Date post: | 11-Jan-2017 |
Category: |
Technology |
Upload: | cybera-inc |
View: | 45 times |
Download: | 0 times |
Issues and Challenges Facing Municipalities in Data Security
Owen Key Chief Security Officer City of Calgary
Oct 27, 2016 Cyber Summit 2016 2
City of Calgary - Corporate Security
Protection of assets Assist other City of Calgary Business Units in providing public safety initiatives Promote organizational resilience through collaborative partnerships which enable and enhance services provided by The City Approach is to develop and implement innovative approaches in all areas of security and risk management.
Oct 27, 2016 Cyber Summit 2016 3
Corporate Security
Physical Security
Technical
Operations
Information Security
Security Advisory
Investigations
§ City of Calgary has over 500 lines of business and provides services that range from recreation to transit to police
§ Complex environment with numerous touch points, integration with business partners and third party or arms length organizations
§ All services are dependant on IT infrastructure being highly available
§ Duty to safeguard critical infrastructure to ensure City services continue
Oct 27, 2016 Cyber Summit 2016 4
City at a Glance
Stakeholders
11/1/16 Data Breaches: Causes, Prevention and Containment 5
Calgary
CITIZENS
MAYOR AND COUNCIL
CITY MANAGER
AND SENIOR LEADERSHIP
PARTNER ORGANIZATION
S
DEPARTMENTS AND BUSINESS
UNITS
CITY AUDITOR
Oct 27, 2016 Cyber Summit 2016 7
• Speed and rate of data creation is increasing rapidly Data Velocity
• City has multiple discreet data sets in both structured and unstructured storage
Data Variety
• Volume of information is exploding Data Volume
Risk Based Approach to Security
11/1/16 Presentation 8
Risk Evaluation
Risk Response
Risk Governance
Moving Forward – Laying the Foundations
20/09/2016 Data Breaches: Causes, Prevention and Containment 9
Building up the physical and operational security showed the value of investing in security
Next layer was to build a fully integrated security program which included cyber and information security
Implementation – Driving Factors
11/1/16 Presentation 10
Increasingly mobile workforce
Increasing security awareness in key decision makers
Lack of visibility into our systems
Risk Based approach to business comes into play
Increasingly interconnected
Increasing public awareness of Cyber incidents
Increase in Cyber incidents
Calgary experiences large natural Disaster
Internal Factors External Factors
Need for Cyber
Security Program
Security through Design
Oct 27, 2016 Cyber Summit 2016 11
§ Increased investment in information security
tools have provided additional layers of defense to reduce risk
§ Building security into project design and ensuring safe integration is key to protect data and infrastructure
§ Investment in enterprise solutions to provide additional alerting, reporting and security protection
City of Calgary - CCTV at a Glance
Oct 27, 2016 Cyber Summit 2016 13
Ø The City of Calgary through Corporate Security, Calgary Transit, Roads and Calgary Parking Authority has deployed approximately 3,000 cameras.
Ø Cameras are deployed based on what’s required to ensure the safety and security of the public, employees, information, sites and assets.
Ø Regular risk assessments and security audits are completed on all existing and new City of Calgary facilities
Oct 27, 2016 Cyber Summit 2016 14
CS Secure Storage
Analytics Calgary
Data
City Network Infrastructure
Corporate Security CCTV Network
DATA EXCHANGE
RECORDED VIDEO City
Business Units
LIVE VIDEO DATA
EXCHANGE
Camera’s as a Sensor
Oct 27, 2016 Cyber Summit 2016 15
§ Cameras are primarily used by The City as a sensor. They collect video images and meta data which can be used to enhance the ability of the recipient to provide effective assessment and response.
§ The use of a single or limited number of devices to capture varying data streams useful to more than one user
§ Sensors as a Service and Common Mode Cameras together allow for ability to tie in additional data capture points.
Freedom of Information
Oct 27, 2016 Cyber Summit 2016 16
Ø “Personal Information” is defined in section 1(n) of the FOIP Act as recorded information about an identifiable individual, including: the individual’s race, colour, national or ethnic origin; the individual’s age or sex; the individual’s inheritable characteristics; information about an individual’s physical or mental disability; and any other identifiable characteristics listed in that section.
Ø “Surveillance System” refers to a mechanical or electronic system or device that enables continuous or periodic video recording, observing or monitoring of personal information about individuals in open, public spaces (including streets, highways, parks), public buildings (including provincial and local government buildings, libraries, health care facilities, public housing and educational institutions) or public transportation, including school and municipal transit buses or other similar vehicles.
§ Authority to use CCTV is granted under S. 33 of the Freedom of Information and Protection of Privacy Act
§ Careful consideration is always given to balance both the privacy of individuals and ensure personal and public safety
§ Corporate Security continue to meet the requirements for collecting video under the Freedom of Information & Protection of Privacy Act. This includes, providing a business case for gathering video, alerting citizens that they are being recorded and protecting the video.
Oct 27, 2016 Cyber Summit 2016 17
Authority to Collect
Monitoring
Oct 27, 2016 Cyber Summit 2016 18
§ Corporate Security utilizes an enterprise video management system to monitor cameras from its Integrated Security Centre.
§ System provides efficiencies and effectiveness in monitoring and response.
§ Reduces the number of ad-hoc standalone systems that require manual and onsite review.
§ In order to remotely monitor cameras via the network, streaming is performed at a lower frame rate and definition than what is recorded at the edge level.
Security of Data
Oct 27, 2016 Cyber Summit 2016 19
§ City of Calgary Corporate Security employees are the only persons to have administrative rights to the DVRs and NVRs and are responsible for providing DVDs (read only media and watermarked) to the Law Department or Calgary Police Service as directed.
§ Information is stored at the location of the NVR and is under lock and key.
§ Information is only collected if movement is detected within the area (incident based).
§ Audit Logs
Storage and Retention of Video
Oct 27, 2016 Cyber Summit 2016 20
§ Data retention policies are crucial for managing the increase in storage
cost/ Requirements.
§ City retention policy for all video is 14 days or 31 days
§ Storage surplus required for proper function and allowance for
“protecting” video for investigative purposes (25% or more is ideal).
§ Most City of Calgary sites use distributed, edge level recording
1. Bandwidth – The required bandwidth for recording high quality imagery either
exceeds the limitations of the network in remote locations or seriously affects quality
of service for users at the remote site.
2. Autonomy– In the event of failure of the network, edge level recorders continue to
record.
Oct 27, 2016 Cyber Summit 2016 21
Calgary Recreation (Facility Security)
Roads Department (Traffic Monitoring)
Calgary Parking Authority (parking usage)
Calgary Transit (BRT, bus performance)
Calgary Police Service (LPR, incident investigation)
Water (flood, water level monitoring)
Internal Clients External Clients
Roads Department (Traffic Monitoring)
University of Calgary (Utilizes traffic data for research projects)
Data aggregation and correlation
Oct 27, 2016 Cyber Summit 2016 22
Sensor Data
• Water Sensors • CCTV • Traffic sensors • Access control • Public/ smart lighting • WiFi • Geolocation data • Traffic control/
intersection camera feeds
Service Based Data
• Transactional Data (PoS)
• Registration/ facility use
• Land use • Tax Information • Permit and
Development • Parking
Striking the Balance
11/1/16 Presentation 23
Openness Protection
Secure personal and critical data
Large public facing presence
Must Remain Operational
Accessible Information
Routine Disclosure Obligations
Open Data Initiatives