NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY

  MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS

                                 by

                         Natalie J. Yardley




              A Thesis Presented in Partial Fulfillment

                of the Requirements for the Degree

                         Master of Science




               University of Advancing Technology

                            March 2012
NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY

       MANAGEMENT IN PUBLIC SAFETY COMMUNICATION CENTERS

                                   by

                            Natalie J. Yardley

                            has been approved

                              March 2012

APPROVED:

                       ROBERT MORSE, Ph.D, Chair

                       GREG MILES, Ph.D, Advisor

                           AL KELLY, Advisor

ACCEPTED AND SIGNED:



                                 __________________________________________
Abstract

This research examines the current information security management landscape of 9-1-1 public safety communication centers at the beginning of nationwide Next Generation 9-1-1, initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems. The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information security and technology management evaluation. Also, a literature review of the implementation of managing Internet-protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determine current 9-1-1 agency status in terms of compliance or noncompliance with the standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and that potentially serious barriers related to funding exist.
Dedication

I would like to dedicate my thesis work to all the very dedicated 9-1-1 professionals, especially

from Atchison County Communications Center, Atchison, Kansas.




Acknowledgments

I would like to thank my Thesis Committee, particularly my Chair, Dr. Morse, for continued

guidance during the graduate thesis process. Also I want to give many thanks to my family, for

their patience with my writing, reading, and proofing marathon sessions behind closed doors.




Table of Contents

     Acknowledgments
     List of Tables
     List of Figures

CHAPTER 1. INTRODUCTION
     Introduction to the Problem
     Background of the Study
     Statement of the Problem
     Purpose of the Study
     Research Questions
     Significance of the Study
     Definition of Terms
     Assumptions and Limitations
     Nature of the Study
     Organization of the Remainder of the Study

CHAPTER 2. LITERATURE REVIEW

CHAPTER 3. METHODOLOGY
     Research Design
     Sample
     Setting
     Instrumentation / Measures
     Data Collection
     Data Analysis
     Validity and Reliability
     Ethical Considerations

CHAPTER 4. RESULTS

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

REFERENCES

APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION SECURITY MANAGEMENT SURVEY

APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTER PARTICIPANT INFORMED CONSENT




List of Tables

Table A. Current agency 9-1-1 status/capability
Table B. Job title/role at agency
Table C. Current agency IT/Network administration description
Table D. Agency anticipation of employing/contracting an IT/Network administrator who currently have none
Table E. Reason or obstacles for not employing/contracting IT/Network administration if currently none
Table F. Type of IT descriptions and policies (first six categories)
Table G. Type of IT descriptions and policies (last six categories)
Table H. If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F.1 and Table F.2
Table I. Virus and/or spyware detection software on all servers and end user computers
Table J. Reason and/or obstacles for agency not running anti-virus and/or spyware detection software
Table K. Current inventory, schematic, and audit documents on file
Table L. Reasons or obstacles for not having network inventory, schematic, and/or audit documents
Table M. Type of security awareness training and education standards currently in place
Table N. Reasons or obstacles for not having staff security training and/or current training/certification for IT administration
Table O. Agencies reporting compliance with NG-SEC




List of Figures

Figure 1. The population range of the agency's jurisdiction.
Figure 2. Current agency 9-1-1 status/capability.
Figure 3. Job title/role for small agencies.
Figure 4. Job title/role for medium agencies.
Figure 5. Job title/role for large agencies.
Figure 6. IT/Network Administration for small agencies.
Figure 7. IT/Network Administration for medium agencies.
Figure 8. Obstacles for not employing IT administration for small agencies.
Figure 9. IT descriptions and policies for small agencies.
Figure 10. IT descriptions and policies for medium agencies.
Figure 11. IT descriptions and policies for large agencies.
Figure 12. Obstacles for not having the descriptions/policies for small agencies.
Figure 13. Obstacles for not having the descriptions/policies for small agencies.
Figure 14. Virus and/or spyware detection software for small agencies.
Figure 15. Virus and/or spyware detection software for medium agencies.
Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies.
Figure 17. Current IT documentation for small agencies.
Figure 18. Current IT documentation for medium agencies.
Figure 19. Current IT documentation for large agencies.
Figure 20. Obstacles for complete IT documentation for small agencies.
Figure 21. Obstacles for complete IT documentation for medium agencies.
Figure 22. Security awareness and training for small agencies.
Figure 23. Security awareness and training for medium agencies.
Figure 24. Security awareness and training for large agencies.
Figure 25. Obstacles for security training and education for small agencies.
Figure 26. Obstacles for security training and education for medium agencies.
Figure 27. Reported NG-SEC compliance by agency size.
Figure 28. Part-time or no current network administration by agency size.
Figure 29. Obstacles for not having full-time network administration for small agencies.
Figure 30. Presence of malware in network traffic (Ponemon, 2009).




CHAPTER 1. INTRODUCTION

                                   Introduction to the Problem

       Technology has expanded the way society communicates, particularly in the last few

decades (Barbour, 2008). Today, cell phones are prevalent and have expanded the tools available

for individuals to get help from public safety agencies. In addition to voice communications over

the telephone wires, individuals can easily conduct voice and video conversations using

computers on either wired or wireless Internet networks. People can instantly send and receive

text, photos, and video from their cell phones. With the additional communication options

available to the public, the technical capabilities of 9-1-1 public safety communications need to

expand.

       Society’s expectations of what 9-1-1 systems should be able to handle and the reality are wide apart. One example is the Virginia Tech shooting in April 2007, when students attempted to send text messages to 9-1-1, unaware that the call center was not equipped to receive such communications (Luna, 2008). Many hearing impaired callers rely on newer modes of communication available on smart phone devices, yet cannot utilize them during an emergency to contact a 9-1-1 system that is analog based (Kimball, 2010).

       Another example of the need to upgrade capability to meet expectations is that legacy 9-1-1 equipment is unable to provide accurate location services. That service is now widely available, and many mobile and social networking services currently provide it, according to the National E9-1-1 Implementation Coordination Office (2009). Due to this wide gap between expectation and capability, the need for public safety communications to upgrade to match consumer technology advancements is vital if the system is to continue to keep citizens safe.



       In July 2008, H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008 (also known as the NET 911 Improvement Act of 2008) was signed into law to promote and enhance public safety by facilitating the rapid deployment of IP-enabled 911 and E-911 services, encouraging the nation’s transition to a national IP-enabled (Internet Protocol) emergency network, and improving 911 and E-911 access for those with disabilities. The initiative of advancing 9-1-1 systems to IP technologies nationwide is known as Next Generation 9-1-1 (or NG9-1-1). Currently, there is no definite date of completion for nationwide NG9-1-1. Also, public safety organizations are independently planning and implementing NG9-1-1 technologies (Kimball, 2011). Because of the vast technological changes and the requirement of nationwide standards, this lack raises concern about the way IP-based 9-1-1 systems are managed to maintain their security and integrity, which is itself evolving as the closed analog system is converted to a connected Internet system (NENA, 2011). Given the size and scope of the project, there is a need to monitor compliance capability.

                                    Background of the Study

       In the United States, the current 9-1-1 system is going through a transformation from analog based systems to IP-based (Internet Protocol) systems (NENA, 2011). The analog 9-1-1 systems are not compatible with most of the current consumer technologies, and converting to digital systems will allow the variety of available consumer communication devices to work within public safety systems. Next Generation 9-1-1 will allow for IP-based communication technologies to be used, such as text messages, voice, photos, and videos over secure Internet points. Prior to the introduction of Next Generation 9-1-1, public safety communication systems were not connected to other networks, which provided stronger security barriers from attacks. With Next Generation 9-1-1, the barriers are significantly decreased through the internet-protocol connections, making 9-1-1 a potentially appealing and vulnerable target. Thus, information security management standards were established in February 2010 by the National Emergency Number Association in order to address the technological changes of 9-1-1 communications. These are the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010), and all Next Generation 9-1-1 status agencies are to comply with the standards immediately (NENA, 2010, p. 8). Therefore, the relevance of this research is to establish the progress towards achieving this requirement. In general, potential reasons for noncompliance can range from high costs and privacy issues to business disruption, even though noncompliance may bring penalties and legal issues and may affect national security and the welfare and safety of citizens. For public safety communications, it is critical for agencies to be and remain compliant to keep communication services available and safeguard lives and information.

                                     Statement of the Problem

       The problem that will be explored in this study is the level of compliance or non-

compliance with information security management standards in the public safety

communications environment.

                                       Purpose of the Study

        The purpose of the thesis study is to ascertain if public safety answering points (PSAPs)

have information security management standards in place that reveal compliance or non-

compliance with National Emergency Number Association (NENA) Security for Next-

Generation 9-1-1 Standards (NENA, 2010) prior to nationwide Next Generation 9-1-1

implementation and to identify any needed next steps to reach compliance.




Research Questions

       1. What are the Next Generation 9-1-1 information security management standards and

          policies?

       2. What percentage of agencies have Next Generation 9-1-1 status?

       3. What percentage of agencies are compliant or noncompliant?

       4. What are the obstacles and/or challenges for public safety answering points (PSAPs)

          that are not compliant with public safety communication information security

          standards?

                                     Significance of the Study

       Every project must be planned and, where possible, kept on schedule. 9-1-1 is a vital societal system. The National Emergency Number Association (NENA) estimated in October 2011 that 240 million calls were made to 9-1-1 in the United States annually (NENA, 2011, sec. 2, para. 1). Of those annual calls, at least one-third are wireless, and it is estimated that 26.6% of all United States households currently rely on wireless communication as their primary service (NENA, 2011, sec. 8). NENA has provided the national security standards and best practices for public safety answering points with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). The next step in the project is to implement those standards so that public safety communications adapt to advancing technology and consumer needs without compromising security. But projects do not guide themselves. To meet the need for nationwide security standards compliance, managers need up-to-date data regularly available. The study of compliance is significant in providing updated data on security readiness as public safety communication agencies move forward in the transition from closed to open systems with Next Generation 9-1-1 while continuing to provide the emergency services required for citizens.

                                       Definition of Terms

Next Generation 9-1-1. Next Generation 9-1-1 is an Internet Protocol (IP) based system that will

       allow 9-1-1 public safety entities to receive and send such communications as text

       messages, video, photos, and voice through secured Internet points on 9-1-1

       communication systems (NENA, 2011).

Public Safety Answering Points (PSAPs). Public Safety Answering Points are 9-1-1 emergency

       call centers that are staffed with trained 9-1-1 operators that receive emergency telephone

       communications for law enforcement, fire, ambulance, and/or rescue services (NENA,

       2011).

Data Transience. The explanation that data can be ever changing and provide a momentary

       snapshot of what may be true at one point in time but not necessarily true the next time

       data is collected.

                                  Assumptions and Limitations

       The research is a "naturalistic" or applied study. There are assumptions surrounding the

questioning technique used in the sample. It was assumed the responders had an appropriate

level of knowledge due to being designated as contact points within their organizations. The

questioning utilizes vocabulary presented in the National Emergency Number Association

(NENA) Security for Next Generation 9-1-1 standards or NG-SEC, which the sample should

understand. The questioning links sufficiently to the participant’s experience, again due to

utilizing the national standards that were created by 9-1-1 leaders (NENA, 2010). The researcher

also assumed that each participant would answer willingly and truthfully since the study did not publish names of contacts or agencies, assuring confidentiality of any information shared. Limitations of the thesis are practical ones, such as researcher experience, the time limit of the study, and university rules.

                                        Nature of the Study

       It is vital that Next Generation 9-1-1 technologies are both implemented and accessible nationally to meet the growing demands of consumer technology and consumer mobility for emergency services. However, it is also essential for public safety answering points (PSAPs) to be in compliance with security standards because of the openness of the evolving technology. The study revolves around the security standards and data collected from agencies. The thesis is an empirical study. Empirical research can be defined as research based on experimentation, observation, or experience (Classroom Assessment, 2011). Leedy (2010) points out “the significance of data depends on how the researcher extracts meaning…” and “underlying and unifying any research project is its methodology” (p. 6).

       The thesis is also an evaluation study. Such studies require a researcher to specify criteria, which in this instance are the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC. Measurement will involve collecting data via a survey of a cross-sectional sample of agencies in the United States and conducting a review of the literature. As Leedy (2010) states, “measurement is ultimately a comparison and it is a tool by which data may be inspected, analyzed and interpreted” (p. 25). The survey utilizes the NG-SEC and serves as the measurement scale for the purpose of comparison and analysis of research questions. The data collected are ever changing and only provide a momentary look at the Next Generation 9-1-1 status and compliance or non-compliance of agencies sampled. Time, evolving technology, consumer needs, agency obstacles, and future laws and standards will inevitably change the data. Therefore, the data are “transient” (Leedy, 2010, p. 89).

       The objectives of empirical research go beyond reporting observations. They promote an environment for improved understanding, combine extensive research with detailed case study, and prove relevancy of theory by working in a real world environment (Experiment Resources, 2011). The study provides analysis of data collected from public safety answering points (PSAPs) in order to provide an examination of the written standards in real life application. The case study method, as explained by Zainal (2007, p. 1), “enables a researcher to closely examine the data within a specific context”. Yin (1984) further defines the method “as an empirical inquiry that investigates a contemporary phenomenon within its real-life context” (p. 23). By utilizing a case study method in this study, not only will the data be explored, but the complexities of the real-life situations will also be shown (Zainal, 2007, p. 4). When researching human activities, it is important to capture contextual data and situational complexity. According to Leedy (2010), “research conducted in more naturalistic but invariably more complex environments – is more useful for external validity; that is, it increases the chances that a study’s findings are generalizable to other real-life situations and problems” (p. 100). The field of study may be unique and the human activities in the project require complexity as part of the research. Lorino (2008) explains the situatedness of research in that “it takes place in a specific situation which influences the view of the complex system” (p. 8).

       The study identified the collective experience of agencies implementing a key technology in the field. Each agency surveyed is itself a potential case study. Thus, there are multiple individual surveys available for analysis. According to replication logic, if findings are replicated throughout the different agencies, more confidence can be placed in the findings and generalizing beyond the original participants becomes possible. The rationale for this type of analysis is supported by Yin (2009), who explains that replication logic is where the researcher is looking for congruence that indicates increased confidence in the overall finding. Identifying congruence between a standard and a practice is the heart of criterion-referenced evaluation research. Such studies not only provide data on the subject, but also serve data-driven quality improvement reviews used in assessments of the development process.

                               Organization of the Remainder of the Study

       In the following chapters, the researcher provides a literature review, methodology, presentation of survey results, and concluding study discussion and recommendations. The literature review describes the evolution of 9-1-1 to its current transition to Next Generation 9-1-1. It also presents and discusses the information security management standard set forth by the National Emergency Number Association (NENA) for public safety communication compliance. In Chapter 3, the researcher provides the survey study methodology by which the data will be collected and analyzed to explore the research questions. Chapter 4 presents the results and description of the data collected, followed by a conclusion and recommendations based on the researcher’s findings in Chapter 5.




CHAPTER 2. LITERATURE REVIEW

       9-1-1, in the United States, is the number to call if citizens need help (NENA, 2011). Whether the emergency requires medical, fire, or law enforcement, the three digit number is supposed to be the one Americans contact for a quick response to a particular emergency (Barbour, 2008). For most of the last four decades that 9-1-1 has been in existence, the way citizens communicated to emergency services, with the exception of showing up in person, was through the use of pay phones and residential landlines (Barbour, 2008).

       It was a very straightforward analog system that gradually incorporated the phone number from which the call was coming, the location of the call, and even a list of appropriate emergency response units based on jurisdiction of the call. However, now in the age of the Internet and a mobile lifestyle, this traditional 9-1-1 communication has continued to fall behind in meeting the needs of the consumers, especially with the increasing disappearance of fixed-line communications (Luna, 2008). A particularly tragic example took place in 2008. A woman from Tampa, Florida was kidnapped and called the local public safety communication center on her mobile phone while the incident was occurring. The public safety communications center’s 9-1-1 was an analog system and her GPS-enabled (global positioning system) phone did not register her location. Later, police found the woman’s body in a vacant home in a nearby town (Bruce, Newton, & Vaughan, 2011, p. 8). If the local 9-1-1 system had been equipped with Internet-Protocol technologies, the public safety communications center may have been able to track her location through GPS and her life may have been saved. Certainly, the system did not even permit that possibility.

       Enter Next Generation 9-1-1, which is based on transforming the current analog 9-1-1 communications system into an Internet-Protocol or IP-based system to allow 9-1-1 call takers to receive the same location and unit information as they do now with landline or fixed-line telephone systems. Public safety communication personnel would be able to communicate with citizens and emergency response units via text and mobile, as well as exchange photos and videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).

       Given its scope, nationwide Next Generation 9-1-1 implementation will take time, and there are obstacles and issues to work around and resolve. In 2008, the state of New York conducted a 911 project to enhance wireless communication with a grant from the United States Department of Transportation and National Highway Traffic Safety Administration. The project found that technology was not the major obstacle in enhanced wireless deployment. Though some technical issues may slow the progress, funding for technological upgrades is the most pressing obstacle (Bailey & Scott, 2008). Of course, this was the year when a major financial problem engulfed many countries, so it is understandable that the study reported that many public answering points did not have sufficient funds for enhanced wireless communication upgrades. Ultimately this need for finances has prolonged the time needed to complete the project. The New York study provided examples of obstacles for Enhanced Wireless technologies, which involve cellular 9-1-1 communications for Wireless Phase I and Wireless Phase II implementation and not the Internet-Protocol technology that is required for Next Generation 9-1-1 (Bailey & Scott, 2008). However, the funding comparison can be made for the obstacles 9-1-1 entities face in upgrading the national 9-1-1 system. If agencies have issues with funding for the cellular wireless technologies of Wireless Phase I and Wireless Phase II, which still utilize the analog systems, they may have the same issues with Next Generation 9-1-1 funding.




9-1-1: Past and Present

       In order to understand and discuss the current changes of today’s 9-1-1 systems, it is best to briefly review where and how 9-1-1 began and the current types of 9-1-1 services. Jason Barbour’s article (2008) explained that the first official 9-1-1 call was on February 16, 1968 in Haleyville, Alabama and provided an overview of the 40-year history of 9-1-1, from its inception in 1967 to the current day. Mr. Barbour’s historical perspective told how the technological advances throughout the years have benefited the profession of saving lives. Barbour also observed that keeping up with consumer technology has always been a challenge and that some of the difficulty has been the lack of synchronicity between the public and private sectors. It is also important to note the humble beginnings of the first 9-1-1 call in the small town of Haleyville, Alabama. Barbour illustrated the importance of modest technological strides from the thousands of public safety agencies nationwide.

       According to the National Emergency Number Association or NENA’s website (2011), the different types of 9-1-1 systems readily used now are Basic, Enhanced, Wireless Phase I, and Wireless Phase II. Basic 9-1-1 is when the three-digit number is used, and either a voice or a Telecommunication Device for the Deaf (TDD) call is received by the local public safety answering point (NENA, 2011, sec. 3). Enhanced 9-1-1 builds on the basic service, but additionally provides dispatchers the caller’s location, phone number, and the PSAP responder information for the caller’s address (NENA, 2011, sec. 4). It is important to understand that both Basic and Enhanced 9-1-1 only apply to landline phones, not wireless (NENA, 2011, sec. 4).

       With wireless, the reality of what is displayed or the information available to the public safety answering point (PSAP) can be different than that of the wireline or landline 9-1-1 call. The National Emergency Number Association’s website (NENA, 2011) continued to explain the next two phases, Wireless Phase I and Phase II. Under Wireless Phase I only the cell phone number displays (NENA, 2011, sec. 5), and Wireless Phase II provides the cell phone number and the location of the caller (NENA, 2011, sec. 6). A critical point to remember regarding Wireless Phase II is that a caller’s location is based on the closest cell towers, and this depends on whether the caller is located in an urban or rural area. In rural areas there can be quite a distance between towers.

          Voice over Internet Protocol (VoIP) is spreading rapidly with consumers and the 9-1-1

communities have only begun to complete Enhanced 9-1-1 capabilities for VoIP 9-1-1 (NENA,

2011). The Federal Communications Commission or FCC website’s (2008) discussion of VoIP

9-1-1 services explained that since the communication uses Internet protocol as opposed to

traditional analog systems, not all VoIP services connect through 9-1-1. Next Generation 9-1-1

or NG9-1-1 would address the issue of 9-1-1 and VoIP capability since NG9-1-1 provides public

safety communication agencies with Internet-Protocol based systems. According to the National

Emergency Number Association’s NG9-1-1 Transition Plan (NENA, February 24, 2011), NG9-

1-1 has begun with the prerequisite of deploying IP networks in some areas already occurring

and with vendors developing NG9-1-1 equipment. However, the organization does address

“NG9-1-1 will be a journey that will be realized at different rates within various parts of North

America, based upon state/province, local implementation and stakeholder environments” (p.

15).

                                            Current 9-1-1 Usage

          Current 9-1-1 statistics are provided by the National Emergency Number Association

(NENA) website under the category of Public & Media (2011, November 12):

       United States has 6,130 primary and secondary public safety answering points (PSAPs) and

3,135 Counties which include parishes, independent cities, boroughs and Census areas.

      Based on NENA’s preliminary assessment of the most recent FCC quarterly filings:

      97.7% of 6,130 PSAPs have some Phase I

      96.0% of 6,130 PSAPs have some Phase II

      94.1% of 3,135 Counties have some Phase I

      91.8% of 3,135 Counties have some Phase II

      98.1% of Population with some Phase I

      97.4% of Population with some Phase II

Phase I and II are not provided 100 percent nationwide. It is estimated that about 20% of

households in the United States do not use landline phone services; instead they rely on wireless

services only (NENA, 2011, sec. 1).

       There are a few agencies throughout the United States, such as King County in

Washington and Rochester in Monroe County, New York, that use portions of Next Generation

9-1-1 technologies by either working as a test public safety answering point (PSAP) or with a

very small percentage of Internet Protocol (IP)-based technologies working alongside the main

analog systems (Intelligent Transportation Systems, 2009). Black Hawk County, IA is the first

PSAP to allow text messages to be sent directly to 911, though it is only through one wireless

provider (Mannion, 2009). Charlotte County Florida received a Florida State grant and is using it

to begin implementing different Next Generation 9-1-1 capabilities (Hamilton, 2009). The U.S.

Department of Transportation (2009) tested various IP-based technologies with five public safety

answering points (PSAPs), which gathered the information that assisted 9-1-1 community

organizations like the National Emergency Number Association (NENA) and Association of

Public-Safety Communications Officials (APCO), along with government officials, to develop nationwide plans.

The United States government is a very important part of the development of regulations

for 9-1-1 technologies, from 9-1-1’s first inception in 1967 by the President’s Commission on

Law Enforcement and Administration of Justice (Barbour, 2008), through continuous active pursuit

of legislation, to, most recently, the ENHANCE 911 Act of 2004 and NET 911 Improvement

Act of 2008, which address the concerns raised by emerging technology and how it affects the

services of 9-1-1 (Moore, 2009). It is clear from these governmental actions that the government

has been working to improve 9-1-1 services as technology evolves.

       In February 2010, National Emergency Number Association (NENA) published the

NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Many industry

experts from a variety of private and government sectors contributed to the security standards to

address the needs of Next Generation 9-1-1 (NG9-1-1) technologies. The standards are in place

to “establish the minimal guidelines and requirements for the protection of NG9-1-1 assets or

elements within a changing business environment” and to “impact the operations of 9-1-1

systems and PSAPs as standardized security practices” (p. 1). Also, all NG9-1-1 entities will be

required to understand, implement and maintain the new standards and requirements, and that

requirement is effective immediately. Any vendor who presents devices, future applications or

technologies for 9-1-1 systems is also to be in compliance with NG-SEC. In August 2011, the

Federal Communications Commission (FCC) announced it still had to consider “how to ensure

adequate broadband infrastructure to deliver the bandwidth PSAPs will need to provide NG9-1-

1. As part of the NPRM, the FCC will examine interim solutions for ensuring that

carriers/service providers support transmission of text-to-911” (Genachowski, 2011, p. 1).




The Future: Next Generation 9-1-1 and Security Issues

       At the moment, the technologies that may be used for Next Generation 9-1-1 capabilities

are Internet protocol (IP) voice, video, instant messaging (IM), short messaging (SMS), data, and

telematics (Luna, 2008). Although the Luna article was written in 2008, 9-1-1 systems remain

limited. The Federal Communications Commission (FCC, 2008) stated that some of the issues with

voice-over Internet protocol (VoIP) 9-1-1 are that those calls may not connect to the public safety

answering point (PSAP), or may improperly ring to the administrative line of the PSAP, which

may not be staffed after hours, or by trained 9-1-1 operators. VoIP calls may correctly connect to

the PSAP, but not automatically transmit the user’s phone number and/or location information.

VoIP service may not work during a power outage, or when the Internet connection fails or

becomes overloaded. This can be a problem for citizens, since emergencies often occur en

masse or when the power is out. Because of these issues, there are efforts to include enhanced

VoIP (Kim, Song & Schulzrinne, 2006) that address things like language-based call routing, and

the ability for 9-1-1 operators to call back a disconnected call (FCC, 2008).

       Further considerations with voice-over Internet protocol (VoIP) deal with the added

security required on networks that will need to accommodate VoIP and not just data-only

networks. Added costs to 9-1-1 agencies are a reality for additional power backup systems,

firewalls, 9-1-1 answering software for VoIP and other IP based communications. Not only

would new equipment and software need to be installed to accommodate IP-based technologies

specific to 9-1-1 communications, but also routine testing would need to take place to ensure

system security and would require adequate staff to manage the systems to allow for 24/7

uptimes (NIST SP 800-58). 9-1-1 entities would need to continue to meet demands of evolving



technology for upgrades and possible loss of 9-1-1 service if a disaster were to occur within the

9-1-1 center. In short, there remain technical problems in addition to financing concerns.

       One view of risk and security issues comes from Lynette Luna (2008), who took a social

approach to how consumer technologies, and their lack of integration with current 9-1-1

systems, may affect emergency situations. She used well-known incidents, such as the Virginia

Tech shootings, to make a strong argument that the ability of 9-1-1 centers to accept text

messages could have possibly saved lives. For the purpose of risk assessments for upgrading to

Next Generation 9-1-1, it is good to have a social perspective of 9-1-1 technologies, because

ultimately the point is to provide safety and security to citizens (Luna, 2008).

       Hilton Collins (2008) states that a Next Generation 9-1-1 technology that is attractive to

public safety answering points (PSAPs) for cost savings and shared resource solutions is

virtualization. 9-1-1 agencies could consolidate servers and desktops, requiring fewer hardware

purchases and conserving energy. It also allows for network administrators to manage upgrades

and installs from one console, saving time and money. Also virtualization software can allow for

application testing before installing on a live system. This would benefit agencies by not

compromising 9-1-1 communication applications and save costs toward network administration

that would need to bring system and services back up immediately (TechSoup.org, 2011).

       It is possible that this is another example of a solution that creates additional problems.

The savings imply fewer personnel needs as well. In addition, there are security risks that come

with a virtual environment. Hilton Collins (2008) discusses information about virtualized and

non-virtualized environments as a whole, as well as some best practices for protecting virtual

networks from cyber-attacks. The main concern is that virtualization in government agencies,

particularly public safety and law enforcement, will bring greater exposure for exploits and

security breaches by introducing “a new layer of software on top of the host machine or system,

which creates additional infrastructure to manage and secure” (Collins, 2008, para. 2). The

article elaborated on the risks involved with virtual networks, like hackers, and illustrated that

attackers seek out poorly configured and exposed servers. Collins advised that potentially all

systems that are interconnected with the agency could be compromised. It only takes one open

network machine to be a possible threat of opening the door to a secured system or systems

(Collins, 2008). Costs that could be incurred with one breach of security could be limitless,

depending on, to name a few possibilities, the amount of staff needed to bring critical systems

back up, the amount and type of data loss, and legal action costs.

        Another change from Next Generation 9-1-1 that Douglas (2008) discussed is that

dispatchers will need to use a whole other set of sensory skills in addition to what they use now

to perform duties. Currently the information received is heard, either by the caller’s actual voice

or from a relay service for the hearing impaired. In the future, it will rely more on visual

information, rather than audible. The visual format makes completing interactive functions while

multitasking by the dispatcher harder because the cognitive load or attention requirements of

human beings vary. The additional multitasking from staff can raise training cost and cost to

obtain and keep trained staff. Douglas (2008) also touched upon how 9-1-1 Centers will have to

re-evaluate their training curriculums and even hiring processes to adapt to the changes. These

personnel and training issues could be looked at as vulnerabilities and could then be exploited by

individuals or organized groups (Douglas, 2008). Many times the weakest link in security is the

people that use the system (Breithaupt & Merkow, 2006). If staff are not trained properly or do

not have the required skills to use Next Generation 9-1-1 technology systems and software, this

could create a vulnerability to the whole system.

Current Information Security Management

       Information Technology implementation in 9-1-1 public safety communications can be

slow in adaptation especially when compared to consumers and the corporate sector (Barbour,

2008). As stated by Chairman Genachowski (2011), “no single governing entity has jurisdiction

over NG911…” and “the FCC will work with state 911 authorities, other Federal agencies, and

other governing entities to provide technical expertise and develop a coordinated approach to

NG911 governance” (sec. 3, para. 4). Lynette Luna (2008) stated in her article that an individual

“calling a catalog company to order goods such as clothing, the call-taker would have better tools

than the typical 911 call-taker — who is dealing with life and death situations” (p. 4). Luna noted

that one reason may be due to budgets and jurisdictional matters, such as funding issues,

regulatory amendments, and state regulations that stipulate 9-1-1 component usage. Luna (2008)

also mentioned that the transitioning to Next Generation 9-1-1 technologies would be an ongoing

process through changes in software, databases, and workers’ procedures. In October 2008 the

United States and global economy suffered, and it continues to struggle amid concerns over

American and European debt issues (Arizona State University, 2011). Local governments have

tightened their financial belts and the additional cost of upgrading 9-1-1 infrastructures and

maintenance, though a necessity, is none too appealing in the current economic climate. With

the country’s economic climate and with those changes that Luna mentioned (software,

databases, and workers’ procedures), the information security management would seem to also

need to adapt to the changes.

       According to the publication “Principles of Information Security: Principles and

Practices”, the major categories of computer crimes are as follows: Military and Intelligence

Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun”

Attacks. To break down each category, their definition (Breithaupt & Merkow, 2006) and how it

could apply to 9-1-1 IP systems are accordingly listed:

       Military and intelligence attacks: Criminals and intelligence agents illegally obtain

       classified and sensitive military and police files.

       Business attacks: Increasing competition between companies frequently leads to illegal

       access of proprietary information. As much as it may be hard to believe, this

       could include competing public safety vendors.

       Financial attacks: Banks and other financial institutions provide attractive targets (p.

       143).

Obviously 9-1-1 is not a bank or financial institution in the direct sense, but it is a government-

funded entity that could be attacked. Though financial gain would not be the end result, causing

significant financial harm could be a motive. Breithaupt & Merkow continue to list and explain

major categories of crimes:

       Terrorist attacks: Terrorist attacks could be executed for either a direct or indirect attack

       on a 9-1-1 system. An indirect example would be an attack targeted in one geographical

       area to pull sources away, so the intended target would be vulnerable. It could also

       involve one system or a large-scale attack of several systems either simultaneously or

       consecutively.

       Grudge attacks: This could come in the form of either a disgruntled employee or citizen

       seeking revenge against the specific agency or even just against law enforcement or

       government entities in general.

       Thrill attacks: hackers penetrate the system just for the “fun of it”, bragging rights, or

       simply for a challenge (2006, p. 143).

To conclude the risk portion, there, of course, is the continued threat of viruses and

malware as with any IP network. However, instead of only affecting a computer-aided dispatch

software program that could quickly be exchanged with an internal closed legacy system or even

a paper system for back up purposes, a 9-1-1 communications system would not be as easily

replaceable or allow for much downtime, even temporarily, due to a virus or

malware issue. Daily vulnerabilities of network infection and system outage on a vital system

such as 9-1-1 make any loss of service an issue of public safety.

     The National Emergency Number Association (NENA, 2011) website had a plethora of

documentation, guidelines, requirements and standards that addressed a variety of technology

and equipment implementation, connectivity, and functionality issues, which were more

appropriate for a systems administrator. Though system administrator policies and standards and

practices may include “security controls, information classification, employee management

issues, and corresponding administrative controls” (Breithaupt & Merkow, 2006, p. 43), which

apply to information security, none were specific to current 9-1-1 public safety communication

entities during an initial literature research. However, in February 2010, NENA organized and

published a set of national standards specific to Next Generation 9-1-1 security objectives for 9-

1-1 entities, titled National Emergency Number Association (NENA) Security for Next-

Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, which will be discussed

in more detail in this chapter. Before the creation of NG-SEC, though, no national standard or

policy was in place for 9-1-1 agencies.

                    Next Generation 9-1-1 Information Security Management

        The researcher investigated the literature specific to Next Generation 9-1-1 information

security management standards. The National Emergency Number Association advised the

purpose of the National Emergency Number Association (NENA) Security for Next-Generation

9-1-1 Standards was to “establish the minimal guidelines and requirements for the protection of

NG9-1-1 (Next Generation 9-1-1) assets or elements within a changing business environment”

(NENA, 2010, p. 7). The national public safety communication organization published the

document to provide standardized security practices for Next Generation 9-1-1 technologies, but

explained that it is a work in progress and the document is in its first version with revisions to

come to accommodate future issues (NENA, 2010). Technical requirements, upgrading and/or

replacing equipment, will incur costs to agencies. Readiness and available funds may also vary

with each 9-1-1 entity.

       The document scope covered public safety answering points (PSAPs), Next Generation

9-1-1 ESINet, Next Generation 9-1-1 service providers, Next Generation 9-1-1 vendors,

contracted services, and any individual or group who use, design, have access to, or are

responsible for Next Generation 9-1-1 assets (NENA, 2010). Like Breithaupt and Merkow

(2006), the National Emergency Number Association (NENA) document listed roles and

responsibilities of individuals specific to NG9-1-1 security and similarly concluded that

ultimately security is “everyone’s responsibility” (NENA, 2010, p. 11). When it came to

security policies, NENA stated that they are the first step in any effective attempt at the

implementation of a security program (NENA, 2010).

       The National Emergency Number Association (NENA) further explained the minimum

standards shall have a senior management statement (or an organizational security statement),

functional policies, and procedures. It continued to detail each section, starting with the senior

management statement policy. NENA emphasized that “senior management must be engaged

and committed to maintain highly effective security so the rest of the staff can be able to do their

part” (NENA, 2010, p. 11). As the National Emergency Number Association document stated,

security is “everyone’s responsibility” (NENA, 2010, p. 11) and senior management is not

exempted. The absolute minimum that should accompany the senior management statement is

two items: identify the person responsible for security (even though it technically is everyone’s

responsibility) and provide a written description of the security goals and objectives of the Next

Generation 9-1-1 entity (NENA, 2010).

       To compare this with information security management standard practices in realms

outside of 9-1-1 public safety communications, the book by Breithaupt and Merkow (2006),

provided an overview of information security management through security principles and a

common body of knowledge used in private and public industry. They explained that “setting a

successful security stage” with “effective security policies can rectify many of the weaknesses

from failures to understand the business direction and security mission and can help to prevent or

eliminate many of the faults and errors caused by a lack of security guidance” (Breithaupt &

Merkow, 2006, p. 60).

       The Next Generation 9-1-1 information security management standards documentation

(NENA, NG-SEC, 2010) stated that it is to provide a “deeper level of granularity after creating

an executive management statement” (NENA, 2010, p. 12). The document gave a list of some

examples of what may be contained in it: “acceptable usage policy, authentication/password

policies, data protection policy, wireless policy, physical security policy, remote access policies,

hiring practices, security enhancements or technology, baseline configurations for workstations,

standards for technology selections, and incident response policy” (NENA, 2010, p. 12). The

procedures section included documentation that provided the “method of performing a specific

task” (NENA, 2010, p. 12), such as creating new user accounts or how vendors would be

allowed access to the server room. This complemented the common body of knowledge (Breithaupt

& Merkow, 2006) and practices that private and government industries (ISO/IEC 27001, 2005),

outside of 9-1-1 public safety communications, utilized for information security management.

       Obstacles and Solutions for Next Generation 9-1-1 Information Security Management

       When information was collected for possible standards as they applied to various aspects

of Next Generation 9-1-1 operations, a mixture of obstacles and possible solutions were found.

In Merrill Douglas’ article (2008), she explained some problematic issues from the 9-1-1

operator’s perspective regarding Next Generation 9-1-1 and how 9-1-1 information will be

received in the future. Douglas explained that currently the information received is heard, either

by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will

rely more on visual information rather than audible, so a whole set of sensory skills will need to

be used, which makes performing interactive functions while multitasking much harder (Douglas,

2008). The article also discussed how 9-1-1 Centers will have to re-evaluate their training

curriculums and even hiring processes to adapt to the changes. Lack of training for staff creates

vulnerabilities that could then be exploited by individuals or organized groups (NIST SP-800-50).

It also relates to the risk assessments of future 9-1-1 systems, where the effects on

security are significant because people are usually the weakest link (Douglas, 2008).

       Mary Rose Roberts (2009) brought up consolidation of Next Generation 9-1-1 enabled

public safety answering points (PSAPs) and illustrated both economic and shared resource

benefits. She explained that technology improvements are growing exponentially and even

though costs were lowering, still it behooved agencies to share resources to save money, as well

as the benefit of sharing intelligence. The year before the standards were developed, Roberts

(2009) was asking, “if it's next generation compliant, what does that mean? We haven't defined

what next generation is totally, so how can you be compliant to a standard that may not even

exist yet…" and "as a result, we don't believe every PSAP in this country is going to go to an

NG911 environment any time in the very near future” (p. 23). Merrill Douglas (2009) also

addressed consolidation cost benefits for PSAPs, which then helps with the burden of costs and

provides better redundancy by switching to an IP network.

         Craig Whittington (2009) explored the public's expectations of 9-1-1 services and the

difference in what is reality. In his article, he stressed if the public's perception and the reality of

9-1-1 do not agree, it can be more than a public relations problem; it can put lives at risk. From

that perception issue, the article illustrated what Next Generation 9-1-1 can provide, such as shared

networks, new and different ways to communicate with callers and responders, as well as an

increased capacity to transmit and disseminate information. Mr. Whittington additionally

emphasized that the most vital part of 9-1-1 systems (now and in the future) are the 9-1-1 Operators

and Dispatchers. It is very important to make sure that personnel are well trained and at ease

with the new responsibilities and technologies. Not only will it be a challenge to re-evaluate

training curriculums, but also how to do it with continuing decreased budgets. The continued

significance of operators in the 9-1-1 center is that they can become the weakest link in the

overall network risk management. In order to acquire the benefits discussed earlier, this article

illustrates the importance of making sure competent employees are hired and retained, as well as

trained in the most current technologies, all important issues in risk assessments (Whittington,

2009).

                                                  Conclusion

         As the technology of 9-1-1 continues to evolve into Next Generation 9-1-1 systems,

information security management in public safety communications will need to evolve as well to

meet the needs of various technologies, consumers, and 9-1-1 staff. Matters of funding,

governance, reliability, and security surround the project and the changes that current 9-1-1

public safety answering points (PSAPs) have and will be experiencing in the near future. This

chapter provided a summary of the National Emergency Number Association (NENA) Security for Next-

Generation 9-1-1 Standards with which agencies will be required to comply for Internet-protocol

based technologies. It also illustrated some challenges PSAPs will have due to the Next

Generation 9-1-1 evolution. Against this background the researcher delved into the real-life state

in which the PSAPs are currently compliant, either operating at Next Generation 9-1-1 status or

before utilizing Internet-protocol technologies.




CHAPTER 3. METHODOLOGY

                                         Research Design

       The study was a non-experimental, Mixed Method study because it included both verbal

and numerical data. The study had a two stage design. There was secondary data gathered in a

review of the literature as well as primary data collected to answer the research questions. The

research design was an evaluation study being conducted to evaluate compliance with security

standards of Public Safety Answer Points (PSAPs). The study was descriptive and illustrated

aspects of agencies considered to be representative. It was also exploratory because the standards

used to evaluate compliance were relatively new and the information collected was intended to

help develop future more focused understandings of PSAP needs required for support in

achieving compliance. The topic was new and little understood, so an exploratory project was

appropriate.

       Published response data for the survey’s questions served as benchmarks for the purpose

of comparison and analysis of this study’s questions. Thus, a criterion-based design was used.

The standards were the criteria and in this design they provided the hypothesized situation

against which this study was performed, as well as the standard of judgment for success or

failure, and they provided a stable platform that enabled the researcher to decide whether the

conclusions of this and other studies were relevant so that a pattern matching strategy could be

employed, as explained by Yin (2009).

       The study was field based using only publicly available online membership contact

information of either state or regional chapters of Association of Public-Safety Communications

Officials (APCO) and National Emergency Number Association (NENA), both not-for-profit

professional organizations for public safety professionals. According to NENA (2011), the

United States has 6,130 primary and secondary public safety answering points (PSAPs). For the

purpose of this study and based on the time and resources available to the researcher, obtaining

6,130 agency contacts would not have been feasible. However, utilizing an Internet search of

publicly available members of state or regional APCO or NENA chapters to collect at least one

or more agency contacts, representing 50 states in order to examine the study nationwide was

achievable. The online search produced a list of 225 individual agency contacts, including a

name for point of contact, e-mail address, and agency phone number. The study consisted of a

one-time survey, sent to each of the 225 agency contacts, and was a cross-sectional study. The survey

was self-administered by email and the researcher utilized survey services through Survey

Gizmo.

                                              Sample

         The study utilized a cluster sampling technique. Leedy (2010) explains this technique is

appropriate when “the population of interest is spread out over a large area” (p. 209). The 225

agencies were the population units, i.e. the clusters. They were classified by size of population

each agency serves utilizing 2010 United States Census information. The sample was stratified

into three segments: small (serving 1-99,999 population), medium (serving 100,000-499,999

population), and large (serving 500,000 or more population). Of the 225 agencies, the following

counts and percentages were present in this survey study: small (125 agencies, 55%), medium

(71 agencies, 32%), and large (29 agencies, 13%).

     All survey methods have weaknesses. For example, participants may

have wanted to reflect compliance, when in fact, they were not, or their responses may have been

based on their understanding of the question and standards, which could in fact be a

misunderstanding (Colorado State University, 2012). The survey referenced the industry

accepted security standards for the survey questions and the researcher had to trust that all

agencies were familiar with them and how it applied to their specific agency in order to

accurately provide information for the study. Another issue, non-response, was present for a number of

possible reasons (Cooper, 2008, p. 257). For example, the contact information may not have

been accurate, or the survey may not have been addressed to the person best able to

answer in the context of the compliance survey. Use of an official association was intended to

reduce issues related to contact information. Also it was difficult to secure a large amount of the

selected agencies to respond to the survey. First, the initial contact was through the e-mailed

survey and the researcher and educational institution, not representing a public safety

communications organization or government agency, was relatively unknown to the public safety

communication centers. Or, there may have been restrictions on the agency the researcher was

unaware of. A telephone follow-up to non-responders was used to increase the pool of available

responses.

                                              Setting

       The thesis study was conducted in a field setting. The 225 agencies consisted of city,

county, or state entities and were subject to a variety of regulations. They have been described

elsewhere.

                                    Instrumentation / Measures

       The instrumentation used was an online survey that was emailed to 225 individual agency

contacts. Measurement of the current 9-1-1 status/capability was categorical: Basic 9-1-1,

Enhanced 9-1-1, Wireless Phase I, Wireless Phase II, and Next Generation 9-1-1. Categorical

measurement was made of respondent job title/role within their agency through three categories,

9-1-1 Supervisor (middle management), 9-1-1 Manager (upper management), 9-1-1 IT/Network

Administrator (technical management). There was also an “Other” category for main job

title/role if the three did not apply to the individual. Other measures focused on compliance

standards.

       The researcher used the National Emergency Number Association’s (NENA) Security for

Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) to develop

the survey questions in order to gather information about the security landscape of 9-1-1 public

safety communication agencies at the dawn of Next Generation 9-1-1 nationwide

implementation. The first set of questions, questions 1 through 3, provided population range,

current 9-1-1 status/capabilities, and participant’s job title/role. Questions 4 through 6 focused on

the agency’s Network Administration landscape. In questions 7 through 14, the participant

selected each security policy and standard that was currently in place at their agency and

provided obstacle explanations if applicable. Each security policy and standards question

reflected a security standard presented in the National Emergency Number Association’s (NENA)

Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010).

                                          Data Collection

       Data collection in this study was subject to time constraints. Specifically, data collection

was limited to a three week period in November. Data collection included content from the

review of literature and survey agency sample. The literature provided the compliance standards

with the National Emergency Number Association’s (NENA) Security for Next-Generation 9-1-1

Standards (National Emergency Number Association, 2010) and the NENA website of 9-1-1

basic statistics supplying the number of public safety answering points (PSAPs). An email was sent

to 225 9-1-1 public safety agencies from the list of Association of Public-Safety Communications

Officials (APCO) and National Emergency Number Association (NENA) members. The

researcher followed up with a phone call to the agencies. The researcher exported survey data

from the Survey Gizmo report dashboard of all respondents for data review and analysis.

                                           Data Analysis

       Data was analyzed using both logical reasoning and descriptive statistics. The data

presented used a question format. The questions supplied agency size and current agency 9-1-1

status or capability, illustrated by pie charts showing percentage of small, medium, and large

agencies and bar graphs for 9-1-1 status. In addition to various charts and graphs, tables were

used to further analyze the data from each survey question and provided total counts and

percentages of each agency population size and total agency responses.

                                      Validity and Reliability

       Classroom Assessment (2011) states that “reliability and validity are two concepts that

are important for defining and measuring bias and distortion” (sec. C, para. 1) with reliability

referring to the “extent in which assessments are consistent” (sec. C, para. 2) and validity as the

“accuracy of an assessment” (sec. C, para. 5) even if it does not measure what is to be measured.

The survey questions mirrored the compliance standards. This established the content validity of

the questions. Another way of determining validity was the use of expert judgment. Therefore,

the committee reviewing this research was another check on validity.

       Another approach to validity was through triangulation. Leedy (2010) describes

triangulation as collecting data from multiple sources “with the hope they will all converge to

support a particular hypothesis or theory” (p. 99). It is common in qualitative designs to use

different sources of data as support for the researcher’s confidence in the conclusions presented

in Chapter 5.



                                      Ethical Considerations

       The researcher conducted the survey by questioning individuals managing 9-1-1

communication systems with the following ethical considerations. There are four categories of

ethical consideration in research studies: (1) Do no harm, (2) Informed Consent, (3) Right to

Privacy, and (4) Honesty.

       Do no harm is a broad ethical category. It includes not asking sensitive questions

that would possibly injure an individual’s employment status. Security is a sensitive issue

and a discussion of security issues under some circumstances might be interpreted as “sensitive”.

For that reason data is collected in ways that do not reveal individual replies, and participants

are clearly informed about their right not to participate.

       Specifically, to meet the need for full disclosure, each 9-1-1 participant was informed of

the intention of the study (copy in appendix B), which was to provide an academic snapshot of

compliance through literature review and a survey of public safety answering points (PSAPs) to

complement existing research and discussions of Next Generation 9-1-1 within the public safety

communication realm and provide a platform for further dialogue and study on specific Next

Generation 9-1-1 information security management goals and practices. The researcher was

aware of the ethical demand for honesty in data collection.

        In addition, the participants who completed the survey did not have their personal identity

or the identity of the agency revealed. None of the questions in the survey requested information

that identified a specific person or agency, or put them in any harm. All information collected for

the study was confidential to the research through the Survey Gizmo data collection and used

only for the purpose of the academic thesis study.



                                       CHAPTER 4. RESULTS

                                           Introduction

       This chapter presents the data gathered from the surveys from public safety answering

points (PSAPs). The survey was sent to 225 agencies stratified by population size. The purpose

of the survey was to gather data needed to answer these questions:

       1. What percent of agencies have Next Generation 9-1-1 status?

       2. What percent of agencies are compliant or noncompliant with standards?

       3. What are the obstacles and/or challenges for public safety answering points (PSAPs)

           that are not compliant with public safety communication information security

           standards?

       Answering these questions will lead to the answer to the main question and reveal

compliance or non-compliance of PSAPs that are Next Generation 9-1-1 (NG9-1-1). The survey

categorized PSAPs as small (1-99,999), medium (100,000-499,999), and large (500,000 or

greater). It is an instrument of analysis to gauge the nationwide landscape of public safety

answering points (PSAPs) currently and identify possible issues and obstacles of where it is

heading.

       The methodology the researcher followed entailed contacting 225 agencies by e-mail

utilizing Survey Gizmo survey online services. From 225 agencies, 4 agency e-mails were

rejected with no other contact information available to the researcher, leaving a total of 221

agencies receiving the survey for response. Of these 221, a total of 56 agencies responded as a

result of the survey process. In the first 3 days, 52 agencies responded. Three days after the

initial surveys were e-mailed, the researcher sent a reminder with a second wave of the surveys

to the 169 agencies that did not respond. According to StatPac, Internet surveys receive 90% of

the responses within three days after the e-mail invitation is sent (StatPac, 2011). In this instance

that proved a good ballpark estimate because 52/56 is 92%. The reminder did not produce

additional responses.

       The next week, follow up phone calls were made to each of the 169 agencies that did not

respond. The researcher directly spoke with 52 agency contacts from those 169 agencies. The 52

contacts the researcher reached by phone advised that they were not sure if they had received the email, or

remembered the survey but had not taken it. For the 117 agencies with which direct contact was

not made, the researcher either left a message with the dispatcher or non-emergency personnel

answering the phone, or left a message on the contact’s voicemail. The follow up phone

calls produced 4 responses, making the total survey study response 56.

       Because the non-response rate was 75%, it is necessary to discuss response bias. Israel

(2009) notes strategies to deal with response bias, including calling back non-respondents, which the

researcher did, and to “assume there is no response bias and to generalize the population” (p. 2,

para. 4). In addition, Israel suggests that the researcher’s previous public safety communication

experience offers expertise needed to make judgments regarding key information others might

benefit from and use as part of generalization. In addition, that experience would support their

confidence in conclusions drawn in discussion even with this response rate.

       Interestingly, since the survey generated 56 responses, it is comparable to other results,

such as that in Deline, Ko, and Venolia (2007). They reported 55 responses on a sample of 250

(p. 7-8). The total population of this study’s survey was 221 with 56 responses and this

comparison supports the decision to consider the response rate sufficient for the analysis and

conclusions drawn in this study. Therefore, although there were time limitations on data

collection for the project, the researcher during the third week of data collection contacted the

agencies about reasons for survey non-responses. Of the 165 non-respondent agencies, 33

provided reasons for non-response. During this follow up, three reasons were provided by

agencies for their decision. Although some mentioned time constraints, two other reasons

provided were: (1) they did not want to participate due to not being familiar with the researcher

or the graduate program institution and (2) they were not comfortable in sharing data with non-

governmental entities. Given that security really is a sensitive topic, the researcher could have

anticipated this response. In an e-mail to the researcher, Dr. Robert Morse confirmed other thesis

candidates had been told contracts with security providers restricted the release of data only to

authorized agents of that provider (R. Morse, personal communication, January 27, 2012).

       One additional point was mentioned by the Federal Communications Commission Chairman

in August 2011:

      	
       We need a comprehensive, multi-pronged approach to NG911 implementation: If we do

       nothing, to address NG911 requirements, timelines, costs, and governance, we will see

       uncoordinated patchwork deployment of NG911 over the next five to ten years, leaving

       much of the U.S. without any NG911 capability (Genachowski, 2011).

In other words, the FCC chairman was in essence claiming that a rudder to steer the project is still

needed. That fact and these additional reasons, time constraints on data collection and the cost of

multiple calls to agencies, were considerations that influenced the decision to stop data collection

and make the judgment to report the data as collected. The researcher’s advisors pointed out self-

selection bias is always a possibility in this type of research and agreed with the decision to

report the results of the survey and follow-up conversations.




                                           Data Analysis

       Data is analyzed using both logical reasoning and statistics. The data is presented using a

question format. In addition to various pie charts and graphs, tables will be used to further

analyze the data from each survey question.

       There were three possible categories of responses by the size of agency jurisdiction. The

distribution of responses by agency size was: small (38 agencies, 68%), medium (16 agencies,

29%), and large (2 agencies, 3%).




       Figure 1. The population range of the agency's jurisdiction.

       What is interesting is that the categories do not reflect an even distribution. Essentially

the three divisions can be considered in terms of x < 500,000 and x > 500,000. Out of the 56

respondents, 2 agencies selected the Large category (3%), 16 selected the Medium category (29%),

and 38 respondents selected the Small category (68%). If the 16 Medium sized respondents are

considered in combination with the 38 small category respondents, then clearly the bulk or 97%

of respondents represented service areas of less than 500,000.


The next survey question: What is your agency's current 9-1-1 status/capability? This

question requested the agency current 9-1-1 status, noting to respond with their most advanced

level that applied to their agency. All 56 respondents selected Wireless Phase II as their current

9-1-1 status/capability, which allows for wireless 9-1-1 calls to display both latitude and

longitude of the caller’s location. A key finding is that all are at the same level of compliance

since all were at the same 9-1-1 status/capability.

Table A

Current agency 9-1-1 status/capability

Agency Size         Basic       Enhanced       Wireless I    Wireless II      Next             %
                                                                            Generation

Large                  0             0                0           2              0            3%

Medium                 0             0                0          16              0            29%

Small                  0             0                0          38              0            68%

Totals (%)            0%            0%            0%            100%            0%            100%




Figure 2. Current 9-1-1 status/capability.

       The third survey question: Which best describes your main job title/role at your agency?

From the total responses, 23% selected 9-1-1 Supervisor (Middle Management), 61% selected 9-

1-1 Manager (Upper Management), and 8% selected IT/Network Administrator (Technical

Management). There were also four agencies (2 Medium agencies and 2 Small agencies, or

8%) that selected the “Other” category. The descriptions given for “Other” were “Executive

Director”, “Communications Training Coordinator”, “Both Manager and IT Administrator”, and

“Trainer”. This shows that the majority of responses were from upper management, as requested, with

9-1-1 managers selected for their capability and knowledge of the compliance standards

and their ability to provide accurate information about their specific agency.




Table B

Job title/role at agency

Size                 9-1-1            9-1-1             IT/Network     Other             %
                   Supervisor        Manager           Administrator

Large                      0             1                  1            0              3%

Medium                     1             10                 3            2              29%

Small                  12                23                 1            2              68%

Totals (%)            23%               61%                8%           8%


        As shown in Figure 3, the most selected job title/role for Small agencies was “9-1-1 Manager”.

Second choice was “9-1-1 Supervisor”. The third and fourth selections were “Other” and

“IT/Network Administrator”. As with the overall response, the majority selection for job role was

the 9-1-1 manager category, showing that small agencies have designated and dedicated managers

for their entities, signifying upper management responsibilities and knowledge as with other size

agencies.




        Figure 3. Job title/role for small agencies.
        The Medium agencies selected “9-1-1 Manager” the most, “IT/Network Manager” next,

and then “Other” and “9-1-1 Supervisor” as the two least selected job titles/roles (shown in Figure 4).

The medium agencies had 19% of their responses from the IT category. If compared to the small

agencies’ 5% (see Figure 3), this could illustrate small agencies having fewer network

administrative personnel on staff and that the 9-1-1 manager in small agencies could hold IT

administrative responsibilities even if it is a secondary role. Medium size agencies appear to have

more network administration on staff, given the higher percentage with it as their main role responsibility.




       Figure 4. Job title/role for medium agencies.

       Figure 5 illustrates the two choices selected by the Large agencies, of which two in total

responded. One selected “9-1-1 Manager” and one selected “IT/Network Administrator”. None

selected “9-1-1 Supervisor” or “Other”. Since only two large agencies responded, the division of

roles is 50%. What could be concluded is large agencies have levels of staff that are on upper

level management and/or have a dedicated network administration department.




Figure 5. Job title/role for large agencies.

       In survey question 4: What best describes your current IT/Network Administration at

your agency? The two Large agencies both selected “Full-time internal IT/Network

Administrator”. The Medium agencies varied among three categories, 12 for “Full-time internal

IT/Network Administrator”, 1 for “Part-time external IT/Network Administrator”, and 3 for “Full-

time external IT/Network Administrator”. The Small agencies provided a representation for all

five categories. For the “Part-time internal IT/Network Administrator”, 2 made that selection, 19

selected “Full-time internal IT/Network Administrator”, 1 selected “Part-time external

IT/Network Administrator”, and 13 chose “Full-time external IT/Network Administrator”.

Finally, 3 Small agencies selected “No IT/Network Administrator”.




Table C

Current agency IT/Network administration description

Size                None        Part-Time     Full-time      Part-time      Full-time           %
                                 internal      internal      external       external

Large                 0             0             2              0              0               3%

Medium                0             0             12             1              3           29%

Small                 3             2             19             1              13          68%

Totals (%)           5%            4%            60%            3%             28%


        The small agencies had at least one selection in each of the current agency IT/Network

administration description categories. The highest selected was “Full-time internal” and second

highest was “Full-time external”. The last three, in order of most selected, were “None”, “Part-

time internal”, and “Part-time external” (see Figure 6). Even though it is possible for small

agencies to have less budget allocation for a designated IT/Network Administrator, the data

illustrates small agencies are not necessarily at a disadvantage at staffing network administration.




        Figure 6. IT/Network Administration for small agencies.
       As shown in Figure 7, the Medium agencies selected three in total of the current IT/Network

administration description types. The most often selected response was “Full-time internal”, the

second was “Full-time external”, and the least selected was “Part-time external”. Large agencies

selected that their IT/Network administration was full-time, internal staff (see Table C).

Comparing all three jurisdiction sizes shows that the larger the agency size, the greater the share of

full-time network administrators and of those that are internally staffed. But even though smaller

agencies have a lower percentage, they are apparently capable of having full-time administrators

even if they need to contract externally.




       Figure 7. IT/Network Administration for medium agencies.

       For survey question 5: If your agency has "No internal or external IT/Network

Administrator" does your agency anticipate in employing or contracting an IT/Network

Administrator? As shown in Table C, only 3 small agencies selected this category. The 3 that

selected “No internal or external IT/Network Administrator” in question 4 also selected “No” for

question 5. However, one agency that selected “Full-time external IT/Network Administrator” in

question 4, also selected “No” for question 5. This illustrates that, while some smaller agencies

are able to have full-time network administration staff, as reflected in question 4, there

are some that have yet to overcome obstacles, which will be explained in question 6 (see Table

E).

Table D

Agency anticipation of employing/contracting an IT/Network administrator who currently have

none.

Size                               Yes                       No                         %

Large                               0                         0                        0%

Medium                              0                         0                        0%

Small                               0                         4                       100%

Totals (%)                         0%                       100%


        For survey question 6: If you answered "No" to either question 5, please explain the

reason and/or obstacles of why your agency does not anticipate doing so? From Table D, it

shows that 4 Small agencies selected “No” and 4 Small agencies selected categories providing a

reason for their answers in Table E. Cost was selected by 3 Small agencies and Upper

Management had 1 selection. The “Other” category was selected by 2 Small agencies with the

explanations of “I do it” and “we have a staff member currently enrolled in college to get his

degree for our IT, as the County only has 2 full time IT but they are for the entire county and we

have to wait on their availability. We have current State and Federal policies in place and try to

stay in compliance with NENA/APCO standards”.




Table E

Reason or obstacles for not employing/contracting IT/Network administration if currently none

Size              Cost        Upper            High         Lack of         Other              %
                            management       turnover      qualified
                                                           resources

Large              0              0              0              0             0            0%

Medium             0              0              0              0             0            0%

Small              3              1              0              0             2           100%

Totals (%)        75%            25%            0%             0%           50%


        Small agencies are the ones reporting obstacles when it comes to not employing or

contracting IT/Network administration, which would affect their compliancy with the established

security standards. With “Cost” receiving the majority of the obstacle selections, this could possibly be

alleviated through future funding assistance, either by state or federal agencies, so that they are not

at a disadvantage when they do not have sufficient revenue for their budgets.




        Figure 8. Obstacles for not employing IT administration for small agencies.

       Survey question 7: What type of Information Technology (IT) descriptions and

policies does your agency currently have in place? The selection of all, with the exception of

“none apply”, would allow the agency to be compliant under the NENA Security for Next-

Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Table F breaks down the first six

categories and Table G provides information for the last six of question 7. All but one agency

had at least one category selected. The agency that did not select any category was one Small

agency, making it a total of 55 responses for this question. Looking at both Table F and G, both

the large agencies selected all but two categories, “Wireless Policy” and “Incident Response”.

For the medium agencies, all selected “Acceptable Usage”, with many agencies in that category

also selecting “Password Policy”, “Data Protection”, “Wireless Policy”, “Physical Security”,

“Remote Access”, and “Access Control”. No Small agency had all policies selected, but many

agencies selected “Acceptable Usage”, “Password Policy”, and “Physical Security”. Also, one of

the large agencies selected every choice, including “None apply”, even though they selected

all of the previous policies.

Table F

Type of IT descriptions and policies (first six categories)

Size           Acceptable       Password    Information         Data       Wireless     Physical
                 Usage           Policy    Classification     Protection   Policy       Security
Large               2              2              2               2           1             2

Medium             16             15              9              12          13            14

Small              33             34             16              27          17            33

Totals (%)        93%             93%           51%             74%         56%           91%




Table G

Type of IT descriptions and policies (last six categories)

Size          Remote       Access       System         System     Incident       None          *%
              Access       Control      Control        Patching   Response       Apply
Large           2            2            2                2         1             1           4%

Medium           13           10           9              8           9            0          29%

Small            16           22           6              9          23            1          67%

Totals (%)      54%          63%          31%           33%         62%           3%

* % both Table F and Table G


        Figure 9 illustrates all of the IT descriptions and policies from both Table F and

Table G that were selected by Small agencies. The most selected was “Password Policy”.

Following that, in order, were “Acceptable Usage”, “Physical Security”, “Data Protection”,

“Incident Response”, “Access Control”, “Wireless Policy”, “Information Classification”,

“Remote Access”, “System Patching”, “System Control”, and last, with one agency selection,

“None Apply”. If compared to the following figures that illustrate medium and large agency

responses (figures 10 and 11), the greatest differences in IT policies are in system controls, system

patching, remote access, information classification, and wireless policies. For small agencies,

this lack of policies may be due to network administration staffing or even the capabilities of

their current database networks and they do not have those policies in place because it is not

applicable to their network yet. However, once they are Next Generation 9-1-1 capable, all

categories will need to be in place.




Figure 9. IT descriptions and policies for small agencies.

       The medium agency selections are shown in Figure 10. The most selected category was

“Acceptable Usage” and last was “System Patching”. None of the medium agencies selected

“None Apply”. The medium agencies seem to be more in compliance with many of the

policies. This may be due to more evolved database networks and staffing.




       Figure 10. IT descriptions and policies for medium agencies.

       The Large agency selections of IT descriptions and policies from both Table F and

Table G are shown in Figure 11. Both Large agencies selected “Acceptable Usage”, “Password

Policy”, “Information Classification”, “Data Protection”, “Physical Security”, “Remote Access”,

“Access Control”, and “System Control”. However, only one agency selected “Wireless Policy” and

“Incident Response”. Also, as noted previously, one agency also selected “None Apply”.

Surprisingly, incident response and wireless policies were not selected by one of the two large

agencies. Many metropolitan public safety communications centers communicate with local

databases, such as computer aided dispatch (CAD) or records management systems (RMS),

wirelessly from laptops in vehicles and other mobile devices. It would also be thought that a

large agency would have incident response policies in place in case a natural, terrorist, or

technical disaster occurred.




       Figure 11. IT descriptions and policies for large agencies.

       Survey question 8: If your agency is Next Generation 9-1-1 capable and any of the

following descriptions and policies listed in question 7 were not selected please select the

reason(s) and/or obstacle(s). The data in Table H reflect 32 survey respondents making at least one of the

selections, even though all agencies reported the highest 9-1-1 status/capability of Wireless

Phase II. None of the 56 responding agencies reported having Next Generation 9-1-1

status/capabilities for question two of the survey. None of the large agencies made selections for

question 8. However, 7 medium agencies and 25 small agencies made at least one selection,

making up over half (57%) of the 56 total responses to the survey. The two “Other” categories

consisted of “IT department prefers to not to release information due to concerns over security”

and “we are NG9-1-1 capable, but state law prohibits implementation”.

Table H

If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies

in Table F and Table G

Size              Cost          Time         Upper           Staff           Other           %
                                           Management      Constraints

Large               0             0              0              0              0            0%

Medium              4             5              0              2              1            22%

Small              16            18              1              14             1            78%

Totals (%)        68%           75%             3%             53%            6%


        Even though none of the responding agencies were Next Generation 9-1-1 capable, the

responses do shed light on the obstacles agencies currently face in reaching compliance. Cost was

selected in over half of the responses, but “Time” was selected in 75% of them overall and is the

highest ranked obstacle in both medium and small agencies. This could indicate that agencies feel

they are spread thin in keeping up with standards and evolving technology even if they have the

staff and money.



Figure 12. Obstacles for not having the descriptions/policies for small agencies.




       Figure 13. Obstacles for not having the descriptions/policies for medium agencies.

       Survey question 9: Select the following software your agency currently runs on all

servers and end user computers? Anti-virus software and/or spyware detection software. All 56

agencies selected either one or both of the software selections. All agencies currently run

anti-virus software on all servers and end user computers. Only a few of the medium and small

agencies do not currently run spyware detection software. Reasons were asked for in the

following survey question (see Table I).

Table I

Virus and/or spyware detection software on all servers and end user computers

Size                             Anti-virus           Spyware detection            %

Large                                2                        2                    3%

Medium                               16                      13                    29%

Small                                38                      34                    68%

Totals (%)                         100%                     88%




          Figure 14. Virus and/or spyware detection software for small agencies.






Next Generation 9-1-1: Examination of Information Security Management in Public Safety Communications Centers

  • 1. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS by Natalie J. Yardley A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science University of Advancing Technology March 2012
  • 2. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATION CENTERS by Natalie J. Yardley has been approved March 2012 APPROVED: ROBERT MORSE, Ph.D, Chair GREG MILES, Ph.D, Advisor AL KELLY, Advisor ACCEPTED AND SIGNED: __________________________________________ ADD NAME OF CHAIR, CREDENTIALS (ALL CAPS)
  • 3. Abstract This research examines the current information security management landscape of 9-1-1 public safety communication centers upon the beginning of nationwide Next Generation 9-1-1 initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems, . The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information security and technology management evaluation. Also, a literature review of the implementation of managing Internet-protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determined current 9-1-1 agency status in terms of compliance or noncompliance to the of standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and potentially serious barriers related to funding exist.
  • 4. Dedication I would like to dedicate my thesis work to all the very dedicated 9-1-1 professionals, especially from Atchison County Communications Center, Atchison, Kansas. i
  • 5. Acknowledgments I would like to thank my Thesis Committee, particularly my Chair, Dr. Morse, for continued guidance during the graduate thesis process. Also I want to give many thanks to my family, for their patience with my writing, reading, and proofing marathon sessions behind closed doors. ii
  • 6. Table of Contents Acknowledgments ii List of Tables v List of Figures vii CHAPTER 1. INTRODUCTION 1 Introduction to the Problem 1 Background of the Study 2 Statement of the Problem 3 Purpose of the Study 3 Research Questions 4 Significance of the Study 4 Definition of Terms 5 Assumptions and Limitations 5 Nature of the Study 6 Organization of the Remainder of the Study 8 CHAPTER 2. LITERATURE REVIEW 9 CHAPTER 3. METHODOLOGY 26 Research Design 26 Sample 27 Setting 28 Instrumentation / Measures 28 Data Collection 29 Data Analysis 30 iii
  • 7. Validity and Reliability 30 Ethical Considerations 31 CHAPTER 4. RESULTS 32 CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS 63 REFERENCES 80 APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENATION INFORMATION SECURITY MANAGEMENT SURVEY 85 APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTER PARTICIPANT INFORMED CONSENT 90 iv
  • 8. List of Tables Table A. Current agency 9-1-1 status/capability 36 Table B. Job title/role at agency 38 Table C. Current agency IT/Network administration description 41 Table D. Agency anticipation of employing/contracting an IT/Network administrator who currently have none 43 Table E. Reason or obstacles for not employing/contracting IT/Network administration if currently none 44 Table F. Type of IT descriptions and policies (first six categories) 45 Table G. Type of IT descriptions and policies (last six categories) 46 Table H. If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F.1 and Table F.2 49 Table I. Virus and/or spyware detection software on all servers and end user computers 51 Table J. Reason and/or obstacles for agency not running anti-virus and/or spyware detection software 52 Table K. Current inventory, schematic, and audit documents on file 54 Table L. Reasons or obstacles for not having network inventory, schematic, and/or audit documents 56 Table M. Type of security awareness training and education standards currently in place 57 Table N. Reasons or obstacles for not having staff security training and/or current training/certification for IT administration 60 Table O. Agencies reporting compliance with NG-SEC 66 v
  • 9. List of Figures Figure 1. The population range of the agency's jurisdiction. 35 Figure 2. Current agency 9-1-1 status/capability. 37 Figure 3. Job title/role for small agencies. 38 Figure 4. Job title/role for medium agencies. 39 Figure 5. Job title/role for large agencies. 40 Figure 6. IT/Network Administration for small agencies. 41 Figure 7. IT/Network Administration for medium agencies. 42 Figure 8. Obstacles for not employing IT administration for small agencies. 44 Figure 9. IT descriptions and policies for small agencies. 47 Figure 10. IT descriptions and policies for medium agencies 47 Figure 11. IT descriptions and policies for large agencies. 48 Figure 12. Obstacles for not having the descriptions/policies for small agencies. 50 Figure 13. Obstacles for not having the descriptions/policies for small agencies. 50 Figure 14. Virus and/or spyware detection software for small agencies. 51 Figure 15. Virus and/or spyware detection software for medium agencies. 52 Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies 53 Figure 17. Current IT documentation for small agencies. 54 Figure 18. Current IT documentation for medium agencies. 55 Figure 19. Current IT documentation for large agencies. 55 Figure 20. Obstacles for complete IT documentation for small agencies. 56 Figure 21. Obstacles for complete IT documentation for medium agencies. 57 vi
  • 10. Figure 22. Security awareness and training for small agencies. 58 Figure 23. Security awareness and training for medium agencies. 58 Figure 24. Security awareness and training for large agencies. 59 Figure 25. Obstacles for security training and education for small agencies. 60 Figure 26. Obstacles for security training and education for medium agencies. 61 Figure 27. Reported NG-SEC compliance by agency size. 66 Figure 28. Part-time or no current network administration by agency size. 69 Figure 29. Obstacles for not having full-time network administration for small agencies. 72 Figure 30. Presence of malware in network traffic (Ponemon, 2009). 74 (Note: Do not remove the section break that follows this paragraph.) vii
  • 11. CHAPTER 1. INTRODUCTION Introduction to the Problem Technology has expanded the way society communicates, particularly in the last few decades (Barbour, 2008). Today, cell phones are prevalent and have expanded the tools available for individuals to get help from public safety agencies. In addition to voice communications over the telephone wires, individuals can easily conduct voice and video conversations using computers on either wired or wireless Internet networks. People can instantly send and receive text, photos, and video from their cell phones. With the additional communication options available to the public, the technical capabilities of 9-1-1 public safety communications need to expand. Society’s expectations and the reality of what the 9-1-1 systems should be able to handle, are wide apart. One example is the Virginia Tech shooting in April 2007 when students attempted to send text messages to 9-1-1, they were unaware the call center was not equipped to receive such communications (Luna, 2008). Many hearing impaired callers rely on newer modes of communication available on smart phone devices, yet cannot utilize them during an emergency to contact a 9-1-1 system that is analog based (Kimball, 2010). Another example of the need to upgrade capability to meet expectations is the fact legacy 9-1-1 equipment is unable to provide accurate location services. Of course, that service is now widely available and many mobile and social networking services currently provide it according to the National E9-1-1 Implementation Coordination Office (2009). Due to this wide gap of expectation verses capability, the need for public safety communications to upgrade to match consumer technology advancements is vital if the system is to continue to keep citizens safe. 1
  • 12. In July 2008, H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008 (also known as the NET 911 Improvement Act of 2008) was signed into law to promote and enhance public safety by facilitating the rapid deployment of IP-enabled 911 and E-911 services, encouraging the nation’s transition to a national IP-enabled (Internet Protocol) emergency network, and improving 911 and E-911 access for those with disabilities. The initiative of advancing 9-1-1 systems to IP technologies nationwide is known as Next Generation 9-1-1 (or NG9-1-1). Currently, there is no definite date of completion for nationwide NG9-1-1. Also, public safety organizations are independently planning and implementing NG9-1-1 technologies (Kimball, 2011). Because of the vast technological changes and the requirement of nationwide standards, this lack raises concern about the way IP-based 9-1-1 systems are managed to maintain their security and integrity, a task that is also evolving as the closed analog system is converted to a connected Internet system (NENA, 2011). Given the size and scope of the project, there is a need to monitor compliance capability.

Background of the Study

In the United States, the current 9-1-1 system is going through a transformation from analog-based systems to IP-based (Internet Protocol) systems (NENA, 2011). The analog 9-1-1 systems are not compatible with most of the current consumer technologies, and converting to digital systems will allow the variety of available consumer communication devices to work within public safety systems. Next Generation 9-1-1 will allow IP-based communication technologies to be used, such as text messages, voice, photos, and videos over secured Internet points. Prior to the introduction of Next Generation 9-1-1, public safety communication systems were not connected to other networks, which provided stronger security barriers from attacks.
With Next Generation 9-1-1, the barriers are significantly decreased through the internet-protocol connections, making 9-1-1 a potentially appealing and vulnerable target.
  • 13. Thus, information security management standards were established in February 2010 by the National Emergency Number Association in order to address the technological changes of 9-1-1 communications. The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) was established and all Next Generation 9-1-1 status agencies are to comply with the standards immediately (NENA, 2010, p. 8). Therefore, the relevance of this research is to establish the progress towards achieving this requirement. In general, potential reasons for noncompliance can range from high costs to privacy issues and business disruption, even though there may be penalties and legal issues, as well as consequences for national security and the welfare and safety of citizens. For public safety communications, it is critical for agencies to be and remain compliant to keep communication services available and safeguard lives and information.

Statement of the Problem

The problem that will be explored in this study is the level of compliance or non-compliance with information security management standards in the public safety communications environment.

Purpose of the Study

The purpose of the thesis study is to ascertain if public safety answering points (PSAPs) have information security management standards in place that reveal compliance or non-compliance with National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) prior to nationwide Next Generation 9-1-1 implementation and to identify any needed next steps to reach compliance.
  • 14. Research Questions

1. What are the Next Generation 9-1-1 information security management standards and policies?
2. What percentage of agencies have Next Generation 9-1-1 status?
3. What percentage of agencies are compliant or noncompliant?
4. What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?

Significance of the Study

Every project must be planned and, where possible, kept on schedule. 9-1-1 is a vital societal system. The National Emergency Number Association (NENA) estimated in October 2011 that 240 million calls were made to 9-1-1 in the United States annually (NENA, 2011, sec. 2, para. 1). Of those annual calls, at least one-third are wireless, and it is estimated that 26.6% of all United States households currently rely on wireless communication as their primary service (NENA, 2011, sec. 8). NENA has provided the national security standards and best practices for public safety answering points with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). The next step in the project is to implement those standards so that public safety communications adapt to advancing technology and consumer needs without compromising security. But projects do not guide themselves. To meet the need for nationwide security standards compliance, managers need up-to-date data regularly available. The study of compliance is significant in providing updated data of security readiness as public safety communication agencies move forward, making the
  • 15. transition from closed to open systems with Next Generation 9-1-1 with its ability to continue to provide the emergency services required for citizens.

Definition of Terms

Next Generation 9-1-1. Next Generation 9-1-1 is an Internet Protocol (IP) based system that will allow 9-1-1 public safety entities to receive and send such communications as text messages, video, photos, and voice through secured Internet points on 9-1-1 communication systems (NENA, 2011).

Public Safety Answering Points (PSAPs). Public Safety Answering Points are 9-1-1 emergency call centers that are staffed with trained 9-1-1 operators who receive emergency telephone communications for law enforcement, fire, ambulance, and/or rescue services (NENA, 2011).

Data Transience. The explanation that data can be ever changing and provide a momentary snapshot of what may be true at one point in time but not necessarily true the next time data is collected.

Assumptions and Limitations

The research is a "naturalistic" or applied study. There are assumptions surrounding the questioning technique used in the sample. It was assumed the responders had an appropriate level of knowledge due to being designated as contact points within their organizations. The questioning utilizes vocabulary presented in the National Emergency Number Association (NENA) Security for Next Generation 9-1-1 standards or NG-SEC, which the sample should understand. The questioning links sufficiently to the participants’ experience, again due to utilizing the national standards that were created by 9-1-1 leaders (NENA, 2010). The researcher also assumed that each participant would answer willingly and truthfully since the study did not
  • 16. publish names of contacts or agencies, assuring confidentiality of any information shared. Limitations of the thesis are practical ones, such as researcher experience, the time limit of the study, and university rules.

Nature of the Study

It is vital that Next Generation 9-1-1 technologies are both implemented and accessible nationally to meet the growing demands of consumer technology and consumer mobility for emergency services. However, it is also essential for public safety answering points (PSAPs) to be in compliance with security standards because of the openness of the evolving technology. The study revolves around the security standards and data collected from agencies. The thesis is an empirical study. Empirical research can be defined as research gained through experimentation, observation, or experience (Classroom Assessment, 2011). Leedy (2010) points out “the significance of data depends on how the researcher extracts meaning…” and “underlying and unifying any research project is its methodology” (p. 6). The thesis is also an evaluation study. Such studies require a researcher to specify criteria, which in this instance are the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC. Measurement will involve collecting data via a survey of a cross-sectional sample of agencies in the United States and conducting a review of the literature. As Leedy (2010) states, “measurement is ultimately a comparison and it is a tool by which data may be inspected, analyzed and interpreted” (p. 25). The survey utilizes the NG-SEC and serves as the measurement scale for the purpose of comparison and analysis of research questions. The data collected are ever changing and only provide a momentary look at the Next Generation 9-1-1 status and compliance or non-compliance of agencies sampled. Time, evolving
  • 17. technology, consumer needs, agency obstacles, and future laws and standards will inevitably change data. Therefore, the data are “transient” (Leedy, 2010, p. 89). The objectives of empirical research go beyond reporting observations. They promote an environment for improved understanding, combine extensive research with detailed case study, and prove relevancy of theory by working in a real world environment (Experiment Resources, 2011). The study provides analysis of data collected from public safety answering points (PSAPs) in order to provide an examination of the written standards in real life application. The case study method, as explained by Zainal (2007, p. 1), “enables a researcher to closely examine the data within a specific context”. Yin (1984) further defines the method “as an empirical inquiry that investigates a contemporary phenomenon within its real-life context” (p. 23). By utilizing a case study method in this study, not only will the data be explored, but the complexities of the real-life situations will also be shown (Zainal, 2007, p. 4). When researching human activities, it is important to capture contextual data and situational complexity. According to Leedy (2010) “research conducted in more naturalistic but invariably more complex environments – is more useful for external validity; that is, it increases the chances that a study’s findings are generalizable to other real-life situations and problems” (p. 100). The field of study may be unique and the human activities in the project require complexity as part of the research. Lorino (2008) explains the situatedness of research in that “it takes place in a specific situation which influences the view of the complex system” (p. 8). The study identified the collective experience of agencies implementing a key technology in the field. Each agency surveyed is itself a potential case study. Thus, there are multiple individual surveys available for analysis.
According to replication logic, if findings are replicated throughout the different agencies, more confidence can be placed on the findings and
  • 18. generalizing beyond the original participants becomes possible. The rationale for this type of analysis is supported by Yin (2009), who explains that replication logic is where the researcher is looking for congruence that indicates increased confidence in the overall finding. Identifying congruence between a standard and a practice is the heart of criterion referenced evaluation research. Such studies not only provide data on the subject but also serve data-driven quality improvement reviews used in assessments of the development process.

Organization of the Remainder of the Study

In the following chapters, the researcher provides a literature review, methodology, presentation of survey results, and concluding study discussion and recommendations. The literature review describes the evolution of 9-1-1 to its current transition to Next Generation 9-1-1. It also presents and discusses the information security management standard set forth by the National Emergency Number Association (NENA) for public safety communication compliance. In Chapter 3, the researcher provides the survey study methodology by which the data will be collected and analyzed to explore the research questions. Chapter 4 presents the results and description of the data collected, followed by a conclusion and recommendations based on the researcher’s findings in Chapter 5.
  • 19. CHAPTER 2. LITERATURE REVIEW

9-1-1, in the United States, is the number to call if citizens need help (NENA, 2011). Whether the emergency requires medical, fire, or law enforcement, the three digit number is supposed to be the one Americans contact for a quick response to a particular emergency (Barbour, 2008). For most of the last four decades that 9-1-1 has been in existence, the way citizens communicated to emergency services, with the exception of showing up in person, was through the use of pay phones and residential landlines (Barbour, 2008). It was a very straightforward analog system that gradually incorporated the phone number from which the call was coming, the location of the call, and even a list of appropriate emergency response units based on jurisdiction of the call. However, now in the age of the Internet and a mobile lifestyle, this traditional 9-1-1 communication has continued to fall behind in meeting the needs of the consumers, especially with the increasing disappearance of fixed-line communications (Luna, 2008). A particularly tragic example took place in 2008. A woman from Tampa, Florida was kidnapped and called the local public safety communication center on her mobile phone while the incident was occurring. The public safety communications center’s 9-1-1 was an analog system and her GPS-enabled (global positioning system) phone did not register her location. Later, police found the woman’s body in a vacant home in a nearby town (Bruce, Newton, & Vaughan, 2011, p. 8). If the local 9-1-1 system had been equipped with Internet-Protocol technologies, the public safety communications center may have been able to track her location through GPS and her life may have been saved. Certainly, the system did not even permit that possibility. Enter Next Generation 9-1-1, which is based on transforming the currently analog 9-1-1 communications system into an Internet-Protocol or IP-based system to allow 9-1-1 call takers
  • 20. to receive the same location and unit information as they do now with landline or fixed-line telephone systems. Public safety communication personnel would be able to communicate with citizens and emergency response units via text and mobile, as well as exchange photos and videos through Internet Protocol (IP)-based communication (Lipowicz, 2009). The very scope of nationwide Next Generation 9-1-1 implementation means it will take time, and there are obstacles and issues to work around and resolve. In 2008, the state of New York conducted a 911 project to enhance wireless communication with a grant from the United States Department of Transportation and National Highway Traffic Safety Administration. The project found that technology was not the major obstacle in enhanced wireless deployment. Though some technical issues may slow the progress, funding for technological upgrades is the most pressing obstacle (Bailey & Scott, 2008). Of course, this was the year when a major financial problem engulfed many countries, so it is understandable that the study reported that many public safety answering points did not have sufficient funds for enhanced wireless communication upgrades. Ultimately this need for finances has prolonged the time needed to complete the project. The New York study provided examples of obstacles for Enhanced Wireless technologies, which involve cellular 9-1-1 communications for Wireless Phase I and Wireless Phase II implementation and not the Internet-Protocol technologies that are required for Next Generation 9-1-1 (Bailey & Scott, 2008). However, the funding comparison can be made for obstacles 9-1-1 entities face in upgrading the national 9-1-1 system. If agencies have issues with funding for cellular wireless technologies of Wireless Phase I and Wireless Phase II, which still utilize the analog systems, they may have the same issues with Next Generation 9-1-1 funding.
  • 21. 9-1-1: Past and Present

In order to understand and discuss the current changes of today’s 9-1-1 systems, it is best to briefly review where and how 9-1-1 began and the current types of 9-1-1 services. Jason Barbour’s article (2008) explained the first official 9-1-1 call was on February 16, 1968 in Haleyville, Alabama and provided an overview of the 40-year history of 9-1-1, from the inception in 1967 to the current day. Mr. Barbour’s historical perspective told how the technological advances throughout the years have benefited the profession of saving lives. Barbour also observed that keeping up with consumer technology has always been a challenge and that some of the difficulty has been with the lack of synchronicity between the public and private sectors. It is also important to note the humble beginnings of the first 9-1-1 call in the small town of Haleyville, Alabama. Barbour illustrated the importance of modest technological strides from the thousands of public safety agencies nationwide. According to the National Emergency Number Association or NENA’s website (2011), the different types of 9-1-1 systems readily used now are Basic, Enhanced, Wireless Phase I, and Wireless Phase II. Basic 9-1-1 is when the three-digit number is used, and either a voice or a Telecommunication Device for the Deaf (TDD) call is received by the local public safety answering point (NENA, 2011, sec. 3). Enhanced 9-1-1 builds on the basic service, but additionally provides dispatchers the caller’s location, phone number, and the PSAP responder information for the caller’s address (NENA, 2011, sec. 4). It is important to understand that both Basic and Enhanced 9-1-1 only apply to landline phones, not wireless (NENA, 2011, sec. 4). With wireless, the reality of what is displayed or the information available to the public safety answering point (PSAP) can be different than that of the wireline or landline 9-1-1 call.
The National Emergency Number Association’s website (NENA, 2011) continued to explain the
  • 22. next two phases, Wireless Phase I and Phase II. Under Wireless Phase I only the cell phone number displays (NENA, 2011, sec. 5) and Wireless Phase II provides the cell phone number and the location of the caller (NENA, 2011, sec. 6). A critical point to remember regarding Wireless Phase II is that a caller’s location is based on the closest cell towers, and this depends on whether the caller is located in an urban or rural area. In rural areas there can be quite a distance between towers. Voice over Internet Protocol (VoIP) is spreading rapidly with consumers and the 9-1-1 communities have only begun to complete Enhanced 9-1-1 capabilities for VoIP 9-1-1 (NENA, 2011). The Federal Communications Commission or FCC website’s (2008) discussion of VoIP 9-1-1 services explained that since the communication uses Internet protocol as opposed to traditional analog systems, not all VoIP services connect through 9-1-1. Next Generation 9-1-1 or NG9-1-1 would address the issue of 9-1-1 and VoIP capability since NG9-1-1 provides public safety communication agencies with Internet-Protocol based systems. According to the National Emergency Number Association’s NG9-1-1 Transition Plan (NENA, February 24, 2011), NG9-1-1 has begun with the prerequisite of deploying IP networks in some areas already occurring and with vendors developing NG9-1-1 equipment. However, the organization does acknowledge that “NG9-1-1 will be a journey that will be realized at different rates within various parts of North America, based upon state/province, local implementation and stakeholder environments” (p. 15).

Current 9-1-1 Usage

Current 9-1-1 statistics are provided by the National Emergency Number Association (NENA) website under the category of Public & Media (2011, November 12): United States has 6,130 primary and secondary public safety answering points (PSAPs) and
  • 23. 3,135 Counties which include parishes, independent cities, boroughs and Census areas. Based on NENA’s preliminary assessment of the most recent FCC quarterly filings:
97.7% of 6,130 PSAPs have some Phase I
96.0% of 6,130 PSAPs have some Phase II
94.1% of 3,135 Counties have some Phase I
91.8% of 3,135 Counties have some Phase II
98.1% of Population with some Phase I
97.4% of Population with some Phase II

Phase I and II are not provided 100 percent nationwide. It is estimated that about 20% of households in the United States do not use landline phone services; instead they rely on wireless services only (NENA, 2011, sec. 1). There are a few agencies throughout the United States, such as King County in Washington and Rochester in Monroe County, New York, that use portions of Next Generation 9-1-1 technologies by either working as a test public safety answering point (PSAP) or with a very small percentage of Internet Protocol (IP)-based technologies working alongside the main analog systems (Intelligent Transportation Systems, 2009). Black Hawk County, IA is the first PSAP to allow text messages to be sent directly to 911, though it is only through one wireless provider (Mannion, 2009). Charlotte County, Florida received a Florida State grant and is using it to begin implementing different Next Generation 9-1-1 capabilities (Hamilton, 2009). The U.S. Department of Transportation (2009) tested various IP-based technologies with five public safety answering points (PSAPs), which gathered information that assisted 9-1-1 community organizations such as the National Emergency Number Association (NENA) and Association of Public Safety Officials (APCO), along with government officials, in developing nationwide plans.
  • 24. The United States government is a very important part of the development of regulations for 9-1-1 technologies. From 9-1-1’s inception in 1967 by the President’s Commission on Law Enforcement and Administration of Justice (Barbour, 2008) to the continuous active pursuit of legislation, most recently the ENHANCE 911 Act of 2004 and the NET 911 Improvement Act of 2008, the government has addressed the concerns raised by emerging technology and how it affects the services of 9-1-1 (Moore, 2009). It is clear from these governmental actions that the government has been working to improve its 9-1-1 services with the evolving technology. In February 2010, the National Emergency Number Association (NENA) published the NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Many industry experts from a variety of private and government sectors contributed to the security standards to address the needs of Next Generation 9-1-1 (NG9-1-1) technologies. The standards are in place to “establish the minimal guidelines and requirements for the protection of NG9-1-1 assets or elements within a changing business environment” and to “impact the operations of 9-1-1 systems and PSAPs as standardized security practices” (p. 1). Also, all NG9-1-1 entities will be required to understand, implement and maintain the new standards and requirements, and that requirement is effective immediately. Any vendor who presents devices, future applications or technologies for 9-1-1 systems is also to be in compliance with NG-SEC. In August 2011, the Federal Communications Commission (FCC) announced it still had to consider “how to ensure adequate broadband infrastructure to deliver the bandwidth PSAPs will need to provide NG9-1-1. As part of the NPRM, the FCC will examine interim solutions for ensuring that carriers/service providers support transmission of text-to-911” (Genachowski, 2011, p. 1).
  • 25. The Future: Next Generation 9-1-1 and Security Issues

At the moment, the technologies that may be used for Next Generation 9-1-1 capabilities are Internet protocol (IP) voice, video, instant messaging (IM), short messaging (SMS), data, and telematics (Luna, 2008). Although the Luna article was written in 2008, 9-1-1 systems remain limited. The Federal Communications Commission (FCC, 2008) stated that some of the issues with voice-over Internet protocol (VoIP) 9-1-1 are that calls may not connect to the public safety answering point (PSAP), or may improperly ring to the administrative line of the PSAP, which may not be staffed after hours or by trained 9-1-1 operators. VoIP calls may correctly connect to the PSAP, but not automatically transmit the user’s phone number and/or location information. VoIP service may not work during a power outage, or when the Internet connection fails or becomes overloaded. This can be a problem for citizens, since emergencies often occur en masse or when the power is out. Because of these issues, there are efforts to include enhanced VoIP (Kim, Song & Schulzrinne, 2006) that address things like language-based call routing, and the ability for 9-1-1 operators to call back a disconnected call (FCC, 2008). Further considerations with voice-over Internet protocol (VoIP) deal with the added security required on networks that will need to accommodate VoIP and not just data-only networks. Added costs to 9-1-1 agencies are a reality for additional power backup systems, firewalls, and 9-1-1 answering software for VoIP and other IP-based communications. Not only would new equipment and software need to be installed to accommodate IP-based technologies specific to 9-1-1 communications, but routine testing would also need to take place to ensure system security, and adequate staff would be required to manage the systems to allow for 24/7 uptime (NIST SP 800-58). 9-1-1 entities would need to continue to meet demands of evolving
  • 26. technology for upgrades and possible loss of 9-1-1 service if a disaster were to occur within the 9-1-1 center. In short, there remain technical problems in addition to financing concerns. One view of risk and security issues comes from Lynette Luna (2008), who took a social approach to how consumer technologies, and the lack of integration with the current 9-1-1 systems, may affect emergency situations. She used well-known incidents, such as the Virginia Tech shootings, to make a strong argument that the ability of 9-1-1 centers to accept text messages could possibly have saved lives. For the purpose of risk assessments for upgrading to Next Generation 9-1-1, it is good to have a social perspective of 9-1-1 technologies, because ultimately the point is to provide safety and security to citizens (Luna, 2008). Hilton Collins (2008) states that a Next Generation 9-1-1 technology that is attractive to public safety answering points (PSAPs) for cost savings and shared resource solutions is virtualization. 9-1-1 agencies could consolidate servers and desktops, requiring fewer hardware purchases and conserving energy. It also allows network administrators to manage upgrades and installs from one console, saving time and money. Virtualization software can also allow for application testing before installing on a live system. This would benefit agencies by not compromising 9-1-1 communication applications and by saving the network administration costs of bringing systems and services back up immediately (TechSoup.org, 2011). It is possible that this is another example of a solution that creates additional problems. The savings imply fewer personnel needs as well. In addition, there are security risks that come with a virtual environment. Hilton Collins (2008) discusses information about virtualized and non-virtualized environments as a whole, as well as some best practices for protecting virtual networks from cyber-attacks.
The main concern is that virtualization in government agencies, particularly public safety and law enforcement, will bring greater exposure for exploits and
  • 27. security breaches by introducing “a new layer of software on top of the host machine or system, which creates additional infrastructure to manage and secure” (Collins, 2008, para. 2). The article elaborated on the risks involved with virtual networks, like hackers, and illustrated that attackers seek out poorly configured and exposed servers. Collins advised that potentially all systems that are interconnected with the agency could be compromised. It only takes one open network machine to be a possible threat of opening the door to a secured system or systems (Collins, 2008). Costs that could be incurred with one breach of security could be limitless depending on, to name a few possibilities, the amount of staff needed to bring critical systems back up, the amount and type of data loss, and legal action costs. Another change from Next Generation 9-1-1 that Douglas (2008) discussed is that dispatchers will need to use a whole other set of sensory skills in addition to what they use now to perform duties. Currently the information received is heard, either by the caller’s actual voice or from a relay service for the hearing-impaired. In the future, it will rely more on visual information, rather than audible. The visual format makes it harder for the dispatcher to complete interactive functions while multitasking, because the cognitive load or attention requirements of human beings vary. The additional multitasking from staff can raise training costs and the cost to obtain and keep trained staff. Douglas (2008) also touched upon how 9-1-1 Centers will have to re-evaluate their training curriculums and even hiring processes to adapt to the changes. These personnel and training issues could be looked at as vulnerabilities and could then be exploited by individuals or organized groups (Douglas, 2008). Many times the weakest link in security is the people who use the system (Breithaupt & Merkow, 2006).
If staff are not trained properly or do not have the required skills to use Next Generation 9-1-1 technology systems and software, this could create a vulnerability to the whole system.
  • 28. Current Information Security Management

Information Technology implementation in 9-1-1 public safety communications can be slow to adapt, especially when compared to consumers and the corporate sector (Barbour, 2008). As stated by Chairman Genachowski (2011), “no single governing entity has jurisdiction over NG911…” and “the FCC will work with state 911 authorities, other Federal agencies, and other governing entities to provide technical expertise and develop a coordinated approach to NG911 governance” (sec. 3, para. 4). Lynette Luna (2008) stated in her article that for an individual “calling a catalog company to order goods such as clothing, the call-taker would have better tools than the typical 911 call-taker — who is dealing with life and death situations” (p. 4). Luna noted that one reason may be due to budgets and jurisdictional matters, such as funding issues, regulatory amendments, and state regulations that stipulate 9-1-1 component usage. Luna (2008) also mentioned that the transitioning to Next Generation 9-1-1 technologies would be an ongoing process through changes in software, databases, and workers’ procedures. In October 2008 the United States and global economy suffered, and it continues to struggle with concerns over American and European debt issues (Arizona State University, 2011). Local governments have tightened their financial belts and the additional cost of upgrading 9-1-1 infrastructures and maintenance, though a necessity, is none too appealing in the current economic climate. With the country’s economic climate and with those changes that Luna mentioned (software, databases, and workers’ procedures), information security management would also seem to need to adapt to the changes.
According to the publication “Principles of Information Security: Principles and Practices”, the major categories of computer crimes are as follows: Military and Intelligence Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun”
  • 29. Attacks. To break down each category, their definition (Breithaupt & Merkow, 2006) and how it could apply to 9-1-1 IP systems are accordingly listed:
Military and intelligence attacks: Criminals and intelligence agents illegally obtain classified and sensitive military and police files.
Business attacks: Increasing competition between companies frequently leads to illegal access of proprietary information. As much as it may be hard to believe, this could include competing public safety vendors.
Financial attacks: Banks and other financial institutions provide attractive targets (p. 143).
Obviously 9-1-1 is not a bank or financial institution in the direct sense, but it is a government-funded entity that could be attacked. Though financial gain would not be the end result, causing significant financial harm could be a motive. Breithaupt & Merkow continue to list and explain major categories of crimes:
Terrorist attacks: Terrorist attacks could be executed for either a direct or indirect attack on a 9-1-1 system. An indirect example would be an attack targeted in one geographical area to pull sources away, so the intended target would be vulnerable. It could also involve one system or a large-scale attack of several systems either simultaneously or consecutively.
Grudge attacks: This could come in the form of either a disgruntled employee or citizen seeking revenge against the specific agency or even just against law enforcement or government entities in general.
Thrill attacks: hackers penetrate the system just for the “fun of it”, bragging rights, or simply for a challenge (2006, p. 143).
  • 30. To conclude the risk portion, there, of course, is the continued threat of viruses and malware as with any IP network. However, instead of only affecting a computer-aided dispatch software program that could quickly be exchanged with an internal closed legacy system or even a paper system for backup purposes, a 9-1-1 communications system would not be as easily replaceable or have much allowance for any down-time, even temporarily, due to a virus or malware issue. Daily vulnerabilities of network infection and system outage on a vital system such as 9-1-1 make any loss of service an issue of public safety. The National Emergency Number Association (NENA, 2011) website had a plethora of documentation, guidelines, requirements and standards that addressed a variety of technology and equipment implementation, connectivity, and functionality issues, which were more appropriate for a systems administrator. Though system administrator policies and standards and practices may include “security controls, information classification, employee management issues, and corresponding administrative controls” (Breithaupt & Merkow, 2006, p. 43), which apply to information security, none were specific to current 9-1-1 public safety communication entities during an initial literature research. However, in February 2010, NENA organized and published a set of national standards specific to Next Generation 9-1-1 security objectives for 9-1-1 entities, titled National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, which will be discussed in more detail in this chapter. Before the creation of NG-SEC, though, no national standard or policy was in place for 9-1-1 agencies.
Next Generation 9-1-1 Information Security Management
The researcher investigated the literature specific to Next Generation 9-1-1 information security management standards. The National Emergency Number Association advised the
  • 31. purpose of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards was to “establish the minimal guidelines and requirements for the protection of NG9-1-1 (Next Generation 9-1-1) assets or elements within a changing business environment” (NENA, 2010, p. 7). The national public safety communication organization published the document to provide standardized security practices for Next Generation 9-1-1 technologies, but explained that it is a work in progress and the document is in its first version with revisions to come to accommodate future issues (NENA, 2010). Technical requirements, upgrading and/or replacing equipment, will incur costs to agencies. Readiness and available funds may also vary with each 9-1-1 entity. The document scope covered public safety answering points (PSAPs), Next Generation 9-1-1 ESINet, Next Generation 9-1-1 service providers, Next Generation 9-1-1 vendors, contracted services, and any individual or group who use, design, have access to, or are responsible for Next Generation 9-1-1 assets (NENA, 2010). Like Breithaupt and Merkow (2006), the National Emergency Number Association (NENA) document listed roles and responsibilities of individuals specific to NG9-1-1 security and similarly concluded that ultimately security is “everyone’s responsibility” (NENA, 2010, p. 11). When it came to security policies, NENA stated that it is the first step in any effective attempt in the implementation of a security program (NENA, 2010). The National Emergency Number Association (NENA) further explained the minimum standards shall have a senior management statement (or an organizational security statement), functional policies, and procedures. It continued to detail each section, starting with the senior management statement policy. NENA emphasized that “senior management must be engaged and committed to maintain highly effective security so the rest of the staff can be able to do their
  • 32. part” (NENA, 2010, p. 11). As the National Emergency Number Association document stated, security is “everyone’s responsibility” (NENA, 2010, p. 11) and senior management is not exempted. The absolute minimum that should accompany the senior management statement is two items: identify the person responsible for security (even though it technically is everyone’s responsibility) and provide a written description of the security goals and objectives of the Next Generation 9-1-1 entity (NENA, 2010). To compare this with information security management standard practices in realms outside of 9-1-1 public safety communications, the book by Breithaupt and Merkow (2006) provided an overview of information security management through security principles and a common body of knowledge used in private and public industry. They explained that “setting a successful security stage” with “effective security policies can rectify many of the weaknesses from failures to understand the business direction and security mission and can help to prevent or eliminate many of the faults and errors caused by a lack of security guidance” (Breithaupt & Merkow, 2006, p. 60). The Next Generation 9-1-1 information security management standards documentation (NENA, NG-SEC, 2010) stated that it is to provide a “deeper level of granularity after creating an executive management statement” (NENA, 2010, p. 12). The document gave a list of some examples of what may be contained in it: “acceptable usage policy, authentication/password policies, data protection policy, wireless policy, physical security policy, remote access policies, hiring practices, security enhancements or technology, baseline configurations for workstations, standards for technology selections, and incident response policy” (NENA, 2010, p. 12). The procedures section included documentation that provided the “method of performing a specific task” (NENA, 2010, p. 12), such as creating new user accounts or how vendors would be
  • 33. allowed access to the server room. This complemented the common body of knowledge (Breithaupt & Merkow, 2006) and practices that private and government industries (ISO/IEC 27001, 2005), outside of 9-1-1 public safety communications, utilized for information security management.
Obstacles and Solutions for Next Generation 9-1-1 Information Security Management
When information was collected for possible standards as they applied to various aspects of Next Generation 9-1-1 operations, a mixture of obstacles and possible solutions were found. In Merrill Douglas’ article (2008), she explained some problematic issues from the 9-1-1 operator’s perspective regarding Next Generation 9-1-1 and how 9-1-1 information will be received in the future. Douglas explained that currently the information received is heard, either by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will rely more on visual information, rather than audible, and a whole set of sensory skills will need to be used and it makes performing interactive functions while multitasking much harder (Douglas, 2008). The article also discussed how 9-1-1 Centers will have to re-evaluate their training curriculums and even hiring processes to adapt to the changes. Lack of training for staff creates vulnerabilities and could then be exploited by individuals or organized groups (NIST SP-800-50), as well as be related to the risk assessments of the future 9-1-1 systems and that the effects of security are significant because people are usually the weakest link (Douglas, 2008). Mary Rose Roberts (2009) brought up consolidation of Next Generation 9-1-1 enabled public safety answering points (PSAPs) and illustrated both economical and shared resource benefits. She explained that technology improvements are growing exponentially and even though costs were lowering, still it behooved agencies to share resources to save money, as well as the benefit of sharing intelligence.
The year before the standards were developed, Roberts (2009) was asking, “if it's next generation compliant, what does that mean? We haven't defined
  • 34. what next generation is totally, so how can you be compliant to a standard that may not even exist yet…” and “as a result, we don't believe every PSAP in this country is going to go to an NG911 environment any time in the very near future” (p. 23). Merrill Douglas (2009) also addressed consolidation cost benefits for PSAPs, which then helps with the burden of costs and provides better redundancy by switching to an IP network. Craig Whittington (2009) explored the public's expectations of 9-1-1 services and the difference in what is reality. In his article, he stressed if the public's perception and the reality of 9-1-1 do not agree, it can be more than a public relations problem; it can put lives at risk. From that perception issue, the article illustrated what Next Generation 9-1-1 can provide, like shared networks, new and different ways to communicate with callers and responders, as well as an increased capacity to transmit and disseminate information. Mr. Whittington additionally emphasizes that the most vital part of 9-1-1 systems (now and in the future) are the 9-1-1 Operators and Dispatchers. It is very important to make sure that personnel are well trained and at ease with the new responsibilities and technologies. Not only will it be a challenge to re-evaluate training curriculums, but also how to do it with continuing decreased budgets. The continued significance of operators in the 9-1-1 center is that they can become the weakest link in the overall network risk management. In order to acquire the benefits discussed earlier, this article illustrates the importance of making sure competent employees are hired and retained, as well as trained in the most current technologies, important issues in risk assessments (Whittington, 2009).
Conclusion
As the technology of 9-1-1 continues to evolve into Next Generation 9-1-1 systems, information security management in public safety communications will need to evolve as well to
  • 35. meet the needs of various technologies, consumers, and 9-1-1 staff. Matters of funding, governance, reliability, and security surround the project and the changes that current 9-1-1 public safety answering points (PSAPs) have and will be experiencing in the near future. This chapter provided a summary of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards that agencies will be required to be compliant with Internet-protocol based technologies. It also illustrated some challenges PSAPs will have due to the Next Generation 9-1-1 evolution. Against this background the researcher delved into the real-life state in which the PSAPs are currently compliant, either operating at Next Generation 9-1-1 status or before utilizing Internet-protocol technologies.
  • 36. CHAPTER 3. METHODOLOGY
Research Design
The study was a non-experimental, Mixed Method study because it included both verbal and numerical data. The study had a two-stage design. There was secondary data gathered in a review of the literature as well as primary data collected to answer the research questions. The research design was an evaluation study being conducted to evaluate compliance with security standards of Public Safety Answering Points (PSAPs). The study was descriptive and illustrated aspects of agencies considered to be representative. It was also exploratory because the standards used to evaluate compliance were relatively new and the information collected was intended to help develop future more focused understandings of PSAP needs required for support in achieving compliance. The topic was new and little understood, so an exploratory project was appropriate. Published response data for the survey’s questions served as benchmarks for the purpose of comparison and analysis of this study’s questions. Thus, a criterion-based design was used. The standards were the criteria and in this design they provided the hypothesized situation against which this study was performed, as well as the standard of judgment for success or failure, and they provided a stable platform that enabled the researcher to decide whether the conclusions of this and other studies were relevant so that a pattern matching strategy could be employed, as explained by Yin (2009). The study was field based using only publicly available online membership contact information of either state or regional chapters of the Association of Public-Safety Communications Officials (APCO) and National Emergency Number Association (NENA), both not-for-profit professional organizations for public safety professionals. According to NENA (2011), the
  • 37. United States has 6,130 primary and secondary public safety answering points (PSAPs). For the purpose of this study and based on the time and resources available to the researcher, obtaining 6,130 agency contacts would not have been feasible. However, utilizing an Internet search of publicly available members of state or regional APCO or NENA chapters to collect at least one or more agency contacts, representing 50 states in order to examine the study nationwide, was achievable. The online search produced a list of 225 individual agency contacts, including a name for point of contact, e-mail address, and agency phone number. The study consisted of a one-time survey, sent to each of the 225 agency contacts, and was a cross-sectional study. The survey was self-administered by email and the researcher utilized survey services through Survey Gizmo.
Sample
The study utilized a cluster sampling technique. Leedy (2010) explains this technique is appropriate when “the population of interest is spread out over a large area” (p. 209). The 225 agencies were the population units, i.e. the clusters. They were classified by size of population each agency serves utilizing 2010 United States Census information. The sample was stratified into three segments: small (serving 1-99,999 population), medium (serving 100,000-499,999 population), and large (serving 500,000 or more population). Of the 225 agencies, the following counts and percentages were present in this survey study: small (125 agencies, 55%), medium (71 agencies, 32%), and large (29 agencies, 13%). All survey methods have weaknesses. For example, participants may have wanted to reflect compliance, when in fact, they were not, or their responses may have been based on their understanding of the question and standards, which could in fact be a misunderstanding (Colorado State University, 2012). The survey referenced the industry
  • 38. accepted security standards for the survey questions and the researcher had to trust that all agencies were familiar with them and how it applied to their specific agency in order to accurately provide information for the study. Another issue, non-response, was present for possible reasons (Cooper, 2008, p. 257). For example, the contact information may not have been accurate or been addressed to the person who would have been best able to answer in the context of the compliance survey. Use of an official association was intended to reduce issues related to contact information. Also, it was difficult to secure a large amount of the selected agencies to respond to the survey. First, the initial contact was through the e-mailed survey and the researcher and educational institution, not representing a public safety communications organization or government agency, was relatively unknown to the public safety communication centers. Or, there may have been restrictions on the agency the researcher was unaware of. A telephone follow-up to non-responders was used to increase the pool of available responses.
Setting
The thesis study was conducted in a field setting. The 225 agencies consisted of city, county, or state entities and were subject to a variety of regulations. They have been described elsewhere.
Instrumentation / Measures
The instrumentation used was an online survey that was emailed to 225 individual agency contacts. Measurement of the current 9-1-1 status/capability was categorical: Basic 9-1-1, Enhanced 9-1-1, Wireless Phase I, Wireless Phase II, and Next Generation 9-1-1. Categorical measurement was made of respondent job title/role within their agency through three categories, 9-1-1 Supervisor (middle management), 9-1-1 Manager (upper management), 9-1-1 IT/Network
  • 39. Administrator (technical management). There was also an “Other” category for main job title/role if the three did not apply to the individual. Other measures focused on compliance standards. The researcher used the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) to develop the survey questions in order to gather information about the security landscape of 9-1-1 public safety communication agencies at the dawn of Next Generation 9-1-1 nationwide implementation. The first set of questions, questions 1 through 3, provided population range, current 9-1-1 status/capabilities, and participant’s job title/role. Questions 4 through 6 focused on the agency’s Network Administration landscape. In questions 7 through 14, the participant selected each security policy and standard that was currently in place at their agency and provided obstacle explanations if applicable. Each security policy and standards question reflected a security standard presented in the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010).
Data Collection
Data collection in this study was subject to time constraints. Specifically, data collection was limited to a three-week period in November. Data collection included content from the review of literature and survey agency sample. The literature provided the compliance standards with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) and the NENA website of 9-1-1 basic statistics supplying the number of public safety answering points (PSAPs). An email was sent to 225 9-1-1 public safety agencies from the list of Association of Public-Safety Communications Officials (APCO) and National Emergency Number Association (NENA) members. The
  • 40. researcher followed up with a phone call to the agencies. The researcher exported survey data from the Survey Gizmo report dashboard of all respondents for data review and analysis.
Data Analysis
Data was analyzed using both logical reasoning and descriptive statistics. The data presented used a question format. The questions supplied agency size and current agency 9-1-1 status or capability, illustrated by pie charts showing percentage of small, medium, and large agencies and bar graphs for 9-1-1 status. In addition to various charts and graphs, tables were used to further analyze the data from each survey question and provided total counts and percentages of each agency population size and total agency responses.
Validity and Reliability
Classroom Assessment (2011) states that “reliability and validity are two concepts that are important for defining and measuring bias and distortion” (sec. C, para. 1) with reliability referring to the “extent in which assessments are consistent” (sec. C, para. 2) and validity as the “accuracy of an assessment” (sec. C, para. 5) even if it does not measure what is to be measured. The survey questions mirrored the compliance standards. This established the content validity of the questions. Another way of determining validity was the use of expert judgment. Therefore, the committee reviewing this research was another check on validity. Another approach of validity was through triangulation. Leedy (2010) describes triangulation as collecting data from multiple sources “with the hope they will all converge to support a particular hypothesis or theory” (p. 99). It is common in qualitative designs to use different sources of data as support for the researcher’s confidence in the conclusions presented in Chapter 5.
  • 41. Ethical Considerations
The researcher conducted the survey by questioning individuals managing 9-1-1 communication systems with the following ethical considerations. There are four categories of ethical consideration in research studies: (1) Do no harm, (2) Informed Consent, (3) Right to Privacy, and (4) Honesty. Do no harm is a broad ethical category. It includes not asking sensitive questions that would possibly injure an individual’s employment status. Security is a sensitive issue and a discussion of security issues under some circumstances might be interpreted as “sensitive”. For that reason data is collected in ways that do not reveal the individual replies, and participants are clearly informed about their right not to participate. Specifically, to meet the need for full disclosure, each 9-1-1 participant was informed of the intention of the study (copy in appendix B), which was to provide an academic snapshot of compliance through literature review and a survey of public safety answering points (PSAPs) to complement existing research and discussions of Next Generation 9-1-1 within the public safety communication realm and provide a platform for further dialogue and study on specific Next Generation 9-1-1 information security management goals and practices. The researcher was aware of the ethical demand for honesty in data collection. In addition, the participants who completed the survey did not have their personal identity or the identity of the agency revealed. None of the questions in the survey requested information that identified a specific person or agency, or put them in any harm. All information collected for the study was confidential to the research through the Survey Gizmo data collection and used only for the purpose of the academic thesis study.
  • 42. CHAPTER 4. RESULTS
Introduction
This chapter presents the data gathered from the surveys from public safety answering points (PSAPs). The survey was sent to 225 agencies stratified by population size. The purpose of the survey was to gather data needed to answer these questions:
1. What percent of agencies have Next Generation 9-1-1 status?
2. What percent of agencies are compliant or noncompliant with standards?
3. What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?
Answering these questions will lead to the answer to the main question and reveal compliance or non-compliance of PSAPs that are Next Generation 9-1-1 (NG9-1-1). The survey categorized PSAPs as small (1-99,999), medium (100,000-499,999), and large (500,000 or greater). It is an instrument of analysis to gauge the nationwide landscape of public safety answering points (PSAPs) currently and identify possible issues and obstacles of where it is heading. The methodology the researcher followed entailed contacting 225 agencies by e-mail utilizing Survey Gizmo survey online services. From 225 agencies, 4 agency e-mails were rejected with no other contact information available to the researcher, leaving a total of 221 agencies receiving the survey for response. Of these 221, a total of 56 agencies responded as a result of the survey process. In the first 3 days, 52 agencies responded. Three days after the initial surveys were e-mailed, the researcher sent a reminder with a second wave of the surveys to the 169 agencies that did not respond. According to StatPac, Internet surveys receive 90% of
  • 43. the responses within three days after the e-mail invitation is sent (StatPac, 2011). In this instance that proved a good ballpark estimate because 52/56 is 92%. The reminder did not produce additional responses. The next week, follow-up phone calls were made to each of the 169 agencies that did not respond. The researcher directly spoke with 52 agency contacts from those 169 agencies. The 52 contacts the researcher reached by phone advised that they were not sure if they had received the email, or remembered the survey but had not taken it. For the 117 agencies with which direct contact was not made, the researcher either left a message with the dispatcher or non-emergency personnel answering the phone, or left a message on the contact’s voicemail. The follow-up phone calls produced 4 responses, making the total survey study response 56. Because the non-response rate was 75%, it is necessary to discuss response bias. Israel (2009) notes strategies to deal with response bias with calling back non-respondents, which the researcher did, and to “assume there is no response bias and to generalize the population” (p. 2, para. 4). In addition, Israel suggests that the researcher’s previous public safety communication experience offers expertise needed to make judgments regarding key information others might benefit from and use as part of generalization. In addition, that experience would support their confidence in conclusions drawn in discussion even with this response rate. Interestingly, since the survey generated 56 responses, it is comparable to other results, such as that in Deline, Ko, and Venolia (2007). They reported 55 responses on a sample of 250 (p. 7-8). The total population of this study’s survey was 221 with 56 responses and this comparison supports the decision to consider the response rate sufficient for the analysis and conclusions drawn in this study.
Therefore, although there were time limitations on data collection for the project, the researcher during the third week of data collection contacted the
  • 44. agencies about reasons for survey non-responses. Of the 165 non-respondent agencies 33 provided reasons for non-response. During this follow up, three reasons were provided by agencies for their decision. Although some mentioned time constraints, two other reasons provided were: (1) they did not want to participate due to not being familiar with the researcher or the graduate program institution and (2) they were not comfortable in sharing data with non-governmental entities. Given that security really is a sensitive topic, the researcher could have anticipated this response. In an e-mail to the researcher, Dr. Robert Morse confirmed other thesis candidates had been told contracts with security providers restricted the release of data only to authorized agents of that provider (R. Morse, personal communication, January 27, 2012). One additional point was mentioned by the Federal Communications Commission Chairman in August 2011:
  We need a comprehensive, multi-pronged approach to NG911 implementation: If we do nothing, to address NG911 requirements, timelines, costs, and governance, we will see uncoordinated patchwork deployment of NG911 over the next five to ten years, leaving much of the U.S. without any NG911 capability (Genachowski, 2011).
In other words, the FCC chairman was in essence claiming a rudder to steer the project is still needed. That fact and these additional reasons, time constraints on data collection and the cost of multiple calls to agencies, were considerations that influenced the decision to stop data collection and make the judgment to report the data as collected. The researcher’s advisors pointed out self-selection bias is always a possibility in this type of research and agreed with the decision to report the results of the survey and follow-up conversations.
  • 45. Data Analysis
Data is analyzed using both logical reasoning and statistics. The data is presented using a question format. In addition to various pie charts and graphs, tables will be used to further analyze the data from each survey question. There were three possible categories of responses by the size of agency jurisdiction. The distribution of responses by agency size was: small (38 agencies, 68%), medium (16 agencies, 29%), and large (2 agencies, 3%).
Figure 1. The population range of the agency's jurisdiction.
What is interesting is that the categories do not reflect an even distribution. Essentially the three divisions can be considered in terms of x < 500,000 and x > 500,000. Out of the 56 respondents, 2 agencies selected the Large category (3%), 16 selected the Medium category (29%), and 38 respondents selected the Small category (68%). If the 16 Medium sized respondents are considered in combination with the 38 small category respondents, then clearly the bulk or 97% of respondents represented service areas of less than 500,000.
  • 46. The next survey question: What is your agency's current 9-1-1 status/capability? This question requested the agency current 9-1-1 status, noting to respond with their most advanced level that applied to their agency. All 56 respondents selected Wireless Phase II as their current 9-1-1 status/capability, which allows for wireless 9-1-1 calls to display both latitude and longitude of the caller’s location. A key finding is that all are at the same level of compliance since all were at the same 9-1-1 status/capability.

Table A
Current agency 9-1-1 status/capability

Agency Size   Basic   Enhanced   Wireless I   Wireless II   Next Generation   %
Large         0       0          0            2             0                 3%
Medium        0       0          0            16            0                 29%
Small         0       0          0            38            0                 68%
Totals (%)    0%      0%         0%           100%          0%                100%
  • 47. Figure 2. Current 9-1-1 status/capability.
The third survey question: Which best describes your main job title/role at your agency? From the total responses, 23% selected 9-1-1 Supervisor (Middle Management), 61% selected 9-1-1 Manager (Upper Management), and 8% selected IT/Network Administrator (Technical Management). There were also four agencies (2 Medium agencies and 2 Small agencies, or 8%) that selected the “Other” category. The descriptions given for “Other” were “Executive Director”, “Communications Training Coordinator”, “Both Manager and IT Administrator”, and “Trainer”. This shows the majority of responses were from upper management as requested with the selection of 9-1-1 managers with the capability and knowledge of the compliance standards and to provide accurate information about their specific agency.
  • 48. Table B
Job title/role at agency

Size         9-1-1 Supervisor   9-1-1 Manager   IT/Network Administrator   Other   %
Large        0                  1               1                          0       3%
Medium       1                  10              3                          2       29%
Small        12                 23              1                          2       68%
Totals (%)   23%                61%             8%                         8%

Shown in Figure 3, the highest job title/role for Small agencies was “9-1-1 Manager”. Second choice was “9-1-1 Supervisor”. The third and fourth selections were “Other” and “IT/Network Administrator”. As with the overall response, the majority selected for job role was 9-1-1 manager category, showing that small agencies have designated and dedicated managers for their entities, signifying upper management responsibilities and knowledge as with other size agencies.
Figure 3. Job title/role for small agencies.
  • 49. The Medium agencies selected “9-1-1 Manager” the most, “IT/Network Manager” next, and then “Other” and “9-1-1 Supervisor” as the two least selected job titles/roles (shown in Figure 4). The medium agencies had 19% of their responses from the IT category. Compared to the small agencies’ 5% (see Figure 3), this could illustrate that small agencies have fewer network administrative personnel on staff and that the 9-1-1 manager in small agencies could hold IT administrative responsibilities, even if only as a secondary role. Medium-size agencies appear to have more network administration on staff, given the higher percentage reporting it as their main role.

Figure 4. Job title/role for medium agencies.

Figure 5 illustrates the two choices selected by the Large agencies, of which only two responded. One selected “9-1-1 Manager” and one selected “IT/Network Administrator”. None selected “9-1-1 Supervisor” or “Other”. Since only two large agencies responded, the division of roles is 50%. What could be concluded is that large agencies have levels of staff in upper-level management and/or have a dedicated network administration department.
  • 50. Figure 5. Job title/role for large agencies.

Survey question 4: What best describes your current IT/Network Administration at your agency? The two Large agencies both selected “Full-time internal IT/Network Administrator”. The Medium agencies varied among three categories: 12 for “Full-time internal IT/Network Administrator”, 1 for “Part-time external IT/Network Administrator”, and 3 for “Full-time external IT/Network Administrator”. The Small agencies were represented in all five categories: 2 selected “Part-time internal IT/Network Administrator”, 19 selected “Full-time internal IT/Network Administrator”, 1 selected “Part-time external IT/Network Administrator”, and 13 chose “Full-time external IT/Network Administrator”. Finally, 3 Small agencies selected “No IT/Network Administrator”.
  • 51. Table C
Current agency IT/Network administration description

| Size | None | Part-time internal | Full-time internal | Part-time external | Full-time external | % |
|---|---|---|---|---|---|---|
| Large | 0 | 0 | 2 | 0 | 0 | 3% |
| Medium | 0 | 0 | 12 | 1 | 3 | 29% |
| Small | 3 | 2 | 19 | 1 | 13 | 68% |
| Totals (%) | 5% | 4% | 60% | 3% | 28% | |

The small agencies had at least one selection in each of the current agency IT/Network administration description categories. The most selected was “Full-time internal” and the second most selected was “Full-time external”. The last three, in order of most selected, were “None”, “Part-time internal”, and “Part-time external” (see Figure 6). Even though small agencies may have less budget allocated for a designated IT/Network Administrator, the data illustrates that small agencies are not necessarily at a disadvantage in staffing network administration.

Figure 6. IT/Network Administration for small agencies.
  • 52. In Figure 7, the Medium agencies selected three types in total for their current IT/Network administration description. The most often selected response was “Full-time internal”, the second was “Full-time external”, and the least selected was “Part-time external”. Large agencies selected that their IT/Network administration was full-time, internal staff (see Table C). Comparing all three jurisdiction sizes shows that the larger the agency, the greater the share of network administrators who are full-time and internally staffed. But even though smaller agencies have a lower percentage, they are apparently capable of having full-time administrators, even if they need to contract externally.

Figure 7. IT/Network Administration for medium agencies.

For survey question 5: If your agency has "No internal or external IT/Network Administrator" does your agency anticipate in employing or contracting an IT/Network Administrator? As shown in Table C, only 3 small agencies selected this category. The 3 that selected “No internal or external IT/Network Administrator” in question 4 also selected “No” for question 5. However, one agency that selected “Full-time external IT/Network Administrator” in question 4 also selected “No” for question 5. This illustrates that smaller agencies, while some
  • 53. having the ability to have network administration staff full-time as reflected in question 4, there are some that yet need to overcome obstacles, which will be explained in question 6 (see Table E).

Table D
Anticipation of employing/contracting an IT/Network administrator among agencies that currently have none

| Size | Yes | No | % |
|---|---|---|---|
| Large | 0 | 0 | 0% |
| Medium | 0 | 0 | 0% |
| Small | 0 | 4 | 100% |
| Totals (%) | 0% | 100% | |

For survey question 6: If you answered "No" to either question 5, please explain the reason and/or obstacles of why your agency does not anticipate doing so? Table D shows that 4 Small agencies selected “No”, and 4 Small agencies selected categories providing a reason for their answers in Table E. Cost was selected by 3 Small agencies and Upper Management had 1 selection. The “Other” category was selected by 2 Small agencies with the explanations of “I do it” and “we have a staff member currently enrolled in college to get his degree for our IT, as the County only has 2 full time IT but they are for the entire county and we have to wait on their availability. We have current State and Federal policies in place and try to stay in compliance with NENA/APCO standards”.
  • 54. Table E
Reason or obstacles for not employing/contracting IT/Network administration if currently none

| Size | Cost | Upper management | High turnover | Lack of qualified resources | Other | % |
|---|---|---|---|---|---|---|
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 0 | 0 | 0 | 0 | 0 | 0% |
| Small | 3 | 1 | 0 | 0 | 2 | 100% |
| Totals (%) | 75% | 25% | 0% | 0% | 50% | |

Small agencies are the ones reporting obstacles to employing or contracting IT/Network administration, which would affect their compliance with the established security standards. With “Cost” accounting for the majority of the obstacles, this could possibly be alleviated through future funding assistance, by either state or federal agencies, so that they are not at a disadvantage when they cannot supply sufficient revenue for their budgets.

Figure 8. Obstacles for not employing IT administration for small agencies.
  • 55. Survey question 7: What type of Information Technology (IT) descriptions and policies does your agency currently have in place? The selection of all, with the exception of “none apply”, would allow the agency to be compliant under the NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Table F breaks down the first six categories and Table G provides information for the last six of question 7. All but one agency had at least one category selected. The agency that did not select any category was one Small agency, making a total of 55 responses for this question. Looking at both Table F and G, both of the large agencies selected all but two categories, “Wireless Policy” and “Incident Response”. For the medium agencies, all selected “Acceptable Usage”, with many agencies in that category also selecting “Password Policy”, “Data Protection”, “Wireless Policy”, “Physical Security”, “Remote Access”, and “Access Control”. No Small agency had all policies selected, but many agencies selected “Acceptable Usage”, “Password Policy”, and “Physical Security”. Also, one of the large agencies selected every choice, including “None apply”, even when they selected all of the previous policies.

Table F
Type of IT descriptions and policies (first six categories)

| Size | Acceptable Usage | Password Policy | Information Classification | Data Protection | Wireless Policy | Physical Security |
|---|---|---|---|---|---|---|
| Large | 2 | 2 | 2 | 2 | 1 | 2 |
| Medium | 16 | 15 | 9 | 12 | 13 | 14 |
| Small | 33 | 34 | 16 | 27 | 17 | 33 |
| Totals (%) | 93% | 93% | 51% | 74% | 56% | 91% |
  • 56. Table G
Type of IT descriptions and policies (last six categories)

| Size | Remote Access | Access Control | System Control | System Patching | Incident Response | None Apply | *% |
|---|---|---|---|---|---|---|---|
| Large | 2 | 2 | 2 | 2 | 1 | 1 | 4% |
| Medium | 13 | 10 | 9 | 8 | 9 | 0 | 29% |
| Small | 16 | 22 | 6 | 9 | 23 | 1 | 67% |
| Totals (%) | 54% | 63% | 31% | 33% | 62% | 3% | |

* % both Table F and Table G

Figure 9 illustrates all of the IT descriptions and policies from both Table F.1 and Table F.2 that were selected by Small agencies. The most selected was “Password Policy”. Following it, in order, were “Acceptable Usage”, “Physical Security”, “Data Protection”, “Incident Response”, “Access Control”, “Wireless Policy”, “Information Classification”, “Remote Access”, “System Patching”, “System Control”, and last, with one agency selection, “None Apply”. Compared to the following figures that illustrate medium and large agency responses (Figures 10 and 11), the greatest differences in IT policies are in system controls, system patching, remote access, information classification, and wireless policies. For small agencies, this lack of policies may be due to network administration staffing or even the capabilities of their current database networks; they may not have those policies in place because they are not yet applicable to their network. However, once they are Next Generation 9-1-1 capable, all categories will need to be in place.
  • 57. Figure 9. IT descriptions and policies for small agencies.

The medium agency selections are shown in Figure 11. The most selected category was “Acceptable Usage” and the least selected was “System Patching”. None of the medium agencies selected “None Apply”. The medium agencies seem to be more in compliance with many of the policies. This may be due to more evolved database networks and staffing.

Figure 10. IT descriptions and policies for medium agencies.
  • 58. The Large agency selections of IT descriptions and policies from both Table F.1 and Table F.2 are shown in Figure 12. Both Large agencies selected “Acceptable Usage”, “Password Policy”, “Information Classification”, “Data Protection”, “Physical Security”, “Remote Access”, “Access Control”, and “System Control”. However, only one agency selected “Wireless Policy” and “Incident Response”. Also, as noted previously, one agency also selected “None Apply”. Surprisingly, incident response and wireless policies were not selected by one of the two large agencies. Many metropolitan public safety communications centers communicate with local databases, such as computer aided dispatch (CAD) or records management systems (RMS), wirelessly from laptops in vehicles and other mobile devices. It would also be expected that a large agency would have incident response policies in place in case a natural, terrorist, or technical disaster occurred.

Figure 11. IT descriptions and policies for large agencies.

Survey question 8: If your agency is Next Generation 9-1-1 capable and any of the following descriptions and policies listed in question 7 were not selected please select the reason(s) and/or obstacle(s). The data in Table G received 32 survey responses at least one of the
  • 59. selections regardless of all agencies reporting the highest 9-1-1 status/capability of Wireless Phase II. None of the 56 responding agencies reported having Next Generation 9-1-1 status/capabilities for question two of the survey. None of the large agencies made selections for question 8. However, 7 medium agencies and 25 small agencies made at least one selection, making up over half (57%) of the 56 total responses to the survey. The two “Other” responses consisted of “IT department prefers to not to release information due to concerns over security” and “we are NG9-1-1 capable, but state law prohibits implementation”.

Table H
If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F and Table G

| Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
|---|---|---|---|---|---|---|
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 4 | 5 | 0 | 2 | 1 | 22% |
| Small | 16 | 18 | 1 | 14 | 1 | 78% |
| Totals (%) | 68% | 75% | 3% | 53% | 6% | |

Even though none of the responding agencies were Next Generation 9-1-1 capable, the responses do shed light on the obstacles agencies currently face toward compliance. Cost accounts for over half of the obstacles, but “Time” was selected at 75% overall and is the highest-ranked obstacle in both medium and small agencies. This could indicate that agencies feel they are spread thin in keeping up with standards and evolving technology, even if they have the staff and money.
  • 60. Figure 12. Obstacles for not having the descriptions/policies for small agencies.

Figure 13. Obstacles for not having the descriptions/policies for medium agencies.

For survey question 9: Select the following software your agency currently runs on all servers and end user computers? Anti-virus software and/or spyware detection software. All 56 agencies selected either one or both of the software selections. All agencies currently run Anti-virus software on all servers and end user computers. Only a few in both the medium and small
  • 61. agencies do not currently run Spyware detection software. Reasons were inquired about in the following survey question (see Table I).

Table I
Virus and/or spyware detection software on all servers and end user computers

| Size | Anti-virus | Spyware detection | % |
|---|---|---|---|
| Large | 2 | 2 | 3% |
| Medium | 16 | 13 | 29% |
| Small | 38 | 34 | 68% |
| Totals (%) | 100% | 88% | |

Figure 14. Virus and/or spyware detection software for small agencies.