The following is an excerpt from the LMC information memo, Computer and Network Loss Control. Members of the League of Minnesota Cities Insurance Trust’s property/casualty program wishing to increase their coverage limit from the standard $250,000 aggregate for first-party cyber coverage will be asked during their 2021-2022 coverage renewal to attest to reading this information before higher limits are granted. Additional loss control protocols for securing higher limits will be required in future years.

Reducing computer security risks

General security

Security of a city’s network needs to be addressed in three areas: physical, data, and personnel.

Servers, switches, computers, laptops, and other data devices should all be secured from physical threats such as theft or environmental damage.

Data should be secured by granting rights only to people who require access to the data. Whenever possible, grant access with minimal capabilities. For example, some users need rights to only read data. Control closely who needs access to move, write, or delete data. This is usually done through a system of folders and sub-folders, with appropriate security applied. This is called data mapping and is covered later in this document.

Employees should always have their own unique computer accounts granting them access to only the data they require to complete their duties. When staff leave employment, their accounts should either be deleted or, if it’s an account that will be moved to a new staff person, the password should be changed. Passwords should be required for all accounts and should be complex passwords or passphrases. Complex passwords or passphrases include spaces, numbers, special characters, and other symbols.

Shared and administrative passwords should be changed, at the minimum, annually, or when an employee or vendor who has access to the password has an employment change. It is very important to change system default account names and the corresponding passwords to unique and complex passwords or passphrases. Default settings for account names and passwords are often used by monitoring or other equipment connected to the internet (often referred to as the Internet of Things, or IoT). Using default account names and passwords is a security risk because that information is published in the equipment instruction manuals.

City staff and elected officials are also key to computer security. Social engineering — the psychological manipulation of people into performing actions or divulging confidential information — is quickly becoming one of the easiest ways for hackers to gain access to networks. City staff should be made aware of the methods used and be trained in simple security measures such as not sharing passwords, not writing them down and keeping them close to the computer, not emailing them, and not giving them out to anyone other than verified support personnel.

See Wikipedia, Social Engineering (Security) for current examples of social engineering

Antivirus software

Ensure all devices used for city business (including devices at home if used to do city work) have current, updated antivirus software installed. There are many vendors that offer antivirus products, and the choice of which software is the best to use will vary from city to city. A reputable company that provides support in the event of a virus outbreak should be chosen. Some vendors offer “free” antivirus software such as AVG or Microsoft. These free programs are usually only free for personal use so, in theory, cities will have to pay for the product if they choose to use it.

Firewalls

Any connection to the internet should be protected by a firewall. Hardware firewalls are usually provided by your internet service provider. However, these are often simple firewalls that offer only basic protection. Cities should consider purchasing their own firewall and having a technology professional configure it to meet their needs.

The default configuration of a firewall should never be used. A default configured or misconfigured firewall is almost as bad as not having one.

In addition to a firewall at the point of connection to the internet, individual computers should also have a software firewall configured. This is especially important for tablet and laptop computers, since they will most likely be using internet connections not controlled by the city (e.g., hotels, coffee shops, and home connections).

Data encryption

While the majority of city data is public, encryption is critical for private data. Any mobile device or laptop that contains private information should have its storage media encrypted. Examples would include a smartphone with private emails, or a laptop containing private data.

Servers generally do not require encrypted media since they should be stored in a secure physical location. However, it is becoming best practice to encrypt server data. While less critical than securing end-user devices, it’s another layer of protection for city data.

External connections, such as a VPN, cloud services, or webmail, should also be encrypted.

For additional information about encryption, see Wikipedia, Encryption

Wireless security

No wireless access point should ever be considered secure. Even “secured” access points that require passwords and that are encrypted can be compromised by hackers. City staff should be trained to not transmit private data over wireless networks.

Cloud computing

Before storing any city data in a cloud-based application, it is paramount to first review the usage agreement for the service to ensure data is stored appropriately. You also want to make sure that, if you are required to produce data under a data practices or e-discovery request, it will not cost too much for the city to retrieve the data. This is especially important for how the data is backed up. In some cases, backups of data were considered accessible data and needed to be produced.

Staffing

Appropriate and trained staff should be responsible for maintaining a city’s network and computers. Most cities cannot afford a full-time technology professional and will need to rely on consultants. Regardless of whether that person is a contractor or city employee, a city must make sure the person has passed an appropriate background check.

Most reputable technology vendors require background checks and, upon request, will provide documentation that they performed the check. Using a high school student or relative of a city official is not a good idea unless they are a true technology professional.

Any staff responsible for maintaining a city network should also be aware of data practices issues and should understand the concept of the city’s records retention schedule.

Technology staff should generally not be the people tasked with records retention duties but should be familiar enough with the process to advise a city on storage methodologies.

Data mapping

Data mapping is the process of creating data connections (mappings) between two distinct data components. Mapping assists in understanding the relationship between different data. It is critical to keeping a network organized and reducing costs of e-discovery and data practices requests. All city staff should be aware of the data mapping architecture.

In smaller cities, this may be as simple as a few folders on a computer such as “Public Data,” “Private Data,” and “City Council Information.” Security should be applied to these folders as well. For example, personnel data should be stored in a different folder where only city staff tasked with HR responsibilities can access it. Less sensitive data could then be stored in a separate folder with less restrictive access.

Whenever possible, grant access with minimal capabilities. For example, some users need rights to only read data. Closely control who needs access to move, write, or delete data. How this is set up may vary from city to city. However, having an overall plan for where data is stored is critical. Failure to protect private data appropriately is a violation of state statute.

By law, cities must establish security measures to help ensure that non-public data are only accessible to persons whose work assignment reasonably requires access to the data and is only being accessed by those persons for purposes described in the procedure (see Minn. Stat. § 13.05, subd. 5).

In the event of a breach, cities must conform with the disclosure and notice statutes regarding the breach (see Minn. Stat. § 13.055, subd. 1-6). Accessing non-public data without authorization is a misdemeanor. A willful violation by a public employee is just cause for suspension without pay, or dismissal (see Minn. Stat. § 13.09).

Read the Minnesota Department of Administration Data Practices Office sample, Policy for Ensuring the Security of Not Public Data (pdf)

Patches, service packs, and upgrades

Patches, services packs, and upgrades need to be applied regularly to all operating systems, antivirus clients, networking equipment, software applications, and any embedded equipment that connects to the internet such as water/wastewater systems or security systems. If possible, updates to end-user equipment should be automated, and end users should not be given a choice of running the updates.

Updating embedded systems will often require more vendor interaction and cost, so the risks of not updating the systems should be weighed against the cost of potential breach. For example, the malicious turning off of the pump in a lift station may be a greater risk than the malicious shutdown of the system that handles the lawn sprinklers for the library.

Data backup

Regularly back up the data on the city’s computers and conduct tests to ensure backups are not corrupted to protect city data from natural disaster, failed hardware, viruses, or hacker attacks. Cities need a plan in the event that the device performing the backups is damaged or out of order. Backup media should be stored in a secure, climate-controlled, off-site location.

The location should be far enough away such that a natural disaster, such as a flood or tornado, would not be likely to take out both the equipment being backed up and the off-site storage location. Storing backup media in the back of a public works shed would probably not fit the definition of a secure, climate-controlled, off-site location.

The city should establish a regular backup schedule addressing frequency of backups and retention of backup media. Backups should be done daily. A complete monthly backup should be maintained on a 12-month rotating schedule. Ultimately, the type of schedule really depends on the size of the city and the kind of operations housed in the system.

Address how email, and backups containing email, are handled in the city’s records retention schedule. Cities should backup email separately so that it is not retained indefinitely along with other city data requiring longer retention. A separate email backup also ensures archived electronic city records do not need to be searched as part of a discovery or data practices request.

Computer use and social media policies

Adopt a computer use policy and ensure all staff members are aware of the policy. Make sure the policy includes the use of social media for personal and professional purposes. Decide whether the city has an official presence on social media platforms. If so, decide whether the city will adopt a centralized or decentralized strategy for interacting on social media platforms. Make sure city employees are aware of the policy and consistently enforce it. Consider voluntary policy language to govern elected officials’ use of city-owned technology, social media, and other electronic communications.

Website and social media policies

Think about the kind of information posted on the city’s website. Make sure that private data is not posted. Public data should be accurate and accessible, according to the Americans with Disabilities Act. Even if data is legally public (e.g., the location, size, and design of your water system), it may not be a good idea to post it on the website.

Only post information that is legitimately useful to citizens and constituents.

Social media is largely perceived as a less formal method of communication than a website. Cities that are using social media to communicate official city-sponsored messages should be managing that official social media content in much the same way they manage the city newsletter or website. The following model policies are recommendations to help cities avoid problems related to social media: