6 Information Security Best Practices to Help Cities Comply with the Law

September 26, 2016

Nathan Eisner, COO, Sophicity

This article is posted with permission from Sophicity’s CitySmart blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. Sophicity is solely responsible for the article’s content.

Over time, information security laws only grow stronger. As information technology matures, expectations grow that cities will protect their data. When data is lost or sensitive information is stolen, the financial and legal repercussions (along with the public outrage) may increase.

Most laws center on protecting sensitive information and ensuring operational continuity even when a disaster hits. After all, cities are stewards of public information and use that information to serve citizens. A city that neglects information security isn’t just passing over nice-to-have technology perks. It is neglecting and compromising its very core mission.

In this two-part article, we’ll discuss best practices in part one and then address policies in part two. Use this checklist of best practices to begin assessing your information security.

1. Create and use strong passwords
Weak or missing passwords remain one of the biggest information security holes at most cities. Are you using one of the commonly listed worst passwords, like 123456, Password, or qwerty? Do your employees write passwords on sticky notes and attach them in public view on their computers? Remember, hackers use automated software to crack passwords. The easiest passwords will be cracked first, even if you consider yourself an unimportant target.
  • Use long, strong passwords with a variety of letters, numbers, and symbols.
  • Discourage employees from saving passwords to websites and applications, and don’t use the same password for all IT systems.
  • Change passwords regularly.
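A small policy checker written for this section (an added example, not code from Sophicity’s article) that rejects the worst passwords named above, enforces length and character variety, estimates the brute-force search space to show why length matters most, and flags the same password reused across systems. The minimum length, the class count, and the short weak-password list are assumed policy values, not values from the article.

```python
import math
import string
from typing import Dict, List

# Constructed list of common weak passwords, seeded with the three the
# article names. A real policy check loads a large breach-derived list.
COMMON_WEAK = {"123456", "password", "qwerty", "123456789", "letmein", "admin"}

MIN_LENGTH = 14    # assumed policy value, not taken from the article
MIN_CLASSES = 3    # assumed: at least three of lower, upper, digit, symbol

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(pw: str) -> List[str]:
    """Names of the character classes the password actually draws from."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]

def keyspace_bits(pw: str) -> float:
    """Size, in bits, of the space a brute-force tool must search if it knows
    the length and character classes. Adding length beats adding symbols."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_password(pw: str) -> List[str]:
    """Return policy failures; an empty list means the password is acceptable."""
    failures = []
    if pw.lower() in COMMON_WEAK:
        failures.append("appears on the common-password list")
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(pw)) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character classes")
    return failures

def find_reuse(password_by_system: Dict[str, str]) -> List[List[str]]:
    """Group systems that share one password. The input is a constructed
    inventory reviewed at password-setting time, never a stored plaintext list."""
    groups: Dict[str, List[str]] = {}
    for system, pw in password_by_system.items():
        groups.setdefault(pw, []).append(system)
    return sorted(sorted(s) for s in groups.values() if len(s) > 1)

if __name__ == "__main__":
    for candidate in ("123456", "Password", "qwerty", "Correct-Horse-Battery7"):
        print(f"{candidate!r}: {keyspace_bits(candidate):.0f} bits, "
              f"failures={check_password(candidate)}")
```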

2. Protect yourself against viruses with software and staff training
While antivirus software helps protect your city against viruses, don’t forget that infections often stem from human error even when antivirus software is installed. Hackers usually fool employees by getting them to click on funny images, social media quizzes, and online games on websites and social media. Infected email attachments also still work when employees believe they come from a legitimate sender (which is easy for hackers to spoof).

A virus can really wreck your city by corrupting, deleting, or stealing your data. Protect yourself with:
  • Business class antivirus software
  • Regular audits to ensure that antivirus software is installed and its definitions are up to date
  • Staff training to educate employees about email attachments and other ways that hackers fool people

3. Back up your data
Cities with any uncertainty about their data backups need to address this problem immediately. A data breach or information theft is bad, but don’t forget the risk of permanent data loss. Electronic information is essential to running a city and serving citizens, and losing it erodes the trust between you and your citizens.

Ask yourself:
  • Are we backing up our data? At a minimum, you need to perform daily data backups.
  • What data is critical to the city? All of it? If in doubt, back it up!
  • How will the city be affected if data cannot be accessed for extended periods of time?
  • What needs to be recovered first?
  • When did we last test a restore to prove that we can recover our data?

Make sure you can perform onsite data backups for quick recovery and offsite data backups to recover from theft or disasters.

4. Apply all relevant security updates to software and operating systems
Many cities neglect operating system and software updates. Software vendors deliver these updates and patches to fix bugs and close security holes. Studies show that most cyber-outbreaks can be prevented by keeping computers up to date—and yet most people ignore the messages on their computers about installing updates. Apply patches, ideally with an IT resource overseeing the process. And because vendors eventually stop supporting and patching applications, operating systems, and hardware once they get too old, you need to upgrade these items when they reach that point.

5. Physically secure your technology
Physical security remains one of the most overlooked aspects of information security. It’s easy for a disgruntled employee to steal data from a server or computer. And be careful when you decommission servers and workstations—those machines may still hold sensitive information if you don’t dispose of them correctly.

Make sure you:

  • Mandate that employees lock their computers when away from their desk.
  • Ensure that servers, network equipment, and external media are locked up, with no direct access available.
  • Have IT professionals permanently and securely wipe data from any retired equipment.

6. Don’t forget the security of your city’s website
People tend to check out your website first when they want to learn more about your city—whether they’re exploring tourist attractions, relocating a business, moving, or inquiring about city services. Not only do people expect a modern website with fresh content, but they also expect it to be secure and safe. They trust you when they exchange billing information or click on links. It doesn’t take much for a hacker to deface a weakly secured website, steal people’s information, or shut it down.

To make sure your website is safe and secure:

  • Ensure your website is hosted by a reputable provider.
  • Know where your city website is hosted.
  • Ask your website’s hosting provider if they have been audited for potential security risks by a third party.

In part two, we’ll talk about some sample policies that will help enforce and reinforce these best practices across your organization.
