CitySmart Blog

Thursday, December 22, 2016
John Miller, Senior Consultant

A disruption or disaster should not be the moment when you take action. Think about how you act proactively when dealing with many aspects of your life.

  • Car service and maintenance to lessen the chance of an accident.
  • Health checkups, exercise, and a good diet to lessen the chance of a heart attack or stroke.
  • Repairs and maintenance on your house to prevent the effects of flooding, thunderstorms, leaks, or safety hazards.

Yet, technology at a city often gets treated like a beater car you’re driving into the ground, a person never exercising and eating whatever they want, or a house that you just let decay and rot over time with minimal upkeep. Why?

Too many times, we see cities only take action when a disruption or disaster hits. That’s way, way too late. Let’s look at some scenarios that might strike a chord with your city. If any of these scenarios speak to you, then you need to act. Now.

Warning Sign #1: No data backup testing.

If you have data backup and you’re not regularly testing it, then you may be in for a surprise.

Disaster: Your city has some kind of data backup process but rarely or never tests it. A server fails containing all of your financial data. You grab your tape, external hard drive, or other form of data backup and attempt to restore the data. It doesn’t work. It’s gone.

Prevention: Every city needs a combination of both onsite and offsite data backup to recover from both small events (like a server failure) and bigger disasters (like a tornado). Then you need real-time monitoring to identify issues and (at a minimum) test your data backup quarterly.

Warning Sign #2: No policy and procedures involving website hosting.

Too many cities still find themselves in situations where a third party webmaster is the only person with knowledge about the city’s website hosting. Another common situation is when the city surprisingly learns the vendor is no longer available or not even there.

Disaster: A webmaster gets angry at the city and holds the website hosting information hostage. The city cannot access its website on the back end to make changes or regain administrative control. In this situation, the angry webmaster could even shut the website down.

Prevention: IT professionals can help cities acquire and manage a city domain name, set up website hosting with a reputable service provider, and give administrative access to authorized city staff to avoid “hostage” situations.

Warning Sign #3: Aging hardware and software.

Unlike other long-lasting physical assets, technology assets often have relatively short lifespans. Hardware and software often need replacing every three to five years because they get old and outdated, are no longer supported by the vendor, and become insecure.

Disaster: A 15-year-old server critical to running city operations fails (such as your accounting and financial system).

Prevention: Cities need to follow a hardware and software lifecycle management policy that mandates modernizing technology (such as upgrading servers at least every five years).

Warning Sign #4: Free or consumer-grade antivirus software.

Free or consumer-grade antivirus software isn’t adequate for protecting a city. Plus, it’s often “maintained” by individual employees who don’t keep the software up-to-date on their computers.

Disaster: An employee clicks on an email attachment that seems like it comes from their boss. Because the antivirus software hasn’t been updated for a few months, the email attachment initiates a virus that gives a hacker access to sensitive city information. A massive data breach occurs.

Prevention: Cities need enterprise-grade antivirus software that’s monitored and maintained by IT professionals. This ensures that it’s always up-to-date and preventing as many virus threats as possible.

Warning Sign #5: Non-technical staff handling IT problems.

As a way for cities to save money and quickly handle operational items, non-technical employees sometimes step in to handle IT problems. But that lack of expertise makes their actions risky and dangerous—even if they have good intentions.

Disaster: A non-technical employee sets up a wireless router incorrectly. Through the security holes in the router, a major data breach ensues when hackers are able to access confidential information on the city’s network.

Prevention: Trained IT professionals need to handle the intricacies of technology—from data backup to configuring hardware such as a wireless router. Just because you can buy consumer-grade equipment from a retail store doesn’t mean that it’s appropriate for your city.

In Part 2, we’ll talk about five more disasters that are waiting to happen. If you feel vulnerable and you don’t want to wait to fix these vulnerabilities, then reach out to us today.

Tuesday, December 13, 2016
Dave Mims, CEO

Every day, your city relies on applications to perform various jobs. Your employees may use basic applications such as a web browser or a word processor to perform common tasks. Other people with more specific duties may use specialized applications such as accounting software or a records management system.

No matter what kind of application you use, the security of that application must be rock solid to avoid a data breach. Never simply assume an out-of-the-box application is secure or that a software vendor has made the right security choices for you. While application security is a complex topic, we present five important areas that your city must consider with its policies.

1. Third party access to your applications

Yes, this even includes what your software application vendors may access. Just because they sold you accounting software doesn’t mean that the vendor’s employees can look at all of your city’s payroll data. Work with your IT staff or vendor to oversee user access and authorization—including for third party vendors and contractors.

2. Encrypting data

When necessary, you need applications to encrypt data. Even a basic web browser should encrypt web pages containing sensitive information. When creating documents and reports (such as PDFs), an application should allow you to encrypt particularly sensitive information so that unauthorized users cannot read it. And of course, any sophisticated application dealing with financial, public safety, or other sensitive and confidential data needs encryption.

3. Closing up security gaps when applications integrate and interact with each other

A chain is only as strong as its weakest link—and that is true of applications. It doesn’t matter if your financial application’s security is airtight. If it’s connected to another application within your city or to a third party application, then security holes within those other applications increase the risk of a data breach for your application. Make sure your IT staff or vendor assesses where your applications are connecting and ensures that your information is treated with the same care when it’s exchanged with another party.

4. Locking down access to application data by unauthorized users

Whether it’s a citizen getting access to an application through your website or an entry-level employee accessing basic information to do their job, those people should not be able to destroy or disrupt applications. For example, let’s say an employee accesses a part of your document management system to “view” the employee handbook to see information about paid time off or sick leave. Since they only have “view” rights and privileges, they should not be able to delete or make changes to the document such as increasing the city's paid time off or sick leave policies. Only the person with “edit” (or greater) rights should be allowed to alter the document. And only trained IT professionals and software vendors with authorization should be able to access the “guts” of your applications to configure and administer them.

5. Preparing for the worst through a data backup and a disaster recovery plan

Many of your applications not only store sensitive data but also help run your city operations. First, you need a plan to back up your data so that it’s not forever lost. You can accomplish that through a data backup plan that includes both onsite data backup (for quick time to recovery after an onsite incident) and offsite data backup (for disaster recovery). Second, and just as important, is your business continuity. Some applications—such as your public safety software or city’s website—may serve such a critical role that you need them up and running within minutes or hours after an outage. Your application security policy needs to outline the minimum length of an outage for each application and a plan for restoring functionality in case of a disaster.

Nowadays, applications often form the lifeblood of a city. Many operational activities and citizen services are conducted through applications. Because they store and share such sensitive data, you need to protect those applications. Strengthen the five areas we discussed above and document your high standards in an application security policy for your city.

Questions about your application security? Reach out to us today.

Thursday, December 8, 2016
Brian Ocfemia, Technical Account Manager

Obviously, most cities use a form of software for accounting activities. But imagine if your entire city accounting system is run on a bunch of simple electronic spreadsheets. You open one up and start entering data. What could go wrong?

You probably just thought about many things.

  • Errors left unchecked.
  • A risk of deleting data that others have inputted.
  • A risk of someone changing mathematical formulas that compute results.

Thank goodness you have that accounting software instead of a bunch of spreadsheets. Yet, the Arkansas Division of Legislative Audit reports that “data integrity” is the number one information security issue they found in the audits they performed. They define data integrity as the “ability of employees to change receipt or disbursement information after issuance or to edit or delete records without proper approval.”

So even despite using software in many cases, cities still struggle with data integrity issues like the ones that could happen in a simple spreadsheet. Let’s look at a few ways to assess, fix, and overcome some common data integrity issues.

1. Audit your data input processes and assess the feedback.

Whether your state requires an audit or not, it’s helpful to audit your financial systems to identify data integrity issues. An experienced third party can evaluate overall processes and issues with who may input, change, and delete data. On a technical level, the auditor should also look at the underlying rules, code, and logic that allow for data input.

2. If needed, fix or modernize your application.

Usually, something will come up in the audit that needs fixing. You may also find that the auditor recommends modernizing with a new system (especially if an older system lacks appropriate data integrity measures). Arkansas doesn’t mince words when it says, “We recommend that application users work with the application vendor to modify the software to include the data input edits that would eliminate vulnerabilities.” Whichever route you go, work with experienced IT professionals and application vendors to oversee any fixes, changes, or implementations of new applications.

3. Set up proper controls and processes.

Whether fixing your current application or using a new application, you want to ensure that it has the proper controls and processes in place to prevent the chance of data input errors or fraud. For example, once paychecks go out, an employee shouldn’t be able to change payroll data after the fact or delete the record of that payment.

4. Limit access to critical transactions.

Any critical transaction—such as issuing a payment or deleting a record—must require higher-level access to accomplish. Too many systems allow any employee at any authorization level to make changes. That increases the chance of major errors and increases the risk for fraud. Exceptions will happen, but those exceptions need to be inputted by authorized people with higher-level access and logged.

5. Put field edit checks in place to reduce errors.

Even normal day-to-day data input risks lower data integrity if fields aren’t set up and restricted in appropriate ways. For example, in a payroll application you may reduce errors if:

  • Important fields are required (and you can’t leave them blank)
  • Fields autocorrect (such as hours worked or a check routing number)
  • Fields autofill (such as employee name, hourly wage, or settings that stay the same every week)
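
The controls from steps 3 to 5, sketched in Python as an added example (not code from the original post or from any accounting product): field edit checks reject bad input, an issued record is locked, and an exception needs a higher-level role and is logged. The role name, field names and record ids are hypothetical, and the routing number is a constructed value that passes the standard checksum.

```python
from datetime import datetime, timezone

REQUIRED_FIELDS = ("employee_id", "hours", "routing_number")
OVERRIDE_ROLES = {"payroll_supervisor"}  # hypothetical higher-level role


class IntegrityViolation(Exception):
    """An entry failed an edit check or a control blocked the change."""


def routing_checksum_ok(routing):
    """ABA routing numbers: 9 digits whose 3-7-1 weighted sum is a multiple of 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def field_errors(entry):
    """Field edit checks: required fields, plausible weekly hours, routing checksum."""
    errors = []
    for name in REQUIRED_FIELDS:
        if entry.get(name) is None or str(entry[name]).strip() == "":
            errors.append(f"{name}: required")
    hours = entry.get("hours")
    if hours is not None and str(hours).strip():
        try:
            value = float(hours)
        except (TypeError, ValueError):
            errors.append("hours: not a number")
        else:
            if not 0 <= value <= 168:
                errors.append("hours: outside 0-168 for one week")
    routing = str(entry.get("routing_number") or "").strip()
    if routing and not routing_checksum_ok(routing):
        errors.append("routing_number: failed checksum")
    return errors


class PayrollLedger:
    """Records can be corrected freely until issued; afterwards only by override."""

    def __init__(self):
        self.records = {}
        self.audit_log = []  # append-only in this sketch; there is no delete method

    def _log(self, user, action, record_id, detail=""):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": record_id, "detail": detail,
        })

    def enter(self, user, record_id, entry):
        errors = field_errors(entry)
        if errors:
            raise IntegrityViolation("; ".join(errors))
        if record_id in self.records:
            raise IntegrityViolation("record id already used")
        self.records[record_id] = {"data": dict(entry), "issued": False}
        self._log(user, "enter", record_id)

    def issue(self, user, record_id):
        self.records[record_id]["issued"] = True
        self._log(user, "issue", record_id)

    def amend(self, user, role, record_id, changes, reason=""):
        record = self.records[record_id]
        if record["issued"] and role not in OVERRIDE_ROLES:
            self._log(user, "denied", record_id, f"role={role}")
            raise PermissionError("issued records need a higher-level role")
        if record["issued"] and not reason.strip():
            raise IntegrityViolation("an override must state a reason")
        merged = {**record["data"], **changes}
        errors = field_errors(merged)
        if errors:
            raise IntegrityViolation("; ".join(errors))
        record["data"] = merged
        self._log(user, "override" if record["issued"] else "amend", record_id, reason)


if __name__ == "__main__":
    ledger = PayrollLedger()
    # Constructed sample entry.
    ledger.enter("clerk1", "chk-1", {"employee_id": "E100", "hours": "40",
                                     "routing_number": "123456780"})
    ledger.issue("clerk1", "chk-1")
    try:
        ledger.amend("clerk1", "clerk", "chk-1", {"hours": "80"})
    except PermissionError as exc:
        print("blocked:", exc)
    for event in ledger.audit_log:
        print(event["action"], event["user"], event["detail"])
```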

Data integrity is an overlooked area of security. You’re typically on the lookout for hackers and data breaches, but a lack of data integrity—missing information, no controls over data, and making it easy to change or delete data—can sneak up on you and lead to serious problems. Don’t wait until an audit to find these issues. Address them by taking a hard look at your current applications with a trained third party and fix any issues that you find.

In total, this three-part series about application policy and security addresses input, processing, and output. You can use these three articles as a checklist to see if you’re matching up to data security best practices.

Questions about data integrity? Reach out to us today.

Thursday, December 1, 2016
Brian Ocfemia, Technical Account Manager

As a follow-up to my post about data processing, this post discusses data output. For those who are not data-savvy or immersed in the world of data, it might seem like output is just output, right? No need to worry about output if you do input and processing correctly, right?

Not the case! Data output offers up some unique security risks and challenges that you need to fend off. Here are a few data output areas to assess.

1. Access to confidential information

When data output gets seen or delivered to a person—whether it’s city staff looking at a paper report or a citizen using your city’s website—that data must not reveal confidential information. For example, it should never be easy to see a social security number online with only a few data inputs. Or, personnel records should not be made available in a paper report that may get passed around to unauthorized people. Place controls over who sees outputted data.

2. Availability of data output

For employees and citizens who need to see certain information, data output needs to be highly available. That means your hardware and software need to perform at a high standard. Lack of availability to data affects the jobs of your employees and interferes with citizen services (such as paying property taxes online).

3. Formatting, reports, and analysis

Ever run a report and get a spreadsheet full of gobbledygook and unstructured, unformatted data? Outputted data is not helpful if it can’t be read or interpreted. The end result of data input and processing must be understandable and usable. Work with your software vendors and IT staff or vendor to ensure that you receive data output in a digestible, user-friendly form.

4. Monitoring

Similar to our suggestions for data input and data processing, it’s always a good idea to monitor data output. Not only do you help quality control by detecting errors and anomalies but you also stay alert for security risks and breaches.

5. Compliance

In addition to security and usability, cities must also ensure that they comply with all federal and state laws. This includes laws that balance privacy (such as keeping personal information like social security numbers private) with freedom of information. Data breaches can occur and lead to fines and lawsuits when outputted data gets in the wrong hands as a result of careless policies and procedures.

When considering these best practices, it’s clear that a few patterns emerge.

  • Rely on monitoring and automation to eliminate errors.
  • Seek help from IT professionals and software vendor support.
  • Create clear policies and procedures to comply with the law and lessen security risks.

Questions about securing your data? Reach out to us today.

Friday, November 18, 2016
Brian Ocfemia, Technical Account Manager

Data processing is a complex topic involving lots of technical know-how. Experts have written books about it and IT professionals spend their entire careers staying up on its developments. For this post about data, we’ll focus on a few key critical data processing concepts that especially impact security and need to be addressed in your application controls policy.

Overall, your data processing is the bridge between your data input and output. Now let’s look at some important data processing aspects.

Transaction Logs

These logs record all electronic information about transactions that take place within an application. For example, you may enter payroll information each week into your accounting application for each employee. Each completed set of data that you input for each employee counts as a transaction if the data is processed between, for example, your system and a bank.

Transaction logs must match what are known as “source documents.” For example, payroll information may originate from a timesheet (either on paper or sent electronically). If the timesheet and the paycheck don’t match, then there may be a transaction error. Experiencing many transaction errors may indicate a problem with your application or with the way your employees are using it.

Edit Reports

Edit reports note incorrect information, incomplete information, and errors about transactions. It’s important to run these reports for your most critical applications to make sure that transactions are accurate. For example, edit reports are useful when you’re sending out paychecks, tax information, or utility bills. You can then note any errors and make fixes before officially completing the transactions.


Overrides

Applications are designed to accurately capture information and ensure high data quality. Your override procedures need to be strict and for exceptions only. Don’t abuse an override function just to get around inconveniences. In addition, and as a security precaution, it helps to monitor overrides along with all other logging information to look for patterns and possible security violations.


Reconciliation

In case of a power outage, a data interruption, or lags between different applications, your applications need to reconcile inputted transactions with your database. For example, if 10 users submit utility billing information onto your website while you’re having a server outage, those 10 transactions should reconcile to your database once your server is back up. Also, reconciliation applies from an accounting perspective. You need reconciliation processes in place to ensure that your general and subsidiary ledgers match up.


Monitoring

Experienced IT professionals should monitor everything related to your data processing such as:

  • Transactions and processing
  • Errors and incorrect information
  • Overrides
  • Unauthorized use of the application (especially when it appears that someone is altering data or ignoring/tampering with processes)
  • Reconciliations
  • Application performance (such as after a power outage or server failure)

Any data processing policy needs to be reviewed by business and application stakeholders to make sure you are complying with the law and using best practices. In a future post, we’ll look at data output—the final stage of data after it’s inputted and processed.

Questions about the security of your data processing? Reach out to us today.

Thursday, November 10, 2016
Nathan Eisner, COO

Strange but true, I had a flash of insight during a recent experience renovating a bathroom in my house. As with any project (just like technology), I’ve experienced both little issues and big issues along the way. However, the two biggest issues occurred when I ordered a sink and when I experienced a big leak. In hindsight, these two experiences jumped out at me because they clearly paralleled the many stories I’ve heard from cities about good and bad IT vendors.

First, let’s look at the bad experience—and see if you can relate.

1. I ordered a sink. It never arrived.

I needed this sink before the contractor started working on the renovation. So just to be doubly and triply assured that the sink would arrive on time, I ordered it online from a large home improvement store more than three weeks before the contractor would arrive. The store gave me a delivery date of one week from the time I ordered it. “Good,” I thought. “That’s about two weeks before the contractor gets here. And that gives me two weeks of buffer time in case anything goes wrong with the delivery.”

The one-week delivery date came and went. No sink.

Hmmm. I contacted the store about the issue. I could not reach a human. Instead, the store ignored my emails and voicemails.

Another week passed. No sink. No answers from the store. No communication from the store. I still couldn’t reach a human being to get an explanation of the problem and how it would get addressed.

Another week passed. The contractor started work. Still no sink!

By this point, I did receive a couple of very vague and generic emails from the store about the sink. Basically, all they could tell me was, “We’re looking into it.” No estimated time of arrival. No set expectations. And no follow up.

I finally got to my boiling point and started calling supervisors, managers, and even the store’s corporate office. Finally, a human being talked to me. Yet, still no sink ever arrived!

After the conversation with the corporate office produced no sink, I cancelled my order. This store lost my business and I bought a sink from a competitor.

Many IT vendors make these kinds of mistakes when serving cities.

  • Failure to simply just do their job. You’re contracted to do something. You do it. We’ve seen many cities paying for services that are not delivered.
  • Lack of communication. Vendors often don’t communicate clearly (or at all) with cities when issues arise. Emails and voicemails go unanswered.
  • Lack of expectations. Even if you do talk to a vendor, many give vague responses. “We’re working on it.” “We’re looking into it.” “We’re investigating the issue.” That only infuriates you. When will it be resolved? What exactly is the issue? What consequences to city business should you expect while the issue is getting resolved?

Now let’s look at what could have been a disaster in my house and see how a professional turned a crisis into an example of amazing customer service.

2. After the first day of the contractor doing the plumbing, disaster struck that evening.

Keep in mind that my house is 75 years old. As a result, this renovation involved tearing the bathroom down to the studs. On the contractor’s first day, he focused on redoing some plumbing and wrapped up the day without incident.

Later that evening, I walked into the bathroom to inspect the progress and found a pipe spewing water everywhere. After some quick triage to contain the water, I called the contractor in a panic. Remember my story with the sink and imagine if that large home improvement store were on the other end of the line!

Instead, here’s what happened:

  1. The contractor answered his phone—in person—after hours.
  2. He reassured me the leak would be addressed as soon as possible.
  3. He said he could arrive first thing the next morning.

Sure enough, the contractor and his crew arrived bright and early the next morning just like they promised. After briefly explaining the problem to me, he completely fixed the leak within two hours.

What made the difference? Values that I hold dear as an IT professional.

  • Prompt response. The contractor answered the phone on the first ring. We pride ourselves on our 24/7/365 U.S.-based helpdesk staffed with humans who will respond to you immediately.
  • Clear communication. The contractor helped me understand what was going on and made me feel comfortable that my problem was in the right hands. Similarly, we communicate with city staff in non-technical language. If we’re onsite, then we also communicate about the status of any work upon arriving and leaving.
  • Expectations set and met. The answer to an issue isn’t “We’re working on it.” That’s not helpful. Instead, we explain the problem, the next steps, and an estimated timeframe within which it will be fixed. If things change, then we update the city.

So whether it’s redoing a bathroom or serving a city’s technology needs, issues will always crop up. That’s why you need the right IT vendor—one that is responsive, communicative, and results-driven. And you know they’re good when they manage even earth-shattering crises—the equivalent of a major leak—with calm professionalism.

Looking for a municipal IT partner who is responsive, communicates, and delivers results? Reach out to us today.

Thursday, November 3, 2016
Mike Smith, Network Infrastructure Consultant

What happens when the worst happens? As an important city policy that should not be neglected, a disaster recovery and business continuity policy outlines how to recover electronic data after a catastrophe. Because cities cannot predict when a disaster such as a fire, flooding, or tornado will occur, it’s essential that a disaster recovery plan is in place.

So what do you need to cover in your policy? Here are five essential elements to help get you started.

1. Risk Assessment

Each city’s data volume and priorities may be different. It helps your policy if you outline risks specific to your city such as:

  • Data loss: What happens if you permanently lose city data? Some city departments may be able to take a greater hit than others, but some data is mission critical. Just imagine losing utility customer billing records, information about cemetery plots, police video records associated with an active case currently under investigation, or emails about city business subject to an active open records request.
  • Downtime: Even if you back up your electronic data, some data needs to be up and running much sooner than other data. For each type of data, ask yourself how long you can be down. For example, you will likely want to restore public safety data before you restore your cultural events data.
  • Costs: After a disaster, another way to look at risks involves examining costs. You may look at the costs (such as fines or lawsuits) related to losing critical data subject to open records requests or police video records needed as evidence in active cases or trials. Or, you may look at painful, indirect costs related to losing customer payment data related to taxes or utilities.

2. Planning

This is probably the most important aspect of your disaster recovery and business continuity policy. What exactly will you do when a disaster strikes? You will want to outline:

  • How you will get your technology up and running—from your most basic operating systems to your most critical applications.
  • Which data you will restore, in what order. This gives your IT staff or vendor a sequence of data to restore that they will follow to make sure your most critical systems get recovered first.
  • Contingency plans while data is inaccessible. While your city doesn’t have access to data, what will you do? Depending on the type of data, you may need to manually capture data for a period of time until systems are back up. Then, you may need to input that data into your systems once they are back online in order to make sure you are up-to-date.

3. Responsibilities

In other words, who will do what? You have multiple people who need to be clear about their roles. Focusing on people, processes, documentation, and a plan helps everyone become aware of their roles. And you must prepare for the worst because, sadly, not everyone may make it through a disaster event.

  • Business decision makers: City managers, city clerks, police chiefs, department heads, and elected officials may all make important decisions about restoring and accessing data in the wake of a disaster.
  • IT staff and/or vendors. Clarifying ahead of time what your hired IT professionals will do after a disaster will help them jump into action immediately. They need empowerment and a clear plan in order to best help. Staff and vendors also need to know how they will coordinate together.
  • Non-technical roles: This includes any non-technical stakeholders with a critical role in helping recover, restore, access, and operate systems during and after a disaster.

4. Storage

Any sound disaster recovery plan needs onsite and offsite storage capabilities.

  • Onsite data storage: For small disasters like a server failure, something like frequent backups with an onsite data backup service will help cities recover data quickly.
  • Offsite data storage: Most important after a serious disaster that takes out buildings housing your onsite data, your offsite storage is the way you recover that data. Offsite data backup doesn’t mean storing that data down the block or even within your county. Your policy should include a requirement that your data is stored far from your geographical location.

5. Testing and Monitoring

Don’t be the city that sets up a wonderful data backup and disaster recovery solution—and then never tests it. How do you know it will work? Your policy should include regular testing. Quarterly is ideal, but annual should be an absolute minimum. IT professionals should also regularly monitor your data backups to look for problems, errors, and data corruption.
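
One way to make a restore test (this section, and Warning Sign #1 in the December 22 post) produce a pass or fail result, as an added Python example that is not from the original post or any backup product: record a SHA-256 manifest when the backup is taken, restore to a scratch location with whatever tool the city uses, and compare. The directory layout and file names in the demo are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(source_root):
    """Run at backup time; store the result separately from the backup media."""
    root = Path(source_root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a scratch restore against the manifest; returns a list of findings."""
    root = Path(restored_root)
    findings = []
    for rel_path, expected in sorted(manifest.items()):
        target = root / rel_path
        if not target.is_file():
            findings.append(("missing", rel_path))
        elif sha256_file(target) != expected:
            findings.append(("corrupt", rel_path))
    restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel_path in sorted(restored - set(manifest)):
        findings.append(("unexpected", rel_path))
    return findings


def restore_test_report(manifest, restored_root):
    """Summary suitable for the quarterly test record."""
    findings = verify_restore(manifest, restored_root)
    return {"files_expected": len(manifest), "findings": findings, "passed": not findings}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample data standing in for a file server share.
        source = Path(tmp) / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("account,amount\n1000,25.00\n")
        (source / "council_minutes.txt").write_text("Meeting called to order.\n")
        manifest = build_manifest(source)

        # Stand-in for "restore the latest backup to a scratch location".
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        print(restore_test_report(manifest, restored))

        # Simulate a backup that silently lost one file and damaged another.
        (restored / "council_minutes.txt").unlink()
        (restored / "finance" / "ledger.csv").write_text("account,amount\n")
        print(restore_test_report(manifest, restored))
```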

Many cities find that reviewing these elements helps them realize they need to upgrade and modernize their data backup and disaster recovery solution. Common weak areas usually include no offsite data backup, manual (instead of automated) data backups, and a lack of IT professionals overseeing data backup. While creating a policy, you want to make sure you can carry out the most important aspects of effective disaster recovery and business continuity.

Questions about your disaster recovery policy or solution? Reach out to us today.

Thursday, October 27, 2016
Brandon Bell, Network Infrastructure Consultant

We’ve recently talked about many kinds of security—physical, wireless, and network. Now we come to “logical access security.” What does that even mean? It’s a technical term that’s actually quite simple to define.

With physical security, you’re physically preventing people from accessing equipment that stores sensitive information. With logical security, you’re electronically preventing people from accessing sensitive information. In other words, logical access security is all about the security of information accessed 100% in the digital “cyberworld.”

Unlike physical security, you can’t lock bits and bytes behind doors. So how do you lock your electronic information down? Here are four important areas where you can start.

1. Setting a Strong Password Policy

Most people access electronic information through passwords. Just think about what you access every day with a password: your email, your software applications, or your online website applications. Unfortunately, many organizations have extremely weak password policies that leave the door open to hackers and unauthorized access.

You need a password policy that includes:

  • Strong password requirements: Studies show that many people at organizations still use simple, easy-to-hack passwords. You need to use long or complex passwords consisting of a mix of letters, numbers, and special characters.
  • Regularly changing passwords: People shouldn’t use the same password for years and years. Set a policy that forces users to change their password on a semi-regular basis (such as once a quarter). Also make sure that users create new passwords each time—instead of just flipping back and forth between two passwords.
  • Locking out users when they (or someone else) make multiple incorrect log-in attempts: This protects a user’s account in case a hacker attempts to crack a password. For example, after three failed log-in attempts an authorized user may get locked out for a period of time or even be required to contact an administrator before they are unlocked.
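The three rules above can be enforced together in code. The following Python is an added example, not code from this post or from any particular product. The quarterly maximum age and the three-attempt lockout follow the figures suggested above, while the 12-character minimum, the five-password history, the 15-minute lockout, and all names are assumptions chosen for illustration.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

# Quarterly change and three failures come from the policy text above;
# the remaining values are illustrative assumptions.
MIN_LENGTH, MAX_AGE = 12, timedelta(days=90)
HISTORY_DEPTH, MAX_FAILURES, LOCKOUT = 5, 3, timedelta(minutes=15)

def _hash(password, salt):
    # Store only a salted, slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_problems(password):
    problems = ["too short"] if len(password) < MIN_LENGTH else []
    for name, pattern in (("letter", r"[A-Za-z]"), ("number", r"\d"),
                          ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems

class Account:
    def __init__(self, password, now):
        self.history = []            # newest first: (salt, hash) pairs
        self.failures = 0
        self.locked_until = None
        self.set_password(password, now)

    def set_password(self, password, now):
        problems = complexity_problems(password)
        # Reject any of the remembered passwords, so users cannot
        # flip back and forth between two favourites.
        if any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history):
            problems.append("reuses a recent password")
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history = [(salt, _hash(password, salt))] + self.history[:HISTORY_DEPTH - 1]
        self.changed_at = now

    def login(self, password, now):
        if self.locked_until and now < self.locked_until:
            return "locked"          # even the right password is refused
        salt, current = self.history[0]
        if not hmac.compare_digest(_hash(password, salt), current):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until, self.failures = now + LOCKOUT, 0
            return "denied"
        self.failures, self.locked_until = 0, None
        # A correct but overdue password must be changed before access.
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```

The calling application decides what "expired" means in practice, typically sending the user to a change-password screen before granting access.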

2. Monitoring and Controlling User Accounts

At the IT administration level, you need experienced internal staff or a vendor to manage and monitor user accounts. It’s at the administrative level that IT professionals—following your city’s policies—will assign new user accounts, make changes to user accounts (such as assigning new passwords or updating access privileges), delete user accounts, and watch for any unauthorized user access. If no one performs this monitoring and maintenance on a regular basis, then you risk unauthorized users (such as ex-employees) using your systems and accessing sensitive information.

3. Requiring Timeouts

No, we don’t mean making an employee sit in the corner! Timeouts are when a computer gets locked for a period of time (such as 15 minutes) as a result of policies that protect against unauthorized access (such as hackers). After the period expires, the user can then attempt to log back into their computer. This requirement especially helps with computer security in an office where someone could easily sit at another person’s computer and steal information. With a timeout policy, you can make sure computers are more inaccessible to unauthorized people regardless of whether those people are physically present or somewhere across the globe.

4. Logging and Tracking User Activity

We’ve written more extensively about logging in the past, so we’ll just summarize a few high points here. Basically, logging is a technical activity that IT professionals conduct to both diagnose issues and document who accesses your data. For security, logging is important to track things such as suspicious web surfing activity or users remotely accessing your data. Without logging, you may not know if unauthorized users are viewing or stealing sensitive information until it’s too late.

As you can see, logical access security is...well, quite logical. We’re sure Star Trek’s Dr. Spock would agree! By locking down your electronic information as well as your physical technology equipment, you mitigate the risk of hacking attempts, data breaches, or stolen information.

Questions about your logical access security policies? Reach out to us today.

Thursday, October 20, 2016
Jabari Massey, Network Infrastructure Consultant

In the world of bits and bytes, the act of stopping hackers and preventing unauthorized access to data can seem like the highest information security priority. But physical security of electronic information is just as important—and often overlooked. It’s not uncommon for organizations to spend lots of time on information security only to leave rooms with servers and workstations unlocked—allowing anyone to wander inside.

Any city—even a smaller city—needs physical security for its onsite technology. Don’t make it too easy for a disgruntled employee or member of the public to damage or access information from a server or computer. Your liability greatly increases when you lack good physical security for your technology.

So what do you need to do? Physically lock down and prevent unauthorized access to your technology through the following best practices.

1. Prevent access to any rooms with machines that hold sensitive information.

In many cases, this will be a room with servers that contains some of your city’s most critical information. You need to house any machines with sensitive data in a locked room. For example, that means not housing servers in an office where employees sit at their desks. Employees should only access a server room through some kind of barrier (or locked door) via a key, key fob, or key card.

2. Control and oversee access to these rooms.

Only authorized people should access any rooms with servers or other sensitive electronic information. Create clear policies that outline which employees, contractors, vendors, and visitors may access these rooms. You also need policies about how you terminate access so that ex-employees or former contractors can’t continue to enter these rooms.

3. Reconfigure physical access if you suspect a possible security weakness or breach.

We all make mistakes. But with physical security mistakes, you need policies that mitigate risks from any possible data breaches. Let’s say someone misplaces a key fob and it might get into unauthorized hands. Your policy may outline procedures for deactivating the lost key fob, which is much quicker and easier than changing the locks on a door.

4. Create additional procedures to monitor physical access.

In addition to controlling how people enter and exit rooms containing sensitive technology, think about the following physical access procedures:

  • Sign in and sign out: Know who enters your technology rooms by having everyone sign in and identify themselves.
  • Escort visitors: Do not let a visitor—such as a contractor or vendor—wander around your buildings without an escort. They are not employees and they need to be monitored. You may handle visitors differently depending on their role (such as a one-time visitor versus a long-time trusted vendor), but you need an escort policy for each kind of visitor.
  • Install security cameras: Cameras are more of a reactive security device but they help provide information and evidence in case of a physical security threat or breach. If it’s unclear how a physical breach occurred or a person disputes an incident, security camera footage can help provide answers.

5. Mitigate data breaches, sabotage, and disasters with physical security protections.

In case of a disaster, you want to have important physical security protections in place such as:

  • Data backup and disaster recovery: In case of server failure, deleted information, or physical damage to equipment, a data backup and disaster recovery solution will ensure you don’t lose any sensitive data.
  • Fire suppression: This includes smoke detectors and sprinkler systems.
  • Flood prevention: Consider locating server rooms in places where flooding is unlikely. Avoid basements or rooms located near low ground, and raise servers off the ground. Technology also exists to detect the presence of water within your building.
  • Redundant power supply: In case of a power outage, your technology should shift to backup power so that it keeps running.

Taken as a whole, these best practices will lock down your technology and make it difficult for a physical data breach to take place. Plus, these best practices also help with non-human disasters such as fire, flooding, or power outages.

Questions about your technology’s physical security? Reach out to us today.

Thursday, October 13, 2016
John Miller, Senior Consultant

In our last post, we talked about network security policy but left wireless security for this post. It’s not uncommon to see a city overlook the importance of wireless security. Partly, that’s because it’s easy to treat wireless devices like how you would set them up at home—buy a wireless router, unbox it, plug it in, power it on, connect your devices, and go.

Not surprisingly, technology audits often show that cities have open wireless access points that make it easy for hackers to access a city’s network. If wireless devices are not configured, secured, and properly monitored and maintained by IT professionals, then they can pose major security risks for cities.

When considering a wireless security policy, you need to account for the following elements.

1. Secure and lock down all wireless devices.

You’re not a home or a small coffee shop. You’re a city. People shouldn’t be able to hop onto your wireless network without a password and start getting on the internet. In fact, no unauthorized user should have access to your city’s wireless network. At the very least, you need to:

  • Set strong, complex passwords for all wireless access users (including administrators).
  • Ensure that all wireless users are known and authorized.

2. Remove physical wireless access hardware from the public or unauthorized employees.

A citizen visiting city hall or an unauthorized employee wandering through a hallway should not have access to a city’s wireless device. Yet, many cities often have wireless access points sitting in the open. These devices are easy to steal, damage, or reconfigure. To remain safe, any physical wireless hardware needs to be secured (such as in a locked room or a cabinet accessed only by a key or key fob) similar to how you would secure servers or your network infrastructure devices.

3. Apply patches and upgrades to wireless devices.

Wireless hardware runs on software that needs to get regularly updated with patches and upgrades. Bugs, security holes, and performance issues get fixed by these patches and upgrades. If your city hasn’t applied these updates in a while, then that is a priority in order to get these wireless devices as secure as possible. Ongoing wireless patching and upgrading should then become a regular part of your technology maintenance.

4. Use appropriate wireless hardware and configure it properly.

Assess and create an inventory of your existing wireless devices. What kind of equipment are you using? If it’s consumer-grade, then you’re at a big disadvantage. Business-class wireless hardware is more secure, provides better coverage throughout your buildings, and better grows along with your city if you need to add more users. Your wireless security policy should set a minimum requirement for your city to use business-class hardware with configuration performed by IT professionals.

5. Monitor and maintain your wireless network for security breaches.

As part of monitoring and maintaining your network infrastructure, you need to also monitor and maintain your wireless network. Activities include:

  • Watching for hacking and unauthorized access attempts.
  • Monitoring wireless data usage and network traffic to proactively identify internet access issues.
  • Applying security patches and software upgrades.
  • Ensuring compliance with legal and technical security standards.
  • Enforcing security policies and applying best practices.

With a strong wireless security policy that applies the best practices above, you’ll shore up this often weak security hole at your city. Wireless access is a convenient, efficient way for employees to access the internet. Make sure that this access remains safe and secure.

Questions about your wireless security? Reach out to us today.
