If you ask your typical firefighter, “What does security mean to you?” you will likely get a variety of answers. To some it may be having good turnout gear; to others it’s knowing that the “two-in/two-out” rule is uniformly enforced and that a rapid intervention team is routinely assigned to structural calls.
But if you talk more about securing assets, some answers may also point to that responsibility as belonging to our brothers and sisters in blue. Sure, we no longer leave the station doors open when we respond to calls; in fact, some departments can even control access to their quarters remotely. And, if you look closely, you’ll see that those nice chrome handles on our compartment doors frequently sport a lock and key.
But in 2012, security is much, much more than a lock and key. That’s because the most precious non-human asset a fire company or department has is its information.
Sharing information
In the past few decades, a significant number of records have been converted from paper to electronic media. Run cards are now part of a computer-aided dispatch (CAD) system. Pre-plans have migrated from a notebook to a mobile data terminal (MDT) or personal digital assistant (PDA). Incident reports once laboriously completed on a typewriter or by hand are now submitted electronically. At this point, the most antiquated pieces of fire equipment may be the pen and pencil.
- This article was recently published in Firehouse Magazine and is being offered as a "free-view" for Firehouse.com readers. To see more articles from the magazine archives, you can subscribe to Firehouse Magazine or the MembersZone.
There is no doubt that computers make data sharing more efficient. Consider the fact that changes in an electronic map can now be made instantaneously available to all. Compare this to the former process of having to correct and distribute numerous paper maps or running with outdated map books until the new ones were published. While centralized storage makes sharing of information between authorized personnel easier, it makes unauthorized access easier as well. That’s why the most critical pre-plan a fire department can develop involves the security of its data.
This plan should be reviewed at least once a year, but some of the action items should be carried out every day. If your department relies on anything other than dedicated circuits, you run the risk of data being hacked. If you have an Internet presence – and, according to the National Fire Protection Association (NFPA), 84% of fire departments did in 2010 – you are exposed to malware, Trojan horses, viruses, hackers and other attacks. That’s why, first and foremost, a good firewall must be installed to repel unwanted prying. In conjunction with this, anti-virus software should be installed agency-wide, with updates applied as soon as released. This applies to security fixes for all software, as well. Some vendors offer “enterprise” solutions that let several machines be bundled under the same license. It should be noted, however, that some public safety applications may not be compatible with all such software, and it is advisable to contact your current vendors before purchases are made.
Protecting data
Standard operating procedures (SOPs) must also be developed to provide guidance to personnel. These should include, at minimum, requirements for strong passwords and the changing of passwords every three months. User accounts of all personnel leaving employ must immediately be disabled. Workstations should never be left logged on unattended and all sensitive printed data should be thoroughly shredded.
When computers are decommissioned, their hard drives should be removed or erased using a program that meets Defense Department standards. Policies must also include the prohibition of uploading data or programs from personal devices such as laptops, CDs or memory cards. This ban on connectivity should also apply to the affiliation of personal devices to the fire department network, as all of the activities above offer an opportunity for introduction of malware.
Regular security audits must be held to ensure that data is being delivered only to authorized persons, with your system administrator being automatically and immediately notified of any activity that suggests attempts at unauthorized access or attack. Keep in mind that while a system may be internally secure, any connection to any device that connects to the outside world is a vulnerability. Even seemingly harmless activities such as a departmental web site may offer an inroad, as will Next Generation 911 through its interface to myriad smart consumer devices.
Proper records
What information does your department have that it needs to protect or that others might want? If you respond to emergency medical calls, for example, you may have hundreds or thousands of digital patient records. And what about personnel files?
Depending on state and local policy, there are any number of items that may be confidential. For a career or paid-on-call department, consider the implications of a breach of payroll data. Not only will Social Security numbers be compromised, but so might bank account and routing information associated with direct deposits. Access to Social Security numbers may also be a concern to volunteers as these may be used for training or tax and pension records where such benefits are provided.
Add to this list purchasing information that contains credit or gas card numbers, pre-plans that pinpoint the location of exotic materials and keypad codes for secured properties and you have something for everyone. However, with some forethought and compliance you can keep this critical data secure.
BARRY FUREY, a Firehouse® contributing editor, is director of the Raleigh-Wake Emergency Communications Center in North Carolina. During his 35-year public safety career, he has managed 911 centers and served as a volunteer fire officer in three other states. In 2005, Furey received a life membership in the Association of Public-safety Communications Officials (APCO) International for his continued work in emergency communications.