In the world
of bits and bytes, the act of stopping hackers and preventing unauthorized
access to data can seem like the highest information security priority. But
physical security of electronic information is just as important—and often
overlooked. It’s not uncommon for organizations to spend lots of time on
information security only to leave rooms with servers and workstations
unlocked—allowing anyone to wander inside.
a smaller city—needs physical security for its onsite technology. Don’t make it
too easy for a disgruntled employee or member of the public to damage or access
information from a server or computer. Your liability greatly increases when you
lack good physical security for your technology.
So what do
you need to do? Physically lock down and prevent unauthorized access to your
technology through the following best practices.
cases, this will be a room with servers that contains some of your city’s most
critical information. You need to house any machines with sensitive data in
a locked room. For example, that means not housing servers in an
office where employees sit at their desks. Employees should only access a
server room through some kind of barrier (or locked door) via a key, key fob,
or key card.
authorized people should access any rooms with servers or other sensitive
electronic information. Create clear policies that outline which employees,
contractors, vendors, and visitors access these rooms. You also need policies
about how you terminate access so that ex-employees or former contractors can’t
continue to enter these rooms.
We all make
mistakes. But with physical security mistakes, you need policies that mitigate
risks from any possible data breaches. Let’s say someone misplaces a key fob
and it might get into unauthorized hands. Your policy may outline procedures
for deactivating the lost key fob, which is much quicker and easier than changing
the locks on a door.
to controlling how people enter and exit rooms containing sensitive technology,
think about the following physical access procedures:
In case of a
disaster, you want to have important physical security protections in place
Taken as a
whole, these best practices will lock down your technology and make it
difficult for a physical data breach to take place. Plus, these best practices
also help with non-human disasters such as fire, flooding, or power outages.
Questions about your technology’s physical security? Reach out to us today.
In our last post,
we talked about network security policy but left wireless security for this
post. It’s not uncommon to see a city overlook the importance of wireless
security. Partly, that’s because it’s easy to treat wireless devices the way
you would at home—buy a wireless router, unbox it, plug it in,
power it on, connect your devices, and go.
surprisingly, technology audits often show that cities have open wireless
access points that make it easy for hackers to access a city’s network. If
wireless devices are not configured, secured, and properly monitored and
maintained by IT professionals, then they can pose major security risks for
considering a wireless security policy, you need to account for the following
You’re not a
home or a small coffee shop. You’re a city. People shouldn’t be able to hop
onto your wireless network without a password and start getting on the
internet. In fact, no unauthorized user should have access to your city’s
wireless network. At the very least, you need to:
visiting city hall or an unauthorized employee wandering through a hallway
should not have access to a city’s wireless device. Yet, many cities often have
wireless access points sitting in the open. These devices are easy to steal,
damage, or reconfigure. To remain safe, any physical wireless hardware needs to
be secured (such as in a locked room or a cabinet accessed only by a key or key
fob) similar to how you would secure servers or your network infrastructure
runs on software that needs to get regularly updated with patches and upgrades.
Bugs, security holes, and performance issues get fixed by these patches and
upgrades. If your city hasn’t applied these updates in a while, then applying them is a
priority in order to make these wireless devices as secure as possible. Ongoing wireless
patching and upgrading should then become a regular part of your technology
create an inventory of your existing wireless devices. What kind of equipment
are you using? If it’s consumer-grade, then you’re at a big disadvantage.
Business-class wireless hardware is more secure, provides better coverage
throughout your buildings, and scales better with your city if you need to
add more users. Your wireless security policy should set a minimum requirement
for your city to use business-class hardware with configuration performed by IT
As part of monitoring
and maintaining your network infrastructure, you need to also monitor and
maintain your wireless network. Activities include:
strong wireless security policy that applies the best practices above, you’ll
shore up this often weak security hole at your city. Wireless access is a
convenient, efficient way for employees to access the internet. Make sure that this
access remains safe and secure.
about your wireless security? Reach out to us with any questions.
understand the importance of network security, imagine your technology like it’s
city hall. Inside city hall, you have people, offices, hallways, and assets
like furniture, office supplies, and computers. To gain access to the inside,
parts of city hall may be open to the public—like the unlocked front door from
9-to-5. Other parts may be off-limits directly (such as a locked door) or
indirectly (such as a security officer or a sign that says “keep out”).
on your security setup, unauthorized people may or may not have access to
sensitive information within city hall. Network security works similarly by
preventing unauthorized electronic access to your sensitive information.
understand your network better we’ll define some terms that you may have heard
your IT staff or vendor mention to you.
your network needs to have the right, properly functioning and configured equipment
to keep you secure. Here’s how to get your network security optimized for your
your network security, you need to first identify everything that makes up your
network—computers, servers, switches, routers, firewalls, etc. This
assessment should include non-technical insights (such as information gaps
about what’s on your network) and technical insights (like scans for security
vulnerabilities on existing equipment). Overall, you’re looking for any
security holes that could open you up to a cyberattack.
there are many ways to enter city hall (some legal and some illegal), there are
also many ways to access your network. You’re essentially looking to add locks
to any unlocked doors that you discovered in your network security assessment.
Examples of locking down access points include:
network device configuration (such as using default settings or creating weak
passwords) can leave your city open to security risks. For example, a firewall
contains many ports (or doors) that open up your network to the outside world.
If you leave certain ports open, you could be introducing major security risks—similar
to leaving a city hall door open at night. Even switches and routers can become
security risks if improperly configured. Make sure you have trained IT
professionals set up and configure your network devices.
combination of automated software and trained IT professionals is needed to
monitor your network 24/7/365. Hackers and other unauthorized users are always
a threat to any network—no matter how “insignificant” you feel your network
looks to an outsider. Any city is a ripe target for hackers. When monitoring
network security, your IT staff or vendor will look for suspicious activity,
signs of outside hacking or cyberattacks, and security vulnerabilities in your
great to solidify a lot of the technical underpinnings of your network, you
also need to create a policy that documents both technical and non-technical
network security requirements. That may include quality control related to
network hardware (such as modernizing equipment on a regular schedule),
requirements pertaining to authorized users and remote access, and both
proactive monitoring and testing of your network to eliminate as many security
threats as possible.
you lock the doors of city hall at night, you need to lock the doors of your
network. By assessing your network security, adding the “locks,” and rigorously
monitoring it, you’ll greatly lessen the chance of a cyberattack compromising your
Questions about your network security? Reach out to our municipal IT specialists today.
In the midst
of worrying about cybersecurity threats from viruses and hackers, it’s easy to
overlook security risks from the way you manage vendors and contracts. You
think, “Hey, I’m paying legitimate businesses to oversee my IT needs—and I’ve
got a contract with them. What’s the worry?”
plenty of worry, actually—especially if you haven’t evaluated your vendors or
vendor management process in a while. Here are some tips and best practices to
help you shore up this overlooked security risk.
It’s good to
collect and centralize as much information about your vendors as you can. Make
sure you’re clear on:
performing a simple inventory may surprise you. For example, you may find that
a vendor is wildly unpredictable in their monthly billing or that a certain
vendor hasn’t been living up to a support agreement.
seem like an obvious best practice but many aspects of contract review are
often neglected in organizations. A contract should clearly spell out:
haven’t reviewed existing contracts in a long time, then take time to go
through them. Look for gaps between what the contract says and the services
you’re receiving. From this point forward, make sure (in addition to your city
attorney) that you have a business stakeholder and an experienced technology
professional evaluate all new vendor contracts.
reviewing your contracts, you may notice some anomalies. Perhaps you’re getting
way overcharged for a service. Maybe one vendor hasn’t upgraded their software
or service model for many years. If you have doubts about any particular
service, then shop around. You may just find that a cheaper and/or higher
quality service exists that would benefit your city. If you still want to keep
a vendor, then you may be able to leverage market knowledge to renegotiate your
pricing or get the vendor to provide more services.
We wrote a post about IT procurement a few
years ago that covers the following best practices:
RFP or RFI process, follow a series of steps that help you select the best
vendor. Business stakeholders and IT professionals need to work together to
evaluate all aspects of a vendor for financial stability, the ability to
deliver quality services, the relevancy of the solution, and pricing. Bad
vendors will lead to possible security risks.
are vetted, paid, and serving you, you need a third party with a deep knowledge
of information technology to oversee vendors. Busy, non-technical city staff
can easily overlook issues with vendors such as security concerns, performance
problems, and adherence to a contract. And even the best technology vendors
often have difficulty working with non-technical staff about major issues. IT
professionals will be able to communicate with vendors more efficiently while
also warding off major problems and security risks.
these steps, you will make a lot of progress toward eliminating security risks
related to vendors and their contracts. Going through these steps is also a
great exercise in transparency, finding potential cost savings, and ensuring
higher quality services at your city.
Questions about managing your technology vendors? Reach out to us today.
In part one of this
two-part post, we talked about how cities can better comply with the law
through a set of information security best practices. Now in part two, let’s
look at how specific policies help cities with compliance.
Technology alone won’t protect cities.
Clear, detailed policies document important rules, procedures, and guidelines
to help you comply with federal, state, and local laws.
So, what kinds of policies do you need?
Generally, they will fall into two main areas. For this post, we are using the
structure of Arkansas’s Legislative Audit guidelines as a way to discuss policies
that are relevant to all cities.
The Arkansas Division of Legislative
Audit defines general controls as “mechanisms established to provide reasonable
assurance that the information technology in use by an entity operates as
intended to produce properly authorized, reliable data and that the entity is
in compliance with applicable laws and regulations.”
The key here is that your city’s
technology works properly and correctly while complying with the law. Overall,
it helps to create an operational policy and procedure manual for your
information systems that accounts for:
The Arkansas Division of Legislative
Audit defines application controls as “[relating] to the transactions and data
for each computer-based automation system; they are, therefore, specific to
each such application. Application controls are designed to ensure the
completeness and accuracy of the accounting records and the validity of the
In other words, cities want to make sure
that applications such as accounting software correctly receive, store, and deliver
the right data. Policies related to application controls include:
Arkansas may require cities to implement these kinds of policies as part of its
legislative audit, it’s a good idea for all cities to adopt policies like
these. They cover the essentials of information systems and greatly help to
reduce risk and liability. Plus, such documentation leads to a much more
well-run IT department and helps with transitions (such as IT staff retiring or
a new IT vendor getting hired).
Does a lack of information systems policies leave your city open to risk? Reach out to us today to talk about policy in more detail.
Over time, information security laws only
grow stronger. As information technology continues to mature, expectations grow
higher that cities will protect their data. When data loss occurs or sensitive
information is stolen, the financial and legal repercussions (along with the
public outrage) may increase.
Most laws center around protecting
sensitive information and ensuring that operational continuity occurs even if a
disaster hits. After all, cities are stewards of public information and use
that information to serve citizens. If a city neglects information security,
they’re not just passing over nice-to-have technology perks. They are
neglecting and compromising their very core mission.
In this two-part article, we’ll discuss
best practices in part one and then address policies in part two. Use this
checklist of best practices to begin assessing your information security.
Weak or no passwords remain one of the
biggest information security holes at most cities. Are you using one of the worst passwords, such as 123456, Password,
or qwerty? Do your employees write passwords down on sticky notes and attach
them in public view on their computers? Remember, hackers use automated
software to crack passwords. The easiest passwords will get cracked, even if
you consider yourself an unimportant target.
While antivirus software helps protect
your city against viruses, don’t forget that human error often leads to viruses
even if you install antivirus software. Hackers usually fool employees by
getting them to click on funny images, social media quizzes, and online games
on websites and social media. Email attachments with viruses also still work
when employees think they come from a legitimate sender (which is easy for
hackers to spoof).
A virus can really wreck your city by
corrupting, deleting, or stealing your data. Protect yourself with:
Cities with any uncertainty related to data backup need to immediately address
this problem. A data breach or information theft is really bad, but don’t
forget about the risk of permanent data loss. To run a city and serve citizens,
electronic information is essential. Losing data lessens trust between you and
Make sure you can perform onsite data
backups for quick recovery and offsite data backups to recover from theft or
Many cities neglect operating system and
software updates. These updates and patches are delivered by software vendors
to fix bugs and patch up security holes. Studies show that most cyber-outbreaks
can be prevented by keeping computers up to date—and yet most people ignore
messages on their computers about installing updates. Apply patches, ideally
with an IT resource overseeing the process. And because vendors eventually stop
supporting and patching applications, operating systems, and hardware when this technology
gets too old, you need to upgrade these items when they have reached that point.
Physical security remains one of the most
overlooked aspects of information security. It’s easy for a disgruntled
employee to steal or take data from a server or computer. And when you
decommission servers and workstations, be careful—those machines may still have
sensitive information on them if you don’t dispose of them correctly.
Make sure you:
People tend to check out your website
first when they want to learn more about your city—whether it’s exploring
tourist attractions, relocating their business, moving, or inquiring about city
services. Not only do people expect a modern website with fresh content but
they also expect it to be secure and safe. They trust you when they exchange
billing information or click on links. It doesn’t take much for a hacker to
deface a weakly secured website, steal people’s information, or shut that
To make sure your website is safe and
In part two, we’ll talk about some sample
policies that will help enforce and reinforce these best practices across your
Questions about the strength of your information security? Reach out to us today.
Cities face more
challenges than ever with video archiving. As an example, cities are capturing
greater amounts of squad car video and enormous amounts of body camera video
footage. Because of greater public safety scrutiny, more sophisticated body
camera technology, and new laws passed each year holding cities accountable for
retaining this footage, cities are understandably growing more worried and
concerned about their video archiving capabilities.
the dark side of these technology and legal requirements is that
budget-strapped cities struggle with video storage restrictions, costs, and
technology limitations. As a result, it’s tempting to take a shortcut with
video archiving or try to keep doing what you’re doing with aging, obsolete, or
post, we’ll look at seven reasons why you need to modernize the way you archive
your videos—before you run into critical operational or legal problems.
reach a point when your video archiving calms down and stays at the same level.
Your city will grow. You will add police officers. Better technology will help
you generate more footage. And think about it—your public safety department
never stops. You’ll never be able to pause or take a breath. Video constantly
comes in without pause. This situation will continually increase your video storage
needs over time.
Depending on your state,
you will need to legally retain body camera video footage consistent with a
specific law. That means you need a place to archive and retain it. Any risk of
data loss associated with body camera video footage may result in severe fines,
penalties, or lawsuits. Understand how long you need to keep specific footage
depending on the law’s requirements, and then use video archiving tools to help
you adhere to the law.
half the battle if you retain your video footage. After all, you can “retain” a
bunch of your belongings in a garage with no organization—and good luck finding
a power tool or a can of paint when you need it! But if you organize, label,
and structure the contents of your garage, you’ll be able to find and grab
something in seconds. A similar logic works with video archiving. Modern video
archiving tools help you organize your footage with the aim of making it easy
to find specific video when you need it.
paying a low cost for unlimited offsite video storage and retention? If you’re
constantly paying more money for additional storage or capping your total
amount of storage, then you need to look at more modern options immediately.
Storage costs have drastically decreased over the past few years. Yet, many
cities still shell out money for expensive storage because they use outdated
technology or haven’t challenged their existing vendor in a long time.
squad car and body camera video footage captures confidential, private, and
sensitive information, you need to secure the footage. No excuses. Old servers
or software may not have enough security precautions in place. Only authorized
users should access the data—and your IT staff or vendor should be able to
centrally manage this security. The information also needs to be physically
secure if stored on your premises.
with physical security above, you don’t want video footage stored in rooms that
are easy for anyone to access. Servers need to reside in rooms with proper storage
conditions such as air conditioning, ventilation, and a high standard of
cleanliness. If you feel unable to keep up such standards, then consider a data
center or cloud storage.
Data loss is
a nightmare—and even more so for video that includes squad car and body camera
footage. If uncertainty exists with your data backup, then take time to
evaluate your weaknesses. Ask yourself:
Cities—small or large—face a huge responsibility for their video. A
modern video archiving system that addresses all of the concerns above is
essential for meeting record retention laws and compliance requirements for video
footage. Otherwise, you’re risking data loss or theft that can lead to severe
legal repercussions. Thankfully, there is a low-cost video archiving option that
both modernizes your technology and addresses growing storage costs.
Questions about your video archiving? Reach out to us with any questions.
Each state law differs for body
camera records retention. Let’s take a quick look across some of the states we
Even as states continue to refine
video record retention laws as a result of greater public scrutiny, video data
storage growth will outpace policy changes. That means you need to be prepared. And that
preparation involves some technology investments and a few best practices.
You probably already know that
video files take up a lot of storage space. Multiply that storage space many
times over, with each officer and each squad car collecting new videos day by day,
and you’ll understand how quickly body camera video footage will eat up
your available storage space. You don’t want to get caught running out of available
storage space on your servers, or facing unexpectedly high charges and fees as
you procure more local storage devices (or increase hosted storage space).
Work with an IT vendor that offers
unlimited offsite video archiving to eliminate worries about running out of
storage space and rising costs as your video grows. Plus, the video data is
stored offsite so that it’s retrievable in case of disaster.
Obviously, if you store body
camera footage then you also need to find specific footage when you need it.
Similar to how a document management system helps you label and organize
documents, good body camera software will help you label and organize videos
for later use. Sometimes you’ll need to sift through hours of footage, looking
only for an important few minutes. Make sure that your video software allows
you to quickly and efficiently search for and retrieve information.
You need to adhere to state laws
and city policies for video record retention schedules. Ensure that you keep
footage for as long as you are required to, dispose of it at the right time,
and follow proper procedures. If you don’t comply, then you could get into a
lot of legal trouble when footage is requested and you don’t have it.
Body cameras capture a lot of
footage that needs to remain secured. A hacker exposing video camera footage to
the public might be disastrous to the privacy of citizens—and you might get
held liable if you did not invest in strong security. Body camera footage works
just like any other city record and needs to be treated as such. Internally,
not every city employee should have access to the video footage or be able to
copy it onto something like a flash drive. Your city needs clear security
policies about authorized access to body camera video footage and an IT vendor
that understands how to manage that security.
Last but not least, it helps to
use modernized technology if you are going to operate body camera equipment and
software. Even if the body camera hardware and software are modern, they may not
work well (if at all) with aging servers, computers, or operating systems.
Also, if your networking equipment (such as routers or firewalls) is not up to
the task, then you could have usability or security issues. Because body camera
video footage may soon become mandatory, it helps to think about modernizing
your technology infrastructure so that you can handle the demands of storing
and accessing lots of video.
Wherever your city is located,
it’s best to start thinking about body camera technology. It’s already here and
will become a standard part of police department operations. If you already
have body cameras, then is your technology up to the task of using them? If
you’re thinking about getting body camera technology, then what other
technology do you need to make sure it works properly?
Questions about how your technology can handle the demands of body cameras? Reach out to us today.
or participate in a pickup game with friends? You play by your own set of
rules. The game might start and stop randomly. You might lose track of the score.
But if you watch a professional game right after your pickup game, you’ll
notice everything that was missing. The rules, the framework, the organization,
and the professional capabilities of the players. While there is room for spontaneity,
a professional game is sleek and efficient—run like a machine, overseen by
officials, and aligned to professional standards.
The same difference
exists between having and not having information systems management best
practices in place. You may have experienced organizations where the
information systems feel more like a pickup football game rather than a
professional football game. It’s only fun until something gets out of hand—and
it seems like something always gets out of hand.
disciplined information systems management to reduce risk, improve operations,
and even help comply with legislative audits such as those that occur in the state of
Arkansas. Here are some best practices that can get you there.
helps to understand the state of your information systems. What do you have?
How old are your hardware and applications? What’s the state of your information
security? Are you backing up your data? Use one of our risk assessments as a starting point and make sure you take a close look at your:
your risks, you can focus on your city’s biggest problems first.
It’s easy to
overlook. Cities may chug along managing their information systems without
asking some key questions about everyone’s roles and responsibilities. Who does
what? Who is responsible for information systems? Who has access to
information? Who is authorized to grant access? What outside vendors have
access to information?
At the very
least, create a list of people and vendors along with their roles and what they
do. For example, a small city may have a simple information systems org chart
that includes the city manager who makes business-related technology decisions,
a city clerk who works with the IT vendor to help them understand business
needs and requirements, and an outside IT vendor that monitors and maintains
all information systems on a day-to-day basis.
might contain some technical information that you need help drafting, your city
needs to have stakeholders create a policy and procedure manual for your
information systems. You will need to define and document important items such
As one of
the most important pieces of information systems management, your city needs a
plan for restoring data and systems in case of a server failure or a major
disaster. Some of the questions you need to address include:
training is important on many, many levels. First, empowering users with
knowledge about your city’s information systems helps with their proficiency and
productivity. If you’re investing in this technology, then training users
allows you to maximize your investment. But secondly, training users also helps
with lessening security risks. Many users may not be aware of the dangers of
malicious websites, email attachments, online quizzes, social media games, and
software that seems innocent. The more you teach users about the possibilities
of your information systems along with some of the security risks that exist,
the more your efforts will ripple positively across your organization.
city’s information systems like a professional football team, not a pickup game.
By following the five best practices above, you will build a great foundation
for your information systems, reduce risk, increase productivity, and comply
with important laws.
about your information systems management? Contact us today.
Obviously, your city must already
have some kind of records management in place. After all, it’s the law for
cities to keep records, respond to open records requests, and supply
information for audits and investigations. But many cities don’t have a records
management system in place beyond paper and cabinets, or they use a subpar
records management system that frustrates more than it helps.
While a city clerk might not be
able to change an existing records management system overnight, there are a
series of steps they can take to help them modernize and align their city with records
management best practices.
As a baseline, review your
state’s city clerk handbook (if it exists). If you cannot find an official
handbook, then contact your state’s city clerk’s association or municipal
league to see if any equivalent materials are available. Review any sections
related to records management to make sure that your city is—at a minimum—following
the law and any best practices that would be easy to implement. That includes:
In case of an open records
request, you need to provide any public information on demand. How easily can
you do it? Public information includes paper documents, electronic documents,
emails, and other computer-based information. Where is that information stored?
Is it in a cabinet or on a server where authorized personnel have access? Is it
only on one person’s computer? Do you even know? It’s good to make an
assessment of where all public information is located, note any unknowns, and identify
any challenges in case you need to access it.
If going through an open records
request is a time-consuming nightmare, then you need to consider a modern
document management system that helps you organize, access, and retrieve
documents in a more efficient way. Some things to consider include:
Consult with your state’s city
clerk association and municipal league to consider recommended document
management systems that shore up your weaknesses and modernize your technology.
To keep up on new laws, trends,
and best practices, consider receiving ongoing records management training. If
available, take basic courses that lead to certification. Then, take any
ongoing training classes and attend sessions at conferences. In some states,
you will be required as a city clerk to take some records management courses.
Other city clerks will have years
and even decades of experience with records management. Learn from them by
attending city clerk conferences and events. Network with city clerks and give
them a call with questions. In many cases, they will reinforce the points we’ve
made above and also help you dig into deeper detail about what works for them.
For additional information,
consider the following resources:
© 2009-2016 Mimsware Corporation, all rights reserved. Sophicity®, “We put the IT in City”, and the Sophicity logo are registered trademarks of Mimsware Corporation d/b/a Sophicity.