in a given amount of time.

Computer – Electronic device that performs logic, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, software or communications facilities that are connected or related to such a device in a system or network.

Computer Security Log Management – Log management for computer security log data only.

Computer Services – Computer time, data processing, storage functions and all types of communication functions.

Computer Software – Set of computer programs, procedures, and associated documentation concerned with the operation of a computer system.

Computer System – Set of related, connected or unconnected computer equipment, devices and software, including storage, media and peripheral devices.

Confidential Data/Information – Data whose loss, corruption, or unauthorized disclosure would violate SCRRA policies and procedures, state or federal laws and/or regulations. Some “Confidential Data/Information” will be more sensitive than others and shall be protected in a more secure manner.

Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.

Cybersecurity – is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

Database – An organized collection of information that can be searched, retrieved, changed, and sorted using a collection of programs known as a database management system.

Database Administrator – A person with a high degree of technical expertise who is responsible for the design and management of an organization’s database.

Database Management System (DBMS) – Set of computer programs with a user and/or programming interface that supports the definition of the format of a database, and the creation of and access to its data. A database management system removes the need for a user or program to manage low-level database storage. It also provides security for and assures the integrity of the data it contains. Types of database management systems are relational (table oriented) and object oriented.

Demilitarized Zone (DMZ) – A host or network segment inserted as a “neutral zone” between an organization’s private network and the Internet.

Disabled Account – The process of preventing a user from authenticating to the network for purposes of access, usually a manual process performed by an administrator.

Disaster – Any event that makes an organization unable to provide critical business functions for a pre-determined period of time.

Disaster Recovery Plan – A plan that applies to major, usually catastrophic events that deny access to the normal facility for an extended period. This IT focused plan is designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.

Domain Controllers – A primary server that contains information about user accounts and network configuration. Primarily used in reference to the Microsoft network architecture.

Download – To transfer (data or programs) from a central computer to a peripheral computer or device.

Emergency – For purposes of the IT Policies and Procedures, emergencies exist only as a result of: no service; severe degradation of service needing immediate action; an inoperable system, application or component whose failure causes a negative impact; a natural disaster; or an emergency business need.

File – A data object that can be managed by a file system. Files act at an abstraction level that allows them to be given a symbolic name that uniquely identifies the data, and to be assigned ownership and access rights. Files may be created and deleted or may change in size during their lifetimes.

File Transfer Protocol (FTP) – The TCP/IP protocol enabling users to copy files between systems and perform file management functions such as renaming or deleting files.

Firewall – A network node set up as a boundary to prevent traffic from one segment from crossing over to another. Firewalls are used to control network traffic, as well as for security purposes.

Hardware – A computer, its components, its peripherals, and other associated equipment – any physical object that is part of a computer system.

Host – Almost any kind of computer, from a centralized mainframe that is a host to its terminals, to a server that is host to its clients, to a desktop personal computer that is host to its peripherals. In network architectures, a client station (user’s machine) is also considered a host because it is a source of information to the network, in contrast to a device such as a router or switch that directs traffic.

Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information Technology – Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the Agency. Used in this context, equipment means equipment used by the Agency directly or used by a contractor under a contract with the Agency which (1) requires the use of such equipment; or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information Technology in this instance includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services) and related resources.

Interface – A shared boundary defined by common physical interconnection characteristics, signal characteristics, and meanings of interchanged signals or data.

Intermediate Distribution Frame (IDF) – A free-standing or wall-mounted rack for wiring or cable coming from a Main Distribution Frame (MDF) and leading to individual cables for each piece of equipment such as workstations, personal computers and other end-user devices.

Life Cycle – Generally, each phase of the software development process includes the following steps:
• Requirements Analysis
• Design
• Development
• Code Review
• QA Implementation
• QA Testing
• Documentation
• Production Implementation
• Production Testing; and
• Maintenance

Local Area Network (LAN) – A data communications system confined to a limited geographic area. The area served may consist of a single building, a cluster of buildings or a campus-type arrangement. The network uses some type of switching technology and does not use common carrier circuits (although it may have gateways or bridges to other public or private networks). This communications network is made up of servers, workstations, a network operating system and a communication link that serves users within this geographical area.

Locked Account – The process used to prevent a user from authenticating to the network for purposes of access, usually an automatic process.

Log – A record of the events occurring within an organization’s systems and networks.

Log Analysis – Studying log entries to identify events of interest or suppress log entries for insignificant events.

Log Archival – Retaining logs for an extended period of time, typically on removable media, a storage area network (SAN), or a specialized log archival appliance or software.

Log Clearing – Removing all entries from a log that precede a certain date and time.

Log File Integrity Checking – Comparing the current message digest for a log file to the original message digest to determine if the log file has been modified
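The definition above describes the check as comparing a log file's current message digest with the digest recorded when the file was known-good. The following is an added example, not part of the Authority's policy or any SCRRA code, that implements that whole-file comparison and extends it with a per-line hash chain so a verifier can tell normal log growth (lines appended after the baseline) apart from an in-place edit or a truncation, and report the first altered line. The log lines and the baseline-storage layout are constructed for the demonstration.

```python
"""Log file integrity checking by message digest (added example).

Whole-file SHA-256 answers "has the file changed at all?". A per-line hash
chain, where each entry commits to every earlier line, additionally answers
"changed how, and from which line?", which matters for a log that legitimately
grows between checks.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = (
    "2021-02-12T10:00:01Z helpdesk login user=jdoe result=success\n"
    "2021-02-12T10:00:07Z helpdesk ticket=1042 action=open\n"
    "2021-02-12T10:02:15Z helpdesk login user=admin result=failure\n"
)


def file_digest(data: bytes) -> str:
    """Whole-file SHA-256, hex encoded: the 'message digest' of the definition."""
    return hashlib.sha256(data).hexdigest()


def chain_digests(data: bytes) -> list[str]:
    """Per-line hash chain: h_i = SHA256(h_(i-1) || line_i), h_(-1) = 32 zero bytes.

    Because h_i depends only on lines 0..i, appending lines leaves every
    existing chain entry unchanged, while editing line i changes h_i and
    every entry after it.
    """
    prev = b"\x00" * 32
    chain = []
    for line in data.splitlines(keepends=True):
        prev = hashlib.sha256(prev + line).digest()
        chain.append(prev.hex())
    return chain


def baseline(data: bytes) -> dict:
    """Record the known-good state. Store this somewhere the log writer
    cannot modify (separate host, append-only store), or an attacker who
    edits the log can simply re-baseline it."""
    return {"digest": file_digest(data), "chain": chain_digests(data)}


def verify(data: bytes, base: dict) -> tuple[str, int | None]:
    """Compare the current file contents against a stored baseline.

    Returns (status, index):
      ("unchanged", None) - whole-file digest matches the baseline
      ("appended", n)     - baseline lines intact; new lines start at index n
      ("truncated", n)    - only the first n baseline lines remain, all intact
      ("modified", i)     - baseline line i (0-based) differs from the record
    compare_digest is used so the comparison is constant-time.
    """
    if hmac.compare_digest(file_digest(data), base["digest"]):
        return "unchanged", None
    current = chain_digests(data)
    for i, recorded in enumerate(base["chain"]):
        if i >= len(current):
            return "truncated", i
        if not hmac.compare_digest(current[i], recorded):
            return "modified", i
    return "appended", len(base["chain"])


if __name__ == "__main__":
    good = SAMPLE_LOG.encode()
    base = baseline(good)
    grown = good + b"2021-02-12T10:05:00Z helpdesk ticket=1042 action=close\n"
    edited = good.replace(b"user=admin result=failure", b"user=admin result=success")
    cut = good[: good.index(b"2021-02-12T10:02")]
    for label, sample in [("same", good), ("grown", grown), ("edited", edited), ("cut", cut)]:
        print(f"{label:7s} -> {verify(sample, base)}")
```

Rotation interacts with this check: once a file is rotated, the baseline for the closed file should be final and the new file gets its own baseline, otherwise every rotation reads as a truncation. The whole-file digest alone is still the right thing to store for archived (no longer written) logs, which is the case the definition has in mind.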

Log Management – The process for generating, transmitting, storing, analyzing, and disposing of log data.

Log Retention – Archiving of logs on a regular basis as part of standard operational activities.

Log Rotation – Closing a log file and opening a new log file when the first log file is considered to be complete.

Mail Server – A host that provides “electronic post office” facilities. It stores incoming mail for distribution to users and forwards outgoing mail. The term may refer to just the application that performs this service, which can reside on a machine with other services, but for this document, the term refers to the entire host including the mail server application, the host operating system and the supporting hardware.

Mail Transfer Agent – A program running on a mail server that receives messages from mail user agents or other mail transfer agents and either forwards them to another mail transfer agent or, if the recipient is on the mail transfer agent, delivers the message to the local delivery agent (LDA) for delivery to the recipient. SCRRA mail transfer agent is Microsoft Exchange.

Malware – A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.


Main Distribution Frame (MDF) – A signal distribution frame or cable rack used in telephony to interconnect and manage telecommunication wiring between itself and any number of intermediate distribution frames and the cabling from the telephony network it supports.

Minimum Point of Entry (MPOE) – The point at which a telecommunication provider’s wiring crosses or enters a building. This is often a box on the outside of the building, or possibly in the basement.

Network – An interconnected group of nodes; a series of points, nodes, or stations connected by communications channels; the assembly of equipment through which connections are made between data stations.

Network Architecture – A set of design principles, including the organization of functions and the description of data formats and procedures. The basis for the design and implementation of a network.

Network Topology – The physical and logical relationship of nodes in a network. The schematic arrangement of the links and nodes of a network. Networks typically have a star, ring, tree, or bus topology, or some combination.

Operational Controls – The security controls (i.e. safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Operating System – The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its principal component, the kernel resides in memory at all times. The operating system sets the standards for all application programs (such as the mail server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.

Patch – A “repair job” for a piece of programming; also known as a “fix.” A patch is the immediate solution that is provided to users; it can sometimes be downloaded from the software maker’s Web site. The patch is not necessarily the best solution for the problem, and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement or an insertion in compiled code (that is, in a binary file or object module). In many operating systems, a special program is provided to manage and track the installation of patches.

Physical Access – The measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.

Protocol – A formal set of conventions governing the formatting and relative timing of message exchange between two communicating systems.

Physical Security – The protection of building sites and equipment, and all other information and software contained within, from theft, vandalism, natural disaster, man-made catastrophes and accidental damage.

Public Information – Data that is made generally available without specific custodian approval and that has not been explicitly and authoritatively classified as confidential.

Positive Train Control (PTC) – A system designed to prevent train-to-train collisions, over-speed derailments, incursions into established work zones, and movements of trains.

Quality Assurance (QA) – The process of testing a system in a controlled environment, or the environment that enables users to do so, to validate and verify changes to the system ahead of deployment to User Acceptance Testing (UAT) or production. It may also be an environment exclusively configured to mirror production for support and troubleshooting purposes.

RDBMS – Relational Data Base Management System

Records – The recordings of evidence of activities performed or results achieved (e.g. forms, reports, test results) which serve as a basis for verifying that the Agency and the information system are performing as intended. Also used to refer to units of related data fields (i.e. groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

Remote Access – Access by users (or information systems) communicating from an external source to an information system behind a secured firewall.

Remote Maintenance – Maintenance activities conducted by individuals communicating from an external source to an information system behind a secured firewall.

Restore – The process of bringing stored data back from the offline media and putting it on an online storage system such as a file server.

Revision Control – Also known as version control or source control: any practice that tracks and provides control over changes to source code and/or the management of multiple revisions of the same unit of information. It is most commonly used in engineering and software development to manage the ongoing development of digital documents such as application source code, art resources (blueprints or electronic models) and other critical information that may be worked on by a team of people.

Risk – The level of impact on Agency operations (including mission, functions, image or reputation), Agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.

Router – A LAN/WAN device operating at Layers 1 (physical), 2 (data link), and 3 (network) of the OSI 7 Layer Reference Model.

SDLC – System Development Life Cycle; see Life Cycle.

Security – The establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. Measures taken by the SCRRA to protect itself against all acts designed to, or which may, impair its I.T. infrastructure, including measures that prevent unauthorized persons from having access to official information that is safeguarded in the interests of SCRRA security.

Security Controls – The management, operational, and technical controls (i.e. safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security Information Categories –

Confidential – Applies to the most sensitive business information, which is intended strictly for use within SCRRA. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers. Examples include passwords, encryption keys, cardholder information, bank account information, etc.

Sensitive – Applies to less sensitive business information, which is intended for use within SCRRA. Unauthorized disclosure may adversely impact the company, its member agencies, its business partners, and/or its customers. Examples include internal market research, audit reports, etc.

Private – Applies to personal information which is intended for use within the SCRRA. Unauthorized disclosure could adversely impact the SCRRA and/or its employees.

Public – Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure is not expected to seriously or adversely impact the SCRRA. Release of this information must follow the appropriate SCRRA Policy and Procedure and the Public Records Act.

Security Requirements – Requirements levied on an information system that are derived from laws, executive orders, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Server – A shared computer that supports the processing, communications, or file management of other computers on a network.

Server Room – A secure room that houses a computer or processor holding applications, files, or memory shared by users on a network.

Service Pack – A collection of patches integrated into a single large update.

Simple Mail Transfer Protocol (SMTP) – The most commonly used protocol for transferring mail between mail transfer agents.

Software – The programs, programming languages, and data that control the functioning of the hardware and direct its operations – systems software and applications.

Software License – A legal agreement between the developer and the user of software that specifies the conditions for distributing, storing, and using that software.

Software Testing – A process used to help identify the correctness, completeness, security and quality of developed computer software.

Software Upgrade – To replace a software program with a more recently released version.

Spam – Unsolicited bulk commercial email messages.

Spyware – Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge. Malware intended to violate a user’s privacy.

Standard – A directive or specification whose compliance is mandatory and whose implementation is deemed achievable, measurable, and auditable for compliance.

Subsystem – A major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.

SQL – Structured Query Language

Testing – The process of executing a program or application with the intent of finding errors. It is a form of criticism or comparison, comparing an actual value with an expected one.

Testing and Revision – A documented process of periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation if necessary.

TCP/IP – Transmission Control Protocol/Internet Protocol – Two interrelated protocols for network communications routing and data transfer. TCP is used to break data into packets and IP routes the packets.

Train Control Systems – A collection of hardware and software equipment that monitors train locations and movements in order to ensure system safety.

User – Individual or (system) process authorized to access an information system.

User Acceptance Testing (UAT) – The process of testing a system in a controlled environment, or the environment that enables end-users to do so, to validate and verify changes to the system ahead of deployment to production.

Vulnerability – A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. A security exposure in an operating system or other system software or application software component.

WAN – Wide Area Network – A communications network connecting computing devices over geographically distant locations. A WAN covers a much larger area than a LAN, such as a city, state or country. WANs can use either phone lines or dedicated communication lines.

Web Page – A single page displayed by a Web browser.

Web Server – A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web Server software, and Web site content (Web pages). When the Web server is used internally and not by the public, it is known as the “intranet server.”

White List – An access list maintained by IT for the purposes of allowing access to internet sites that have been approved by the Agency.

ITEM 6.C

ITEM ID: 2020-207-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: Small Business Partnership Policy

Issue

Consistent with Contract and Procurement Policies approved by the Board in November 2019 and the Recovery Plan “New Normal” Framework approved by the Board in September 2020, staff has developed a Small Business Partnership Policy that allows for the agency to develop and implement a local Small Business Partnership Program (SBPP) that is separate and distinct from Metrolink’s Disadvantaged Business Enterprise (DBE) program and increases access to Metrolink procurements for all businesses.

Recommendation

It is recommended that the Committee recommend the Board approve the addition of a Small Business Partnership Policy (Attachment A) to the Procurement and Contracts Policy.

Strategic Commitment

This report aligns with the strategic commitments of:

Connecting and Leveraging Partnerships: We will forge new and enhanced relationships with our public and private partners to integrate and coordinate connecting services, providing residents throughout Southern California with better, seamless, sustainable alternatives to driving. The Small Business Partnership Policy will provide small businesses access to capital and capacity building resources through external partnerships with key entities.

Modernizing Business Practices: We will improve our operational efficiency through transparency, objective metrics and streamlined governance, reducing over-reliance on subsidy while bringing our system into a state of good repair and investing in the development of our employees. The Small Business Partnership Policy will allow Metrolink to benefit from an increase in competitive procurements, cost efficiencies, and innovation.

Advancing Key Regional Goals: We will grow the role of regional rail in addressing climate change, air quality, and other pressing issues by advancing toward zero emissions, making rail a compelling alternative to single-occupant automobiles and advancing equity-focused opportunities for all communities throughout Southern California. The Small Business Partnership Policy will remove barriers by addressing institutional policies and procedures that may limit small business participation and/or growth. The policy will assist with generating jobs and providing local economic opportunity.

Background

Metrolink’s Contract and Contracting Policies, approved by the Board in November 2019, include the agency’s DBE policy. The DBE policy ensures that minority-owned, women-owned and other disadvantaged small businesses can fairly compete for federally funded contracts and allows the Authority to establish and administer a DBE program. A key component of the program allows for the agency to establish DBE participation goals on federally funded contracts. For the period of July 2017 through October 2020, Metrolink awarded a total of $593.8M in contracts, of which 79.6%, or $472.5M, were federally funded. In Federal Fiscal Year 2020, the Authority set a 12% DBE goal and attained 22.8% participation on federally funded contracts.

However, the Authority does not have a policy to ensure that small businesses can fairly compete for non-federally funded contracts. During the same July 2017 through October 2020 time period, on average, 20.3% of Metrolink awards were to non-federalized contracts which equated to $120.8M. In order to achieve equity, using the same benchmark as federalized DBE awards of 22.8%, $27.5M of non-federalized contracts could have been awarded to small businesses over the last three fiscal years.

The Recovery Plan “New Normal” Framework, adopted by the Board in September 2020, includes the Triple Bottom Line of Economy, Environment, and Equity. The Triple Bottom Line contains a commitment to strengthening our relationship with the business community.

Discussion

Metrolink staff held focus groups and discussion forums with a cross section of stakeholders over the last few months, including:

Executive-level and senior leaders across the agency;
Local small business owners and advocates;
A local governmental agency;
A contractor representing the Prime community; and
A local community-based organization that provides resources to small businesses.

The stakeholders identified key elements that should be incorporated into a policy that allows for a small business program that is robust, supportive, and sustainable.

Policy Objective

Metrolink’s proposed Small Business Partnership Policy will allow for a Program that deepens the agency’s commitment to the sustainability of small businesses by expanding resources for all contracts. The Program defines a small business using the Small Business Administration’s criteria based primarily on the average annual receipts or the average employment of a company.

The Policy’s objective is to support local small businesses in their long-term growth by providing resources and opportunities for small businesses to effectively and equitably compete for Metrolink federally funded and non-federally funded contracts. As a result, Metrolink benefits from an increase in competitive bidding and cost efficiency, and businesses and communities in the six-county Metrolink service area are strengthened through economic growth and job creation.

Key Components

Stakeholder input and staff research resulted in the following four key components of the Small Business Partnership Policy:

Expanding Business Building Opportunities. Opportunities may include establishing small business goals for non-federalized contracts, and authorizing the use of equity methods for non-federalized contract bidding, e.g. bond relief, adjusting insurance requirements for small businesses, etc.

Implementing a Local Preference Program. Provide opportunities for local small businesses within the Metrolink service area. A local small business is defined as having a principal office within the six-county Metrolink service area, thus serving as a catalyst for re-building the local economy and creating jobs in the Southern California mega region. This will be accomplished by utilizing equity methods for non-federalized contracts such as local small business prime contracts, assigning local preference points to proposals or bids that are submitted in response to contracting opportunities, etc.

Supporting Prompt Payment. Document payment terms to accelerate the Finance Department's prompt payment to small businesses, such as remitting payment for approved invoices within 15 days (“net 15”). This minimizes cash flow delays, which can be a barrier to entry for small businesses.

Encouraging Accountability. Institutionalize the Small Business Partnership Policy by incorporating it into the Board-approved Procurement Policy. The CEO will assign Key Performance Indicators (KPIs) for departments/specialty areas to report progress and goal attainment.

Proposed Program Approach

The Small Business Partnership Program will be offered using a comprehensive, wrap-around approach for addressing the three most common barriers to long-term small business growth – the access to opportunity, capital, and capacity.

The Authority will provide opportunity by means of adding SBE goals to non-federalized procurements. Access to capital and capacity will be provided through a partnership with external local entities that specialize in removing those barriers for small businesses such as Lendistry and The Center by Lendistry (The Center).

Lendistry is a minority-owned small business lender that is certified as both a Community Development Financial Institution and a Community Development Entity. Lendistry is in a unique position to assist small businesses with accessing resources required to best compete for contracts, e.g. loans. The Center, a non-profit division of Lendistry, provides services throughout the Metrolink service area and can provide assessment tools and training resources that small businesses may need in order to obtain and execute their Metrolink contract successfully.

Although small business firms are not required to participate in the Small Business Partnership Program, if they choose to participate and complete The Center’s technical training, the firm will be designated as “Contract Ready”. A firm that is designated “Contract Ready” can take advantage of the incentive methods that will be applied to non-federalized contracts, e.g. adding five (5) preference points to the evaluation score of a proposal received from a firm. A firm can still compete for Metrolink contracts without participating in the program; however, those firms will not be eligible for the incentive methods that will be applied to non-federalized contracts.

Budget Impact

There is no budgetary impact as a result of adopting the Small Business Partnership Policy.

Alternatives Considered

The Board may choose to adopt specific Small Business Partnership Policy objectives, e.g. the Authority will implement procedures that accelerate prompt payment only, the Authority will implement a local preference program only, etc. The policy as presented is holistic in that it addresses many of the challenges and barriers that small businesses face. Adopting specific objectives may diminish the policy’s impact on small businesses.

The Board may choose to not adopt a Small Business Partnership Policy. However, Metrolink’s long-term success is dependent upon the sustainability of small businesses. Pre-COVID-19, 85% of Metrolink riders were employed, and small businesses employ nearly 50% of California’s workforce.

Next Steps

Upon approval of the policy, staff anticipates implementing a multi-phased program launch beginning in March 2021. The intent of Phase 1 of the program is to increase program awareness. Therefore, staff will engage in education and outreach efforts that result in supporting at least 50 firms during the first phase of the program.

The program will be expanded in scope and capacity, with full program implementation planned for July 2021.

Prepared by: Vida Mannings, Director, Special Projects

Approved by: Stephanie Wiggins, Chief Executive Officer

Attachment(s)

Attachment A - Small Business Partnership Policy-final

Attachment A. Section 13 Small Business Partnership Program Policy

In order to provide economic opportunity for small businesses, and to stimulate economic development in communities served by the Southern California Regional Rail Authority (Authority), it is the policy of the Authority to ensure that small business enterprises (SBEs), as defined by the Small Business Administration, and local small business enterprises with a principal office within the Authority’s six-county service area, have equitable opportunity to participate in the agency’s procurement of all goods, materials and services.

As a separate and distinct program, the objectives of the proposed Small Business Partnership Policy are:

1. To ensure nondiscrimination in the award and administration of non-federally funded contracts;
2. To create a level playing field on which SBEs can compete fairly for non-federally funded contracts;
3. To ensure that firms fully meet certified eligibility standards as determined by federal, state, or local agencies, or an agreed upon, third-party certifying entity;
4. To expand business building opportunities by establishing specific and distinct business building opportunities for SBEs participating in non-federally funded contracts;
5. To help remove barriers to the participation of SBEs in non-federally funded contracts. Barriers to be removed may include but not be limited to adjusting contract requirements related to bonding and insurance requirements;
6. To support improved cash flow for SBEs by documenting prompt payment terms; and
7. To provide local small businesses non-federally funded contract incentives such as set aside programs and local preference points.

ITEM 6.D

ITEM ID: 2020-239-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: Promotional Fares for COVID-19 Vaccinated Riders

Issue

At its meeting on January 8, 2021, the Executive Committee directed staff to research the feasibility of offering free or discounted rides on a temporary basis for those who have been vaccinated against COVID-19. Staff agreed to report back to the Committee at its February meeting.

Recommendation

The Committee may receive and file this item.

Strategic Commitment

This item aligns with the Strategic Business Plan commitment of:

Customers Are Our Business: We respect and value our customers, putting them at the heart of all we do, and work hard to attract and retain new customers by understanding their needs and finding new and innovative ways to bring them on board. Promotional fares serve as a tool to attract and retain riders.

Background

The spread of a third wave of COVID-19 cases across California starting in November 2020 has negatively impacted the pace of Metrolink’s ridership recovery. An April 2020 survey of Metrolink riders surfaced that 13% who had stopped riding due to COVID-19 would wait until after a vaccine or treatment is available to ride again. The availability of vaccinations for the elderly and some essential workers across Southern California is encouraging news for the health of Southern California and the ultimate return of riders to Metrolink.

Per adopted policy, the Board delegated the authority for promotional fares to the CEO. When determining to move forward with a promotional fare, staff considers potential ridership and revenue growth impact, feasibility of implementation (logistically and financially), and equity.

Discussion

An initial review by staff of the feasibility of offering free or discounted fares for those who have been vaccinated against COVID-19 found the following:

Proof of eligibility is a challenge: Riders taking advantage of a Metrolink fare discount are required to provide proof of eligibility. In this case, the proof would be a vaccine card that individuals are issued upon receiving their COVID-19 vaccination. Because there is not one standard form to prove vaccination, it would be difficult – or impossible – for Conductors to authenticate these materials and verify eligibility during fare inspection. Vaccination cards have no serial number and may easily be forged. Additionally, the Authority is unlikely to be exempted from HIPAA privacy rules to ask for this information, making verification virtually impossible.

Ridership and equity challenges exist with a general promotional discount campaign directly offered to vaccinated riders: At this time, the vaccine is available only to small segments of the population. According to a story in ABC7 News, as of January 27, “California ranks 38th in the nation -- tied with Massachusetts, Hawaii, and Arizona. These states have vaccinated 6.9 percent of the population over 16 with the first dose.” Some riders may perceive the discount as discriminatory against individuals not yet eligible to receive the vaccine, or those who may not be able to receive the vaccine due to medical reasons.

Transportation is important for access to the vaccine: The Pew Trust reports that transportation to vaccination sites often poses a challenge to receiving a vaccination for the poor and the elderly. There is potential to facilitate the increase of the vaccinated population, specifically by pursuing opportunities to provide promotional discount codes that vaccination sites can provide to their customers when they make their vaccination appointment. Currently, there are 85 authorized vaccination sites within five miles of a Metrolink station. (Attachment A)

Next Steps

Staff will pursue partnerships with vaccination sites to distribute promotional discount codes with appointment confirmation and will include status reports in the monthly Recovery Framework Status Update to the Board.

Prepared by: Henning Eichler, Market Insights and Analytics Manager, Customer Experience; Mary Riemer, Director, Customer Experience; Jennifer Vides, Chief Customer Experience Officer

Approved by: Jennifer Vides, Chief Customer Experience Officer

Attachment(s)

Attachment A - Vaccination Sites.pdf

VACCINATION SITES

[Map, updated February 2021: “Vaccination Sites within 5 miles of a Metrolink Station.” Legend: vaccination sites (numbered 1 through 85) and Metrolink stations on the 91/Perris Valley, Antelope Valley, Inland Empire-Orange County, Orange County, San Bernardino and Ventura County lines and the Redlands Extension; scale bar 0 to 20 miles.]

ITEM 6.E

ITEM ID: 2020-192-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: Metrolink's Locomotive Fleet Modernization Study Update

Issue

The Metrolink Locomotive Fleet Modernization Study (Fleet Study) is nearing completion. The Fleet Study will provide cost estimates and benefits to modernize Metrolink’s locomotive fleet. Once completed, the Fleet Study will provide a range of options for the overhaul of the MP36 fleet as well as zero emission transition concepts. The results will be used to support Metrolink’s effort to justify and secure both internal funds and potential external grants which may become available in 2021. Given the recent executive orders issued at the State and Federal level, staff is providing a status update on the Fleet Study.

Recommendation

The Committee may receive and file this report.

Strategic Commitment

This report aligns with the Strategic Business Plan commitment of:

Advancing Key Regional Goals: We will grow the role of regional rail in addressing climate change, air quality, and other pressing issues by advancing toward zero emissions, making rail a compelling alternative to single-occupant automobiles and advancing equity-focused opportunities for all communities throughout Southern California. The investments explored through the Locomotive Fleet Modernization Study allow Metrolink to advance towards a zero emissions future while ensuring continued reliable service delivery on which our customers depend. The Fleet Study will identify strategies for the reduction in emissions and demonstrate Metrolink's commitment to environmental stewardship.

Background

Metrolink’s active locomotive fleet consists of 39 recently procured F125 Tier 4 “low emission” diesel locomotives and fifteen 2008 MP36 Tier 2 “moderate emission” diesel locomotives. Starting in 2017, Metrolink has seen a great improvement in its fleet's diesel emissions as the new Tier 4 locomotives were put in revenue service and the Tier 0 fleet was decommissioned. Metrolink strives to continue reducing diesel emissions from its locomotive fleet and to lead the path toward zero emissions.

Both the MP36 Tier 2 diesel locomotive fleet and F125 Tier 4 fleet are critical to Metrolink’s core service and must be reliable, available and maintainable (RAMS) and operate within justifiable levels of emissions. In conjunction with the Recovery Plan Framework, Metrolink is currently operating under reduced COVID-19 service levels of 108 weekday trains with 35 trainsets but is anticipated to return to a position of 160-170 weekday trains supported with 40 trainsets after FY21. Assuming pre-COVID-19 service levels and patterns, and factoring in locomotive RAMS, an active locomotive fleet consisting of 48 to 52 locomotives is required to operate 40 trainsets.

In 2019, staff identified an initial backlog of overhaul needs for the 15 older MP36 locomotives as well as the need to address the Tier 2 locomotive emissions. These locomotives are under increased scrutiny by the state and regional air resources boards, communities and others concerned with diesel locomotive emissions and interested in transitioning to zero emissions.

Funding for the Fleet Study was placed on the FY20 annual rehabilitation project list as a high priority and was subsequently approved. With the approval of the funding, a task order request targeted at MP36 locomotive RAMS, overhaul and emission reduction/clean energy alternatives was submitted to the rolling stock consultant bench in November 2019. After a competitive process, a task order was awarded to Hatch LTK in March 2020. The scope required the consultant to deliver the Fleet Study within 12 months.

The Locomotive Study is nearing completion and the draft final report is scheduled to be completed in early 2021. This first report provides an introduction and the approach for the Fleet Study; a second report will summarize the results of the Fleet Study and include recommendations. The timing of these reports may be fortuitous, as the report scope, cost estimates and benefits will support Metrolink's efforts to apply for potential grant funding targeted at lower or zero emissions and clean, sustainable energy related projects.

Discussion

The objective of the Fleet Study is two-fold: first, to determine an investment plan to keep the 15 MP36 locomotives operating with favorable standards for RAMS; and, second, to look further ahead to accelerate zero emission, clean energy concepts and technologies to power Metrolink’s locomotive fleet.

Additionally, the Fleet Study, in conjunction with the internal stakeholders and the Fleet Management Plan Update team, will explore the following questions:

Overall Locomotive Fleet Needs
• How many locomotives are needed to operate the assumed daily service levels today and in the next 10 years, factoring in planned inspection and servicing, preventive maintenance, RAMS, and unplanned events?

MP36 Locomotive Fleet Overhaul and Investment Strategy
• How does the MP36 overhaul investment fit into Metrolink’s future zero emission fleet strategy?
• What are the risks and durations associated with the various overhaul and new locomotive alternatives?
• What is the likely locomotive service life and RAMS of the various overhaul scenarios?
• What are the short, mid and long-term consequences if the MP36 locomotives are not overhauled or replaced?
• How does the MP36 overhaul or new locomotive procurement investment fit into potential investment in multiple units (e.g. zero emissions multiple units (ZEMUs) and diesel multiple units (DMUs))?
• How do the newly proposed CARB standards affect the locomotive overhaul or new procurement decision?
• What is the likelihood and timing of implementation of new CARB standards?

Zero Emissions Transition Strategy
• Can alternative fuels such as renewable diesel be used to achieve lower or zero emission goals for both Tier 2 and Tier 4 engines?
• How much and what type of grant funding is forecast to be available to support the overhaul or purchase of new locomotives?

MP36 Locomotive Fleet Overhaul and Investment Strategy

The Fleet Study will provide Metrolink with an MP36 overhaul investment strategy. The Tier 2 MP36 fleet of 15 locomotives was deployed in 2008-2009 and is now approaching its mid-life, and the RAMS metrics are trending down as expected for locomotives of this age and use. To stabilize and improve RAMS in line with industry standards, diesel locomotives commonly undergo a mid-life overhaul by the 15th year (corresponding to a diesel locomotive's average 30-year useful life). The mid-life overhaul is intended to restore the locomotive to a state of good repair and bring RAMS metrics to established industry standard levels. The overhaul may include the upgrade of the main and head-end power (HEP) engines to a higher emissions tier (e.g. Tier 4), removal of trucks, cooling systems, and other critical systems for refurbishment, as well as addressing body damage and exterior repainting. Between January 1, 2017 and January 24, 2021, there were 616 delays and 6,439 minutes of delay attributed to mechanical issues with the MP36 fleet. Based on industry consensus around fleet reliability, without an overhaul program Metrolink can expect to see increased delays and terminations over the coming years, as well as increased materials expenditures for unforeseen repairs.

MP36 delays by cause, January 1, 2017 - January 24, 2021

Delay Cause                 Delays   Minutes of Delay
Brake System                    97                805
Head End Power (HEP)            41                317
Main Engine                    175              1,983
Mechanical Locomotive           16                226
No Load/Electrical             134              1,107
Running Gear                    54                311
Air System                      45                481
Termination                     54              1,209
Total                          616              6,439

The Fleet Study explores a range of options including:

• life extension overhaul (Tier 2) performed locally with the local equipment maintenance contractor
• off-site overhaul to Tier 2+ with a specialty overhaul contractor
• off-site overhaul and Tier 4 conversion with a specialty overhaul contractor
• purchase of new commercially available Tier 4 locomotives.

A high-level benefit-cost analysis (BCA) was developed to provide insight into the MP36 overhaul investment options. The BCA factors in the capital costs, life-cycle maintenance costs, emissions/health benefits and grant funding scenarios.

To underscore the importance of mid-life overhaul planning and investment, most of Metrolink’s legacy fleet of F59PH and PHI locomotives did not undergo the mid-life overhaul that would have occurred around 2007-2008. The locomotives continued to perform reliably in the years shortly after mid-life, but the oldest of the locomotives started experiencing an increasing number of breakdowns due to failures of key components such as crankshafts, turbochargers, HEP engines, and main engines. These failures led to impacts on service reliability.

Given the time required to identify and secure funding, and the duration to complete procurement activities and then execute the selected overhaul option, there is an immediate need to evaluate the alternatives and develop a plan for overhaul. The consultant, Hatch LTK is working with staff to identify available overhaul solutions and vendors, assess component condition, develop cost estimates, schedules and life cycle costs. The detailed scope of this overhaul will be finalized as funding solidifies and as the project transitions into the procurement document development phase after the Fleet Study concludes.

In the past 10 months, Hatch LTK has also assisted staff in identifying rolling stock procurement lessons learned. Additionally, Hatch LTK and staff are monitoring the California Air Resources Board (CARB) proposed concepts for an in-use locomotive regulation, which would require Metrolink to set aside funding on an annual basis for operating equipment that is not zero emissions. The greatest spending account contributions would be for Tier 3 and below. If approved as currently proposed, this CARB regulation would have a significant impact on Metrolink’s MP36 overhaul investment decision-making.

In October, November and December 2020 and January 2021, presentations about the condition of the MP36 fleet and the need for overhaul planning were made to the Member Agency Advisory Committee (MAAC). Staff plan to return to the Board with overhaul recommendations in spring 2021.

Transition to a Zero Emissions Locomotive Fleet

The Fleet Study will also determine the feasibility of, and will develop recommendations regarding, the application of zero emission technologies and the potential conversion of older legacy F59PH/PHI locomotives (decommissioned locomotive hulks retired with the new F125 Tier 4 procurement) to alternate propulsion. One of the first Fleet Study deliverables was an alternative technology matrix. The matrix has continued to be refined throughout the study.

Staff have viewed presentations from several manufacturers offering battery electric and battery hybrid locomotive retrofit concepts. Hatch LTK has performed simulations of battery and hydrogen fuel cell locomotives for the Perris Valley Line, the Antelope Valley Line and by the end of the study, the . The initial results suggest that 100 percent zero emission production locomotive solutions such as battery electric and hydrogen fuel cell-battery will not meet Metrolink’s daily train consist duty cycle in the five to ten-year time horizon for operations with locomotive-hauled 4 to 6 car trainsets.

Interest in the development of zero emission technologies for passenger locomotives is accelerating given the impetus for clean energy, sustainable transportation modes. Pilot versions of zero-emission locomotive-hauled technology are anticipated to be feasible in the near term; however, the technology will be both risky and costly. Commercially available versions are expected to start becoming available in the next 10 to 15 years. Ultimately, the Fleet Study will provide zero emissions recommendations, cost estimates, schedule, facility impacts and maintainability assessments. Staff will return to the Board in March 2021 with more information about the simulation results and next steps.

Given the high cost and nascent technology maturity of zero emission locomotives, staff are also exploring options to reduce emissions in the near-term. These transitional technologies include exploring renewable diesel and on-board systems that provide remote data collection of engine operation and fuel consumption.

Staff are currently working across multiple departments to develop a renewable diesel demonstration plan for one Metrolink MP36 Tier 2 locomotive. Renewable diesel (RD) is usable both blended with petroleum diesel and as a stand-alone fuel. Owing to a higher cetane number, it is a much cleaner burning fuel and promises lower exhaust emissions. The demonstration under development will include a test plan to determine the success of the effort. The test plan will require fuel consumption, reliability and performance data collection to determine whether there are any changes to fuel consumption and whether there are any impacts on performance, the engine and other systems. Staff will procure renewable diesel for the one-locomotive demonstration under the existing fuel contract. The demonstration will commence once the test plan has been approved and processes to monitor fuel consumption, reliability and performance are in place. Staff will continue to provide status reports to the Board on this effort.

Study Deliverables and Working Groups

The Fleet Study deliverables include a series of technical memos, PowerPoint presentations and the alternative propulsion matrix, which will be referenced in the Fleet Management Plan Update. Additionally, cost estimates and schedules are being developed to facilitate the implementation of the Fleet Study recommendations.

A technical working group for the Fleet Study was established and includes key staff in the Equipment department. The Planning department and the director of sustainability have also been key stakeholders as the study progressed. The internal stakeholder team reviewed the zero-emissions technology matrix and preliminary simulation results for the Perris Valley, San Bernardino, and Antelope Valley Lines, as well as information about various MP36 overhaul options.

Community Coordination

Staff planned to meet with the CMF community in spring 2020 to discuss the Fleet Study, provide updates and solicit feedback. Due to the COVID-19 pandemic, the spring CMF Community Meeting did not take place. Following the initiation of the studies, the next CMF Community Meeting was held virtually in September 2020. An update about the Locomotive Fleet Modernization Study was presented.

Coordination Between Fleet Study and Other Planning Efforts

Since the initiation of the Locomotive Fleet Modernization Study and the CMF Modernization Study, there has been periodic cross-study coordination. For instance, as draft zero emission simulation results became available from the Locomotive Fleet Modernization Study, the Hatch LTK team presented the potential facilities impacts to support zero emissions technology to WSP. The coordination will continue throughout the Studies.

Additionally, the Fleet Study is being coordinated with the Fleet Management Plan Update team through bi-weekly meetings, with other agency efforts underway, including the Transit Asset Management Plan (TAM) and the Metrolink Strategic Business Plan, and with external efforts such as the Caltrans-led Rail-Fleet Consortium.

Next Steps

Staff will return in March 2021 with the recommendations from the Locomotive Fleet Modernization Study.

Prepared by: Michelle Stewart, Fleet and Facilities Modernization Project Manager

Approved by: Darrell Maxey, Chief, Mobilization, Transition and Special Projects

Attachment(s)

Locomotive Fleet Modernization Study Presentation

Investing in Metrolink’s Future

Locomotive Fleet Modernization Study • February 2021

Overview of Fleet Study

Study Objectives
• Protecting Metrolink’s investment in existing locomotive fleet
• Modernizing Metrolink’s aging locomotive fleet
• Making Metrolink competitive for funding opportunities

Key Areas of Study
• 15 MP36 Tier 2 locomotives
• Zero emission technologies and transition technologies and fuels

Timeline of Study
• Board Approved Rehabilitation Overhaul Budget 2019
• Study initiated in spring 2020
• Board to be briefed on study progress in February 2021
• Staff to provide more detailed recommendations in Spring 2021

Locomotive Fleet Modernization Study Areas of Study

• MP36 Mid-Life Overhaul Strategy
• Zero Emissions Locomotive Feasibility
• Zero Emissions Transition Strategy

MP36 Locomotive Overhaul

• Fleet size of 15 Tier 2 Locomotives
• Workhorse for SCRRA: MP36 fleet has operated over 7.5 million miles since 2008

MP36 Road Failures

[Chart: Road Failures - Terminations & Other Mechanical Failures, monthly counts (0 to 30) from 2017 through January 2021]

MP36 Delays and Minutes of Delay: 107 hours of delay since 2017

Delay Cause            Delays   Minutes of Delay
BRAKE SYSTEM               97                805
HEP                        41                317
MAIN ENGINE               175              1,983
MECHANICAL LOCO            16                226
NO LOAD/ELECTRICAL        134              1,107
RUNNING GEAR               54                311
AIR SYSTEM                 45                481
TERMINATION                54              1,209
Total                     616              6,439

*Data January 1, 2017 – January 24, 2021

Areas Under Study

Zero Emissions
• Alternative Technology Comparisons
• Battery Electric & Hydrogen Fuel Cell
• Hybrid Solutions
• Transition Strategies
• Convert existing excess diesel locomotives for zero emissions/hybrid demonstration

Other Emissions Reduction Initiatives
• Renewable Diesel
• On-Board Systems

Next Steps

01 Complete Fleet Study memos in early 2021
02 Present study results to Board in Spring 2021
03 Timing is important – findings could help make Metrolink competitive for new funding opportunities at the Federal level

ITEM 6.F

ITEM ID: 2020-205-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: February Legislative Update

Issue

Staff will provide an update on current legislative affairs.

Recommendation

The Committee may receive and file this report.

Strategic Commitment

This report aligns with the Strategic Business Plan commitments of: Connecting and Leveraging Partnerships: We will forge new and enhanced relationships with our public and private partners to integrate and coordinate connecting services, providing residents throughout Southern California with better, seamless, sustainable alternatives to driving. This commitment is met by sharing news, information and the Authority’s legislative priorities with elected officials. Advancing Key Regional Goals: We will grow the role of regional rail in addressing climate change, air quality, and other pressing issues by advancing toward zero emissions, making rail a compelling alternative to single-occupant automobiles and advancing equity-focused opportunities for all communities throughout Southern California. This commitment is met by encouraging federal, state and local support for Authority priorities.

Background

The Metrolink Board of Directors approved the 2021 Legislative Program in January, which provides direction to staff regarding local, state and federal policies and priorities. Staff continues to engage with government officials and community relations stakeholders relating to Metrolink service and 2021 Legislative Program items.

Discussion

Local Update

The Metrolink Community Relations team held three virtual SCORE environmental outreach meetings in January and is planning the virtual community outreach meeting for the incorporation of the Kids Ride Free and 5-Day Flex Pass promotional fares into Metrolink’s regular fare structure.

On January 27 and 28 the Community Relations team held virtual community meetings regarding the El Monte Siding Extension Project and the Rancho Cucamonga Siding Extension Project. As these projects are considered Statutory Exemptions, one outreach meeting will be held in each area so that community questions regarding the project can be addressed.

On February 11, 2021 Metrolink Community Relations will hold a virtual meeting to allow community members the opportunity to share their thoughts on the proposed changes to the existing fare structure. As a result of the pandemic, Metrolink introduced the Kids Ride Free with an Adult weekend fare and the 5-Day Flex Pass, which allows workers who are working remotely an opportunity to use Metrolink in a more realistic manner. The latter product allows Metrolink to recapture market share that pre-COVID was part of monthly pass sales. A public hearing at the January 22, 2021 Board meeting opened the public outreach period. The public meeting will take place on February 11, 2021 and comments will be presented; the public outreach period will close on February 26, 2021. At that time the Metrolink Board will decide whether these two temporary fares will become part of the permanent Metrolink fare structure.

Metrolink will hold its regularly scheduled quarterly meeting with our CMF neighbors on February 27, 2021. This virtual meeting will provide an opportunity to update them on the progress made with the CMF Facilities Modernization Study, the updates to the Tier 4 locomotives and other improvements at the CMF facility.

State Update

California Governor Gavin Newsom submitted a proposal for the 2021-2022 State Budget to the Legislature on January 8, 2021. Included in the budget is a plan for “Equitable Recovery for California’s Businesses and Jobs”. These workforce recovery elements include $4.5 billion in spending to accelerate the state’s economic activity related to the COVID-19 pandemic. The workforce spending includes $1.5 billion for clean trucks, vehicles, buses and off-road freight equipment to accelerate zero-emission vehicle adoption. Budget hearings have begun in the Legislature in advance of updated budget scenarios presented as part of the May Revise. Staff will continue to seek opportunities for robust investments in transportation, emissions reduction technologies and related infrastructure.

Though Metrolink is not directly eligible for the identified funding, current budget proposals advance infrastructure improvements for the transportation ecosystem. The Legislature may also seek alternative or complementary budget proposals through Senate and Assembly budget hearings and budget trailer bills that provide indirect or direct benefit to Metrolink. Staff will continue to follow the state budget development process for opportunities to extend eligibility for projects that mutually benefit regional rail service.

Overall, the budget included increases in the State Transit Assistance and Local Transportation Fund relative to the 2020 May Budget Revise, though funding remains lower than the 2020 January Budget Request.

The Legislature delayed reconvening until Monday, January 11. Throughout the month, Legislators continued preparing legislative proposals and conducted budget oversight hearings. Bill requests were accepted by Legislative Counsel through January 22 in the Senate and Assembly.

In late January, Governor Gavin Newsom announced a transition from sector-based distribution of the COVID-19 vaccine distribution to an age-based approach. This change was initiated to increase the pace of vaccination, make it easier for residents to know when they are eligible and to accelerate the pace of vaccine distribution. The California Transit Association (CTA) expressed concerns with deviating from a sector-approach that prioritized essential business sectors at heightened risk of COVID-19, including transit workers. Statewide vaccination guidelines are subject to approval from local public health agencies, which ultimately implement the recommendations. Staff continue to encourage prioritization for transit workers to the greatest extent possible to ensure the continuity of essential transportation services.

The California Transportation Commission met on January 27-28, 2021 to consider regular business. During the meeting, the commission considered approval of a $5 million allocation request for previously awarded 2018 Transit and Intercity Rail Capital Program (TIRCP) funding. The allocation before the Commission includes five Southern California Optimized Rail Expansion (SCORE) projects: Improvements, El Monte Siding and Station Improvements, Serra Siding Extension, Burbank Junction Speed Improvements and the Control Point Atwood to Orange Project. These projects are made possible with support from local, state and federal stakeholders.


The California Air Resources Board (CARB) similarly continued work on air quality items, including developing potential locomotive regulations. Staff continue to monitor upcoming milestones in the coming year while drafts are prepared.

The Chief Executive Officer participated in a joint welcome reception hosted by Mobility 21 and the Los Angeles Area Chamber of Commerce to congratulate Senator Lena Gonzalez and Assemblywoman Laura Friedman on chairing the Senate and Assembly Transportation Committees, respectively. The appointment of the Chairs reflects a critical opportunity for Southern California to advance key regional and state mobility goals. Staff will continue to coordinate with and provide information to both offices regarding the agency’s approved 2021 Legislative Program.

Federal Update

Developments in Congress and Washington, D.C. remain fluid during the transition to the 117th Congress and the Biden Administration. With the results of the Georgia run-off election, the Democratic party has a majority in both chambers of Congress. The Biden Administration is expected to focus on COVID-19 relief and economic stimulus, which includes opportunities for infrastructure investments. In the 116th Congress, the House of Representatives approved H.R. 2, a $494 billion, five-year transportation authorization bill which could serve as a model for future discussion.

At the end of 2020, the rail industry achieved a significant milestone in deploying Positive Train Control (PTC) technology across the nation. During January, the National Transportation Safety Board (NTSB) held a virtual event to commemorate the milestone. Metrolink’s commitment to safety and early deployment of PTC provided a national model.

The United States Department of Transportation awarded the agency $14.78 million in federal competitive grant funding under the Commuter Authority Rail Safety Improvement (CARSI) Program for the San Bernardino Line (SBL) El Monte Station Grade Crossing Safety Improvements: Tyler Avenue & Cogswell Road Project. The safety improvements at the high-volume at-grade crossings will reduce fatalities, serious injuries and vehicular accidents. The grant announcement reflects the agency’s strong partnership with federal and local stakeholders to bring public railway-highway crossings to current Metrolink standards.

President Biden announced the American Rescue Plan in late January in response to the COVID-19 pandemic. The $1.9 trillion relief proposal includes a combination of direct assistance, extended unemployment benefits, emergency response funding and additional assistance for impacted business sectors – including $20 billion in funding for public transportation to ensure continuity of services and the availability of an essential transit workforce. The Administration is negotiating with both houses of Congress in order to gain bipartisan support on a path forward. To date, Congress has approved $3.5 trillion in aid and emergency spending – including $39 billion for transit agencies. It appears that once an additional relief bill is passed, attention will turn to a stimulus / recovery package and then to longer-term infrastructure and transportation reauthorization bills. The current surface transportation authorization is set to expire September 30, 2021.

On February 9, the Board Chair, Vice Chair and Chief Executive Officer participated in advocacy meetings with federal delegation offices regarding the agency’s 2021 Legislative Program. During the meetings with key delegation offices on the Appropriations, Transportation and Infrastructure, Ways and Means Committees and leadership positions, the agency voiced support for public transportation in response to COVID-19 and advancing national priorities. Additionally, the Chief Executive Officer spoke on an infrastructure panel organized to host officials from the Biden Administration, where she conveyed the importance of Metrolink regional rail service to Southern California and highlighted the ongoing need for federal support for the SCORE Program.

Staff will provide regular updates to the Board of any relevant developments.

Next Steps

Staff will continue to work with Member Agency legislative staff, the Southern California Legislative Roundtable and local, state and federal delegation offices to advance the priorities of the Board.

Prepared by: Alex Davis, Senior Manager, Government Relations Sylvia Novoa, Public Affairs Manager, Government & Community Relations Jesus Garcia, Management Analyst II, Government Relations

Approved by: Todd McIntyre, Chief Strategy Officer

Attachment(s)

Appendix A - 2021 Bill Matrix Presentation

Appendix A: Legislative Matrix

Senate Bill 44 (Allen)
Bill: This bill would establish a streamlined judicial review process for environmental leadership transit projects led by a public agency under CEQA.
Status: Introduced 12/7/2020; to Committee on Rules for assignment
Action: No recommended action at this time

ACA 1 (Asm. Aguiar-Curry, Asm. Gonzalez, Asm. Chiu, Sen. Wiener)
Bill: This constitutional amendment would lower the voter threshold for the imposition, extension, or increase of a special tax by a local government or special district to fund the construction, reconstruction, rehabilitation, or replacement of public infrastructure or affordable housing projects, from two-thirds to 55 percent.
Status: Introduced on 12/7/2020
Action: No recommended action at this time

February Legislative Update February 12, 2021

Recommendation

The Committee may receive and file this report.

Local Update

• SCORE Project Meetings
• Title VI and Central Maintenance Facility Public Meetings

State Update

• 2021-2022 Budget Development
• 2021-2022 Legislative Session

Federal Update

• COVID-19 Relief Legislation
• Legislative Engagement Meetings

ITEM 6.G

ITEM ID: 2020-231-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: Quarterly Compensation Report 2nd Quarter FY21 - October 1, 2020 through December 31, 2020

Issue

In compliance with HR Policy No. 2.1, Wage and Salary Administration – Salary Program Administration, staff is required to make quarterly and annual reports to the Board on compensation matters.

Recommendation

The Committee may receive and file the report.

Strategic Commitment

This report aligns with the Strategic Business Plan commitment of:

Modernizing Business Practices: We will improve our operational efficiency through transparency, objective metrics and streamlined governance, reducing over-reliance on subsidy while bringing our system into a state of good repair and investing in the development of our employees. As required by the HR Policy No. 2.1, Wage and Salary Administration – Salary Program Administration, staff is required to make quarterly reports to the Board on all compensation matters to maintain transparency.

Background

In accordance with HR Policy No. 2.1, Wage and Salary Administration – Salary Program Administration, the Board requires the Chief, Human Resources to report all salary placements for new hires, promotions, demotions, reclassifications and other changes in employee compensation to the Board on a quarterly basis.

Discussion

There were 43 compensation transactions that occurred during the second (2nd) quarter of fiscal year 2020-21, October 1, 2020 through December 31, 2020. The compensation transactions are summarized below and in Attachment A and described in detail in Attachment B:

• 3 New Hires
• 2 Promotions
• 1 Acting Pay
• 3 Additional Pay - Temporary
• 2 Return from Acting/Additional Pay
• 32 ATU Salary Increases

New Hires

The following provides justification for the three (3) new hires:

Director, Contracts, Procurement & Materials Management - Effective October 26, 2020

This position is designated as mission critical by the CEO to provide leadership and oversee the procurement of materials, equipment and professional services. The position is designated as the Purchasing Agent. The position fills a vacant position.

IT Architect II - Effective November 2, 2020

This position is designated as mission critical by the CEO to provide critical support to PTC Network Control Operations, the new Train Control Network & Infrastructure implementation, and also the next generation of Positive Train Control. This position fills a vacant position.

Maintenance Technician II - Effective November 3, 2020

The position is designated as mission critical by the CEO to provide various preventive and corrective repairs for Authority facilities and yards agency wide. The position fills a vacant position.

Promotions

In accordance with the HR Policy No. 2.1, Section 1.5 – Promotions:

“A promotion is awarded when an employee moves from his/her current job classification to another when the new job classification is at least one salary grade higher than the previous job classification. The following factors may be taken into consideration in determining a promotional increase:

The employee’s new salary shall not be less than the minimum of the new salary range. The salaries and qualifications of employees in the same or similar positions and/or the same grade shall be taken into consideration to ensure internal equity. Demonstrated past performance and strength of experience and qualifications shall be considered in relation to the salary placement.”

A salary increase of 32.79 percent was authorized by the CEO to maintain internal equity within the salary grade for the position. The minimum qualification for this position is 10 years of related experience; the selected candidate possesses 20 years of experience. Additionally, the average salary for employees in the salary grade is $174,500; hence the annual salary offered of $168,500 reflects a reasonable and appropriate increase for the selected employee. Please see the table below for salary details.

Effective November 16, 2020:

Type of Change            Current Information             Promotion Information
Job Title:                Planning Manager I              Director, Grants
Salary Grade / Range:     Grade K / $81,201 - $126,892    Grade P / $123,344 - $192,735
Annual Salary:            $126,892                        $168,500

Additionally, a salary increase of 12.55 percent was authorized by the CEO, pursuant to the Collective Bargaining Agreement (CBA) between the Southern California Regional Rail Authority and the Amalgamated Transit Union (ATU), Local 1277. The selected candidate went through the competitive recruitment process and the offered salary was in accordance with the CBA. Please see table below for salary details.

Effective December 27, 2020:

Type of Change            Current Information             Promotion Information
Job Title:                Train Dispatcher                Supervisor, Dispatching Operations
Annual Salary:            $101,751.31                     $114,517.78

ATU Pay Increases

Pursuant to the Collective Bargaining Agreement between Management and the Amalgamated Transit Union (ATU), Local 1277, dated February 8, 2019, Article 20, members received a pay increase effective December 27, 2020, which was the beginning of the pay period that included January 1, 2021.

Next Steps

Record quarterly compensation data.

Prepared by: Agavni Bagdasarian, Senior Human Resources Analyst

Roxanne Randolph, Interim Chief, Human Resources

Approved by: Roxanne Randolph, Interim Chief, Human Resources

Attachment(s)

Attachment A - Board Compensation Summary - FY21 2nd Quarter
Attachment B - Board Compensation Report FY21 2nd Quarter

ATTACHMENT A
COMPENSATION REPORT SUMMARY - SECOND QUARTER FY 21 - 10/1/2020 THROUGH 12/31/2020

Category based on H.R. Policy 2.1 Requirements        Total Number
Salary Placement for New Hire                         3
Salary Placement for Promotion                        2
Other Changes In Compensation
    Acting Pay                                        1
    Additional Pay - Temporary                        3
    ATU Salary Increase                               32
    Return From Acting/Additional Pay                 2

TOTAL TRANSACTIONS                                    43

ATTACHMENT B - COMPENSATION REPORT SECOND QUARTER FY21

POSITION/CLASSIFICATION   EFFECTIVE DATE   TYPE OF SALARY PLACEMENT   SALARY RATE (Bi-Weekly/Hourly Rate)   PERCENT ADJUSTMENT

A. New Hire

1 Director, Contracts, Procurement & Mtrls Mgmt 10/26/2020 Initial Compensation $6,923.08 NA

2 IT Architect II 11/02/2020 Initial Compensation $4,311.77 NA

3 Maintenance Technician II 11/03/2020 Initial Compensation $29.33 NA

B. Promotion

1 Director, Grants 11/16/2020 Promotion $6,480.77 32.79%

2 Supervisor, Dispatching Operations 12/27/2020 Promotion $4,404.53 12.55%

C. Other Changes In Compensation

1 Customer Relations Representative I 10/26/2020 Acting Pay $22.59 15%

2 Marketing Manager II 11/23/2020 Additional Pay - Temporary $4,989.43 2.5%

3 Supervisor, Customer Relations 11/23/2020 Additional Pay - Temporary $3,362.02 2.5%

4 Chief Safety, Security & Compliance Officer 12/21/2020 Additional Pay - Temporary $8,367.29 5%

5 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

6 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

7 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

8 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

9 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

10 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

11 Communications Coordinator 12/27/2020 ATU Salary Increase $31.38 2%

12 Supervisor, Dispatching Operations 12/27/2020 ATU Salary Increase $4,693.84 2%

13 Supervisor, Dispatching Operations 12/27/2020 ATU Salary Increase $4,893.93 1%

14 Supervisor, Dispatching Operations 12/27/2020 ATU Salary Increase $4,693.84 2%

15 Supervisor, Dispatching Operations 12/27/2020 ATU Salary Increase $4,693.84 2%

16 Supervisor, Dispatching Operations 12/27/2020 ATU Salary Increase $4,893.93 1%

17 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

18 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

19 Train Dispatcher 12/27/2020 ATU Salary Increase $52.83 1%

20 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

21 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%


22 Train Dispatcher 12/27/2020 ATU Salary Increase $54.65 1%

23 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

24 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

25 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

26 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

27 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

28 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

29 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

30 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

31 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

32 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

33 Train Dispatcher 12/27/2020 ATU Salary Increase $53.24 1%

34 Train Dispatcher 12/27/2020 ATU Salary Increase $49.90 2%

35 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

36 Train Dispatcher 12/27/2020 ATU Salary Increase $51.52 1%

37 Budget Analyst II 11/01/2020 Return From Acting/Additional Pay $3,424.62 -4.76%

38 Capital Budget Analyst 11/01/2020 Return From Acting/Additional Pay $4,121.82 -4.76%

RB-HR-100.1

ITEM 6.H

ITEM ID: 2020-232-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: External Disadvantaged Business Enterprise (DBE) and Labor Compliance Services

Issue

This report is an update on the External Disadvantaged Business Enterprise and Labor Compliance Services bench contract.

Recommendation

The Committee may receive and file this report.

Strategic Commitment

This report aligns with the strategic commitment of: Modernizing Business Practices: We will improve our operational efficiency through transparency, objective metrics and streamlined governance, reducing over-reliance on subsidy while bringing our system into a state of good repair and investing in the development of our employees. The bench contract ensures Metrolink's compliance with statutory and regulatory DBE and Labor Compliance requirements associated with receiving state and federal grant funding.

Background

During the January 24, 2020 Board Meeting, the Board awarded bench contract QM161R-20 for External Disadvantaged Business Enterprise and Labor Compliance Services to the following firms:

GCAP Services, Inc. (GCAP)
Padilla and Associates, Inc.
TSG Enterprises, Inc. dba The Solis Group

During the meeting, Director Do requested a report back on which firms received contract task orders and the type of work, including the firm’s qualifications, during 2020.

Discussion

Firm Qualifications

The firms' qualifications are as follows:

GCAP Services, Inc. (GCAP)

GCAP Services, Inc. (GCAP) is a California-based professional consulting firm that was founded in 1997 and is certified as both a Small Business Enterprise (SBE) and a DBE. GCAP supports the public sector, including highway, rail, transit, airport, and energy projects, by delivering practical, cost-effective solutions for business and administrative challenges. GCAP provides innovative and technology-based solutions to many of its clients. Since its founding, GCAP has successfully delivered over one hundred seventy (170) high-quality consulting engagements to federal, state, county, and local government agencies. GCAP offers experienced consultants and technical experts in multiple areas, including DBE and Labor Compliance Support Services.

Padilla & Associates

Padilla & Associates, Inc. brings in excess of 25 years of direct and relevant firm experience serving as a prime consultant in DBE, SBE and Labor Compliance Program (LCP) administration within the passenger rail service industry. Padilla & Associates developed the Authority’s first DBE program and original LCP. The firm has several notable achievements including assisting the Authority and other like agencies in providing innovative approaches and strategic implementation strategies in support of their DBE, SBE and LC Program requirements.

The Solis Group (TSG)

The Solís Group has provided professional compliance consulting services to public agencies with a focus on the transportation sector for more than 26 years. Their suite of services includes the design, development, customization, and implementation of labor compliance and DBE/SBE programs. TSG assists public agency clients with maintaining compliance with federal, state and local public policy program requirements, while increasing the participation of disadvantaged and small businesses in their procurement activities and fostering positive small business community relations.

Work Assignments

Work is assigned to the bench contractors through work orders. Work orders for pre-award contract services, which include establishing the contractual DBE goal and participating in pre-proposal/bid meetings, are assigned to GCAP and TSG. Work order assignments are based on the pre-award contract scope of work and the fee estimate for GCAP or TSG to complete the task(s). Assignments are also examined to ensure equity in assigning work orders to both bench contractors. In those instances when TSG has declined a work order citing a conflict of interest, that work order is then assigned to GCAP.

During the reporting period, 18 work orders were assigned to GCAP totaling approximately $21,000. TSG was assigned 10 work orders, of which 5 were declined (and reassigned to GCAP). The 5 work orders accepted by TSG total approximately $15,000 (see Attachment A).

While work orders are assigned to GCAP and TSG on a per-contract basis, work orders are assigned to Padilla and Associates for a specific time period, usually 4-6 months in duration. Currently Padilla and Associates is responsible for post-contract award activities, which include the evaluating, monitoring, and reporting required for DBE and Labor Compliance on more than 600 active contracts. During the reporting period, the total amount of work orders issued to Padilla and Associates is approximately $858,000.

Prepared by: Vida Mannings, Director, Special Projects

Approved by: Stephanie Wiggins, Chief Executive Officer

Attachment(s)

Work Order Issuance Log - Board Report

Attachment A. - QM161R-20 - Work Order Issuance Log - Year 1

Work Order      Contract Title                                                          Work Order Amount $
GCAP WO 1       Operator Services                                                       $ 2,535.00
GCAP WO 2       Concrete and Fiberglass Pull Boxes                                      $ 435.00
GCAP WO 3       Communications and Signal Equipment and Materials                       $ 1,785.00
GCAP WO 4       Purchase of New CradlePoint Modems                                      $ 435.00
GCAP WO 5       Marketing and Communications Support Services                           $ 500.00
GCAP WO 6       Network Switch Rehabilitation - Phase II                                $ 435.00
GCAP WO 7       Locomotive & Cab Car Camera & HEVRS Replacement                         $ 685.00
GCAP WO 8       Signal Chargers                                                         $ 685.00
GCAP WO 9       Track Rehabilitation Services                                           $ 1,250.00
GCAP WO 10      Other Track Materials                                                   $ 2,070.00
GCAP WO 11      Track and Signal Maintenance Support Services - Cancelled               $ -
GCAP WO 12      TOA Sole Source                                                         $ 935.00
GCAP WO 13      Railcar Lift Jacks                                                      $ 835.00
GCAP WO 14      Hy-Rail Lift                                                            $ 835.00
GCAP WO 15      DBE Services - Track and Signal Maintenance Support Services            $ 4,952.00
GCAP WO 16      LC Services - Track and Signal Maintenance Support Services             $ 1,260.00
GCAP WO 17      Nimble SAN Upgrade                                                      $ 435.00
GCAP WO 18      Public Affairs & Community Relations Support Services                   $ 435.00
                Total Amount of Work Orders                                             $ 20,502.00

Work Order      Contract Title                                                                                              Work Order Amount $
Solis WO 1      Communication and Signal Equipment and Materials - Consultant declined work citing conflict of interest     $ -
Solis WO 2      PTC 4G Material Procurement CradlePoint - Consultant declined work citing conflict of interest              $ -
Solis WO 3      Website Support Services                                                                                    $ 5,000.00
Solis WO 4      Locomotive & Cab Car Camera & HEVRS Replacement - Consultant declined work citing conflict of interest      $ -
Solis WO 5      Signal Chargers - Consultant declined work citing conflict of interest                                      $ -
Solis WO 6      Other Track Materials - Consultant declined work citing conflict of interest                                $ -
Solis WO 7      CP Dayton Signal House                                                                                      $ 2,500.00
Solis WO 8      LAUS Switch Machines                                                                                        $ 2,500.00
Solis WO 9      Purchase of 4 Support Vehicles                                                                              $ 2,500.00
Solis WO 10     IT Technical Support Services                                                                               $ 2,500.00
                Total Amount of Work Orders                                                                                 $ 15,000.00

Work Order      Contract Title                                                                          Work Order Amount $
Padilla WO 1    DBE Monitoring Services for Existing Contracts - April-October 2020                     $ 397,635.00
Padilla WO 2    LC Monitoring Services for Existing Contracts - April-October 2020                      $ 149,764.00
Padilla WO 3    2020 DBE Semi-Annual Report                                                             $ 4,986.00
Padilla WO 4    DBE Monitoring Services for Existing Contracts - October 2020 - January 2021            $ 236,139.00
Padilla WO 5    LC Monitoring Services for Existing Contracts - October 2020 - January 2021             $ 73,911.00
                Total Amount of Work Orders                                                             $ 862,435.00

ITEM 6.I

ITEM ID: 2020-238-0

TRANSMITTAL DATE: February 5, 2021

MEETING DATE: February 12, 2021

TO: Executive Committee

FROM: Stephanie Wiggins, Chief Executive Officer

SUBJECT: FY2020-2021 Marketing Update - Quarter Ending December 31, 2020 and Upcoming Q3 2020-2021 Programs and Campaigns

Issue

Staff is updating the Board on Marketing activities for FY 2020-21 for the Quarter ending December 31, 2020, and upcoming activities in Q3 2020-2021.

Recommendation

The Committee may receive and file this report.

Strategic Commitment

This report aligns with the Strategic Business Plan commitment of: Customers Are Our Business: We respect and value our customers, putting them at the heart of all we do, and work hard to attract and retain new customers by understanding their needs and finding new and innovative ways to bring them on board. We use a customer-first approach for our marketing efforts to ensure that we are meeting the needs of our customer and providing them with reasons to continue riding with us.

Background

Staff is providing a summary of Q2 2020-2021 marketing activities and an overview of marketing activities planned for Q3 2020-2021.


Discussion

Loyalty Program (October 14, 2020) - Metrolink launched the SoCal Explorer loyalty program to riders. With the COVID-19 pandemic halting daily commuter travel for many Southern Californians, retention of riders has become a key focus for the Metrolink Customer Experience team. Results from the launch exceeded expectations. As of December 31, 2020 there were 9,200 loyalty program members with a program adoption rate of 24% (goal was 18% per loyalty program industry standards).

Shop Small Holiday Campaign (November/December 2020) - As part of the Metrolink holiday campaign, the Agency partnered with American Express for its #ShopSmall program on November 28. The campaign reinforced support of Southern California's small business community with a focus on SoCal Explorer loyalty program partners. Metrolink partners were featured on the Agency's social media channels as well as in internal communications with a "#ShopSmall" highlight.

Metrolink Online Store (December 17, 2020) - Metrolink launched the Metrolink Store with curated, Metrolink-branded products for women, men, children, home and accessories. Products range from letterman jackets to throw blankets to t-shirts and baby one-pieces. The Metrolink Online Store offers loyalty program members 10% off their first purchase. As of December 31, 2020, Metrolink has had 53 transactions totaling $2,408.47 in sales. Top-selling items are the mug, the black & white train unisex t-shirt and the all-over print tote bag.

Upcoming Q3 2020-2021 Activities

Customer Appreciation Week (February 1-19, 2021) - In previous years, Metrolink marked February 14 (Valentine's Day) as a day to thank and celebrate its riders. Last year, Metrolink thanked riders with a dedicated email campaign and in-person candy giveaways at stations across our system, which included greetings from Board Members.

In 2021, Metrolink will continue this tradition by celebrating riders who have continued to ride with us during the COVID-19 pandemic and highlight essential workers who have kept our region functioning. Shifting from one day to one week, this year's campaign will thank our current riders in friendly, engaging and personalized ways and reinforce the reasons why Metrolink riders choose to take the train. Program tactics will include email, social media posts, special offers from the Metrolink Store, and "surprise and delight" hand sanitizer and face mask giveaways for those currently riding the system.

Year in Review (March 2021) - Metrolink will use the anniversary of California's first stay-at-home orders to demonstrate its industry leadership in safety and customer service. From health and safety advancements to testing new fares that promote equity for all riders, Metrolink quickly pivoted from long-standing ways of doing business to new, innovative measures and ridership programs that helped the Agency become a smarter, better regional rail service that is essential to the Southern California region. Program tactics will include an interactive timeline of key milestones, a follow-up survey to riders, proactive executive thought leadership and media outreach, social media posts and a year-in-review video.

In addition to the above-mentioned programs, the Customer Experience team will also implement social media campaigns for Black History Month, Lunar New Year, Presidents' Day, and International Women's Month.

Next Steps

Staff will present its next quarterly update to the Executive Committee in April 2021.

Prepared by: Monica Bouldin, Director, Marketing & Partnerships

Approved by: Jennifer Vides, Chief Customer Experience Officer
