With a population of 70,000 residents you might be prone to think that the IT and compliance challenges of Middlesex County would be negligible compared to those of much larger municipalities.
However, the administrative and privacy concerns of this bustling south western Ontario region are substantial and no less important than those of many businesses and cities that now largely rely on technology and automation. As such, Middlesex, much like other businesses, is burdened with the need to comply with various IT-related compliance regulations and at the same time find ways to cut its IT costs.
A recent overhaul of the country’s security system enabled Middlesex to dramatically reduce its IT operation and compliance costs by as much as 50 per cent. The program included the replacement of the country’s existing network security system and deployment of new tools to protect online assets such as patient health records for the Strathmere Lodge, a not-for-profit long-term care home owned and operated by Middlesex.
Security physical and virtual machines
Prior to the project, Middlesex County relied on a suite of network security solution from McAfee. However, the county’s IT manager was not satisfied with the system’s performance.
“The McAfee solution was not doing its job,” said Gary Reed, technology manager of Middlesex. “Their system was bulky and resource intensive and not reliable enough.”
Reed explained that the county needed a system that could secure computing operations for some 400 employees operating in 22 separate sites, more than 200 desktops and laptops, four physical servers that serve 16 virtual machines.
Their previous security tools handled the networks security needs but unfortunately also slowed down the network, said Reed.
Last year, Reed and several colleagues attended a presentation by NCI Secure Intelligence, a Mississauga, Ont.-based security and compliance consultancy firm. NCI security experts provided Middlesex with some free trial copies of Trend Micro Inc. security software.
Reed was amazed with the software’s performance: “It detected the threats that McAfee had missed and eliminated them from our systems. This saved us from having to rebuild machines.”
NCI sought to secure Middlesex’s endpoints, according to Chad Jesse, sales manager for NCI.
He said they recommended deploying Trend Micro Enterprise Security Suite. “The solutions use cloud-based reputation technology, feedback loops and input from TrendLabsSM researcers to deliver real-time protection against emerging threats,” he said.
Apart from helping in the deployment, Jesse said, NCI also helped the county’s technology team identify other potential vulnerabilities. For example, the county’s data centre was being virtualized. “This required a security solution that would protect virtual machines without introducing additional complexity,” said Jesse.
Compliance was another issue, Reed added. “Strathmere Lodge is growing by leaps and bounds and at the same time, we have to meet the Canadian government’s regulations for patient privacy.”
When it comes to securing the county’s VMware virtualized environment, the Trend Micro tools fit the bill according to Jesse. “Trend Micro Deep Security is perhaps the only solutions that meet the compliance criteria within virtualized data centres,” he said.
The results were satisfactory, according to Reed.
“In the past, security slowed down applications. With Trend Micro, some applications are now loading 50 times faster – that’s a real plus for everyone and we really like seeing those kinds of improvements,” he said.
Three frequently neglected compliance factors
Privacy regulatory compliance has been growing in importance for several years now, notes Claudiu Popa, principal of Informatica, a Toronto-based security and privacy consultancy firm. “As organization move more and more data and operations into the cloud, concerns over security and privacy will increase further,” he said.
While many businesses and municipalities like to think they are secure, he said, there is all too frequently a gap between actual operational procedures and organizational policies.
He said the following are the top three compliance pitfalls:
- Failure to reflect security and privacy operations in official policies. “Many times organization simply deploy privacy policies that were merely copied from other organizations,” Popa said. The problem with this is that organizations operate differently. One company’s privacy and security policy will not necessarily fit another.
- Lack or record management and disposal policies and procedure. “The problem I find with many organizations is that they keep on collecting data but have not policy or set procedures about how to track data and dispose of it when no longer needed,” said Popa.
These result in data being copied multiple times, important information not being updated and personal identifiable information being kept for extended periods and exposed to data breaches.
- Lack of employee awareness. In many organizations, employees handling sensitive documents do not receive proper training on how properly handle and protect the resource. “In the municipal environment, it is possible that client facing workers are not always aware who are the persons they can disclose certain information to,” said Popa.
One of the problems is that the compliance environment has become increasingly complicated in recent years, “Many businesses are not sure which compliance regulation they should concentrate on,” said Popa who recently launched a book entitled: Managing Personal Information: Insights on Corporate Risk and Opportunity for Privacy-Savvy Leaders.
The book comes with section that provides a “basic template” for privacy policies which organizations can adopt to suit their operations said Popa.
Informatica also offers a free risk and compliance assessment tool to help businesses determine their security and compliance posture.
Meanwhile, for Reed of Middlesex County the security revamp couldn’t have come at a better time. He said the country has just come out with a new Web site, a new SAN (storage area network) and cloud services.
“Everything terminates in our data centre. Our challenge moving forward is to help users gain the best possible returns from the new tools and resources while alleviating dependencies on IT,” he said.