In our last online payments post, we discussed firewalls and passwords as two foundational aspects of protecting sensitive online payment data. Next on the list of PCI DSS requirements is the somewhat vague category of “protecting cardholder data.” What does it mean to protect data?
Protecting data really means paying attention. Where does sensitive data come from? Where does it go? Where is it stored? If you cannot account for data during its entire lifecycle, from user entry to deletion, then your data might not be protected.
Here are four things you need to think about as you take a more serious look at data protection.
Data protection really amounts to having a forest-level overview of your data so that you see it in its entirety, combined with a tree-level awareness of where each piece of data originates, moves to, and resides. Usually, a data breach with sensitive information occurs where you least expect it—a stolen laptop, an unsecured wireless network, or an external backup hard drive. But by ensuring your sensitive online payment data is protected, no matter where it resides, you will have prevented most problems from occurring. Your online payment vendor should also be able to answer most of these questions for you and provide you with guidance about ensuring the highest level of data protection.
To talk about data protection in more detail, please contact us.
Budgeting season has arrived for most cities, and information technology is a critical part of a city’s annual spend. Yet, we find that many cities often don’t know where to begin when specifying their IT budget, or even if they should include it at all (other than in a lump sum line item).
We find that it’s important for cities to flesh out a fairly detailed IT budget to help uncover inefficiencies, save money, and better execute business and operational goals. In our multi-part series, we’ll look at how you can use your IT budgeting process to help fix what’s broken, find ways to save money in the long-term, and work to help execute your city’s strategic vision.
While it might seem like broken technology has little to do with city budgeting, your IT budget can actually reveal how obsolete hardware or underinvestment might be costing you money each year. Bad technology impacts your bottom line every day, and it’s often a hidden source of lost city revenue.
For a great place to begin analyzing your IT budget, ask yourself the following questions about your technology.
By examining these important questions first, you’ll often find low-hanging fruit and ways to slash your IT budget immediately. These reductions can often be significant, even for smaller cities where it might not seem like you’re spending a lot on IT. Whether it’s reexamining telecom contracts or replacing broken hardware, there is plenty of opportunity on a first pass to see if you can both fix your technology issues and save some money in the process.
In our Part II post, we will look more at the long-term investment side of technology, and how you can budget to maximize the money that you’re spending.
Lengthy telecom contracts – those giant documents that mostly go unread – often contain language and conditions that work against your city’s best interests. In most cases, telecom works much like a utility. You purchase it once, become accustomed to its quality of service (good or bad), and rarely think of it again.
When beginning our work with a new city, we usually find old telecom contracts and technical setups that are expensive, low quality, and reliant on outdated technology, even though new technology exists that works better, faster, and cheaper. For less cost, cities could experience a quantum leap in quality of telecom service.
But where to begin? Here are some common questions to ask when starting to sift through your telecom contracts and services.
We’ve been amazed that so many cases exist where cities are simply paying too much for inferior technology and poor service. If you haven’t examined your telecom services in a long time, you have the opportunity to save a great deal of money. These situations apply to rural and non-metro cities too, especially with the advent of increased high-speed broadband connections and mobile services. Whether you’re a large metro city or a small rural city, it’s worth taking a critical look at your telecom contracts.
To discuss your telecom contracts in more detail, please contact us.
While more and more government organizations are moving their email to the cloud, backed up by significant examples that it is one of the safest places for your email, we still see many cities clinging to old or obsolete email hosting methods. Unfortunately, hosting your email improperly or through a method that is no longer a best practice can put your city at risk.
Those risks can involve security, compliance, retention, and responsiveness to open records requests. Poor email hosting jeopardizes the safety of your emails and opens your city up to legal troubles—especially if people need to find and retrieve specific emails in response to an official request.
Here are five things to look out for with bad email hosting. If any of these situations applies to you, it is imperative that you begin to consider enterprise cloud email hosting.
Cloud email hosting from experienced, widely used vendors (e.g. Microsoft) eliminates these problems by offering enterprise-level service and support, documented security and compliance policies and procedures, and data backup. And with a lean, scalable model (usually per user) that does not require expensive onsite hardware, software, and licenses, you can pay (like a utility) for exactly how much email hosting you need.
Especially on the cyber liability side, cloud email hosting becomes less of a “nice to have” service and more of a required service. If you cannot guarantee that you are following essential security and compliance practices related to your email hosting, then you need to leave it up to experts that regularly host email for many government institutions.
To talk more about email hosting, please contact us.
“Metadata” is an intimidating word, often sounding very technical and from the complex world of search engines. Quite simply, metadata is data about data. Let’s say books are data. How would you describe and order groups of books? Probably by genre, by author (A to Z), and maybe even by “most popular” or “bestsellers.” Those categories of genre, author, and “most popular” are metadata, and that metadata helps you navigate through a bookstore—instead of just sifting through a giant pile of books.
In a document management system, you probably know the feeling of sifting through information when it is poorly labeled and organized. You search over and over for something, you get too many search results in return, and it seems like keyword searches just don’t work right. Those kinds of document management systems often have poor metadata.
So where do you start if you’re a metadata novice? While we recommend also talking to someone technically conversant with your document management system (and if you’re a large city, you might want to have an information architecture expert in the mix), we focus here on some metadata basics that we notice when we help cities with their document management systems.
Our advice in this article focuses primarily on the business side of metadata, and less on the technical side. For most cities we work with, they just need to be using metadata on a basic level so that users can more easily find documents. With larger cities, document management and metadata grow much more complex, and we recommend bringing in more technical expertise at that level. Otherwise, as long as you can get your users labeling and categorizing documents consistently, and in a way that makes them easy to find, then you’re on the right track.
To discuss document management and metadata in more detail, please contact us.
When we sit down to talk with cities about vendor relationships, many of the war stories center around how vendors waste a city’s time. An important part of any vendor relationship boils down to two things: expertise and communication. Can the vendor do the job, and can they communicate about issues and problems effectively?
To this day, we are still amazed at some of the stories we hear. You would think that vendors would learn from the best in the business or listen to the feedback that municipalities regularly share at events and conferences. Many vendors unfortunately prey on cities, secure the deal, and then take a hands-off approach to the engagement.
Cities need to understand that wasted time equals wasted money. Here are some warning signs to look out for.
The shame about these issues is that problems often do not emerge until you start working with a vendor. If you are researching IT vendors, make sure you have a senior experienced IT person at the table. Have them ask tough questions about the vendor’s experience, processes, and problem resolution. Talk to customers who work with that vendor. And if you’re seeing too many of these negative signs with your current IT vendor, then it’s time to start looking for a new IT vendor.
If you want to discuss these vendor management problems in more detail, please contact us.
While very large cities and other large organizations find website design an expensive but necessary proposition, expensive website design is something small- to medium-sized cities should avoid. It’s tempting to read the press about what the latest government websites should offer, but the press usually reports on very large government entities that use cutting-edge social media, big data and open data applications, and extensive mapping software.
From our experience, budget-conscious small and medium cities need essential website functionality and a professional appearance, but they often lose money when website vendors oversell them on supposedly “must have” features and custom design. Here’s a quick list of what small- and medium-sized cities need and don’t need in their website design.
These tips give you a quick idea about what you need and don’t need in website design. As you can see, in most cases website vendors are good at upselling design aspects that small or medium cities just don’t need. Sure, some of these aspects do create great-looking websites. There are some great custom website designers out there, and some slick features and apps that can really enhance a website. But those features really only start to make sense once thousands and thousands of people start to visit a website, usually at large cities over 100,000 people.
To discuss website design in more detail, please contact us.
One of the most common yet overlooked tasks of anyone taking care of servers and workstations is basic hardware maintenance. That includes monitoring hardware, applying patches, and upgrading software. Like a car, basic maintenance ensures that your investments run smoothly from purchase to decommission.
However, in our many network assessments over the years, we’ve found that lack of server and workstation maintenance often crops up as a critical problem at many cities. The city’s IT staff might be inexperienced or strapped for time, or the city’s IT vendor might not be maintaining equipment at a professional level. The result? Slow servers, poor computer performance, unhappy employees, and city operations interrupted.
While hardware maintenance involves many complex technical aspects, we are providing a high-level overview of five basic activities that your IT staff or vendor must perform to keep your hardware running optimally.
When you buy a car, you can decide to worry about maintenance only when it breaks down. But you know that your car performs better when you have your oil changed every three months, tires rotated every six months, and a full inspection at least every year. Server and workstation maintenance works similarly, although much more frequently. With 24x7 monitoring and maintenance by experienced IT professionals, a data backup and disaster recovery plan, and a hardware lifecycle replacement strategy in place, your hardware investment will be maximized and run in the most optimal fashion.
To talk more about hardware monitoring and maintenance, please contact us.
Even at smaller cities, it’s easy for your IT assets to get out of hand. Servers and workstations accrue, software lingers after being purchased many years ago, and data backup media piles up. A good question to always ask about your IT assets is, “Am I using them?”
Taking a look through your existing assets can be enlightening, and sometimes shocking. Often, valuable real estate, power, and IT staff time are consumed maintaining assets you don’t need. Here, we take a look at some common IT infrastructure assets and offer ways to eliminate or trim them down.
IT infrastructure is expensive, so you want to make sure you are using all of your assets wisely. Even hardware and equipment that you bought three to five years ago can potentially be reduced or eliminated by newer cloud services. And any organization that isn’t rigorously auditing its IT assets on a regular basis can find itself with servers, workstations, printers, and other equipment that is excessive or lies unused. Cities can’t waste a penny, and so it might be time for your city to do some IT spring cleaning.
To talk more about reducing your IT infrastructure clutter, please contact us.
As cities transition to an online payment system or reevaluate their online payment vendor, it’s good to look at the basics of what makes a city’s online payment information safe and secure. In this multi-part series, we will cover the basic Payment Card Industry Data Security Standard (PCI DSS) requirements one by one, teaching you about what a city and its online payment vendor need to be compliant.
The basics of secure online payments start at the network level, and the PCI DSS requirements begin by examining firewall and password policies. These best practices also correspond to many other IT-related services and provide good questions for other aspects of your city business.
Both you and your online payment vendor need at least an enterprise-level firewall to handle sensitive payment data. Coupled with enterprise-level antivirus, this essential network configuration creates strict access for outside sources wishing to communicate with you.
As you may know, firewalls work rather like a border crossing or airport security. Only specific approved information is allowed inside your network. When you’re dealing with sensitive online payment data, it’s imperative that any information requests are authentic—both inbound and outbound. Hackers are always trying to access valuable data, and payment data is worth more to them than many other kinds of data. Not only must your online payment vendor have sufficient firewalls, but you should also make sure your firewalls match their high standards if possible—especially since it’s likely that online payment data will cross in and out of your environment (e.g. in your accounting software, on your website, etc.). Hackers look for gaps to exploit, and it would be unfortunate if your network was their way into your online payment data.
You may have had the experience of accessing online payment websites and...suddenly the experience changes. There are different passwords. Maybe a passkey, or another kind of user authentication. The URL on your browser switches to a higher level of security and encryption. That’s because the level of authentication needs to be higher when sensitive online payment data is involved. That means password best practices that include:
If your online payment vendor cannot confirm the rigor and security of these two items to your IT staff or vendor, then that lack of information should raise a red flag. But know that even if your online payment vendor can handle these requirements, you should also close the loop by providing your city with at least an enterprise-level firewall and a strong password policy. These two items form the basic foundation of securing a network from most common hacking and unauthorized access to data.
Having a strong firewall and password policy is like having locks on your doors and windows, along with personal security to make sure that only authorized people enter your house.
In our next online payments post, we will discuss encryption and other ways to protect data. If you want to talk about online payment security in more detail, please contact us.
© 2009-2015 Sophicity, all rights reserved. Sophicity®, “We put the IT in City”, and the Sophicity logo are registered trademarks of Sophicity.