Introduction to Information Security for City Council Members


The other night I attended an Association of California Cities – Orange County event focused on information security. A panel of experts from the FBI, local agencies and the private sector discussed their roles and general observations about information security, cyber crime and structuring an organization to address information security.

The presentation had every opportunity to be boring and lose the crowd of primarily non-tech-savvy elected officials, but at the end, the elected leaders were fully engaged and indeed worried. For many attending, the presentation was difficult to understand and high up on the nerd Richter scale, but the underlying tone was evident: cyber crime is increasing and organizations – including cities – are at risk.

Many in attendance were left wondering what they were supposed to do next. What do they ask of their city managers to ensure that information security is being addressed?

It is a great question.

Start with Governance

First, your city manager or staff is likely already aware of and has thought about the matter. Information security is a growing concern within the government management ranks, and panels on information security take place at many professional conferences. But elected leaders also need to have a general sense of their city’s information security practices so that council budget priorities can appropriately align with the needs of the municipality.

A good first step is to examine the oversight and reporting structure for information security. This is often referred to as governance.

Questions to ask about information security include:

  1. Is there one person who is responsible for information security? Do they know they are responsible?
  2. Can the responsible party report directly to the city manager and bypass all other levels of management?
  3. Do any reports exist from internal staff or third parties that have reviewed or tested the information security of the city’s systems? Who reads those reports?

The critical point here is that an elected official is not likely to be well-versed in information security, but the concept of governance will be familiar territory.

Inquire About Best Practices

Having determined (hopefully) that there is a governance structure in place, the next series of questions would highlight some best practices. Asking them should provide a sense of the maturity level of the city’s information security efforts.

  1. Is there documentation around an information security plan or methodology?
  2. Have the more secure and sensitive system and data resources been identified specifically as target risks?
  3. Are there any policies or procedures in place to provide ongoing education and engagement of staff about information security? Does the city recognize that the internal staff are, by way of proximity and technical inexperience, the biggest security risk of the organization (just like in the private sector)?
  4. When an employee leaves the organization, is there a clear process to remove that employee’s ability to access information systems?
  5. Do all the project plans within the IT operation include a line item to review information security management risks related to the project? Is a specific person responsible for asking this question?
  6. Have systems been prioritized to identify those that have the greatest impact on residents if affected by an information security breach?
  7. Does the city have a firewall in place to separate the Internet from the internal network of the city? Are the firewall logs retained for at least a couple of months, and are they reviewed more frequently than that?
  8. Has the city deployed wireless network access, and if so, is the access encrypted? Is it provided outside of the firewall? Is it configured not to broadcast its network name?
  9. Are there aggressive password policies in place? Are default passwords changed or the related default accounts eliminated? Must users change their passwords every 60 days?
  10. Are there policies in place to destroy old electronic data? What happens to old computers and their hard drives? What happens to old copy and fax machines? What happens to old backup tapes?
  11. How difficult is it to physically touch the city’s servers, particularly assets that hold confidential information? As a council member, can I gain access to touch the servers?

Information security is a constant battle. The rules change daily and risks fluctuate. There is no perfect security solution. If a city spent money as if it were possible to be totally secure, the city would run out of funds for police, fire, street sweeping and dog catchers. Therefore, elected officials must have reasonable expectations.

Conclusion

It is the role of the city council to set policy direction and provide guidance and vision to the city manager and staff. It is the job of the city manager and staff to help the council make informed decisions and then execute the decisions handed down by the council (for a great series of interviews where city managers discuss their respective roles, see the California City Management Foundation “Meet Your City Manager” series). In the context of a city’s information security, the council’s main responsibility is to be informed about the city’s overall information security program and to provide resources and policy direction to staff on just how high a priority information security should be.
