Newsletter
May 2005
Data Security
Paying lip service to data security is no longer an option for utility managers. So there are decisions to be made: does paper-based data management still cut it, or is an electronic system an option? Is internal management the way to go, or should outsourcing be considered? Can an ASP (application service provider) offer the necessary resources, or are there risks inherent in it?
Physical aspects of security, such as a robust and well-practiced disaster recovery plan, are important elements of data management, but policies and procedures are the most vital and overlooked aspects of information security. If you don't have a security policy, you have no rules and procedures by which you can shape the behavior of people and control access to data.
The first policy decision is not a difficult one. Electronic management--if it is affordable--offers obvious benefits over paper. The question then arises whether internal IT resources (if available) can do the job. If not, is outsourcing an option that can hold the line on costs while keeping your data secure?
Security authorities have much to say on the issue. Anup Ghosh, author of "E-Commerce Security--Weak Links, Best Defenses" and "Security and Privacy for E-Business," says a good argument can be made that it’s better to use ASPs that have good security policies and controls than to rely on your own internal personnel and systems.
"The ASP will have people whose sole job is to worry about security and who have the most up-to-the-minute information to do this," he says.
Ian Poynter, President of Jerboa Inc., a Cambridge, Mass.-based security consulting firm, agrees that it may be better to outsource to a company that has experience and really understands security--because it’s a matter of business survival to them--than to try to develop it internally.
Many utilities may not even have IT departments, or may be competing for IT resources with other internal departments. And even if they do have IT departments, it’s unlikely that any one person possesses the entire spectrum of skills required to put a proper security system in place and maintain it at all times.
So can you just get by? That may mean allocating IT responsibility to an individual who has the most PC expertise or obvious interest. The problems are that few of these individuals have formal training and that they have other job responsibilities beyond the delegated responsibility for IT security.
The ASP, by contrast, lives or dies by the internet-based services it offers to its customers.
Having acknowledged that an electronic data management system is an improvement over paper-based data management, consider whether a web-based one can offer added advantages. Two examples: networking key stakeholders for collaboration or consultation should a crisis arise, and enhancing your communication strategy by providing the capability to quickly and accurately disseminate information to officials and, if necessary, the public.
The crucial question is whether proper security can not only be maintained but markedly improved when the responsibility is outsourced. The answer is clearly affirmative, but it requires a different kind of oversight than when your servers and network are in your own environment--a setting where you have direct control over the infrastructure, the staff and the security processes.
As a start, when selecting an ASP, compare the capabilities of software providers that started out as web-based businesses to those of providers who migrated old legacy systems onto the Web. The former have generally taken a holistic approach to developing their security measures. "Security needs to be built in from the ground up," says Mr. Ghosh. "And this is especially important for hosted applications."
Software developers in an ASP start thinking about security from the very beginning within the code they are writing. Security built into applications is more reliable and much less expensive than fixing software after the fact. ASPs that pay a great deal of attention to security may be far more secure places to store data than internal, legacy computer systems that were designed long before the internet or security considerations were factors.
As you approach a determination on what is good for your utility, your stakeholders and your staff, you must first review the fundamentals: basic security standards, secure firewalls, authentication systems, anti-virus software and securely built infrastructure. In carrying out this process, some questions to ask are these:
PHYSICAL SECURITY
How physically secure is the data centre?
Who has physical access to the servers?
What power, connection, and fire security is provided?
NETWORK SECURITY
Are current industry standard firewalls deployed?
Does the ASP keep the software for the firewalls current?
What protocols and services are allowed to traverse the network and firewall?
SYSTEMS SECURITY
How are the operating systems updated?
Are audit logs implemented on all systems that store or process critical information?
What hardware redundancy is in place?
STAFF SECURITY
What are the credentials of the system administration staff?
Are hosting staff onsite or on-call 24/7?
SECURITY POLICY
What is the user account and password policy?
How are accounts closed after termination?
Who owns the data?
DISASTER RECOVERY
Are storage media backed up regularly? How often?
Where are backup media stored, and how are they transported?
Is disaster recovery routinely tested and proven?
We are making our newsletters available by email. The WaterTrax Newsletter contains information on water and wastewater quality and regulatory issues, client stories, and WaterTrax service features. Please click the "signup for our Newsletter" button above and fill out the form. You will then be sent an email with a confirmation link; please click the link to be added to our email list and to receive our quarterly newsletter.