Next Generation 9-1-1: Examination of Information Security Management in Public Safety Communications Centers


Master's Thesis project. This research examines the current information security management landscape of 9-1-1 public safety communication centers upon the beginning of nationwide Next Generation 9-1-1 initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems. The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information security and technology management evaluation. Also, a literature review of the implementation of managing Internet-protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determine current 9-1-1 agency status in terms of compliance or noncompliance to the standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and potentially serious barriers related to funding exist.


Transcript

  • 1. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS by Natalie J. Yardley A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science University of Advancing Technology March 2012
  • 2. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATION CENTERS by Natalie J. Yardley has been approved March 2012. APPROVED: ROBERT MORSE, Ph.D, Chair; GREG MILES, Ph.D, Advisor; AL KELLY, Advisor. ACCEPTED AND SIGNED: __________________________________________ ADD NAME OF CHAIR, CREDENTIALS (ALL CAPS)
  • 3. Abstract
    This research examines the current information security management landscape of 9-1-1 public safety communication centers upon the beginning of nationwide Next Generation 9-1-1 initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems. The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information security and technology management evaluation. Also, a literature review of the implementation of managing Internet-protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determine current 9-1-1 agency status in terms of compliance or noncompliance to the standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and potentially serious barriers related to funding exist.
  • 4. Dedication
    I would like to dedicate my thesis work to all the very dedicated 9-1-1 professionals, especially from Atchison County Communications Center, Atchison, Kansas.
  • 5. Acknowledgments
    I would like to thank my Thesis Committee, particularly my Chair, Dr. Morse, for continued guidance during the graduate thesis process. Also I want to give many thanks to my family, for their patience with my writing, reading, and proofing marathon sessions behind closed doors.
  • 6. Table of Contents
    Acknowledgments; List of Tables; List of Figures
    CHAPTER 1. INTRODUCTION: Introduction to the Problem; Background of the Study; Statement of the Problem; Purpose of the Study; Research Questions; Significance of the Study; Definition of Terms; Assumptions and Limitations; Nature of the Study; Organization of the Remainder of the Study
    CHAPTER 2. LITERATURE REVIEW
    CHAPTER 3. METHODOLOGY: Research Design; Sample; Setting; Instrumentation / Measures; Data Collection; Data Analysis
  • 7. Validity and Reliability; Ethical Considerations
    CHAPTER 4. RESULTS
    CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS
    REFERENCES
    APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION SECURITY MANAGEMENT SURVEY
    APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTER PARTICIPANT INFORMED CONSENT
  • 8. List of Tables
    Table A. Current agency 9-1-1 status/capability
    Table B. Job title/role at agency
    Table C. Current agency IT/Network administration description
    Table D. Agency anticipation of employing/contracting an IT/Network administrator who currently have none
    Table E. Reason or obstacles for not employing/contracting IT/Network administration if currently none
    Table F. Type of IT descriptions and policies (first six categories)
    Table G. Type of IT descriptions and policies (last six categories)
    Table H. If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F.1 and Table F.2
    Table I. Virus and/or spyware detection software on all servers and end user computers
    Table J. Reason and/or obstacles for agency not running anti-virus and/or spyware detection software
    Table K. Current inventory, schematic, and audit documents on file
    Table L. Reasons or obstacles for not having network inventory, schematic, and/or audit documents
    Table M. Type of security awareness training and education standards currently in place
    Table N. Reasons or obstacles for not having staff security training and/or current training/certification for IT administration
    Table O. Agencies reporting compliance with NG-SEC
  • 9. List of Figures
    Figure 1. The population range of the agency's jurisdiction.
    Figure 2. Current agency 9-1-1 status/capability.
    Figure 3. Job title/role for small agencies.
    Figure 4. Job title/role for medium agencies.
    Figure 5. Job title/role for large agencies.
    Figure 6. IT/Network Administration for small agencies.
    Figure 7. IT/Network Administration for medium agencies.
    Figure 8. Obstacles for not employing IT administration for small agencies.
    Figure 9. IT descriptions and policies for small agencies.
    Figure 10. IT descriptions and policies for medium agencies.
    Figure 11. IT descriptions and policies for large agencies.
    Figure 12. Obstacles for not having the descriptions/policies for small agencies.
    Figure 13. Obstacles for not having the descriptions/policies for small agencies.
    Figure 14. Virus and/or spyware detection software for small agencies.
    Figure 15. Virus and/or spyware detection software for medium agencies.
    Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies.
    Figure 17. Current IT documentation for small agencies.
    Figure 18. Current IT documentation for medium agencies.
    Figure 19. Current IT documentation for large agencies.
    Figure 20. Obstacles for complete IT documentation for small agencies.
    Figure 21. Obstacles for complete IT documentation for medium agencies.
  • 10. Figure 22. Security awareness and training for small agencies.
    Figure 23. Security awareness and training for medium agencies.
    Figure 24. Security awareness and training for large agencies.
    Figure 25. Obstacles for security training and education for small agencies.
    Figure 26. Obstacles for security training and education for medium agencies.
    Figure 27. Reported NG-SEC compliance by agency size.
    Figure 28. Part-time or no current network administration by agency size.
    Figure 29. Obstacles for not having full-time network administration for small agencies.
    Figure 30. Presence of malware in network traffic (Ponemon, 2009).
  • 11. CHAPTER 1. INTRODUCTION
    Introduction to the Problem
    Technology has expanded the way society communicates, particularly in the last few decades (Barbour, 2008). Today, cell phones are prevalent and have expanded the tools available for individuals to get help from public safety agencies. In addition to voice communications over the telephone wires, individuals can easily conduct voice and video conversations using computers on either wired or wireless Internet networks. People can instantly send and receive text, photos, and video from their cell phones. With the additional communication options available to the public, the technical capabilities of 9-1-1 public safety communications need to expand.
    Society’s expectations and the reality of what the 9-1-1 systems should be able to handle are wide apart. One example is the Virginia Tech shooting in April 2007, when students attempted to send text messages to 9-1-1; they were unaware the call center was not equipped to receive such communications (Luna, 2008). Many hearing impaired callers rely on newer modes of communication available on smart phone devices, yet cannot utilize them during an emergency to contact a 9-1-1 system that is analog based (Kimball, 2010).
    Another example of the need to upgrade capability to meet expectations is the fact that legacy 9-1-1 equipment is unable to provide accurate location services. Of course, that service is now widely available and many mobile and social networking services currently provide it, according to the National E9-1-1 Implementation Coordination Office (2009). Due to this wide gap of expectation versus capability, the need for public safety communications to upgrade to match consumer technology advancements is vital if the system is to continue to keep citizens safe.
  • 12. In July 2008, H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008 (also known as the NET 911 Improvement Act of 2008) was signed into law to promote and enhance public safety by facilitating the rapid deployment of IP-enabled 911 and E-911 services, encouraging the nation’s transition to a national IP-enabled (Internet Protocol) emergency network, and improving 911 and E-911 access to those with disabilities. The initiative of advancing 9-1-1 systems to IP technologies nationwide is known as Next Generation 9-1-1 (or NG9-1-1). Currently, there is no definite date of completion for nationwide NG9-1-1. Also, public safety organizations are independently planning and implementing NG9-1-1 technologies (Kimball, 2011). Because of the vast technological changes and requirement of nationwide standards, this lack raises concern about the way IP-based 9-1-1 systems are managed to maintain their security and integrity, which is also evolving due to converting the closed analog system to a connected Internet system (NENA, 2011). Given the size and scope of the project, there is a need to monitor compliance capability.
    Background of the Study
    In the United States, the current 9-1-1 system is going through a transformation from analog based systems to IP-based (Internet Protocol) systems (NENA, 2011). The analog 9-1-1 systems are not compatible with most of the current consumer technologies, and converting to digital systems will allow the variety of available consumer communication devices to work within public safety systems. Next Generation 9-1-1 will allow for IP-based communication technologies to be used, such as text messages, voice, photos, and videos over secured Internet points. Prior to the introduction of Next Generation 9-1-1, public safety communication systems were not connected to other networks, which provided stronger security barriers from attacks. With Next Generation 9-1-1, the barriers are significantly decreased through the internet-
  • 13. protocol connections, making 9-1-1 a potentially appealing and vulnerable target. Thus, information security management standards were established in February 2010 by the National Emergency Number Association in order to address the technological changes of 9-1-1 communications. The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) was established and all Next Generation 9-1-1 status agencies are to comply with the standards immediately (NENA, 2010, p. 8). Therefore, the relevance of this research is to establish the progress towards achieving this requirement. In general, potential reasons for noncompliance can range from high costs and privacy issues to business disruption, even though there may be penalties and legal issues, and consequences for national security and the welfare and safety of citizens. For public safety communications, it is critical for agencies to be and remain compliant to keep communication services available and safeguard lives and information.
    Statement of the Problem
    The problem that will be explored in this study is the level of compliance or non-compliance with information security management standards in the public safety communications environment.
    Purpose of the Study
    The purpose of the thesis study is to ascertain if public safety answering points (PSAPs) have information security management standards in place that reveal compliance or non-compliance with National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) prior to nationwide Next Generation 9-1-1 implementation and to identify any needed next steps to reach compliance.
  • 14. Research Questions
    1. What are the Next Generation 9-1-1 information security management standards and policies?
    2. What percentage of agencies have Next Generation 9-1-1 status?
    3. What percentage of agencies are compliant or noncompliant?
    4. What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?
    Significance of the Study
    Every project must be planned and, where possible, kept on schedule. 9-1-1 is a vital societal system. The National Emergency Number Association (NENA) estimated in October 2011 that 240 million calls were made to 9-1-1 in the United States annually (NENA, 2011, sec. 2, para. 1). From those annual calls, at least one-third are wireless, and it is estimated that 26.6% of all United States households currently rely on wireless communication as their primary services (NENA, 2011, sec. 8). NENA has provided the national security standards and best practices for public safety answering points with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). The next step in the project is to implement those standards so that public safety communications adapt to advancing technology and consumer needs without compromising security. But projects do not guide themselves. To meet the need for nationwide security standards compliance, managers need up-to-date data regularly available. The study of compliance is significant in providing updated data of security readiness as public safety communication agencies move forward, making the
  • 15. transition from closed to open systems with Next Generation 9-1-1 with its ability to continue to provide the emergency services required for citizens.
    Definition of Terms
    Next Generation 9-1-1. Next Generation 9-1-1 is an Internet Protocol (IP) based system that will allow 9-1-1 public safety entities to receive and send such communications as text messages, video, photos, and voice through secured Internet points on 9-1-1 communication systems (NENA, 2011).
    Public Safety Answering Points (PSAPs). Public Safety Answering Points are 9-1-1 emergency call centers that are staffed with trained 9-1-1 operators that receive emergency telephone communications for law enforcement, fire, ambulance, and/or rescue services (NENA, 2011).
    Data Transience. The explanation that data can be ever changing and provide a momentary snapshot of what may be true at one point in time but not necessarily true the next time data is collected.
    Assumptions and Limitations
    The research is a "naturalistic" or applied study. There are assumptions surrounding the questioning technique used in the sample. It was assumed the responders had an appropriate level of knowledge due to being designated as contact points within their organizations. The questioning utilizes vocabulary presented in the National Emergency Number Association (NENA) Security for Next Generation 9-1-1 standards or NG-SEC, which the sample should understand. The questioning links sufficiently to the participant’s experience, again due to utilizing the national standards that were created by 9-1-1 leaders (NENA, 2010). The researcher also assumed that each participant would answer willingly and truthfully since the study did not
  • 16. publish names of contacts or agencies, assuring confidentiality of any information shared. Limitations of the thesis are of practicality, such as researcher experience, time limit of study, and university rules.
    Nature of the Study
    It is vital that Next Generation 9-1-1 technologies are both implemented and accessible nationally to meet the growing demands of consumer technology and consumer mobility for emergency services. However, it is also essential for public safety answering points (PSAPs) to be in compliance with security standards because of the openness of the evolving technology. The study revolves around the security standards and data collected from agencies. The thesis is an empirical study. Empirical research can be defined as research based on experimentation, observation, or experience (Classroom Assessment, 2011). Leedy (2010) points out “the significance of data depends on how the researcher extracts meaning…” and “underlying and unifying any research project is its methodology” (p. 6).
    The thesis is also an evaluation study. Such studies require a researcher to specify criteria, which in this instance are the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC. Measurement will involve collecting data via survey of a cross sectional sample of agencies in the United States and conducting a review of the literature. As Leedy (2010) states, “measurement is ultimately a comparison and it is a tool by which data may be inspected, analyzed and interpreted” (p. 25). The survey utilizes the NG-SEC and serves as the measurement scale for the purpose of comparison and analysis of research questions.
    The data collected are ever changing and only provide a momentary look at the Next Generation 9-1-1 status and compliance or non-compliance of agencies sampled. Time, evolving
  • 17. technology, consumer needs, agency obstacles, and future laws and standards will inevitably change data. Therefore, the data are “transient” (Leedy, 2010, p. 89).
    The objectives of empirical research go beyond reporting observations. They promote an environment for improved understanding, combine extensive research with detailed case study, and prove relevancy of theory by working in a real world environment (Experiment Resources, 2011). The study provides analysis of data collected from public safety answering points (PSAPs) in order to provide an examination of the written standards in real life application. The case study method, as explained by Zainal (2007, p. 1), “enables a researcher to closely examine the data within a specific context”. Yin (1984) further defines the method “as an empirical inquiry that investigates a contemporary phenomenon within its real-life context” (p. 23), and by utilizing a case study method in this study, not only will the data be explored, but the complexities of the real-life situations will also be shown (Zainal, 2007, p. 4). When researching human activities, it is important to capture contextual data and situational complexity. According to Leedy (2010), “research conducted in more naturalistic but invariably more complex environments – is more useful for external validity; that is, it increases the chances that a study’s findings are generalizable to other real-life situations and problems” (p. 100). The field of study may be unique and the human activities in the project require complexity as part of the research. Lorino (2008) explains the situatedness of research in that “it takes place in a specific situation which influences the view of the complex system” (p. 8).
    The study identified the collective experience of agencies implementing a key technology in the field. Each agency surveyed is itself a potential case study. Thus, there are multiple individual surveys available for analysis.
    According to replication logic, if findings are replicated throughout the different agencies, more confidence can be placed on the findings and
  • 18. generalizing beyond the original participants becomes possible. The rationale for this type of analysis is supported by Yin (2009), who explains that replication logic is where the researcher is looking for congruence that indicates increased confidence in the overall finding. Identifying congruence between a standard and a practice is the heart of criterion referenced evaluation research. Such studies not only provide data on the subject, but also serve data driven quality improvement reviews used in assessments of the development process.
    Organization of the Remainder of the Study
    In the following chapters, the researcher provides a literature review, methodology, presentation of survey results, and concluding study discussion and recommendations. The literature review describes the evolution of 9-1-1 to its current transition of Next Generation 9-1-1. It also presents and discusses the information security management standard set forth by National Emergency Number Association (NENA) for public safety communication compliance. In Chapter 3, the researcher provides the survey study methodology in which the data will be collected and analyzed to explore the research questions. Chapter 4 presents the results and description of the data collected, followed by a conclusion and recommendations based on the researcher’s findings in Chapter 5.
  • 19. CHAPTER 2. LITERATURE REVIEW
    9-1-1, in the United States, is the number to call if citizens need help (NENA, 2011). Whether the emergency requires medical, fire, or law enforcement, the three digit number is supposed to be the one Americans contact for a quick response to a particular emergency (Barbour, 2008). For most of the last four decades that 9-1-1 has been in existence, the way citizens communicated to emergency services, with the exception of showing up in person, was through the use of pay phones and residential landlines (Barbour, 2008).
    It was a very straightforward analog system that gradually incorporated the phone number from which the call was coming, the location of the call, and even a list of appropriate emergency response units based on jurisdiction of the call. However, now in the age of the Internet and a mobile lifestyle, this traditional 9-1-1 communication has continued to fall behind in meeting the needs of the consumers, especially with the increasing disappearance of fixed-line communications (Luna, 2008). A particularly tragic example took place in 2008. A woman from Tampa, Florida was kidnapped and called the local public safety communication center on her mobile phone while the incident was occurring. The public safety communications center’s 9-1-1 was an analog system and her GPS-enabled (global positioning system) phone did not register her location. Later, police found the dead woman’s body in a vacant home in a nearby town (Bruce, Newton, & Vaughan, 2011, p. 8). If the local 9-1-1 system had been equipped with Internet-Protocol technologies, the public safety communications center may have been able to track her location through GPS and her life may have been saved. Certainly, the system did not even permit that possibility.
    Enter Next Generation 9-1-1, which is based on transforming the currently analog 9-1-1 communications system into an Internet-Protocol or IP-based system to allow 9-1-1 call takers
  • 20. to receive the same location and unit information as they do now with landline or fixed-line telephone systems. Public safety communication personnel would be able to communicate with citizens and emergency response units via text and mobile, as well as exchange photos and videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).
    The very scope of nationwide Next Generation 9-1-1 implementation means it will take time, and there are obstacles and issues to work around and resolve. In 2008, the state of New York conducted a 911 project to enhance wireless communication with a grant from the United States Department of Transportation and National Highway Traffic Safety Administration. The project found that technology was not the major obstacle in enhanced wireless deployment. Though some technical issues may slow the progress, funding for technological upgrades is the most pressing obstacle (Bailey & Scott, 2008). Of course, this was the year when a major financial problem engulfed many countries, so it is understandable the study reported that many public answering points did not have sufficient funds for enhanced wireless communication upgrades. Ultimately this need for finances has prolonged the time needed to complete the project. The New York study provided examples of obstacles for Enhanced Wireless technologies, which involve cellular 9-1-1 communications for Wireless Phase I and Wireless Phase II implementation and not the Internet-Protocol technology that is required for Next Generation 9-1-1 (Bailey & Scott, 2008). However, the funding comparison can be made for obstacles 9-1-1 entities face in upgrading the national 9-1-1 system. If agencies have issues with funding for cellular wireless technologies of Wireless Phase I and Wireless Phase II, which still utilize the analog systems, they may have the same issues with Next Generation 9-1-1 funding.
  • 21. 9-1-1: Past and Present
    In order to understand and discuss the current changes of today’s 9-1-1 systems, it is best to briefly review where and how 9-1-1 began and the current types of 9-1-1 services. Jason Barbour’s article (2008) explained the first official 9-1-1 call was on February 16, 1968 in Haleyville, Alabama and provided an overview of the 40 year history of 9-1-1, from the inception in 1967 to the current day. Mr. Barbour’s historical perspective told how the technological advances throughout the years have benefited the profession of saving lives. Barbour also observed that keeping up with consumer technology has always been a challenge and that some of the difficulty has been with the lack of synchronicity between the public and private sectors. It is also important to note the humble beginnings of the first 9-1-1 call in the small town of Haleyville, Alabama. Barbour illustrated the importance of modest technological strides from the thousands of public safety agencies nationwide.
    According to the National Emergency Number Association or NENA’s website (2011), the different types of 9-1-1 systems readily used now are Basic, Enhanced, Wireless Phase I, and Wireless Phase II. Basic 9-1-1 is when the three-digit number is used, and either a voice or a Telecommunication Device for the Deaf (TDD) call is received by the local public safety answering point (NENA, 2011, sec. 3). Enhanced 9-1-1 builds on the basic service, but additionally provides dispatchers the caller’s location, phone number, and the PSAP responder information for the caller’s address (NENA, 2011, sec. 4). It is important to understand that both Basic and Enhanced 9-1-1 only apply to landline phones, not wireless (NENA, 2011, sec. 4).
    With wireless, the reality of what is displayed or the information available to the public safety answering point (PSAP) can be different than that of the wireline or landline 9-1-1 call. The National Emergency Number Association’s website (NENA, 2011) continued to explain the
  • 22. next two phases, Wireless Phase I and Phase II. Under Wireless Phase I only the cell phone number displays (NENA, 2011, sec. 5), and Wireless Phase II provides the cell phone number and the location of the caller (NENA, 2011, sec. 6). A critical point to remember regarding Wireless Phase II is that a caller’s location is based on the closest cell towers, depending on whether the caller is located in an urban or rural area. In rural areas there can be quite a distance between towers.
    Voice over Internet Protocol (VoIP) is spreading rapidly with consumers and the 9-1-1 communities have only begun to complete Enhanced 9-1-1 capabilities for VoIP 9-1-1 (NENA, 2011). The Federal Communications Commission or FCC website’s (2008) discussion of VoIP 9-1-1 services explained that since the communication uses Internet protocol as opposed to traditional analog systems, not all VoIP services connect through 9-1-1. Next Generation 9-1-1 or NG9-1-1 would address the issue of 9-1-1 and VoIP capability since NG9-1-1 provides public safety communication agencies with Internet-Protocol based systems. According to the National Emergency Number Association’s NG9-1-1 Transition Plan (NENA, February 24, 2011), NG9-1-1 has begun, with the prerequisite of deploying IP networks in some areas already occurring and with vendors developing NG9-1-1 equipment. However, the organization does note that “NG9-1-1 will be a journey that will be realized at different rates within various parts of North America, based upon state/province, local implementation and stakeholder environments” (p. 15).
    Current 9-1-1 Usage
    Current 9-1-1 statistics are provided by the National Emergency Number Association (NENA) website under the category of Public & Media (2011, November 12): United States has 6,130 primary and secondary public safety answering points (PSAPs) and
  • 23. 3,135 Counties which include parishes, independent cities, boroughs and Census areas. Based on NENA’s preliminary assessment of the most recent FCC quarterly filings:
    97.7% of 6,130 PSAPs have some Phase I
    96.0% of 6,130 PSAPs have some Phase II
    94.1% of 3,135 Counties have some Phase I
    91.8% of 3,135 Counties have some Phase II
    98.1% of Population with some Phase I
    97.4% of Population with some Phase II
    Phase I and II are not provided 100 percent nationwide. It is estimated that about 20% of households in the United States do not use landline phone services; instead they rely on wireless services only (NENA, 2011, sec. 1).
    There are a few agencies throughout the United States, such as King County in Washington and Rochester in Monroe County, New York, that use portions of Next Generation 9-1-1 technologies by either working as a test public safety answering point (PSAP) or with a very small percentage of Internet Protocol (IP)-based technologies working alongside the main analog systems (Intelligent Transportation Systems, 2009). Black Hawk County, IA is the first PSAP to allow text messages to be sent directly to 911, though it is only through one wireless provider (Mannion, 2009). Charlotte County, Florida received a Florida State grant and is using it to begin implementing different Next Generation 9-1-1 capabilities (Hamilton, 2009). The U.S. Department of Transportation (2009) tested various IP-based technologies with five public safety answering points (PSAPs) who gathered the information that assisted the 9-1-1 communities like National Emergency Number Association (NENA) and Association of Public Safety Officials (APCO), along with the government officials, to develop nationwide plans.
  • 24. The United States government is a very important part of the development of regulations for 9-1-1 technologies. From 9-1-1’s first inception in 1967, by the President’s Commission on Law Enforcement Administration of Justice (Barbour, 2008), to continuous active pursuits of legislations, through most recently, the ENHANCE 911 Act of 2004 and NET 911 Improvement Act of 2008, which address the concerns raised by emerging technology and how it affects the services of 9-1-1 (Moore, 2009). It is clear from these governmental actions that it has been working to improve its 9-1-1 services with the evolving technology. In February 2010, National Emergency Number Association (NENA) published the NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Many industry experts from a variety of private and government sectors contributed to the security standards to address the needs of Next Generation 9-1-1 (NG9-1-1) technologies. The standards are in place to “establish the minimal guidelines and requirements for the protection of NG9-1-1 assets or elements within a changing business environment” and to “impact the operations of 9-1-1 systems and PSAPs as standardized security practices” (p. 1). Also, all NG9-1-1 entities will be required to understand, implement and maintain the new standards and requirements, and that requirement is effective immediately. Any vendor who presents devices, future applications or technologies for 9-1-1 systems is also to be in compliance with NG-SEC. In August 2011, the Federal Communications Commission (FCC) announced it still had to consider “how to ensure adequate broadband infrastructure to deliver the bandwidth PSAPs will need to provide NG9-1-1. As part of the NPRM, the FCC will examine interim solutions for ensuring that carriers/service providers support transmission of text-to-911” (Genachowski, 2011, p. 1).
  • 25. The Future: Next Generation 9-1-1 and Security Issues At the moment, the technologies that may be used for Next Generation 9-1-1 capabilities are Internet protocol (IP) voice, video, instant messaging (IM), short messaging (SMS), data, and telematics (Luna, 2008). Although the Luna article was written in 2008, 9-1-1 systems remain limited. The Federal Communications Commission (FCC, 2008) stated some of the issues with voice-over Internet protocol (VoIP) 9-1-1 are those calls may not connect to the public safety answering point (PSAP), or may improperly ring to the administrative line of the PSAP, which may not be staffed after hours, or by trained 9-1-1 operators. VoIP calls may correctly connect to the PSAP, but not automatically transmit the user’s phone number and/or location information. VoIP service may not work during a power outage, or when the Internet connection fails or becomes overloaded. This can be a problem for citizens, when many times emergencies occur in masses or when the power is out. Because of these issues, there are efforts to include enhanced VoIP (Kim, Song & Schulzrinne, 2006) that address things like language-based call routing, and the ability for 9-1-1 operators to call back a disconnected call (FCC, 2008). Further considerations with voice-over Internet protocol (VoIP) deal with the added security required on networks that will need to accommodate VoIP and not just data-only networks. Added costs to 9-1-1 agencies are the reality for additional power backup systems, firewalls, 9-1-1 answering software for VoIP and other IP based communications. Not only would new equipment and software need to be installed to accommodate IP-based technologies specific to 9-1-1 communications, but also routine testing would need to take place to ensure system security and would require adequate staff to manage the systems to allow for 24/7 uptimes (NIST SP 800-58). 9-1-1 entities would need to continue to meet demands of evolving
  • 26. technology for upgrades and possible loss of 9-1-1 service if a disaster were to occur within the 9-1-1 center. In short, there remain technical problems in addition to financing concerns. A view of risk and security issues is through Lynette Luna (2008), who took the social approach on how consumer technologies and the lack of integration with the current 9-1-1 systems may affect emergency situations. She used well-known incidents, such as the Virginia Tech shootings, to make a strong argument showing the ability of 9-1-1 centers to accept text messages could have possibly saved lives. For the purpose of risk assessments to upgrading to next generation 9-1-1, it is good to have a social perspective of 9-1-1 technologies, because ultimately the point is to provide safety and security to citizens (Luna, 2008). Hilton Collins (2008) states that a Next Generation 9-1-1 technology that is attractive to public safety answering points (PSAPs) for cost savings and shared resource solutions is virtualization. 9-1-1 agencies could consolidate servers and desktops, requiring fewer hardware purchases and conserving energy. It also allows for network administrators to manage upgrades and installs from one console, saving time and money. Also virtualization software can allow for application testing before installing on a live system. This would benefit agencies by not compromising 9-1-1 communication applications and save costs toward network administration that would need to bring system and services back up immediately (TechSoup.org, 2011). It is possible that this is another example of a solution that creates additional problems. The savings imply fewer personnel needs as well. In addition, there are security risks that come with a virtual environment. Hilton Collins (2008) discusses information about virtualized and non-virtualized environments as a whole, as well as some best practices for protecting virtual networks from cyber-attacks.
The main concern is that virtualization in government agencies, particularly public safety and law enforcement, will bring greater exposure for exploits and
  • 27. security breaches by introducing “a new layer of software on top of the host machine or system, which creates additional infrastructure to manage and secure” (Collins, 2008, para. 2). The article elaborated the risks involved with virtual networks, like hackers, and illustrates that attackers seek out poorly configured and exposed servers. Collins advised that potentially all systems that are interconnected with the agency could be compromised. It only takes one open network machine to be a possible threat of opening the door to a secured system or systems (Collins, 2008). Costs that could be incurred with one breach of security could be limitless depending on amount of staff to bring critical systems back up, amount and type of data loss, and legal action costs as a few possibilities. Another change from Next Generation 9-1-1 that Douglas (2008) discussed is that dispatchers will need to use a whole other set of sensory skills in addition to what they use now to perform duties. Currently the information received is heard, either by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will rely more on visual information, rather than audible. The visual format makes completing interactive functions while multitasking by the dispatcher harder because the cognitive load or attention requirements of human beings vary. The additional multitasking from staff can raise training cost and cost to obtain and keep trained staff. Douglas (2008) also touched upon how 9-1-1 Centers will have to re-evaluate their training curriculums and even hiring processes to adapt to the changes. These personnel and training issues could be looked at as vulnerabilities and could then be exploited by individuals or organized groups (Douglas, 2008). Many times the weakest link in security is the people that use the system (Breithaupt & Merkow, 2006).
If staff are not trained properly or do not have the required skills to use Next Generation 9-1-1 technology systems and software, this could create a vulnerability to the whole system.
  • 28. Current Information Security Management Information Technology implementation in 9-1-1 public safety communications can be slow in adaptation especially when compared to consumers and the corporate sector (Barbour, 2008). As stated by Chairman Genachowski (2011), “no single governing entity has jurisdiction over NG911…” and “the FCC will work with state 911 authorities, other Federal agencies, and other governing entities to provide technical expertise and develop a coordinated approach to NG911 governance” (sec. 3, para. 4). Lynette Luna (2008) stated in her article that an individual “calling a catalog company to order goods such as clothing, the call-taker would have better tools than the typical 911 call-taker — who is dealing with life and death situations” (p. 4). Luna noted that one reason may be due to budgets and jurisdictional matters, such as funding issues, regulatory amendments, and state regulations that stipulate 9-1-1 component usage. Luna (2008) also mentioned that the transitioning to Next Generation 9-1-1 technologies would be an ongoing process through changes in software, databases, and workers’ procedures. In October 2008 the United States and global economy suffered and it continues to struggle over concerns over American and European debt issues (Arizona State University, 2011). Local governments have tightened their financial belts and the additional cost of upgrading 9-1-1 infrastructures and maintenance, though a necessity, is none too appealing in the current economic climate. With the country’s economic climate and with those changes that Luna mentioned (software, databases, and workers’ procedures), the information security management would seem to also need to adapt to the changes. According to the publication “Principles of Information Security: Principles and Practices”, the major categories of computer crimes are as follows: Military and Intelligence Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun”
  • 29. Attacks. To break down each category, their definition (Breithaupt & Merkow, 2006) and how it could apply to 9-1-1 IP systems are accordingly listed: Military and intelligence attacks: Criminals and intelligence agents illegally obtain classified and sensitive military and police files. Business attacks: Increasing competition between companies frequently leads to illegal access of proprietary information. As much as it may be hard to believe, this could include competing public safety vendors. Financial attacks: Banks and other financial institutions provide attractive targets (p. 143). Obviously 9-1-1 is not a bank or financial institution in the direct sense, but it is a government-funded entity that could be attacked. Though financial gain would not be the end result, causing significant financial harm could be a motive. Breithaupt & Merkow continue to list and explain major categories of crimes: Terrorist attacks: Terrorist attacks could be executed for either a direct or indirect attack on a 9-1-1 system. An indirect example would be an attack targeted in one geographical area to pull sources away, so the intended target would be vulnerable. It could also involve one system or a large-scale attack of several systems either simultaneously or consecutively. Grudge attacks: This could come in the form of either a disgruntled employee or citizen seeking revenge against the specific agency or even just against law enforcement or government entities in general. Thrill attacks: hackers penetrate the system just for the “fun of it”, bragging rights, or simply for a challenge (2006, p. 143).
  • 30. To conclude the risk portion, there, of course, is the continued threat of viruses and malware as with any IP network. However, instead of only affecting a computer-aided dispatch software program that could quickly be exchanged with an internal closed legacy system or even a paper system for back up purposes, a 9-1-1 communications system would not be as easily replaceable or have much allowance for any down-time, even temporarily, due to a virus or malware issue. Daily vulnerabilities of network infection and system outage on a vital system such as 9-1-1 make any loss of service an issue of public safety. The National Emergency Number Association (NENA, 2011) website had a plethora of documentation, guidelines, requirements and standards that addressed a variety of technology and equipment implementation, connectivity, and functionality issues, which were more appropriate for a systems administrator. Though system administrator policies and standards and practices may include “security controls, information classification, employee management issues, and corresponding administrative controls” (Breithaupt & Merkow, 2006, p. 43), which apply to information security, none were specific to current 9-1-1 public safety communication entities during an initial literature research. However, in February 2010, NENA organized and published a set of national standards specific to Next Generation 9-1-1 security objectives for 9-1-1 entities, titled National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, which will be discussed in more detail in this chapter. Before the creation of NG-SEC, though, no national standard or policy was in place for 9-1-1 agencies. Next Generation 9-1-1 Information Security Management The researcher investigated the literature specific to Next Generation 9-1-1 information security management standards. The National Emergency Number Association advised the
  • 31. purpose of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards was to “establish the minimal guidelines and requirements for the protection of NG9-1-1 (Next Generation 9-1-1) assets or elements within a changing business environment” (NENA, 2010, p. 7). The national public safety communication organization published the document to provide standardized security practices for Next Generation 9-1-1 technologies, but explained that it is a work in progress and the document is in its first version with revisions to come to accommodate future issues (NENA, 2010). Technical requirements, upgrading and/or replacing equipment, will incur costs to agencies. Readiness and available funds may also vary with each 9-1-1 entity. The document scope covered public safety answering points (PSAPs), Next Generation 9-1-1 ESINet, Next Generation 9-1-1 service providers, Next Generation 9-1-1 vendors, contracted services, and any individual or group who use, design, have access to, or are responsible for Next Generation 9-1-1 assets (NENA, 2010). Like Breithaupt and Merkow (2006), the National Emergency Number Association (NENA) document listed roles and responsibilities of individuals specific to NG9-1-1 security and similarly concluded that ultimately security is “everyone’s responsibility” (NENA, 2010, p. 11). When it came to security policies, NENA stated that they are the first step in any effective attempt at implementing a security program (NENA, 2010). The National Emergency Number Association (NENA) further explained the minimum standards shall have a senior management statement (or an organizational security statement), functional policies, and procedures. It continued to detail each section, starting with the senior management statement policy. NENA emphasized that “senior management must be engaged and committed to maintain highly effective security so the rest of the staff can be able to do their
  • 32. part” (NENA, 2010, p. 11). As the National Emergency Number Association document stated, security is “everyone’s responsibility” (NENA, 2010, p. 11) and senior management is not exempted. The absolute minimum that should accompany the senior management statement is two items: identify the person responsible for security (even though it technically is everyone’s responsibility) and provide a written description of the security goals and objectives of the Next Generation 9-1-1 entity (NENA, 2010). To compare this with information security management standard practices in realms outside of 9-1-1 public safety communications, the book by Breithaupt and Merkow (2006) provided an overview of information security management through security principles and a common body of knowledge used in private and public industry. They explained that “setting a successful security stage” with “effective security policies can rectify many of the weaknesses from failures to understand the business direction and security mission and can help to prevent or eliminate many of the faults and errors caused by a lack of security guidance” (Breithaupt & Merkow, 2006, p. 60). The Next Generation 9-1-1 information security management standards documentation (NENA, NG-SEC, 2010) stated that it is to provide a “deeper level of granularity after creating an executive management statement” (NENA, 2010, p. 12). The document gave a list of some examples of what may be contained in it: “acceptable usage policy, authentication/password policies, data protection policy, wireless policy, physical security policy, remote access policies, hiring practices, security enhancements or technology, baseline configurations for workstations, standards for technology selections, and incident response policy” (NENA, 2010, p. 12). The procedures section included documentation that provided the “method of performing a specific task” (NENA, 2010, p. 12), such as creating new user accounts or how vendors would be
  • 33. allowed access to the server room. This complemented the common body of knowledge (Breithaupt & Merkow, 2006) and practices that private and government industries (ISO/IEC 27001, 2005), outside of 9-1-1 public safety communications, utilized for information security management. Obstacles and Solutions for Next Generation 9-1-1 Information Security Management When information was collected for possible standards as they applied to various aspects of Next Generation 9-1-1 operations, a mixture of obstacles and possible solutions were found. In Merrill Douglas’ article (2008), she explained some problematic issues from the 9-1-1 operator’s perspective regarding Next Generation 9-1-1 and how 9-1-1 information will be received in the future. Douglas explained that currently the information received is heard, either by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will rely more on visual information, rather than audible, and a whole set of sensory skills will need to be used, which makes performing interactive functions while multitasking much harder (Douglas, 2008). The article also discussed how 9-1-1 Centers will have to re-evaluate their training curriculums and even hiring processes to adapt to the changes. Lack of training for staff creates vulnerabilities and could then be exploited by individuals or organized groups (NIST SP-800-50), as well as be related to the risk assessments of the future 9-1-1 systems and that the effects of security are significant because people are usually the weakest link (Douglas, 2008). Mary Rose Roberts (2009) brought up consolidation of Next Generation 9-1-1 enabled public safety answering points (PSAPs) and illustrated both economic and shared resource benefits. She explained that technology improvements are growing exponentially and even though costs were lowering, still it behooved agencies to share resources to save money, as well as the benefit of sharing intelligence.
The year before the standards were developed, Roberts (2009) was asking, “if it’s next generation compliant, what does that mean? We haven’t defined
  • 34. what next generation is totally, so how can you be compliant to a standard that may not even exist yet…” and “as a result, we don’t believe every PSAP in this country is going to go to an NG911 environment any time in the very near future” (p. 23). Merrill Douglas (2009) also addressed consolidation cost benefits for PSAPs, which then helps with the burden of costs and provides better redundancy by switching to an IP network. Craig Whittington (2009) explored the public’s expectations of 9-1-1 services and the difference in what is reality. In his article, he stressed if the public’s perception and the reality of 9-1-1 do not agree, it can be more than a public relations problem; it can put lives at risk. From that perception issue, the article illustrated what Next Generation 9-1-1 can provide, like shared networks, new and different ways to communicate with callers and responders, as well as an increased capacity to transmit and disseminate information. Mr. Whittington additionally emphasizes that the most vital part of 9-1-1 systems (now and in the future) are the 9-1-1 Operators and Dispatchers. It is very important to make sure that personnel are well trained and at ease with the new responsibilities and technologies. Not only will it be a challenge to re-evaluate training curriculums, but also how to do it with continuing decreased budgets. The continued significance of operators in the 9-1-1 center is that they can become the weakest link in the overall network risk management. In order to acquire the benefits discussed earlier, this article illustrates the importance of making sure competent employees are hired and retained, as well as trained in the most current technologies, important issues in risk assessments (Whittington, 2009). Conclusion As the technology of 9-1-1 continues to evolve into Next Generation 9-1-1 systems, information security management in public safety communications will need to evolve as well to
  • 35. meet the needs of various technologies, consumers, and 9-1-1 staff. Matters of funding, governance, reliability, and security surround the project and the changes that current 9-1-1 public safety answering points (PSAPs) have and will be experiencing in the near future. This chapter provided a summary of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards that agencies will be required to be compliant with Internet-protocol based technologies. It also illustrated some challenges PSAPs will have due to the Next Generation 9-1-1 evolution. Against this background the researcher delved into the real-life state in which the PSAPs are currently compliant, either operating at Next Generation 9-1-1 status or before utilizing Internet-protocol technologies.
  • 36. CHAPTER 3. METHODOLOGY Research Design The study was a non-experimental, Mixed Method study because it included both verbal and numerical data. The study had a two stage design. There was secondary data gathered in a review of the literature as well as primary data collected to answer the research questions. The research design was an evaluation study being conducted to evaluate compliance with security standards of Public Safety Answer Points (PSAPs). The study was descriptive and illustrated aspects of agencies considered to be representative. It was also exploratory because the standards used to evaluate compliance were relatively new and the information collected was intended to help develop future more focused understandings of PSAP needs required for support in achieving compliance. The topic was new and little understood, so an exploratory project was appropriate. Published response data for the survey’s questions served as benchmarks for the purpose of comparison and analysis of this study’s questions. Thus, a criterion-based design was used. The standards were the criteria and in this design they provided the hypothesized situation against which this study was performed, as well as the standard of judgment for success or failure, and they provided a stable platform that enabled the researcher to decide whether the conclusions of this and other studies were relevant so that a pattern matching strategy could be employed, as explained by Yin (2009). The study was field based using only publicly available online membership contact information of either state or regional chapters of Association of Public-Safety Communications Officials (APCO) and National Emergency Number Association (NENA), both not-for-profit professional organizations for public safety professionals. According to NENA (2011), the
  • 37. United States has 6,130 primary and secondary public safety answering point (PSAP). For the purpose of this study and based on the time and resources available to the researcher, obtaining 6,130 agency contacts would not have been feasible. However, utilizing an Internet search of publicly available members of state or regional APCO or NENA chapters to collect at least one or more agency contacts, representing 50 states in order to examine the study nationwide, was achievable. The online search produced a list of 225 individual agency contacts, including a name for point of contact, e-mail address, and agency phone number. The study consisted of a one time survey, sent to each of the 225 agency contacts, and was a cross sectional study. The survey was self administered by email and the researcher utilized survey services through Survey Gizmo. Sample The study utilized a cluster sampling technique. Leedy (2010) explains this technique is appropriate when “the population of interest is spread out over a large area” (p. 209). The 225 agencies were the population units, i.e. the clusters. They were classified by size of population each agency serves utilizing 2010 United States Census information. The sample was stratified into three segments: small (serving 1-99,999 population), medium (serving 100,000-499,999 population), and large (serving 500,000 or more population). Of the 225 agencies, the following counts and percentages were present in this survey study: small (125 agencies, 55%), medium (71 agencies, 32%), and large (29 agencies, 13%). All survey methods have weaknesses. For example, participants may have wanted to reflect compliance, when in fact, they were not, or their responses may have been based on their understanding of the question and standards, which could in fact be a misunderstanding (Colorado State University, 2012). The survey referenced the industry
  • 38. accepted security standards for the survey questions and the researcher had to trust that all agencies were familiar with them and how it applied to their specific agency in order to accurately provide information for the study. Another issue, non-response, was present for possible reasons (Cooper, 2008, p. 257). For example, the contact information may not have been accurate or been addressed to the person who would have been best able to answer the survey in the context of the compliance survey. Use of an official association was intended to reduce issues related to contact information. Also it was difficult to secure a large amount of the selected agencies to respond to the survey. First, the initial contact was through the e-mailed survey and the researcher and educational institution, not representing a public safety communications organization or government agency, was relatively unknown to the public safety communication centers. Or, there may have been restrictions on the agency the researcher was unaware of. A telephone follow-up to non-responders was used to increase the pool of available responses. Setting The thesis study was conducted as a field setting. The 225 agencies consisted of city, county, or state entities and were subject to a variety of regulations. They have been described elsewhere. Instrumentation / Measures The instrumentation used was an online survey that was emailed to 225 individual agency contacts. Measurement of the current 9-1-1 status/capability was categorical: Basic 9-1-1, Enhanced 9-1-1, Wireless Phase I, Wireless Phase II, and Next Generation 9-1-1. Categorical measurement was made of respondent job title/role within their agency through three categories, 9-1-1 Supervisor (middle management), 9-1-1 Manager (upper management), 9-1-1 IT/Network
  • 39. Administrator (technical management). There was also an “Other” category for main job title/role if the three did not apply to the individual. Other measures focused on compliance standards. The researcher used the National Emergency Number Association’s (NENA) Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) to develop the survey questions in order to gather information about the security landscape of 9-1-1 public safety communication agencies at the dawn of Next Generation 9-1-1 nationwide implementation. The first set of questions, questions 1 through 3, provided population range, current 9-1-1 status/capabilities, and participant’s job title/role. Questions 4 through 6 focused on the agency’s Network Administration landscape. In questions 7 through 14, the participant selected each security policy and standard that was currently in place at their agency and provided obstacle explanations if applicable. Each security policy and standards question reflected a security standard presented in the National Emergency Number Association’s (NENA) Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010). Data Collection Data collection in this study was subject to time constraints. Specifically, data collection was limited to a three week period in November. Data collection included content from the review of literature and survey agency sample. The literature provided the compliance standards with the National Emergency Number Association’s (NENA) Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) and the NENA website of 9-1-1 basic statistics supplying amount of public safety answering points (PSAPs). An email was sent to 225 9-1-1 public safety agencies from the list of Association of Public-Safety Communication Official (APCO) and National Emergency Number Association (NENA) members. The
  • 40. researcher followed up with a phone call to the agencies. The researcher exported survey data from the Survey Gizmo report dashboard of all respondents for data review and analysis. Data Analysis Data was analyzed using both logical reasoning and descriptive statistics. The data presented used a question format. The questions supplied agency size and current agency 9-1-1 status or capability, illustrated by pie charts showing percentage of small, medium, and large agencies and bar graphs for 9-1-1 status. In addition to various charts and graphs, tables were used to further analyze the data from each survey question and provided total counts and percentages of each agency population size and total agency responses. Validity and Reliability Classroom Assessment (2011) states that “reliability and validity are two concepts that are important for defining and measuring bias and distortion” (sec. C, para. 1) with reliability referring to the “extent in which assessments are consistent” (sec. C, para. 2) and validity as the “accuracy of an assessment” (sec. C, para. 5) even if it does not measure what is to be measured. The survey questions mirrored the compliance standards. This established the content validity of the questions. Another way of determining validity was the use of expert judgment. Therefore, the committee reviewing this research was another check on validity. Another approach of validity was through triangulation. Leedy (2010) describes triangulation as collecting data from multiple sources “with the hope they will all converge to support a particular hypothesis or theory” (p. 99). It is common in qualitative designs to use different sources of data as support for the researcher’s confidence in the conclusions presented in Chapter 5.
  • 41. Ethical Considerations The researcher conducted the survey by questioning individuals managing 9-1-1 communication systems with the following ethical considerations. There are four categories of ethical consideration in research studies: (1) Do no harm (2) Informed Consent (3) Right to Privacy (4) Honesty. Do no harm is a broad ethical category. It includes not asking sensitive questions that would possibly injure an individual’s employment status. Security is a sensitive issue and a discussion of security issues under some circumstances might be interpreted as “sensitive”. For that reason data is collected in ways that do not reveal the individual; replies and participants are clearly informed about their right not to participate. Specifically, to meet the need for full disclosure, each 9-1-1 participant was informed of the intention of the study (copy in appendix B), which was to provide an academic snapshot of compliance through literature review and a survey of public safety answering points (PSAPs) to complement existing research and discussions of Next Generation 9-1-1 within the public safety communication realm and provide a platform for further dialogue and study on specific Next Generation 9-1-1 information security management goals and practices. The researcher was aware of the ethical demand for honesty in data collection. In addition, the participants who completed the survey did not have their personal identity or the identity of the agency revealed. None of the questions in the survey requested information that identified a specific person or agency, or put them in any harm. All information collected for the study was confidential to the research through the Survey Gizmo data collection and used only for the purpose of the academic thesis study.
  • 42. CHAPTER 4. RESULTS

    Introduction

    This chapter presents the data gathered from the surveys from public safety answering points (PSAPs). The survey was sent to 225 agencies stratified by population size. The purpose of the survey was to gather data needed to answer these questions:

    1. What percent of agencies have Next Generation 9-1-1 status?
    2. What percent of agencies are compliant or noncompliant with standards?
    3. What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?

    Answering these questions will lead to the answer to the main question and reveal compliance or non-compliance of PSAPs that are Next Generation 9-1-1 (NG9-1-1). The survey categorized PSAPs as small (1-99,999), medium (100,000-499,999), and large (500,000 or greater). It is an instrument of analysis to gauge the nationwide landscape of public safety answering points (PSAPs) currently and identify possible issues and obstacles of where it is heading.

    The methodology the researcher followed entailed contacting 225 agencies by e-mail utilizing Survey Gizmo survey online services. From 225 agencies, 4 agency e-mails were rejected with no other contact information available to the researcher, leaving a total of 221 agencies receiving the survey for response. Of these 221, a total of 56 agencies responded as a result of the survey process. In the first 3 days, 52 agencies responded. Three days after the initial surveys were e-mailed, the researcher sent a reminder with a second wave of the surveys to the 169 agencies that did not respond. According to StatPac, Internet surveys receive 90% of
  • 43. the responses within three days after the e-mail invitation is sent (StatPac, 2011). In this instance that proved a good ballpark estimate because 52/56 is 92%. The reminder did not produce additional responses.

    The next week, follow up phone calls were made to each of the 169 agencies that did not respond. The researcher directly spoke with 52 agency contacts from those 169 agencies. The 52 contacts the researcher reached by phone advised they were not sure if they received the email, or remembered the survey but had not taken the survey. For the 117 agencies with which direct contact was not made, the researcher either left a message with the dispatcher or non-emergency personnel answering the phone, or a message was left on the contact’s voicemail. The follow up phone calls produced 4 responses, making the total survey study response 56.

    Because the non-response rate was 75%, it is necessary to discuss response bias. Israel (2009) notes strategies to deal with response bias with calling back non-respondents, which the researcher did, and to “assume there is no response bias and to generalize the population” (p. 2, para. 4). In addition, Israel suggests that the researcher’s previous public safety communication experience offers expertise needed to make judgments regarding key information others might benefit from and use as part of generalization. In addition, that experience would support their confidence in conclusions drawn in discussion even with this response rate.

    Interestingly, since the survey generated 56 responses, it is comparable to other results, such as that in Deline, Ko, and Venolia (2007). They reported 55 responses on a sample of 250 (p. 7-8). The total population of this study’s survey was 221 with 56 responses and this comparison supports the decision to consider the response rate sufficient for the analysis and conclusions drawn in this study.
Therefore, although there were time limitations on data collection for the project, the researcher during the third week of data collection contacted the
  • 44. agencies about reasons for survey non-responses. Of the 165 non-respondent agencies 33 provided reasons for non-response. During this follow up, three reasons were provided by agencies for their decision. Although some mentioned time constraints, two other reasons provided were: (1) they did not want to participate due to not being familiar with the researcher or the graduate program institution and (2) they were not comfortable in sharing data with non-governmental entities. Given that security really is a sensitive topic, the researcher could have anticipated this response. In an e-mail to the researcher, Dr. Robert Morse confirmed other thesis candidates had been told contracts with security providers restricted the release of data only to authorized agents of that provider (R. Morse, personal communication, January 27, 2012).

    One additional point mentioned by the Federal Communications Commission Chairman, in August 2011:

        We need a comprehensive, multi-pronged approach to NG911 implementation: If we do nothing, to address NG911 requirements, timelines, costs, and governance, we will see uncoordinated patchwork deployment of NG911 over the next five to ten years, leaving much of the U.S. without any NG911 capability (Genachowski, 2011).

    In other words, the FCC chairman was in essence claiming a rudder to steer the project is still needed. That fact and these additional reasons, time constraints on data collection and the cost of multiple calls to agencies, were considerations that influenced the decision to stop data collection and make the judgment to report the data as collected. The researcher’s advisors pointed out self-selection bias is always a possibility in this type of research and agreed with the decision to report the results of the survey and follow-up conversations.
  • 45. Data Analysis

    Data is analyzed using both logical reasoning and statistics. The data is presented using a question format. In addition to various pie charts and graphs, tables will be used to further analyze the data from each survey question.

    There were three possible categories of responses by the size of agency jurisdiction. The distribution of response rates by agency size was: small (38 agencies, 68%), medium (16 agencies, 29%), and large (2 agencies, 3%).

    Figure 1. The population range of the agency's jurisdiction.

    What is interesting is that the categories do not reflect an even distribution. Essentially the three divisions can be considered in terms of x < 500,000 and x > 500,000. Out of the 56 respondents, 2 agencies selected the Large category (3%), 16 selected the Medium category (29%), and 38 respondents selected the Small category (68%). If the 16 Medium sized respondents are considered in combination with the 38 small category respondents, then clearly the bulk or 97% of respondents represented service areas of less than 500,000.
  • 46. The next survey question: What is your agency's current 9-1-1 status/capability? This question requested the agency's current 9-1-1 status, noting to respond with the most advanced level that applied to their agency. All 56 respondents selected Wireless Phase II as their current 9-1-1 status/capability, which allows for wireless 9-1-1 calls to display both latitude and longitude of the caller’s location. A key finding is that all are at the same level of compliance since all were at the same 9-1-1 status/capability.

    Table A
    Current agency 9-1-1 status/capability

    | Agency Size | Basic | Enhanced | Wireless I | Wireless II | Next Generation | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 0 | 2 | 0 | 3% |
    | Medium | 0 | 0 | 0 | 16 | 0 | 29% |
    | Small | 0 | 0 | 0 | 38 | 0 | 68% |
    | Totals (%) | 0% | 0% | 0% | 100% | 0% | 100% |
  • 47. Figure 2. Current 9-1-1 status/capability.

    The third survey question: Which best describes your main job title/role at your agency? From the total responses, 23% selected 9-1-1 Supervisor (Middle Management), 61% selected 9-1-1 Manager (Upper Management), and 8% selected IT/Network Administrator (Technical Management). There were also four agencies (2 Medium agencies and 2 Small agencies, or 8%) that selected the “Other” category. The descriptions given for “Other” were “Executive Director”, “Communications Training Coordinator”, “Both Manager and IT Administrator”, and “Trainer”. This shows the majority of responses were from upper management as requested with the selection of 9-1-1 managers with the capability and knowledge of the compliance standards and to provide accurate information about their specific agency.
  • 48. Table B
    Job title/role at agency

    | Size | 9-1-1 Supervisor | 9-1-1 Manager | IT/Network Administrator | Other | % |
    |---|---|---|---|---|---|
    | Large | 0 | 1 | 1 | 0 | 3% |
    | Medium | 1 | 10 | 3 | 2 | 29% |
    | Small | 12 | 23 | 1 | 2 | 68% |
    | Totals (%) | 23% | 61% | 8% | 8% | |

    Shown in Figure 3, the highest job title/role for Small agencies was “9-1-1 Manager”. Second choice was “9-1-1 Supervisor”. The third and fourth selections were “Other” and “IT/Network Administrator”. As with the overall response, the majority selected for job role was 9-1-1 manager category, showing that small agencies have designated and dedicated managers for their entities, signifying upper management responsibilities and knowledge as with other size agencies.

    Figure 3. Job title/role for small agencies.
  • 49. The Medium agencies selected “9-1-1 Manager” the most, “IT/Network Manager” next, and then “Other” and “9-1-1 Supervisor” for the least two job titles/roles (shown in Figure 4). The medium agencies had 19% of their responses from the IT category. If compared to the small agencies’ 5% (see Figure 3), this could illustrate small agencies having fewer network administrative personnel on staff and that the 9-1-1 manager in small agencies could hold IT administrative responsibilities even if it is a secondary role. Medium size agencies appear to have more network administration on staff, with the higher main role responsibility percentage.

    Figure 4. Job title/role for medium agencies.

    Figure 5 illustrates the two choices selected by the Large agencies, of which two in total responded. One selected “9-1-1 Manager” and one selected “IT/Network Administrator”. None selected “9-1-1 Supervisor” or “Other”. Since only two large agencies responded, the division of roles is 50%. What could be concluded is large agencies have levels of staff that are on upper level management and/or have a dedicated network administration department.
  • 50. Figure 5. Job title/role for large agencies.

    In survey question 4: What best describes your current IT/Network Administration at your agency? The two Large agencies both selected “Full-time internal IT/Network Administrator”. The Medium agencies varied among three categories: 12 for “Full-time internal IT/Network Administrator”, 1 for “Part-time external IT/Network Administrator”, and 3 for “Full-time external IT/Network Administrator”. The Small agencies provided a representation for all five categories. For the “Part-time internal IT/Network Administrator”, 2 made that selection, 19 selected “Full-time internal IT/Network Administrator”, 1 selected “Part-time external IT/Network Administrator”, and 13 chose “Full-time external IT/Network Administrator”. Finally, 3 Small agencies selected “No IT/Network Administrator”.
  • 51. Table C
    Current agency IT/Network administration description

    | Size | None | Part-time internal | Full-time internal | Part-time external | Full-time external | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 2 | 0 | 0 | 3% |
    | Medium | 0 | 0 | 12 | 1 | 3 | 29% |
    | Small | 3 | 2 | 19 | 1 | 13 | 68% |
    | Totals (%) | 5% | 4% | 60% | 3% | 28% | |

    The small agencies had at least one selection in each of the current agency IT/Network administration description categories. The highest selected was “Full-time internal” and second highest was “Full-time external”. The last three, in order of most selected, were “None”, “Part-time internal”, and “Part-time external” (see Figure 6). Even though it is possible for small agencies to have less budget allocation for a designated IT/Network Administrator, the data illustrates small agencies are not necessarily at a disadvantage at staffing network administration.

    Figure 6. IT/Network Administration for small agencies.
  • 52. In Figure 7, the Medium agencies selected three in total for their current IT/Network administration description types. The most often selected response was “Full-time internal”, the second was “Full-time external”, and the least selected was “Part-time external”. Large agencies selected that their IT/Network administration was full-time, internal staff (see Table C). Comparing all three jurisdiction sizes shows that the larger the agency size, the more full-time network administrators and the more that are internally staffed. But even though smaller agencies have a lower percentage, they are apparently capable of having full-time administrators even if they need to contract externally.

    Figure 7. IT/Network Administration for medium agencies.

    For survey question 5: If your agency has "No internal or external IT/Network Administrator" does your agency anticipate in employing or contracting an IT/Network Administrator? As shown in Table C, only 3 small agencies selected this category. The 3 that selected “No internal or external IT/Network Administrator” in question 4 also selected “No” for question 5. However, one agency that selected “Full-time external IT/Network Administrator” in question 4 also selected “No” for question 5. This illustrates that smaller agencies, while some
  • 53. having the ability to have network administration staff full-time as reflected in question 4, there are some that yet need to overcome obstacles which will be explained in question 6 (see Table E).

    Table D
    Agency anticipation of employing/contracting an IT/Network administrator who currently have none.

    | Size | Yes | No | % |
    |---|---|---|---|
    | Large | 0 | 0 | 0% |
    | Medium | 0 | 0 | 0% |
    | Small | 0 | 4 | 100% |
    | Totals (%) | 0% | 100% | |

    For survey question 6: If you answered "No" to either question 5, please explain the reason and/or obstacles of why your agency does not anticipate doing so? Table D shows that 4 Small agencies selected “No” and 4 Small agencies selected categories providing a reason for their answers in Table E. Cost was selected by 3 Small agencies and Upper Management had 1 selection. The “Other” category was selected by 2 Small agencies with the explanations of “I do it” and “we have a staff member currently enrolled in college to get his degree for our IT, as the County only has 2 full time IT but they are for the entire county and we have to wait on their availability. We have current State and Federal policies in place and try to stay in compliance with NENA/APCO standards”.
  • 54. Table E
    Reason or obstacles for not employing/contracting IT/Network administration if currently none

    | Size | Cost | Upper management | High turnover | Lack of qualified resources | Other | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 0 | 0 | 0 | 0% |
    | Medium | 0 | 0 | 0 | 0 | 0 | 0% |
    | Small | 3 | 1 | 0 | 0 | 2 | 100% |
    | Totals (%) | 75% | 25% | 0% | 0% | 50% | |

    Small agencies are the ones reporting obstacles when it comes to not employing or contracting IT/Network administration, which would affect their compliancy with the established security standards. With “Cost” receiving the majority of the obstacles, this could possibly be alleviated through future funding assistance, either by state or federal agencies, to allow them not to be at a disadvantage with the were not have to supply sufficient revenue for their budgets.

    Figure 8. Obstacles for not employing IT administration for small agencies.
  • 55. The survey question 7: What type of Information Technology (IT) descriptions and policies does your agency currently have in place? The selection of all, with the exception of “none apply”, would allow the agency to be compliant under the NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Table F breaks down the first six categories and Table G provides information for the last six of question 7. All but one agency had at least one category selected. The agency that did not select any category was one Small agency, making it a total of 55 responses for this question. Looking at both Table F and G, both the large agencies selected all but two categories, “Wireless Policy” and “Incident Response”. For the medium agencies, all selected “Acceptable Usage”, with many agencies in that category also selecting “Password Policy”, “Data Protection”, “Wireless Policy”, “Physical Security”, “Remote Access”, and “Access Control”. No Small agency had all policies selected, but many agencies selected “Acceptable Usage”, “Password Policy”, and “Physical Security”. Also, one of the large agencies selected every choice, including the “None apply” even when they selected all of the previous policies.

    Table F
    Type of IT descriptions and policies (first six categories)

    | Size | Acceptable Usage | Password Policy | Information Classification | Data Protection | Wireless Policy | Physical Security |
    |---|---|---|---|---|---|---|
    | Large | 2 | 2 | 2 | 2 | 1 | 2 |
    | Medium | 16 | 15 | 9 | 12 | 13 | 14 |
    | Small | 33 | 34 | 16 | 27 | 17 | 33 |
    | Totals (%) | 93% | 93% | 51% | 74% | 56% | 91% |
  • 56. Table G
    Type of IT descriptions and policies (last six categories)

    | Size | Remote Access | Access Control | System Control | System Patching | Incident Response | None Apply | *% |
    |---|---|---|---|---|---|---|---|
    | Large | 2 | 2 | 2 | 2 | 1 | 1 | 4% |
    | Medium | 13 | 10 | 9 | 8 | 9 | 0 | 29% |
    | Small | 16 | 22 | 6 | 9 | 23 | 1 | 67% |
    | Totals (%) | 54% | 63% | 31% | 33% | 62% | 3% | |

    * % both Table F and Table G

    Figure 9 illustrates all of the IT descriptions and policies from both Table F.1 and Table F.2 that were selected by Small agencies. The most selected was “Password Policy”. Following the most, in order, were “Acceptable Usage”, “Physical Security”, “Data Protection”, “Incident Response”, “Access Control”, “Wireless Policy”, “Information Classification”, “Remote Access”, “System Patching”, “System Control”, and last, with one agency selection, “None Apply”. If compared to the following figures that illustrate medium and large agency responses (figures 10 and 11), the greatest differences in IT policies are with system controls, system patching, remote access, information classification, and wireless policies. For small agencies, this lack of policies may be due to network administration staffing or even the capabilities of their current database networks, and they may not have those policies in place because they are not applicable to their network yet. However, once they are Next Generation 9-1-1 capable, all categories will need to be in place.
  • 57. Figure 9. IT descriptions and policies for small agencies.

    The medium agency selections are shown in Figure 11. The most selected category was “Acceptable Usage” and last was “System Patching”. None of the medium agencies selected “None Apply”. The medium agencies seem to be more in compliance with many of the policies. This may be due to more evolved database networks and staffing.

    Figure 10. IT descriptions and policies for medium agencies.
  • 58. The Large agency selections of IT descriptions and policies from both Table F.1 and Table F.2 are shown in Figure 12. Both Large agencies selected “Acceptable Usage”, “Password Policy”, “Information Classification”, “Data Protection”, “Physical Security”, “Remote Access”, “Access Control”, and “System Control”. However, one agency selected “Wireless Policy” and “Incident Response”. Also, as noted previously, one agency also selected “None Apply”. Surprisingly, incident response and wireless policies were not selected by one of the two large agencies. Many metropolitan public safety communications centers communicate with local databases, such as computer aided dispatch (CAD) or records management systems (RMS), wirelessly from laptops in vehicles and other mobile devices. It would also be thought that a large agency would have incident response policies in place in case a natural, terrorist, or technical disaster occurred.

    Figure 11. IT descriptions and policies for large agencies.

    The survey question 8: If your agency is Next Generation 9-1-1 capable and any of the following descriptions and policies listed in question 7 were not selected please select the reason(s) and/or obstacle(s). The data in Table G received 32 survey responses at least one of the
  • 59. selections regardless of all agencies reporting the highest 9-1-1 status/capability of Wireless Phase II. None of the 56 responding agencies reported having Next Generation 9-1-1 status/capabilities for question two of the survey. None of the large agencies made selections for question 8. However, 7 medium agencies and 25 small agencies made at least one selection, making over half (57%) of the 56 total responses to the survey. The two “Other” categories consisted of “IT department prefers to not to release information due to concerns over security” and “we are NG9-1-1 capable, but state law prohibits implementation”.

    Table H
    If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F and Table G

    | Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 0 | 0 | 0 | 0% |
    | Medium | 4 | 5 | 0 | 2 | 1 | 22% |
    | Small | 16 | 18 | 1 | 14 | 1 | 78% |
    | Totals (%) | 68% | 75% | 3% | 53% | 6% | |

    Even though none of the responding agencies were Next Generation 9-1-1 capable, the responses do shed light on current obstacles agencies face towards compliancy. Cost does reflect over half of the obstacles, but “Time” is selected as 75% of the overall reason and is the highest ranked obstacle in both medium and small agencies. This could indicate that agencies feel they are spread thin in keeping up with standards and evolving technology even if they have the staff and money.
  • 60. Figure 12. Obstacles for not having the descriptions/policies for small agencies.

    Figure 13. Obstacles for not having the descriptions/policies for medium agencies.

    For survey question 9: Select the following software your agency currently runs on all servers and end user computers? Anti-virus software and/or spyware detection software. All 56 agencies selected either one or both of the software selections. All agencies currently run Anti-virus software on all servers and end user computers. Only a few in both the medium and small
  • 61. agencies do not currently run Spyware detection software. Reasons were inquired in the following survey question (see Table I).

    Table I
    Virus and/or spyware detection software on all servers and end user computers

    | Size | Anti-virus | Spyware detection | % |
    |---|---|---|---|
    | Large | 2 | 2 | 3% |
    | Medium | 16 | 13 | 29% |
    | Small | 38 | 34 | 68% |
    | Totals (%) | 100% | 88% | |

    Figure 14. Virus and/or spyware detection software for small agencies.
  • 62. Figure 15. Virus and/or spyware detection software for medium agencies.

    Survey question 10 asked: If you did not select one or both of the choices in question 10, please advise the reason(s) and/or obstacle(s) your agency has for not running anti-virus and/or spyware detection software on all server and end user computers? Table J shows agency responses.

    Table J
    Reason and/or obstacles for agency not running anti-virus and/or spyware detection software

    | Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 0 | 0 | 0 | 0% |
    | Medium | 0 | 0 | 0 | 0 | 0 | 0% |
    | Small | 0 | 1 | 0 | 1 | 0 | 1% |
    | Totals (%) | 0% | 2% | 0% | 2% | 0% | |

    Only 1 small agency responded regarding a reason for not currently running a Spyware detection program (see Table J). The two reasons selected were “Time” and “Staff constraints”.
  • 63. Unlike previous obstacles for not complying with standards, this did not include “Cost”. However, while this may not be an initial cost concern, with time and staff constraints there may be indirect costs related to monitoring network traffic on a daily basis for smaller agencies, which would have to hire or contract services to fulfill this requirement.

    Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies.

    Question 11 asked: Does the agency have the following on file: current inventory, schematic, and audit documents? Both of the large agencies reported having all three items on file. The other size agencies responded with 15 medium and 36 small, making a total of 53 responses shown in Table J. Most medium agencies had a current network inventory and many had a current network schematic. Many small agencies reported having current network inventory and/or current network schematic. Both medium and small agencies had some current annual internal audits on file. Even though both large agencies reported having all the required IT documentation, medium and small agencies were not too far behind with network inventory and schematics.
  • 64. Table K
    Current inventory, schematic, and audit documents on file

    | Size | Network inventory | Network schematic | Annual internal audits | % |
    |---|---|---|---|---|
    | Large | 2 | 2 | 2 | 3% |
    | Medium | 15 | 13 | 9 | 28% |
    | Small | 21 | 17 | 9 | 67% |
    | Totals (%) | 71% | 60% | 38% | |

    Figure 17. Current IT documentation for small agencies.
  • 65. Figure 18. Current IT documentation for medium agencies.

    Figure 19. Current IT documentation for large agencies.

    For survey question 12: If you did not select any of the choices in question 11, please advise the reason(s) and/or obstacle(s). There were 15 responses, from both Medium (7) and Small (8) agencies. The two agency sizes responding selected “Cost”, “Time”, and/or “Staff constraints”. Again, though cost may not be a direct obstacle, with medium and small agencies
  • 66. reporting time and staff constraints, indirect cost could occur with hiring more staff to alleviate those obstacles.

    Table L
    Reasons or obstacles for not having network inventory, schematic, and/or audit documents

    | Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 0 | 0 | 0 | 0% |
    | Medium | 3 | 2 | 0 | 3 | 0 | 46% |
    | Small | 2 | 4 | 0 | 5 | 0 | 53% |
    | Totals (%) | 33% | 40% | 0% | 53% | 0% | |

    Figure 20. Obstacles for complete IT documentation for small agencies.
  • 67. Figure 21. Obstacles for complete IT documentation for medium agencies.

    The survey question 13: What type of security awareness training and education standards does your agency currently require? Almost all agencies responded to question 13, with a total of 54 responses. Most agencies reported having “Annual staff security training” and/or “current training/certification for IT administration”. A few Medium and Small agencies reported having “no staff training policy”.

    Table M
    Type of security awareness training and education standards currently in place

    | Size | Annual staff security training | Current training/certification for IT administration | No staff training policy | No training/certification for IT administration | % |
    |---|---|---|---|---|---|
    | Large | 1 | 2 | 0 | 0 | 6% |
    | Medium | 11 | 12 | 2 | 0 | 43% |
    | Small | 11 | 12 | 3 | 0 | 51% |
    | Total (%) | 41% | 46% | 10% | 0% | |
  • 68. Figure 22. Security awareness and training for small agencies.

    Figure 23. Security awareness and training for medium agencies.
  • 69. Figure 24. Security awareness and training for large agencies.

    The final survey question, 14: If you did not select any of the choices in question 13, please advise the reason(s) and/or obstacle(s). Ten agencies responded to question 14 with the majority of responses from the small (9) agencies. Most of the selections were from the “Time” and “Staff constraints” categories. The two “Other” explanations provided, both from two small agencies, were “IT Department prefers not to release information due to concerns over security” and “we have State and Federal forms and training to keep us in compliance”. The indirect cost of both time and staff constraints could still be an obstacle for small and medium agencies. In the case of the one response that state and federal forms and training keep the agency compliant, even if the training is free of charge, they still may have to apply overtime to cover shifts or staff shortage for employees to attend training and certification, as well as any travel cost that may be involved.
  • 70. Table N
    Reasons or obstacles for not having staff security training and/or current training/certification for IT administration

    | Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
    |---|---|---|---|---|---|---|
    | Large | 0 | 0 | 0 | 0 | 0 | 0% |
    | Medium | 0 | 1 | 0 | 1 | 0 | 10% |
    | Small | 3 | 6 | 0 | 4 | 2 | 90% |
    | Totals (%) | 30% | 70% | 0% | 50% | 20% | |

    Figure 25. Obstacles for security training and education for small agencies.
  • 71. Figure 26. Obstacles for security training and education for medium agencies.

    Conclusion

    The purpose of the research was to reveal compliance or non-compliance of public safety answering points (PSAPs) that are Next Generation 9-1-1 (NG9-1-1). Based on the survey, all PSAPs were compliant at the Wireless II stage. Additionally, based on the job titles, respondent agencies were primarily represented by management personnel who would be in a position to comment on plans, policies, and obstacles as requested by the survey. Another finding was that a high percentage of PSAPs had full time network support available. However, 12% had relied on part time support. From a security perspective this seems to be an important finding. The follow up question revealed there was no intent to hire and that expense was a key factor in that decision for small service areas. Although agencies generally had policies for acceptable usage and password protection, agencies were much less likely to have a wireless policy or an information classification policy. The data showed that 12% of the agencies did not have a spyware policy. Spyware can transmit and collect personal identifiable information and with 9-1-1 becoming Internet-based, the public’s privacy and safety could be compromised if spyware detection
  • 72. software is not only installed, but also monitored properly. Time constraints were also reported by small, 40%, and medium, 50%, agencies as obstacles for security training and education. Though sample responses did not report they were at NG9-1-1 status yet, agencies working towards compliance before rolling out NG9-1-1 technologies would strengthen the security of the transition of providing those technologies to the public they serve. This data shows a sample snapshot of that transition to compliance.
  • 73. CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

    The purpose of this thesis was to ascertain whether public safety answering points (PSAPs) have information security management standards in place prior to Next Generation 9-1-1 and reveal compliance or non-compliance with National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) for nationwide Next Generation 9-1-1 implementation. Although all were compliant to Wireless II, the category just below NG9-1-1, the clear answer to the primary research question is “no”. In the previous chapters, the researcher presented the current literature on information security management for Next Generation 9-1-1 and the results of a survey study from public safety answering points (PSAPs) utilizing the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC with reports of obstacles and reasons for certain areas of noncompliance. This chapter offers an answer to each research question, provides implications and contributions, and makes recommendations for future research in the field.

    Discussion of Research Findings

    The research questions presented in Chapter 1 asked:

    1. What are the Next Generation 9-1-1 information security management standards and policies?
    2. What percent of agencies have Next Generation 9-1-1 status?
    3. What percent of agencies are compliant or noncompliant?
    4. What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?
  • 74. In Chapter 2, the Next Generation 9-1-1 information security management compliance standards were discussed with a summary of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards. These standards provided the basic content for the survey.

    Question 1: What are the Next Generation 9-1-1 information security management standards and policies?

    The study found the Next Generation 9-1-1 information security management standards and policies were established through the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, and expected compliance effective immediately for any agency with Next Generation 9-1-1 status. The standards were presented and discussed in the Chapter 2 literature review.

    Question 2: What percent of agencies have Next Generation 9-1-1 status?

    The study found that the sample population was not Next Generation 9-1-1 yet. The literature review illustrated that for the past couple of years, some NG9-1-1 technologies were in the process and that agencies were to begin implementation.

    Question 3: What percent of agencies are compliant or noncompliant?

    The study found the criteria of compliance in the NG-SEC standards and the survey mirrored those criteria. Though agencies were not at Next Generation 9-1-1 status yet, and not explicitly required to comply with the NG-SEC standards, the results presented in Chapter 4 illustrate that some were either already compliant or were compliant in specific standard requirements. It also showed areas in which they were not and provided reasons for not meeting the standards.
  • 75. Question 4: What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?

    The study found that, in the areas in which agencies did not meet NG-SEC standards, cost, time, and staff constraints were the majority of reported obstacles.

    Overall, the information collected illustrated that agencies are still working on the Next Generation 9-1-1 implementation, with the majority not at compliant status with the current National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC. All agencies reported their current 9-1-1 status was Wireless Phase II and not Next Generation 9-1-1. As noted in Chapter 2, consumer technology and needs are outpacing 9-1-1 capabilities, and the sample illustrates that continued gap (Barbour, 2008). However, the data shows some are already meeting the standards or specific security standards before they have Next Generation 9-1-1 status. This is an encouraging sign of agencies beginning to think about and act upon security policies before compliance is absolutely required when they open up their 9-1-1 systems to IP-based communications.

    Table O shows the number of compliant and noncompliant agencies from each agency size. The highest responding agencies were small, but only two reported they were compliant. In the two other categories, 4 out of 16 total responses from medium-sized agencies and 1 out of 2 large agencies reported being compliant. It also provides the percentage by each size and from the overall sample response. Percentage-wise, both medium and large agencies reported more compliance. This could be due to agencies already having network administration security policies well established from years of computer-aided dispatch and records management database networks and having more financial and staffing resources than agencies covering less populated
  • 76. areas. Out of 56 agencies, 13% reported compliance. While it is a low percentage, again, this is before agencies report Next Generation 9-1-1 status. Of the 7 (13%) that reported compliance, Figure 27 shows the percentage that responded from each agency size. Here it can be seen that medium agencies (57%) account for the majority of the compliance responses. This could illustrate that medium agencies already have the funding, staff, and policies laid out from previous network administration standards, either self-imposed or state mandated, and they may be able to progress more quickly with Next Generation 9-1-1 security standards than the other populations, because the technology projects may not be as laborious or costly as for larger entities, yet they may have local revenue sources and staffing capabilities that smaller entities may not.

    Table O
    Agencies reporting compliance with NG-SEC

    Agency Size | Compliant | Noncompliant | % Compliant by Size
    Large       | 1         | 1            | 50%
    Medium      | 4         | 12           | 25%
    Small       | 2         | 36           | 5%
    Total %     | 13%       | 87%          |
  • 77. Figure 27. Reported NG-SEC compliance by agency size.

    In Chapter 2, the researcher illustrated the risk and attack exposures to which 9-1-1 entities become more vulnerable by transforming from a closed analog system to open Internet-Protocol based systems. According to the publication “Principles of Information Security: Principles and Practices”, some major categories of attacks are Military and Intelligence Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun” Attacks. There is also the continued threat of malware, as with any IP network. However, instead of only affecting a computer-aided dispatch software program that could quickly be exchanged with an internal closed legacy system or even a paper system for backup purposes, a 9-1-1 communications system would not be as easily replaceable or have much allowance for any downtime, even temporarily, due to a malware issue. Again, because of financial and staff resources, the burden could be greater for small agencies, which would be required to have interconnectivity and comply with security standards. Security is only as good as your weakest link.

    The sample of 225 agencies was stratified into three segments by agency size. The range of agencies within a group varied. Of the 225 agencies, the following number and percentages
  • 78. were represented in the three segments: small (125 agencies, 55%), medium (71 agencies, 32%), and large (29 agencies, 13%). Numerically, most of the agencies are smaller ones serving populations of less than 100,000. Funding for upgrading and maintaining the current 9-1-1 infrastructures could have a greater impact on smaller agencies, which may not have the financial resources. The availability of staff, in both time and number of employees, could also impact the smaller agencies more. Also, as indicated in Chapter 4, the large agencies had a low response rate (15%) of the large agency strata and 3% of the sample responses. This contrasted sharply with the small sample strata. In Chapter 2, it was pointed out that since public safety agencies are connected to extremely sensitive information such as criminal and medical records and filed or ongoing investigation reports, there is a tremendous need for confidentiality to protect data, citizens, and public safety officials. This can extend to providing security procedural information, regardless of anonymity, for a research study. Even though 9-1-1 is a public service, sharing information with anyone outside known and trusted entities may be approached with caution, resulting in few responses; this was a factor in the survey study.

    When considering just the large agencies, there was an interesting result on question 7. Only one selected all compliant standards and policies in the survey. However, on question 7, that agency, in addition to selecting all of the information technology (IT) descriptions and policies, also selected the last choice, “None apply, agency does not have IT descriptions and policies”. Perhaps the agency simply selected the last choice by mistake, but it could have been purposeful, to make all selections suspect. It is not possible to know for sure. As for the other agencies, 4 Medium agencies and 2 Small agencies showed compliance.

    In question 4 of the survey, all 56 respondents chose the category that best described their current information technology (IT) or Network Administration. The majority selected “Full-time
  • 79. internal” (60%) and the second most selected was “Full-time external” (28%), making full-time network administration coverage 88% for agencies. Of the 12% that do not have full-time network administration or have no current network administration, the majority are small agencies. As the Michigan Next Generation 9-1-1 Feasibility Study conducted by L.R. Kimball notes, “network management of an IP-based 9-1-1 network is crucial in providing the level of service expected by the residents of PSAPs” and these networks will require an uptime of 99.999% availability or better (Kimball, 2010). Figure 30 below shows the percentage of the agencies that reported part-time or no current network administration.

    Figure 28. Part-time or no current network administration by agency size.

    By the results, both large and medium size agencies have some type of internal or external IT/Network Administration, either part-time or full-time. A few small agencies (5%) still have no type of IT/Network Administration; however, of all three strata sizes, small agencies replied the most (86%) to either part-time or no current network administration. It could be concluded that small agencies are not able to have full-time network administration because of the lack of both financial and staff resources.
  • 80. Most reported obstacles for areas not in line with NG-SEC were costs, time, and staff constraints. Time and staff constraints could also be viewed as an indirect cost issue. Since it is unlikely that more demanding technology requirements would alleviate time and staff issues, more staff would need to be hired or services employed, which again amounts to cost. As discussed in Chapter 2, the New York state study involving Wireless Phase I and Wireless Phase II cellular 9-1-1 communications showed funding as the biggest hurdle for technological upgrades for their Enhanced Wireless technologies 9-1-1 project (Bailey & Scott, 2008). And with the United States still recovering from the 2008 economic crisis, cost factors heavily for public safety agencies, both in funding the initial transition of 9-1-1 technologies to Next Generation 9-1-1 and in the continued expenditure for maintenance and upgrading.

    In a 2009 article, Mary Rose Roberts discussed consolidation of Next Generation 9-1-1 enabled public safety answering points (PSAPs) and illustrated both economic and shared resource benefits. She explained that technology improvements are growing exponentially and, even though costs were lowering in the consumer markets, it still behooved agencies to share resources to save money, as well as to benefit from sharing intelligence. But it remains to be seen whether the cost of transitioning 9-1-1 systems and continued upgrades will be economically feasible for agencies, since each 9-1-1 entity's needs vary, as do their means of paying for all direct and indirect costs. Also, with sharing resources, agencies that have political differences may not find this alternative attractive, despite possible economic savings.

    In question 6 of the survey, information was collected on the obstacles or reasons for agencies not hiring network administration employees or services. The same four agencies that responded to question 6 selected three categories, which were “Cost” (75%), “Other” (50%), and “Upper Management” (25%). It is not surprising to see that “Cost” was selected the most.
  • 81. Small agencies may have a difficult time with financial resources for network administration services with smaller government budgets, and the survey responses show promise that small agencies are finding ways to provide this service. The “Other” category was selected twice and the explanations for each were “I do it” and “we have a staff member currently enrolled in college to get his degree for our IT, as the County only has 2 full time IT but they are for the entire county and we have to wait on their availability. We have current State and Federal policies in place and try to stay in compliance with NENA/APCO standards”. The agency that responded “I do it” also gave their role as 9-1-1 Manager/Upper Management. This illustrates that one person is fulfilling two roles, both 9-1-1 center manager and network administration services. It could also be categorized as another cost or staff issue due to having one person doing two separate job roles. This could be problematic since both roles can be full-time responsibilities for an agency. The second “Other” response shows the agency has a 9-1-1 staff member receiving technology education to remedy their issue of not having a dedicated 9-1-1 network administrator. This is a forward-thinking approach to the possible demands of network administration once Next Generation 9-1-1 is fully implemented. Figure 29 shows the percentages of small agency responses to the obstacles and/or reasons for not having full-time network administration on their systems.
  • 82. Figure 29. Obstacles for not having full-time network administration for small agencies.

    The information technology (IT) descriptions and policies questions generated a wide variety of responses. There were a few that selected all and a few who advised they currently do not have any IT policies. With the exception of “None apply”, the two categories selected the least were “System Control” (31%) and “System Patching” (33%). The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) defines System Control as controlling changes and status within the system, hardware, software, and backups (NENA, 2010, p. 46). NENA explains System Patching as updating operating systems, other software, or hardware devices to address critical security vulnerabilities (NENA, 2010, p. 46-47). All other categories had a response of 51% or higher. The top two categories selected were “Acceptable Usage” and “Password Policy” (both 93%). Not one category had all 56 agencies' responses. But the results did show that the 2 Large agencies selected almost all categories, compared to the Medium and Small agencies. The “Wireless Policy” and “Incident Response” category was the only one from a large agency that was not
  • 83. selected. Even though only two large agencies responded to the entire survey, it could be shown with further research that large agencies fulfill the IT descriptions and policies for NENA. However, again, another study with more or all public safety answering points (PSAPs) would need to be surveyed for further analysis.

    The next question asked, if an agency was Next Generation 9-1-1 capable and any of the descriptions and policies listed in question 7 were not selected, to select the reason(s) and/or obstacle(s). As the researcher already stated, all agencies advised in question 1 that their current highest/most advanced status/capability was Wireless Phase II. None selected Next Generation 9-1-1 status/capability. Yet in question 8, thirty-two agencies made one or more selections to report obstacles. The majority of those responding were small agencies (78%) and 22% were from medium agencies. None of the large agencies responded. It is unclear to the researcher why several of the agencies responded to this question when all had stated they were not Next Generation 9-1-1 status and did not have to respond at all. It brings another uncertainty about the accuracy of the respondents' answers within the survey, whether from not reading the questions completely, the questions not being worded properly, or not providing consistent information, either intentionally or unintentionally.

    Questions 9 and 10 requested information about detection software and obstacles if both were not currently used at the agency. All 56 agencies responded and selected that they were currently running anti-virus software on all servers and end user computers. Spyware detection software usage received an 88% response, with 81% of medium agencies and 90% of small agencies selecting the category, leaving only 10-20% not utilizing anti-spyware software. The obstacles and/or reasons stated were “Time” and “Staff Constraints”. Yet only one small agency responded to that particular question. The other six did not reply.
  • 84. A study by Ponemon Institute in 2009 presented a summary of information security assessments, from 754 corporate respondents, of network traffic for the presence of malware. The presence of active malware infections was shown to be 100%; Internet Relay Chat bots, 72%; network worms, 42%; generic malware, 81%; and information-stealing malware, 56%. Figure 32 shows the bar graph illustration of the study (Ponemon, 2009).

    Figure 30. Presence of malware in network traffic (Ponemon, 2009).

    Malware is a problem in corporate settings, as shown in the above figure; however, having 9-1-1 systems exposed to this type of malware problem can cause serious issues not only for the systems themselves but for public safety. The medium and small agencies that responded to not having either anti-virus and/or spyware detection already installed on their non-9-1-1 system networks are exposing their emergency networks to great risks. It can also be mentioned that even with anti-malware software installed, the risk is there, especially since the corporations involved in the Ponemon study were running anti-malware software on their systems.

    Another set of inquiries dealt with current network inventory, schematics, and audit documentation on file. A total of 53 agencies responded, with both Large agencies having all three documents on file. Network inventory documentation had the highest response (71%), with
  • 85. the second most reported being network schematic (60%), and the least selected, annual internal audit documentation (38%). The obstacles and reasons provided by Medium and Small agencies for not having one or more of the three categories of documentation were mostly “Staff constraints” (53%), “Time” (40%), and “Cost” (33%). With these responses, it could be concluded that agencies with a jurisdiction size under 500,000 have less staff to dedicate or funding to provide and keep these types of documents annually.

    The last two questions in the survey dealt with security training for both technical and non-technical staff. Question 13 inquired what type of security awareness training and education standards the agency currently requires, and question 14 requested reasons and/or obstacles if one or more of the categories in question 13 were not selected. None of the agencies selected “No training/certification for IT administration”. Only 10% (2 from Medium and 3 from Small agencies) selected “No staff training policy”. Many of the agencies responding reported that they conducted annual staff security training, that their network administration employees or contractors were current with annual training and certifications, or both.

    Limitations

    There are limitations to this thesis study. Some limitations have been presented in Chapter 1. One limitation of the thesis is that the study arrives at the genesis of Next Generation 9-1-1 standards and implementation, which limits the shared studies available on National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) or NG-SEC compliance. Another limitation is the number of Next Generation 9-1-1 status entities nationwide. Specific to information technology (IT) management, a limitation of the study is the wide scope of examining nationwide Next Generation 9-1-1 IT management. An additional limitation is the population sampled was only a
  • 86. small sample of the entire public safety answering points (PSAPs) in the nation. The number of responses was another limitation, and the feedback received for lack of survey participation was due to agencies not being familiar with the researcher or the school and not wanting to share information with non-government or outside sources. The survey dealt with compliance with NG-SEC standards and policies, and there is possible participant bias, with some respondents choosing more or all compliant selections.

    Implications and Contributions

    The thesis study focused on National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010). The overall responses resulted in some of the questions producing very straightforward selections and feedback. Others generated conflicting data. The most reported obstacles and/or reasons for not selecting a particular standard section were cost and time. With the current economy presenting financial constraints, employee cutbacks or hiring freezes, along with continued added responsibilities for 9-1-1 and information technology management placed on public safety communication agencies, the obstacles do not appear likely to be relieved anytime soon. This may perhaps be slowing the nationwide implementation of Next Generation 9-1-1 technologies in general and may prolong the full implementation for several more years than expected. In an announcement made in November 2011, the Federal Communications Commission identified seven states that diverted a portion of 9-1-1 fees for non-9-1-1 purposes in 2010. The report shows a decline from previous years and that in future the federal government will require states to collect even more detailed 9-1-1 collection fees in order to pay for Next Generation 9-1-1 technologies. Receiving accurate information will also help not only in transparency, but in making sure 9-1-1 entities that do not
  • 87. have the capability to keep up with technologies based on their fees collected may receive some assistance in order to provide the same 9-1-1 services throughout the nation.

    There is no specific public study at the time of this thesis examining compliance or non-compliance with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NG-SEC), and this research provides a study on this specific topic. The findings also present the obstacles explaining why agencies are not compliant with NG-SEC standards and policies. The results of the survey data analysis show some agencies are compliant and/or have some standards and policies already in place, despite having Wireless Phase II status and not Next Generation 9-1-1 status. The thesis study is a foundation for further research, either studying compliance and non-compliance for public safety communication agencies or examining more specific areas of compliance within each of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 standards.

    Recommendation for Future Research

    This thesis study focused on the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards compliance and non-compliance on a small scale, in which 225 public safety answering points (PSAPs) were contacted from a total of 6,130 primary and secondary PSAPs (NENA, 2011, October). A study that surveyed the entire public agency population and allowed a better comparison of large, medium, and small agencies would be beneficial. Also, as stated previously, future research could examine more specific areas of compliance within the NENA Security for Next-Generation 9-1-1 standards, such as national or regional physical security, acceptable usage, or incident response policies. Future studies could compare compliance between agency size segments, rural versus metropolitan entities, or regional sections within the United States (East, South, Midwest, Southwest, Pacific Northwest, West
  • 88. state regions). Another recommendation would be to examine survey styles that work best with government and/or public safety entities to allow a higher response rate. This study could also be repeated in a few years' time to see if any differences or changes have occurred.

    Conclusion

    Traditional 9-1-1 communications has continued to fall behind the needs of the consumers’ Internet and mobile lifestyle and the increasing disappearance of fixed-line communication (Luna, 2008). Next Generation 9-1-1 will replace the current analog 9-1-1 communications systems with Internet-Protocol or IP-based systems to allow 9-1-1 call takers to receive the same location and unit information as they do now with landline or fixed-line telephone systems, as well as communicate with citizens and emergency response units via text and mobile. Next Generation will also provide the capability to exchange photos and videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).

    This research examined the current information security management landscape of 9-1-1 public safety communication centers at the beginning stages of Next Generation 9-1-1, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems. The study utilized the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards for public safety communication information security management policy and procedure compliance examination. The researcher provided a literature review in Chapter 2 describing the evolution of 9-1-1, Next Generation 9-1-1 technologies, and National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards. In Chapter 3, the researcher provided a methodology for the survey study of compliance and presented the results in Chapter 4. Conclusions of the result findings were examined in Chapter 5, along with limitations and recommendations for further research.
  • 89. This thesis serves to add to a body of work specifically targeted at Next Generation 9-1-1’s information security management, both now and in the future.
  • 90. REFERENCES

    Arizona State University (2011, October 25). Debt crisis: Similarities, differences and lessons learned from the U.S. and Europe. Retrieved from http://knowledge.wpcarey.asu.edu/pdf.cfm?aid=1095

    Bailey, B., & Scott, J. (2008). The New York state wireless enhanced 911 project: lessons learned. Informally published manuscript, Department of Emergency Medicine, Upstate Medical University, Syracuse, New York.

    Barbour, J. (2008, March 1). What a 40 years it has been. Urgent Communications. Retrieved from http://urgentcomm.com/mag/radio_years/

    Breithaupt, J., & Merkow, M. (2006). Principles of information security: Principles and practices. Upper Saddle River, NJ: Pearson Education, Inc.

    Bruce, G., Newton, J., & Vaughan, E. (2011). Next generation networks for public safety: Build locally to achieve nationally. Digital Communities. Folsom, CA.

    Classroom Assessment. (2011). Reliability and validity. Retrieved from http://fcit.usf.edu/assessment/basic/basicc.html

    Collins, H. (2008, April 18). Virtualization raises new cyber-security questions for government. Government Technology. Retrieved from http://www.govtech.com/gt/381048

    Colorado State University (2012). Advantages and disadvantages of the survey method. Retrieved from http://writing.colostate.edu/guides/research/survey/com2d1.cfm

    DeLine, R., Ko, A., & Venolia, G. (2007). Information needs in collocated software development teams. Microsoft Research. Retrieved from http://faculty.washington.edu/ajko/talks/ICSE2007InformationNeeds.pdf

    Douglas, M. (2008, September 1). Not to worry. Urgent Communications. Retrieved from http://urgentcomm.com/psap/mag/radio_not_worry/

    Douglas, M. (2009, June 1). Route and roll. Urgent Communications. Retrieved from http://urgentcomm.com/networks_and_systems/mag/psap-ip-technology-progress-200906/

    Experiment-Resources (2011). Retrieved from http://www.experiment-resources.com/empirical-research.html

    Federal Communications Commission. (2008, September 17). FCC consumer advisory for VoIP and 911 services. Retrieved from http://www.fcc.gov/cgb/consumerfacts/voip911.html
  • 91. Federal Communications Commission (2011, November 8). FCC releases third annual report to congress on state collection and distribution of 911 and enhanced 911 fees and charges. Retrieved from http://transition.fcc.gov/Daily_Releases/Daily_Business/2011/db1108/DOC-310895A1.pdf

    Federal Information Processing Standards Publication. (1994, November 9). Guideline for the analysis of local area network security (FIPS PUB 191). Washington, DC: U.S. Government Printing Office.

    Gagner, Jr., R. P. (2005). Voice over internet protocol: Secure or not recommendations to the business and private sector. (Informally published by Department of Management Information Systems, Bowie State University, Bowie, Maryland.) Retrieved from http://74.125.155.132/scholar?q=cache:hVNP3pz7Y4AJ:scholar.google.com/+9-1-1+VoIP&hl=en

    Genachowski, J. (2011). Proceedings from 2011 APCO Conference August 20: Five step action plan to improve the deployment of next generation 9-1-1 (NG911). Philadelphia, PA. Retrieved from http://www.fcc.gov/document/fact-sheet-five-step-action-plan-improve-deployment-next-generation-9-1-1-ng911

    Hamilton, J. (2009, April 22). Florida county uses next-generation 911 system to enhance public safety. Emergency Management. Retrieved from http://www.emergencymgmt.com/safety/Florida-County-Uses-Next-Generation.html

    H.R. 3403. 110th Congress: NET 911 Improvement Act of 2008. (2007). In GovTrack.us (database of federal legislation). Retrieved November 17, 2011, from http://www.govtrack.us/congress/bill.xpd?bill=h110-3403

    International Organization for Standardization. (2005, October 15). Information technology-security techniques-information security management systems-requirements. (ISO/IEC 27001). Geneva, Switzerland. Retrieved from http://webstore.iec.ch/preview/info_isoiec27001%7Bed1.0%7Den.pdf

    Intelligent Transportation Systems. (2009). Next generation 9-1-1 (NG 9-1-1) system initiative: Proof of concept testing report. Retrieved from http://www.its.dot.gov/ng911/pubs/NG911_POC_TestReport_FINAL091708.htm

    Israel, G. (2009). Sampling issues: Nonresponse. University of Florida. Retrieved from http://edis.ifas.ufl.edu/pdffiles/PD/PD00800.pdf

    Kim, J. Y., Song, W., & Schulzrinne, H. (2006). An enhanced VoIP emergency services prototype. Retrieved from http://74.125.155.132/scholar?q=cache:-FXMTV-40UUJ:scholar.google.com/+9-1-1+VoIP&hl=en
  • 92. Kimball, L. (2010). Next generation 9-1-1 feasibility study. Retrieved from http://www.michigan.gov/documents/msp/Michigan_Next_Generation_9-1-1_Feasibility_Study_304211_7.pdf

    Kimball, L. (2011). The critical role of GIS in NG9-1-1. (White Paper CT.T79.2011-07.WP014) Retrieved from http://www.lrkimball.com/forms/download.aspx?d=CT&at=WP&an=The%20Critical%20Role%20of%20GIS%20in%20NG9-1-1&e=457&r=/index.aspx&n=&m=M14,&cg=62,

    Kotapati, K. (2008). Assessing security of mobile telecommunication networks. The Pennsylvania State University. ProQuest Dissertations and Theses. Retrieved from http://search.proquest.com/docview/807444193?accountid=38189

    Leedy, P. (2010). Practical research: planning and design. Upper Saddle River, NJ: Pearson Education, Inc.

    Lipowicz, A. (2009, August 11). Nextgen 911 shows versatility. Federal Computer Week. Retrieved from http://www.fcw.com/Articles/2009/08/11/Vendor-demonstration-NextGen-911-calls.aspx

    Lorino, P. (2008). Pragmatism-inspired methods for the study of complex situations: A dialogical and mediated inquiry approach. Retrieved from http://egosnet.org/jart/prj3/egosnet/data/uploads/OS_2008/W-102.doc

    Luna, L. (2008, August 1). Interlocking pieces. Urgent Communications. Retrieved from http://urgentcomm.com/mag/radio_interlocking_pieces/index.html

    Mannion, A. (2009, September 1). The next generation of 911. The American City & County 124(9), 14.

    Mary, R. R. (2010). Cyber breaches threaten next-gen 911. Fire Chief. Retrieved from http://search.proquest.com/docview/216135858?accountid=38189

    Moore, L. K. (2009, June 16). Emergency communications: The future of 911. Congressional Research Service. Retrieved from http://pdf.911dispatch.com.s3.amazonaws.com/crs_911_june2009.pdf

    National Emergency Number Association. (2011, November 12). NG 9-1-1 project: Overall NG9-1-1 status. Retrieved from http://www.nena.org/?page=NG911_OverallStatus

    National Emergency Number Association. (2010, February 6). Nena security for next-generation 9-1-1 standards. Retrieved from http://www.nena.org/standard/NG9-1-1_Security
  • 93. National Emergency Number Association. (2011, February 24). Nena ng9-1-1 transition plan considerations. Retrieved from http://www.nena.org/?page=NG911_TransPlanning

    National Emergency Number Association (2011, November 12). 9-1-1 statistics. Retrieved from http://www.nena.org/?page=911Statistics

    National Institute of Standards and Technology. (2003). Building an information technology security awareness and training program (NIST SP-800-50). Washington, DC: U.S. Government Printing Office.

    National Institute of Standards and Technology. (2005). Security considerations for voice over IP systems (NIST SP 800-58). Washington, DC: U.S. Government Printing Office.

    Oscarson, P. (2007). Actual and perceived information systems security. (Doctoral dissertation). Retrieved from http://sh.diva-portal.org/smash/get/diva2:16984/FULLTEXT01

    Parker, S., & Wisely, S. (2009). Guide to information sharing and data interoperability for local communication centers. Proceedings of the Apco international 75th annual conference (pp. 1-45). Washington, DC.

    Peerbolte, S. (2010). A quantitative study of critical thinking skills amongst local emergency managers. Retrieved from ProQuest Digital Dissertations http://search.proquest.com/docview/305222946?accountid=38189

    Ponemon Institute. (2009). Anatomy of data-stealing malware: a study of enterprise security & it security practitioners. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_data-stealing-malware.pdf

    Roberts, M. R. (2009, March 1). Under one roof. Urgent Communications. Retrieved from http://urgentcomm.com/policy_and_law/mag/economy-drive-psap-consolidation-0301/index.html

    Salkind, N. (2010). Statistics for people who (think they) hate statistics: Excel 2007 edition. Thousand Oaks, CA: SAGE Publications, Inc.

    StatPac. (2011). Survey design, hosting, & analysis. Retrieved from http://www.statpac.com/tab-house.htm

    Strebe, M. (2004). Network security foundations: Technology fundamentals for it success. Alameda, CA: Sybex.

    TechSoup.org. (2011, January 19). Virtualization 101. Retrieved from http://www.techsoup.org/learningcenter/software/page4826.cfm
  • 94. Tejay, G. (2008). Shaping strategic information systems security initiatives in organizations. (Doctoral dissertation). Virginia Commonwealth University. Richmond.

The National E9-1-1 Implementation Coordination Office. (2009). A national plan for migrating to IP-enabled 9-1-1 systems. Washington, DC: Government Printing Office. Retrieved from www.911.gov/pdf/National_NG911_Migration_Plan_FINAL.pdf

United States Census (2010). Retrieved from http://2010.census.gov/2010census/

Whittington, C. (2009, June 1). Money well spent. Urgent Communications. Retrieved from http://urgentcomm.com/networks_and_systems/commentary/ng-911-training-200906/

Yin, R. K. (1984). Case study research: Design and methods. Beverly Hills, CA: Sage Publications.

Zainal, Z. (2007). Case study as a research method. Retrieved from http://eprints.utm.my/8221/1/ZZainal2007-Case_study_as_a_Research.pdf.
  • 95. APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION SECURITY MANAGEMENT SURVEY

1. What is the population range of your agency's jurisdiction? (Select ONE):
[ ] 1-99,999
[ ] 100,000-499,999
[ ] 500,000 or greater

2. What is your agency's current 9-1-1 status/capability? (Select ONLY the highest/most advanced that applies to your agency):
[ ] Basic 9-1-1
[ ] Enhanced 9-1-1
[ ] Wireless Phase I
[ ] Wireless Phase II
[ ] Next Generation 9-1-1

3. Which BEST describes your main job title/role at your agency? (Select ONE):
[ ] 9-1-1 Supervisor (middle management)
[ ] 9-1-1 Manager (upper management)
[ ] 9-1-1 IT/Network Administrator (technical management)
[ ] Other, explain

4. What BEST describes your current IT/Network Administration at your agency? (Select ONE):
[ ] No internal or external IT/Network Administrator
[ ] Agency has a part-time (non-24/7/365) internal IT/Network Administrator
[ ] Agency has a full-time (24/7/365) internal IT/Network Administrator
  • 96. [ ] Agency has a part-time (non-24/7/365) external IT/Network Administrator
[ ] Agency has a full-time (24/7/365) external IT/Network Administrator

5. If your agency has "No internal or external IT/Network Administrator" does your agency anticipate in employing or contracting an IT/Network Administrator?
[ ] Yes
[ ] No

6. If you answered "No" to either question 5, please explain the reason and/or obstacles of why your agency does not anticipate doing so?
[ ] Cost
[ ] Upper management
[ ] High turnover
[ ] Lack of qualified resources
[ ] Other, explain

7. What type of Information Technology (IT) descriptions and policies does your agency currently have in place? (Select ALL that apply):
[ ] Acceptable Usage Policy
[ ] Password Policy
[ ] Information Classification Policy
[ ] Data Protection Policy
[ ] Wireless Policy
[ ] Physical Security Policy
[ ] Remote Access Policy
[ ] Access Control/Least Privilege Policy
  • 97. [ ] System Change Policy
[ ] System Patching Policy
[ ] Incident Response Policy
[ ] None apply, agency does not have IT descriptions and policies

8. If your agency is Next Generation 9-1-1 capable and any of the following descriptions and policies listed in question 7 were not selected please select the reason(s) and/or obstacle(s). (Select ALL that apply):
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain

9. Select the following software your agency currently runs on all servers and end user computers?
[ ] Anti-virus software
[ ] Spyware detection software

10. If you did not select one or both of the choices in question 10, please advise the reason(s) and/or obstacle(s) your agency has for not running anti-virus and/or spyware detection software on all server and end user computers?
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
  • 98. [ ] Other, explain

11. Does the agency have the following on file (Select ALL that apply):
[ ] Current network inventory
[ ] Current network schematic
[ ] Current annual internal network audits

12. If you did not select any of the choices in question 11, please advise the reason(s) and/or obstacle(s). (Select ALL that apply):
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain

13. What type of security awareness training and education standards does your agency currently require? (Select ALL that apply):
[ ] Employees engage in annual security awareness training
[ ] Employees or contracted individuals responsible for system and security administration receive current security training and certification on their assigned system(s)
[ ] Agency does not have a security awareness training policy for employees
[ ] Agency does not have a security training and certification for employees or contracted individuals responsible for assigned systems.

14. If you did not select any of the choices in question 13, please advise the reason(s) and/or obstacle(s). (Select ALL that apply):
  • 99. [ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain
  • 100. APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTERS

Principal Investigator Natalie Yardley

PARTICIPANT INFORMED CONSENT

October 2011

Please read the following material that explains this research study. Completing this survey form will indicate that you have been informed about the study and that you want to participate. We want you to understand what you are being asked to do and what risks and benefits—if any—are associated with the study. This should help you decide whether or not you want to participate in the study.

You are being asked to take part in a research project conducted by Natalie Yardley, a graduate student in the University of Advancing Technology program of Information Assurance. This project is being done under the direction of Dr. Robert Morse, Program of Thesis Studies. Natalie Yardley can be reached at 913-426-5328 or natyardl@uat.edu.

Project Description:

This research study is about examining information security management in public safety centers. The survey will collect information from 9-1-1 center managers in the United States about the current information security management landscape for public safety answering points (PSAPs). The researcher will analyze the answers provided with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards. The information gathered will provide valuable data about the current information security management posture for 9-1-1 centers at the dawn of a nationwide Next-Generation 9-1-1 implementation.

You are being asked to be in this study because of your leadership and management position at your agency. Your name and contact information were collected through your local Association of Public-Safety Communication Officials (APCO) chapter public website. It is entirely your choice whether or not to participate in this study. The benefit of your answers will provide vital information to the research.

If you agree to take part in this study, you will be asked to click the SurveyMonkey.com link provided in the email and answer a set of 10 questions. The questions will consist of either multiple choice or Yes or No answers. You will be required to answer all of the 10 questions to complete the survey. Once you have answered all questions, click the Done button at the bottom to submit your survey answers.
  • 101. Participating should take approximately 10 minutes of your time. You will be asked questions about your agency's 9-1-1 status/capabilities (e.g. Basic 9-1-1, Enhanced 9-1-1, Wireless Phase I) and if you have a designated IT/Network Administrator. The survey will ask if your agency has a written network security policy, computer security education training for employees, runs anti-virus and spyware software, conducts network backups, and has a disaster plan.

The answers you provide will be collected anonymously through SurveyMonkey.com and will not be associated with your agency or your name. The answers collected from the survey will be used for the purpose of the study described in the Project Description.

Questions?

If you have any questions regarding your participation in this research, you should ask the investigator before completing the survey. If you should have questions or concerns during or after your participation, please contact Natalie Yardley at 913-426-5328 or natyardl@uat.edu.

Authorization:

I have read this project description about the study or it was read to me. I know that being in this study is voluntary. I choose to be in this study. I know that I can withdraw at any time.

Thank you very much for consideration and participation. It is greatly appreciated.