IT Governance Discovery & Enagement Report
Lake County Public Library · Prepared by Cardinal Point Technologies
Engagement Leads
Grant Andres · Zak Konway
Discovery Period
December 1, 2025 – April 30, 2026
Prepared For
Carol Daumer Gutjahr, Library Director
John Brock, CFO
Document Status
DRAFT — Internal Working Document · Report Date: April 30, 2026

This is a working draft. Sections marked [PLACEHOLDER] contain internal notes for the team on additional detail required before final delivery. All sections represent findings from the discovery engagement — not project statuses.

Confidential

Executive Summary
Over five months of active discovery across nine Lake County Public Library locations, Cardinal Point Technologies conducted a comprehensive IT Governance Needs Assessment following the departure of LCPL's IT Director. What the engagement revealed was an environment that had grown organically over many years — technically functional in many respects, but operating without documentation, without formal backup coverage, and with a significant number of systems that are either past end-of-life or approaching it. The institutional knowledge that held these systems together had walked out the door, and the risks that had been quietly accumulating were now fully exposed.
The environment as we found it is best characterized as a legacy-managed state: systems are running, staff are working, and services are being delivered — but the margin for error is narrow. Multiple hardware failures during the engagement period (Merlot-2 HDD, SAFE-2 degraded RAID, DNS outage) occurred in an environment with no backup safety net beneath them. Each was recoverable. A more severe or simultaneous failure may not have been.
🔴 Critical Risks
  • Server 2008 R2 / 2012 in production
  • On-prem Exchange / iMail past EOL
  • No confirmed backup strategy
🟠 High Risks
  • DNS single point of failure
  • No MFA on most systems
  • No formal security policies
  • Windows 10 EOL endpoints
🟡 Medium Risks
  • GPO replication not functioning
  • Network infrastructure EOL / unmanaged
  • Undocumented infrastructure
The recommended path forward is a phased, tiered modernization program executed under a structured vCIO engagement model. Tier 1 addresses the most urgent operational and security risks — backup, DNS, AD modernization, email migration, and network modernization — within the first ten months. Tier 2 builds the security and management layer on top of that foundation. Tier 3 delivers long-term operational maturity. The investment structure reflects the elevated engagement level of the current environment and scales as stability is achieved.

Confidential

1

About This Engagement
How We Got Here
In late 2025, the Lake County Public Library found itself at a critical juncture. The departure of the organization's IT Director left LCPL without strategic IT leadership, without documentation, and without a clear picture of the technology environment supporting nine locations across Lake County. The systems in place had grown organically over many years, and the institutional knowledge that held them together had walked out the door.
Cardinal Point Technologies was approached to step in as a virtual CIO — not simply as an outside advisor, but as an embedded strategic partner capable of understanding the environment, identifying the risks, and building a clear, fundable plan to modernize it. In November 2025, CPT and LCPL executed Service Order SO-LCPL-11042025-DISCOVERY, formalizing an IT Governance Needs Assessment. The engagement was subsequently extended through April 30, 2026, reflecting the complexity and scope of what we found.
Nine Discovery Workstreams
01
WS-01
Network & Infrastructure
02
WS-02
Servers & Active Directory
03
WS-03
Email & Collaboration
04
WS-04
Backup & Disaster Recovery
05
WS-05
Endpoint Management
06
WS-06
Security & Compliance
07
WS-07
Application & Service Catalog
08
WS-08
Staff Development & Knowledge Transfer
09
WS-09
DNS Architecture
Engagement Team
What This Report Provides
  • Current-state inventory and findings across all nine workstreams
  • Identification of unsupported, end-of-life, and undocumented systems
  • A prioritized IT roadmap with tiered recommendations
  • Hardware lifecycle plan aligned to realistic budget cycles
  • 3–5 year budget projection for IT investment
  • Recommended ongoing vCIO engagement model and formal service proposal

Confidential

2

What We Encountered Along the Way
The original discovery engagement was scoped as an assessment — a structured period of observation, data collection, and analysis. What we found was an environment that could not simply be observed from the outside. Critical systems were undocumented. Infrastructure that appeared to be functioning had silent failure modes. Staff were managing workarounds that masked underlying instability. CPT was regularly pulled from planned discovery workstreams to address active issues that surfaced during the assessment — issues that could not be deferred without operational risk to the library.
Completed During Engagement
Mail Server / HDD Failure (Merlot-2)
Hard drive failure diagnosed and resolved; mail continuity maintained
Website Migration & DNS Management
Website successfully migrated; DNS management transitioned
HVAC Access Issue — Merrillville
Credential and access issue resolved for facilities team
SMTP Infrastructure — Polaris & Book Scanner
Outbound mail relay stabilized for Polaris ILS and scanning systems
Degraded RAID — SAFE-2
RAID array degradation detected and addressed before data loss
DNS Outage — Emergency Response
April 9 outage resolved; root cause identified as SOA misconfiguration
🔄 In Progress at Time of Report
DNS Migration to Cloudflare (DNS-01)
Approved $6,450 · Signed April 16, 2026 · Actively in progress
EZProxy — Outage Response & Remediation
~4–6 hours remaining; informal approval from CFO
VPN / Firewall Cutover — ENA
~2–4 hours remaining; pending AT&T segment resolution
Backup / DR — Strategy & Implementation
Parts on order; Veeam/NAS hardware delivery expected July 2026
E-Rate FY2026 — Network Modernization
Vendor selected (Zayo); pending E-Rate award notification
iMail Backup Configuration
In progress; prerequisite to EMAIL-01 migration
Hardware — Server Cleanup & Consolidation
Active and ongoing through the engagement period
Software Compliance & Licensing Audit
Identified; scoping in progress

All items above have been formally tracked in CPT's ticketing system (Syncro) and are reflected in the hours summary in Section 7. This is not an exhaustive list of all engagement activity — it represents issues that surfaced outside the planned workstream structure and required active CPT response.

Confidential

3

Discovery Findings — Key Workstreams
The following summarizes critical findings from the highest-priority workstreams assessed during the discovery period. These are observations that directly inform the roadmap. Each workstream finding maps to one or more actionable roadmap items detailed in Section 5.
WS-03: Email & Collaboration
LCPL's email runs on on-premises IPSwitch iMail v12.5.5.115 with 205 active users. iMail is past end-of-vendor-support — no patches, no security updates. No Microsoft 365 tenant exists. The November 2025 Merlot-2 HDD failure was a near-miss: had the full RAID array failed, mail data would have been permanently unrecoverable. Proofpoint SPAM filtering is in place but cannot compensate for the underlying platform's EOL status.
Roadmap: EMAIL-01 — iMail → M365 Migration (Tier 1) · IMAIL-01 — iMail Backup (prerequisite)
WS-04: Backup & Disaster Recovery
At engagement start, no formal backup strategy existed for any LCPL system. No RPO or RTO targets had been defined. No disaster recovery plan had been documented. Two hardware failures during discovery — Merlot-2 HDD and SAFE-2 RAID degradation — both occurred without any data protection layer. Recovery was possible in both cases, but the margin was narrower than acceptable. CPT scoped a Veeam/Dell/NAS solution; hardware is on order with July 2026 delivery expected.
Roadmap: BACKUP-01 — Backup & DR Implementation (Tier 1 · In Progress)
WS-05: Endpoint Management
LCPL operates a mixed Windows 10 and Windows 11 environment across nine locations. Windows 10 reached end-of-support October 14, 2025 — a significant portion of the fleet receives no security patches. No standard workstation build exists. No centralized software deployment. No hardware lifecycle tracking. RMM coverage is currently partial; full endpoint inventory is pending deployment completion across all locations.
Roadmap: ENDPT-01 — Endpoint Standardization Program (Tier 2 · Requires AD-01)
WS-06: Security & Compliance
No formal IT security policies exist at LCPL. No acceptable use policy, no data handling policy, no incident response plan. MFA has not been deployed on most systems — a single compromised credential provides full domain access. CIPA compliance, required for E-Rate eligibility, has not been formally verified or documented. Symantec endpoint protection is confirmed in place. GPO replication failure means Group Policy security settings may not be applying consistently across the domain.
Roadmap: SEC-01 — MFA Rollout · SEC-02 — Security Policy Development · SEC-03 — CIPA Compliance
WS-08: Staff Development & Knowledge Transfer
LCPL's internal IT team consists of four Tier 1 staff and one individual with limited Tier 2 capability in legacy technologies. No formal role definitions, no cross-training program, and minimal documented procedures exist. The institutional knowledge previously held by the former IT Director was not transferred prior to departure. CPT's goal is to progressively build the internal team's capability to own more of day-to-day operations over time — cross-training is built into every CPT-led project as a requirement, not an afterthought.
Roadmap: STAFF-01 — Knowledge Base Establishment (Tier 1) · STAFF-02 — Structured Cross-Training (Tier 3)
WS-09: DNS Architecture
LCPL's DNS ran on a primary/secondary configuration (DONUTS1/DONUTS2). The April 9, 2026 outage revealed a critical flaw: the SOA expiry value was set to 3,600 seconds (one hour) — appropriate for test environments, not production. When DONUTS1 went offline due to a bad cable, DONUTS2 stopped serving DNS exactly one hour later as designed. Industry standard SOA expiry is 604,800–1,209,600 seconds (1–2 weeks). The root cause was a misconfiguration baked into the original setup and undetected until failure. DNS-01 migration to Cloudflare was approved April 16, 2026 at $6,450 (signed).
Roadmap: DNS-01 — Cloudflare Migration (Tier 1 · Approved · In Progress)

Confidential

4

IT Roadmap
Every project below flows directly from a specific finding in Section 4. The tier structure reflects the sequence in which initiatives should be executed to reduce risk systematically and build effectively on each other. DNS-01 and BACKUP-01 are the only projects with signed SOWs at time of report publication. All other project-based items will receive individual SOWs with detailed scope, timeline, and pricing prior to execution.
Tier 1 — Immediate (0–10 Months)
Tier 2 — Near-Term (10–24 Months)
Tier 3 — Strategic Enhancements (24–36 Months)

Confidential

5

vCIO Engagement Model & Deliverables
A virtual CIO engagement from Cardinal Point Technologies is not a help desk subscription or a break-fix contract. It is a strategic leadership relationship. CPT functions as LCPL's IT leadership layer — responsible for the direction of the technology environment, the integrity of the roadmap, the management of vendors and projects, and the progressive development of LCPL's internal IT capacity. For an organization the size of LCPL, a fractional CIO model provides access to senior-level IT strategy and execution expertise at a cost calibrated to what the library actually needs.
Strategic Planning & Roadmap Stewardship
  • Ownership and ongoing maintenance of the LCPL IT Roadmap
  • Annual roadmap review aligned to budget planning calendar
  • Technology trend monitoring for public library environments
  • Initiative prioritization updates as the environment evolves
Stakeholder Advisory & Governance
  • Monthly standing meetings with Library Director and CFO
  • Board-ready IT reporting on a quarterly basis
  • Budget planning support — capital and operational forecasting
  • Policy development and governance documentation
Vendor & Contract Management
  • Oversight of all IT vendor relationships (ENA/Zayo, AT&T, Comcast)
  • Contract review, renewal tracking, and negotiation support
  • E-Rate program continuity with AdTec and network vendor
  • New vendor evaluation as needed
IT Operations Oversight
  • Internal IT staff oversight and mentorship
  • Tier 2/3 escalation coverage beyond internal staff capability
  • Incident management and post-incident review
  • Change management coordination for significant modifications
Reporting & Accountability Cadence
1
Monthly IT Status Report
Delivered within first two weeks of following month. Open project status, incident summary, roadmap progress, vendor activity, upcoming decisions.
2
Quarterly Business Review
Formal meeting with Carol, John, and relevant stakeholders. Roadmap progress, budget actuals vs. forecast, strategic priorities, risk posture update.
3
Annual IT Report
Board-ready document summarizing year's IT activity, investments made, risks mitigated, and strategic plan for the year ahead. Supports annual budget cycle and board reporting.

The Knowledge Base & Documentation Program and Staff Development initiatives are embedded into every CPT-led project by design — not treated as separate events. All documentation remains LCPL's property regardless of engagement status.

Confidential

6

Hours Summary — Discovery Period
All data sourced directly from Syncro via per-ticket timer pull, current through April 17, 2026. September and October 2025 entries are pre-engagement timers logged prior to formal SO execution. The 241.62 hours invested represent the actual labor cost of the discovery engagement across the CPT team.
Engagement Totals by Technician
143.6h
Zak Konway
59.4% of total engagement hours
85.5h
Grant Andres
35.4% of total engagement hours
241.6h
Grand Total
Across all technicians and tickets
Monthly Distribution
Hours by Ticket

The original engagement was quoted at $24,750 (3-month) or $33,000 (4-month) at $8,250/month. The discovery period was extended through April 30, 2026, reflecting the scope and complexity encountered. Invoice/payment summary details against SO-LCPL-11042025-DISCOVERY to be confirmed with Zak and billing before client delivery.

Confidential

7

Service Proposal
This section transitions the engagement from the discovery period into ongoing vCIO services and scoped project work. The proposal reflects the operational reality of the LCPL environment as understood after five months of active discovery. All project-based items are scoped and billed separately via individual SOWs presented for approval prior to execution.
Phase 1 — vCIO Retainer
$8,750 / month
Term: 8 months from engagement start
Total Commitment: $70,000
Phase 1 pricing reflects the elevated engagement level of an environment actively transitioning from no IT governance to a managed state. RAID failures, DNS outages, EZProxy failures, VPN cutovers — CPT direct involvement will be required alongside proactive roadmap execution throughout this period.
Phase 2 — vCIO Retainer
$7,200 / month
Term: Month-to-month following Phase 1
Annual Value: $86,400
After eight months, CPT expects the environment to reach a materially more stable baseline. Tier 1 projects complete. Staff operating documented procedures. Knowledge base established. Unplanned reactive work significantly reduced. Phase 2 pricing reflects that matured posture.
Project-Based Services — Current Estimates

Confidential

8

Agreement Terms & Acceptance
Proposal Details
Key Terms
Retainer Commencement
vCIO retainer commences on [DATE] and supersedes the discovery SO upon execution.
Payment Terms
Monthly retainer invoices due upon receipt. Project invoices: 50% at SOW execution, 50% upon completion.
Cancellation
Either party may terminate the retainer with 30 days written notice. Projects billed per individual SOW cancellation terms.
Annual Review
Rate and scope reviewed annually with 60 days written notice of proposed adjustments before anniversary date.
Limitation of Liability
CPT's liability is limited to the cost of remediation. Not liable for incidental, consequential, or punitive damages.
Client Acceptance
By signing below, the undersigned authorized representative of Lake County Public Library accepts the terms of this engagement proposal and authorizes Cardinal Point Technologies to proceed.
Signed By: Carol Daumer Gutjahr
Title: Library Director
Email: cdaumer@lcplin.org
Date: ___________________
MSA Number: [MSA NUMBER]
Accepted By: Cardinal Point Technologies
Prepared By: Grant Andres · Zak Konway
Contact: gandres@cardinalpoint.tech
This agreement, together with any applicable MSA, constitutes the full agreement between the parties. All services are performed on fully licensed, supported operating systems and hardware. LCPL is responsible for maintaining compliance with all software and hardware licensing requirements.

Cardinal Point Technologies · LCPL IT Governance Discovery Report & Engagement Proposal · Confidential
Report generated April 2026 · Questions: Grant Andres — gandres@cardinalpoint.tech

Confidential

9