CitySmart Blog

Thursday, December 01, 2016
Brian Ocfemia, Technical Account Manager

As a follow-up to my post about data processing, this post discusses data output. For those who are not data-savvy or immersed in the world of data, it might seem like output is just output, right? No need to worry about output if you do input and processing correctly, right?

Not the case! Data output offers up some unique security risks and challenges that you need to fend off. Here are a few data output areas to assess.

1. Access to confidential information

When data output gets seen or delivered to a person—whether it’s city staff looking at a paper report or a citizen using your city’s website—that data must not reveal confidential information. For example, it should never be easy to see a social security number online with only a few data inputs. Or, personnel records should not be made available in a paper report that may get passed around to unauthorized people. Place controls over who sees outputted data.

2. Availability of data output

For employees and citizens who need to see certain information, data output needs to be highly available. That means your hardware and software need to perform at a high standard. Lack of availability to data affects the jobs of your employees and interferes with citizen services (such as paying property taxes online).

3. Formatting, reports, and analysis

Ever run a report and get a spreadsheet full of gobbledygook and unstructured, unformatted data? Outputted data is not helpful if it can’t be read or interpreted. The end result of data input and processing must be understandable and usable. Work with your software vendors and IT staff or vendor to ensure that you receive data output in a digestible, user-friendly form.

4. Monitoring

Similar to our suggestions for data input and data processing, it’s always a good idea to monitor data output. Not only do you help quality control by detecting errors and anomalies, but you also stay alert for security risks and breaches.

5. Compliance

In addition to security and usability, cities must also ensure that they comply with all federal and state laws. This includes laws that balance privacy (such as keeping personal information like social security numbers private) with freedom of information. Data breaches can occur and lead to fines and lawsuits when outputted data gets in the wrong hands as a result of careless policies and procedures.


When considering these best practices, it’s clear that a few patterns emerge.

  • Rely on monitoring and automation to eliminate errors.
  • Seek help from IT professionals and software vendor support.
  • Create clear policies and procedures to comply with the law and lessen security risks.

Questions about securing your data? Reach out to us today.

Friday, November 18, 2016
Brian Ocfemia, Technical Account Manager

Data processing is a complex topic involving lots of technical know-how. Experts have written books about it and IT professionals spend their entire careers staying up on its developments. For this post about data, we’ll focus on a few key critical data processing concepts that especially impact security and need to be addressed in your application controls policy.

Overall, your data processing is the bridge between your data input and output. Now let’s look at some important data processing aspects.

Transaction Logs

These logs record all electronic information about transactions that take place within an application. For example, you may enter payroll information each week into your accounting application for each employee. Each completed set of data that you input for each employee counts as a transaction if the data is processed between, for example, your system and a bank.

Transaction logs must match what are known as “source documents.” For example, payroll information may originate from a timesheet (either on paper or sent electronically). If the timesheet and the paycheck don’t match, then there may be a transaction error. Experiencing many transaction errors may indicate a problem with your application or with the way your employees are using it.

Edit Reports

Edit reports note incorrect information, incomplete information, and errors about transactions. It’s important to run these reports for your most critical applications to make sure that transactions are accurate. For example, edit reports are useful when you’re sending out paychecks, tax information, or utility bills. You can then note any errors and make fixes before officially completing the transactions.

Overrides

Applications are designed to accurately capture information and ensure high data quality. Your override procedures need to be strict and for exceptions only. Don’t abuse an override function just to get around inconveniences. In addition, and as a security precaution, it helps to monitor overrides along with all other logging information to look for patterns and possible security violations.

Reconciliations

In case of a power outage, a data interruption, or lags between different applications, your applications need to reconcile inputted transactions with your database. For example, if 10 users submit utility billing information onto your website while you’re having a server outage, those 10 transactions should reconcile to your database once your server is back up. Also, reconciliation applies from an accounting perspective. You need reconciliation processes in place to ensure that your general and subsidiary ledgers match up.

Monitoring

Experienced IT professionals should monitor everything related to your data processing such as:

  • Transactions and processing
  • Errors and incorrect information
  • Overrides
  • Unauthorized use of the application (especially when it appears that someone is altering data or ignoring/tampering with processes)
  • Reconciliations
  • Application performance (such as after a power outage or server failure)

Any data processing policy needs to be reviewed by business and application stakeholders to make sure you are complying with the law and using best practices. In a future post, we’ll look at data output—the final stage of data after it’s inputted and processed.

Questions about the security of your data processing? Reach out to us today.

Thursday, November 10, 2016
Nathan Eisner, COO

Strange but true, I had a flash of insight during a recent experience renovating a bathroom in my house. As with any project (just like technology), I’ve experienced both little issues and big issues along the way. However, the two biggest issues occurred when I ordered a sink and when I experienced a big leak. In hindsight, these two experiences jumped out at me because they clearly paralleled the many stories I’ve heard from cities about good and bad IT vendors.

First, let’s look at the bad experience—and see if you can relate.

1. I ordered a sink. It never arrived.

I needed this sink before the contractor started working on the renovation. So just to be doubly and triply assured that the sink would arrive on time, I ordered it online from a large home improvement store more than three weeks before the contractor would arrive. The store gave me a delivery date of one week from the time I ordered it. “Good,” I thought. “That’s about two weeks before the contractor gets here. And that gives me two weeks of buffer time in case anything goes wrong with the delivery.”

The one-week delivery date came and went. No sink.

Hmmm. I contacted the store about the issue. I could not reach a human. Instead, the store ignored my emails and voicemails.

Another week passed. No sink. No answers from the store. No communication from the store. I still couldn’t reach a human being to get an explanation of the problem and how it would get addressed.

Another week passed. The contractor started work. Still no sink!

By this point, I did receive a couple of very vague and generic emails from the store about the sink. Basically, all they could tell me was, “We’re looking into it.” No estimated time of arrival. No set expectations. And no follow up.

I finally got to my boiling point and started calling supervisors, managers, and even the store’s corporate office. Finally, a human being talked to me. Yet, still no sink ever arrived!

After the conversation with the corporate office produced no sink, I cancelled my order. This store lost my business and I bought a sink from a competitor.

Many IT vendors make these kinds of mistakes when serving cities.

  • Failure to simply do their job. You’re contracted to do something. You do it. We’ve seen many cities paying for services that are not delivered.
  • Lack of communication. Vendors often don’t communicate clearly (or at all) with cities when issues arise. Emails and voicemails go unanswered.
  • Lack of expectations. Even if you do talk to a vendor, many give vague responses. “We’re working on it.” “We’re looking into it.” “We’re investigating the issue.” That only infuriates you. When will it be resolved? What exactly is the issue? What consequences to city business should you expect while the issue is getting resolved?

Now let’s look at what could have been a disaster in my house and see how a professional turned a crisis into an example of amazing customer service.

2. After the first day of the contractor doing the plumbing, disaster struck that evening.

Keep in mind that my house is 75 years old. As a result, this renovation involved tearing the bathroom down to the studs. On the contractor’s first day, he focused on redoing some plumbing and wrapped up the day without incident.

Later that evening, I walked into the bathroom to inspect the progress and found a pipe spewing water everywhere. After some quick triage to contain the water, I called the contractor in a panic. Remember my story with the sink and imagine if that large home improvement store were on the other end of the line!

Instead, here’s what happened:

  1. The contractor answered his phone—in person—after hours.
  2. He reassured me the leak would be addressed as soon as possible.
  3. He said he could arrive first thing the next morning.

Sure enough, the contractor and his crew arrived bright and early the next morning just like they promised. After briefly explaining the problem to me, he completely fixed the leak within two hours.

What made the difference? Values that I hold dear as an IT professional.

  • Prompt response. The contractor answered the phone on the first ring. We pride ourselves on our 24/7/365 U.S.-based helpdesk staffed with humans who will respond to you immediately.
  • Clear communication. The contractor helped me understand what was going on and made me feel comfortable that my problem was in the right hands. Similarly, we communicate with city staff in non-technical language. If we’re onsite, then we also communicate about the status of any work upon arriving and leaving.
  • Expectations set and met. The answer to an issue isn’t “We’re working on it.” That’s not helpful. Instead, we explain the problem, the next steps, and an estimated timeframe within which it will be fixed. If things change, then we update the city.

So whether it’s redoing a bathroom or serving a city’s technology needs, issues will always crop up. That’s why you need the right IT vendor—one that is responsive, communicative, and results-driven. And you know they’re good when they manage even earth-shattering crises—the equivalent of a major leak—with calm professionalism.

Looking for a municipal IT partner who is responsive, communicates, and delivers results? Reach out to us today.

Thursday, November 03, 2016
Mike Smith, Network Infrastructure Consultant

What happens when the worst happens? As an important city policy that should not be neglected, a disaster recovery and business continuity policy outlines how to recover electronic data after a catastrophe. Because cities cannot predict when a disaster such as a fire, flooding, or tornado will occur, it’s essential that a disaster recovery plan is in place.

So what do you need to cover in your policy? Here are five essential elements to help get you started.

1. Risk Assessment

Each city’s data volume and priorities may be different. It helps your policy if you outline risks specific to your city such as:

  • Data loss: What happens if you permanently lose city data? Some city departments may be able to absorb a greater hit than others, but some data is mission critical. Just imagine losing utility customer billing records, information about cemetery plots, police video records associated with an active case currently under investigation, or emails about city business subject to an active open records request.
  • Downtime: Even if you back up your electronic data, some data needs to be up and running much sooner than other data. For each type of data, ask yourself how long you can be down. For example, you will likely want to restore public safety data before you restore your cultural events data.
  • Costs: After a disaster, another way to look at risks involves examining costs. You may look at the costs (such as fines or lawsuits) related to losing critical data subject to open records requests or police video records needed as evidence in active cases or trials. Or, you may look at painful, indirect costs related to losing customer payment data related to taxes or utilities.

2. Planning

This is probably the most important aspect of your disaster recovery and business continuity policy. What exactly will you do when a disaster strikes? You will want to outline:

  • How you will get your technology up and running—from your most basic operating systems to your most critical applications.
  • Which data you will restore, in what order. This gives your IT staff or vendor a sequence of data to restore that they will follow to make sure your most critical systems get recovered first.
  • Contingency plans while data is inaccessible. While your city doesn’t have access to data, what will you do? Depending on the type of data, you may need to manually capture data for a period of time until systems are back up. Then, you may need to input that data into your systems once they are back online in order to make sure you are up-to-date.

3. Responsibilities

In other words, who will do what? You have multiple people who need to be clear about their roles. Focusing on people, processes, documentation, and a plan helps everyone become aware of their roles. And you must prepare for the worst because, sadly, not everyone may make it through a disaster event.

  • Business decision makers: City managers, city clerks, police chiefs, department heads, and elected officials may all make important decisions about restoring and accessing data in the wake of a disaster.
  • IT staff and/or vendors: Clarifying ahead of time what your hired IT professionals will do after a disaster will help them jump into action immediately. They need empowerment and a clear plan in order to best help. Staff and vendors also need to know how they will coordinate together.
  • Non-technical roles: This includes any non-technical stakeholders with a critical role in helping recover, restore, access, and operate systems during and after a disaster.

4. Storage

Any sound disaster recovery plan needs onsite and offsite storage capabilities.

  • Onsite data storage: For small disasters like a server failure, something like frequent backups with an onsite data backup service will help cities recover data quickly.
  • Offsite data storage: Most important after a serious disaster that takes out buildings housing your onsite data, your offsite storage is the way you recover that data. Offsite data backup doesn’t mean storing that data down the block or even within your county. Your policy should include a requirement that your data is stored far from your geographical location.

5. Testing and Monitoring

Don’t be the city that sets up a wonderful data backup and disaster recovery solution—and then never tests it. How do you know it will work? Your policy should include regular testing. Quarterly is ideal, but annual should be an absolute minimum. IT professionals should also regularly monitor your data backups to look for problems, errors, and data corruption.


Many cities find that reviewing these elements helps them realize they need to upgrade and modernize their data backup and disaster recovery solution. Common weak areas usually include no offsite data backup, manual (instead of automated) data backups, and a lack of IT professionals overseeing data backup. While creating a policy, you want to make sure you can carry out the most important aspects of effective disaster recovery and business continuity.

Questions about your disaster recovery policy or solution? Reach out to us today.

Thursday, October 27, 2016
Brandon Bell, Network Infrastructure Consultant

We’ve recently talked about many kinds of security—physical, wireless, and network. Now we come to “logical access security.” What does that even mean? It’s a technical term that’s actually quite simple to define.

With physical security, you’re physically preventing people from accessing equipment that stores sensitive information. With logical security, you’re electronically preventing people from accessing sensitive information. In other words, logical access security is all about the security of information accessed 100% in the digital “cyberworld.”

Unlike physical security, you can’t lock bits and bytes behind doors. So how do you lock your electronic information down? Here are four important areas where you can start.

1. Setting a Strong Password Policy

Most people access electronic information through passwords. Just think about what you access every day with a password: your email, your software applications, or your online website applications. Unfortunately, many organizations have extremely weak password policies that leave the door open to hackers and unauthorized access.

You need a password policy that includes:

  • Strong password requirements: Studies show that many people at organizations still use simple, easy-to-hack passwords. You need to use long or complex passwords consisting of a mix of letters, numbers, and special characters.
  • Regularly changing passwords: People shouldn’t use the same password for years and years. Set a policy that forces users to change their password on a semi-regular basis (such as once a quarter). Also make sure that users create new passwords each time—instead of just flipping back and forth between two passwords.
  • Locking out users after multiple incorrect log-in attempts: This protects a user’s account in case a hacker attempts to crack a password. For example, after three failed log-in attempts an authorized user may get locked out for a period of time or even be required to contact an administrator before they are unlocked.
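As an added example that is not part of the original post, here is a small Python model of the three policy elements above: a complexity check, a password history that blocks flipping back to a recent password, a quarterly expiry, and a lockout after three failed attempts. The concrete thresholds (12-character minimum, 90-day rotation, 5-entry history, 15-minute lockout), the account name and the passwords are assumptions constructed for illustration.

```python
"""Added illustration of a password policy: complexity, history, expiry, lockout.
Thresholds and sample data below are constructed assumptions, not from the post."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 12                       # assumed minimum length
MAX_AGE = timedelta(days=90)          # "once a quarter"
HISTORY_SIZE = 5                      # blocks flipping between two passwords
MAX_FAILED_ATTEMPTS = 3               # "after three failed log-in attempts"
LOCKOUT_PERIOD = timedelta(minutes=15)  # assumed lockout duration


def check_complexity(password: str) -> list[str]:
    """Return the policy rules the candidate violates (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current_hash: bytes = b""
    history: list[bytes] = field(default_factory=list)  # most recent last
    changed_at: datetime = datetime.min
    failed_attempts: int = 0
    locked_until: datetime = datetime.min

    def set_password(self, password: str, now: datetime) -> None:
        problems = check_complexity(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        digest = _hash(password, self.salt)
        # Reject any password still in the history window, including the current one.
        if any(hmac.compare_digest(digest, old) for old in self.history):
            raise ValueError(f"password reused within last {HISTORY_SIZE} changes")
        self.current_hash = digest
        self.history = (self.history + [digest])[-HISTORY_SIZE:]
        self.changed_at = now
        self.failed_attempts = 0

    def password_expired(self, now: datetime) -> bool:
        return now - self.changed_at > MAX_AGE

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'bad password' or 'locked'."""
        if now < self.locked_until:
            return "locked"          # still inside the lockout window
        if not hmac.compare_digest(_hash(password, self.salt), self.current_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_PERIOD
                self.failed_attempts = 0
                return "locked"
            return "bad password"
        self.failed_attempts = 0     # a good login clears the failure counter
        return "expired" if self.password_expired(now) else "ok"


def run_scenario() -> list[str]:
    """Walk one constructed account through the policy; returns the outcomes seen."""
    t0 = datetime(2016, 10, 27, 9, 0)
    acct = Account("clerk")
    acct.set_password("Municipal!2016xyz", t0)
    acct.set_password("CityHall#2017abc", t0 + timedelta(days=1))
    try:
        acct.set_password("Municipal!2016xyz", t0 + timedelta(days=2))
        results = ["reuse allowed"]
    except ValueError:
        results = ["reuse blocked"]
    day3 = t0 + timedelta(days=3)
    for guess in ("wrong-1", "wrong-2", "wrong-3"):
        results.append(acct.login(guess, day3))
    results.append(acct.login("CityHall#2017abc", day3 + timedelta(minutes=5)))
    results.append(acct.login("CityHall#2017abc", day3 + timedelta(minutes=16)))
    results.append(acct.login("CityHall#2017abc", t0 + timedelta(days=100)))
    return results


if __name__ == "__main__":
    print(run_scenario())
```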

2. Monitoring and Controlling User Accounts

At the IT administration level, you need experienced internal staff or a vendor to manage and monitor user accounts. It’s at the administrative level that IT professionals—following your city’s policies—will assign new user accounts, make changes to user accounts (such as assigning new passwords or updating access privileges), delete user accounts, and watch for any unauthorized user access. If no one performs this monitoring and maintenance on a regular basis, then you risk unauthorized users (such as ex-employees) using your systems and accessing sensitive information.

3. Requiring Timeouts

No, we don’t mean making an employee sit in the corner! Timeouts are when a computer gets locked for a period of time (such as 15 minutes) as a result of policies that protect against unauthorized access (such as hackers). After the period expires, the user can then attempt to log back into their computer. This requirement especially helps with computer security in an office where someone could easily sit at another person’s computer and steal information. With a timeout policy, you can make sure computers are more inaccessible to unauthorized people regardless of whether those people are physically present or somewhere across the globe.

4. Logging and Tracking User Activity

We’ve written more extensively about logging in the past, so we’ll just summarize a few high points here. Basically, logging is a technical activity that IT professionals conduct to both diagnose issues and document who accesses your data. For security, logging is important to track things such as suspicious web surfing activity or users remotely accessing your data. Without logging, you may not know if unauthorized users are viewing or stealing sensitive information until it’s too late.


As you can see, logical access security is...well, quite logical. We’re sure Star Trek’s Dr. Spock would agree! By locking down your electronic information as well as your physical technology equipment, you mitigate the risk of hacking attempts, data breaches, or stolen information.

Questions about your logical access security policies? Reach out to us today.

Thursday, October 20, 2016
Jabari Massey, Network Infrastructure Consultant

In the world of bits and bytes, the act of stopping hackers and preventing unauthorized access to data can seem like the highest information security priority. But physical security of electronic information is just as important—and often overlooked. It’s not uncommon for organizations to spend lots of time on information security only to leave rooms with servers and workstations unlocked—allowing anyone to wander inside.

Any city—even a smaller city—needs physical security for its onsite technology. Don’t make it too easy for a disgruntled employee or member of the public to damage or access information from a server or computer. Your liability greatly increases when you lack good physical security for your technology.

So what do you need to do? Physically lock down and prevent unauthorized access to your technology through the following best practices.

1. Prevent access to any rooms with machines that hold sensitive information.

In many cases, this will be a room with servers that contains some of your city’s most critical information. You need to house any machines with sensitive data in a locked room. For example, that means not housing servers in an office where employees sit at their desks. Employees should only access a server room through some kind of barrier (or locked door) via a key, key fob, or key card.

2. Control and oversee access to these rooms.

Only authorized people should access any rooms with servers or other sensitive electronic information. Create clear policies that outline which employees, contractors, vendors, and visitors access these rooms. You also need policies about how you terminate access so that ex-employees or former contractors can’t continue to enter these rooms.

3. Reconfigure physical access if you suspect a possible security weakness or breach.

We all make mistakes. But with physical security mistakes, you need policies that mitigate risks from any possible data breaches. Let’s say someone misplaces a key fob and it might get into unauthorized hands. Your policy may outline procedures for deactivating the lost key fob, which is much quicker and easier than changing the locks on a door.

4. Create additional procedures to monitor physical access.

In addition to controlling how people enter and exit rooms containing sensitive technology, think about the following physical access procedures:

  • Sign in and sign out: Know who enters your technology rooms by having everyone sign in and identify themselves.
  • Escort visitors: Do not let a visitor—such as a contractor or vendor—wander around your buildings without an escort. They are not employees and they need to be monitored. You may handle visitors differently depending on their role (such as a one-time visitor versus a long-time trusted vendor), but you need an escort policy for each kind of visitor.
  • Install security cameras: Cameras are more of a reactive security device but they help provide information and evidence in case of a physical security threat or breach. If it’s unclear how a physical breach occurred or a person disputes an incident, security camera footage can help provide answers.

5. Mitigate data breaches, sabotage, and disasters with physical security protections.

In case of a disaster, you want to have important physical security protections in place such as:

  • Data backup and disaster recovery: In case of server failure, deleted information, or physical damage to equipment, a data backup and disaster recovery solution will ensure you don’t lose any sensitive data.
  • Fire suppression: This includes smoke detectors and sprinkler systems.
  • Flood prevention: Consider locating server rooms in places that are unlikely to flood. Avoid basements or rooms located near low ground, and raise servers off the ground. Technology also exists to detect the presence of water within your building.
  • Redundant power supply: In case of a power outage, your technology should shift to backup power so that it keeps running.

Taken as a whole, these best practices will lock down your technology and make it difficult for a physical data breach to take place. Plus, these best practices also help with non-human disasters such as fire, flooding, or power outages.

Questions about your technology’s physical security? Reach out to us today.

Thursday, October 13, 2016
John Miller, Senior Consultant

In our last post, we talked about network security policy but left wireless security for this post. It’s not uncommon to see a city overlook the importance of wireless security. Partly, that’s because it’s easy to treat wireless devices like how you would set them up at home—buy a wireless router, unbox it, plug it in, power it on, connect your devices, and go.

Not surprisingly, technology audits often show that cities have open wireless access points that make it easy for hackers to access a city’s network. If wireless devices are not configured, secured, and properly monitored and maintained by IT professionals, then they can pose major security risks for cities.

When considering a wireless security policy, you need to account for the following elements.

1. Secure and lock down all wireless devices.

You’re not a home or a small coffee shop. You’re a city. People shouldn’t be able to hop onto your wireless network without a password and start getting on the internet. In fact, no unauthorized user should have access to your city’s wireless network. At the very least, you need to:

  • Set strong, complex passwords for all wireless access users (including administrators).
  • Ensure that all wireless users are known and authorized.

2. Remove physical wireless access hardware from the public or unauthorized employees.

A citizen visiting city hall or an unauthorized employee wandering through a hallway should not have access to a city’s wireless device. Yet, many cities often have wireless access points sitting in the open. These devices are easy to steal, damage, or reconfigure. To remain safe, any physical wireless hardware needs to be secured (such as in a locked room or a cabinet accessed only by a key or key fob) similar to how you would secure servers or your network infrastructure devices.

3. Apply patches and upgrades to wireless devices.

Wireless hardware runs on software that needs to get regularly updated with patches and upgrades. Bugs, security holes, and performance issues get fixed by these patches and upgrades. If your city hasn’t applied these updates in a while, then that is a priority in order to get these wireless devices as secure as possible. Ongoing wireless patching and upgrading should then become a regular part of your technology maintenance.

4. Use appropriate wireless hardware and configure it properly.

Assess and create an inventory of your existing wireless devices. What kind of equipment are you using? If it’s consumer-grade, then you’re at a big disadvantage. Business-class wireless hardware is more secure, provides better coverage throughout your buildings, and better grows along with your city if you need to add more users. Your wireless security policy should set a minimum requirement for your city to use business-class hardware with configuration performed by IT professionals.

5. Monitor and maintain your wireless network for security breaches.

As part of monitoring and maintaining your network infrastructure, you need to also monitor and maintain your wireless network. Activities include:

  • Watching for hacking and unauthorized access attempts.
  • Monitoring wireless data usage and network traffic to proactively identify internet access issues.
  • Applying security patches and software upgrades.
  • Ensuring compliance with legal and technical security standards.
  • Enforcing security policies and applying best practices.

With a strong wireless security policy that applies the best practices above, you’ll shore up this often weak security hole at your city. Wireless access is a convenient, efficient way for employees to access the internet. Make sure that this access remains safe and secure.

Questions about your wireless security? Reach out to us with any questions.

Thursday, October 06, 2016
Ryan Warrick, Network Infrastructure Consultant

To understand the importance of network security, imagine your technology like it’s city hall. Inside city hall, you have people, offices, hallways, and assets like furniture, office supplies, and computers. To gain access to the inside, parts of city hall may be open to the public—like the unlocked front door from 9-to-5. Other parts may be off-limits directly (such as a locked door) or indirectly (such as a security officer or a sign that says “keep out”).

Depending on your security setup, unauthorized people may or may not have access to sensitive information within city hall. Network security works similarly by preventing unauthorized electronic access to your sensitive information.

First, to understand your network better we’ll define some terms that you may have heard your IT staff or vendor mention to you.

  • Computers and servers: Your city’s computers and servers are the most well-known, visible part of your network. They are the machines that connect users to their applications and the internet.
  • Switch: When your city has many computers and servers, a switch is like a “Grand Central Station” for your network. Like a busy airport directing flights, a switch directs information and data in an efficient way to each computer and server.
  • Router: Your city might have multiple networks. For example, city hall may have one network with its own computers, servers, and switches. The police department may have its own separate network. A router helps these different networks communicate with one another as well as connect your networks to an additional global network—the internet.
  • Cables: Cables are the wiring that connects all of these devices together.
  • Firewall: Probably the most important part of your network, a firewall is like your locked doors at city hall. When internet information from the outside tries to enter your city’s network, your firewall decides which information to let in and which information to keep out.

Altogether, your network needs to have the right, properly functioning and configured equipment to keep you secure. Here’s how to get your network security optimized for your city.

1. Perform a network security assessment.

To assess your network security, you need to first identify everything that makes up your network—computers, servers, switches, routers, firewalls, etc. This assessment should include non-technical insights (such as information gaps about what’s on your network) and technical insights (like scans for security vulnerabilities on existing equipment). Overall, you’re looking for any security holes that could open you up to a cyberattack.

2. Lock down access points to your network.

Just as there are many ways to enter city hall (some legal and some illegal), there are also many ways to access your network. You’re essentially looking to add locks to any unlocked doors that you discovered in your network security assessment. Examples of locking down access points include:

  • Configuring your firewall properly in order to restrict information coming into your network.
  • Preventing people from using unauthorized external devices (like a flash drive) on your network so that they don’t introduce a virus or commit a data breach.
  • Restricting how employees, vendors, and other third parties remotely access your network—whether through a virtual private network (VPN) or another kind of remote access software.

3. Set up and configure your network devices properly.

Improper network device configuration (such as using default settings or creating weak passwords) can leave your city open to security risks. For example, a firewall contains many ports (or doors) that open up your network to the outside world. If you leave certain ports open, you could be introducing major security risks—similar to leaving a city hall door open at night. Even switches and routers can become security risks if improperly configured. Make sure you have trained IT professionals set up and configure your network devices.
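To make the “open doors” idea concrete, here is an added example that is not part of the original post or Sophicity’s own tooling: a small audit that reads a simplified firewall ruleset and reports the configuration mistakes described above (a default-allow policy, management services such as RDP reachable from the whole internet, cleartext protocols such as telnet allowed anywhere). The rule format, the two rulesets, the port lists and the thresholds are all constructed for the example; a real firewall’s export would need its own parser.

```python
"""Audit a simplified firewall ruleset for 'open door' mistakes.

Everything here (the Rule format, the WEAK and HARDENED rulesets, the port
lists) is constructed for this example and is not any vendor's format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Services that should never be reachable from arbitrary internet addresses.
# Assumed list for the example; tune it to the services your city actually runs.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 161: "snmp", 3389: "rdp"}
# Protocols that send credentials in the clear and should not be allowed at all.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dport: Optional[int]   # destination port; None means every port


def is_internet_wide(cidr: str) -> bool:
    """True when the source covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules: List[Rule], default_policy: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if default_policy.lower() != "deny":
        findings.append("default policy is not deny: unlisted traffic is let in")
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        wide = is_internet_wide(r.src)
        if wide and r.dport is None:
            findings.append(f"rule {i}: allows every port from anywhere")
        elif wide and r.dport in MANAGEMENT_PORTS:
            name = MANAGEMENT_PORTS[r.dport]
            findings.append(f"rule {i}: {name} ({r.dport}) exposed to the internet")
        elif r.dport in CLEARTEXT_PORTS:
            name = CLEARTEXT_PORTS[r.dport]
            findings.append(f"rule {i}: cleartext protocol {name} allowed from {r.src}")
    return findings


# Constructed 'before' ruleset: the kind of default-heavy setup the post warns about.
WEAK = [
    Rule("allow", "tcp", "0.0.0.0/0", 3389),   # remote desktop open to the world
    Rule("allow", "tcp", "10.0.0.0/8", 23),    # telnet inside the city network
    Rule("allow", "any", "0.0.0.0/0", None),   # catch-all "let everything in"
]
WEAK_POLICY = "allow"

# Constructed 'after' ruleset: deny by default, open only what is needed,
# and restrict administration to the vendor's documented address range.
HARDENED = [
    Rule("allow", "tcp", "0.0.0.0/0", 443),       # the public city website
    Rule("allow", "tcp", "203.0.113.0/24", 22),   # ssh only from the IT vendor's range
    Rule("allow", "udp", "10.0.0.0/8", 161),      # SNMP monitoring from inside only
]
HARDENED_POLICY = "deny"


if __name__ == "__main__":
    for label, rules, policy in (("weak", WEAK, WEAK_POLICY),
                                 ("hardened", HARDENED, HARDENED_POLICY)):
        print(f"{label}: {audit(rules, policy) or ['no findings']}")
```

Running it prints four findings for the weak ruleset and none for the hardened one. The point of the check is the order of questions a trained professional asks of any firewall: what is the default when no rule matches, what is reachable from anywhere, and which services are allowed at all.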

4. Continually monitor your network.

Ideally, a combination of automated software and trained IT professionals is needed to monitor your network 24/7/365. Hackers and other unauthorized users are always a threat to any network—no matter how “insignificant” you feel your network looks to an outsider. Any city is a ripe target for hackers. When monitoring network security, your IT staff or vendor will look for suspicious activity, signs of outside hacking or cyberattacks, and security vulnerabilities in your network.
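As an added illustration of what “looking for suspicious activity” means in practice (example code written for this page, not the post’s or Sophicity’s own monitoring), the script below reads firewall deny-log lines and flags two common patterns: one source probing many different ports, and one source repeatedly knocking on a management service such as remote desktop. The log line format, every sample line, and the thresholds are constructed assumptions; a real firewall’s log format would need its own pattern.

```python
"""Flag scan-like and brute-force-like patterns in firewall deny logs.

The log format, the sample lines and the thresholds below are constructed for
this example; they are not output from, or tuned for, any particular product.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed line format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SWEEP_PORTS = 10          # distinct ports denied from one source -> "port sweep"
REPEAT_ATTEMPTS = 5       # denies to one port from one source -> "repeated attempts"
WATCHED_PORTS = {22, 23, 3389}  # management services that deserve a louder alert

# Constructed sample: one source sweeping 12 ports, one hammering RDP,
# and two ordinary lines that should not trip anything.
SAMPLE_LOG = (
    [f"2016-09-29T02:14:{s:02d} DENY TCP 198.51.100.7:{40000 + s} -> 192.0.2.10:{21 + s}"
     for s in range(12)]
    + [f"2016-09-29T03:00:{s:02d} DENY TCP 203.0.113.9:{50000 + s} -> 192.0.2.10:3389"
       for s in range(5)]
    + [
        "2016-09-29T03:05:00 DENY UDP 192.0.2.77:5353 -> 192.0.2.10:5353",
        "2016-09-29T03:05:01 ALLOW TCP 192.0.2.50:44100 -> 192.0.2.10:443",
    ]
)


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse lines that match the assumed format; skip anything else silently."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return {source_ip: [finding, ...]} for sources showing suspicious patterns."""
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    hits_by_src_port: Dict[Tuple[str, int], int] = defaultdict(int)
    for ev in parse(lines):
        if ev["action"] != "DENY":       # only blocked traffic is of interest here
            continue
        dport = int(ev["dport"])
        ports_by_src[ev["src"]].add(dport)
        hits_by_src_port[(ev["src"], dport)] += 1

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, ports in ports_by_src.items():
        if len(ports) >= SWEEP_PORTS:
            findings[src].append(f"port sweep: {len(ports)} distinct ports denied")
    for (src, dport), n in hits_by_src_port.items():
        if n >= REPEAT_ATTEMPTS:
            label = "management port" if dport in WATCHED_PORTS else "port"
            findings[src].append(f"repeated attempts: {n} denies to {label} {dport}")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in detect(SAMPLE_LOG).items():
        print(src, "->", "; ".join(notes))
```

On the sample lines the script reports the sweeping source and the source repeatedly hitting port 3389, and stays quiet about the single stray deny and the allowed web request. Real monitoring adds time windows and allow-lists for known scanners (the city’s own vulnerability scanner, for instance), but the two counters above are the core of most “suspicious activity” rules.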

5. Create a documented network security policy.

While it’s great to solidify a lot of the technical underpinnings of your network, you also need to create a policy that documents both technical and non-technical network security requirements. That may include quality control related to network hardware (such as modernizing equipment on a regular schedule), requirements pertaining to authorized users and remote access, and both proactive monitoring and testing of your network to eliminate as many security threats as possible.


Just as you lock the doors of city hall at night, you need to lock the doors of your network. By assessing your network security, adding the “locks,” and rigorously monitoring it, you’ll greatly lessen the chance of a cyberattack compromising your city.

Questions about your network security? Reach out to our municipal IT specialists today.

Thursday, September 29, 2016
Dave Mims, CEO

In the midst of worrying about cybersecurity threats from viruses and hackers, it’s easy to overlook security risks from the way you manage vendors and contracts. You think, “Hey, I’m paying legitimate businesses to oversee my IT needs—and I’ve got a contract with them. What’s the worry?”

There’s plenty of worry, actually—especially if you haven’t evaluated your vendors or vendor management process in a while. Here are some tips and best practices to help you shore up this overlooked security risk.

1. Perform a vendor inventory.

It’s good to collect and centralize as much information about your vendors as you can. Make sure you’re clear on:

  • Total number of vendors.
  • What services those vendors provide. (Look for vendors that provide duplicate services.)
  • Where those vendors operate.
  • Total cost, frequency of payment, and predictable/unpredictable billing.
  • Contracts, support agreements, and warranties.

Just performing a simple inventory may surprise you. For example, you may find that a vendor is wildly unpredictable in their monthly billing or that a certain vendor hasn’t been living up to a support agreement.

2. Review all contracts.

This may seem like an obvious best practice, but many aspects of contract review are often neglected in organizations. A contract should clearly spell out:

  • A Service Level Agreement that details services rendered.
  • Requirements for any technology-related project.
  • How a product customized to your city specifically helps solve a business problem.
  • Support that’s included in the price.

If you haven’t reviewed existing contracts in a long time, then take time to go through them. Look for gaps between what the contract says and the services you’re receiving. From this point forward, make sure (in addition to your city attorney) that you have a business stakeholder and an experienced technology professional evaluate all new vendor contracts.

3. Renegotiate contracts, if possible.

After reviewing your contracts, you may notice some anomalies. Perhaps you’re getting way overcharged for a service. Maybe one vendor hasn’t upgraded their software or service model for many years. If you have doubts about any particular service, then shop around. You may just find that a cheaper and/or higher quality service exists that would benefit your city. If you still want to keep a vendor, then you may be able to leverage market knowledge to renegotiate your pricing or get the vendor to provide more services.

4. Overhaul your vendor evaluation process.

We wrote a post about IT procurement a few years ago that covers the following best practices:

  • Spend time defining what you need. (Also known as “requirements.”)
  • Shop around and know your industry. (This helps you benchmark pricing and services.)
  • Know your government pricing. (No need to pay full price, right?)
  • Don’t just settle on the lowest price. (Many cities still evaluate IT in terms of pure cost, which is a big mistake.)
  • Look out for indirect costs. (For example, some vendors claim to provide 24/7 support or an easy installation—but the fine print says otherwise.)

During an RFP or RFI process, follow a series of steps that help you select the best vendor. Business stakeholders and IT professionals need to work together to evaluate all aspects of a vendor: financial stability, the ability to deliver quality services, the relevancy of the solution, and pricing. A poorly chosen vendor can introduce security risks of its own.

5. Hire IT professionals to manage vendors.

Once vendors are vetted, paid, and serving you, you need a third party with a deep knowledge of information technology to oversee vendors. Busy, non-technical city staff can easily overlook issues with vendors such as security concerns, performance problems, and adherence to a contract. And even the best technology vendors often have difficulty working with non-technical staff about major issues. IT professionals will be able to communicate with vendors more efficiently while also warding off major problems and security risks.

By following these steps, you will make a lot of progress toward eliminating security risks related to vendors and their contracts. Going through these steps is also a great exercise in transparency, finding potential cost savings, and ensuring higher quality services at your city.

Questions about managing your technology vendors? Reach out to us today.

Thursday, September 15, 2016
Nathan Eisner, COO

In part one of this two-part post, we talked about how cities can better comply with the law through a set of information security best practices. Now in part two, let’s look at how specific policies help cities with compliance.

Technology alone won’t protect cities. Clear, detailed policies document important rules, procedures, and guidelines to help you comply with federal, state, and local laws.

So, what kinds of policies do you need? Generally, they will fall into two main areas. For this post, we are using the structure of Arkansas’s Legislative Audit guidelines as a way to discuss policies that are relevant to all cities.

General Controls

The Arkansas Division of Legislative Audit defines general controls as “mechanisms established to provide reasonable assurance that the information technology in use by an entity operates as intended to produce properly authorized, reliable data and that the entity is in compliance with applicable laws and regulations.”

The key here is that your city’s technology works properly and correctly while complying with the law. Overall, it helps to create an operational policy and procedure manual for your information systems that accounts for:

  • Contract / Vendor Management: Your policy should require clear, consistent contracts with all vendors along with procedures to enforce and review contracts on a regular basis.
  • Network Security: This policy should address all information security risks through your network and how your city mitigates those risks such as through monitoring, antivirus software, restricting user behavior, and procedures in case a security breach occurs.
  • Wireless Network Security: Make sure your policy covers the encryption of wireless data along with proper wireless network usage and access. The policy should specifically address wireless security related to employee laptops and mobile devices.
  • Physical Access Security: People should not have unauthorized access to machines storing electronic information. Your physical access security policy will define who has authorized physical access to equipment and how they access it.
  • Logical Access Security: Wikipedia defines logical access controls as “tools and protocols used for identification, authentication, authorization, and accountability in computer information systems.” Basically, this specific policy ensures that only authorized people have access to your city’s information.
  • Disaster Recovery / Business Continuity: This policy describes what happens in the event of a disaster (from a server failure to a major disaster like a tornado) and how you plan on continuing to access your city’s electronic information after such a disaster.

Application Controls

The Arkansas Division of Legislative Audit defines application controls as “[relating] to the transactions and data for each computer-based automation system; they are, therefore, specific to each such application. Application controls are designed to ensure the completeness and accuracy of the accounting records and the validity of the entries made.”

In other words, cities want to make sure that applications such as accounting software correctly receive, store, and deliver the right data. Policies related to application controls include:

  • Data Input: This means exactly what it says—a policy related to how data is inputted into software applications.
  • Data Processing: This policy should cover how data is processed once entered into the system so that you lessen the risk of data errors—whether that data is manually or automatically processed.
  • Data Output: This policy should cover the accuracy and security of data that is delivered to an end user—covering everything from accounting software data that a city employee sees to online payment information that citizens may view on a city’s website.
  • Application Level General Controls: This policy covers security, configuration, and contingency planning related to applications.

While Arkansas may require cities to implement these kinds of policies as part of its legislative audit, it’s a good idea for all cities to adopt policies like these. They cover the essentials of information systems and greatly help to reduce risk and liability. Plus, such documentation leads to a much more well-run IT department and helps with transitions (such as IT staff retiring or a new IT vendor getting hired).

Miss Part One of this post? Read it here.

Does your city lack the information systems policies that would reduce its risk? Reach out to us today to talk about policy in more detail.
