Trusted security must be a requirement for all government software tools. Unfortunately, it’s hard for everyone to know what good security and privacy look like. Evaluating privacy and security doesn’t have to be complicated. And it starts with one key question…
What can happen if your security fails?
The simplest reason to have good security is that without it, attackers can access resident contact information and abuse your trusted relationship with them. Attacks can take the form of website defacement, inappropriate messaging, and theft of personally identifiable information.
There is always uncertainty about what could go wrong, and as residents we want our personal data to be kept safe. We want to know that our information will be used for only the purpose we provided it for. Savvy users also want to know that the data won’t be kept forever – but will be responsibly deleted once use is complete.
If that isn’t enough to convince you to have good security, here are some precise threats to the kind of software solutions that ReCollect makes:
Web-Based Embedded Widgets Security
Visitors to the website on pages that use the widget could be subject to attacks if the widgets or service become compromised. These attacks could trick residents or city staff into many inappropriate and harmful activities. These could include:
- Sending inappropriate messages to residents
- Defacing website content
- Taking the trust in the City’s website and abusing it to gain access to other accounts (aka Phishing)
It’s also possible for these widgets to collect personally identifiable information (PII) and store it in insecure ways that leave it susceptible to theft.
Mobile Apps Security
Without proper security, mobile apps are vulnerable to theft of personally identifiable information and other sensitive data. This is of particular concern because of the nature of mobile devices – they are always with you, and they have sensors like GPS, cameras and microphones.
Admin Portal Security
Improper security controls could give attackers access to administrative tools, and could cause inappropriate communications, data theft and data loss.
The risks with technology that collects personal information (a vast swath of technology) are significant. On the one hand that is scary; on the other hand, you can choose a vendor with expertise and experience building secure internet-facing products.
In addition, the ability to detect and respond to threats quickly is critical. When new vulnerabilities come out (as they often do), vendors need to be in the loop and have the resources and skills to quickly patch their systems.
How can you tell whether a vendor adheres to a good standard for privacy or security?
The easiest way to know if software is secure? Third-party audits.
Before you even look for a quote, we suggest you ask your salesperson whether their software has been reviewed in a third-party audit, how frequently they audit their systems, and when the last audit was. We suggest you ask for a copy of the conclusions.
ReCollect conducts regular security audits and can provide these to municipal clients. ReCollect has also worked with specific municipalities in the past to conduct joint, detailed security audits of that customer’s implementation.
How do you keep software private? Stay minimalist!
In our Privacy article, we discuss the three different types of data you want to keep private. “Exhaust” data, the analytics that accompany the software, was one of them. Exhaust data is the operational statistics you can use to guide future use of the app. It can include things like web server logs, which keep IP addresses and raw traffic logs. It’s much easier (and lazier!) to retain exhaust data far longer than necessary, because it’s out of sight and out of mind. However, this sensitive information should be deleted as soon as it’s no longer being used.
It’s better to have this conversation before you start a vendor relationship.
ReCollect takes a disciplined 90-day stance to balance the interests of operational maintenance and auditability with the interests of user privacy.
How do you keep the data up to date?
By default, ReCollect adopts an aggressive 90-day policy on data retention. ReCollect deletes any personal or operational data that is no longer in use after 90 days, and deletes exhaust data retained for auditing and debugging after 90 days.
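The retention policy described above is only as good as the mechanism that enforces it. The script below is an added illustration, not ReCollect’s code, of what enforcing a 90-day window over web server access logs (the “exhaust” data that holds resident IP addresses) looks like in practice. It assumes Common Log Format timestamps; the sample log lines, addresses and the as-of date are constructed for the example, and only the 90-day figure comes from the page.

```python
"""Enforce a fixed retention window over web server access logs.

Added example (not ReCollect's own tooling). Assumes Apache/nginx Common Log
Format timestamps such as [15/Mar/2024:09:30:00 +0000]. The 90-day window
matches the policy described on the page; all sample data is constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION_DAYS = 90

# Matches the bracketed Common Log Format timestamp field.
_TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def entry_timestamp(line: str) -> Optional[datetime]:
    """Return the timezone-aware timestamp of a log entry, or None if absent."""
    match = _TS_RE.search(line)
    if not match:
        return None
    return datetime.strptime(match.group(1), "%d/%b/%Y:%H:%M:%S %z")


def apply_retention(lines: List[str], as_of: datetime,
                    retention_days: int = RETENTION_DAYS) -> Dict[str, object]:
    """Split entries into those still inside the window and those to purge.

    Age is judged from the entry's own timestamp, not the file's modification
    time, so an old entry appended to a fresh file cannot outlive the window.
    Entries with no parseable timestamp cannot be shown to be young, so they are
    purged too but counted separately so an operator notices format drift.
    """
    cutoff = as_of - timedelta(days=retention_days)
    kept: List[str] = []
    expired = 0
    unparseable = 0
    for line in lines:
        stamp = entry_timestamp(line)
        if stamp is None:
            unparseable += 1
        elif stamp < cutoff:
            expired += 1
        else:
            kept.append(line)
    return {"kept": kept, "expired": expired, "unparseable": unparseable,
            "cutoff": cutoff}


# Constructed sample: documentation-range IPs (RFC 5737), made-up paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:08:00:00 +0000] "GET /widget.js HTTP/1.1" 200 512',
    '198.51.100.9 - - [15/Mar/2024:09:30:00 +0000] "GET /schedule HTTP/1.1" 200 2048',
    '192.0.2.44 - - [20/Apr/2024:17:45:10 +0000] "POST /reminder HTTP/1.1" 302 0',
    'malformed line without a timestamp',
]

# Fixed "now" so the run is reproducible; a real job would use datetime.now(timezone.utc).
AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    result = apply_retention(SAMPLE_LOG, AS_OF)
    print(f"cutoff: {result['cutoff'].isoformat()}")
    print(f"kept {len(result['kept'])}, expired {result['expired']}, "
          f"unparseable {result['unparseable']}")
    for line in result["kept"]:
        print("  keep:", line)
```

The job would run daily from cron and rewrite each log file with only the `kept` entries. Judging age by the entry timestamp rather than file age matters because log rotation, restores from backup and compression all reset file timestamps, which is exactly how “out of sight” data quietly outlives the policy.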
ReCollect is prepared to comply with any requests for custom data exports. Many of these requests can be made by city administrators directly through the administrative dashboard, and if not we’re happy to help get you the data you need.
What is the plan for a data breach? What happens?
A vendor’s ability to respond to a data breach is hard to discern, because it’s easy to say “we’ll notify you” but hard to validate. You could ask to see their internal process and an example of the last time it was used. In our case we use a 13-step incident response protocol. If you want an example, we’re willing to share!
ReCollect commits to directly contacting the designated officers/staff (such as a security officer) if it is discovered and determined that we have experienced a data breach. There is default language in our subscription agreement committing us to this.
ReCollect’s Customer Notification Process is used whenever a security or downtime incident happens, however minor. ReCollect Operations Staff follow this process to identify information, perform initial resolution steps, and escalate to the ReCollect Executive Team.
The ReCollect Executive Team reviews the incident and communicates its impact and severity to the data owner, as required by our subscription agreement. This notification happens via email, or by phone if the notification is time-sensitive. The contact details of the Data Owner are listed in the Subscription Agreement.
ReCollect has never lost customer data or had a security breach. Should such an incident happen, in-kind services would be given in accordance with our Subscription Policy.
Who owns the data?
Who owns “your” data is an incredibly important discussion to have with vendors before you engage them. To learn about the different kinds of data you’ll want to discuss with vendors, see the Privacy section of the buyers guide.
What happens to the data if you terminate a vendor’s contract?
When you move on from working with a vendor, you’ll want confirmation that they will return your data and delete it from their servers. If they cannot confirm this, the vendor may be legally able to use the data for their own services in the future.
This is more or less serious depending on the type of data they keep. Do you want to keep exclusive rights to:
- Your operational data including your waste collection schedules, local recycling rules, etc.?
- Users’ personally identifiable information the vendor collects on behalf of your city or department?
- The analytics and reports the vendor offers on app usage?
ReCollect has among the strongest data-exit strategies in the software industry, and we are happy to share our practices with customers. Within 10 business days of the termination of the relationship, ReCollect provides its customers a copy of all personal information and written confirmation of the deletion of all personal information from our systems. We offer deletion of our customers’ operational data, and export analytics and reports at the customer’s request at no charge.
This bears repeating: it’s best practice to hire a security auditor. This should be expected practice for government software vendors.
Altius IT, ReCollect’s systems auditor, is certified by the Information Systems Audit and Control Association (ISACA) as a Certified Information Systems Auditor, certified in Risk and Information Systems Controls (CRISC), and Certified in the Governance of Enterprise IT (CGEIT).
We highly recommend that you ask your technology vendor to supply you with a security audit of their systems. This keeps you and your data safe over time, and ensures you are getting a quality product.