We put the IT in city®

CitySmart Blog

Thursday, October 27, 2016
Brandon Bell, Network Infrastructure Consultant

Brandon BellWe’ve recently talked about many kinds of security—physical, wireless, and network. Now we come to “logical access security.” What does that even mean? It’s a technical term that’s actually quite simple to define.

With physical security, you’re physically preventing people from accessing equipment that stores sensitive information. With logical security, you’re electronically preventing people from accessing sensitive information. In other words, logical access security is all about the security of information accessed 100% in the digital “cyberworld.”

Unlike physical security, you can’t lock bits and bytes behind doors. So how do you lock your electronic information down? Here are four important areas where you can start.

1. Setting a Strong Password Policy

Most people access electronic information through passwords. Just think about what you access every day with a password: your email, your software applications, or your online website applications. Unfortunately, many organizations have extremely weak password policies that leave the door open to hackers and unauthorized access.

You need a password policy that includes:

  • Strong password requirements: Studies show that many people at organizations still use simple, easy-to-hack passwords. You need to use long or complex passwords consisting of a mix of letters, numbers, and special characters.
  • Regularly changing passwords. People shouldn’t use the same password for years and years. Set a policy that forces users to change their password on a semi-regular basis (such as once a quarter). Also make sure that users create new passwords each time—instead of just flipping back and forth between two passwords.
  • Locking out users when they (or someone) makes multiple, incorrect log-in attempts. This is to protect a user’s account in case a hacker attempts to crack a password. For example, after three failed log-in attempts an authorized user may get locked out for a period of time or even be required to contact an administrator before they are unlocked.

2. Monitoring and Controlling User Accounts

At the IT administration level, you need experienced internal staff or a vendor to manage and monitor user accounts. It’s at the administrative level that IT professionals—following your city’s policies—will assign new user accounts, make changes to user accounts (such as assigning new passwords or updating access privileges), delete user accounts, and watch for any unauthorized user access. If no one performs this monitoring and maintenance on a regular basis, then you risk unauthorized users (such as ex-employees) using your systems and accessing sensitive information.

3. Requiring Timeouts

No, we don’t mean making an employee sit in the corner! Timeouts are when a computer gets locked for a period of time (such as 15 minutes) as a result of policies that protect against unauthorized access (such as hackers). After the period expires, the user can then attempt to log back into their computer. This requirement especially helps with computer security in an office where someone could easily sit at another person’s computer and steal information. With a timeout policy, you can make sure computers are more inaccessible to unauthorized people regardless of whether those people are physically present or somewhere across the globe.

4. Logging and tracking user activity.

We’ve written more extensively about logging in the past, so we’ll just summarize a few high points here. Basically, logging is a technical activity that IT professionals conduct to both diagnose issues and document who accesses your data. For security, logging is important to track things such as suspicious web surfing activity or users remotely accessing your data. Without logging, you may not know if unauthorized users are viewing or stealing sensitive information until it’s too late.

As you can see, logical access security is...well, quite logical. We’re sure Star Trek’s Dr. Spock would agree! By locking down your electronic information as well as your physical technology equipment, you mitigate the risk of hacking attempts, data breaches, or stolen information.

Questions about your logical access security policies? Reach out to us today.

Thursday, October 20, 2016
Jabari Massey, Network Infrastructure Consultant

Jabari MasseyIn the world of bits and bytes, the act of stopping hackers and preventing unauthorized access to data can seem like the highest information security priority. But physical security of electronic information is just as important—and often overlooked. It’s not uncommon for organizations to spend lots of time on information security only to leave rooms with servers and workstations unlocked—allowing anyone to wander inside.

Any city—even a smaller city—needs physical security for its onsite technology. Don’t make it too easy for a disgruntled employee or member of the public to damage or access information from a server or computer. Your liability greatly increases when you lack good physical security for your technology.

So what do you need to do? Physically lock down and prevent unauthorized access to your technology through the following best practices.

1. Prevent access to any rooms with machines that hold sensitive information.

In many cases, this will be a room with servers that contains some of your city’s most critical information. You need to house any machines with sensitive data in a locked room. For example, that means not housing servers in an office where employees sit at their desks. Employees should only access a server room through some kind of barrier (or locked door) via a key, key fob, or key card.

2. Control and oversee access to these rooms.

Only authorized people should access any rooms with servers or other sensitive electronic information. Create clear policies that outline which employees, contractors, vendors, and visitors access these rooms. You also need policies about how you terminate access so that ex-employees or former contractors can’t continue to enter these rooms.

3. Reconfigure physical access if you suspect a possible security weakness or breach.

We all make mistakes. But with physical security mistakes, you need policies that mitigate risks from any possible data breaches. Let’s say someone misplaces a key fob and it might get into unauthorized hands. Your policy may outline procedures for deactivating the lost key fob, which is much quicker and easier than changing the locks on a door.

4. Create additional procedures to monitor physical access.

In addition to controlling how people enter and exit rooms containing sensitive technology, think about the following physical access procedures:

  • Sign in and sign out: Know who enters your technology rooms by having everyone sign in and identify themselves.
  • Escort visitors: Do not let a visitor—such as a contractor or vendor—wander around your buildings without an escort. They are not employees and they need to be monitored. You may handle visitors differently depending on their role (such as a one-time visitor versus a long-time trusted vendor), but you need an escort policy for each kind of visitor.
  • Install security cameras: Cameras are more of a reactive security device but they help provide information and evidence in case of a physical security threat or breach. If it’s unclear how a physical breach occurred or a person disputes an incident, security camera footage can help provide answers.

5. Mitigate data breaches, sabotage, and disasters with physical security protections.

In case of a disaster, you want to have important physical security protections in place such as:

  • Data backup and disaster recovery: In case of server failure, deleted information, or physical damage to equipment, a data backup and disaster recovery solution will ensure you don’t lose any sensitive data.
  • Fire suppression: This includes smoke detectors and sprinkler systems.
  • Anti-flood prevention: Consider locating server rooms in places where it’s likely not to flood. Avoid basements or rooms located near low ground, and raise servers off the ground. Technology also exists to detect the presence of water within your building.
  • Redundant power supply: In case of a power outage, your technology should shift to backup power so that it keeps running.

Taken as a whole, these best practices will lock down your technology and make it difficult for a physical data breach to take place. Plus, these best practices also help with non-human disasters such as fire, flooding, or power outages.

Questions about your technology’s physical security? Reach out to us today.

Thursday, October 13, 2016
John Miller, Senior Consultant
John Miller

In our last post, we talked about network security policy but left wireless security for this post. It’s not uncommon to see a city overlook the importance of wireless security. Partly, that’s because it’s easy to treat wireless devices like how you would set them up at home—buy a wireless router, unbox it, plug it in, power it on, connect your devices, and go.

Not surprisingly, technology audits often show that cities have open wireless access points that make it easy for hackers to access a city’s network. If wireless devices are not configured, secured, and properly monitored and maintained by IT professionals, then they can pose major security risks for cities.

When considering a wireless security policy, you need to account for the following elements.

1. Secure and lock down all wireless devices.

You’re not a home or a small coffee shop. You’re a city. People shouldn’t be able to hop onto your wireless network without a password and start getting on the internet. In fact, no unauthorized user should have access to your city’s wireless network. At the very least, you need to:

  • Set strong, complex passwords for all wireless access users (including administrators).
  • Ensure that all wireless users are known and authorized.

2. Remove physical wireless access hardware from the public or unauthorized employees.

A citizen visiting city hall or an unauthorized employee wandering through a hallway should not have access to a city’s wireless device. Yet, many cities often have wireless access points sitting in the open. These devices are easy to steal, damage, or reconfigure. To remain safe, any physical wireless hardware needs to be secured (such as in a locked room or a cabinet accessed only by a key or key fob) similar to how you would secure servers or your network infrastructure devices.

3. Apply patches and upgrades to wireless devices.

Wireless hardware runs on software that needs to get regularly updated with patches and upgrades. Bugs, security holes, and performance issues get fixed by these patches and upgrades. If your city hasn’t applied these updates in a while, then that is a priority in order to get these wireless devices as secure as possible. Ongoing wireless patching and upgrading should then become a regular part of your technology maintenance.

4. Use appropriate wireless hardware and configure it properly.

Assess and create an inventory of your existing wireless devices. What kind of equipment are you using? If it’s consumer-grade, then you’re at a big disadvantage. Business-class wireless hardware is more secure, provides better coverage throughout your buildings, and better grows along with your city if you need to add more users. Your wireless security policy should set a minimum requirement for your city to use business-class hardware with configuration performed by IT professionals.

5. Monitor and maintain your wireless network for security breaches.

As part of monitoring and maintaining your network infrastructure, you need to also monitor and maintain your wireless network. Activities include:

  • Watching for hacking and unauthorized access attempts.
  • Monitoring wireless data usage and network traffic to proactively identify internet access issues.
  • Applying security patches and software upgrades.
  • Ensuring compliance with legal and technical security standards.
  • Enforcing security policies and applying best practices.

With a strong wireless security policy that applies the best practices above, you’ll shore up this often weak security hole at your city. Wireless access is a convenient, efficient way for employees to access the internet. Make sure that this access remains safe and secure.

Questions about your wireless security? Reach out to us with any questions.

Thursday, October 6, 2016
Ryan Warrick, Network Infrastructure Consultant

Ryan WarrickTo understand the importance of network security, imagine your technology like it’s city hall. Inside city hall, you have people, offices, hallways, and assets like furniture, office supplies, and computers. To gain access to the inside, parts of city hall may be open to the public—like the unlocked front door from 9-to-5. Other parts may be off-limits directly (such as a locked door) or indirectly (such as a security officer or a sign that says “keep out”).

Depending on your security setup, unauthorized people may or may not have access to sensitive information within city hall. Network security works similarly by preventing unauthorized electronic access to your sensitive information.

First, to understand your network better we’ll define some terms that you may have heard your IT staff or vendor mention to you.

  • Computers and servers: Your city’s computers and servers are the most well-known, visible part of your network. They are the machines that connect users to their applications and the internet.
  • Switch: When your city has many computers and servers, a switch is like a “Grand Central Station” for your network. Like a busy airport directing flights, a switch directs information and data in an efficient way to each computer and server.
  • Router: Your city might have multiple networks. For example, city hall may have one network with its own computers, servers, and switches. The police department may have its own separate network. A router helps these different networks communicate with one another as well as connect your networks to an additional global network—the internet.
  • Cables: Cables are the wiring that connects all of these devices together.
  • Firewall: Probably the most important part of your network, a firewall is like your locked doors at city hall. When internet information from the outside tries to enter your city’s network, your firewall decides which information to let in and which information to keep out.

Altogether, your network needs to have the right, properly functioning and configured equipment to keep you secure. Here’s how to get your network security optimized for your city.

1. Perform a network security assessment.

To assess your network security, you need to first identify everything that makes up your network—computers, servers, switches, routers, firewalls, etc. This assessment should include non-technical insights (such as information gaps about what’s on your network) and technical insights (like scans for security vulnerabilities on existing equipment). Overall, you’re looking for any security holes that could open you up to a cyberattack.

2. Lock down access points to your network.

Just as there are many ways to enter city hall (some legal and some illegal), there are also many ways to access your network. You’re essentially looking to add locks to any unlocked doors that you discovered in your network security assessment. Examples of locking down access points include:

  • Configuring your firewall properly in order to restrict information coming into your network.
  • Preventing people from using unauthorized external devices (like a flash drive) on your network so that they don’t introduce a virus or commit a data breach.
  • Restricting how employees, vendors, and other third parties remotely access your network—whether through a virtual private network (VPN) or another kind of remote access software.

3. Set up and configure your network devices properly.

Improper network device configuration (such as using default settings or creating weak passwords) can leave your city open to security risks. For example, a firewall contains many ports (or doors) that open up your network to the outside world. If you leave certain ports open, you could be introducing major security risks—similar to leaving a city hall door open at night. Even switches and routers can become security risks if improperly configured. Make sure you have trained IT professionals set up and configure your network devices.

4. Continually monitor your network.

Ideally, a combination of automated software and trained IT professionals are needed to monitor your network 24/7/365. Hackers and other unauthorized users are always a threat to any network—no matter how “insignificant” you feel your network looks to an outsider. Any city is a ripe target for hackers. When monitoring network security, your IT staff or vendor will look for suspicious activity, signs of outside hacking or cyberattacks, and security vulnerabilities in your network.

5. Create a documented network security policy.

While it’s great to solidify a lot of the technical underpinnings of your network, you also need to create a policy that documents both technical and non-technical network security requirements. That may include quality control related to network hardware (such as modernizing equipment on a regular schedule), requirements pertaining to authorized users and remote access, and both proactive monitoring and testing of your network to eliminate as many security threats as possible.

Just as you lock the doors of city hall at night, you need to lock the doors of your network. By assessing your network security, adding the “locks,” and rigorously monitoring it, you’ll greatly lessen the chance of a cyberattack compromising your city.

Questions about your network security? Reach out to our municipal IT specialists today.

Thursday, September 29, 2016
Dave Mims, CEO

Dave MimsIn the midst of worrying about cybersecurity threats from viruses and hackers, it’s easy to overlook security risks from the way you manage vendors and contracts. You think, “Hey, I’m paying legitimate businesses to oversee my IT needs—and I’ve got a contract with them. What’s the worry?”

There’s plenty of worry, actually—especially if you haven’t evaluated your vendors or vendor management process in a while. Here are some tips and best practices to help you shore up this overlooked security risk.

1. Perform a vendor inventory.

It’s good to collect and centralize as much information about your vendors as you can. Make sure you’re clear on:

  • Total number of vendors.
  • What services those vendors provide. (Look for vendors that provide duplicate services.)
  • Where those vendors operate.
  • Total cost, frequency of payment, and predictable/unpredictable billing.
  • Contracts, support agreements, and warranties.

Just performing a simple inventory may surprise you. For example, you may find that a vendor is wildly unpredictable in their monthly billing or that a certain vendor hasn’t been living up to a support agreement.

2. Review all contracts.

This may seem like an obvious best practice but many aspects of contract review are often neglected in organizations. A contract should clearly spell out:

  • A Service Level Agreement that details services rendered.
  • Requirements for any technology-related project.
  • How a product customized to your city specifically helps solve a business problem.
  • Support that’s included in the price.

If you haven’t reviewed existing contracts in a long time, then take time to go through them. Look for gaps between what the contract says and the services you’re receiving. From this point forward, make sure (in addition to your city attorney) that you have a business stakeholder and an experienced technology professional evaluate all new vendor contracts.

3. Renegotiate contracts, if possible.

After reviewing your contracts, you may notice some anomalies. Perhaps you’re getting way overcharged for a service. Maybe one vendor hasn’t upgraded their software or service model for many years. If you have doubts about any particular service, then shop around. You may just find that a cheaper and/or higher quality service exists that would benefit your city. If you still want to keep a vendor, then you may be able to leverage market knowledge to renegotiate your pricing or get the vendor to provide more services.

4. Overhaul your vendor evaluation process.

We wrote a post about IT procurement a few years ago that covers the following best practices:

  • Spend time defining what you need. (Also known as “requirements.”)
  • Shop around and know your industry. (This helps you benchmark pricing and services.)
  • Know your government pricing. (No need to pay full price, right?)
  • Don’t just settle on lowest price. (Many cities still evaluate IT in terms of pure cost, which is a big mistake.)
  • Look out for indirect costs. (For example, some vendors claim to provide 24/7 support or an easy installation—but the fine print says otherwise.)

During an RFP or RFI process, follow a series of steps that help you select the best vendor. Business stakeholders and IT professionals need to work together to evaluate all aspects of a vendor for financial stability, the ability to deliver quality services, the relevancy of the solution, and pricing. Bad vendors will lead to possible security risks.

5. Hire IT professionals to manage vendors.

Once vendors are vetted, paid, and serving you, you need a third party with a deep knowledge of information technology to oversee vendors. Busy, non-technical city staff can easily overlook issues with vendors such as security concerns, performance problems, and adherence to a contract. And even the best technology vendors often have difficulty working with non-technical staff about major issues. IT professionals will be able to communicate with vendors more efficiently while also warding off major problems and security risks.

By following these steps, you will make a lot of progress toward eliminating security risks related to vendors and their contracts. Going through these steps is also a great exercise in transparency, finding potential cost savings, and ensuring higher quality services at your city.

Questions about managing your technology vendors? Reach out to us today.

Thursday, September 15, 2016
Nathan Eisner, COO

Nathan EisnerIn part one of this two-part post, we talked about how cities can better comply with the law through a set of information security best practices. Now in part two, let’s look at how specific policies help cities with compliance.

Technology alone won’t protect cities. Clear, detailed policies document important rules, procedures, and guidelines to help you comply with federal, state, and local laws.

So, what kinds of policies do you need? Generally, they will fall into two main areas. For this post, we are using the structure of Arkansas’s Legislative Audit guidelines as a way to discuss policies that are relevant to all cities.

General Controls

The Arkansas Division of Legislative Audit defines general controls as “mechanisms established to provide reasonable assurance that the information technology in use by an entity operates as intended to produce properly authorized, reliable data and that the entity is in compliance with applicable laws and regulations.”

The key here is that your city’s technology works properly and correctly while complying with the law. Overall, it helps to create an operational policy and procedure manual for your information systems that accounts for:

  • Contract / Vendor Management: Your policy should require clear, consistent contracts with all vendors along with procedures to enforce and review contracts on a regular basis.
  • Network Security: This policy should address all information security risks through your network and how your city mitigates those risks such as through monitoring, antivirus software, restricting user behavior, and procedures in case a security breach occurs.
  • Wireless Network Security: Make sure your policy covers the encryption of wireless data along with proper wireless network usage and access. The policy should specifically address wireless security related to employee laptops and mobile devices.
  • Physical Access Security: People should not have unauthorized access to machines storing electronic information. Your physical access security policy will define who has authorized physical access to equipment and how they access it.
  • Logical Access Security: Wikipedia defines logical access controls as “tools and protocols used for identification, authentication, authorization, and accountability in computer information systems.” Basically, this specific policy ensures that only authorized people have access to your city’s information.
  • Disaster Recovery / Business Continuity: This policy describes what happens in the event of a disaster (from a server failure to a major disaster like a tornado) and how you plan on continuing to access your city’s electronic information after such a disaster.

Application Controls

The Arkansas Division of Legislative Audit defines application controls as “[relating] to the transactions and data for each computer-based automation system; they are, therefore, specific to each such application. Application controls are designed to ensure the completeness and accuracy of the accounting records and the validity of the entries made.”

In other words, cities want to make sure that applications such as accounting software correctly receive, store, and deliver the right data. Policies related to application controls include:

  • Data Input: This means exactly what it says—a policy related to how data is inputted into software applications.
  • Data Processing: This policy should cover how data is processed once entered into the system so that you lessen the risk of data errors—whether that data is manually or automatically processed.
  • Data Output: This policy should cover the accuracy and security of data that is delivered to an end user—covering everything from accounting software data that a city employee sees to online payment information that citizens may view on a city’s website.
  • Application Level General Controls: This policy covers security, configuration, and contingency planning related to applications.

While Arkansas may require cities to implement these kinds of policies as part of its legislative audit, it’s a good idea for all cities to adopt policies like these. They cover the essentials of information systems and greatly help to reduce risk and liability. Plus, such documentation leads to a much more well-run IT department and helps with transitions (such as IT staff retiring or a new IT vendor getting hired).

Miss Part One of this post? Read it here.

Lacking information systems policies at your city that leave your city open to risk? Reach out to us today to talk about policy in more detail.

Thursday, September 8, 2016
Nathan Eisner, COO

Nathan EisnerOver time, information security laws only grow stronger. As information technology continues to mature, expectations grow higher that cities will protect their data. When data loss occurs or sensitive information is stolen, the financial and legal repercussions (along with the public outrage) may increase.

Most laws center around protecting sensitive information and ensuring that operational continuity occurs even if a disaster hits. After all, cities are stewards of public information and use that information to serve citizens. If a city neglects information security, they’re not just passing over nice-to-have technology perks. They are neglecting and compromising their very core mission.

In this two-part article, we’ll discuss best practices in part one and then address policies in part two. Use this checklist of best practices to begin assessing your information security.

1. Create and use strong passwords.

Weak or no passwords remain one of the biggest information security holes at most cities. Are you using some of these worst passwords like 123456, Password, or qwerty? Do your employees write passwords down on sticky notes and attach them in public view on their computers? Remember, hackers use automated software to crack passwords. The easiest passwords will get cracked, even if you consider yourself an unimportant target.

  • Use long, strong passwords with a variety of letters, numbers, and symbols.
  • Discourage employees from saving passwords to websites and applications, and don’t use the same password for all IT systems.
  • Change passwords regularly.

2. Protect yourself against viruses with software and staff training.

While antivirus software helps protect your city against viruses, don’t forget that human error often leads to viruses even if you install antivirus software. Hackers usually fool employees by getting them to click on funny images, social media quizzes, and online games on websites and social media. Email attachments with viruses also still work when employees think they come from a legitimate sender (which is easy for hackers to spoof).

A virus can really wreck your city by corrupting, deleting, or stealing your data. Protect yourself with:

  • Business class antivirus software
  • Regular audits to ensure that antivirus software installation and definitions are up-to-date
  • Staff training to educate employees about email attachments and other ways that hackers fool people

3. Back up your data.

Cities with any uncertainty related to data backup need to immediately address this problem. A data breach or information theft is really bad, but don’t forget about the risk of permanent data loss. To run a city and serve citizens, electronic information is essential. Losing data lessens trust between you and citizens.

Ask yourself:

  • Are we backing up our data? At a minimum, you need to perform daily data backups.
  • What data is critical to the city? All of it? If in doubt, back it up!
  • How will the city be affected if data cannot be accessed for extended periods of time?
  • What needs to be recovered first?
  • When did we last test our data to show that we can recover it?

Make sure you can perform onsite data backups for quick recovery and offsite data backups to recover from theft or disasters.

4. Apply all relevant security updates to software and operating systems.

Many cities neglect operating system and software updates. These updates and patches are delivered by software vendors to fix bugs and patch up security holes. Studies show that most cyber-outbreaks can be prevented by keeping computers up to date—and yet most people ignore messages on their computers about installing updates. Apply patches, ideally with an IT resource overseeing the process. And because vendors eventually stop supporting and patching applications, operating systems, and hardware when this technology gets too old, you need to upgrade these items when they have reached that point.

5. Physically secure your technology.

Physical security remains one of the most overlooked aspects of information security. It’s easy for a disgruntled employee to steal or take data from a server or computer. And when you decommission servers and workstations, be careful—those machines may still have sensitive information on them if you don’t dispose of them correctly.

Make sure you:

  • Mandate that employees lock their computers when away from their desk.
  • Ensure that servers, network equipment, and external media are locked up, with no direct access available.
  • Have IT professionals permanently and securely wipe data from any retired equipment.

6. Don’t forget the security of your city’s website.

People tend to check out your website first when they want to learn more about your city—whether it’s exploring tourist attractions, relocating their business, moving, or inquiring about city services. Not only do people expect a modern website with fresh content but they also expect it to be secure and safe. They trust you when they exchange billing information or click on links. It doesn’t take much for a hacker to defame a weakly secured website, steal people’s information, or shut that website down.

To make sure your website is safe and secure:

  • Ensure your website is hosted by a reputable provider.
  • Know where your city website is hosted.
  • Ask your website’s hosting provider if they have been audited for potential security risks by a third party.

In part two, we’ll talk about some sample policies that will help enforce and reinforce these best practices across your organization.

Questions about the strength of your information security? Reach out to us today.

Thursday, September 1, 2016
Brian Ocfemia, Technical Account Manager

Brian OcfemiaCities face more challenges than ever with video archiving. As an example, cities are capturing greater amounts of squad car video and enormous amounts of body camera video footage. Because of greater public safety scrutiny, more sophisticated body camera technology, and new laws passed each year holding cities accountable for retaining this footage, cities are understandably growing more worried and concerned about their video archiving capabilities.

Of course, the dark side of these technology and legal requirements is that budget-strapped cities struggle with video storage restrictions, costs, and technology limitations. As a result, it’s tempting to take a shortcut with video archiving or try to keep doing what you’re doing with aging, obsolete, or ill-equipped technology.

In this post, we’ll look at seven reasons why you need to modernize the way you archive your videos—before you run into critical operational or legal problems.

1. Your video storage needs will only increase. They will not decrease or remain the same.

You’ll never reach a point when your video archiving calms down and stays at the same level. Your city will grow. You will add police officers. Better technology will help you generate more footage. And think about it—your public safety department never stops. You’ll never be able to pause or take a breath. Video constantly comes in without pause. This situation will continually increase your video storage needs over time.

2. You need to legally retain video footage.

Depending on your state, you will need to legally retain body camera video footage consistent with a specific law. That means you need a place to archive and retain it. Any risk of data loss associated with body camera video footage may result in severe fines, penalties, or lawsuits. Understand how long you need to keep specific footage depending on the law’s requirements, and then use video archiving tools to help you adhere to the law.

3. You need to locate video footage.

It’s only half the battle if you retain your video footage. After all, you can “retain” a bunch of your belongings in a garage with no organization—and good luck finding a power tool or a can of paint when you need it! But if you organize, label, and structure the contents of your garage, you’ll be able to find and grab something in seconds. A similar logic works with video archiving. Modern video archiving tools help you organize your footage with the aim of making it easy to find specific video when you need it.

4. Your existing storage costs might be too expensive, so revisit them!

Are you paying a low cost for unlimited offsite video storage and retention? If you’re constantly paying more money for additional storage or capping your total amount of storage, then you need to look at more modern options immediately. Storage costs have drastically decreased over the past few years. Yet, many cities still shell out money for expensive storage because they use outdated technology or haven’t challenged their existing vendor in a long time.

5. You need rigorous security.

Because squad car and body camera video footage captures confidential, private, and sensitive information, you need to secure the footage. No excuses. Old servers or software may not have enough security precautions in place. Only authorized users should access the data—and your IT staff or vendor should be able to centrally manage this security. The information also needs to be physically secure if stored on your premises.

6. Your storage conditions must reach a high standard.

As noted with physical security above, you don’t want video footage stored in rooms that are easy for anyone to access. Servers need to reside in rooms with proper storage conditions such as air conditioning, ventilation, and a high standard of cleanliness. If you feel unable to keep up such standards, then consider a data center or cloud storage.

7. Your onsite and offsite video backup must easily recover data in case of a disaster.

Data loss is a nightmare—and even more so for video that includes squad car and body camera footage. If uncertainty exists with your data backup, then take time to evaluate your weaknesses. Ask yourself:

  • Will I be able to recover video quickly after a server failure or power outage?
  • Will I be able to recover my video footage in case of a disaster such as a fire, flooding, or tornado?
  • Do I test my data backup so that I know it works?

Cities—small or large—face a huge responsibility for their video. A modern video archiving system that addresses all of the concerns above is essential in order to apply record retention laws and compliance to video footage. Otherwise, you’re risking data loss or theft that can lead to severe legal repercussions. Thankfully, there is a low-cost video archiving option that both modernizes your technology while addressing growing storage costs.

Questions about your video archiving? Reach out to us with any questions.

Thursday, August 25, 2016
John Miller, Senior Consultant

John MillerEach state law differs for body camera records retention. Let’s take a quick look across some of the states we serve:

  • Georgia: This year, Georgia passed a law that changed the body camera records retention law from a blanket requirement of five years to one of 3 possibilities: 180 days minimum, 30 months for recordings that are part of a criminal investigation or incident (e.g. accident, arrest, or use of force), or until final adjudication for recordings that go to litigation.
  • Kentucky: Kentucky follows its state records retention schedule which says that the footage must be kept for 60 days unless it’s needed for a criminal investigation, pending litigation, or open records request.
  • Arkansas: Cities tend to build their non-evidentiary body worn video recording policies around the Arkansas Freedom of Information Act, the Arkansas General Records Retention Schedule, and court decisions. For body camera video related to criminal or civil cases, police departments follow state laws for handling evidence. They must retain the video as a record (ACA 14-2-204) and keep it for three years or until the legal proceeding is resolved (including all appeals).

Even as states continue to refine video record retention laws as a result of greater public scrutiny, video data storage growth will outpace policy changes. That means you need to be prepared. And that preparation involves some technology investments and a few best practices.

1. Video Archiving

You probably already know that video files take up a lot of storage space. Well, multiply that storage space many times over by each officer and each squad car day by day collecting new videos, and you’ll understand how fast body camera video footage will quickly eat up your available storage space. You don’t want to get caught running out of available storage space on your servers, or having unexpected high charges and fees as you need to procure more local storage devices (or increase hosted storage space).

Work with an IT vendor that offers unlimited offsite video archiving to eliminate these worries for running out of storage space and increased cost as your video grows. Plus, the video data is stored offsite so that it’s retrievable in case of disaster.

2. Access and findability

Obviously, if you store body camera footage then you also need to find specific footage when you need it. Similar to how a document management system helps you label and organize documents, good body camera software will help you label and organize videos for later use. Sometimes you’ll need to sift through hours of footage, looking only for an important few minutes. Make sure that your video software allows you to quickly and efficiently search for and retrieve information.

3. Adhering to retention policies

You need to adhere to state laws and city policies for video record retention schedules. Ensure that you’re compliant for how long you are required to keep footage, dispose of it at the right time, and follow proper procedures. If you don’t comply, then you could get into a lot of legal trouble when footage is requested and you don’t have it.

4. Security and authorized access

Body cameras capture a lot of footage that needs to remain secured. A hacker exposing video camera footage to the public might be disastrous to the privacy of citizens—and you might get held liable if you did not invest in strong security. Body camera footage works just like any other city record and needs to be treated as such. Internally, every city employee should not have access to the video footage or be able to copy it onto something like a flash drive. Your city needs clear security policies about authorized access to body camera video footage and an IT vendor that understands how to manage that security.

5. Modernized technology hardware and infrastructure.

Last but not least, it helps to use modernized technology if you are going to operate body camera equipment and software. Even if the body camera hardware and software is modern, it may not work well (if at all) with aging servers, computers, or operating systems. Also, if your networking equipment (such as routers or firewalls) are not up to the task, then you could have usability or security issues. Because body camera video footage may soon become mandatory, it helps to think about modernizing your technology infrastructure so that you can handle the demands of storing and accessing lots of video.

Wherever your city is located, it’s best to start thinking about body camera technology. It’s already here and will become a standard part of police department operations. If you already have body cameras, then is your technology up to the task of using them? If you’re thinking about getting body camera technology, then what other technology do you need to make sure it works properly?

Questions about how your technology can handle the demands of body cameras? Reach out to us today.

Thursday, August 18, 2016
Anthony Fantino, Network Infrastructure Consultant

Anthony FantinoEver watch or participate in a pickup game with friends? You play by your own set of rules. The game might start and stop randomly. You might lose track of the score. But if you watch a professional game right after your pickup game, you’ll notice everything that was missing. The rules, the framework, the organization, and the professional capabilities of the players. While there is room for spontaneity, a professional game is sleek and efficient—run like a machine, overseen by officials, and aligned to professional standards.

The same difference exists between having and not having information systems management best practices in place. You may have experienced organizations where the information systems feel more like a pickup football game rather than a professional football game. It’s only fun until something gets out of hand—and it seems like something always gets out of hand.

Cities need disciplined information systems management to reduce risk, improve operations, and even help comply with legislative audits such as those that occur in the state of Arkansas. Here are some best practices that can get you there.

1. Start with an information systems risk assessment.

First, it helps to understand the state of your information systems. What do you have? How old is your hardware and applications? What’s the state of your information security? Are you backing up your data? Use one of our risk assessments as a starting point and make sure you take a close look at your:

  • Website
  • Data backup and disaster recovery
  • Ease of finding information and responding to open records requests
  • Hardware, software, and network equipment
  • Issues getting IT problems resolved

By assessing your risks, you can focus on your city’s biggest problems first.

2. Create clear roles and responsibilities for people involved with information systems.

It’s easy to overlook. Cities may chug along managing their information systems without asking some key questions about everyone’s roles and responsibilities. Who does what? Who is responsible for information systems? Who has access to information? Who is authorized to grant access? What outside vendors have access to information?

At the very least, create a list of people and vendors along with their roles and what they do. For example, a small city may have a simple information systems org chart that includes the city manager who makes business-related technology decisions, a city clerk that works with the IT vendor to help them understand business needs and requirements, and an outside IT vendor that monitors and maintains all information systems on a day-to-day basis.

3. Create a policy and procedure manual.

While it might contain some technical information that you need help drafting, your city needs to have stakeholders create a policy and procedure manual for your information systems. You will need to define and document important items such as:

  • Information access and authorization
  • Business processes related to information systems
  • Physical security
  • Data backup and disaster recovery
  • Document workflows
  • Website rules and requirements

4. Back up your data and systems to provide for disaster recovery.

As one of the most important pieces of information systems management, your city needs a plan for restoring data and systems in case of a server failure or a major disaster. Some of the questions you need to address include:

  • What data do you need to back up?
  • What’s the most important data?
  • Who is responsible for data backup?
  • How often are you backing up data?
  • What happens in case of an onsite data loss event (such as a server failure)?
  • What happens in case of a full disaster (tornado, flooding, fire, etc.)?
  • Who is testing your data backup?
  • Are you documenting your data backup processes and following all laws?

5. Train users.

User training is important on many, many levels. First, empowering users with knowledge about your city’s information systems helps with their proficiency and productivity. If you’re investing in this technology, then training users allows you to maximize your investment. But secondly, training users also helps with lessening security risks. Many users may not be aware of the dangers of malicious websites, email attachments, online quizzes, social media games, and software that seems innocent. The more you teach users about the possibilities of your information systems along with some of the security risks that exist, your efforts will ripple positively across your organization.

Manage your city’s information systems like a professional football team, not a pickup game. By following the five best practices above, you will build a great foundation for your information systems, reduce risk, increase productivity, and comply with important laws.

Questions about your information systems management? Contact us today.

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 |