As a follow-up to my post about data processing, this post discusses data output. For those who are not data-savvy or immersed in the world of data, it might seem like output is just output, right? No need to worry about output if you do input and processing correctly, right? Not the case! Data output offers up some unique security risks and challenges that you need to fend off. Here are a few data output areas to assess.
When data output gets seen or delivered to a person—whether it’s city staff looking at a paper report or a citizen using your city’s website—that data must not reveal confidential information. For example, it should never be easy to see a social security number online with only a few data inputs. Likewise, personnel records should not be made available in a paper report that may get passed around to unauthorized people. Place controls over who sees outputted data.
For employees and citizens who need to see certain information, data output needs to be highly available. That means your hardware and software need to perform at a high standard. Lack of data availability affects the jobs of your employees and interferes with citizen services (such as paying property taxes).
Ever run a report and get a spreadsheet full of gobbledygook and unstructured, unformatted data? Outputted data is not helpful if it can’t be read or interpreted. The end result of data input and processing must be understandable and usable. Work with your software vendors and IT staff or vendor to ensure that you receive data output in a digestible, user-friendly form.
As with our suggestions for data input and data processing, it’s always a good idea to monitor data output. Not only do you help quality control by detecting errors and anomalies, but you also stay alert for security risks and breaches.
In addition to security and usability, cities must also ensure that they comply with all federal and state laws. This includes laws that balance privacy (such as keeping personal information like social security numbers private) with freedom of information. Data breaches can occur and lead to fines and lawsuits when outputted data gets in the wrong hands as a result of careless policies.
Looking at these best practices, it’s clear that a few patterns emerge.
Questions about securing your data? Reach out to us today.
Data processing is a complex topic involving lots of technical know-how. Experts have written books about it, and IT professionals spend their entire careers staying up on its developments. For this post about data, we’ll focus on a few key data processing concepts that especially impact security and need to be addressed in your application controls policy.
Your data processing is the bridge between your data input and output. Now let’s look at some important data processing aspects.
Transaction logs record all electronic information about transactions that take place within an application. For example, you may enter payroll information each week into your accounting application for each employee. Each completed set of data that you input for each employee counts as a transaction if the data is processed between, for example, your system and a bank.
These logs must match what are known as “source documents.” For example, payroll information may originate from a timesheet (either on paper or sent electronically). If the timesheet and the paycheck don’t match, then there may be a transaction error. Experiencing many transaction errors may indicate a problem with your application or with the way your employees are using it.
Edit reports note incorrect information, incomplete information, and errors in transactions. It’s important to run these reports for your most critical applications to make sure that transactions are accurate. For example, edit reports are useful when you’re sending out paychecks, tax information, or utility bills. You can then note any errors and make fixes before officially completing them.
Your applications are designed to accurately capture information and ensure high data quality. Your override procedures need to be strict and for exceptions only. Don’t abuse an override function just to get around inconveniences. In addition, and as a security precaution, it helps to monitor overrides along with all other logging information to look for patterns and possible security violations.
In case of a power outage, a data interruption, or lags between different applications, your applications need to reconcile inputted transactions with your database. For example, if 10 users submit utility billing information on your website while you’re having a server outage, those 10 transactions should reconcile to your database once your server is back up. Reconciliation also applies from an accounting perspective. You need reconciliation processes in place to ensure that your general and subsidiary ledgers match up.
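To show how the edit reports, override monitoring, and reconciliation described above fit together, here is an added example written for this page (not code from the original post or from any vendor’s application): it checks payroll transactions against their timesheet source documents, flags incomplete and unprocessed records, and tallies overrides per user. The record layout, check codes, and all sample data are constructed assumptions.

```python
"""Added example, not from the original post: an edit report that checks payroll
transactions against their source documents (timesheets), flags incomplete and
unprocessed records, and tallies overrides per user so patterns can be reviewed
before paychecks go out. Field names, check codes and all records are
constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Timesheet:                    # the source document
    employee_id: str
    period: str
    hours: Decimal

@dataclass(frozen=True)
class PayTransaction:               # what the accounting application processed
    txn_id: str
    employee_id: str
    period: str
    hours_paid: Decimal
    hourly_rate: Optional[Decimal]
    gross_pay: Optional[Decimal]
    override_by: Optional[str] = None   # user who bypassed a validation, if anyone

def edit_report(timesheets: List[Timesheet],
                transactions: List[PayTransaction]) -> List[Tuple[str, str, str]]:
    """Return (txn_id, code, detail) findings; an empty list means everything reconciles."""
    findings = []
    sheets = {(t.employee_id, t.period): t for t in timesheets}
    processed = set()
    for tx in transactions:
        key = (tx.employee_id, tx.period)
        processed.add(key)
        if tx.hourly_rate is None or tx.gross_pay is None:
            findings.append((tx.txn_id, "INCOMPLETE", "missing hourly rate or gross pay"))
            continue
        sheet = sheets.get(key)
        if sheet is None:
            findings.append((tx.txn_id, "NO_SOURCE", "no timesheet for this employee and period"))
            continue
        if tx.hours_paid != sheet.hours:
            findings.append((tx.txn_id, "HOURS_MISMATCH",
                             f"paid {tx.hours_paid}h, timesheet shows {sheet.hours}h"))
        expected = (sheet.hours * tx.hourly_rate).quantize(Decimal("0.01"))
        if tx.gross_pay != expected:
            findings.append((tx.txn_id, "PAY_MISMATCH",
                             f"gross pay {tx.gross_pay}, timesheet implies {expected}"))
    # Reconcile in the other direction too: every source document must have produced a transaction
    for key, sheet in sheets.items():
        if key not in processed:
            findings.append(("-", "UNPROCESSED",
                             f"timesheet for {sheet.employee_id} {sheet.period} has no transaction"))
    return findings

def override_summary(transactions: List[PayTransaction]) -> Counter:
    """Overrides per user; one user with many overrides is the pattern worth a second look."""
    return Counter(tx.override_by for tx in transactions if tx.override_by)

# Constructed sample data for one pay period
SAMPLE_TIMESHEETS = [
    Timesheet("E100", "2024-W10", Decimal("40")),
    Timesheet("E101", "2024-W10", Decimal("32.5")),
    Timesheet("E102", "2024-W10", Decimal("40")),
    Timesheet("E104", "2024-W10", Decimal("24")),       # no transaction ever processed
]
SAMPLE_TRANSACTIONS = [
    PayTransaction("T1", "E100", "2024-W10", Decimal("40"), Decimal("25.00"), Decimal("1000.00")),
    PayTransaction("T2", "E101", "2024-W10", Decimal("40"), Decimal("20.00"), Decimal("800.00"),
                   override_by="jdoe"),                  # hours forced past the timesheet
    PayTransaction("T3", "E103", "2024-W10", Decimal("40"), Decimal("30.00"), Decimal("1200.00"),
                   override_by="jdoe"),                  # employee with no source document
    PayTransaction("T4", "E102", "2024-W10", Decimal("40"), None, None),
]

if __name__ == "__main__":
    for finding in edit_report(SAMPLE_TIMESHEETS, SAMPLE_TRANSACTIONS):
        print("%-3s %-15s %s" % finding)
    print("overrides:", dict(override_summary(SAMPLE_TRANSACTIONS)))
```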
IT professionals should monitor everything related to your data processing such
Your data processing policy needs to be reviewed by business and application stakeholders to make sure you are complying with the law and using best practices. In a future post, we’ll look at data output—the final stage of data after it’s inputted and processed.
Questions about the security of your data processing? Reach out to us today.
I had a flash of insight during a recent experience renovating a bathroom in my house. As with any project (just like technology), I’ve experienced both little issues and big issues along the way. However, the two biggest issues occurred when I ordered a sink and when I experienced a big leak. In hindsight, these two experiences jumped out at me because they clearly paralleled the many stories I’ve heard from cities about good and bad IT vendors.
Let’s look at the bad experience first—and see if you can relate.
I needed this sink before the contractor started working on the renovation. So just to be doubly and triply assured that the sink would arrive on time, I ordered it online from a large home improvement store more than three weeks before the contractor would arrive. The store gave me a delivery date of one week from the time I ordered it. “Good,” I thought. “That’s about two weeks before the contractor gets here. And that gives me two weeks of buffer time in case anything goes wrong with the delivery.”
The delivery date came and went. No sink.
I contacted the store about the issue. I could not reach a human. Instead, the store ignored my emails and voicemails.
Another week passed. No sink. No answers from the store. No communication from the store. I still couldn’t reach a human being to get an explanation of the problem and how it would get addressed.
Another week passed. The contractor started work. Still no sink!
By this point, I did receive a couple of very vague and generic emails from the store about the sink. Basically, all they could tell me was, “We’re looking into it.” No estimated time of arrival. No set expectations. And no follow-up.
I got to my boiling point and started calling supervisors, managers, and even the store’s corporate office. Finally, a human being talked to me. Yet still no sink ever arrived!
When even the conversation with the corporate office produced no sink, I cancelled my order. This store lost my business, and I bought a sink from a competitor.
Many IT vendors make these kinds of mistakes when serving cities.
Now let’s look
at what could have been a disaster in my house and see how a professional turned
a crisis into an example of amazing customer service.
Keep in mind
that my house is 75 years old. As a result, this renovation involved tearing
the bathroom down to the studs. On the contractor’s first day, he focused on
redoing some plumbing and wrapped up the day without incident.
That evening, I walked into the bathroom to inspect the progress and found a pipe spewing water everywhere. After some quick triage to contain the water, I called the contractor in a panic. Remember my story with the sink and imagine if that large home improvement store were on the other end of the line!
Here’s what happened:
The contractor and his crew arrived bright and early the next morning, just like they promised. After briefly explaining the problem to me, he completely fixed the leak within two hours.
What made the difference? Values that I hold dear as an IT professional.
Whether it’s redoing a bathroom or serving a city’s technology needs, issues will always crop up. That’s why you need the right IT vendor—one that is responsive, communicative, and results-driven. And you know they’re good when they manage even earth-shattering crises—the equivalent of a major leak—with calm.
Looking for a municipal IT partner who is responsive, communicates, and delivers results? Reach out to us today.
What do you do when the worst happens? As an important city policy that should not be neglected, a disaster recovery and business continuity policy outlines how to recover electronic data after a catastrophe. Because cities cannot predict when a disaster such as a fire, flood, or tornado will occur, it’s essential that a disaster recovery plan is in place.
So what do you need to cover in your policy? Here are five essential elements to help get you started. Every city’s data volume and priorities may be different. It helps your policy if you outline risks specific to your city, such as:
This is probably the most important aspect of your disaster recovery and business continuity policy. What exactly will you do when a disaster strikes? You will want to outline:
In other words, who will do what? You have multiple people who need to be clear about their roles. Focusing on people, processes, documentation, and a plan helps everyone become aware of their roles. And you must prepare for the worst because, sadly, not everyone may make it through a disaster event.
Any sound disaster
recovery plan needs onsite and offsite storage capabilities.
Don’t be the city that sets up a wonderful data backup and disaster recovery solution—and then never tests it. How do you know it will work? Your policy should include regular testing. Quarterly is ideal, but annual should be an absolute minimum. IT professionals should also regularly monitor your data backups to look for problems, errors, and data corruption.
Many cities find that reviewing these elements helps them realize they need to upgrade and modernize their data backup and disaster recovery solution. Common weak areas usually include no offsite data backup, manual (instead of automated) data backups, and a lack of IT professionals overseeing data backup. While creating a policy, you want to make sure you can carry out the most important aspects of effective disaster recovery and business continuity.
Questions about your disaster recovery policy or solution? Reach out to us today.
We’ve recently talked about many kinds of security—physical, wireless, and network. Now we come to “logical access security.” What does that even mean? It’s a technical term that’s actually quite simple to define.
With physical security, you’re physically preventing people from accessing equipment that stores sensitive information. With logical security, you’re electronically preventing people from accessing sensitive information. In other words, logical access security is all about the security of information that is accessed 100% electronically.

Unlike physical security, you can’t lock bits and bytes behind doors. So how do you lock your electronic information down? Here are four important areas to focus on.
Most of us access electronic information through passwords. Just think about what you access every day with a password: your email, your software applications, or your online website applications. Unfortunately, many organizations have extremely weak password policies that leave the door open to hackers. You need a password policy that includes:
At the IT administration level, you need experienced internal staff or a vendor to manage and monitor user accounts. It’s at the administrative level that IT professionals—following your city’s policies—will assign new user accounts, make changes to user accounts (such as assigning new passwords or updating access privileges), delete user accounts, and watch for any unauthorized user access. If no one performs this monitoring and maintenance on a regular basis, then you risk unauthorized users (such as ex-employees) using your systems and accessing sensitive information.
No, we don’t mean making an employee sit in the corner! Timeouts are when a computer gets locked for a period of time (such as 15 minutes) as a result of policies that protect against unauthorized access (such as hackers). After the period expires, the user can then attempt to log back into their computer. This requirement especially helps with computer security in an office where someone could easily sit at another person’s computer and steal information. With a timeout policy, you can make sure computers are more inaccessible to unauthorized people regardless of whether those people are physically present or somewhere across the world.
We’ve written more extensively about logging in the past, so we’ll just summarize a few high points here. Basically,
logging is a technical activity that IT professionals conduct to both diagnose
issues and document who accesses your data. For security, logging is important
to track things such as suspicious web surfing activity or users remotely
accessing your data. Without logging, you may not know if unauthorized users
are viewing or stealing sensitive information until it’s too late.
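The account monitoring, timeout, and logging points above, combined in an added example that is not from the original post: a login gate that locks an account for the post’s 15-minute period after repeated failed attempts, records every decision in an audit log, and a review helper that reads that log to flag attempts on disabled (ex-employee) accounts and lockouts. The five-attempt threshold, the log format, and the accounts are constructed assumptions; the post’s “timeout” also covers idle screen locks, which this code does not model.

```python
"""Added example, not from the original post: a login gate that implements the
lockout the post calls a "timeout", logs every decision, and a review helper that
reads the log back to flag ex-employee (disabled) account activity and lockouts.
Threshold, log format, and account data are constructed assumptions."""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
LOCKOUT_THRESHOLD = 5                   # failed attempts before a lockout (assumed policy value)
LOCKOUT_PERIOD = timedelta(minutes=15)  # the 15-minute period mentioned in the post

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes                      # PBKDF2 of the password; the password itself is never stored
    enabled: bool = True                # set to False when an employee leaves
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(username: str, password: str, enabled: bool = True) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), enabled)

class LoginGate:
    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.audit_log: List[str] = []

    def _record(self, now: datetime, user: str, outcome: str) -> bool:
        """Append one audit line; returns False so denial branches can log and return in one step."""
        self.audit_log.append(f"{now.isoformat()} user={user} outcome={outcome}")
        return False

    def attempt(self, username: str, password: str, now: datetime) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return self._record(now, username, "UNKNOWN_USER")
        if not acct.enabled:                 # ex-employee accounts stay listed but disabled
            return self._record(now, username, "DISABLED_ACCOUNT")
        if acct.locked_until is not None and now < acct.locked_until:
            return self._record(now, username, "LOCKED")   # still inside the 15-minute period
        acct.locked_until = None             # any earlier lockout period has expired
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._record(now, username, "SUCCESS")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts < LOCKOUT_THRESHOLD:
            return self._record(now, username, "BAD_PASSWORD")
        acct.failed_attempts = 0             # the lockout itself restarts the count
        acct.locked_until = now + LOCKOUT_PERIOD
        return self._record(now, username, "LOCKOUT_TRIGGERED")

def review_log(lines: List[str]) -> List[str]:
    """Flag the patterns the post says to watch for: disabled-account activity and lockouts."""
    disabled, lockouts = Counter(), Counter()
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split(" ")[1:])
        if fields["outcome"] == "DISABLED_ACCOUNT":
            disabled[fields["user"]] += 1
        elif fields["outcome"] == "LOCKOUT_TRIGGERED":
            lockouts[fields["user"]] += 1
    alerts = [f"{u}: {n} attempt(s) on a disabled account" for u, n in disabled.items()]
    alerts += [f"{u}: locked out {n} time(s)" for u, n in lockouts.items()]
    return alerts

def run_demo():
    # Constructed scenario: 5 wrong guesses, right password while locked, ex-employee, then success after expiry
    gate = LoginGate([make_account("clerk", "Sample-Passw0rd!"),
                      make_account("former.staff", "Old-Passw0rd!", enabled=False)])
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    results = [gate.attempt("clerk", f"guess{i}", t0 + timedelta(minutes=i))
               for i in range(LOCKOUT_THRESHOLD)]
    results.append(gate.attempt("clerk", "Sample-Passw0rd!", t0 + timedelta(minutes=6)))
    results.append(gate.attempt("former.staff", "Old-Passw0rd!", t0 + timedelta(minutes=7)))
    results.append(gate.attempt("clerk", "Sample-Passw0rd!", t0 + timedelta(minutes=20)))
    return results, gate.audit_log, review_log(gate.audit_log)
```

Running `run_demo()` shows the correct password being refused while the lockout is active and accepted once the 15 minutes have passed, with the ex-employee attempt surfacing in the review output.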
As you can see, logical access security is...well, quite logical. We’re sure Star Trek’s Dr. Spock would agree! By locking down your electronic information as well as your physical technology equipment, you mitigate the risk of hacking attempts, data breaches, or stolen information.
Questions about your logical access security policies? Reach out to us today.
In the world
of bits and bytes, the act of stopping hackers and preventing unauthorized
access to data can seem like the highest information security priority. But
physical security of electronic information is just as important—and often
overlooked. It’s not uncommon for organizations to spend lots of time on
information security only to leave rooms with servers and workstations
unlocked—allowing anyone to wander inside.
Every city, even a smaller one, needs physical security for its onsite technology. Don’t make it too easy for a disgruntled employee or member of the public to damage or access information from a server or computer. Your liability greatly increases when you lack good physical security for your technology.
So what do
you need to do? Physically lock down and prevent unauthorized access to your
technology through the following best practices.
In most cases, this will be a room with servers that contains some of your city’s most critical information. You need to house any machines with sensitive data in a locked room. For example, that means not housing servers in an office where employees sit at their desks. Employees should only access a server room through some kind of barrier (or locked door) via a key, key fob, or key card.
Only authorized people should access any rooms with servers or other sensitive electronic information. Create clear policies that outline which employees, contractors, vendors, and visitors may access these rooms. You also need policies about how you terminate access so that ex-employees or former contractors can’t continue to enter these rooms.
We all make
mistakes. But with physical security mistakes, you need policies that mitigate
risks from any possible data breaches. Let’s say someone misplaces a key fob
and it might get into unauthorized hands. Your policy may outline procedures
for deactivating the lost key fob, which is much quicker and easier than changing
the locks on a door.
In addition to controlling how people enter and exit rooms containing sensitive technology, think about the following physical access procedures:
In case of a disaster, you want to have important physical security protections in place.
Taken as a
whole, these best practices will lock down your technology and make it
difficult for a physical data breach to take place. Plus, these best practices
also help with non-human disasters such as fire, flooding, or power outages.
Questions about your technology’s physical security? Reach out to us today.
In our last post,
we talked about network security policy but left wireless security for this
post. It’s not uncommon to see a city overlook the importance of wireless
security. Partly, that’s because it’s easy to treat wireless devices like how
you would set them up at home—buy a wireless router, unbox it, plug it in,
power it on, connect your devices, and go.
Not surprisingly, technology audits often show that cities have open wireless access points that make it easy for hackers to access a city’s network. If wireless devices are not configured, secured, and properly monitored and maintained by IT professionals, then they can pose major security risks for your city. When considering a wireless security policy, you need to account for the following:
You’re not a
home or a small coffee shop. You’re a city. People shouldn’t be able to hop
onto your wireless network without a password and start getting on the
internet. In fact, no unauthorized user should have access to your city’s
wireless network. At the very least, you need to:
A visitor to city hall or an unauthorized employee wandering through a hallway should not have access to a city’s wireless device. Yet many cities have wireless access points sitting in the open. These devices are easy to steal, damage, or reconfigure. To remain safe, any physical wireless hardware needs to be secured (such as in a locked room or a cabinet accessed only by a key or key fob), similar to how you would secure servers or your network infrastructure.
Wireless hardware runs on software that needs to get regularly updated with patches and upgrades. Bugs, security holes, and performance issues get fixed by these patches and upgrades. If your city hasn’t applied these updates in a while, then that is a priority in order to get these wireless devices as secure as possible. Ongoing wireless patching and upgrading should then become a regular part of your technology maintenance.
Create an inventory of your existing wireless devices. What kind of equipment are you using? If it’s consumer-grade, then you’re at a big disadvantage. Business-class wireless hardware is more secure, provides better coverage throughout your buildings, and grows along with your city if you need to add more users. Your wireless security policy should set a minimum requirement for your city to use business-class hardware with configuration performed by IT professionals.
As part of monitoring
and maintaining your network infrastructure, you need to also monitor and
maintain your wireless network. Activities include:
With a strong wireless security policy that applies the best practices above, you’ll close this often-overlooked security hole at your city. Wireless access is a convenient, efficient way for employees to access the internet. Make sure that this access remains safe and secure.

Questions about your wireless security? Reach out to us with any questions.
To understand the importance of network security, imagine your technology like it’s city hall. Inside city hall, you have people, offices, hallways, and assets like furniture, office supplies, and computers. Parts of city hall may be open to the public—like the unlocked front door from 9-to-5. Other parts may be off-limits directly (such as a locked door) or indirectly (such as a security officer or a sign that says “keep out”).
Depending on your security setup, unauthorized people may or may not have access to sensitive information within city hall. Network security works similarly by preventing unauthorized electronic access to your sensitive information.
To help you understand your network better, we’ll define some terms that you may have heard your IT staff or vendor mention.
Your network needs to have the right equipment, properly functioning and configured, to keep you secure. Here’s how to get your network security optimized for your city.
To assess your network security, you need to first identify everything that makes up your network—computers, servers, switches, routers, firewalls, etc. This assessment should include non-technical insights (such as information gaps about what’s on your network) and technical insights (like scans for security vulnerabilities on existing equipment). Overall, you’re looking for any security holes that could open you up to a cyberattack.
Just as there are many ways to enter city hall (some legal and some illegal), there are also many ways to access your network. You’re essentially looking to add locks to any unlocked doors that you discovered in your network security assessment. Examples of locking down access points include:
Poor network device configuration (such as using default settings or creating weak passwords) can leave your city open to security risks. For example, a firewall contains many ports (or doors) that open up your network to the outside world. If you leave certain ports open, you could be introducing major security risks—similar to leaving a city hall door open at night. Even switches and routers can become security risks if improperly configured. Make sure you have trained IT professionals set up and configure your network devices.
A combination of automated software and trained IT professionals is needed to monitor your network 24/7/365. Hackers and other unauthorized users are always a threat to any network—no matter how “insignificant” you feel your network looks to an outsider. Any city is a ripe target for hackers. When monitoring network security, your IT staff or vendor will look for suspicious activity, signs of outside hacking or cyberattacks, and security vulnerabilities in your network.
While it’s great to solidify a lot of the technical underpinnings of your network, you also need to create a policy that documents both technical and non-technical network security requirements. That may include quality control related to network hardware (such as modernizing equipment on a regular schedule), requirements pertaining to authorized users and remote access, and both proactive monitoring and testing of your network to eliminate as many security threats as possible.
Just as you lock the doors of city hall at night, you need to lock the doors of your network. By assessing your network security, adding the “locks,” and rigorously monitoring it, you’ll greatly lessen the chance of a cyberattack compromising your network.
Questions about your network security? Reach out to our municipal IT specialists today.
In the midst
of worrying about cybersecurity threats from viruses and hackers, it’s easy to
overlook security risks from the way you manage vendors and contracts. You
think, “Hey, I’m paying legitimate businesses to oversee my IT needs—and I’ve
got a contract with them. What’s the worry?”
plenty of worry, actually—especially if you haven’t evaluated your vendors or
vendor management process in a while. Here are some tips and best practices to
help you shore up this overlooked security risk.
It’s good to
collect and centralize as much information about your vendors as you can. Make
sure you’re clear on:
Performing a simple inventory may surprise you. For example, you may find that a vendor is wildly unpredictable in their monthly billing or that a certain vendor hasn’t been living up to a support agreement.
Contract review may seem like an obvious best practice, but many aspects of it are often neglected in organizations. A contract should clearly spell out:
If you haven’t reviewed existing contracts in a long time, then take time to go through them. Look for gaps between what the contract says and the services you’re receiving. From this point forward, make sure that a business stakeholder and an experienced technology professional (in addition to your city attorney) evaluate all new vendor contracts.
While reviewing your contracts, you may notice some anomalies. Perhaps you’re getting way overcharged for a service. Maybe one vendor hasn’t upgraded their software or service model for many years. If you have doubts about any particular service, then shop around. You may just find that a cheaper and/or higher quality service exists that would benefit your city. If you still want to keep a vendor, then you may be able to leverage market knowledge to renegotiate your pricing or get the vendor to provide more services.
We wrote a post about IT procurement a few
years ago that covers the following best practices:
For an RFP or RFI process, follow a series of steps that help you select the best vendor. Business stakeholders and IT professionals need to work together to evaluate all aspects of a vendor: financial stability, the ability to deliver quality services, the relevancy of the solution, and pricing. Bad vendors lead to possible security risks.
Once vendors are vetted, paid, and serving you, you need a third party with a deep knowledge of information technology to oversee them. Busy, non-technical city staff can easily overlook issues with vendors such as security concerns, performance problems, and adherence to a contract. And even the best technology vendors often have difficulty working with non-technical staff on major issues. IT professionals will be able to communicate with vendors more efficiently while also warding off major problems and security risks.
By following these steps, you will make a lot of progress toward eliminating security risks related to vendors and their contracts. Going through these steps is also a great exercise in transparency, finding potential cost savings, and ensuring higher quality services at your city.
Questions about managing your technology vendors? Reach out to us today.
In part one of this
two-part post, we talked about how cities can better comply with the law
through a set of information security best practices. Now in part two, let’s
look at how specific policies help cities with compliance.
Technology alone won’t protect cities.
Clear, detailed policies document important rules, procedures, and guidelines
to help you comply with federal, state, and local laws.
So, what kinds of policies do you need?
Generally, they will fall into two main areas. For this post, we are using the
structure of Arkansas’s Legislative Audit guidelines as a way to discuss policies
that are relevant to all cities.
The Arkansas Division of Legislative
Audit defines general controls as “mechanisms established to provide reasonable
assurance that the information technology in use by an entity operates as
intended to produce properly authorized, reliable data and that the entity is
in compliance with applicable laws and regulations.”
The key here is that your city’s
technology works properly and correctly while complying with the law. Overall,
it helps to create an operational policy and procedure manual for your
information systems that accounts for:
The Arkansas Division of Legislative
Audit defines application controls as “[relating] to the transactions and data
for each computer-based automation system; they are, therefore, specific to
each such application. Application controls are designed to ensure the
completeness and accuracy of the accounting records and the validity of the
In other words, cities want to make sure
that applications such as accounting software correctly receive, store, and deliver
the right data. Policies related to application controls include:
While Arkansas may require cities to implement these kinds of policies as part of its legislative audit, it’s a good idea for all cities to adopt policies like these. They cover the essentials of information systems and greatly help to reduce risk and liability. Plus, such documentation leads to a much more well-run IT department and helps with transitions (such as IT staff retiring or a new IT vendor getting hired).
Missed part one of this post? Read it here.
Lacking information systems policies at your city, leaving it open to risk? Reach out to us today to talk about policy in more detail.
© 2009-2017 Mimsware Corporation, all rights reserved. Sophicity®, "We put the IT in City”, and the Sophicity logo are registered trademarks of Mimsware Corporation d/b/a Sophicity.