In Part One, we talked about warning signs such as lack of data backup, aging hardware, and non-technical staff handling IT issues. In Part Two, we discuss five more warning signs that may lead your city toward a disaster.
One of the most overlooked security risks is simply not
knowing the total amount of hardware and software you own. And even if you do
know that you own something, you may not know where it’s located. You can only
secure what you can locate.
Disaster: On a
two-year-old spreadsheet that lists 20 laptops, you can only track down the
location of 17. You had not updated this spreadsheet in a while and you are not
sure if a former employee walked off with the laptops. Because the laptops
contained sensitive information, you may have a potential data breach on your
of asset management includes monitoring and maintaining any “live” hardware,
software, and networking equipment. If you’re not using an asset anymore, then
it needs to be decommissioned by an IT professional. Asset management also
includes technology-related warranties, licenses, and upgrades.
Imagine someone arrived at your house every week to make
continual bare bones fixes to your roof, floors, or plumbing. You barely keep
leaks, pests, and the outside elements at bay. Would you consider that a proper
home? Instead, if a major problem occurs then you likely eliminate it once and
for all by addressing the root cause. Yet, many cities put up with reactive IT
support that never fixes the root cause of serious problems.
After a lot of publicity, you offer a new payment system on your city’s website
for citizens. Within weeks of its debut, the website continually crashes. For
months and months, your reactive IT support vendor makes temporary fixes but
the root problem keeps occurring. Citizens grow frustrated and complain to city
council about wasted taxpayer dollars going to online services that don’t work.
Ongoing, proactive IT support not only more quickly addresses technology issues
but it also involves IT professionals implementing modern technology and best
practices to eliminate issues before they occur. In the case of our website
example, a proactive IT support team might upgrade an aging website or revisit
what vendor hosts the website.
Network hardware helps ensure that your technology is
secure, connects you to the Internet, and ties together technology between various
city buildings and departments. When IT professionals don’t oversee the setup
of firewalls, switches, routers, and other networking equipment, then you can
open yourself up to major security threats.
non-technical city employee buys a firewall and sets it up. While the employee
has a bit of amateur technology savviness, they improperly configure the firewall.
Ports are open that allow hackers to easily gain access to city servers and
Trained IT professionals need to configure all network hardware so that it
works properly and keeps you secure. Then they need to monitor, maintain,
upgrade, and replace network hardware as part of your ongoing technology
While related to the reactive IT support point above, this
problem still often appears even when some “proactive” IT vendors serve cities.
Technology monitoring and maintaining includes patching, upgrading, and threat
employee keeps complaining that their computer has gotten slower and slower and
slower over a period of six months. The IT vendor checks some type of
diagnostics and says things look fine. They even suggest that the Internet
service provider might be having issues. One day, the employee clicks on a
malicious website by accident and gets a virus that leads to a data breach.
After a virus cleanup and audit, an IT professional notices that the computer
had not been patched in six months—including various important security patches
that would have prevented the virus from getting accessed or downloaded.
Ongoing patching, upgrading, and threat monitoring allows IT professionals to
detect anomalies and address problems before they become disruptions. Keeping
technology updated often fixes major security and functionality issues.
Servers in offices where anyone can wander in. Computers
left on so anyone can sit down and access sensitive information. Wireless
routers left out in the open. These are signs of weak physical security for
technology. Often overlooked in lieu of information security, data breaches
related to physical security are just as important to prevent.
After hours, a disgruntled employee sits down at another employee’s computer to
steal confidential personnel information about staff on the city’s payroll. The
data breach is later deduced through security camera footage.
recently talked at length about physical security policies. At a high level, you need to lock up core
technology (such as servers and networking equipment) in secure rooms, escort
any visitors, and require employee computers to lock after a few minutes and
request a password to log back in.
Use these 10 warning signs (including those from Part One) as a self-assessment to see if
you’re headed for a disaster. If you notice any weak points, don’t wait to fix
them. Waiting until a technology disaster is like leaving your door unlocked at
home or going without car insurance. The costs of a technology-related disaster
at a city can seriously harm your operations, employees, citizens, and bottom
Reach out to us today if any of these warning signs worry you.
until a disruption or disaster should not be the moment when you take action.
Think about how you act proactively when dealing with many aspects of your life.
technology at a city often gets treated like a beater car you’re driving into
the ground, a person never exercising and eating whatever they want, or a house
that you just let decay and rot over time with minimal upkeep. Why?
times, we see cities only take action when a disruption or disaster hits.
That’s way, way too late. Let’s look at some scenarios that might strike a
chord with your city. If any of these scenarios speak to you, then you need to
If you have
data backup and you’re not regularly testing it, then you may be in for a
Disaster: Your city has some kind of data
backup process but rarely or never tests it. A server fails containing all of
your financial data. You grab your tape, external hard drive, or other form of
data backup and attempt to restore the data. It doesn’t work. It’s gone.
Prevention: Every city needs a combination of
both onsite and offsite data backup to recover from both small events (like a
server failure) and bigger disasters (like a tornado). Then you need real-time
monitoring to identity issues and (at a minimum) test your data backup quarterly.
cities still find themselves in situations where a third party webmaster is the
only person with knowledge about the city’s website hosting. Another common
situation is when the city surprisingly learns the vendor is no longer
available or not even there.
Disaster: A webmaster gets angry at the city
and holds the website hosting information hostage. The city cannot access its
website on the back end to make changes or regain administrative control. In
this situation, the angry webmaster could even shut the website down.
Prevention: IT professionals can help cities
acquire and manage a city domain name, set up website hosting with a reputable
service provider, and give administrative access to authorized city staff to
avoid “hostage” situations.
long-lasting physical assets, technology assets often have relatively short
lifespans. Hardware and software often needs replacing every three to five
years because it gets old and outdated, is no longer supported by the vendor, and
Disaster: A 15-year-old server critical to
running city operations fails (such as your accounting and financial system).
Prevention: Cities need to follow a hardware
and software lifecycle management policy that mandates modernizing technology
(such as upgrading servers at least every five years).
consumer-grade antivirus software isn’t adequate for protecting a city. Plus,
it’s often “maintained” by individual employees who don’t keep the software
up-to-date on their computers.
Disaster: An employee clicks on an email
attachment that seems like it comes from their boss. Because the antivirus
software hasn’t been updated for a few months, the email attachment initiates a
virus that gives a hacker access to sensitive city information. A massive data
Prevention: Cities need enterprise-grade
antivirus software that’s monitored and maintained by IT professionals. This
ensures that it’s always up-to-date and preventing as many virus threats as
As a way for
cities to save money and quickly handle operational items, non-technical
employees sometimes step in to handle IT problems. But that lack of expertise
makes their actions risky and dangerous—even if they have good intentions.
Disaster: A non-technical employee sets up a
wireless router incorrectly. Through the security holes in the router, a major
data breach ensues when hackers are able to access confidential information on
the city’s network.
Prevention: Trained IT professionals need to
handle the intricacies of technology—from data backup to configuring hardware
such as a wireless router. Just because you can buy consumer-grade equipment
from a retail store doesn’t mean that it’s appropriate for your city.
In Part 2,
we’ll talk about five more disasters that are waiting to happen. If you feel
vulnerable and you don’t want to wait to fix these vulnerabilities, then reach out to us today.
your city relies on applications to perform various jobs. Your employees may
use basic applications such as a web browser or a word processor to perform
common tasks. Other people with more specific duties may use specialized
applications such as accounting software or a records management system.
what kind of application you use, the security of that application must be rock
solid to avoid a data breach. Never simply assume an out-of-the-box application
is secure or that a software vendor has made the right security choices for you.
While application security is a complex topic, we present five important areas
that your city must consider with its policies.
even includes what your software application vendors may access. Just because
they sold you accounting software doesn’t mean that the vendor’s employees can
look at all of your city’s payroll data. Work with your IT staff or vendor to
oversee user access and authorization—including for third party vendors and
necessary, you need applications to encrypt data. Even a basic web browser
should encrypt web pages containing sensitive information. When creating
documents and reports (such as PDFs), an application should allow you to encrypt
particularly sensitive information so that unauthorized users cannot read it.
And of course, any sophisticated application dealing with financial, public
safety, or other sensitive and confidential data needs encryption.
A chain is
only as strong as its weakest link—and that is true of applications. It doesn’t
matter if your financial application’s security is airtight. If it’s connected
to another application within your city or to a third party application, then
security holes within those other applications and increase the risk of a data
breach for your application. Make sure your IT staff or vendor assesses where
your applications are connecting and ensures that your information is treated
with the same care when it’s exchanged with another party.
a citizen getting access to an application through your website or an
entry-level employee accessing basic information to do their job, those people should
not be able to destroy or disrupt applications. For example, let’s say an
employee accesses a part of your document management system to “view” the
employee handbook to see information about paid time off or sick leave. Since
they only have “view” rights and privileges, they should not be able to delete or
make changes to the document such as increasing the city's paid time off or sick leave policies. Only
the person with “edit” (or greater) rights should be allowed to alter the
document. And only trained IT professionals and software vendors with
authorization should be able to access the “guts” of your applications to
configure and administer them.
Many of your
applications not only store sensitive data but also help run your city
operations. First, you need a plan to back up your data so that it’s not
forever lost. You can accomplish that through a data backup plan that includes
both onsite data backup (for quick time to recovery after an onsite incident)
and offsite data backup (for disaster recovery). Second, and just as important,
is your business continuity. Some applications—such as your public safety
software or city’s website—may serve such a critical role that you need them up
and running within minutes or hours after an outage. Your application security
policy needs to outline the minimum length of an outage for each application
and a plan for restoring functionality in case of a disaster.
applications often form the lifeblood of a city. Many operational activities
and citizen services are conducted through applications. Because they store and
share such sensitive data, you need to protect those applications. Strengthen
the five areas we discussed above and document your high standards in an
application security policy for your city.
about your application security? Reach
out to us today.
most cities use a form of software for accounting activities. But imagine if your
entire city accounting system is run on a bunch of simple electronic
spreadsheets. You open one up and start entering data. What could go wrong?
just thought about many things.
goodness you have that accounting software instead of a bunch of spreadsheets.
Yet, the Arkansas Division of Legislative Audit reports that “data integrity”
is the number one information security issue they found in the audits they
performed. They define data integrity as the “ability of employees to change
receipt or disbursement information after issuance or to edit or delete records
without proper approval.”
despite using software in many cases, cities still struggle with data integrity
issues like the ones that could happen in a simple spreadsheet. Let’s look at a
few ways to assess, fix, and overcome some common data integrity issues.
state requires an audit or not, it’s helpful to audit your financial systems to
identify data integrity issues. An experienced third party can evaluate overall
processes and issues with who may input, change, and delete data. On a technical
level, the auditor should also look at the underlying rules, code, and logic
that allow for data input.
something will come up in the audit that needs fixing. You may also find that
the auditor recommends modernizing with a new system (especially if an older
system lacks appropriate data integrity measures). Arkansas doesn’t mince words
when it says, “We recommend that application users work with the application
vendor to modify the software to include the data input edits that would
eliminate vulnerabilities.” Whichever route you go, work with experienced IT
professionals and application vendors to oversee any fixes, changes, or implementations
of new applications.
fixing your current application or using a new application, you want to ensure
that it has the proper controls and processes in place to prevent the chance of
data input errors or fraud. For example, once paychecks go out, an employee
shouldn’t be able to change payroll data after the fact or delete the record of
transaction—such as issuing a payment or deleting a record—must require a
higher-level access to accomplish. Too many systems allow any employee at any
authorization level to make changes. That increases the chance of major errors
and increases the risk for fraud. Exceptions will happen, but those exceptions
need to be inputted by authorized people with higher-level access and logged.
day-to-day data input risks lower data integrity if fields aren’t set up and
restricted in appropriate ways. For example, in a payroll application you may
reduce errors if:
integrity is an overlooked area of security. You’re typically on the lookout
for hackers and data breaches, but a lack of data integrity—missing
information, no controls over data, and making it easy to change or delete
data—can sneak up on you and lead to serious problems. Don’t wait until an
audit to find these issues. Address them by taking a hard look at your current
applications with a trained third party and fix any issues that you find.
this three-part series about application policy and security addresses input, processing, and output. You can
use these three articles as a checklist to see if you’re matching up to data
security best practices.
about data integrity? Reach out to us today.
As a follow-up to my post about data processing, this post discusses data output. For those who are not data-savvy or immersed in the world of data, it might seem like output is just output, right? No need to worry about output if you do input and processing correctly, right?
case! Data output offers up some unique security risks and challenges that you
need to fend off. Here are a few data output areas to assess.
output gets seen or delivered to a person—whether it’s city staff looking at a
paper report or a citizen using your city’s website—that data must not reveal
confidential information. For example, it should never be easy to see a social
security number online with only a few data inputs. Or, personnel records
should not be made available in a paper report that may get passed around to
unauthorized people. Place controls over who sees outputted data.
employees and citizens who need to see certain information, data output needs
to be highly available. That means your hardware and software needs to perform
at a high standard. Lack of availability to data affects the jobs of your
employees and interferes with citizen services (such as paying property taxes
Ever run a
report and get a spreadsheet full of gobbledygook and unstructured, unformatted
data. Outputted data is not helpful if it can’t be read or interpreted. The end
result of data input and processing must be understandable and usable. Work
with your software vendors and IT staff or vendor to ensure that you receive
data output in a digestible, user-friendly form.
our suggestions for data input and data processing, it’s always a good idea to
monitor data output. Not only do you help quality control by detecting errors
and anomalies but you also stay alert for security risks and breaches.
to security and usability, cities must also ensure that they comply with all
federal and state laws. This includes laws that balance privacy (such as
keeping personal information like social security numbers private) with freedom
of information. Data breaches can occur and lead to fines and lawsuits when
outputted data gets in the wrong hands as a result of careless policies and
these best practices, it’s clear that a few patterns emerge.
about securing your data? Reach out
to us today.
processing is a complex topic involving lots of technical know-how. Experts
have written books about it and IT professionals spend their entire careers staying
up on its developments. For this post about data, we’ll focus on a few key
critical data processing concepts that especially impact security and need to
be addressed in your application controls policy.
your data processing is the bridge between your data input and output. Now
let’s look at some important data processing aspects.
record all electronic information about transactions that take place within an
application. For example, you may enter payroll information each week into your
accounting application for each employee. Each completed set of data that you
input for each employee counts as a transaction if the data is processed
between, for example, your system and a bank.
logs must match what are known as “source documents.” For example, payroll
information may originate from a timesheet (either on paper or sent electronically).
If the timesheet and the paycheck doesn’t match, then there may be a
transaction error. Experiencing many transaction errors may indicate a problem
with your application or with the way your employees are using it.
note incorrect information, incomplete information, and errors about
transactions. It’s important to run these reports for your most critical
applications to make sure that transactions are accurate. For example, edit
reports are useful when you’re sending out paychecks, tax information, or
utility bills. You can then note any errors and make fixes before officially completing
are designed to accurately capture information and ensure high data quality.
Your override procedures need to be strict and for exceptions only. Don’t abuse
an override function just to get around inconveniences. In addition, and as a
security precaution, it helps to monitor overrides along with all other logging
information to look for patterns and possible security violations.
In case of a
power outage, a data interruption, or lags between different applications, your
applications need to reconcile inputted transactions with your database. For
example, if 10 users submit utility billing information onto your website while
you’re having a server outage, those 10 transactions should reconcile to your
database once your server is back up. Also, reconciliation applies from an accounting
perspective. You need reconciliation processes in place to ensure that your
general and subsidiary ledgers match up.
IT professionals should monitor everything related to your data processing such
processing policy needs to be reviewed by business and application stakeholders
to make sure you are complying with the law and using best practices. In a
future post, we’ll look at data output—the final stage of data after it’s
inputted and processed.
about the security of your data processing? Reach out to us today.
true, I had a flash of insight during a recent experience renovating a bathroom
in my house. As with any project (just like technology), I’ve experienced both
little issues and big issues along the way. However, the two biggest issues
occurred when I ordered a sink and when I experienced a big leak. In hindsight,
these two experiences jumped out at me because they clearly paralleled the many
stories I’ve heard from cities about good and bad IT vendors.
look at the bad experience—and see if you can relate.
this sink before the contractor started working on the renovation. So just to
be doubly and triply assured that the sink would arrive on time, I ordered it
online from a large home improvement store more than three weeks before the contractor would arrive. The store gave me a
delivery date of one week from the time I ordered it. “Good,” I thought.
“That’s about two weeks before the contractor gets here. And that gives me two
weeks of buffer time in case anything goes wrong with the delivery.”
delivery date came and went. No sink.
contacted the store about the issue. I could not reach a human. Instead, the
store ignored my emails and voicemails.
passed. No sink. No answers from the store. No communication from the store. I
still couldn’t reach a human being to get an explanation of the problem and how
it would get addressed.
passed. The contractor started work. Still no sink!
By this point,
I did receive a couple of very vague and generic emails from the store about
the sink. Basically, all they could tell me was, “We’re looking into it.” No
estimated time of arrival. No set expectations. And no follow up.
got to my boiling point and started calling supervisors, managers, and even the
store’s corporate office. Finally, a human being talked to me. Yet, still no sink ever arrived!
conversation with the corporate office produced no sink, I cancelled my order.
This store lost my business and I bought a sink from a competitor.
vendors make these kinds of mistakes when serving cities.
Now let’s look
at what could have been a disaster in my house and see how a professional turned
a crisis into an example of amazing customer service.
Keep in mind
that my house is 75 years old. As a result, this renovation involved tearing
the bathroom down to the studs. On the contractor’s first day, he focused on
redoing some plumbing and wrapped up the day without incident.
evening, I walked into the bathroom to inspect the progress and found a pipe
spewing water everywhere. After some quick triage to contain the water, I
called the contractor in a panic. Remember my story with the sink and imagine
if that large home improvement store were on the other end of the line!
here’s what happened:
the contractor and his crew arrived bright and early the next morning just like
they promised. After briefly explaining the problem to me, he completely fixed
the leak within two hours.
the difference? Values that I hold dear as an IT professional.
it’s redoing a bathroom or serving a city’s technology needs, issues will
always crop up. That’s why you need the right IT vendor—one that is responsive,
communicative, and results-driven. And you know they’re good when they manage
even earth-shattering crises—the equivalent of a major leak—with calm
Looking for a municipal IT partner who is responsive, communicates, and delivers results? Reach out to us today.
when the worst happens? As an important city policy that should not be
neglected, a disaster recovery and business continuity policy outlines how to
recover electronic data after a catastrophe. Because cities cannot predict when
a disaster such as a fire, flooding, or tornado will occur, it’s essential that
a disaster recovery plan is in place.
So what do
you need to cover in your policy? Here are five essential elements to help get
data volume and priorities may be different. It helps your policy if you
outline risks specific to your city such as:
probably the most important aspect of your disaster recovery and business
continuity policy. What exactly will you do when a disaster strikes? You will
want to outline:
words, who will do what? You have multiple people who need to be clear about
their roles. Focusing on people, processes, documentation, and a plan helps
everyone become aware of their roles. And you must prepare for the worst
because, sadly, not everyone may make it through a disaster event.
Any sound disaster
recovery plan needs onsite and offsite storage capabilities.
Don’t be the
city that sets up a wonderful data backup and disaster recovery solution—and
then never test it. How do you know it will work? Your policy should include
regular testing. Quarterly is ideal, but annual should be an absolute minimum.
IT professionals should also regularly monitor your data backups to look for
problems, errors, and data corruption.
find that reviewing these elements helps them realize they need to upgrade and
modernize their data backup and disaster recovery solution. Common weak areas
usually include no offsite data backup, manual (instead of automated) data
backups, and a lack of IT professionals overseeing data backup. While creating
a policy, you want to make sure you can carry out the most important aspects of
effective disaster recovery and business continuity.
about your disaster recovery policy or solution? Reach out to us today.
We’ve recently talked about many kinds of security—physical, wireless, and network. Now we come to “logical access security.” What does that even mean? It’s a technical term that’s actually quite simple to define.
physical security, you’re physically preventing people from accessing equipment
that stores sensitive information. With logical security, you’re electronically
preventing people from accessing sensitive information. In other words, logical
access security is all about the security of information accessed 100% in the
physical security, you can’t lock bits and bytes behind doors. So how do you
lock your electronic information down? Here are four important areas where you
access electronic information through passwords. Just think about what you
access every day with a password: your email, your software applications, or
your online website applications. Unfortunately, many organizations have
extremely weak password policies that leave the door open to hackers and
You need a
password policy that includes:
At the IT
administration level, you need experienced internal staff or a vendor to manage
and monitor user accounts. It’s at the administrative level that IT
professionals—following your city’s policies—will assign new user accounts,
make changes to user accounts (such as assigning new passwords or updating access
privileges), delete user accounts, and watch for any unauthorized user access.
If no one performs this monitoring and maintenance on a regular basis, then you
risk unauthorized users (such as ex-employees) using your systems and accessing
No, we don’t
mean making an employee sit in the corner! Timeouts are when a computer gets
locked for a period of time (such as 15 minutes) as a result of policies that protect
against unauthorized access (such as hackers). After the period expires, the
user can then attempt to log back into their computer. This requirement
especially helps with computer security in an office where someone could easily
sit at another person’s computer and steal information. With a timeout policy,
you can make sure computers are more inaccessible to unauthorized people
regardless of whether those people are physically present or somewhere across
We’ve written more extensively about logging in the past, so we’ll just summarize a few high points here. Basically,
logging is a technical activity that IT professionals conduct to both diagnose
issues and document who accesses your data. For security, logging is important
to track things such as suspicious web surfing activity or users remotely
accessing your data. Without logging, you may not know if unauthorized users
are viewing or stealing sensitive information until it’s too late.
As you can
see, logical access security is...well, quite logical. We’re sure Star Trek’s Dr. Spock would agree! By
locking down your electronic information as well as your physical technology
equipment, you mitigate the risk of hacking attempts, data breaches, or stolen
about your logical access security policies? Reach out to us today.
In the world
of bits and bytes, the act of stopping hackers and preventing unauthorized
access to data can seem like the highest information security priority. But
physical security of electronic information is just as important—and often
overlooked. It’s not uncommon for organizations to spend lots of time on
information security only to leave rooms with servers and workstations
unlocked—allowing anyone to wander inside.
a smaller city—needs physical security for its onsite technology. Don’t make it
too easy for a disgruntled employee or member of the public to damage or access
information from a server or computer. Your liability greatly increases when you
lack good physical security for your technology.
So what do
you need to do? Physically lock down and prevent unauthorized access to your
technology through the following best practices.
cases, this will be a room with servers that contains some of your city’s most
critical information. You need to house any machines with sensitive data in
a locked room. For example, that means not housing servers in an
office where employees sit at their desks. Employees should only access a
server room through some kind of barrier (or locked door) via a key, key fob,
or key card.
authorized people should access any rooms with servers or other sensitive
electronic information. Create clear policies that outline which employees,
contractors, vendors, and visitors access these rooms. You also need policies
about how you terminate access so that ex-employees or former contractors can’t
continue to enter these rooms.
We all make
mistakes. But with physical security mistakes, you need policies that mitigate
risks from any possible data breaches. Let’s say someone misplaces a key fob
and it might get into unauthorized hands. Your policy may outline procedures
for deactivating the lost key fob, which is much quicker and easier than changing
the locks on a door.
to controlling how people enter and exit rooms containing sensitive technology,
think about the following physical access procedures:
In case of a
disaster, you want to have important physical security protections in place
Taken as a
whole, these best practices will lock down your technology and make it
difficult for a physical data breach to take place. Plus, these best practices
also help with non-human disasters such as fire, flooding, or power outages.
Questions about your technology’s physical security? Reach out to us today.
Our Focus | Products | Resources | Company | Contact | Sitemap | Login
© 2009-2017 Mimsware Corporation, all rights reserved. Sophicity®, "We put the IT in City”, and the Sophicity logo are registered trademarks of Mimsware Corporation d/b/a Sophicity.