In the midst
of worrying about cybersecurity threats from viruses and hackers, it’s easy to
overlook security risks from the way you manage vendors and contracts. You
think, “Hey, I’m paying legitimate businesses to oversee my IT needs—and I’ve
got a contract with them. What’s the worry?”
plenty of worry, actually—especially if you haven’t evaluated your vendors or
vendor management process in a while. Here are some tips and best practices to
help you shore up this overlooked security risk.
It’s good to
collect and centralize as much information about your vendors as you can. Make
sure you’re clear on:
performing a simple inventory may surprise you. For example, you may find that
a vendor is wildly unpredictable in their monthly billing or that a certain
vendor hasn’t been living up to a support agreement.
seem like an obvious best practice but many aspects of contract review are
often neglected in organizations. A contract should clearly spell out:
haven’t reviewed existing contracts in a long time, then take time to go
through them. Look for gaps between what the contract says and the services
you’re receiving. From this point forward, make sure (in addition to your city
attorney) that you have a business stakeholder and an experienced technology
professional evaluate all new vendor contracts.
reviewing your contracts, you may notice some anomalies. Perhaps you’re getting
way overcharged for a service. Maybe one vendor hasn’t upgraded their software
or service model for many years. If you have doubts about any particular
service, then shop around. You may just find that a cheaper and/or higher
quality service exists that would benefit your city. If you still want to keep
a vendor, then you may be able to leverage market knowledge to renegotiate your
pricing or get the vendor to provide more services.
We wrote a post about IT procurement a few
years ago that covers the following best practices:
RFP or RFI process, follow a series of steps that help you select the best
vendor. Business stakeholders and IT professionals need to work together to
evaluate all aspects of a vendor for financial stability, the ability to
deliver quality services, the relevancy of the solution, and pricing. Bad
vendors will lead to possible security risks.
are vetted, paid, and serving you, you need a third party with a deep knowledge
of information technology to oversee vendors. Busy, non-technical city staff
can easily overlook issues with vendors such as security concerns, performance
problems, and adherence to a contract. And even the best technology vendors
often have difficulty working with non-technical staff on major issues. IT
professionals will be able to communicate with vendors more efficiently while
also warding off major problems and security risks.
these steps, you will make a lot of progress toward eliminating security risks
related to vendors and their contracts. Going through these steps is also a
great exercise in transparency, finding potential cost savings, and ensuring
higher quality services at your city.
Questions about managing your technology vendors? Reach out to us today.
In part one of this
two-part post, we talked about how cities can better comply with the law
through a set of information security best practices. Now in part two, let’s
look at how specific policies help cities with compliance.
Technology alone won’t protect cities.
Clear, detailed policies document important rules, procedures, and guidelines
to help you comply with federal, state, and local laws.
So, what kinds of policies do you need?
Generally, they will fall into two main areas. For this post, we are using the
structure of Arkansas’s Legislative Audit guidelines as a way to discuss policies
that are relevant to all cities.
The Arkansas Division of Legislative
Audit defines general controls as “mechanisms established to provide reasonable
assurance that the information technology in use by an entity operates as
intended to produce properly authorized, reliable data and that the entity is
in compliance with applicable laws and regulations.”
The key here is that your city’s
technology works properly and correctly while complying with the law. Overall,
it helps to create an operational policy and procedure manual for your
information systems that accounts for:
The Arkansas Division of Legislative
Audit defines application controls as “[relating] to the transactions and data
for each computer-based automation system; they are, therefore, specific to
each such application. Application controls are designed to ensure the
completeness and accuracy of the accounting records and the validity of the
In other words, cities want to make sure
that applications such as accounting software correctly receive, store, and deliver
the right data. Policies related to application controls include:
Arkansas may require cities to implement these kinds of policies as part of its
legislative audit, it’s a good idea for all cities to adopt policies like
these. They cover the essentials of information systems and greatly help to
reduce risk and liability. Plus, such documentation leads to a much more
well-run IT department and helps with transitions (such as IT staff retiring or
a new IT vendor getting hired).
Is a lack of information systems policies leaving your city open to risk? Reach out to us today to talk about policy in more detail.
Over time, information security laws only
grow stronger. As information technology continues to mature, expectations grow
higher that cities will protect their data. When data loss occurs or sensitive
information is stolen, the financial and legal repercussions (along with the
public outrage) may increase.
Most laws center around protecting
sensitive information and ensuring that operational continuity occurs even if a
disaster hits. After all, cities are stewards of public information and use
that information to serve citizens. If a city neglects information security,
they’re not just passing over nice-to-have technology perks. They are
neglecting and compromising their very core mission.
In this two-part article, we’ll discuss
best practices in part one and then address policies in part two. Use this
checklist of best practices to begin assessing your information security.
Weak or no passwords remain one of the
biggest information security holes at most cities. Are you using some of the worst passwords, like 123456, Password,
or qwerty? Do your employees write passwords down on sticky notes and attach
them in public view on their computers? Remember, hackers use automated
software to crack passwords. The easiest passwords will get cracked, even if
you consider yourself an unimportant target.
While antivirus software helps protect
your city against viruses, don’t forget that human error often leads to viruses
even if you install antivirus software. Hackers usually fool employees by
getting them to click on funny images, social media quizzes, and online games
on websites and social media. Email attachments with viruses also still work
when employees think they come from a legitimate sender (which is easy for
hackers to spoof).
A virus can really wreck your city by
corrupting, deleting, or stealing your data. Protect yourself with:
Cities with any uncertainty related to data backup need to immediately address
this problem. A data breach or information theft is really bad, but don’t
forget about the risk of permanent data loss. To run a city and serve citizens,
electronic information is essential. Losing data lessens trust between you and
Make sure you can perform onsite data
backups for quick recovery and offsite data backups to recover from theft or
Many cities neglect operating system and
software updates. These updates and patches are delivered by software vendors
to fix bugs and patch up security holes. Studies show that most cyber-outbreaks
can be prevented by keeping computers up to date—and yet most people ignore
messages on their computers about installing updates. Apply patches, ideally
with an IT resource overseeing the process. And because vendors eventually stop
supporting and patching applications, operating systems, and hardware when this technology
gets too old, you need to upgrade these items when they have reached that point.
Physical security remains one of the most
overlooked aspects of information security. It’s easy for a disgruntled
employee to steal or take data from a server or computer. And when you
decommission servers and workstations, be careful—those machines may still have
sensitive information on them if you don’t dispose of them correctly.
Make sure you:
People tend to check out your website
first when they want to learn more about your city—whether it’s exploring
tourist attractions, relocating their business, moving, or inquiring about city
services. Not only do people expect a modern website with fresh content but
they also expect it to be secure and safe. They trust you when they exchange
billing information or click on links. It doesn’t take much for a hacker to
deface a weakly secured website, steal people’s information, or shut that
To make sure your website is safe and
In part two, we’ll talk about some sample
policies that will help enforce and reinforce these best practices across your
Questions about the strength of your information security? Reach out to us today.
Cities face more
challenges than ever with video archiving. As an example, cities are capturing
greater amounts of squad car video and enormous amounts of body camera video
footage. Because of greater public safety scrutiny, more sophisticated body
camera technology, and new laws passed each year holding cities accountable for
retaining this footage, cities are understandably growing more worried and
concerned about their video archiving capabilities.
the dark side of these technology and legal requirements is that
budget-strapped cities struggle with video storage restrictions, costs, and
technology limitations. As a result, it’s tempting to take a shortcut with
video archiving or try to keep doing what you’re doing with aging, obsolete, or
post, we’ll look at seven reasons why you need to modernize the way you archive
your videos—before you run into critical operational or legal problems.
reach a point when your video archiving calms down and stays at the same level.
Your city will grow. You will add police officers. Better technology will help
you generate more footage. And think about it—your public safety department
never stops. You’ll never be able to pause or take a breath. Video constantly
comes in without pause. This situation will continually increase your video storage
needs over time.
Depending on your state,
you will need to legally retain body camera video footage consistent with a
specific law. That means you need a place to archive and retain it. Any risk of
data loss associated with body camera video footage may result in severe fines,
penalties, or lawsuits. Understand how long you need to keep specific footage
depending on the law’s requirements, and then use video archiving tools to help
you adhere to the law.
half the battle if you retain your video footage. After all, you can “retain” a
bunch of your belongings in a garage with no organization—and good luck finding
a power tool or a can of paint when you need it! But if you organize, label,
and structure the contents of your garage, you’ll be able to find and grab
something in seconds. A similar logic works with video archiving. Modern video
archiving tools help you organize your footage with the aim of making it easy
to find specific video when you need it.
paying a low cost for unlimited offsite video storage and retention? If you’re
constantly paying more money for additional storage or capping your total
amount of storage, then you need to look at more modern options immediately.
Storage costs have drastically decreased over the past few years. Yet, many
cities still shell out money for expensive storage because they use outdated
technology or haven’t challenged their existing vendor in a long time.
squad car and body camera video footage captures confidential, private, and
sensitive information, you need to secure the footage. No excuses. Old servers
or software may not have enough security precautions in place. Only authorized
users should access the data—and your IT staff or vendor should be able to
centrally manage this security. The information also needs to be physically
secure if stored on your premises.
with physical security above, you don’t want video footage stored in rooms that
are easy for anyone to access. Servers need to reside in rooms with proper storage
conditions such as air conditioning, ventilation, and a high standard of
cleanliness. If you feel unable to keep up such standards, then consider a data
center or cloud storage.
Data loss is
a nightmare—and even more so for video that includes squad car and body camera
footage. If uncertainty exists with your data backup, then take time to
evaluate your weaknesses. Ask yourself:
Cities—small or large—face a huge responsibility for their video. A
modern video archiving system that addresses all of the concerns above is
essential in order to apply record retention laws and compliance to video
footage. Otherwise, you’re risking data loss or theft that can lead to severe
legal repercussions. Thankfully, there is a low-cost video archiving option that
modernizes your technology while addressing growing storage costs.
Questions about your video archiving? Reach out to us with any questions.
Each state law differs for body
camera records retention. Let’s take a quick look across some of the states we
Even as states continue to refine
video record retention laws as a result of greater public scrutiny, video data
storage growth will outpace policy changes. That means you need to be prepared. And that
preparation involves some technology investments and a few best practices.
You probably already know that
video files take up a lot of storage space. Well, multiply that storage space many
times over by each officer and each squad car day by day collecting new videos,
and you’ll understand how quickly body camera video footage will eat up
your available storage space. You don’t want to get caught running out of available
storage space on your servers, or facing unexpectedly high charges and fees as
you need to procure more local storage devices (or increase hosted storage space).
Work with an IT vendor that offers
unlimited offsite video archiving to eliminate these worries about running out of
storage space and increased costs as your video grows. Plus, the video data is
stored offsite so that it’s retrievable in case of disaster.
Obviously, if you store body
camera footage then you also need to find specific footage when you need it.
Similar to how a document management system helps you label and organize
documents, good body camera software will help you label and organize videos
for later use. Sometimes you’ll need to sift through hours of footage, looking
only for an important few minutes. Make sure that your video software allows
you to quickly and efficiently search for and retrieve information.
You need to adhere to state laws
and city policies for video record retention schedules. Ensure that you keep
footage for as long as you are required to, dispose of it at the right time,
and follow proper procedures. If you don’t comply, then you could get into a
lot of legal trouble when footage is requested and you don’t have it.
Body cameras capture a lot of
footage that needs to remain secured. A hacker exposing video camera footage to
the public might be disastrous to the privacy of citizens—and you might get
held liable if you did not invest in strong security. Body camera footage works
just like any other city record and needs to be treated as such. Internally,
not every city employee should have access to the video footage or be able to
copy it onto something like a flash drive. Your city needs clear security
policies about authorized access to body camera video footage and an IT vendor
that understands how to manage that security.
Last but not least, it helps to
use modernized technology if you are going to operate body camera equipment and
software. Even if the body camera hardware and software is modern, it may not
work well (if at all) with aging servers, computers, or operating systems.
Also, if your networking equipment (such as routers or firewalls) is not up to
the task, then you could have usability or security issues. Because body camera
video footage may soon become mandatory, it helps to think about modernizing
your technology infrastructure so that you can handle the demands of storing
and accessing lots of video.
Wherever your city is located,
it’s best to start thinking about body camera technology. It’s already here and
will become a standard part of police department operations. If you already
have body cameras, then is your technology up to the task of using them? If
you’re thinking about getting body camera technology, then what other
technology do you need to make sure it works properly?
Questions about how your technology can handle the demands of body cameras? Reach out to us today.
or participate in a pickup game with friends? You play by your own set of
rules. The game might start and stop randomly. You might lose track of the score.
But if you watch a professional game right after your pickup game, you’ll
notice everything that was missing. The rules, the framework, the organization,
and the professional capabilities of the players. While there is room for spontaneity,
a professional game is sleek and efficient—run like a machine, overseen by
officials, and aligned to professional standards.
The same difference
exists between having and not having information systems management best
practices in place. You may have experienced organizations where the
information systems feel more like a pickup football game rather than a
professional football game. It’s only fun until something gets out of hand—and
it seems like something always gets out of hand.
disciplined information systems management to reduce risk, improve operations,
and even help comply with legislative audits such as those that occur in the state of
Arkansas. Here are some best practices that can get you there.
helps to understand the state of your information systems. What do you have?
How old are your hardware and applications? What’s the state of your information
security? Are you backing up your data? Use one of our risk assessments as a starting point and make sure you take a close look at your:
your risks, you can focus on your city’s biggest problems first.
It’s easy to
overlook. Cities may chug along managing their information systems without
asking some key questions about everyone’s roles and responsibilities. Who does
what? Who is responsible for information systems? Who has access to
information? Who is authorized to grant access? What outside vendors have
access to information?
At the very
least, create a list of people and vendors along with their roles and what they
do. For example, a small city may have a simple information systems org chart
that includes the city manager who makes business-related technology decisions,
a city clerk who works with the IT vendor to help them understand business
needs and requirements, and an outside IT vendor that monitors and maintains
all information systems on a day-to-day basis.
might contain some technical information that you need help drafting, your city
needs to have stakeholders create a policy and procedure manual for your
information systems. You will need to define and document important items such
As one of
the most important pieces of information systems management, your city needs a
plan for restoring data and systems in case of a server failure or a major
disaster. Some of the questions you need to address include:
training is important on many, many levels. First, empowering users with
knowledge about your city’s information systems helps with their proficiency and
productivity. If you’re investing in this technology, then training users
allows you to maximize your investment. But secondly, training users also helps
with lessening security risks. Many users may not be aware of the dangers of
malicious websites, email attachments, online quizzes, social media games, and
software that seems innocent. The more you teach users about the possibilities
of your information systems along with some of the security risks that exist,
the more your efforts will ripple positively across your organization.
city’s information systems like a professional football team, not a pickup game.
By following the five best practices above, you will build a great foundation
for your information systems, reduce risk, increase productivity, and comply
with important laws.
about your information systems management? Contact us today.
Obviously, your city must already
have some kind of records management in place. After all, it’s the law for
cities to keep records, respond to open records requests, and supply
information for audits and investigations. But many cities don’t have a records
management system in place beyond paper and cabinets, or they use a subpar
records management system that frustrates more than it helps.
While a city clerk might not be
able to change an existing records management system overnight, there are a
series of steps they can take to help them modernize and align their city with records
management best practices.
As a baseline, review your
state’s city clerk handbook (if it exists). If you cannot find an official
handbook, then contact your state’s city clerk’s association or municipal
league to see if any equivalent materials are available. Review any sections
related to records management to make sure that your city is—at a minimum—following
the law and any best practices that would be easy to implement. That includes:
In case of an open records
request, you need to provide any public information on demand. How easily can
you do it? Public information includes paper documents, electronic documents,
emails, and other computer-based information. Where is that information stored?
Is it in a cabinet or on a server where authorized personnel have access? Is it
only on one person’s computer? Do you even know? It’s good to make an
assessment of where all public information is located, note any unknowns, and identify
any challenges in case you need to access it.
If going through an open records
request is a time-consuming nightmare, then you need to consider a modern
document management system that helps you organize, access, and retrieve
documents in a more efficient way. Some things to consider include:
Consult with your state’s city
clerk association and municipal league to consider recommended document
management systems that shore up your weaknesses and modernize your technology.
To keep up on new laws, trends,
and best practices, consider receiving ongoing records management training. If
available, take basic courses that lead to certification. Then, take any
ongoing training classes and attend sessions at conferences. In some states,
you will be required as a city clerk to take some records management courses.
Other city clerks will have years
and even decades of experience with records management. Learn from them by
attending city clerk conferences and events. Network with city clerks and give
them a call with questions. In many cases, they will reinforce the points we’ve
made above and also help you dig into deeper detail about what works for them.
For additional information,
consider the following resources:
With software, cities feel that
they often face a dilemma. Standardized, out-of-the-box software lowers cost
but restricts customization. Customized software better meets the needs of
cities but may increase cost. What to do?
Let’s specifically look at
document management software as an example of resolving this dilemma. Luckily,
document management software has existed for a long time. That means it’s
matured over time and gives cities the best of both worlds—standardization and
customization. Sound too good to be true? Let’s look at both sides in more
Over the years, document
management system creators and practitioners have learned a lot about best
practices that apply to all organizations. These best practices get baked into
the software and you benefit from them without needing to customize. In fact,
many of these standardized benefits feature items you may not have thought to
include if you had created your own document management software
requirements—and they come right out of the box.
While standardized, document management
software also offers customized benefits that are relevant to cities.
With document management
software, you absolutely can have it both ways—customizing it for your city
while enjoying standardized benefits baked into the software. It helps to have
IT staff or a vendor work with you on the technical aspects to make sure that
you’re properly customizing your document management software in a way that
meets your needs and complies with the law.
Questions about document management software? Reach out to us today with questions.
likely have city employees who work at departmental sites that are separate
from your office building. At the very least, they check emails on their
smartphones. Are you finding it difficult to support employees who work across
separate sites? Could it be that your IT staff or vendor hasn’t kept up with
the pace of technology?
heads and staff at these remote sites grow frustrated because their technology
is essentially broken—and responses to technical issues are very slow. A modernized
helpdesk remains inexpensive and yet accommodates the needs of a remote site workforce.
If you’re evaluating whether or not your helpdesk meets these needs, then
consider the following areas where they must succeed.
time comes into play when supporting city workers. It’s not uncommon that staff
need help with their laptops, smartphones, and tablets before and after normal
workday hours. Also, servers may fail at two in the morning or a night shift
officer may need support when encountering an IT issue. An IT helpdesk can’t go
home at the end of a workday and return the next morning. They must remain
available to handle IT problems 24/7/365.
will need help with laptops, smartphones, tablets, printers, and other machines
spanning many devices and operating systems. An IT helpdesk cannot limit itself
to only a select few devices such as workstations in the office. A wide breadth
of knowledge and experience with both old and new devices, operating systems,
and applications is critical in supporting the needs of cities as technology
continues to rapidly change.
IT helpdesk helping remote employees must have security down to a science.
While serving remote sites, your helpdesk can help with making sure:
element of remote help is the use of remote helpdesk sessions. That’s when an
IT engineer will temporarily request access to your computer so that they can
help resolve a specific issue as if they were physically present. Whatever
software your helpdesk chooses for conducting remote helpdesk sessions
needs to be secure and non-intrusive so the user remains aware when support is
engaged. Remote sessions can even take place with smartphones and tablets.
taking a look through these four areas you realize that you’ve got some holes
in your IT helpdesk, then work with your IT staff or vendor to address these
gaps. Some of these elements may seem out of your reach or like overkill (such
as a 24/7/365 helpdesk), but they’re really not. IT helpdesks have evolved as
quickly as the technology you now hold in your hands. If you want to better
serve or enable your employees, then a modern IT helpdesk is a must.
Evaluating IT helpdesk options for your city? Reach out to us with any questions.
© 2009-2016 Mimsware Corporation, all rights reserved. Sophicity®, “We put the IT in City”, and the Sophicity logo are registered trademarks of Mimsware Corporation d/b/a Sophicity.