What type of testing is right for your website – Understanding the difference in website testing

In the last few weeks there has been a rise in reported malware and malicious attacks on small municipalities. Testing of three small municipality websites in recent weeks by our team resulted in failures of basic security parameters on all three sites. We often hear small organizations say they don’t need to worry about attacks because they aren’t “big enough”, but anyone can be a target.

Regularly testing your website for known vulnerabilities and emerging threats should become part of your Cyber Security Road Map. The first step is identifying the type of web testing that is right for your infrastructure. Here are a few key questions to consider:

1) Where is your website hosted? Do you host it yourself, or is it hosted by a third party?
2) Who is responsible for the security of the host system and its operating system?
3) Do you have a web application firewall, such as CloudFlare, in front of your website?
4) Is your website a static page with content?
5) Do you have a login and, if so, what type of data is behind it? Customer data, pricing, private personal information?
6) Do you have any API interactions with other applications?

When you start down the road of testing your website, you want to consider both the host operating system and the application. There are two key types of testing available: fully automated scanning and manual testing. Fully automated scanning is used for both host operating systems and web applications. The host operating system scan checks for all currently known vulnerabilities affecting that operating system and reports back on the CVE, the risk and usually suggested remediation tips. The same is true for web application scanning: a fully automated web application scanner will scan your website, at a minimum, for the OWASP Top 10 vulnerabilities (https://owasp.org/www-project-top-ten/) and report back on risks and remediation.

Manual testing means that an actual person uses various methods to determine the security of a host or application and, if the rules of engagement permit, attempts to exploit a vulnerability to gain access, modify content or download information. There are varying degrees of manual testing: the simplest is one tester for one day, and the more extensive is 2 testers for 5 days of testing.

The type of test that is required for your website really depends on two main factors:

1. Have the host and application ever been tested before?

2. What is the criticality of the data being processed or stored on this site?

For example, if you have a very static page of content that is hosted by a third party, chances are a good OWASP Top 10 scan of your site will be sufficient to let you know if you have any glaring misconfigurations that could lead to a website defacement or other attack on your site. If your website has a login, you allow users to sign up for accounts, and you host dynamic content, you would want to consider a manual test at least for the first test. Once a thorough baseline has been established for the site, testing can become more routine and automated.

We recommend you develop a plan for testing and make sure to include the above considerations. There might be special notifications you have to give in writing to a third party before you test an application; you might have to have a testing IP whitelisted in a web application firewall; and you may need special accounts set up in the application for testing.

If you are unsure what type of test is right for your website, reach out to us and we will be glad to discuss options with you.

http://www.mi613.ca


The Importance of Third Party Vendor Assessments

Lessons learned from Cyber Incident Response

We are finding that many companies that have experienced a Cyber Incident are not performing even the most basic Third Party Vendor Risk Assessment.

It is absolutely imperative that if you engage with a vendor, you understand the associated risks.

Five simple questions can lead you to a better understanding of your vendor risks and a quicker recovery from an Incident:

  1. Is there an identifiable Leadership team?
    • Who is accountable?
    • Would you be able to escalate or contact them?
    • Where are they located?
  2. Do they have an Incident Response plan and Reporting Structure?
    • Do they have a response plan?
    • Are there dedicated phone numbers or emails for reporting incidents?
    • Are ticket numbers assigned and tracked?
  3. Who is responsible for security within their Organization?
    • Is there someone who is responsible for security?
    • Is there a defined role, or is it handled off the side of the desk by someone in another role?
    • Does the company reside in a country that has Breach Reporting responsibilities?
  4. Do you have a Service Level Agreement for responding to incidents?
    • Do you have a defined Incident/Severity matrix with set response times?
    • How do you escalate an Incident?
    • What is your communication cadence?
  5. Can they demonstrate their current level of Cyber Security Compliance?
    • Can they demonstrate the framework they adhere to? (NIST/CIS)
    • Do they disclose if and when they do vulnerability/penetration testing?
    • Do they have any risk reports (SOC 1, SOC 2 or PCI DSS) they can share?
    • Do they have patch management?

It is important to develop a Third Party Cyber Security Screening Assessment before engaging in a new contract. We can walk you through the process and help you understand your Cyber Risks.

Let’s talk Cyber!

http://www.mi613.ca


You will never change my mind in a negotiation

I’ve been negotiating contracts for so long now that it’s impossible for me to remember every moment in every negotiation

 

But there’s one thing I remember vividly from every single negotiation, because it’s probably the one thing that’s remained constant through all these years

 

I’ve never had my mind changed in a negotiation

 

I’ve agreed to things and made compromises, all for the sake of getting a deal done, but no one’s ever convinced me that they were right and I was wrong…about anything

 

And likewise, I’ve never changed anyone’s mind in a negotiation, because that’s not the purpose of a negotiation

 

Our goal as negotiators is to compromise, give and take, until we arrive at a deal that’s mutually beneficial…that makes good business sense for both sides

 

However, too often I see negotiators become preachers who start lecturing the other side on the “truth of the matter”

 

Well the truth of the matter is that if I come into a negotiation believing a supplier’s software was worth no more than $10K, there’s absolutely nothing they can say that’ll convince me it’s worth a penny more than that

 

Now I may agree to pay more than $10K, but not because I’ve seen the error of my wicked ways and repented for doubting the honesty of a software vendor

 

I’ll pay more because there are other factors impacting my decision

 

Maybe I know that they’ll never sell me the software for $10K so I’ll try to get other things thrown into the deal…longer warranty period, better indemnities, a cap on annual increases

 

The point is, I’m not focused on convincing them that I’m right and they’re wrong in a negotiation

 

The “truth of the matter” is that I couldn’t care less what they believe, as long as I get everything I need to make this a good deal for my organization

 

And I realize that’s a lot easier said than done. We’re human beings and we’re constantly looking for validation of our beliefs

 

Just turn on the news and see what’s going on in the world…right vs. left, liberal vs. conservative, republican vs. democrat

 

People yelling and screaming, lying and acting violently…just to show that they’re right and the other side’s wrong

 

Thankfully no one’s ever been violent with me in a negotiation, but I’ve been yelled at and I’m constantly being lied to

 

But none of that’s going to change my mind

 

I may walk away from a deal if I find out I’m being lied to, but more often I’ll use that as leverage in the negotiations

 

And the minute someone raises their voice it’s like they flipped on a flashing neon sign that says “I have no more valid arguments so I’m just going to start screaming like a petulant 5 year old”

 

So how do we achieve that zen-like state where we can just tune out the noise and focus on getting a good deal?

 

Well, the first thing you need to do is define what a “good deal” means for your organization…what’s your BATNA?

 

Is it driven by price… does it have to be less than a certain dollar amount or you’ll walk away from the deal?

 

Is it driven by timelines… does it have to be done by a certain date or you’ll walk away?

 

Is it driven by features and functionality… it has to do these things or there’s no deal

 

Next, you need to set your threshold of acceptability, like how much you’re willing to compromise on certain terms and conditions

 

Or how much screaming and lying are you willing to put up with

 

All of these things create the foundation for a strong negotiating strategy and, when you have that, the rest is just noise

 

Now all of the things I’ve just talked about, and much more, are covered in the Sourcing Essentials Course my colleague, Mark Morrissey, and I launched a few months ago (https://oneviewnow.com/training)

 

And I truly believe that anyone who gets involved in Procurement, Vendor Management or Negotiations for their organization would benefit from this course

 

But it doesn’t matter what I believe, it only matters what you and your organization need right now

 

So I’m not going to try convincing you to believe me…instead, I’ll show you

 

In January of 2020 I launched a course called the “7 Skills of the Elite Negotiator” and I made it free

 

Almost 250 procurement professionals, legal professionals and senior executives took the course

 

I’ve reopened that course for 90 days, you can sign up here -> https://mop.mykajabi.com/7-skills-signup

 

So if you’re on the fence about the Sourcing Essentials Course, sign up for the free one and decide for yourself whether or not this type of training is for you

 

And when you’re ready to take the Sourcing Essentials Course, feel free to reach out to me directly at [email protected] to learn about our corporate group rate

 

Mohammed Faridy

CEO, OneView

Are you a Winner or a Learner?

It seems to me that most of us are happy to just be agreeable when it comes to our perspective about how the world works. As individuals we find some sense of mental peace knowing that we think like the rest of a group.  

But I’ve always looked at things differently.  Sometimes I’m right and sometimes I’m wrong.  And when I am wrong, I’m never afraid to admit it.  I forgive myself and accept it as a learning experience.

As Lionel Richie recently told a contestant on American Idol, “When you win, you win. When you lose, you learn.”

It’s one thing to allow yourself this flexibility, but as a Manager or Leader do you extend this same flexibility to your team’s innovative ideas?   And, perhaps more importantly, if an idea fails, do you offer the same “forgiveness” for your team as you would for yourself?


Key Considerations for Local Government Software Adoption

When it comes to adopting new software, local governments have historically been somewhat cautious. And you can understand why. Government authorities face a number of unique challenges and must operate under certain constraints that do not always apply to others.

For instance, local government systems that are public-facing must be highly reliable because they have to be online 24/7/365. They must also be private and secure, particularly where personally identifiable information for residents comes into play.

Furthermore, they must have the ability to serve a large number of users. Unlike commercial businesses, a local authority’s target audience is the entire population of a region, meaning systems have to be capable of supporting multiple languages and accessibility needs and able to withstand unexpected surges in demand.

Civic Pulse recently conducted a survey asking local officials what they look for in government software. In order of importance, their top criteria included affordability, low “total cost of ownership”, and local government fit. Ease of use was important too, as were strong service and support.

The results indicate a clear pattern. Local governments are not averse and, in fact, are looking to implement better software. But successful solutions must easily adapt to existing processes, constraints, and practices. Otherwise, most local officials will be reticent to implement them.

Local Government Fit

Local governments want software that provides them with extra “capabilities” but that doesn’t necessitate massive changes to existing processes. However, unless they are built from the ground up with municipalities in mind, off-the-shelf solutions rarely mesh well with existing municipal operations and often fail during implementation. And even if they can be customized to do what is necessary, the amount of work, risk and cost usually increases to the point of being untenable – particularly for smaller municipalities.

The problem is this: local governments can’t make do with one-size-fits-all software anymore. As the Civic Pulse research shows, local authorities differ from each other significantly across multiple dimensions.

Total Cost of Ownership (TCO)

More than ever, municipalities are dealing with severe budget constraints. COVID-19 continues to affect our communities in terms of public-health, socially and economically, and local governments are bearing the brunt of this. Reduced revenues coupled with the need to maintain existing services and direct more money to public health have come at a significant cost.

Not surprisingly municipalities are looking for ways to control their expenses, including how they are choosing to implement new software solutions.

What is TCO?

Simple: it’s the sum of all direct and indirect costs associated with buying, implementing and managing the software over its duration of use.

There is a wide range of factors that impact TCO. For instance, easy-to-use software lowers TCO because staff time to learn and use the software is reduced. Software with exceptional vendor service and support also has a lower TCO because resolution of software issues or response to user queries happens quickly.

Software vendors that appeal to local governments feature comprehensive knowledge bases for self-help, online training, and dedicated remote support capabilities. Increasingly, vendors are moving to show government departments their return on software investments in real time. Measuring the TCO against the labour saved by the solution gives local governments the data they need to justify continued spending.

Affordability

Affordability is perhaps the biggest constraint for government departments looking to purchase software. Local governments need to keep their infrastructure costs low to continue providing high-quality, front-line services to the public.

Consistent with what is happening in the private sector, local governments are embracing cloud-based solutions that minimize large capital purchases and the need for additional in-house IT resources. This has the added benefit of allowing the infrastructure to scale with demand, ensuring that any unnecessary spend on infrastructure is avoided. Flexible pricing models that allow local governments to choose the capabilities they need a la carte are also attractive.

AccessE11 – Built for Local Government

A large number of local governments have selected AccessE11’s citizen request software precisely for the reasons described above. With AccessE11, local governments get a solution that is:

• Created with municipal operations in mind

• Extremely simple to adopt and use

• Adaptable to each municipality’s unique needs without costly software development

• Cloud-based and accessible from anywhere on any device

• Affordable for municipalities of any size


How have the pandemic adaptations affected your Physical Security?

Well into the COVID-19 pandemic, organizations and governments big and small have had to take measures and make changes to their environments to adapt to the needs of their staff, customers and service delivery model; the requirements of health science and government agency regulations; perhaps “new” industry best practices; and of course the ever-changing virus.

These measures have evolved into many different things. We’re going to specifically focus on physical security devices.

Two of the pervasive items that have been introduced in many environments are plexiglass and signage.

Organizations have installed plexiglass barriers at intersection points of personnel as they have the potential to interact with other personnel, customers, vendors, etc.

Informative signage itemizing physical distancing rules and self-assessment health protocols has been placed all around, in both strategic and random locations within the environment, to ensure every opportunity for personnel and visitors to be informed.

There is a funny thing about all of these plexiglass barriers and signage.

In some cases, not all, we have inadvertently defeated some or many of the installed security devices’ functionality and purpose, that is, their ability to monitor, detect and alert (alarm).

  • Motion detectors blocked, unable to provide proper coverage
  • Cameras experiencing sun flare reflection off plexiglass
  • Nuisance alarms due to swinging signage on the increase
  • And other unforeseen effects

There are cases where there is enough of this added material that, although the devices are active and functioning to specification, they are unable to detect properly, leaving areas with no security detection or proper monitoring.

We have the answers.

Let’s go for a (physically distanced) walk and have a conversation.

Your security risk plans are more than just a motion detector or even a strategic camera placement.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance, contact Michael White Group today, and we will be happy to answer your questions or provide quotations.


$31 million Canada Healthy Community Initiative – open for proposals

The Government of Canada announced that the Community Foundations of Canada with the Canadian Urban Institute are open to receive and review your proposal for access to $31 million under the Healthy Communities Initiative.

https://youtu.be/1smdTfZF-zE

I attended the Canada Healthy Community Initiative launch webinar on February 9 and reviewed the applicant guide, which is focused on the increased recognition of social and digital infrastructure that contributes to healthy community outcomes. The applicant guide makes it easy to understand whether your organization can apply.

The projects eligible for funding need to serve the public or a community disproportionately impacted by COVID-19 and fall within three Healthy Communities Initiative themes, one of them being community projects that use innovative data and technology solutions to connect people and support healthy communities: community projects that use digital technologies and solutions to encourage citizen engagement, or that use open data, online platforms or physical digital devices for public benefit.

All budget items must be project related, and expenses must be incurred between April 1 2020 and June 30 2022. Details on how anticipated expenses should be outlined in the budget are included in the applicant guide.

You need to demonstrate community engagement. Planned continued engagement with the community to receive feedback on the project may also demonstrate the role of the community in delivering the project. Your team can also elaborate on your equity approach and principles for the project and how it relates to community outreach and feedback.

All projects focusing on the theme of digital solutions, and any project that handles public data, should demonstrate best practices of digital design and responsible data management. The good news for you and your organization is that Athena Software meets the needs for inclusive design and data management.

Athena can provide details on data management considerations including:

  • Collection – who can collect the data
  • Access – who can access the data
  • Use – who can use the data
  • Openness – what data is attributed to an individual
  • Compliance – PIPEDA

Minimum funding is $5,000. Maximum funding is $250,000.

All budget items must be project related and incurred between April 1 2020 and June 30 2022. The government provided a budget template in Excel. We created a proposal for the Canada Healthy Community Initiative and integrated it with the budget template to help give you a head start on filling out the form. Let me know if you are interested in the proposal and Excel budget template, and we will send you the forms to begin the process.

The first round of funding opened February 9 2021 and will close March 9 2021 5 PM PST. Review committees begin making decisions March 10. All applicants will receive results by April 30 2021.

The second round of funding opens May 14 2021 9:00 AM AST and closes June 25 2021 at 5 PM PST. Applicants that did not receive funding in round one can apply for funding in round two. Review committees begin making decisions June 26. All applicants will receive results by August 13 2021.

You will need to check which region your project is in before you apply, using the link to the map in the application guide. You will also identify the amount you are applying for. Any project over $100,000 will be reviewed at the national level.

Your application will be evaluated with many others in each community. Your application must meet the basic eligibility criteria, including project rationale, community engagement, outcomes, and project implementation and readiness, fulfilling all of the following:

  • Submitted by an eligible organization, and provides documentation
  • Responds to needs arising from COVID-19
  • Creates or adapts public spaces, or programming or services for public spaces in the public interest
  • Demonstrates consideration of and connections within the community
  • Serves the general public or a community disproportionately impacted by COVID-19
  • Falls within the Healthy Communities Initiative theme(s)
  • Submitted with a complete budget
  • Is requesting between $5,000 and $250,000
  • Incurs expenses between April 1 2020 and June 30 2022

Please join me March 5 at 1 PM EST for a hands-on webinar as we share ideas from communities that use Penelope to assist those most affected by COVID-19 and review proposals for new and current agencies using Penelope. You can find the registration page on our Athena website. Hope to see you there. If you have questions before then, call or email. Until then, stay safe. We will see you soon.


The Management Trilogy

During the Covid-19 Pandemic, managers have been hard-pressed to pivot to a virtual style of leading their teams. Even where the work of their teams does not lend itself to ‘work at home’ strategies, nevertheless a greater reliance on the use of virtual tools has emerged. So how are you doing with that?

Managers have to provide leadership for their teams across three domains. We call this The Management Trilogy, consisting of three overlapping areas:

Daily Management is a set of management processes whereby you and your team control and improve your mission-critical processes and cultivate your team values. This is where you, as a manager, LEAD WITH VALUES.

Crisis Management is a set of management processes whereby you and your team plan for, deal with and manage the aftermath of disruptive and unexpected events. These events threaten to harm the organization, its staff, customers and stakeholders, and the communities it serves. This is where you, as a manager, LEAD WITH VALOR.

Strategic Management is a set of management processes whereby you and your team plan for, move towards, and create your future. This is where you, as a manager, LEAD WITH VISION.

Of course, it’s rarely as simple as that. Whilst engaging in Daily Management, you can be hit with a crisis or indeed crises, such as Covid-19 and more. And at the same time, your team’s vision of a desirable future gets shelved until things ‘get back to normal’, whatever that is! And you have to manage all of this virtually!

It’s simple, but not easy. Here are a few tips to help you navigate these challenges:

Tip #1: Know yourself – in the intersection of these three domains, you will experience many different emotions. Managing your emotions will be key, as will leading with values. Knowing your personal and professional values will create a strong foundation for helping others understand their emotions and values.

Tip #2: Know your team members – Understanding what motivates your team members, and how they deal with the pressures and conflicts that arise between you, they and other team members will be crucial to maintaining a balanced and cohesive team.

Tip #3: Know your manager – Understanding your manager and their stressors will go a long way towards creating a strong working relationship between the two of you, which will stand you in good stead when you need your manager’s support.

If you would like to learn more about The Management Trilogy and the tools and techniques you can utilize virtually to achieve success, contact me at [email protected] or by calling 1-877-432-8182 (local in Edmonton 780-432-8182).

Brian Ward,

CEO, Affinity Consulting and Training

Edmonton

Code Enforcement with AccessE11

The mandate of municipal government is to provide access to civic amenities and to ensure that residents follow the local laws and ordinances adopted by City Council.

In general, there are operating processes in place to monitor and enforce these municipal codes. However, it is often the residents themselves that witness and report code violations, at which point the municipality’s responsibility is to initiate an investigation and resolve the situation. When this occurs, there are additional complexities involved, with many municipalities struggling to track and meet their service targets to address citizen-initiated complaints. Any departments responsible for code enforcement must triage citizen complaints across a diverse range of property maintenance, parking, noise, nuisance and other issues. Then, activities must be coordinated with officers in the field, all actions tracked, and any documents consolidated until compliance is reached.

Using the AccessE11 service request management platform, multiple municipalities have streamlined and automated their code enforcement approach, making it effortless for staff to capture citizen complaints, assign the right team, resolve the underlying issues, institute centralized tracking and record keeping, and easily report on issues individually or on an aggregated basis.

Capturing Code Issues

Increasingly, residents expect to be able to interact with their municipality in the same way they do private-sector organizations via multiple channels, and this applies equally to code enforcement.

In light of this, AccessE11 has created a platform that allows citizens to report their concerns online, by email, and using integrated mobile apps. Categorization of each violation (permit issue, graffiti, trash and debris, noise, etc.) is completely flexible, and geolocation of the issue and inclusion of pictures and other details is simple.

Once reported, the software automatically creates a case to track the issue, acknowledges receipt to the citizen, sets follow-up and due dates, and routes the case to a specific staff member. Moreover, it immediately makes the information available in configurable dashboards, embedded maps and reports to provide a centralized, cohesive view of all past and ongoing code enforcement activities.

Processing Citizen Issues

Inspections are an integral part of the resolution process and, to that end, code enforcement officers are provided with an up-to-date and prioritized view of the complaints they need to follow up on, via the AccessE11 mobile app for staff. Depending on whether or not a violation is observed, an officer on location can close the case immediately, or further document it with corrective actions and a date for a follow-up inspection if required.

Some municipalities also use code sweeps within delimited geographical areas as a proactive means of enhancing the safety, cleanliness and conditions of a neighbourhood. In this scenario, officers can create cases for tracking purposes directly using the mobile app. All relevant information is seamlessly and centrally logged with no need for the officer to visit the municipal office simply to enter data.

From the time an issue is reported through to closure, departmental managers, assigned staff and, to an appropriate extent, the reporting citizen are kept informed with automated, real-time notifications. Code enforcement teams are able to work seamlessly and avoid crossed wires. The reporting citizen can also get updates on their concern at any time by visiting AccessE11’s citizen-facing portal.

Operational Effectiveness

Citizens demand services from municipalities, but they also expect them to use tax dollars wisely. Authorities have a duty to avoid waste wherever possible and act in the public interest.

To that end, they need systems that allow them to make informed decisions and measure the success of their activities. AccessE11’s platform allows code enforcement departments to visualize and report on valuable data, letting them make evidence-based decisions. Managers can prioritize tasks, collect data on current and historic trends, measure against service targets, and gauge the effectiveness of the municipality’s response to issues. This data-driven approach enables managers to get a better handle on the overall efficacy of their teams, as well as the productivity of individual members.


Ontario State of Emergency Returns – What You Need to Know

Municipal Employer Update – State of Emergency Returns

Further to Premier Ford’s announcement January 12th, the Province is returning to a State of Emergency, effective Thursday, January 14th. Though public health measures and restrictions have been in place throughout the pandemic, Ontario has not been in a State of Emergency since July 24, 2020.

We note below only the changes that will come into place Thursday (all current Grey Zone lockdown measures remain in effect as now). These measures will continue until at least February 11, 2021:

  1. Employers must ensure that employees who can complete their work from home do so.  Employees are not to attend work unless the nature of their work requires them to be on-site at the workplace (for example manufacturers, retailers offering curbside pick-up etc.)
  2. For employees that must attend work, face masks are mandatory in all workplaces even in instances where physical distancing can be maintained.  Masks must be worn outdoors if the workplace does not allow for 2m (6’) of distancing.
  3. Outdoor gatherings are reduced from a maximum of 10 people to 5 people.
  4. Schools will remain closed until February 10 in Windsor, Toronto, Peel, York and Hamilton regions.
  5. Previously announced school re-openings remain as scheduled until further notice.
  6. Daycares remain open to non-school age children.
  7. Retailers and restaurants may provide services as they do now but may only remain open from 7am to 8pm (liquor and beer stores, 9am to 8pm). Reduced capacity restrictions are being applied to big box stores.
  8. The 7 a.m. to 8 p.m. restriction does not apply to grocery stores, pharmacies and health care facilities.
  9. Car dealers may remain open by appointment only (as now) but only between 7am and 8pm.
  10. Non-essential construction is restricted, including below-grade construction, except for surveying.

Importantly, Ontario has not imposed a general curfew on citizens (as Quebec elected to do by forbidding citizens from being outside their home after 8pm without an essential reason).



As always, if you have questions or need assistance, please contact our offices anytime (while we are working virtually, emails and phones are being monitored at all times).  New developments are expected and we will continue to keep you updated.



SHRP LIMITED

925-550 Skyway Drive (Airport Road)

Peterborough,  Ontario  K9J 0E7

705-400-714 | [email protected]

www.savinohrp.ca | www.hrlive.ca
