
CitySmart Blog

Tuesday, December 13, 2016
Dave Mims, CEO

Every day, your city relies on applications to perform various jobs. Your employees may use basic applications such as a web browser or a word processor to perform common tasks. Other people with more specific duties may use specialized applications such as accounting software or a records management system.

No matter what kind of application you use, the security of that application must be rock solid to avoid a data breach. Never simply assume an out-of-the-box application is secure or that a software vendor has made the right security choices for you. While application security is a complex topic, we present five important areas that your city must consider with its policies.

1. Third party access to your applications

Yes, this even includes what your software application vendors may access. Just because they sold you accounting software doesn’t mean that the vendor’s employees can look at all of your city’s payroll data. Work with your IT staff or vendor to oversee user access and authorization—including for third party vendors and contractors.

2. Encrypting data

When necessary, you need applications to encrypt data. Even a basic web browser should encrypt web pages containing sensitive information. When creating documents and reports (such as PDFs), an application should allow you to encrypt particularly sensitive information so that unauthorized users cannot read it. And of course, any sophisticated application dealing with financial, public safety, or other sensitive and confidential data needs encryption.

3. Closing up security gaps when applications integrate and interact with each other

A chain is only as strong as its weakest link—and that is true of applications. It doesn’t matter if your financial application’s security is airtight. If it’s connected to another application within your city or to a third party application, then security holes within those other applications increase the risk of a data breach for your application. Make sure your IT staff or vendor assesses where your applications are connecting and ensures that your information is treated with the same care when it’s exchanged with another party.

4. Locking down access to application data by unauthorized users

Whether it’s a citizen getting access to an application through your website or an entry-level employee accessing basic information to do their job, those people should not be able to destroy or disrupt applications. For example, let’s say an employee accesses a part of your document management system to “view” the employee handbook to see information about paid time off or sick leave. Since they only have “view” rights and privileges, they should not be able to delete the document or make changes to it, such as increasing the city's paid time off or sick leave allowances. Only the person with “edit” (or greater) rights should be allowed to alter the document. And only trained IT professionals and software vendors with authorization should be able to access the “guts” of your applications to configure and administer them.

5. Preparing for the worst through a data backup and a disaster recovery plan

Many of your applications not only store sensitive data but also help run your city operations. First, you need a plan to back up your data so that it’s not forever lost. You can accomplish that through a data backup plan that includes both onsite data backup (for quick time to recovery after an onsite incident) and offsite data backup (for disaster recovery). Second, and just as important, is your business continuity. Some applications—such as your public safety software or city’s website—may serve such a critical role that you need them up and running within minutes or hours after an outage. Your application security policy needs to outline the minimum length of an outage for each application and a plan for restoring functionality in case of a disaster.

Nowadays, applications often form the lifeblood of a city. Many operational activities and citizen services are conducted through applications. Because they store and share such sensitive data, you need to protect those applications. Strengthen the five areas we discussed above and document your high standards in an application security policy for your city.
