1.
Issues and Challenges Facing
Municipalities in Data Security
Owen Key
Chief Security Officer
City of Calgary

2.
Oct 27, 2016 Cyber Summit 2016 2
City of Calgary - Corporate Security
Protection of assets
Assist other City of Calgary Business Units in providing public safety
initiatives
Promote organizational resilience through collaborative partnerships
which enable and enhance services provided by The City
Approach is to develop and implement innovative approaches in all
areas of security and risk management.

3.
Oct 27, 2016 Cyber Summit 2016 3
Corporate
Security
Physical
Security
Technical
Operations
Information
Security
Security
Advisory
Investigations

4.
§ City of Calgary has over 500 lines of
business and provides services that
range from recreation to transit to
police
§ Complex environment with numerous
touch points, integration with
business partners and third party or
arms length organizations
§ All services are dependant on IT
infrastructure being highly available
§ Duty to safeguard critical
infrastructure to ensure City services
continue
Oct 27, 2016 Cyber Summit 2016 4
City at a Glance

5.
Stakeholders
11/1/16 Data Breaches: Causes, Prevention and Containment 5
Calgary
CITIZENS
MAYOR AND
COUNCIL
CITY
MANAGER
AND SENIOR
LEADERSHIP
PARTNER
ORGANIZATION
S
DEPARTMENTS
AND BUSINESS
UNITS
CITY AUDITOR

6.
Integration
Oct 27, 2016 Cyber Summit 2016 6

7.
Oct 27, 2016 Cyber Summit 2016 7
• Speed and rate of data creation is
increasing rapidlyData Velocity
• City has multiple discreet data sets in
both structured and unstructured
storage
Data Variety
• Volume of information is explodingData Volume

8.
Risk Based Approach to Security
11/1/16 Presentation 8
Risk Evaluation
Risk
Response
Risk
Governance

9.
Moving Forward – Laying the Foundations
20/09/2016 Data Breaches: Causes, Prevention and Containment 9
Building up the physical and operational security
showed the value of investing in security
Next layer was to build
a fully integrated
security program
which included cyber
and information
security

10.
Implementation – Driving Factors
11/1/16 Presentation 10
Increasingly mobile workforce
Increasing security awareness in key
decision makers
Lack of visibility into our systems
Risk Based approach to business
comes into play
Increasingly interconnected
Increasing public awareness of
Cyber incidents
Increase in Cyber incidents
Calgary experiences large natural
Disaster
Internal Factors External Factors
Need for
Cyber
Security
Program

11.
Security through Design
Oct 27, 2016 Cyber Summit 2016 11
§ Increased investment in information security
tools have provided additional layers of defense
to reduce risk
§ Building security into project design and
ensuring safe integration is key to protect data
and infrastructure
§ Investment in enterprise solutions to provide
additional alerting, reporting and security
protection

12.
Connected Devices
Oct 27, 2016
Cyber Summit 2016 12

13.
City of Calgary - CCTV at a Glance
Oct 27, 2016 Cyber Summit 2016 13
Ø The City of Calgary through Corporate Security,
Calgary Transit, Roads and Calgary Parking Authority
has deployed approximately 3,000 cameras.
Ø Cameras are deployed based on what’s required to
ensure the safety and security of the public,
employees, information, sites and assets.
Ø Regular risk assessments and security audits are
completed on all existing and new City of Calgary
facilities

14.
Oct 27, 2016 Cyber Summit 2016 14
CS
Secure
Storage
Analytics
Calgary
Data
City Network Infrastructure
Corporate Security CCTV Network
DATA
EXCHANGE
RECORDED
VIDEO
City
Business
Units
LIVE
VIDEO
DATA
EXCHANGE

15.
Camera’s as a Sensor
Oct 27, 2016 Cyber Summit 2016 15
§ Cameras are primarily used by The City as
a sensor. They collect video images and
meta data which can be used to enhance
the ability of the recipient to provide
effective assessment and response.
§ The use of a single or limited number of
devices to capture varying data streams
useful to more than one user
§ Sensors as a Service and Common Mode Cameras together allow for
ability to tie in additional data capture points.

16.
Freedom of Information
Oct 27, 2016 Cyber Summit 2016 16
Ø “Personal Information” is defined in section 1(n) of the FOIP Act as
recorded information about an identifiable individual, including: the
individual’s race, colour, national or ethnic origin; the individual’s age or
sex; the individual’s inheritable characteristics; information about an
individual’s physical or mental disability; and any other identifiable
characteristics listed in that section.
Ø “Surveillance System” refers to a mechanical or electronic system or
device that enables continuous or periodic video recording, observing or
monitoring of personal information about individuals in open, public
spaces (including streets, highways, parks), public buildings (including
provincial and local government buildings, libraries, health care facilities,
public housing and educational institutions) or public transportation,
including school and municipal transit buses or other similar vehicles.

17.
§ Authority to use CCTV is granted under
S. 33 of the Freedom of Information and
Protection of Privacy Act
§ Careful consideration is always given to
balance both the privacy of individuals
and ensure personal and public safety
§ Corporate Security continue to meet the
requirements for collecting video under
the Freedom of Information & Protection
of Privacy Act. This includes, providing
a business case for gathering video,
alerting citizens that they are being
recorded and protecting the video.
Oct 27, 2016 Cyber Summit 2016 17
Authority to Collect

18.
Monitoring
Oct 27, 2016 Cyber Summit 2016 18
§ Corporate Security utilizes an
enterprise video management system
to monitor cameras from its Integrated
Security Centre.
§ System provides efficiencies and
effectiveness in monitoring and
response.
§ Reduces the number of ad-hoc
standalone systems that require
manual and onsite review.
§ In order to remotely monitor cameras via the network, streaming is
performed at a lower frame rate and definition than what is recorded at
the edge level.

19.
Security of Data
Oct 27, 2016 Cyber Summit 2016 19
§ City of Calgary Corporate Security
employees are the only persons to have
administrative rights to the DVRs and
NVRs and are responsible for providing
DVDs (read only media and watermarked)
to the Law Department or Calgary Police
Service as directed.
§ Information is stored at the location of the
NVR and is under lock and key.
§ Information is only collected if movement
is detected within the area (incident
based).
§ Audit Logs

20.
Storage and Retention of Video
Oct 27, 2016 Cyber Summit 2016 20
§ Data retention policies are crucial for managing the increase in storage
cost/ Requirements.
§ City retention policy for all video is 14 days or 31 days
§ Storage surplus required for proper function and allowance for
“protecting” video for investigative purposes (25% or more is ideal).
§ Most City of Calgary sites use distributed, edge level recording
1. Bandwidth – The required bandwidth for recording high quality imagery either
exceeds the limitations of the network in remote locations or seriously affects quality
of service for users at the remote site.
2. Autonomy– In the event of failure of the network, edge level recorders continue to
record.

21.
Oct 27, 2016 Cyber Summit 2016 21
Calgary Recreation (Facility Security)
Roads Department
(Traffic Monitoring)
Calgary Parking Authority (parking usage)
Calgary Transit
(BRT, bus performance)
Calgary Police Service
(LPR, incident investigation)
Water
(flood, water level monitoring)
Internal Clients External Clients
Roads Department
(Traffic Monitoring)
University of Calgary
(Utilizes traffic data for research projects)

22.
Data aggregation and correlation
Oct 27, 2016 Cyber Summit 2016 22
Sensor
Data
• Water Sensors
• CCTV
• Traffic sensors
• Access control
• Public/ smart lighting
• WiFi
• Geolocation data
• Traffic control/
intersection camera
feeds
Service
Based Data
• Transactional Data
(PoS)
• Registration/ facility
use
• Land use
• Tax Information
• Permit and
Development
• Parking

23.
Striking the Balance
11/1/16 Presentation 23
Openness Protection
Secure personal
and critical data
Large public facing
presence
Must Remain
Operational
Accessible
Information
Routine Disclosure
Obligations
Open Data
Initiatives

24.
Oct 27, 2016
Presentation
24
Security
Privacy

25.
Oct 27, 2016 Cyber Summit 2016 25
Questions