CitySmart Blog

Thursday, September 12, 2013
Brian Ocfemia, Technical Account Manager

So you’ve taken the step to get a document management system. Now what? Document management systems fail or go underused less for technical reasons than for business reasons. To integrate your document management system into your day-to-day city business as quickly as possible, make sure you’re tackling the following questions.

  1. What are your most important documents? Until getting a document management system, you might just go about your day-to-day business creating what documents you need and not really thinking about various degrees of importance. Take the time to do a document audit (even if it’s limited) and ask yourself: what documents are most important to your city? Categorize or rank them in whatever way you’d like. The important thing is to prioritize documents that multiple people collaborate on, that have high business impact, that are important for legal reasons, or that are often needed for reference.
  2. Who has these documents? This is the point where you get rid of siloes—or people who hold the only access to documents on their individual computers. If there are documents that need to be stored in a document management system where everyone has access, you can’t have a single person or department storing them on their own computers. You should not need to ask or beg a person in your city for a document that should be public. Find out where the most important documents are stored and have those people or departments prepare to scan or upload them into the document management system.
  3. What documents need to be uploaded into the document management system? This is where the rubber meets the road. Once you decide which documents are most important and who has them, plan to upload your most important public-facing documents into the document management system. This step will be guided by both the city and your IT staff or vendor. The city needs to decide what documents will go into the document management system, how they will be organized, and who has access. Your IT resources can help with the technical implementation and any issues that arise as both paper and electronic documents are migrated into the document management system.
  4. Who needs to use and access the document management system on an ongoing basis? A modern document management system allows you a great deal of flexibility in giving people permission to access specific documents, but that means you need to decide a) who can access the document management system at all, and b) what they can access. People will still create files by themselves, and there may be some files created that don’t need to be in the document management system (e.g. working drafts, ongoing research, personal notes, etc.). The document management system should be used for collaboration and the creation of any documents that require transparency. People need to get used to using the document management system when documents need to be public-facing or shared, so training might be required to reinforce this habit within your city.
  5. Who will help maintain your document management system on an ongoing basis? While your IT staff or vendor can help you with technical maintenance and issues, you still need someone from a business viewpoint to help maintain your document management system. That means making sure that:
    • People are using it for documents that need to be shared publicly or collaborated upon.
    • People are labeling and tagging documents appropriately so they are easy to find.
    • People are individually following rules and policies concerning documents.
    • Overall, the city is following legal rules and policies to help with archiving, document retrieval, and open records requests.
    Your IT staff or vendor can only help you so far, and they cannot make business decisions for you. Find an appropriate person to oversee your document management system at your city.

If you answer the above questions, or at least make strides toward answering them, you’re well on your way to maximizing the use of your document management system. With such a great investment in place, you don’t want to leave it sitting out like a new car that you never drive. Integrate your document management system into your environment by prioritizing documents, uploading them, and using the system to increase collaboration and transparency at your city.

To talk more about document management, please contact us.

Friday, September 6, 2013
John Miller, Senior Consultant

With data backup, you often think of worst-case scenarios. What happens if a tornado hits your city? What happens if a server dies? But there are more common scenarios that can affect you on a day-to-day basis, like losing a file or some important data.

In those moments, panic sets in. All you know is that you want your data back as fast as possible. A disaster to you might be losing that important report you worked on all morning, and it can hit you just as hard as a tornado.

Luckily, most backup scenarios recover data in a matter of seconds or minutes. If you’re struggling to recover data in terms of days or weeks for most of these scenarios, then you probably don’t have the right IT infrastructure in place. Ask yourself: How fast can I recover my data in each scenario?

  1. I lost some data within a document or file. With most cloud-based software and document management solutions, your files can be “versioned.” That means if something weird happens and you lose some data within a document, you can go back to a previous version of the document. For example, cloud-based documents (such as a Microsoft Word document) often automatically save changes as you work so that it’s easy to return to a version from just a couple of minutes ago.
  2. I lost a file. Losing an entire file is probably the worst thing that can happen to a person short of their computer crashing. Again, this is where having cloud-based productivity software and document management solutions can help you recover a previous version of the file. Depending on how often your city backs up your files, you should at least be able to find a file if it existed at the time the last backup occurred. For example, if your city performs hourly backups, you should be able to recover your file if it existed at least an hour ago.
  3. My computer crashed. While a single computer crashing still might take some personal files with it, it’s ideal if your city is set up so that all files are stored on servers (either in the cloud or at least on servers hosted privately by the city). If your computer dies, it’s really just an access point dying. Just access your files through another computer, and you’re ready to go. Along with setting up cloud software and data backup, you need to make sure employees save all files in a place where they can access them from any computer—not just their own.
  4. My server died. Now we start getting into real disasters, and yet the time to data recovery should still be relatively short. We recommend that, at a minimum, you set up hourly data backups through a server onsite or in the cloud. For example, if a server fails, the backup server can take over and you can be up and running with your data from at least an hour ago. While you’re waiting for a new server to arrive, you’ve only lost up to an hour’s worth of time and data.
  5. A disaster destroyed our hardware. Even if the worst happens, your time to data recovery should at most be minutes, not hours or days. We recommend that you back up your data offsite in case of a disaster such as a tornado, flooding, fire, or theft. To speed up the backups and recovery time, we recommend that you initially perform a backup of all of your data. After that, daily offsite backups go quickly because you only back up what’s changed (which is usually a small percentage of your overall data). This allows you to keep your offsite daily backups quick and easy to recover in case of disaster. When disaster hits, your data is accessible through any device through which you can access the Internet.
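The "full backup first, then only what's changed" approach from the last item, sketched as an added example (not code from the original post or from any backup product). The file names and folder layout are constructed sample data, and comparing SHA-256 manifests is one assumed way to detect changes.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in chunks so large files do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def plan_incremental(previous, current):
    """Compare two manifests and return what the next backup run must handle."""
    # New files have no previous hash; edited files have a different one.
    upload = sorted(p for p, h in current.items() if previous.get(p) != h)
    # Files that vanished since the last run are flagged, not silently dropped,
    # so the offsite copy can be kept for recovery.
    deleted = sorted(p for p in previous if p not in current)
    return {"upload": upload, "deleted": deleted}


def demo():
    """Constructed sample: a small file share, a full backup, then a day of edits."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        write("council/minutes-2013-08.txt", "August minutes")
        write("finance/budget.csv", "dept,amount\nparks,1000\n")
        write("clerk/notice.txt", "Public notice")
        full_backup = build_manifest(root)  # initial run: everything is uploaded

        write("finance/budget.csv", "dept,amount\nparks,1200\n")   # edited
        write("council/minutes-2013-09.txt", "September minutes")  # new
        os.remove(os.path.join(root, "clerk/notice.txt"))          # deleted
        today = build_manifest(root)

        plan = plan_incremental(full_backup, today)
        plan["unchanged"] = len(today) - len(plan["upload"])
        return plan


if __name__ == "__main__":
    print(demo())
```

Only the edited and new files are queued for the daily run; the unchanged file is skipped, which is why the daily offsite backup stays small.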

With the cloud and related technologies that make it easier to save, store, back up, and recover data, it becomes harder and harder to really lose important data anymore. However, life is not perfect, and you will occasionally lose data due to human error, software glitches, and hardware failures. When that happens, your chance of quickly recovering your data increases the more you invest in modern technologies that reduce such risk.

So the next time you’re missing a file, you hopefully can at least say, “Let me grab the previous version from a few minutes ago,” grumble a little bit at the few minutes you’ve lost, and move on quickly.

To talk more about data backup, please contact us.

Tuesday, September 3, 2013
Clint Nelms, COO

In our last Website Page by Page blog post, we discussed the important homepage—the public face of your city. One item that keeps people coming back to your homepage is news. What’s happening in your city? Your homepage headlines will lead people to your news page, which might be one of the most visited pages on your site.

Since news will be read by many people and keep them informed about local government, economic development, and community events, you need to make sure the news page stays fresh, readable, and user-friendly. Especially when local newspapers may tell their own side of a story, you want to make sure your news items contain up-to-date information about any important issues in order to counter the impressions caused by second-hand information.

Here are some tips to help improve the quality and readability of your news page.

  1. Plan for news, don’t react to news. Schedule weekly or monthly news items that represent a variety of topics. You don’t have to produce dozens of news items each week (especially if you’re a small city), but you should at least cover major areas such as city business, economic development, department updates, and positive community news. Some city websites only report on dry facts from City Council meetings, or their last news item might be from a few years ago. Plan to create at least a few news items each week to show that you’re an active, vital city.
  2. Vary your news items. When scheduling your news items, try to vary the topics. For example, it will look strange if there are eight parks and recreation news items in a row without any news related to public safety, a city council meeting, or other city departments. You might want to pick a day of the week or month to schedule news that represents a particular topic. That way, you can space out different news topics so that you are reporting on something different each day or week.
  3. Make sure you highlight good news. Some city news pages look incredibly gloomy when they are only populated with bland city council minutes, mandatory public alerts, and legal notices. Spice up your news by highlighting economic development initiatives, downtown beautification projects, public events (such as a movie night), or holiday festivities. While business is important, your city should use its news page to highlight positive activities. You never know when businesses or future residents are checking out your website to help them consider relocating to your city.
  4. Write an informative headline. Write a headline that clearly communicates what is to be found in the news item. If you’re vague or unusually catchy without conveying the heart of the message, your headlines can be confusing and cause people not to read them. Err on the side of clarity over catchiness when constructing a headline. For example, “City Hosts Annual Main Street Halloween Parade on Thursday, October 31” is a clearer headline than “Join Us for Spooky Halloween Fun.”
  5. Provide a short summary underneath each news item. News pages can get bogged down when they provide the complete text of each news item, making the news pages lengthy and difficult to scroll through. Instead, make sure your news page only shows the headline and a short summary for each news item. That way, people can skim through the page quickly and click on a news item only if they’re interested. The summaries help people glance at your news quickly and provide a great service for readers of your website.

As a bonus, once you’ve got your news content rolling out like a machine, think about sharing your news items on social media outlets such as Twitter and Facebook. Provide links when you share so that people will visit your city’s website. Social media is a great place to extend the reach of your news items to a wider audience.

And remember, keep your news fresh! A city website with no current news really does make you look bad to the public. Your city does many great things—so talk about those things and share your news with the world.

To talk about website content in more detail, please contact us.

Friday, August 30, 2013
Dave Mims, CEO

If you’re using an IT vendor, one of the biggest costs to your city is usually onsite visits. Many IT vendors bill by the hour. Not coincidentally, they seem to be at your city quite a lot, fixing something or other.

But IT vendors should not be billing you unpredictably and giving you budgeting difficulties as a result. If you experience unpredictable IT costs due to many onsite visits during the year, something is wrong. We find in case after case that lack of process and professional knowledge about a city’s IT needs is usually at the root of the problem.

However, if you’re used to this kind of IT support and think it’s normal, here are some common pain points that may cause you to reexamine your ideas. And the great news is that these pain points are easily avoided with a more professional, experienced IT vendor.

  1. 24/7/365 coverage is not really 24/7/365 coverage. Many IT vendors sell cities on “24/7/365” coverage. But what does that usually mean? IT vendors often sell you on an extremely cheap monthly or annual fee by telling you that they will be monitoring your IT environment all of the time. But when you need to call someone and get help with a problem, you suddenly find yourself billed by the hour. While the monitoring software is covered under your fee and surely monitoring your IT environment, actually resolving the problem onsite will cost you money.
  2. Many IT vendors simply react to your problems, instead of preventing them. Another way that makes IT support seem cheap for cities is when IT vendors say they will only charge you on a case by case basis, fixing problems only when they occur. But when your IT environment is full of aging equipment that is not monitored or maintained, the problems that result will be horrible and disruptive. And costly. Each time your IT environment is moaning and groaning in pain, your IT vendor comes onsite to put a costly band-aid on problems that really need preventative care. And these costly onsite visits will happen over and over, with no end in sight.
  3. Many IT vendors lack experience and knowledge. Cheap IT vendors stay cheap by hiring inexperienced employees. Because these employees do not recognize common problems that more experienced professionals can easily handle over the phone, they end up making costly onsite visits. More experienced helpdesk professionals mean more issues resolved remotely or by phone, and fewer costly onsite visits.
  4. Unnecessary, obsolete IT tasks add to costly onsite visits. If your IT vendor is spending hours at your city upgrading software on each computer, making tape backup copies of your data, or trying to find a missing file on your computer, then that’s a sign that they aren’t up-to-speed on current technologies—wasting your time and money. If you get a sense that your IT vendor is sending people over for too many mundane visits that last a long time, then something is wrong.
  5. Basic helpdesk issues are escalated too often. Finally, another way that IT vendors like to gouge cities for money is by turning every helpdesk request into a crisis. If your website acts up a bit, if someone lost a single document, or if a computer seems to have frozen, then these simple issues may find you face to face with an engineer sent by your IT vendor. If so, you may be getting bled for more money than you should be paying. IT vendors should have a process that resolves most IT problems a) before they happen, b) remotely or over the phone, and c) onsite as a last resort. “Last resort” is the important phrase, here.

When evaluating your current IT vendor or looking to hire one, make sure they:

  • Clarify what 24/7/365 means—what’s covered, and what’s not.
  • Demonstrate preventative monitoring and maintenance.
  • Follow clear, sensible processes to deal with IT issues.
  • Hire experienced IT professionals.
  • Cover typical onsite visits (ideally) under a predictable monthly fee.

While you may like your IT vendor, they shouldn’t be putting out fires onsite all of the time. Onsite visits should happen under special circumstances, such as a major IT issue or a proactive quarterly checkup. By making sure that you’re not getting taken advantage of, you can cut your costs and end up preventing most IT problems before anyone needs to visit by working with a more process-driven, experienced IT vendor.

To talk more about the cost of onsite visits, please contact us.

Tuesday, August 27, 2013
Alicia Klemola, Account Manager

Cities sometimes ask us about whether they should switch to cloud productivity software—which might include word processing and creating spreadsheets, presentations, databases, and audio/video. If you’ve been using the same productivity software for years, a switch to the cloud becomes a major decision to consider.

No matter what decision you make, you should consider the specific needs of your city and the amount of work it will take to transition to the cloud from whatever version of software you’re using now. That may include a lot of document transfer (including moving data to the cloud), some investments in new technology (depending on the age of your current version of software), and some training for your staff if they are unfamiliar with any new features.

That being said, here are a few aspects to consider about moving your productivity software to the cloud.

  1. Your documents and files will be in the cloud, which eliminates many hardware and data backup needs. Instead of having to manage your own servers and install the software on each workstation, you instead access the software through the cloud. All of your data is stored remotely on the vendor’s servers, which often adhere to some of the highest quality and compliance standards in the industry (making it very government-friendly). That means your data is backed up, upgrades are included on an ongoing basis, and your documents are available wherever you can access the Internet. If greater security is needed, you can set up a private cloud just for your city.
  2. You can add and subtract users with ease, which saves you money. Instead of buying expensive software licenses that may or may not be used over the course of a few years, you can purchase your productivity software on a per-user basis. Adding staff? Just add a few more subscriptions. Need to delete some users? Remove some subscriptions, including the cost of those subscriptions. The ability to scale up and down as needed helps you make sure that you’re only spending money on employees using the software, and not letting unused software waste money.
  3. Cloud productivity software is often made for mobility. Whether employees are working from home or accessing documents on a smartphone, most productivity software is now customized to work well from a variety of mobile devices. On the back end, it’s also easy for your IT staff or vendor to manage this software—even if users are working from home or using a tablet. Most cloud software vendors have made it easy for IT professionals to manage and resolve problems no matter where the user is accessing the software.
  4. You’re now dependent on a high-speed Internet connection. If you’re using onsite versions of your productivity software, you know that if your Internet connection goes out you can still work on your documents. That’s not the case with cloud software. When you have no Internet, you cannot access your documents. Since some areas of the country still have a lack of reliable high-speed Internet, that situation may diminish the benefit you receive from the cloud. Thankfully, Internet access becomes more and more reliable every year. Nevertheless, it may be a problem if access to your documents depends on a connection to the Internet.
  5. There might not be much change in features between your old software and the cloud software. If you’re happy with what you’re already using, an upgrade to the cloud might not necessarily “wow” you with new features. Some cloud software works pretty much the same as on-premise software, so you might not miss out on much if you delay an upgrade. Check to see if any changes between the older and newer versions of your software are significant or something that would positively impact day-to-day use.

As you can see, there are some pros and cons to consider before switching to cloud productivity software. The biggest advantages are mostly technological and relate to the advantages of the cloud. Moving to the cloud also involves serious financial considerations, and a switch may cut your expenses. Talk to an IT professional about analyzing whether a switch is best for your situation, and whether you’ll be able to save money while also improving the quality of using productivity software for your city staff.

To talk more about switching to cloud productivity software, please contact us.

Friday, August 23, 2013
Nathan Eisner, CMO

In the early wild west days of computers and the Internet, swapping copies of software among friends and family was common. After all, software was easy to copy and share, and who was going to catch you? This habit lingered well into the 2000s, even in businesses, educational institutions, and government entities, until software providers became much stricter about enforcing piracy laws.

However, both from old habits and from the current mentality that many things on the Internet should be free (news, music, videos, etc.), people at cities sometimes think that using unlicensed software is okay—especially if the justification is to save money.

Whether your software is unlicensed, copied illegally, or purchased from an unauthorized reseller, you actually run a significant risk when you use pirated software. Primarily, you face three major consequences.

  • Your software may not work. First, using unlicensed software brings a practical risk of not working at all. Many software providers have created more and more aggressive software activation processes that protect themselves from piracy. If you try to run software that isn't activated by a certain process or use it beyond whatever free trial period you were allowed, it's not uncommon for that software to stop working altogether. And if you try to activate the same license more than once, you may be denied use of the software.
  • You will not receive any customer or technical support. Having problems with your software? Need to call customer service? Tough luck. Today, software is not just about the hard copy of the program or application. It’s the upgrades, customer service, and ongoing support that most software requires. Even your IT staff or vendor will have trouble helping you if you have problems with your unlicensed software, and they will recommend that you purchase legitimate copies to avoid any technical problems.
  • You open yourself up to lawsuits and fines. This warning may sound extreme, but it’s not. In fact, this issue has become a major legal issue that information technology departments must address for their organizations. Lawsuits and serious fines do result from businesses and cities using pirated software. I worked for a company about 12 years ago that was audited by Microsoft and forced to pay over $800,000 to avoid a lawsuit. The reason? They were using pirated Microsoft software. An executive even got fired over this issue.

If these warnings have you worried about the state of your software, we offer a few tips that address most of the common scenarios that cause cities to accidentally purchase pirated software.

  • Do not copy any software or purchase unlicensed versions. Not much needs to be said here. Copying software or knowingly purchasing unlicensed versions is pirating in its truest form. Only purchase software from the manufacturer or legitimate resellers.
  • Buy and use the correct software version for your needs. Pirating goes beyond simply illegally sharing software with a friend or coworker. For example, if you purchase a student version of the software instead of the regular version in order to save some money, then you are misusing the software. For cities, make sure you buy versions that match your needs (business version, government version, software best suited for a particular number of users, etc.).
  • Pay close attention to software licensing rules. Your IT staff or vendor needs to provide you clear information about the licensing rules for your software. For example, some common software packages allow a licensed user to install their software on up to 5 devices belonging to that specific user. You cross the line into software pirating when you have 5 different users sharing software intended for one user. Follow any rules prescribed by the software provider.
  • Buy new hardware and avoid used hardware. To save money, cities sometimes purchase used servers or computers. But that hardware may contain illegal copies of software. We recently wrote a post about the risks of purchasing used equipment that outlines why it is not only a bad investment but also opens up liability if you’ve unknowingly purchased pirated software.

You don’t want to risk a lawsuit or fine by illegally using software just to save a bit of money. Beyond the risks, it’s simply a better investment to use licensed copies of software. You receive the best quality versions, software upgrades, technical support, and customer service—all of which help make the use of your software more productive. Plus, your IT staff or vendor can easily help you when you run into issues, since they can work with the software vendor to resolve them.

To talk more about unlicensed versus licensed software, please contact us.

Tuesday, August 20, 2013
Brian Ocfemia, Technical Account Manager

If your city ever gets a virus or malware attack, it’s easy to panic. That’s exactly what the Economic Development Administration did, according to a recent report outlining how the agency made a series of bad decisions in reaction to a malware attack. Those decisions were based on inaccurate information and included destroying IT components (such as keyboards), replacing IT infrastructure, and incorrectly following procedure.

While an extreme case, there are several lessons here that are good for cities to keep in mind during a security crisis. After all, crises are moments to test whether your policies, procedures, and people are well-equipped to handle your most challenging technology problems—such as a virus or malware attack.

  1. Gather and analyze information. Sounds simple, but the Economic Development Administration thought there was a widespread malware infection. There wasn’t. Getting hit with a virus or malware still means you need to breathe, stay calm, and assess the situation. What servers and workstations appear to be infected? What happened to indicate that the city was infected or attacked? What does data from the servers or monitoring software indicate? Take the time to evaluate any data you can glean from the attack.
  2. Isolate the problem. Unlike the Economic Development Administration, you want to isolate where the problem appears. Is the virus or malware infecting one computer? Several computers? Are there any servers and workstations that don’t appear to be infected? If you can isolate the virus or malware to specific machines, then you can focus on just those machines. Otherwise, you might find yourself damaging equipment or losing data unnecessarily.
  3. Surgically eliminate the problem. In some cases, that might mean completely decommissioning a computer. In other cases, an IT professional might need to go into your server’s most sensitive files and eliminate the virus. Like any “surgery,” there could be some collateral damage, which is why it’s important to also have data backup and disaster recovery. Don’t just rely on an antivirus or antimalware program to remove the threat. Viruses and malware are clever enough to often avoid detection and they can linger on computers even after they are supposedly removed.
  4. Follow a process. An IT professional should not go into your network like a gunslinger, do something mysterious, and then tell you the virus is gone. And you should not throw people at the problem, all of whom are working separately, until someone seems to solve the problem. Follow a clear process set by your IT staff or an IT vendor. That should include the steps above along with more detailed steps such as following checklists that instruct where to look for the infection, using scanning processes to thoroughly ensure detection and elimination, and conducting a post-elimination investigation to make sure the threat is really gone.
  5. Report on the virus with full transparency. Without getting into geeky technical details, your IT staff or IT professional needs to report, clearly and concisely:
    • The source or origin of the problem.
    • Why the problem occurred.
    • What equipment (servers, workstations, and software) has been damaged or rendered unusable.
    • How the problem was fixed.
    • Any repercussions to the city.
    • Recommendations on preventing the problem in the future.
    This report may suggest additional training for city employees (especially about why they should not click on suspicious websites and emails), investments in better antivirus software, and updates to security policies.
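Steps 1 and 2 (gather the evidence, then isolate only what it points to) can be made concrete with a small triage script. This is an added example, not code from the original post: the log format, host names, signature name, and event types are constructed sample data, and the three-way classification is one assumed way to scope an incident.

```python
import re
from collections import defaultdict

# Constructed sample input: key=value alert lines in a hypothetical format,
# merged from antivirus, network monitoring, and helpdesk sources.
SAMPLE_ALERTS = """\
2013-08-12T09:14:02 host=WS-014 source=av event=detection sig=Trojan.Sample.A
2013-08-12T09:15:40 host=WS-014 source=netmon event=beacon dest=203.0.113.7
2013-08-12T09:20:11 host=WS-022 source=netmon event=beacon dest=203.0.113.7
2013-08-12T10:02:33 host=SRV-FILE1 source=av event=scan_clean
2013-08-12T10:05:10 host=WS-031 source=helpdesk event=user_report
2013-08-12T10:30:00 host=WS-031 source=av event=scan_clean
2013-08-12T10:41:19 host=WS-022 source=av event=detection sig=Trojan.Sample.A
2013-08-12T10:50:05 host=WS-040 source=netmon event=beacon dest=203.0.113.7
this line is malformed and must not crash the triage
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
INDICATORS = {"beacon", "user_report"}  # suspicious, but not proof of infection


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is unusable."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if not {"host", "source", "event"} <= fields.keys():
        return None
    fields["ts"] = parts[0]  # ISO 8601 timestamps compare correctly as strings
    return fields


def scope_incident(log_text):
    """Group evidence per host and classify each host by what the data shows."""
    events = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1  # counted, so bad input is visible in the report
            continue
        events[alert["host"]].append(alert)

    scope = {"confirmed": [], "suspected": [], "cleared": []}
    for host, alerts in events.items():
        if any(a["event"] == "detection" for a in alerts):
            status = "confirmed"
        else:
            last_indicator = max(
                (a["ts"] for a in alerts if a["event"] in INDICATORS), default="")
            last_clean = max(
                (a["ts"] for a in alerts if a["event"] == "scan_clean"), default="")
            # A clean scan only clears a host if it came after the last indicator.
            # "cleared" means no current evidence; the post-elimination checks in
            # step 4 still apply, since a scan can miss a lingering infection.
            status = "cleared" if last_clean > last_indicator else "suspected"
        scope[status].append(host)

    for hosts in scope.values():
        hosts.sort()
    scope["isolate"] = sorted(scope["confirmed"] + scope["suspected"])
    scope["skipped_lines"] = skipped
    return scope


if __name__ == "__main__":
    for key, value in scope_incident(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

On the sample data, three of five hosts go on the isolation list and two are cleared, so the response targets specific machines instead of the whole environment.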

Overall, cities can be well-prepared to deal with a crisis such as a virus or malware attack. Of course, prevention is best: 24/7 monitoring and alerting, enterprise-level antivirus software, and clear security policies and training for city staff. But if the worst happens, damage can be contained by having experienced IT professionals apply best practices and processes to addressing the problem.

To talk more about dealing with virus and malware threats, please contact us.

Friday, August 16, 2013
John Miller, Network Infrastructure Manager

It’s called antivirus, so it must protect you against all viruses. Right? Don’t we wish.

Unfortunately, there is more to antivirus protection than just installing antivirus software on your personal computer. It’s better than nothing, and having it installed and working on your computer is critical when defending against the worst virus atrocities on the Internet. But simply installing consumer-grade antivirus software on individual computers will not protect you against viruses at your city.

So why isn’t consumer-grade antivirus software good enough? Let’s find out why.

  1. Antivirus software only works when the software provider publishes updated definitions for a virus. What’s a virus definition? It means the antivirus software provider has identified a virus, determined how to prevent it, and provides what’s known as a definition that recognizes the virus if it somehow appears on your computer. That means unless the antivirus software provider stays rigorously up-to-date and constantly pushes updated definitions to your computer, then you may not be protected. Cheap or free consumer-grade antivirus software may not be rigorous enough. Plus, virus definitions are typically a yearly subscription. If you let your subscription lapse, then the definition updates will stop installing.
  2. Virus creators usually outwit basic antivirus software. Those who create viruses are often one step ahead of the antivirus software providers. That’s why even the best antivirus software requires daily definition updates to stay current. But a virus creator’s best weapon is to disguise viruses as software applications or files that your antivirus software will not detect (since they look normal). Most people tend to get viruses by doing things like clicking on a link in an email that looks like it came from their online banking website, or clicking on a software installation file that might be for a game that they downloaded. Many of those links and files will not look suspicious enough to be detected.
  3. Most antivirus software is reactive, not proactive. That means your antivirus software will often not prevent a virus from installing on your computer. Instead, no action is usually taken until the virus is already on your computer. The worst viruses are clever and can disable your antivirus software before taking destructive action on your computer.
  4. Most viruses originate from a person’s voluntary action. Consumer-grade antivirus software definitely protects against common, amateurish viruses that may pop up during normal Internet browsing. Unfortunately, most viruses we see began when a person got fooled—which is exactly what a virus creator wants. Make sure that your city staff is trained on the following basics:
    • Do not open email from somebody you don’t know. Especially do not open attachments or click on links within unknown emails.
    • Do not click on ads you see on websites.
    • Do not download and install free software or games unless it is from a well-known and reputable source.
  5. Consumer-grade antivirus software lacks the rigor needed at cities. Because of the sensitivity and importance of information at a city, enterprise antivirus software is needed to fully protect the city. Installed at the server level (instead of the desktop level), enterprise antivirus software ensures that an IT professional monitors your environment for virus activity at all times and that it’s always up-to-date. Despite people’s best intentions, they are too distracted and focused on their day-to-day jobs to handle antivirus software on their computers.

So, just because you have antivirus software on your computer does not mean you’re protected from viruses. City employees still need to use common sense when opening emails, files, and attachments. And while antivirus software isn’t perfect, the best antivirus software for cities is professionally monitored and kept up-to-date without users having to worry about their individual computers.

A virus can be absolutely destructive, and we’ve seen a single virus originating with just one user threaten to shut down an entire city’s operations until it was removed. Make sure that you are as protected as possible so that your city stays operational.

To talk about antivirus in more detail, please contact us.

Wednesday, August 14, 2013
Clint Nelms, COO

Now that we’ve discussed the key PCI DSS compliance topics (vulnerability management, data protection, network fundamentals, and authorization), what happens next? Once you take care of these important security issues, you need to keep these areas front and center at all times. That means continually monitoring all of your online payment security data, testing your security regularly, and creating an information security policy for your city.

While ongoing monitoring and testing can involve some time, money, and resources, the efforts pay off. In this post, we cover five key areas that you need to stay up on, and why.

  1. Proactive 24/7 security monitoring and alerting. You can’t wait for threats and unauthorized access to happen. When you build or reconfigure your network and set up access, you need to make sure that only the right people are accessing your online payment systems. Account for which employees have access (and which do not), but also keep in mind those who might have temporary or limited access (such as an IT or software vendor). Don’t simply give out admin passwords to whoever needs them. Create specialized usernames and passwords to easily track those with temporary access—and then delete those user profiles when they’re done. Otherwise, you create too many ways for people to access your data from the outside.
  2. Monitor for unauthorized threats and attacks. Obviously, you also need to be on alert for hackers and unauthorized users who want access to your system for malicious reasons. We’re sharing this tip second instead of first. That’s because if you have no proactive policy for knowing which people can access your network, then it’s harder to figure out if you’re being hacked or attacked by an unauthorized user. If you know who is supposed to be accessing the system and can see it clearly in your network logs, then security threats will be more easily identifiable.
  3. Test your security, harshly. Don’t be kind to yourself when you’re testing your online payment security. Remember, you need to be ahead of hackers and those wishing to access your information for malicious reasons. Make sure you look for vulnerabilities with your servers, workstations, networks, software applications, cloud services, and mobile assets. Security testing may include penetration testing, which simulates an attack on your network and analyzes what would happen in the case of a real attack.
  4. Fix and improve any security gaps. Always work to improve your security. While the world of information technology moves fast, security moves even faster. This is an area you don’t want to lag behind. Maybe you need a new firewall, maybe important data is not currently encrypted, or maybe you don’t know the names of all users accessing your data. Take the time to assess the results of any ongoing testing and make fixes along the way. It’s usually when a city has been coasting on the same security assumptions for a long time that something goes seriously wrong.
  5. Create a user-friendly information security policy. Don’t aim for a thick binder that gets filed away and never looked at. Talk to other cities that have created a successful information security policy and use it as a model, but also think about the particular needs of your city. What kind of online payment information do you use? Who needs access to that information? Think about:
    • Document and database access
    • Types of payment information you store
    • Password policies
    • Use of IT resources (such as computers that contain or access sensitive information)
    • Information that employees can and can't share over email or the phone
    • How personal laptops and mobile devices can and can’t be used
    • Any special access privileges.

    Outline laws and the repercussions of breaking those laws. Create a user-friendly document that outlines important points at a high level, and separate out employee information from technical or legal information. Make it easy for employees to go to the sections that pertain to them.
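Items 1 and 2 above, as an added example that is not part of the original post: a Python sketch that reviews login records against a roster of authorized accounts, where temporary vendor accounts carry an expiry date. The account names, log format, addresses and dates are all constructed for illustration.

```python
from datetime import datetime

# Constructed roster of accounts allowed on the payment system.
# Permanent staff map to None; temporary accounts map to an expiry time.
ROSTER = {
    "jsmith": None,
    "finance-clerk": None,
    "vendor-acme": datetime(2013, 8, 10, 17, 0),
}

# Constructed sample log: timestamp, account, source address, result.
SAMPLE_LOG = """\
2013-08-09T09:14:02 jsmith 10.0.4.21 OK
2013-08-09T13:40:55 vendor-acme 203.0.113.7 OK
2013-08-12T02:11:31 vendor-acme 203.0.113.7 OK
2013-08-12T02:15:09 admin 198.51.100.23 FAIL
2013-08-12T02:15:12 admin 198.51.100.23 FAIL
2013-08-12T02:15:15 admin 198.51.100.23 OK
malformed line
"""

def review_log(log_text, roster, fail_threshold=2):
    """Return (reason, account, timestamp) findings for one log."""
    findings = []
    failures = {}  # (account, source) -> consecutive failed logins
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not a login record in the assumed format
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        account, source, result = parts[1:]
        if account not in roster:
            findings.append(("unknown-account", account, when))
        elif roster[account] is not None and when > roster[account]:
            findings.append(("expired-temp-account", account, when))
        key = (account, source)
        if result == "FAIL":
            failures[key] = failures.get(key, 0) + 1
        else:
            if failures.get(key, 0) >= fail_threshold:
                findings.append(("success-after-failures", account, when))
            failures[key] = 0
    return findings

if __name__ == "__main__":
    for reason, account, when in review_log(SAMPLE_LOG, ROSTER):
        print(f"{when.isoformat()}  {reason:24} {account}")
```

With the roster in place, the vendor login after its expiry and the shared "admin" account stand out immediately; without a roster, every one of these lines would look like an ordinary login.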

Is this a lot of work? Yes. But since we’re dealing with measures that protect your citizens’ credit card and payment information, the efforts are necessary and worth it.

Read our past articles covering all PCI DSS standards by clicking on any of the links below.

Online Payment Security - Two Network Fundamentals

What It Means to “Protect” Your Data

Securing Your Technology for Online Payments

With Online Payment Access, You Want No Surprises

To talk about online payment security in more detail, please contact us.

Friday, August 9, 2013
Dave Mims, CEO

In a recent study conducted by Evolve IP (and reported in IT Business Edge), the findings from talking to over 1,000 financial decision makers along with IT professionals showed a clear gap in cloud acceptance. For those executives and IT directors who make financial decisions about whether to invest in the cloud, 70% believed that the cloud has value. Only 53% of IT professionals said the same thing.

Why? Should we be concerned that the “IT professionals” value the cloud less?

One significant reason that the IT professionals valued the cloud less was a failure to fully understand the benefits of moving from capital expenses (mostly upfront one-time investments) to operational expenses (such as a monthly fee). They also appeared to have concerns about cloud reliability and performance, which appears to showcase a more technical understanding of the cloud than the executives have.

So should you invest in the cloud? To merge both the insights about the positive financial benefits along with alleviating the technical concerns, we’d like to add to the dialogue about this study by pointing out some important considerations.

  1. You can safely eliminate many expensive capital expenses with the cloud. At this point in time, the cloud has been tested with everything from virtual servers to website hosting. You simply don’t need to buy as much hardware as you did in the past. A big part of IT expenses that hurt cities (or prohibit cities from investing in IT) are the upfront expenses needed to purchase expensive hardware and software licenses. The cloud moves this model to an operational expense model, where you eliminate hardware and pay for services over the Internet like a subscription.
  2. Total cost of ownership goes down. Essentially, total cost of ownership (TCO) is the cost of your IT expenses across the lifetime of your investments. For example, if you buy a server, the TCO would include not only the cost of the machine, but also the software, labor, warranties, electricity used to run it, the cost of downtime if it breaks, the building space it takes up, etc. While it’s overkill for most cities to calculate TCO for IT investments, it’s a real concept that does affect a city’s bottom line. Cloud services simply reduce TCO by eliminating many of the costs associated with purchasing, maintaining, and decommissioning a piece of hardware over a period of 3-5 years.
  3. Cloud services are more reliable than maintaining your own hardware and software. It’s safe to say that IT professionals are a bit self-interested when it comes to accusing the cloud of being unreliable. The reality is that IT professionals who have not embraced the cloud will find their skills obsolete as non-cloud services go away. We’ve discussed in the past that the cloud is even more reliable than what cities can do for themselves. Cloud vendors feature state-of-the-art data centers, plenty of redundancy (which helps with uptime and data backup), and security (both physical and digital).
  4. Cloud service performance has set new industry standards. Sure, occasionally we see an outage now and then from a cloud provider. But they are becoming few and far between—certainly fewer incidents than traditional IT departments onsite at a city experience. Much of the cloud’s power emerged when high-speed Internet became the norm. Once that level of service was in place, devices (laptops, smartphones, tablets, etc.) could all stay connected to the Internet and access services easily, much more easily than by relying on a city’s dedicated servers for services. Add the power of anytime/anywhere access, minimal installation logistics, and near constant uptime, and you see why cloud services outperform most dedicated services that cities could provide by themselves.
  5. Most significant technology vendors are wholeheartedly moving to the cloud. Microsoft, the company that once had a monopoly in the world of PCs in the 1990s and that still dominates the user experiences of most computer users, is shifting most of its services into the cloud. That includes tried and true city software such as Microsoft Exchange for servers and Microsoft Office for desktops. An article from Infoworld in April 2013 lists other heavyweight IT vendors such as IBM, HP, and Oracle that are all moving their software to the cloud. This is not a fringe trend.

The Infoworld article goes on to state that because the cloud has been so effective at reducing costs, less money is being spent on traditional IT hardware and software. Like typical economic spirals in the past, that means the cloud will only become more prevalent as an industry standard while traditional hardware and software eventually will fade away.

Change is often confusing and difficult, but the cloud is for real. As you can see, this is not something to be on the fence about—especially with so many of the leading indicators pointing in one direction. Your city will benefit financially and improve its IT reliability and performance by considering cloud services.

To talk about cloud investments in more detail, please contact us.
