Author Archives: Maria Koblish

The CJIS Security Policy Areas You Need to Be Aware Of

Knowing what your organization needs in order to maintain CJIS compliance is difficult enough, but actually putting the necessary procedures into practice is an altogether different feat.

Since meeting the CJIS Security Policy requirements is a precondition for accessing this sensitive information, understanding what the Criminal Justice Information Services division is and what its thirteen policy areas mean for your organization is essential. Let’s dive in.

What is CJIS?

Known as CJIS, the Criminal Justice Information Services division of the FBI is a high-tech intelligence hub established in 1992. Linking nearly 18,000 law enforcement agencies across the country to a massive database of crime reports, fingerprints, and other agency data, the CJIS allows law enforcement, national security, and intelligence community partners to access the information they need to protect the United States, while preserving civil liberties.

As the largest division of the FBI, CJIS comprises several programs such as the National Crime Information Center (NCIC), the Integrated Automated Fingerprint Identification System (IAFIS, superseded by the Next Generation Identification (NGI) system in 2014), and the National Instant Criminal Background Check System (NICS). Because cybersecurity threats keep changing in both rate and sophistication, CJIS publishes the CJIS Security Policy, a set of security standards that organizations handling this data must follow.

Which Industries Must Maintain CJIS Compliance?

Essentially, criminal justice and law enforcement agencies. But others that hold the same kinds of data, and the IT providers that serve them, must adhere to CJIS compliance standards as well, so that best practices are upheld for data encryption, multi-factor authentication, remote access, and wireless networks.

If your agency must ensure CJIS compliance, then it’s imperative you understand the thirteen CJIS security policy areas. Meeting these key requirements is necessary to satisfy CJIS compliance needs.

Understanding the 13 CJIS Security Policy Areas

There are thirteen policy areas which CJIS compliant organizations must be aware of and uphold. These include:

1. Information Exchange Agreements

Organizations sharing criminal justice information (CJI) with another such organization or agency must establish a formal agreement with each other to ensure that they are complying with CJIS security standards. These written agreements should document what compliance safeguards should be in place to ensure safety.

2. Security Awareness Training

All employees who have access to CJI will be required to have basic security awareness training within six months of initial assignment. Training should be conducted annually for all personnel with access to CJI information.

3. Incident Response

Organizations must have an Incident Response Plan (IRP) in place in the event of a malicious attack. This includes the capability to identify, contain, analyze, and recover from a data breach or attack in a timely manner. All incidents must be tracked and documented, and reported through the CJIS Systems Agency (CSA) Information Security Officer to the FBI CJIS Division.

4. Auditing and Accountability

Organizations must be capable of generating audit records for all systems for defined events. This includes monitoring all access to CJI: who accessed it, when, from where, and what they did with it. Access to files and folders, privileged and mailbox accounts, login attempts (successful and failed), permission changes, password modifications, and similar events should be logged and reviewed by administrators.

5. Access Control

Access control is the practice of restricting and managing which users can reach which information and systems within the network. For most organizations this means implementing role-based access control (RBAC), enforcing least privilege, and applying additional controls to wireless interfaces such as Wi-Fi and Bluetooth.

6. Identification and Authentication

Users must satisfy CJIS identification and authentication standards before accessing CJI. Advanced authentication, in practice multi-factor authentication (MFA) using two or more factors, is required in general for access from outside a physically secure location. The policy also limits unsuccessful logins: no more than five consecutive invalid attempts are allowed per user, after which the account is locked for at least 10 minutes unless an administrator releases it (it is the account that is locked, not the credentials that are reset). Passwords must be changed periodically and meet the policy’s complexity and history rules.
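The lockout rule from policy area 6 and the audit trail from policy area 4 fit together naturally, so here is an added example (not code from the original article, and not a CJIS reference implementation) showing how an application might enforce them. It assumes the v5.x figures quoted in the text (lock after 5 consecutive failures, hold the lock 10 minutes unless an administrator releases it); the class names, event names and audit record layout are our own, and the credential store and scenario are constructed.

```python
"""Account lockout with an audit trail (CJIS policy areas 4 and 6).

Added example for this article, not CJIS reference code. It assumes the
v5.x figures quoted above (lock after 5 consecutive failures, hold the lock
for 10 minutes unless an administrator releases it) and records every access
decision. Class names, event names and the record layout are our own.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5                  # CJIS: no more than 5 consecutive invalid attempts
LOCKOUT_PERIOD = timedelta(minutes=10)   # CJIS: lock for 10 minutes unless released


@dataclass
class AuditRecord:
    """Who did what, when and from where (policy area 4)."""
    when: datetime
    user: str
    event: str      # LOGIN_SUCCESS, LOGIN_FAILURE, ACCOUNT_LOCKED, LOGIN_REJECTED_LOCKED, LOCK_RELEASED
    source: str     # client address or terminal id
    detail: str = ""


@dataclass
class AccountState:
    failures: int = 0                        # consecutive failures since last success/release
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Enforces the lockout rule (policy area 6) and records every decision."""

    def __init__(self, verify_password: Callable[[str, str], bool],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._verify = verify_password       # caller supplies the credential check
        self._clock = clock                  # injectable so the scenario below is deterministic
        self._accounts: Dict[str, AccountState] = {}
        self.audit_log: List[AuditRecord] = []

    def _record(self, user: str, event: str, source: str, detail: str = "") -> None:
        self.audit_log.append(AuditRecord(self._clock(), user, event, source, detail))

    def is_locked(self, user: str) -> bool:
        st = self._accounts.get(user)
        return bool(st and st.locked_until and self._clock() < st.locked_until)

    def login(self, user: str, password: str, source: str) -> bool:
        st = self._accounts.setdefault(user, AccountState())
        if self.is_locked(user):
            # Refuse without checking the password: a locked account stays locked
            self._record(user, "LOGIN_REJECTED_LOCKED", source)
            return False
        if st.locked_until is not None:      # lock expired on its own; start a fresh count
            st.locked_until, st.failures = None, 0
        if self._verify(user, password):
            st.failures = 0
            self._record(user, "LOGIN_SUCCESS", source)
            return True
        st.failures += 1
        self._record(user, "LOGIN_FAILURE", source, f"consecutive_failures={st.failures}")
        if st.failures >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self._clock() + LOCKOUT_PERIOD
            self._record(user, "ACCOUNT_LOCKED", source, f"until={st.locked_until.isoformat()}")
        return False

    def admin_release(self, user: str, admin: str, source: str) -> None:
        """Administrator override; the release itself is an auditable event."""
        self._accounts[user] = AccountState()
        self._record(user, "LOCK_RELEASED", source, f"released_by={admin}")


def run_scenario():
    """Constructed scenario: five bad passwords lock 'jdoe'; the correct password
    is then rejected until an administrator releases the lock. Returns the three
    outcomes and the policy object so the audit log can be inspected."""
    now = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    users = {"jdoe": "correct horse battery staple"}     # constructed credential store

    def verify(user: str, password: str) -> bool:
        # constant-time compare; a real system compares password hashes, not plaintext
        return hmac.compare_digest(users.get(user, "").encode(), password.encode())

    policy = LockoutPolicy(verify, clock=lambda: now[0])
    for _ in range(MAX_FAILED_ATTEMPTS):
        policy.login("jdoe", "wrong-password", "10.0.0.7")
        now[0] += timedelta(seconds=5)
    locked = policy.is_locked("jdoe")
    rejected = policy.login("jdoe", users["jdoe"], "10.0.0.7")   # right password, still locked
    policy.admin_release("jdoe", "admin.smith", "console")
    after_release = policy.login("jdoe", users["jdoe"], "10.0.0.7")
    return locked, rejected, after_release, policy


if __name__ == "__main__":
    _, _, _, demo = run_scenario()
    for r in demo.audit_log:
        print(r.when.isoformat(), r.user, r.event, r.source, r.detail)
```

Two details matter for an auditor: a locked account is refused before the password is checked (so the lockout cannot be used as a password oracle), and the administrator release is itself a logged event with the releasing admin's identity, which is what the "who, when, and from where" requirement of policy area 4 expects.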

7. Configuration Management

Only authorized users may make configuration changes to systems that hold CJI. This covers software updates and patches as well as adding or removing hardware. Every configuration change must follow a documented procedure, and the configuration documentation itself must be protected from unauthorized access.

8. Media Protection

Organizations handling CJI must protect the digital and physical media that carry it throughout its life, and must sanitize or destroy that media when the CJI is no longer needed.

9. Physical Protection

All physical locations where CJI is stored, processed, or accessed must have physical and personnel security controls to protect the data. This may look like server rooms secured with cameras, locks, alarms, and visitor logs.

10. Systems and Communications Protection and Information Integrity

This policy area covers the organization’s overall network security and the components that support it. Organizations handling CJI must implement perimeter and host defenses such as firewalls, anti-virus software, encryption, and Intrusion Prevention Systems (IPS), and must protect the integrity of CJI both in transit and at rest. Encryption has specific requirements under the CJIS Security Policy (v5.x): CJI in transit must be encrypted by a FIPS 140-2 certified module using a symmetric cipher of at least 128-bit strength; CJI at rest must be encrypted with AES-256 (FIPS 197); and the passphrase that unlocks at-rest encryption must be at least 10 characters, not a dictionary word, and include upper and lowercase letters, a number, and a special character. Note that the 128-bit figure is a key length and the 10-character figure is a passphrase length; they are separate requirements, not one rule.

11. Formal Audits

All CJIS compliant organizations are subject to formal security audits at least once every three years to ensure all CJIS security measures are being followed. The FBI’s CJIS Audit Unit (CAU) audits each CJIS Systems Agency (CSA), and the CSA in turn audits the local agencies and vendors under it.

12. Personnel Security

Organizations must perform security screening of all employees, contractors and vendors who will have access to CJI. This includes state-of-residence and national fingerprint-based record checks (historically run against IAFIS, now NGI).

13. Mobile Devices

All mobile devices with access to CJI, including smartphones, laptops, and tablets, must be covered by an acceptable use policy and are subject to the same security measures as on-premise devices plus controls specific to mobile use. In practice this means restrictions on the applications employees can install or the websites they can reach from the device, and requiring a virtual private network (VPN) so that all data transmissions are encrypted.

How a CJIS Data Center Can Simplify Maintaining Compliance

While ensuring CJIS compliance may seem like a difficult feat, many of these necessary policy areas can be simplified with the right tools and solutions. One of the most effective ways to ensure your organization is upholding CJIS security standards is by working with a CJIS compliant data center.

Data centers that maintain CJIS compliance are experts who understand the ins and outs of the policy areas. This ensures that your organization maintains the right protocols, while allowing your internal team to focus on more pressing tasks instead of devoting time to compliance.

Failing to be CJIS compliant can be a critical blow to your organization or agency, as well as jeopardize sensitive information. Finding a data center you can trust can be an effective long-term solution for organizations looking to streamline their CJIS compliance efforts without devoting the time, money and energy needed to build and run the necessary infrastructure.

Turn to Thrive CJIS-Compliant Data Centers!

If you’re considering migrating your data to a CJIS-compliant data center, look no further than Thrive. As the only private disaster recovery data center contracted by the State of Florida, you can experience peace of mind in our security solutions! We ensure strict security protocols, 99.99%+ uptime, and meet compliance requirements for CJIS, HIPAA, PCI, SOC, and more.

Learn more about the Thrive cloud difference here, or contact one of our IT experts today for a free consultation.

What Every Business Owner Should Know About Hiring a Truthful, Capable, and Fairly Priced Computer And IT Consultant

Don’t Trust Your Company’s Critical Data To Just Anyone! 

This Advisory Guide Will Show You 11 Revealing Questions You Should Ask an IT Consultant Before Giving Them Access to Your Company’s Computer Network. Read This To Discover:

  • The “secret” of the IT industry that most don’t know and will never be told by their IT guy (knowing these 11 questions to ask ALONE could save you untold aggravation and from wasting tons of money when choosing to outsource your IT support).
  • 11 questions that, when asked, will help you instantly spot an incompetent computer technician quickly.
  • 2 important misconceptions business owners have about required computer maintenance, one of which you’ll want to know about BEFORE picking up the phone.
  • What you’ll want to know to protect yourself from viruses, worms, spyware and hackers.
  • 3 major mistakes you’ll need to avoid when choosing a computer consultant.
  • Why the “cheap” Managed Service Providers aren’t the bargain they appear to be.
  • The one glaring sign that you should run – not walk – away from an IT firm.

Choosing an IT support company isn’t the easiest thing to do. There is never a shortage of horror stories about inept computer repair “gurus” causing MORE problems than they solve. Talk to anyone, and you will get an earful of the unfortunate experiences many have encountered.

Why is this? Because the computer repair and consulting industry is not regulated and requires no certification to call yourself a computer technician. So there is no way for you to determine whether the “technician” knows what they are doing or not. While there are some repair guys out to steal your money, more often, it’s simply because they lack the skills to do the job properly. Of course, they won’t tell you that up front, and we know this exists in abundance because of the multitude of customers that have come to us to clean up the disasters these “technicians” have caused.

Dentists, accountants, automotive repair shops, electricians, plumbers, lawyers, realtors, and doctors are all heavily regulated to protect consumers. However, the computer industry is mostly unregulated, and there aren’t any laws in place to protect consumers – which is why you’ll need to arm yourself with the information contained in this report.

Right now anyone can call themselves a computer technician. Most people are honestly trying to do a good job for you. However, their inexperience can cost you heavily in terms of your network’s speed, security, and reliability. That is why we wrote this report. We want to give YOU useful information to help you guard against the lack of competence of some companies and technicians.

11 Questions You Should Ask Your Next IT Company Before Hiring Them To Support Your Network

Q1: Are their phones answered live, or do you have to leave a voice mail and wait for a callback? 

Our Answer: Our phones are answered live from 7:00 a.m. to 6:00 p.m. All clients get an emergency after-hours tech support number to call if they have a problem that can’t wait until normal business hours. Why? Many CEOs and executives find they are more productive after hours. If they can’t get logged in to the network and can’t get IT help, it’s seriously frustrating.

Q2: Do their technicians learn on your dime or do they maintain current vendor certifications and ongoing training?

Our Answer: Thrive is listed in CRN’s Tech Elite top 250 IT companies with the most industry certifications. Our technicians are required to stay certified in all the software and hardware we support, including Microsoft and Dell. 

Q3: Do they proactively look for ways to improve IT performance, or wait until you have a serious issue and only then make recommendations?

Our Answer: We are in contact with our clients on a regular basis to look for new ways to improve operations, increase productivity, lower costs, and solve problems that may arise. 

Q4: Are detailed invoices provided that clearly show what you are paying for?

Our Answer: Our invoices show exactly what work has been done, when, and why, so you’ll never be guessing what you are paying for. Also, should you ever have a question about a bill, our accounting team is just a phone call away and can get you the answers you need. 

Q5: Are projects guaranteed on budget and on time?

Our Answer: All projects have a fixed price. They are guaranteed to be completed on time and for the price agreed on. This is imperative, as there are incompetent and even unethical IT companies that will only quote “time and materials,” which allows them to take as much time as they want completing a project and forces you to pay the bill.

Q6: Do they protect you by having workers’ compensation insurance?

Our Answer: If a technician gets hurt at your office, who pays? These days, you’ll need to make sure any company you hire is insured with both errors and omissions insurance AND workers’ compensation. Be sure to insist on seeing proof of insurance. 

Q7: Will your network be monitored 24-7-365, keeping critical security patches and virus definitions up-to-date on your line-of-business applications, not just Windows, PREVENTING problems from turning into lost data and downtime?

Our Answer: Thrive’s network monitoring system keeps a watchful eye over your network, continually looking for problems and security issues that could be developing, addressing them BEFORE they turn into more significant matters.

Q8: Will a monthly report that shows all security patches, updates, and the status of every single machine on your network be provided, so you’ll know for SURE that your systems have been patched and updated?

Our Answer: Each month, our clients receive a customized Thrive report showing patches, updates, and other important network information (like hard drive space, speed, and performance, etc.). This report not only shows us what computers have problems, but it also allows YOU to see how your money is spent and hold us accountable for our work!

Q9: Is an “all-inclusive” support plan offered? Is it TRULY all-inclusive, or are there hidden fees in the fine print? 

Our Answer: Our Thrive support plan is just that – all-inclusive. This is our most popular service plan. It includes all hardware with no upfront cost, saving you money upfront and in the long run. With other service providers, you’ll want to make sure you consider a few things:

  • Will help desk support be included or is it extra?
  • What about network upgrades?
  • What about moving or adding users?
  • Is hardware included?
  • What about your line-of-business, 3rd-party software support (accounting package, Office, etc.)? 
  • If you’re not happy with their services, how do you get out of the contract?
  • Do they include off-site backups? Are they backing up the data only or the entire server? Can the server run in the cloud?
  • If you have a disaster, do they charge you for restoring your network, or is it included in the service?
  • Are on-site support calls included? 
  • Are home PCs that can be used to access the company network included or are they extra?
  • Are they scanning the Dark Web proactively to protect your credentials?
  • Do they include all of the hardware you need to keep your company safe?

Q10: Do they have a US-based help desk or is it outsourced to a third-party overseas company?

Our Answer: We provide our own in-house help desk support headquartered in Birmingham, AL, and make sure that our team is local, friendly, and helpful. We feel this is one of the most important aspects of customer service, and it also matters for keeping your data secure.

Q11: Do their technicians take the time to answer your questions, and explain what they are doing and in plain English (not geek-speak), or do they make you feel uncomfortable for asking basic questions?

Our Answer: Thrive technicians are trained to take time to answer your questions and explain everything in simple terms.  

Cybersecurity is a Corporate Fiduciary Responsibility

At Thrive, we’re passionate about helping organizations take stock of their cyber risks and manage those risks across the complex landscape of technology, business, and people.

The risks associated with cybersecurity and data privacy protection are well recognized in today’s world. Several high-profile cyber breaches have emerged recently, affecting millions of customers and employees and resulting in unprecedented losses for businesses through direct costs in responding to the breaches, business disruption, regulatory penalties, reputational damage, loss of shareholder value, and lawsuits brought by customers and business partners.

Yet, despite the extent of cyber risk in organizations of all sizes, some degree of confusion exists regarding the corporate fiduciary duties that company directors and executives have regarding cybersecurity. Many companies struggle with addressing it as a top-line risk and ensuring their directors and executives fulfill any relevant fiduciary duties under the law.

Cybersecurity is a Fiduciary Duty

Shareholders rely on the Board of Directors to protect a company’s assets. Directors owe fiduciary duties to their shareholders and have a significant role in overseeing the company’s risk management.

Though fiduciary duties vary by state, under Delaware law – the operative law for many US companies – directors have fiduciary duties of care and loyalty to the company. They need to exercise reasonable care in all decision-making without placing unnecessary risks on the organization. In the cybersecurity and privacy context, duty of care requires that corporate management keep themselves informed of corporate audit and risk committee findings.

When it comes to duty of loyalty, executives and directors have a corporate fiduciary duty to their stakeholders to act in the company’s best interests and protect stockholder investments. Cybersecurity and privacy risks can expose a company to regulatory and contractual losses, which may result in adverse impacts on the company’s financial health. When the directors fail to oversee cybersecurity, it breaches this fundamental fiduciary duty.

Consequences of Cyber Risk

The company’s Board of Directors has primary oversight responsibility and corporate fiduciary duty regarding cybersecurity and data privacy. This oversight includes responsibility for ensuring that their enterprise risk management program assesses, monitors, and reports on cybersecurity and privacy risks, including their potential impacts on the company’s bottom line. When directors fail to institute or monitor cybersecurity measures or consciously disregard red flags that they have a fiduciary duty to address, shareholders may bring claims to hold directors personally liable.

While directors may invoke the business judgment rule to excuse poor business decisions, the rule will not protect choices made without incorporating information that was available at the time. Failing to make use of such information is generally treated as negligence of corporate fiduciary duty. In its 2015 ruling in Tibble v. Edison International, an ERISA retirement-plan case whose reasoning is applied to cyber oversight by analogy, the United States Supreme Court held that “because a fiduciary normally has a continuing duty to monitor investments and remove imprudent ones, a plaintiff may allege that a fiduciary breached a duty of prudence by failing to monitor investments properly and remove imprudent ones.”

The Harvard Law School Forum on Corporate Governance article, Risk Management and the Board of Directors, further highlights this – noting that board processes and decision-making may still be questioned where there are specific allegations that directors ignored “red flags.”

Cybersecurity Risk Management

The best way to protect yourself and the company is by elevating cybersecurity to an enterprise-level risk management issue that must be evaluated, documented, and addressed/mitigated, according to the company’s risk profile and economic realities. When cybersecurity and data privacy risks remain down in the IT trenches, risk treatment options are rarely part of Board discussions. In fact, Board members may not even be aware that critical business processes are at risk, leaving them blindsided and the company vulnerable to litigation and fines.

The good news is that there are several practical steps executives and directors can take to minimize cybersecurity risks to their organizations and protect themselves from personal liability.

  • Understand the laws and regulations relating to data security and privacy that apply to your organization by consulting with the appropriate experts. Be aware of which regulatory bodies have authority over the organization.
  • Understand the impact of cyber risk: Boards must ensure that they understand the implications of cyber risk and have plans in place to deal with it. Undertake a thorough analysis of the company’s most valuable assets and determine the risk that each might present in the event of a cyber breach or loss. Determine which risks to prioritize, avoid and mitigate. It’s also vital to factor in the risk associated with partnering with third parties, as they may have their own vulnerabilities. Consider cyber insurance to mitigate risk – ask about their policy limits and exclusions and whether they cover both first and third-party data losses.
  • Incorporate cybersecurity expertise into board governance: Consider appointing a director with experience in cybersecurity who will have primary responsibility for cyber risk management. Such a person should check that the board understands the company’s critical assets, its current strengths, and weaknesses and that it operates a robust cybersecurity policy addressing each of these factors, among others. Also, seek out third-party advisers and assessors who report to the board regularly to update the group on recent cyber incidents, trends, vulnerabilities, and risk predictions. This helps to ensure effective oversight of management.
  • Assess current cybersecurity practices: Ensure that your organization has cybersecurity policies tailored to your risk profile, and those policies are adequately implemented, enforced, and regularly updated. Implement a management response plan to potential cybersecurity breaches. The plan should identify who will be responsible for making decisions when a breach occurs and what actions the company will take in the event of a breach.
  • Cybersecurity training: Ensure that the company’s cyber policy provides regular cybersecurity training to employees. It should contain a practical and efficient incident response plan that will help mitigate any damage caused by a cyber-attack. Everyone in the organization needs to participate in the employee cybersecurity training, including directors and executives.
  • Consider hiring outside cybersecurity experts to evaluate the company’s level of preparedness for a breach. Many companies lack the internal security expertise to run a cybersecurity program. Outside experts can review red flags and the adequacy of insurance, conduct stress-testing, implement an effective cybersecurity policy, and craft and test a practical incident response plan. Having brought in an outside expert can also pay off later in the event of a breach: if you can show on record that experts have assessed your IT infrastructure, you have a paper trail documenting your preparedness efforts.

Bottom Line

Enterprises face cyber threats and attacks every day. In fact, it’s not a matter of if a cyber breach will occur, but when and how significant the breach will be. As such, directors and officers must fulfill their fiduciary duties by ensuring the company has an adequate and tested cybersecurity program in place and is prepared to respond to a data breach quickly and adequately. This will not only help protect them from potential personal liability, but it will also protect the organization, its customers, employees, and shareholders.

We can improve your organization’s cyber risk posture by performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, and advising board members on effective governance of cyber risks. Contact us today to schedule a consultation with our cybersecurity experts.

5 Predictions for the Digital Future of Social Housing

Digital technologies have already had an enormous impact on the way we work, shop and communicate. Every day, we see first-hand the value of the digital experience with 24×7 access to services and an experience that is personalised to our specific needs and preferences.

Digitisation has great power to transform the social housing sector, streamlining processes for field operatives, transforming engagement with tenants, and helping to deliver a more proactive approach to housing management and maintenance.

While researching our recent report on The Future of Technology within Social Housing, a number of consistent themes emerged around how digitalisation is set to, and in some cases is already, transforming the sector. We have pulled out the top five of these trends to make some predictions for the digital future of social housing.

1. Tenants Can Help Themselves

While the drive to encourage tenants to use voice or web-based portals has existed for several years, recent circumstances have accelerated the shift to digital channels. Digital adoption has increased as more tenants become tech-savvy, and since the pandemic has restricted access to face-to-face interaction, tenants are readier to accept self-service options. Although a proportion of tenants still rely on person-to-person support, a growing number of tenants prefer to manage their own accounts through apps or online portals which make it easier to check rent payments, report maintenance issues or simply update personal details.

2. Smarter Systems Will Add Value

The Internet of Things (IoT) is at the heart of digital transformation, allowing property managers to connect any device to the internet and gather real time data in centralised systems. IoT devices can help to optimise energy usage and reduce the carbon footprint of homes through better control over heating and other energy uses. Many housing organisations are already using intelligent sensors to monitor environmental factors such as heat, humidity and carbon monoxide, allowing them to proactively take care of both their properties and residents. Smart and wearable technology can even digitally connect vulnerable tenants to support services, whether they are at home or out-and-about.

3. Data Management Will Be Digitally Streamlined

Digital channels not only connect tenants to landlords; mobile devices provide field workers with real-time access to information and systems. By automating many processes and creating a digital thread across the organisation, housing providers can remove many time-consuming manual processes, avoid duplication of administrative tasks, and reduce the delay in responding to tenant requirements. The digitisation of information will enable housing providers to collect and leverage data, creating a single consolidated view of tenants and properties and providing invaluable insights to better inform decision making.

4. Digitalisation Will Enable Us To Be Proactive

Social Housing has traditionally operated in a reactive rather than proactive manner, only responding to events such as a reported repair issue or a tenant falling into arrears after they occur. This often results in somewhat unstructured and inefficient action to remedy the problem, where an earlier intervention could perhaps have prevented the issue occurring and saved money.

The great wealth of data that comes with digitisation offers an opportunity for housing providers to fundamentally shift their working practices. Tapping into data from IoT sensors can flag potential maintenance issues and enables more efficient asset management. Big data and analytics can help housing providers identify the characteristics that indicate a tenant is struggling to pay rent, so they can take action to prevent them falling into arrears.

5. IT Infrastructure Will Become More Agile

One of the key factors limiting digital transformation in social housing is the underlying IT infrastructure. Updating systems may be seen as a ‘nice to have’ expense but maintaining outdated IT infrastructure could actually be costing organisations more money. Digital methods of working require infrastructure that can handle large volumes of data in real time, that can adapt to changing levels of workload, and provide high levels of security to protect customers’ personal data and business critical applications.

To reap the benefits of digital transformation, organisations need to create an agile IT environment that leverages cloud infrastructure to provide limitless compute and storage capacity on demand and a dynamic software-defined network environment that automatically adjusts to the demands being placed on it.

There is no doubt that the future of social housing lies in greater adoption of digital technologies, from cloud infrastructure to communications channels, smart sensors to mobile payments. The only question is how quickly social housing providers will be able to embrace new skills and implement technologies that enable this transformation.

Is Your MS Azure Cloud Truly Optimised For Your Needs?

Microsoft Azure is helping organisations to build greater agility into their IT infrastructure with near-limitless capacity and scalability, the ability to consume infrastructure as a cost-effective operating expense, and access to ready-made environments and services that can be spun up at lightning speed.

Microsoft Azure provides you with one of the most comprehensive ranges of public cloud services, however, with such breadth of services also comes complexity. How do you ensure you are utilising the service plans that are best aligned to your needs? Are you leveraging all of the capabilities that would deliver value to you? Is your environment configured in a way to deliver the best possible performance?

Continually Optimising MS Azure is Essential

With any IT environment it is essential that you continually review the services that it provides and align these to changing business needs. With a platform like MS Azure that itself is continually evolving and offering new capabilities and services, keeping abreast of what options are available and optimising your subscribed services is key to driving the best possible value for money.

In our experience of utilising, managing and optimising Microsoft Azure, there are five key areas that organisations should be reviewing on a periodic basis to ensure they are maximising their investment in this public cloud.

Infrastructure Services

With Microsoft constantly introducing new virtual machine sizes and series at better price points, you need to be making the best use of these. When was the last time you reviewed your VM sizing to ensure you are getting the best possible performance and cost from your virtual machines?

You need to be looking at your usage of Availability Sets and Availability Zones to ensure that critical services are spread across multiple fault and update domains and, if required, across multiple zones in the region, to ensure maximum availability and continuity. You should also review your usage of managed and unmanaged disks (Microsoft is retiring unmanaged disks, so plan that migration), aligning your needs to the best possible cost options, and make sure you are taking full advantage of encryption at rest.

Platforms

If you are using platform services such as App Services, SQL Services or Data Services, you need to be reviewing these in order to get the best possible performance and have these configured in the right way to provide the continuity and availability that you require.

Networking

The networking aspects of your MS Azure environment, including virtual networks, subnets, VNet peering, user-defined routes and virtual network gateways, all contribute significantly to performance. Ensuring these are configured correctly and continually optimised is essential. In a similar manner, you should be reviewing the sizing of ExpressRoute circuits and Metered Bandwidth to ensure these are optimised against your requirements and usage.

Security

As part of mitigating risk within your public cloud environment, you need to continually review your network security. Review your Network Security Groups in MS Azure to ensure they are assigned at the right level. If you are using a Firewall in Azure, its security rules should be reviewed; if you are not using a Firewall, consider one as a central way to manage Azure network security. Follow best practices for public IP addresses, Azure AD Connect and subscription permissions, and diligently remove users who have left the business.
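As an added example (not Thrive's tooling or part of the original article), a Python check for one item in that review: inbound NSG rules that open SSH or RDP to the internet, taking Azure's lower-number-wins priority ordering into account so that an Allow shadowed by a lower-numbered Deny is not reported. The rules are constructed, and their field names are assumed to mirror the ARM securityRules schema.

```python
# Audit an Azure NSG for inbound Allow rules that expose SSH/RDP to the internet.
# Simplification: only internet-wide sources ('*', 'Internet', '0.0.0.0/0') are
# considered; Azure's default rules (priority 65000+) are ignored because any
# custom rule (100-4096) takes precedence over them.

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0"}

# Constructed sample NSG; field names assumed to follow the ARM securityRules schema.
SAMPLE_NSG = {
    "name": "web-tier-nsg",
    "securityRules": [
        {"name": "allow-rdp-from-internet", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389"},
        {"name": "allow-web", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRanges": ["80", "443"]},
        {"name": "allow-ssh-from-office", "priority": 120, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
         "destinationPortRange": "22"},
        {"name": "deny-mgmt-from-internet", "priority": 200, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRanges": ["22", "3389"]},
        # Broad allow, but the Deny at 200 is evaluated first, so it is shadowed.
        {"name": "allow-any-inbound", "priority": 400, "direction": "Inbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"},
    ],
}


def dest_ports(rule):
    """Set of destination ports a rule matches, or None when it matches every port ('*')."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for item in raw:
        item = str(item).strip()
        if item == "*":
            return None
        low, _, high = item.partition("-")          # "22" or "3000-4000"
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def covers_port(rule, port):
    ports = dest_ports(rule)
    return ports is None or port in ports


def from_internet(rule):
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(str(s).lower() in INTERNET_SOURCES for s in srcs)


def covers_tcp(rule):
    return str(rule.get("protocol", "*")).lower() in ("*", "tcp")


def find_exposed_management_ports(nsg):
    """Return (rule name, priority, port, service) for each unshadowed internet-facing SSH/RDP allow."""
    inbound = [r for r in nsg.get("securityRules", [])
               if str(r.get("direction", "")).lower() == "inbound"]
    denies = [r for r in inbound if str(r.get("access", "")).lower() == "deny"]
    findings = []
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if str(rule.get("access", "")).lower() != "allow":
            continue
        if not (from_internet(rule) and covers_tcp(rule)):
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if not covers_port(rule, port):
                continue
            # A Deny with a lower priority number wins, so the Allow never applies.
            shadowed = any(d["priority"] < rule["priority"] and from_internet(d)
                           and covers_tcp(d) and covers_port(d, port) for d in denies)
            if not shadowed:
                findings.append((rule["name"], rule["priority"], port, service))
    return findings


def audit_sample():
    return find_exposed_management_ports(SAMPLE_NSG)


if __name__ == "__main__":
    for name, prio, port, service in audit_sample():
        print(f"{SAMPLE_NSG['name']}: rule '{name}' (priority {prio}) exposes {service}/{port} to the internet")
```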

Microsoft is continually introducing additional security services to help protect your environment, such as Azure Threat Protection, and there are significant benefits in utilising them.

Monitoring & Management

The way you monitor and manage your MS Azure environment is also something you should be reviewing at regular intervals to ensure you are doing this in the best way possible. What alerts do you have in place and how are you utilising Log Analytics to support operational management?

It is key that you not only have the required housekeeping in order, including patch and software update management, but have tight controls over the costs and services that you are consuming.

We’re Here If You Need Us

With extensive expertise and experience across Microsoft Azure services, the team at Thrive are helping many of our customers to continually review and optimise their MS Azure environments, delivering the best of both worlds: improved performance and reduced cost.

We offer a Microsoft Azure Optimisation Service where we review all of the areas outlined above, as well as many more, to ensure that you are maximising your investment and delivering the performance and services required by your business. We also offer a range of Lifecycle Services for MS Azure to ensure best-practice management of your platform and continual optimisation and alignment of your subscribed services.

A Go-To Guide About DRaaS for Government Agencies

As we enter a new decade, naturally a time of reflection on where we have been and where we are headed, it's impossible not to notice that the last decade was marred by significant natural disasters on a scale we had not yet seen. It is the expectation of citizens and the role of government to oversee disaster relief and assistance during the aftermath. In order to do so, government agencies must ensure that their data is secure and that a disaster recovery plan is in place should their facilities be located at the nexus of a natural disaster.

In 2020, we saw an increase in the demand for services during the Coronavirus pandemic. It's clearer now than ever that a disaster recovery plan is essential to ensuring services are not interrupted. When coupled with those who'd seek to take advantage of an overwhelmed system and exploit any vulnerabilities, protecting data and ensuring continuity should be focal points of any disaster recovery plan.

What is Disaster Recovery?

For many years, disaster recovery strategies focused predominantly on the procedures required to ensure that the physical infrastructure of a network or system would remain intact and/or recoverable should there be a disaster, whether natural or caused by humans. However, as technology services have grown and expanded, including the introduction of cloud computing which means physical infrastructure may be off-premises, disaster recovery plans have similarly grown to encompass much more.

In short, disaster recovery includes all plans, procedures, people, and tools needed to ensure that the technological systems, both physical and logical networks, required to maintain critical infrastructure are capable of either continuing to run or being fully recovered should a disaster strike.

Components of an Effective Disaster Recovery Plan

In creating a disaster recovery plan, it’s essential to include all aspects of what makes your system run, what puts it at risk, and who needs to be involved.

1. Create your disaster recovery team.

Identify organizational leaders who have knowledge of both your IT infrastructure as well as government critical systems and processes. While your IT professionals are a critical component of this team, you’ll also want to be sure you include individuals who are skilled at managing teams during a crisis, prioritizing and delegating tasks, effectively communicating next steps and needs, and both identifying and removing obstacles to progress. Further, you want to include someone whose focus is strategic to ensure organizational continuity. And finally, you want to make sure you have enough skilled team members to implement plans.

2. Identify risks in your organization.

It's hard to develop a plan if you don't know what you're up against. First, you'll want to consider potential natural disaster risks; this is especially true if your organization or the data center it partners with is located in a high-risk area. However, your plan should also consider potential human-caused disasters as well as catastrophic technology failures. Each potential risk will require a different response, and recovery from each will likely be feasible within a different timeframe.

3. Identify top priority systems, data, applications, and resources.

The first part of your plan, if continuity of service is possible, is to ensure access to these critical resources remains open so the organization can continue to perform its duties. This is vital for government organizations who, in many cases, must continue to provide services to citizens in need in the case of a widespread disaster. In contrast, if those applications cannot run, the data is not accessible, and systems are not running, it is vital that there be a plan to not only restore their function, but potentially fully recover them as well.

4. Determine data backup procedures.

In order to restore and recover, you'll need to determine the four W's of your critical infrastructure. What gets backed up? By whom? Where? When (how often)? You'll want to make sure the appropriate team members have access to this information and that those backup facilities also have a disaster plan in place. Ensuring that this backup process is followed, regardless of how secure a system feels, is vital.

5. Maintain, update, test.

A disaster recovery plan is only as effective as an organization’s maintenance of that plan. That means you’ll need to test it to analyze where there are vulnerabilities and gaps in the communication or even the plan itself. Regular reviews and testing will allow your organization to update your plan as needed.

Why Government Agencies Need a Disaster Recovery Plan Now More Than Ever

Rampaging wildfires. Violent hurricanes. Unprecedented flooding. A worldwide pandemic. All of these disasters have happened within the last 5 years, and have been responsible for significant destruction of not just buildings and homes, but entire communities. In fact, from 2015-2018 alone, 15 different disasters resulted in over a billion dollars worth of damage. And FEMA asserts that now is the time for us to take proactive measures. This includes your disaster recovery plan, especially as a government agency upon which many people rely.

While natural disasters can happen anywhere, there are places that are more prone to them, including California, one of the United States' most populous states and home to Silicon Valley, the epicenter of much of America's technology. While we can predict the likelihood of disasters and are getting better at forecasting risks, 2020's global pandemic taught us that we are fallible: even in the face of predictions, we were still susceptible, and so we must be prepared.

With the economy grinding to a halt, critical health infrastructure on overload, supply chain interruptions, and an increased demand on government agencies overseeing those sectors as well as social safety nets, many caught a glimpse of what load agencies could bear and would need to bear. It was, for many, a quick lesson in what critical organizational needs would need to be part of a comprehensive disaster recovery plan.

But that's not the only threat out there. The SolarWinds Orion supply chain attack demonstrated how vulnerable even government systems can be to hackers, and to those who seek to disrupt services through a DDoS attack. When coupled with statistics that suggest ransomware attacks increased by 715% in 2020, being prepared for all disasters, natural and manmade, is essential.

What is DRaaS?

Disaster Recovery as a Service (DRaaS) is when at least a portion of your disaster recovery is outsourced to a service provider who has considerable expertise in overseeing continuity plans as well as recovery for critical systems and infrastructure. Using a managed cloud infrastructure, your partner ensures essential and valuable tools and resources are replicated in the cloud so, when needed, you can shift your operations to a full backup and keep working through the disaster, when people need you most.

Top 3 Reasons Government Agencies Should Leverage DRaaS

While one of the primary reasons is obvious (having a reliable partner who has expertise in backup and recovery offers peace of mind), there are a few other great reasons for government agencies to use DRaaS to ensure that critical government information and services are able to continue to perform when they’re needed.

1. Reduce Overall IT Costs

It's no secret that budgets are tight across the board, whether you're an NGO or a government agency, and being able to prioritize funding for the areas that need it most should be mission critical. Fully replicating your system in a safe off-site location is a major expenditure. Further, the maintenance and upkeep of that facility is likely a much larger drain on a budget than the monthly service fee charged by a provider, which also moves that spend from CAPEX to OPEX.

2. Increase Data Recovery Speeds And Efficiency

With today’s DRaaS models, organizations can be brought back up and running in no time, to ensure quick data recovery whether facing an attack from malware or Mother Nature. A hosted cloud backup can run continuously, ensuring the integrity and accuracy of your backups. Similarly, when you need to recover, you can do so quickly.

3. Free Up Your Valuable IT Resources

Time is valuable. As noted above, disaster recovery and your disaster recovery plan must be exhaustive, and that takes time, effort, and resources, including human resources. It's likely that your IT team, as well as your leadership team, have other priorities, and DRaaS frees them up to focus on those. There's no need to worry about a secondary site, backups, or the infrastructure and expenditures to manage those. Allow your team to prioritize your mission, while your provider prioritizes your disaster recovery.

How DRaaS Can Prevent Government Breaches and DDoS Attacks

In talking about disaster recovery, we tend to focus on catastrophic natural events and potential infrastructure events (power outages) that could impact systems and networks. However, one of the biggest threats before any IT department is a malicious actor desirous of taking out or taking down a system. Unfortunately, we’ve learned recently that even adherence to government compliance rules doesn’t secure your data or systems. Malware, ransomware, breaches and DDoS attacks can have the same impact as a natural disaster, costing you valuable time, money, and resources. In fact, more and more security breaches and attacks are being classified as disasters.

For nearly half of the business sector respondents, the service disruption caused by a cyberattack is the biggest impact. So, what’s the best way to prevent this disruption? Having in place a secure, reliable, and efficient backup that moves into service when you need it, regardless of the cause.

Additionally, with DRaaS providers you get not only the service but also the expertise of IT professionals who can provide security advice, guidance on government compliance concerns, and best practices to secure your data. These partners can likely provide data protection as well as review your existing environment to help you identify potential vulnerabilities. Further, that backup data is secured and supported by policies, procedures, and network infrastructure that ensure its integrity and safety.

Transform Security in Your Government Agency With Thrive’s Industry-Leading DRaaS Solutions

The most important element of your disaster recovery strategy, when you choose DRaaS, is knowing that your partner has the expertise to support and advise your team. You want to know that the solutions and services available can be tailored to your needs and still deliver the reliability and efficiency you require.

If the dangers of the modern IT landscape, whether natural, man-made, or malicious, are a concern for your organization, get in touch with us today so we can talk about how to protect your critical data today, tomorrow, and into the future, whatever challenges that might bring.

Why Is PCI Compliance Necessary?

Thrive – your cybersecurity experts in Miami. Helping local businesses with PCI compliance and other security needs. Call now.

The payment card industry understands the need for security like perhaps no other industry. Cardholder data is the most sensitive information about an individual, essentially a digital identity. Without proper security protections, leaked cardholder data can all too easily grant unauthorized access and lead to identity theft and credit card fraud.

With all the players in the payment card industry, maintaining security standards is the greatest challenge faced by all. Over the years, the payment card industry has experienced repeated major evolutions, from antiquated manual imprinters with paper receipts – no phone line necessary – to an eCommerce-driven economy with online transactions.

Why the Internet Challenges the Payment Card Industry

Leveraging state-of-the-art technology, the payment card industry relies on digital communication in a delicately balanced technology ecosystem. This ecosystem requires sophisticated security measures to provide cybersecurity for cardholder data. The dependency on the Internet and the variety of players involved in each transaction are exactly why cybersecurity measures are so crucial.

From the days of dial-up transmitting data over legacy telephone lines – “landlines” – to more advanced processes today involving dedicated networks with regulated protocols to protect digital data, payment card transactions pose unique risks that require unique solutions.

What Does PCI Compliance Involve?

Technology is at the core of modern payment card transactions, from vendors and merchants to payment processing networks and credit card companies. The more parties that are involved, the greater the need for heightened security to offset the risks of unauthorized access at just one of the endpoints.

In 2006, the major credit card companies agreed to form an oversight body that would drive innovation and technology with regard to security standards: the Payment Card Industry Security Standards Council. Its focus is protecting cardholder financial account information by establishing uniform security guidelines that minimize the risk of exposure of cardholder data.

The Council operates based on a set of security guidelines, the Payment Card Industry Data Security Standard (PCI DSS), detailing how cardholder data should be safeguarded throughout payment card transactions. The PCI DSS requirements direct how this data needs to be protected, including how the data is stored, accessed, and processed. These requirements focus on the technology in the payment card industry ecosystem, addressing cardholder financial account information security in key areas:

  • Secure IT systems and networks
  • Encrypt cardholder information
  • Check often for security updates, and install them promptly
  • Limit access to sensitive information
  • Track and log all network activity to detect and prevent unauthorized access
  • Establish a formal information security policy for all users, and enforce its protocols

Why Should You Want to Become PCI Compliant?

The areas outlined here focus on a common theme: advanced technology needs advanced security. Advanced security for your technology has the added benefit of protecting other areas of your business to prevent unauthorized access and data breaches.

Businesses that process payment card transactions and fail to become PCI compliant also face large penalties and fines for negligence. The risk of potentially exposing cardholder data to identity theft and credit card fraud is just too great a cost.

CJIS Compliance in the Cloud: What Government Agencies Need to Consider

When law enforcement and government agencies share data and intelligence, the ability to track criminals, solve crimes, find missing people, and provide a better standard of public service becomes much more effective. This sounds like an obvious win, so how come law enforcement agencies have been slow to embrace cloud computing and the collaboration benefits it provides? To understand their hesitation, it helps to look at the history of Criminal Justice Information Services (CJIS).

What is CJIS?

Established in 1992, the Criminal Justice Information Services (CJIS) division of the FBI is a high-tech intelligence hub housed in the hills of West Virginia. Linking nearly 18,000 law enforcement agencies across the country to a massive database of crime reports, fingerprints, and other agency data, the CJIS gives law enforcement, national security, and intelligence community partners the information they need to protect the United States, while preserving civil liberties.

History of CJIS Compliance

CJIS policies cover best practices in wireless networking, remote access, data encryption, and multi-factor authentication. For the CJIS security policy to be effective, however, cooperation across various levels of government is required. Complicating matters further, there is no nationwide, uniform certification system for CJIS compliance. Instead, each state's government manages CJIS compliance semi-independently through a state-appointed CJIS Systems Officer (CSO) who administers policy for computers, networks, and other parts of the CJIS infrastructure. The CSO is also tasked with ensuring that organizations are obeying CJIS regulations, documenting compliance, and reporting back to the FBI. This hodge-podge of similar-but-different rules used across the country, and the other government red tape surrounding CJIS compliance, has deterred many law enforcement organizations from sharing data in order to keep their noses clean.

Challenges Concerning CJIS Compliance for Government Agencies

If law enforcement and government agencies are encouraged to share data, even across jurisdictions, why does CJIS compliance make it so difficult to accomplish? Obviously, Criminal Justice Information (CJI) is highly sensitive, so organizations running within a CJIS-compliant cloud need robust cloud computing security policies in place governing everyone who has access to data, from the cloud provider to internal clerical and IT support staff. That's not all; data at rest and data in motion also need to be CJIS compliant. This means all organizations must use at least 128-bit encryption to protect digital intelligence while in storage or transit so hackers and spies cannot employ deciphering techniques.

How Can Your Government Agency Maintain CJIS Compliance?

One of the best ways to ensure your government agency is consistently maintaining CJIS compliance is to work with a trusted, CJIS-compliant cloud provider and employ an effective CJIS policy for your organization. Having experts on your side who know the ins and outs of CJIS compliance regulations means your internal team can focus on more important tasks instead of worrying about compliance! When considering cloud solutions, CJIS-bound agencies must look for cloud storage providers with heightened security that follows all CJIS compliance requirements, along with flexible, budget-friendly options.

Tips for Choosing a CJIS-Compliant Cloud Provider for Your Government Agency

Choosing a reputable cloud services provider is crucial for government and law enforcement agencies migrating to the cloud. To minimize risk and maintain the security of critical CJI and other sensitive data, be sure that your potential provider has been audited by the state's CJIS Systems Agency (CSA), which ensures that, at a minimum, the provider does each of the following as outlined by the CJIS:

  • Limits access to intelligence based on employee job assignment, network address, location, and time of day.
  • Employs restriction measures to prevent unauthorized users from accessing information they don’t need to perform job duties.
  • Limits login attempts to five tries, after which users will be locked out until they contact an administrator.
  • Employs a session lock timer which engages after 30 minutes to prevent unauthorized users from accessing data should a user forget to logout.
  • Performs ongoing monitoring and automatic recording of various activities (such as password changes) and maintains these logs for at least one year.
  • Uses multi-factor authentication for highly sensitive data (for example, a software application may generate a unique, one-time password at timed intervals, which adds a second step to logging in and provides another barrier against ransomware and data thieves).
  • Maintains division between physical and virtual servers that store intelligence, and those that can be accessed by the public through webpages and internet portals.
  • Performs criminal background checks on all employees with access to unencrypted intelligence, and performs ongoing and frequent employee training on CJIS best practices with ample documentation and knowledge sharing.
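As an added illustration (not code from Thrive or from the CJIS policy itself), the login lockout, inactivity lock, one-time-password and audit-retention controls from the checklist above, implemented in Python with the thresholds the list states. The account, salt, TOTP secret and clock values are constructed for the walkthrough; a real system would persist the audit trail rather than keep it in memory.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are the ones stated in the CJIS checklist above.
MAX_FAILED_ATTEMPTS = 5                     # lock the account on the fifth failure
SESSION_LOCK_AFTER = timedelta(minutes=30)  # idle sessions must re-authenticate
AUDIT_RETENTION = timedelta(days=365)       # audit records are kept at least a year


def totp(secret: bytes, when: datetime, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1, 30 s steps): the app-generated password in the list."""
    counter = int(when.timestamp()) // step
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked_out: bool = False                 # cleared only by an administrator
    last_activity: Optional[datetime] = None


class AccessGate:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.audit = []                      # (timestamp, event, username)

    def _record(self, when, event, username):
        self.audit.append((when, event, username))

    def login(self, username, password, code, when) -> str:
        acct = self.accounts[username]
        if acct.locked_out:                  # stays locked until an admin clears it
            self._record(when, "login.locked_out", username)
            return "locked_out"
        pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)
        mfa_ok = hmac.compare_digest(totp(acct.totp_secret, when), code)
        if pw_ok and mfa_ok:
            acct.failed_attempts = 0
            acct.last_activity = when
            self._record(when, "login.success", username)
            return "ok"
        acct.failed_attempts += 1
        self._record(when, "login.failure", username)
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_out = True
            self._record(when, "account.locked", username)
            return "locked_out"
        return "denied"

    def activity(self, username, when) -> str:
        """Call on every request: 30 minutes without activity locks the session."""
        acct = self.accounts[username]
        if acct.last_activity is None or when - acct.last_activity >= SESSION_LOCK_AFTER:
            acct.last_activity = None
            self._record(when, "session.locked", username)
            return "reauthenticate"
        acct.last_activity = when
        return "ok"

    def admin_unlock(self, username, admin, when):
        acct = self.accounts[username]
        acct.locked_out, acct.failed_attempts = False, 0
        self._record(when, f"account.unlocked_by:{admin}", username)

    def prune_audit(self, now) -> int:
        """Remove only records older than the retention window; returns how many were removed."""
        keep = [r for r in self.audit if now - r[0] < AUDIT_RETENTION]
        removed = len(self.audit) - len(keep)
        self.audit = keep
        return removed


def demo_scenario() -> dict:
    """Constructed walkthrough: five bad logins, admin unlock, a session idling past 30 minutes, retention."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    salt, secret = b"constructed-salt", b"constructed-totp-secret"   # demo values only
    gate = AccessGate([Account("jdoe", salt, hash_password("correct horse", salt), secret)])
    out = {"attempts": [gate.login("jdoe", "wrong", "000000", t0 + timedelta(seconds=i)) for i in range(5)]}
    out["while_locked"] = gate.login("jdoe", "correct horse", totp(secret, t0), t0 + timedelta(minutes=1))
    gate.admin_unlock("jdoe", "cso-admin", t0 + timedelta(minutes=2))
    t1 = t0 + timedelta(minutes=3)
    out["after_unlock"] = gate.login("jdoe", "correct horse", totp(secret, t1), t1)
    out["active"] = gate.activity("jdoe", t1 + timedelta(minutes=29))   # inside the window
    out["idle"] = gate.activity("jdoe", t1 + timedelta(minutes=59))     # 30 min idle: locked
    out["pruned_early"] = gate.prune_audit(t1 + timedelta(days=364))    # nothing old enough yet
    out["pruned_late"] = gate.prune_audit(t1 + timedelta(days=366))     # every record is past a year
    return out
```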

Powering Government Agencies With Compliance and Efficiency

If you’re considering migrating your data to the cloud, consider Thrive. We ensure strict security protocols, 99.99%+ uptime, and a complete compliance package, meeting requirements for CJIS, HIPAA, PCI, SOC, and so on. Learn more about the Thrive difference here, or contact one of our IT experts today for a free consultation.

How Government and Law Enforcement Can Be CJIS Compliant While Mobile

The internet has gone on a permanent ride-along. It wasn't long ago that gathering information and getting online meant police officers and other law enforcement officials needed to get to a secure desktop computer at HQ, log on through a car-mounted device, or rely on radio information from a dispatcher connected at the station. But today, just like nearly 80% of Americans, law enforcement officials are performing many of their job functions on a mobile device. While this offers a host of benefits, it does raise concerns regarding Criminal Justice Information Services (CJIS) compliance.

Benefits of Mobile Devices for Government and Law Enforcement

By utilizing their smartphone or other handheld technologies, police officers and law enforcement officials can stay connected, even after leaving the confines of their office or vehicle. They’re able to maintain access to critical information, in addition to being able to engage with the general public and solve challenges much more effectively. Some of the ways that mobile devices improve law enforcement effectiveness and efficiency include:

  • Capturing photos, video, or audio
  • Access to Computer-Aided Dispatch (CAD) applications
  • Access to departmental policies and resources
  • Issuing electronic citations
  • Identifying individuals through biometrics (facial recognition, fingerprinting, or iris scanning)
  • Language translation
  • Drug identification
  • License plate scanning and identification
  • Driver’s license scanning and verification
  • Breathalyzing suspects (no need for a separate unit)
  • Two-way communication with fellow officers

That's not all. Mobile devices can also improve situational awareness through location services, improving officer safety (they can also be used for officer-in-duress alerts, i.e. SOS messaging).

Tips for Implementing a Law Enforcement Mobile Program

When accessed in the cloud through a mobile device, criminal justice information needs to be properly secured. While some smaller agencies may have a “bring your own device” (BYOD) policy, it can often be a recipe for disaster. BYOD may be acceptable for the most basic phone functions, but it simply is not secure enough to meet most CJIS compliance regulations regarding the access of sensitive government information. Instead, law enforcement agencies should provide agency-issued phones connected to a strong enterprise mobility management (EMM) infrastructure that operates through a secure virtual private cloud (VPC). This requires a few steps:

  1. Software Assessment. A review of existing software components and their compatibility with mobile devices.
  2. Mobile Carrier. “No service” is not acceptable! Agencies need to find a carrier that offers the “three C’s”—coverage, customer support, and cost benefits.
  3. Cloud Provider. Agencies will want to find a provider offering high levels of security and complete CJIS compliance.

Once these steps have been taken, agencies can begin their rollout (possibly utilizing a test group before deploying mobile technology department-wide). Devices will need to be properly configured, and PINs, passwords, and biometrics will need to be set up to unlock certain functions in compliance with CJIS regulations. A written policy explaining the benefits of the mobile program and expectations (what is and what is not allowed) should also be provided to each user. Training to provide an understanding of cybersecurity and data breaches is also a must, as individuals' understanding of these potential threats may vary.

What is CJIS Compliance?

Criminal Justice Information Services, or CJIS, is a division of the FBI that monitors criminal activities in local and international communities using analytics and statistics provided by law enforcement. The CJIS databases provide a centralized source of criminal justice information (CJI) to agencies nationwide. The mission of CJIS is, "To equip our law enforcement, national security, and intelligence community partners with the criminal justice information they need to protect the United States while preserving civil liberties." CJIS policies cover best practices in wireless networking, remote access, data encryption, and multi-factor authentication.

How Do CJIS Compliance Regulations Impact Mobile Device Programs for Government and Law Enforcement?

CJIS regulations affect almost every aspect of data management within law enforcement agencies, and compliance is mandatory when accessing CJIS-controlled databases. Despite the relative newness of mobile access, strict protocols are already in place regarding the use of mobile devices. This is to protect the criminal justice database systems and the sensitive personal data they hold, such as an individual's criminal and identity history, biometrics, and property possession.

Understanding CJIS Policy Section 5.13

When rolling out a mobile program and selecting software, mobile carrier, and cloud provider, agency administrators should pay close attention to CJIS Policy Section 5.13, which specifically covers mobile cellular devices. Within this section, the following minimum standard requirements are detailed. Mobile devices must have the following capabilities:

  • Remote wiping of device
  • Remote locking of device
  • Setting and locking device configuration
  • Detection of “rooted” and “jailbroken” devices
  • Enforcement of folder- or disk-level encryption
  • Application of mandatory policy settings on the device
  • Detection of unauthorized configurations
  • Detection of unauthorized software or applications
  • Ability to determine the location of agency-controlled devices
  • Prevention of unpatched devices from accessing CJIS systems
  • Automatic device wiping after a specified number of failed access attempts

CJIS Compliance for Cloud Usage in Government Agencies and Law Enforcement

CJIS compliance also gets specific when it comes to the use of the cloud and cloud storage within CJIS Security Policy Section 5.10. Despite the abundance of cloud providers out there, law enforcement organizations taking advantage of the cloud’s storage capacity benefits will want to find a provider that meets CJIS requirements. Be wary of providers claiming they are “CJIS certified,” as no central certification or accreditation exists for CJIS. A good rule of thumb is to find a provider that has services available for purchase through a General Services Administration (GSA) contract. The GSA was established in 1949 and helps support the basic functions of federal agencies.

Today’s smartphones and mobile devices offer a wealth of benefits for police officers and other law enforcement officials, but it’s important to remain CJIS compliant to protect yourself, the agency, and the public at large. By working with carriers and cloud providers that meet CJIS requirements, and remaining on top of their ever-changing regulations, government agencies and law enforcement organizations can take advantage of the benefits and avoid negative consequences.

Ensure CJIS Compliance in Your Government or Law Enforcement Agency With Thrive!

Considering a mobile program rollout within your organization? Then consider Thrive. We ensure strict security protocols, 99.99%+ uptime, and a complete compliance package, meeting the requirements for CJIS. Learn more about the Thrive difference here, or contact one of our IT experts today for a free consultation.

New Year. New Scams.

It’s a new year. And the scam emails are already coming again.

In fact, they never stopped.

Thrive HQ has received some of these. Since awareness of these threats is one of the best forms of protection, we’d like to share one of the latest.

Scam Email Screenshot

One of the biggest giveaways of a scam email is jagged English. The subject of this email is “Today Expiration Date.” From the get-go, the recipient knew something was fishy, er… phish-y.

"Many cyber scammers are foreigners," said Aaron Allen. "An email coming from a big-name company like Microsoft or Apple or Amazon is going to be polished. When you see awkward phrasing, misspelled words, or missing punctuation, you have a big indicator that something is not right."

Once inside the actual email, there are other signs this is a malicious email.

"The presence of convoluted and really long URLs is another indicator of a scam," continued Allen. "Oftentimes, the sender's email (or any hyperlinks within the document) lead to URLs that have nothing to do with the supposed company sending the email."

Indeed, in this email the sender's address is ultra-long. It has Microsoft terminology sprinkled in (msonline, outlook), and it even contains a misspelling in its attempt to suggest Exchange (echange).

One final thing to examine with this email is the logic. Check out the call-to-action:

“Time to change your password or keep current password to avoid unauthorized access…”

OK, which is it? Do you need to change the password or keep it?

“Illogical action items or statements are par for the course with malicious emails,” explained Allen. “Once you see something like this, take a hard look at the email. If you think it might actually be legitimate, you can try contacting the sender via phone or a fresh email to a confirmed email address.”

It’s a new year. Be sure being cyber aware is one of your resolutions.
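As an added example (not the post's own tooling), a small Python scorer for the indicators the post walks through: a sender domain that is long and built from brand words or near-misspellings of them (echange), over-long URLs whose hosts are not the brand's real domains, and password-urgency wording. The brand domain list, the word list and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of the impersonated brand's real domains (illustrative, not complete).
BRAND_DOMAINS = ("microsoft.com", "outlook.com", "office.com", "live.com")
BRAND_TOKENS = ("microsoft", "outlook", "msonline", "exchange", "office")
URGENCY_PHRASES = ("change your password", "unauthorized access", "expiration")
LONG_ADDRESS = 40   # characters; the post's sender address was "ultra-long"
LONG_URL = 80
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed messages: the first mimics the post's scam, the second is a benign notice.
SCAM_SAMPLE = """\
From: Microsoft Account Team <no-reply@msonline-echange-outlook-security-notice.example>
To: clerk@agency.example
Subject: Today Expiration Date

Time to change your password or keep current password to avoid unauthorized access.
Confirm here: http://msonline.account-verify.example/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.agency.example%2fowa%2f&session=4f1c9e2d7a6b3c0e8d5f2a1b9c7e6d4f
"""
LEGIT_SAMPLE = """\
From: Microsoft <noreply@microsoft.com>
To: clerk@agency.example
Subject: Your January statement is ready

View it at https://account.microsoft.com/billing
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-misspellings such as 'echange' for 'exchange'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_brand_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def lookalike_labels(host: str) -> list:
    """Labels of a host that copy, or are one edit away from, a brand word."""
    hits = []
    for label in re.split(r"[.\-]", host.lower()):
        if len(label) < 3:
            continue
        for token in BRAND_TOKENS:
            if token in label or levenshtein(label, token) <= 1:
                hits.append(f"{label}~{token}")
                break
    return hits


def score_message(raw: str):
    """Return (score, reasons) for one RFC 822 message; higher means more phish-like."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2].lower()
    hits = lookalike_labels(sender_host) if sender_host and not is_brand_host(sender_host) else []
    if hits:
        score += 2
        reasons.append(f"sender domain imitates the brand: {', '.join(hits)}")
    if len(sender) > LONG_ADDRESS:
        score += 1
        reasons.append(f"sender address is {len(sender)} characters long")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if len(url) > LONG_URL:
            score += 1
            reasons.append(f"over-long URL ({len(url)} chars) on {host}")
        if not is_brand_host(host) and lookalike_labels(host):
            score += 1
            reasons.append(f"link host imitates the brand: {host}")
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"credential-urgency wording: '{phrase}'")
    return score, reasons


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    return score_message(raw)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_message(sample)
        print(f"{label}: score {score}", *reasons, sep="\n  ")
```

A scorer like this is a triage aid for a mail gateway or help desk, not a verdict; the post's own advice to confirm through a known-good channel still applies.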