Complying with the Law Through Information Security Policies

October 26, 2016

Nathan Eisner, COO, Sophicity

This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
This article originally appeared on Sophicity's CitySmart blog. 

In part one of this two-part post, we talked about how cities can better comply with the law through a set of information security best practices. Now in part two, let’s look at how specific policies help cities with compliance.

Technology alone won’t protect cities. Clear, detailed policies document important rules, procedures, and guidelines to help you comply with federal, state, and local laws.

So, what kinds of policies do you need? Generally, they will fall into two main areas. For this post, we are using the structure of Arkansas’s Legislative Audit guidelines as a way to discuss policies that are relevant to all cities.

General Controls
The Arkansas Division of Legislative Audit defines general controls as “mechanisms established to provide reasonable assurance that the information technology in use by an entity operates as intended to produce properly authorized, reliable data and that the entity is in compliance with applicable laws and regulations.”

The key here is that your city's technology works as intended and that the city complies with the law while using it. Overall, it helps to create an operational policy and procedure manual for your information systems that accounts for:
 
  • Contract / Vendor Management: Your policy should require clear, consistent contracts with all vendors along with procedures to enforce and review contracts on a regular basis.
  • Network Security: This policy should identify the information security risks that reach your city through its network and spell out how the city mitigates them, such as through monitoring, antivirus software, restrictions on user behavior, and the procedures to follow if a security breach occurs.
  • Wireless Network Security: Make sure your policy covers the encryption of wireless data along with proper wireless network usage and access. The policy should specifically address wireless security related to employee laptops and mobile devices.
  • Physical Access Security: People should not have unauthorized access to machines storing electronic information. Your physical access security policy will define who has authorized physical access to equipment and how they access it.
  • Logical Access Security: Wikipedia defines logical access controls as “tools and protocols used for identification, authentication, authorization, and accountability in computer information systems.” Basically, this specific policy ensures that only authorized people have access to your city’s information.
  • Disaster Recovery / Business Continuity: This policy describes what happens in the event of a disaster (from a single server failure to a major event like a tornado) and how you plan to restore and continue access to your city's electronic information afterward.

Application Controls
The Arkansas Division of Legislative Audit defines application controls as “[relating] to the transactions and data for each computer-based automation system; they are, therefore, specific to each such application. Application controls are designed to ensure the completeness and accuracy of the accounting records and the validity of the entries made.”

In other words, cities want to make sure that applications such as accounting software correctly receive, store, and deliver the right data. Policies related to application controls include:
 
  • Data Input: This means exactly what it says: a policy governing how data is entered into software applications, so that invalid or unauthorized entries are caught at the point of entry.
  • Data Processing: This policy should cover how data is processed once entered into the system so that you lessen the risk of data errors—whether that data is manually or automatically processed.
  • Data Output: This policy should cover the accuracy and security of data delivered to an end user, from the accounting data a city employee sees to the online payment information citizens may view on the city's website.
  • Application Level General Controls: This policy covers security, configuration, and contingency planning related to applications.

While Arkansas may require cities to implement these kinds of policies as part of its legislative audit, it's a good idea for all cities to adopt policies like these. They cover the essentials of information systems and go a long way toward reducing risk and liability. Plus, such documentation leads to a much better-run IT department and eases transitions (such as IT staff retiring or a new IT vendor being hired).
