If you ask your typical firefighter, “What does security mean to you?” you will likely get a variety of answers. To some it may be having good turnout gear; to others it’s knowing that the “two-in/two-out” rule is uniformly enforced and that a rapid intervention team is routinely assigned to structural calls.
But in 2012, security is much, much more than a lock and key. That’s because the most precious non-human asset a fire company or department has is its information.
In the past few decades, a significant number of records have been converted from paper to electronic media. Run cards are now part of a computer-aided dispatch (CAD) system. Pre-plans have migrated from a notebook to a mobile data terminal (MDT) or personal digital assistant (PDA). Incident reports once laboriously completed on a typewriter or by hand are now submitted electronically. At this point, the most antiquated pieces of fire equipment may be the pen and pencil.
There is no doubt that computers make data sharing more efficient. Consider the fact that changes in an electronic map can now be made instantaneously available to all. Compare this to the former process of having to correct and distribute numerous paper maps or running with outdated map books until the new ones were published. While centralized storage makes sharing of information between authorized personnel easier, it also makes unauthorized access easier. That’s why the most critical pre-plan a fire department can develop involves the security of its data.
This plan should be reviewed at least once a year, but some of the action items should be carried out every day. If your department relies on anything other than dedicated circuits, you run the risk of data being hacked. If you have an Internet presence – and, according to the National Fire Protection Association (NFPA), 84% of fire departments did in 2010 – you are exposed to malware, Trojan horses, viruses, hacking and other attacks. That’s why, first and foremost, a good firewall must be installed to repel unwanted prying. In conjunction with this, anti-virus software should be installed agency-wide, with updates applied as soon as they are released. The same applies to security fixes for all other software. Some vendors offer “enterprise” solutions that let several machines be bundled under the same license. It should be noted, however, that some public safety applications may not be compatible with all such software, and it is advisable to contact your current vendors before purchases are made.
Standard operating procedures (SOPs) must also be developed to provide guidance to personnel. These should include, at minimum, requirements for strong passwords and for changing passwords every three months. User accounts of all personnel leaving the department’s employ must be disabled immediately. Workstations should never be left logged on while unattended, and all sensitive printed data should be shredded.
Regular security audits must be held to ensure that data is being delivered only to authorized persons, with your system administrator being automatically and immediately notified of any activity that suggests attempts at unauthorized access or attack. Keep in mind that while a system may be internally secure, any connection to any device that connects to the outside world is a vulnerability.
What information does your department have that it needs to protect or that others may want? If you respond to emergency medical calls, for example, you may have hundreds or thousands of digital patient records. And what about personnel files? Depending on state and local policy, there are any number of items that may be confidential. For a career or paid-on-call department, consider the implications of a breach of payroll data. Not only will Social Security numbers be compromised, but so may bank account and routing information associated with direct deposits. Access to Social Security numbers may also be a concern to volunteers, as these may be used for training or tax and pension records where such benefits are provided.