next generation 9-1-1: examination of information security management in public safety...
DESCRIPTION
Master's Thesis project. This research examines the current information security management landscape of 9-1-1 public safety communication centers at the beginning of nationwide Next Generation 9-1-1, initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet Protocol (IP) communication systems. The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey evaluating 9-1-1 agency information security and technology management. Also, a literature review of the implementation and management of Internet Protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determine current 9-1-1 agency status in terms of compliance or noncompliance with the standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and that potentially serious barriers related to funding exist.
TRANSCRIPT
NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY
MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS
by
Natalie J. Yardley
A Thesis Presented in Partial Fulfillment
of the Requirements for the Degree
Master of Science
University of Advancing Technology
March 2012
NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY
MANAGEMENT IN PUBLIC SAFETY COMMUNICATION CENTERS
by
Natalie J. Yardley
has been approved
March 2012
APPROVED:
ROBERT MORSE, Ph.D, Chair
GREG MILES, Ph.D, Advisor
AL KELLY, Advisor
Abstract
This research examines the current information security management landscape of 9-1-1 public
safety communication centers at the beginning of nationwide Next Generation 9-1-1, initiated
through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is
the implementation of switching analog communication systems to Internet Protocol (IP)
communication systems. The study draws upon the National Emergency Number Association
Next Generation 9-1-1 security standards for a compliance survey evaluating 9-1-1 agency
information security and technology management. Also, a literature review of the implementation
and management of Internet Protocol 9-1-1 communication technology and services will be
presented. As well as providing the security standards, the study will determine current 9-1-1
agency status in terms of compliance or noncompliance with the standards, as well as obstacles
and challenges agencies face in achieving compliance. The primary finding was that no public
safety answering point (PSAP) reported compliance and that potentially serious barriers related
to funding exist.
Dedication
I would like to dedicate my thesis work to all the very dedicated 9-1-1 professionals, especially
from Atchison County Communications Center, Atchison, Kansas.
Acknowledgments
I would like to thank my Thesis Committee, particularly my Chair, Dr. Morse, for continued
guidance during the graduate thesis process. Also I want to give many thanks to my family, for
their patience with my writing, reading, and proofing marathon sessions behind closed doors.
Table of Contents
Acknowledgments
List of Tables
List of Figures
CHAPTER 1. INTRODUCTION
Introduction to the Problem
Background of the Study
Statement of the Problem
Purpose of the Study
Research Questions
Significance of the Study
Definition of Terms
Assumptions and Limitations
Nature of the Study
Organization of the Remainder of the Study
CHAPTER 2. LITERATURE REVIEW
CHAPTER 3. METHODOLOGY
Research Design
Sample
Setting
Instrumentation / Measures
Data Collection
Data Analysis
Validity and Reliability
Ethical Considerations
CHAPTER 4. RESULTS
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS
REFERENCES
APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION SECURITY MANAGEMENT SURVEY
APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTER PARTICIPANT INFORMED CONSENT
List of Tables
Table A. Current agency 9-1-1 status/capability
Table B. Job title/role at agency
Table C. Current agency IT/Network administration description
Table D. Agency anticipation of employing/contracting an IT/Network administrator who currently have none
Table E. Reason or obstacles for not employing/contracting IT/Network administration if currently none
Table F. Type of IT descriptions and policies (first six categories)
Table G. Type of IT descriptions and policies (last six categories)
Table H. If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F.1 and Table F.2
Table I. Virus and/or spyware detection software on all servers and end user computers
Table J. Reason and/or obstacles for agency not running anti-virus and/or spyware detection software
Table K. Current inventory, schematic, and audit documents on file
Table L. Reasons or obstacles for not having network inventory, schematic, and/or audit documents
Table M. Type of security awareness training and education standards currently in place
Table N. Reasons or obstacles for not having staff security training and/or current training/certification for IT administration
Table O. Agencies reporting compliance with NG-SEC
List of Figures
Figure 1. The population range of the agency's jurisdiction.
Figure 2. Current agency 9-1-1 status/capability.
Figure 3. Job title/role for small agencies.
Figure 4. Job title/role for medium agencies.
Figure 5. Job title/role for large agencies.
Figure 6. IT/Network Administration for small agencies.
Figure 7. IT/Network Administration for medium agencies.
Figure 8. Obstacles for not employing IT administration for small agencies.
Figure 9. IT descriptions and policies for small agencies.
Figure 10. IT descriptions and policies for medium agencies.
Figure 11. IT descriptions and policies for large agencies.
Figure 12. Obstacles for not having the descriptions/policies for small agencies.
Figure 13. Obstacles for not having the descriptions/policies for small agencies.
Figure 14. Virus and/or spyware detection software for small agencies.
Figure 15. Virus and/or spyware detection software for medium agencies.
Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies.
Figure 17. Current IT documentation for small agencies.
Figure 18. Current IT documentation for medium agencies.
Figure 19. Current IT documentation for large agencies.
Figure 20. Obstacles for complete IT documentation for small agencies.
Figure 21. Obstacles for complete IT documentation for medium agencies.
Figure 22. Security awareness and training for small agencies.
Figure 23. Security awareness and training for medium agencies.
Figure 24. Security awareness and training for large agencies.
Figure 25. Obstacles for security training and education for small agencies.
Figure 26. Obstacles for security training and education for medium agencies.
Figure 27. Reported NG-SEC compliance by agency size.
Figure 28. Part-time or no current network administration by agency size.
Figure 29. Obstacles for not having full-time network administration for small agencies.
Figure 30. Presence of malware in network traffic (Ponemon, 2009).
CHAPTER 1. INTRODUCTION
Introduction to the Problem
Technology has expanded the way society communicates, particularly in the last few
decades (Barbour, 2008). Today, cell phones are prevalent and have expanded the tools available
for individuals to get help from public safety agencies. In addition to voice communications over
the telephone wires, individuals can easily conduct voice and video conversations using
computers on either wired or wireless Internet networks. People can instantly send and receive
text, photos, and video from their cell phones. With the additional communication options
available to the public, the technical capabilities of 9-1-1 public safety communications need to
expand.
Society’s expectations of what the 9-1-1 systems should be able to handle and the reality are
wide apart. One example is the Virginia Tech shooting in April 2007, when students
attempted to send text messages to 9-1-1, unaware that the call center was not equipped to
receive such communications (Luna, 2008). Many hearing-impaired callers rely on newer modes
of communication available on smartphone devices, yet cannot use them during an
emergency to contact a 9-1-1 system that is analog based (Kimball, 2010).
Another example of the need to upgrade capability to meet expectations is the fact that legacy
9-1-1 equipment is unable to provide accurate location services. Of course, that service is now
widely available, and many mobile and social networking services currently provide it, according
to the National E9-1-1 Implementation Coordination Office (2009). Due to this wide gap of
expectation versus capability, the need for public safety communications to upgrade to match
consumer technology advancements is vital if the system is to continue to keep citizens safe.
In July 2008, H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008
(also known as the NET 911 Improvement Act of 2008) was signed into law to promote and
enhance public safety by facilitating the rapid deployment of IP-enabled 911 and E-911 services,
and encouraging the nation’s transition to a national IP-enabled (Internet Protocol) emergency
network, and improve 911 and E-911 access to those with disabilities. The initiative of
advancing 9-1-1 systems to IP technologies nationwide is known as Next Generation 9-1-1 (or
NG9-1-1). Currently, there is no definite date of completion for nationwide NG9-1-1. Also,
public safety organizations are independently planning and implementing NG9-1-1 technologies
(Kimball, 2011). Because of the vast technological changes and the requirement for nationwide
standards, this lack of a definite schedule and of coordinated planning raises concern about the
way IP-based 9-1-1 systems are managed to maintain their security and integrity, which is itself
evolving as the closed analog system is converted to a connected Internet system (NENA, 2011).
Given the size and scope of the project, there is a need to monitor compliance capability.
Background of the Study
In the United States, the current 9-1-1 system is going through a transformation from
analog based systems to IP-based (Internet Protocol) systems (NENA, 2011). The analog 9-1-1
systems are not compatible with most of the current consumer technologies and converting to
digital systems will allow the variety of available consumer communication devices to work
within public safety systems. Next Generation 9-1-1 will allow for IP-based communication
technologies to be used, such as text messages, voice, photos, and videos over secured Internet
points. Prior to the introduction of Next Generation 9-1-1, public safety communication systems
were not connected to other networks, which provided stronger security barriers from attacks.
With Next Generation 9-1-1, the barriers are significantly decreased through the Internet
Protocol connections, making 9-1-1 a potentially appealing and vulnerable target. Thus,
information security management standards were established in February 2010 by the National
Emergency Number Association in order to address the technological changes of 9-1-1
communications. The National Emergency Number Association (NENA) Security for
Next-Generation 9-1-1 Standards (NENA, 2010) was established, and all Next Generation 9-1-1
status agencies are to comply with the standards immediately (NENA, 2010, p. 8). Therefore, the
relevance of this research is to establish the progress towards achieving this requirement. In
general, potential reasons for noncompliance can range from high costs and privacy issues to
business disruption, even though noncompliance may bring penalties and legal issues and affect
national security and the welfare and safety of citizens. For public safety communications, it is
critical for agencies to be and remain compliant to keep communication services available and
safeguard lives and information.
Statement of the Problem
The problem that will be explored in this study is the level of compliance or non-
compliance with information security management standards in the public safety
communications environment.
Purpose of the Study
The purpose of the thesis study is to ascertain if public safety answering points (PSAPs)
have information security management standards in place that reveal compliance or non-
compliance with National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards (NENA, 2010) prior to nationwide Next Generation 9-1-1
implementation and to identify any needed next steps to reach compliance.
Research Questions
1. What are the Next Generation 9-1-1 information security management standards and
policies?
2. What percentage of agencies have Next Generation 9-1-1 status?
3. What percentage of agencies are compliant or noncompliant?
4. What are the obstacles and/or challenges for public safety answering points (PSAPs)
that are not compliant with public safety communication information security
standards?
Significance of the Study
Every project must be planned and, where possible, kept on schedule. 9-1-1 is a vital
societal system. The National Emergency Number Association (NENA) estimated in October
2011 that 240 million calls were made to 9-1-1 in the United States annually (NENA, 2011,
sec. 2, para. 1). Of those annual calls, at least one-third are wireless, and it is estimated that
26.6% of all United States households currently rely on wireless communication as their primary
service (NENA, 2011, sec. 8). NENA has provided the national security standards and best
practices for public safety answering points with the National Emergency Number Association
(NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). The next step
in the project is to implement those standards so that public safety communications adapt to
advancing technology and consumer needs without compromising security. But projects do not
guide themselves. To meet the need for nationwide security standards compliance, managers need
up-to-date data regularly available. The study of compliance is significant in providing updated
data on security readiness as public safety communication agencies move forward with Next
Generation 9-1-1, making the transition from closed to open systems while continuing to
provide the emergency services required for citizens.
Definition of Terms
Next Generation 9-1-1. Next Generation 9-1-1 is an Internet Protocol (IP) based system that will
allow 9-1-1 public safety entities to receive and send such communications as text
messages, video, photos, and voice through secured Internet points on 9-1-1
communication systems (NENA, 2011).
Public Safety Answering Points (PSAPs). Public Safety Answering Points are 9-1-1 emergency
call centers that are staffed with trained 9-1-1 operators that receive emergency telephone
communications for law enforcement, fire, ambulance, and/or rescue services (NENA,
2011).
Data Transience. The explanation that data can be ever changing and provide a momentary
snapshot of what may be true at one point in time but not necessarily true the next time
data is collected.
Assumptions and Limitations
The research is a "naturalistic" or applied study. There are assumptions surrounding the
questioning technique used in the sample. It was assumed the responders had an appropriate
level of knowledge due to being designated as contact points within their organizations. The
questioning utilizes vocabulary presented in the National Emergency Number Association
(NENA) Security for Next Generation 9-1-1 standards or NG-SEC, which the sample should
understand. The questioning links sufficiently to the participant’s experience, again due to
utilizing the national standards that were created by 9-1-1 leaders (NENA, 2010). The researcher
also assumed that each participant would answer willingly and truthfully since the study did not
publish names of contacts or agencies, assuring confidentiality of any information shared.
Limitations of the thesis are practical ones, such as researcher experience, the time limit of the
study, and university rules.
Nature of the Study
It is vital that Next Generation 9-1-1 technologies are both implemented and accessible
nationally to ensure that the growing demands of consumer technology and consumer mobility
for emergency services are met. However, it is also essential for public safety answering points
(PSAPs) to be in compliance with security standards because of the openness of the evolving
technology. The study revolves around the security standards and data collected from agencies.
The thesis is an empirical study. Empirical research can be defined as research based on
experimentation, observation, or experience (Classroom Assessment, 2011). Leedy (2010) points
out “the significance of data depends on how the researcher extracts meaning…” and “underlying
and unifying any research project is its methodology” (p. 6).
The thesis is also an evaluation study. Such studies require a researcher to specify
criteria, which in this instance are the National Emergency Number Association (NENA) Security
for Next-Generation 9-1-1 Standards or NG-SEC. Measurement will involve collecting data via
a survey of a cross-sectional sample of agencies in the United States and conducting a review of
the literature. As Leedy (2010) states, “measurement is ultimately a comparison and it is a tool
by which data may be inspected, analyzed and interpreted” (p. 25). The survey utilizes the
NG-SEC and serves as the measurement scale for the purpose of comparison and analysis of
research questions. The data collected are ever changing and only provide a momentary look at
the Next Generation 9-1-1 status and compliance or non-compliance of agencies sampled. Time,
evolving technology, consumer needs, agency obstacles, and future laws and standards will
inevitably change data. Therefore, the data are “transient” (Leedy, 2010, p. 89).
The objectives of empirical research go beyond reporting observations. They promote an
environment for improved understanding, combine extensive research with detailed case study,
and prove relevancy of theory by working in a real world environment (Experiment Resources,
2011). The study provides analysis of data collected from public safety answering points
(PSAPs) in order to provide an examination of the written standards in real-life application. The
case study method, as explained by Zainal (2007, p. 1), “enables a researcher to closely examine
the data within a specific context”. Yin (1984) further defines the method “as an empirical
inquiry that investigates a contemporary phenomenon within its real-life context” (p. 23). By
utilizing a case study method, this study will not only explore the data but also show the
complexities of real-life situations (Zainal, 2007, p. 4). When researching human activities, it
is important to capture contextual data and situational complexity. According to Leedy (2010),
“research conducted in more naturalistic but invariably more complex environments – is more
useful for external validity; that is, it increases the chances that a study’s findings are
generalizable to other real-life situations and problems” (p. 100). The field of study may be
unique and the human activities in the project require complexity as part of the research. Lorino
(2008) explains the situatedness of research in that “it takes place in a specific situation which
influences the view of the complex system” (p. 8).
The study identified the collective experience of agencies implementing a key technology
in the field. Each agency surveyed is itself a potential case study. Thus, there are multiple
individual surveys available for analysis. According to replication logic, if findings are replicated
throughout the different agencies, more confidence can be placed in the findings and
generalizing beyond the original participants becomes possible. The rationale for this type of
analysis is supported by Yin (2009), who explains that replication logic is where the researcher is
looking for congruence that indicates increased confidence in the overall finding. Identifying
congruence between a standard and a practice is the heart of criterion-referenced evaluation
research. Such studies not only provide data on the subject but also serve the data-driven quality
improvement reviews used in assessments of the development process.
Organization of the Remainder of the Study
In the following chapters, the researcher provides a literature review, methodology,
presentation of survey results, and concluding study discussion and recommendations. The
literature review describes the evolution of 9-1-1 to its current transition to Next Generation
9-1-1. It also presents and discusses the information security management standard set forth by
the National Emergency Number Association (NENA) for public safety communication
compliance. In Chapter 3, the researcher provides the survey study methodology by which the
data will be collected and analyzed to explore the research questions. Chapter 4 presents the
results and description of the data collected, followed by a conclusion and recommendations
based on the researcher’s findings in Chapter 5.
CHAPTER 2. LITERATURE REVIEW
9-1-1, in the United States, is the number to call if citizens need help (NENA, 2011).
Whether the emergency requires a medical, fire, or law enforcement response, the three-digit
number is supposed to be the one Americans contact for a quick response to a particular
emergency (Barbour, 2008). For most of the last four decades that 9-1-1 has been in existence,
the way citizens communicated with emergency services, with the exception of showing up in
person, was through the use of pay phones and residential landlines (Barbour, 2008).
It was a very straightforward analog system that gradually incorporated the phone
number from which the call was coming, the location of the call, and even a list of appropriate
emergency response units based on the jurisdiction of the call. However, now in the age of the
Internet and a mobile lifestyle, this traditional 9-1-1 communication has continued to fall behind
in meeting the needs of consumers, especially with the increasing disappearance of fixed-line
communications (Luna, 2008). A particularly tragic example took place in 2008. A woman from
Tampa, Florida, was kidnapped and called the local public safety communication center on her
mobile phone while the incident was occurring. The public safety communications center’s 9-1-1
was an analog system, and her GPS-enabled (global positioning system) phone did not register
her location. Later, police found the woman’s body in a vacant home in a nearby town
(Bruce, Newton, & Vaughan, 2011, p. 8). If the local 9-1-1 system had been equipped with
Internet Protocol technologies, the public safety communications center may have been able to
track her location through GPS and her life may have been saved. Certainly, the system did not
even permit that possibility.
Enter Next Generation 9-1-1, which is based on replacing the currently analog 9-1-1
communications system with an Internet Protocol or IP-based system to allow 9-1-1 call takers
to receive the same location and unit information as they do now with landline or fixed-line
telephone systems. Public safety communication personnel would be able to communicate with
citizens and emergency response units via text and mobile, as well as exchange photos and
videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).
Given its very scope, nationwide Next Generation 9-1-1 implementation will take time, and
there are obstacles and issues to work around and resolve. In 2008, the state of New York
conducted a 911 project to enhance wireless communication with a grant from the United States
Department of Transportation and National Highway Traffic Safety Administration. The project
found that technology was not the major obstacle in enhanced wireless deployment. Though
some technical issues may slow the progress, funding for technological upgrades is the most
pressing obstacle (Bailey & Scott, 2008). Of course, this was the year when a major financial
problem engulfed many countries, so it is understandable the study reported that many public
safety answering points did not have sufficient funds for enhanced wireless communication
upgrades. Ultimately this need for finances has prolonged the time needed to complete the
project. The New York study provided examples of obstacles for Enhanced Wireless technologies,
which involve cellular 9-1-1 communications for Wireless Phase I and Wireless Phase II
implementation and not the Internet Protocol technologies that are required for Next Generation
9-1-1 (Bailey & Scott, 2008). However, the funding comparison can be made for obstacles 9-1-1
entities face in upgrading the national 9-1-1 system. If agencies have issues with funding for
cellular wireless technologies of Wireless Phase I and Wireless Phase II, which still utilize the
analog systems, they may have the same issues with Next Generation 9-1-1 funding.
9-1-1: Past and Present
In order to understand and discuss the current changes of today’s 9-1-1 systems, it is best
to briefly review where and how 9-1-1 began and the current types of 9-1-1 services. Jason
Barbour’s article (2008) explained that the first official 9-1-1 call was on February 16, 1968, in
Haleyville, Alabama, and provided an overview of the 40-year history of 9-1-1, from its
inception in 1967 to the current day. Mr. Barbour’s historical perspective told how the
technological advances throughout the years have benefited the profession of saving lives.
Barbour also observed that keeping up with consumer technology has always been a challenge
and that some of the difficulty has been with the lack of synchronicity between the public and
private sectors. It is also important to note the humble beginnings of the first 9-1-1 call in the
small town of Haleyville, Alabama. Barbour illustrated the importance of modest technological
strides from the thousands of public safety agencies nationwide.
According to the National Emergency Number Association (NENA) website (2011),
the different types of 9-1-1 systems readily used now are Basic, Enhanced, Wireless Phase I, and
Wireless Phase II. Basic 9-1-1 is when the three-digit number is used and either a voice or a
Telecommunication Device for the Deaf (TDD) call is received by the local public safety
answering point (NENA, 2011, sec. 3). Enhanced 9-1-1 builds on the basic service, but
additionally provides dispatchers the caller’s location, phone number, and the PSAP responder
information for the caller’s address (NENA, 2011, sec. 4). It is important to understand that both
Basic and Enhanced 9-1-1 only apply to landline phones, not wireless (NENA, 2011, sec. 4).
With wireless, the information displayed or available to the public safety answering point
(PSAP) can be different from that of a wireline or landline 9-1-1 call. The National Emergency
Number Association’s website (NENA, 2011) continued to explain the next two phases, Wireless
Phase I and Phase II. Under Wireless Phase I only the cell phone number displays (NENA, 2011,
sec. 5), and Wireless Phase II provides the cell phone number and the location of the caller
(NENA, 2011, sec. 6). A critical point to remember regarding Wireless Phase II is that a caller’s
location is based on the closest cell towers, so it depends on whether the caller is located in an
urban or rural area. In rural areas there can be quite a distance between towers.
Voice over Internet Protocol (VoIP) is spreading rapidly with consumers, and the 9-1-1
communities have only begun to complete Enhanced 9-1-1 capabilities for VoIP 9-1-1 (NENA,
2011). The Federal Communications Commission (FCC) website’s (2008) discussion of VoIP
9-1-1 services explained that since the communication uses Internet Protocol as opposed to
traditional analog systems, not all VoIP services connect through 9-1-1. Next Generation 9-1-1
or NG9-1-1 would address the issue of 9-1-1 and VoIP capability since NG9-1-1 provides public
safety communication agencies with Internet Protocol based systems. According to the National
Emergency Number Association’s NG9-1-1 Transition Plan (NENA, February 24, 2011),
NG9-1-1 has begun, with the prerequisite deployment of IP networks already occurring in some
areas and with vendors developing NG9-1-1 equipment. However, the organization does note that
“NG9-1-1 will be a journey that will be realized at different rates within various parts of North
America, based upon state/province, local implementation and stakeholder environments”
(p. 15).
Current 9-1-1 Usage
Current 9-1-1 statistics are provided by the National Emergency Number Association
(NENA) website under the category of Public & Media (2011, November 12):
The United States has 6,130 primary and secondary public safety answering points (PSAPs) and
3,135 Counties, which include parishes, independent cities, boroughs and Census areas.
Based on NENA’s preliminary assessment of the most recent FCC quarterly filings:
97.7% of 6,130 PSAPs have some Phase I
96.0% of 6,130 PSAPs have some Phase II
94.1% of 3,135 Counties have some Phase I
91.8% of 3,135 Counties have some Phase II
98.1% of Population with some Phase I
97.4% of Population with some Phase II
Phase I and II are not provided 100 percent nationwide. It is estimated that about 20% of
households in the United States do not use landline phone services; instead they rely on wireless
services only (NENA, 2011, sec. 1).
There are a few agencies throughout the United States, such as King County in
Washington and Rochester in Monroe County, New York, that use portions of Next Generation
9-1-1 technologies by either working as a test public safety answering point (PSAP) or with a
very small percentage of Internet Protocol (IP)-based technologies working alongside the main
analog systems (Intelligent Transportation Systems, 2009). Black Hawk County, IA, is the first
PSAP to allow text messages to be sent directly to 911, though it is only through one wireless
provider (Mannion, 2009). Charlotte County, Florida, received a Florida State grant and is using
it to begin implementing different Next Generation 9-1-1 capabilities (Hamilton, 2009). The U.S.
Department of Transportation (2009) tested various IP-based technologies with five public safety
answering points (PSAPs), which gathered information that assisted 9-1-1 community
organizations such as the National Emergency Number Association (NENA) and the Association
of Public Safety Officials (APCO), along with government officials, in developing nationwide
plans.
The United States government is a very important part of the development of regulations
for 9-1-1 technologies. Its involvement runs from 9-1-1’s first inception in 1967 by the
President’s Commission on Law Enforcement Administration of Justice (Barbour, 2008), through
continuous active pursuit of legislation, to, most recently, the ENHANCE 911 Act of 2004 and
the NET 911 Improvement Act of 2008, which address the concerns raised by emerging
technology and how it affects the services of 9-1-1 (Moore, 2009). It is clear from these actions
that the government has been working to improve its 9-1-1 services with the evolving technology.
In February 2010, National Emergency Number Association (NENA) published the
NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Many industry
experts from a variety of private and government sectors contributed to the security standards to
address the needs of Next Generation 9-1-1 (NG9-1-1) technologies. The standards are in place
to “establish the minimal guidelines and requirements for the protection of NG9-1-1 assets or
elements within a changing business environment” and to “impact the operations of 9-1-1
systems and PSAPs as standardized security practices” (p. 1). Also, all NG9-1-1 entities will be
required to understand, implement and maintain the new standards and requirements, and that
requirement is effective immediately. Any vendor who presents devices, future applications or
technologies for 9-1-1 systems is also to be in compliance with NG-SEC. In August 2011, the
Federal Communications Commission (FCC) announced it still had to consider “how to ensure
adequate broadband infrastructure to deliver the bandwidth PSAPs will need to provide NG9-1-
1. As part of the NPRM, the FCC will examine interim solutions for ensuring that
carriers/service providers support transmission of text-to-911” (Genachowski, 2011, p. 1).
The Future: Next Generation 9-1-1 and Security Issues
At the moment, the technologies that may be used for Next Generation 9-1-1 capabilities
are Internet protocol (IP) voice, video, instant messaging (IM), short messaging (SMS), data, and
telematics (Luna, 2008). Although the Luna article was written in 2008, 9-1-1 systems remain
limited. The Federal Communications Commission (FCC, 2008) stated that some of the issues with
voice-over Internet protocol (VoIP) 9-1-1 are that calls may not connect to the public safety
answering point (PSAP), or may improperly ring to the administrative line of the PSAP, which
may not be staffed after hours, or by trained 9-1-1 operators. VoIP calls may correctly connect to
the PSAP, but not automatically transmit the user’s phone number and/or location information.
VoIP service may not work during a power outage, or when the Internet connection fails or
becomes overloaded. This can be a problem for citizens, when many times emergencies occur in
masses or when the power is out. Because of these issues, there are efforts to include enhanced
VoIP (Kim, Song & Schulzrinne, 2006) that address things like language-based call routing, and
the ability for 9-1-1 operators to call back a disconnected call (FCC, 2008).
Further considerations with voice-over Internet protocol (VoIP) deal with the added
security required on networks that will need to accommodate VoIP and not just data-only
networks. Added costs to 9-1-1 agencies are a reality for additional power backup systems,
firewalls, 9-1-1 answering software for VoIP and other IP-based communications. Not only
would new equipment and software need to be installed to accommodate IP-based technologies
specific to 9-1-1 communications, but routine testing would also need to take place to ensure
system security, and adequate staff would be required to manage the systems to allow for 24/7
uptimes (NIST SP 800-58). 9-1-1 entities would need to continue to meet demands of evolving
technology for upgrades and possible loss of 9-1-1 service if a disaster were to occur within the
9-1-1 center. In short, there remain technical problems in addition to financing concerns.
One view of risk and security issues comes from Lynette Luna (2008), who took a social
approach to how consumer technologies, and their lack of integration with the current 9-1-1
systems, may affect emergency situations. She used well-known incidents, such as the Virginia
Tech shootings, to make a strong argument that the ability of 9-1-1 centers to accept text
messages could possibly have saved lives. For the purpose of risk assessments for upgrading to
next generation 9-1-1, it is good to have a social perspective of 9-1-1 technologies, because
ultimately the point is to provide safety and security to citizens (Luna, 2008).
Hilton Collins (2008) states that a Next Generation 9-1-1 technology that is attractive to
public safety answering points (PSAPs) for cost savings and shared resource solutions is
virtualization. 9-1-1 agencies could consolidate servers and desktops, requiring fewer hardware
purchases and conserving energy. It also allows network administrators to manage upgrades
and installs from one console, saving time and money. Also, virtualization software can allow for
application testing before installing on a live system. This would benefit agencies by not
compromising 9-1-1 communication applications and save costs toward network administration
that would need to bring system and services back up immediately (TechSoup.org, 2011).
It is possible that this is another example of a solution that creates additional problems.
The savings imply fewer personnel needs as well. In addition, there are security risks that come
with a virtual environment. Hilton Collins (2008) discusses information about virtualized and
non-virtualized environments as a whole, as well as some best practices for protecting virtual
networks from cyber-attacks. The main concern is that virtualization in government agencies,
particularly public safety and law enforcement, will bring greater exposure for exploits and
security breaches by introducing “a new layer of software on top of the host machine or system,
which creates additional infrastructure to manage and secure” (Collins, 2008, para. 2). The
article elaborated on the risks involved with virtual networks, like hackers, and illustrated that
attackers seek out poorly configured and exposed servers. Collins advised that potentially all
systems that are interconnected with the agency could be compromised. It only takes one open
network machine to be a possible threat of opening the door to a secured system or systems
(Collins, 2008). Costs that could be incurred with one breach of security could be limitless
depending on amount of staff to bring critical systems back up, amount and type of data loss, and
legal action costs as a few possibilities.
Another change from Next Generation 9-1-1 that Douglas (2008) discussed is that
dispatchers will need to use a whole other set of sensory skills in addition to what they use now
to perform duties. Currently the information received is heard, either by the caller’s actual voice
or from a relay service for the hearing impaired. In the future, it will rely more on visual
information, rather than audible. The visual format makes completing interactive functions while
multitasking by the dispatcher harder because the cognitive load or attention requirements of
human beings vary. The additional multitasking from staff can raise training cost and cost to
obtain and keep trained staff. Douglas (2008) also touched upon how 9-1-1 Centers will have to
re-evaluate their training curriculums and even hiring processes to adapt to the changes. These
personnel and training issues could be looked at as vulnerabilities and could then be exploited by
individuals or organized groups (Douglas, 2008). Many times the weakest link in security is the
people that use the system (Breithaupt & Merkow, 2006). If staff are not trained properly or do
not have the required skills to use Next Generation 9-1-1 technology systems and software, this
could create a vulnerability to the whole system.
Current Information Security Management
Information Technology implementation in 9-1-1 public safety communications can be
slow in adaptation especially when compared to consumers and the corporate sector (Barbour,
2008). As stated by Chairman Genachowski (2011), “no single governing entity has jurisdiction
over NG911…” and “the FCC will work with state 911 authorities, other Federal agencies, and
other governing entities to provide technical expertise and develop a coordinated approach to
NG911 governance” (sec. 3, para. 4). Lynette Luna (2008) stated in her article that an individual
“calling a catalog company to order goods such as clothing, the call-taker would have better tools
than the typical 911 call-taker — who is dealing with life and death situations” (p. 4). Luna noted
that one reason may be due to budgets and jurisdictional matters, such as funding issues,
regulatory amendments, and state regulations that stipulate 9-1-1 component usage. Luna (2008)
also mentioned that the transitioning to Next Generation 9-1-1 technologies would be an ongoing
process through changes in software, databases, and workers’ procedures. In October 2008 the
United States and global economy suffered and it continues to struggle over concerns over
American and European debt issues (Arizona State University, 2011). Local governments have
tightened their financial belts and the additional cost of upgrading 9-1-1 infrastructures and
maintenance, though a necessity, is none too appealing in the current economic climate. With
the country’s economic climate and with those changes that Luna mentioned (software,
databases, and workers’ procedures), the information security management would seem to also
need to adapt to the changes.
According to the publication “Principles of Information Security: Principles and
Practices”, the major categories of computer crimes are as follows: Military and Intelligence
Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun”
Attacks. To break down each category, their definition (Breithaupt & Merkow, 2006) and how it
could apply to 9-1-1 IP systems are accordingly listed:
Military and intelligence attacks: Criminals and intelligence agents illegally obtain
classified and sensitive military and police files.
Business attacks: Increasing competition between companies frequently leads to illegal
access of proprietary information. As much as it may be hard to believe, this
could include competing public safety vendors.
Financial attacks: Banks and other financial institutions provide attractive targets (p.
143).
Obviously 9-1-1 is not a bank or financial institution in the direct sense, but it is a government-
funded entity that could be attacked. Though financial gain would not be the end result, causing
significant financial harm could be a motive. Breithaupt & Merkow continue to list and explain
major categories of crimes:
Terrorist attacks: Terrorist attacks could be executed for either a direct or indirect attack
on a 9-1-1 system. An indirect example would be an attack targeted in one geographical
area to pull sources away, so the intended target would be vulnerable. It could also
involve one system or a large-scale attack of several systems either simultaneously or
consecutively.
Grudge attacks: This could come in the form of either a disgruntled employee or citizen
seeking revenge against the specific agency or even just against law enforcement or
government entities in general.
Thrill attacks: hackers penetrate the system just for the “fun of it”, bragging rights, or
simply for a challenge (2006, p. 143).
To conclude the risk portion, there, of course, is the continued threat of viruses and
malware as with any IP network. However, instead of only affecting a computer-aided dispatch
software program that could quickly be exchanged with an internal closed legacy system or even
a paper system for backup purposes, a 9-1-1 communications system would not be as easily
replaceable or have much allowance for any downtime, even temporarily, due to a virus or
malware issue. Daily vulnerabilities of network infection and system outage on a vital system
such as 9-1-1 make any loss of service an issue of public safety.
The National Emergency Number Association (NENA, 2011) website had a plethora of
documentation, guidelines, requirements and standards that addressed a variety of technology
and equipment implementation, connectivity, and functionality issues, which were more
appropriate for a systems administrator. Though system administrator policies and standards and
practices may include “security controls, information classification, employee management
issues, and corresponding administrative controls” (Breithaupt & Merkow, 2006, p. 43), which
apply to information security, none were specific to current 9-1-1 public safety communication
entities during an initial literature research. However, in February 2010, NENA organized and
published a set of national standards specific to Next Generation 9-1-1 security objectives for 9-
1-1 entities, titled National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, which will be discussed
in more detail in this chapter. Before the creation of NG-SEC, though, no national standard or
policy was in place for 9-1-1 agencies.
Next Generation 9-1-1 Information Security Management
The researcher investigated the literature specific to Next Generation 9-1-1 information
security management standards. The National Emergency Number Association advised the
purpose of the National Emergency Number Association (NENA) Security for Next-Generation
9-1-1 Standards was to “establish the minimal guidelines and requirements for the protection of
NG9-1-1 (Next Generation 9-1-1) assets or elements within a changing business environment”
(NENA, 2010, p. 7). The national public safety communication organization published the
document to provide standardized security practices for Next Generation 9-1-1 technologies, but
explained that it is a work in progress and the document is in its first version with revisions to
come to accommodate future issues (NENA, 2010). Technical requirements, upgrading and/or
replacing equipment, will incur costs to agencies. Readiness and available funds may also vary
with each 9-1-1 entity.
The document scope covered public safety answering points (PSAPs), Next Generation
9-1-1 ESINet, Next Generation 9-1-1 service providers, Next Generation 9-1-1 vendors,
contracted services, and any individual or group who use, design, have access to, or are
responsible for Next Generation 9-1-1 assets (NENA, 2010). Like Breithaupt and Merkow
(2006), the National Emergency Number Association (NENA) document listed roles and
responsibilities of individuals specific to NG9-1-1 security and similarly concluded that
ultimately security is “everyone’s responsibility” (NENA, 2010, p. 11). When it came to
security policies, NENA stated that it is the first step in any effective attempt in the
implementation of a security program (NENA, 2010).
The National Emergency Number Association (NENA) further explained the minimum
standards shall have a senior management statement (or an organizational security statement),
functional policies, and procedures. It continued to detail each section, starting with the senior
management statement policy. NENA emphasized that “senior management must be engaged
and committed to maintain highly effective security so the rest of the staff can be able to do their
part” (NENA, 2010, p. 11). As the National Emergency Number Association document stated,
security is “everyone’s responsibility” (NENA, 2010, p. 11) and senior management is not
exempted. The absolute minimum that should accompany the senior management statement is
two items: identify person responsible for security (even though it technically is everyone’s
responsibility) and provide a written description of the security goals and objectives of the Next
Generation 9-1-1 entity (NENA, 2010).
To compare this with information security management standard practices in realms
outside of 9-1-1 public safety communications, the book by Breithaupt and Merkow (2006),
provided an overview of information security management through security principles and a
common body of knowledge used in private and public industry. They explained that “setting a
successful security stage” with “effective security policies can rectify many of the weaknesses
from failures to understand the business direction and security mission and can help to prevent or
eliminate many of the faults and errors caused by a lack of security guidance” (Breithaupt &
Merkow, 2006, p. 60).
The Next Generation 9-1-1 information security management standards documentation
(NENA, NG-SEC, 2010) stated that it is to provide a “deeper level of granularity after creating
an executive management statement” (NENA, 2010, p. 12). The document gave a list of some
examples of what may be contained in it: “acceptable usage policy, authentication/password
policies, data protection policy, wireless policy, physical security policy, remote access policies,
hiring practices, security enhancements or technology, baseline configurations for workstations,
standards for technology selections, and incident response policy” (NENA, 2010, p. 12). The
procedures section included documentation that provided the “method of performing a specific
task” (NENA, 2010, p. 12), such as creating new user accounts or how vendors would be
allowed access to the server room. This complemented the common body of knowledge (Breithaupt
& Merkow, 2006) and practices that private and government industries (ISO/IEC 27001, 2005),
outside of 9-1-1 public safety communications, utilized for information security management.
Obstacles and Solutions for Next Generation 9-1-1 Information Security Management
When information was collected for possible standards as they applied to various aspects
of Next Generation 9-1-1 operations, a mixture of obstacles and possible solutions were found.
In her article, Merrill Douglas (2008) explained some problematic issues from the 9-1-1
operator’s perspective regarding Next Generation 9-1-1 and how 9-1-1 information will be
received in the future. Douglas explained that currently the information received is heard, either
by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will
rely more on visual information, rather than audible and a whole set of sensory skills will need to
be used and it makes performing interactive functions while multitasking much harder (Douglas,
2008). The article also discussed how 9-1-1 Centers will have to re-evaluate their training
curriculums and even hiring processes to adapt to the changes. Lack of training for staff creates
vulnerabilities and could then be exploited by individuals or organized groups (NIST SP-800-
50), as well as be related to the risk assessments of the future 9-1-1 systems and that the effects
of security are significant because people are usually the weakest link (Douglas, 2008).
Mary Rose Roberts (2009) brought up consolidation of Next Generation 9-1-1 enabled
public safety answering points (PSAPs) and illustrated both economical and shared resource
benefits. She explained that technology improvements are growing exponentially and even
though costs were lowering, still it behooved agencies to share resources to save money, as well
as the benefit of sharing intelligence. The year before the standards were developed, Roberts
(2009) was asking, “if it's next generation compliant, what does that mean? We haven't defined
what next generation is totally, so how can you be compliant to a standard that may not even
exist yet…" and "as a result, we don't believe every PSAP in this country is going to go to an
NG911 environment any time in the very near future” (p. 23). Merrill Douglas (2009) also
addressed consolidation cost benefits for PSAPs, which then helps with the burden of costs and
provides better redundancy by switching to an IP network.
Craig Whittington (2009) explored the public's expectations of 9-1-1 services and the
difference in what is reality. In his article, he stressed if the public's perception and the reality of
9-1-1 do not agree, it can be more than a public relations problem; it can put lives at risk. From
that perception issue, the article illustrated what Next Generation 9-1-1 can provide, such as shared
networks, new and different ways to communicate with callers and responders, as well as an
increased capacity to transmit and disseminate information. Mr. Whittington additionally
emphasized that the most vital part of 9-1-1 systems (now and in the future) is the 9-1-1 Operators
and Dispatchers. It is very important to make sure that personnel are well trained and at ease
with the new responsibilities and technologies. Not only will it be a challenge to re-evaluate
training curriculums, but also how to do it with continuing decreased budgets. The continued
significance of operators in the 9-1-1 center is that they can become the weakest link in the
overall network risk management. In order to acquire the benefits discussed earlier, this article
illustrates the importance of making sure competent employees are hired and retained, as well as,
trained in the most current technologies, important issues in risk assessments (Whittington,
2009).
Conclusion
As the technology of 9-1-1 continues to evolve into Next Generation 9-1-1 systems,
information security management in public safety communications will need to evolve as well to
meet the needs of various technologies, consumers, and 9-1-1 staff. Matters of funding,
governance, reliability, and security surround the project and the changes that current 9-1-1
public safety answering points (PSAPs) have experienced and will be experiencing in the near future. This chapter
provided a summary of the National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards that agencies will be required to be compliant with Internet-protocol
based technologies. It also illustrated some challenges PSAPs will have due to the Next
Generation 9-1-1 evolution. Against this background the researcher delved into the real-life state
in which the PSAPs are currently compliant, either operating at Next Generation 9-1-1 status or
before utilizing Internet-protocol technologies.
CHAPTER 3. METHODOLOGY
Research Design
The study was a non-experimental, Mixed Method study because it included both verbal
and numerical data. The study had a two stage design. There was secondary data gathered in a
review of the literature as well as primary data collected to answer the research questions. The
research design was an evaluation study being conducted to evaluate compliance with security
standards of Public Safety Answer Points (PSAPs). The study was descriptive and illustrated
aspects of agencies considered to be representative. It was also exploratory because the standards
used to evaluate compliance were relatively new and the information collected was intended to
help develop future more focused understandings of PSAP needs required for support in
achieving compliance. The topic was new and little understood, so an exploratory project was
appropriate.
Published response data for the survey’s questions served as benchmarks for the purpose
of comparison and analysis of this study’s questions. Thus, a criterion-based design was used.
The standards were the criteria and in this design they provided the hypothesized situation
against which this study was performed, as well as the standard of judgment for success or
failure, and they provided a stable platform that enabled the researcher to decide whether the
conclusions of this and other studies were relevant so that a pattern matching strategy could be
employed, as explained by Yin (2009).
The study was field based using only publicly available online membership contact
information of either state or regional chapters of Association of Public-Safety Communications
Officials (APCO) and National Emergency Number Association (NENA), both not-for-profit
professional organizations for public safety professionals. According to NENA (2011), the
United States has 6,130 primary and secondary public safety answering points (PSAPs). For the
purpose of this study and based on the time and resources available to the researcher, obtaining
6,130 agency contacts would not have been feasible. However, utilizing an Internet search of
publicly available members of state or regional APCO or NENA chapters to collect at least one
or more agency contacts, representing 50 states in order to examine the study nationwide, was
achievable. The online search produced a list of 225 individual agency contacts, including a
name for point of contact, e-mail address, and agency phone number. The study consisted of a
one-time survey, sent to each of the 225 agency contacts, and was a cross-sectional study. The survey
was self-administered by email and the researcher utilized survey services through Survey
Gizmo.
Sample
The study utilized a cluster sampling technique. Leedy (2010) explains this technique is
appropriate when “the population of interest is spread out over a large area” (p. 209). The 225
agencies were the population units, i.e. the clusters. They were classified by size of population
each agency serves utilizing 2010 United States Census information. The sample was stratified
into three segments: small (serving 1-99,999 population), medium (serving 100,000-499,999
population), and large (serving 500,000 or more population). Of the 225 agencies, the following
counts and percentages were present in this survey study: small (125 agencies, 55%), medium
(71 agencies, 32%), and large (29 agencies, 13%).
All survey methods have weaknesses. For example, participants may
have wanted to reflect compliance, when in fact, they were not, or their responses may have been
based on their understanding of the question and standards, which could in fact be a
misunderstanding (Colorado State University, 2012). The survey referenced the industry
accepted security standards for the survey questions and the researcher had to trust that all
agencies were familiar with them and how they applied to their specific agency in order to
accurately provide information for the study. Another issue, non-response, was present for
possible reasons (Cooper, 2008, p. 257). For example, the contact information may not have
been accurate or may not have been addressed to the person who would have been best able to
answer in the context of the compliance survey. Use of an official association was intended to
reduce issues related to contact information. It was also difficult to secure responses from a large number of the
selected agencies. First, the initial contact was through the e-mailed
survey, and the researcher and educational institution, not representing a public safety
communications organization or government agency, were relatively unknown to the public safety
communication centers. Or, there may have been restrictions on the agency that the researcher was
unaware of. A telephone follow-up to non-responders was used to increase the pool of available
responses.
Setting
The thesis study was conducted in a field setting. The 225 agencies consisted of city,
county, or state entities and were subject to a variety of regulations. They have been described
elsewhere.
Instrumentation / Measures
The instrumentation used was an online survey that was emailed to 225 individual agency
contacts. Measurement of the current 9-1-1 status/capability was categorical: Basic 9-1-1,
Enhanced 9-1-1, Wireless Phase I, Wireless Phase II, and Next Generation 9-1-1. Categorical
measurement was made of respondent job title/role within their agency through three categories,
9-1-1 Supervisor (middle management), 9-1-1 Manager (upper management), 9-1-1 IT/Network
Administrator (technical management). There was also an “Other” category for main job
title/role if the three did not apply to the individual. Other measures focused on compliance
standards.
The researcher used the National Emergency Number Association's (NENA) Security for
Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) to develop
the survey questions in order to gather information about the security landscape of 9-1-1 public
safety communication agencies at the dawn of Next Generation 9-1-1 nationwide
implementation. The first set of questions, questions 1 through 3, provided population range,
current 9-1-1 status/capabilities, and participant’s job title/role. Questions 4 through 6 focused on
the agency’s Network Administration landscape. In questions 7 through 14, the participant
selected each security policy and standard that was currently in place at their agency and
provided obstacle explanations if applicable. Each security policy and standards question
reflected a security standard presented in the National Emergency Number Association's (NENA)
Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010).
Data Collection
Data collection in this study was subject to time constraints. Specifically, data collection
was limited to a three week period in November. Data collection included content from the
review of literature and survey agency sample. The literature provided the compliance standards
with the National Emergency Number Association's (NENA) Security for Next-Generation 9-1-1
Standards (National Emergency Number Association, 2010) and the NENA website of 9-1-1
basic statistics supplying the number of public safety answering points (PSAPs). An email was sent
to 225 9-1-1 public safety agencies from the list of Association of Public-Safety Communications
Officials (APCO) and National Emergency Number Association (NENA) members. The
researcher followed up with a phone call to the agencies. The researcher exported survey data
from the Survey Gizmo report dashboard of all respondents for data review and analysis.
Data Analysis
Data was analyzed using both logical reasoning and descriptive statistics. The data
presented used a question format. The questions supplied agency size and current agency 9-1-1
status or capability, illustrated by pie charts showing percentage of small, medium, and large
agencies and bar graphs for 9-1-1 status. In addition to various charts and graphs, tables were
used to further analyze the data from each survey question and provided total counts and
percentages of each agency population size and total agency responses.
Validity and Reliability
Classroom Assessment (2011) states that “reliability and validity are two concepts that
are important for defining and measuring bias and distortion” (sec. C, para. 1) with reliability
referring to the “extent in which assessments are consistent” (sec. C, para. 2) and validity as the
“accuracy of an assessment” (sec. C, para. 5) even if it does not measure what is to be measured.
The survey questions mirrored the compliance standards. This established the content validity of
the questions. Another way of determining validity was the use of expert judgment. Therefore,
the committee reviewing this research was another check on validity.
Another approach of validity was through triangulation. Leedy (2010) describes
triangulation as collecting data from multiple sources “with the hope they will all converge to
support a particular hypothesis or theory” (p. 99). It is common in qualitative designs to use
different sources of data as support for the researcher’s confidence in the conclusions presented
in Chapter 5.
Ethical Considerations
The researcher conducted the survey by questioning individuals managing 9-1-1
communication systems with the following ethical considerations. There are four categories of
ethical consideration in research studies: (1) Do no harm, (2) Informed Consent, (3) Right to
Privacy, and (4) Honesty.
Do no harm is a broad ethical category. It includes not asking sensitive questions
that would possibly injure an individual’s employment status. Security is a sensitive issue
and a discussion of security issues under some circumstances might be interpreted as “sensitive”.
For that reason data is collected in ways that do not reveal the individual replies, and participants
are clearly informed about their right not to participate.
Specifically, to meet the need for full disclosure, each 9-1-1 participant was informed of
the intention of the study (copy in appendix B), which was to provide an academic snapshot of
compliance through literature review and a survey of public safety answering points (PSAPs) to
complement existing research and discussions of Next Generation 9-1-1 within the public safety
communication realm and provide a platform for further dialogue and study on specific Next
Generation 9-1-1 information security management goals and practices. The researcher was
aware of the ethical demand for honesty in data collection.
In addition, the participants who completed the survey did not have their personal identity
or the identity of the agency revealed. None of the questions in the survey requested information
that identified a specific person or agency, or put them in any harm. All information collected for
the study was confidential to the research through the Survey Gizmo data collection and used
only for the purpose of the academic thesis study.
CHAPTER 4. RESULTS
Introduction
This chapter presents the data gathered from the surveys from public safety answering
points (PSAPs). The survey was sent to 225 agencies stratified by population size. The purpose
of the survey was to gather data needed to answer these questions:
1. What percent of agencies have Next Generation 9-1-1 status?
2. What percent of agencies are compliant or noncompliant with standards?
3. What are the obstacles and/or challenges for public safety answering points (PSAPs)
that are not compliant with public safety communication information security
standards?
Answering these questions will lead to the answer to the main question and reveal
compliance or non-compliance of PSAPs that are Next Generation 9-1-1 (NG9-1-1). The survey
categorized PSAPs as small (1-99,999), medium (100,000-499,999), and large (500,000 or
greater). It is an instrument of analysis to gauge the nationwide landscape of public safety
answering points (PSAPs) currently and identify possible issues and obstacles of where it is
heading.
The methodology the researcher followed entailed contacting 225 agencies by e-mail
utilizing Survey Gizmo survey online services. From 225 agencies, 4 agency e-mails were
rejected with no other contact information available to the researcher, leaving a total of 221
agencies receiving the survey for response. Of these 221, a total of 56 agencies responded as a
result of the survey process. In the first 3 days, 52 agencies responded. Three days after the
initial surveys were e-mailed, the researcher sent a reminder with a second wave of the surveys
to the 169 agencies that did not respond. According to StatPac, Internet surveys receive 90% of
the responses within three days after the e-mail invitation is sent (StatPac, 2011). In this instance
that proved a good ballpark estimate because 52/56 is 92%. The reminder did not produce
additional responses.
The next week, follow up phone calls were made to each of the 169 agencies that did not
respond. The researcher directly spoke with 52 agency contacts from those 169 agencies. The 52
contacts the researcher reached by phone advised that they were not sure if they had received the
e-mail, or remembered the survey but had not taken it. For the 117 agencies with which direct
contact was not made, the researcher either left a message with the dispatcher or non-emergency
personnel answering the phone, or left a message on the contact’s voicemail. The follow up phone
calls produced 4 responses, making the total survey study response 56.
Because the non-response rate was 75%, it is necessary to discuss response bias. Israel
(2009) notes strategies to deal with response bias, including calling back non-respondents, which
the researcher did, and to “assume there is no response bias and to generalize the population” (p. 2,
para. 4). In addition, Israel suggests that the researcher’s previous public safety communication
experience offers expertise needed to make judgments regarding key information others might
benefit from and use as part of generalization. In addition, that experience would support their
confidence in conclusions drawn in discussion even with this response rate.
Interestingly, since the survey generated 56 responses, it is comparable to other results,
such as that in Deline, Ko, and Venolia (2007). They reported 55 responses on a sample of 250
(p. 7-8). The total population of this study’s survey was 221 with 56 responses and this
comparison supports the decision to consider the response rate sufficient for the analysis and
conclusions drawn in this study. Therefore, although there were time limitations on data
collection for the project, the researcher during the third week of data collection contacted the
agencies about reasons for survey non-responses. Of the 165 non-respondent agencies 33
provided reasons for non-response. During this follow up, three reasons were provided by
agencies for their decision. Although some mentioned time constraints, two other reasons
provided were: (1) they did not want to participate due to not being familiar with the researcher
or the graduate program institution and (2) they were not comfortable in sharing data with non-
governmental entities. Given that security really is a sensitive topic, the researcher could have
anticipated this response. In an e-mail to the researcher, Dr. Robert Morse confirmed other thesis
candidates had been told contracts with security providers restricted the release of data only to
authorized agents of that provider (R. Morse, personal communication, January 27, 2012).
One additional point was mentioned by the Federal Communications Commission Chairman
in August 2011:
We need a comprehensive, multi-pronged approach to NG911 implementation: If we do
nothing, to address NG911 requirements, timelines, costs, and governance, we will see
uncoordinated patchwork deployment of NG911 over the next five to ten years, leaving
much of the U.S. without any NG911 capability (Genachowski, 2011).
In other words, the FCC chairman was in essence claiming that a rudder to steer the project is
still needed. That fact and these additional reasons, time constraints on data collection and the
cost of multiple calls to agencies, were considerations that influenced the decision to stop data
collection and make the judgment to report the data as collected. The researcher’s advisors pointed
out that self-selection bias is always a possibility in this type of research and agreed with the
decision to report the results of the survey and follow-up conversations.
Data Analysis
Data is analyzed using both logical reasoning and statistics. The data is presented using a
question format. In addition to various pie charts and graphs, tables will be used to further
analyze the data from each survey question.
There were three possible categories of responses by the size of agency jurisdiction. The
distribution of responses by agency size was small (38 agencies, 68%), medium (16 agencies,
29%), and large (2 agencies, 3%).
Figure 1. The population range of the agency's jurisdiction.
What is interesting is that the categories do not reflect an even distribution. Essentially
the three divisions can be considered in terms of x < 500,000 and x > 500,000. Out of the 56
respondents, 2 agencies selected the Large category (3%), 16 selected the Medium category (29%),
and 38 respondents selected the Small category (68%). If the 16 Medium sized respondents are
considered in combination with the 38 small category respondents, then clearly the bulk or 97%
of respondents represented service areas of less than 500,000.
The next survey question: What is your agency's current 9-1-1 status/capability? This
question requested the agency's current 9-1-1 status, noting to respond with their most advanced
level that applied to their agency. All 56 respondents selected Wireless Phase II as their current
9-1-1 status/capability, which allows for wireless 9-1-1 calls to display both latitude and
longitude of the caller’s location. A key finding is that all are at the same level of compliance
since all were at the same 9-1-1 status/capability.
Table A
Current agency 9-1-1 status/capability
Agency Size | Basic | Enhanced | Wireless I | Wireless II | Next Generation | %
Large | 0 | 0 | 0 | 2 | 0 | 3%
Medium | 0 | 0 | 0 | 16 | 0 | 29%
Small | 0 | 0 | 0 | 38 | 0 | 68%
Totals (%) | 0% | 0% | 0% | 100% | 0% | 100%
Figure 2. Current 9-1-1 status/capability.
The third survey question: Which best describes your main job title/role at your agency?
From the total responses, 23% selected 9-1-1 Supervisor (Middle Management), 61% selected 9-
1-1 Manager (Upper Management), and 8% selected IT/Network Administrator (Technical
Management). There were also four agencies (2 Medium agencies and 2 Small agencies, or
8%) that selected the “Other” category. The descriptions given for “Other” were “Executive
Director”, “Communications Training Coordinator”, “Both Manager and IT Administrator”, and
“Trainer”. This shows the majority of responses were from upper management as requested with
the selection of 9-1-1 managers with the capability and knowledge of the compliance standards
and to provide accurate information about their specific agency.
Table B
Job title/role at agency
Size | 9-1-1 Supervisor | 9-1-1 Manager | IT/Network Administrator | Other | %
Large | 0 | 1 | 1 | 0 | 3%
Medium | 1 | 10 | 3 | 2 | 29%
Small | 12 | 23 | 1 | 2 | 68%
Totals (%) | 23% | 61% | 8% | 8% |
Shown in Figure 3, the highest job title/role for Small agencies was “9-1-1 Manager”.
Second choice was “9-1-1 Supervisor”. The third and fourth selections were “Other” and
“IT/Network Administrator”. As with the overall response, the majority selected for job role was
9-1-1 manager category, showing that small agencies have designated and dedicated managers
for their entities, signifying upper management responsibilities and knowledge as with other size
agencies.
Figure 3. Job title/role for small agencies.
The Medium agencies selected “9-1-1 Manager” the most, “IT/Network Manager” next,
and then “Other” and “9-1-1 Supervisor” for the least two job titles/roles (shown in Figure 4).
The medium agencies had 19% of their responses from the IT category. If compared to the small
agencies’ 5% (see Figure 3.), this could illustrate small agencies having less network
administrative personnel on staff and that the 9-1-1 manager in small agencies could hold IT
administrative responsibilities even if it is a secondary role. Medium-size agencies appear to have
more network administration on staff, given the higher percentage holding it as their main role.
Figure 4. Job title/role for medium agencies.
Figure 5 illustrates the two choices selected by the Large agencies, of which two in total
responded. One selected “9-1-1 Manager” and one selected “IT/Network Administrator”. None
selected “9-1-1 Supervisor” or “Other”. Since only two large agencies responded, the division of
roles is 50%. What could be concluded is large agencies have levels of staff that are on upper
level management and/or have a dedicated network administration department.
Figure 5. Job title/role for large agencies.
In survey question 4: What best describes your current IT/Network Administration at
your agency? The two Large agencies both selected “Full-time internal IT/Network
Administrator”. The Medium agencies varied among three categories: 12 for “Full-time internal
IT/Network Administrator”, 1 for “Part-time external IT/Network Administrator”, and 3 for
“Full-time external IT/Network Administrator”. The Small agencies provided a representation for
all five categories. For the “Part-time internal IT/Network Administrator”, 2 made that selection, 19
selected “Full-time internal IT/Network Administrator”, 1 selected “Part-time external
IT/Network Administrator”, and 13 chose “Full-time external IT/Network Administrator”.
Finally, 3 Small agencies selected “No IT/Network Administrator”.
Table C
Current agency IT/Network administration description
Size | None | Part-time internal | Full-time internal | Part-time external | Full-time external | %
Large | 0 | 0 | 2 | 0 | 0 | 3%
Medium | 0 | 0 | 12 | 1 | 3 | 29%
Small | 3 | 2 | 19 | 1 | 13 | 68%
Totals (%) | 5% | 4% | 60% | 3% | 28% |
The small agencies had at least one selection in each of the current agency IT/Network
administration description categories. The highest selected was “Full-time internal” and second
highest was “Full-time external”. The last three, in order of most selected, were “None”, “Part-
time internal”, and “Part-time external” (see Figure 6). Even though it is possible for small
agencies to have less budget allocation for a designated IT/Network Administrator, the data
illustrates small agencies are not necessarily at a disadvantage at staffing network administration.
Figure 6. IT/Network Administration for small agencies.
In Figure 7, the Medium agencies selected three total for their current IT/Network
administration description types. The most often selected response was “Full-time internal”, the
second was “Full-time external”, and the least selected was “Part-time external”. Large agencies
selected that their IT/Network administration was full-time, internal staff (see Table C).
Comparing all three jurisdiction sizes shows that the larger the agency, the greater the share of
full-time network administrators and of those that are internally staffed. But even though smaller
agencies have a lower percentage, they are apparently capable of having full-time administrators
even if they need to contract externally.
Figure 7. IT/Network Administration for medium agencies.
For survey question 5: If your agency has "No internal or external IT/Network
Administrator" does your agency anticipate in employing or contracting an IT/Network
Administrator? As shown in Table C, only 3 small agencies selected this category. The 3 that
selected “No internal or external IT/Network Administrator” in question 4 also selected “No” for
question 5. However, one agency that selected “Full-time external IT/Network Administrator” in
question 4, also selected “No” for question 5. This illustrates that, while some smaller agencies
are able to have full-time network administration staff as reflected in question 4, there
are some that have yet to overcome obstacles, which will be explained in question 6 (see Table
E).
Table D
Agency anticipation of employing/contracting an IT/Network administrator who currently have
none.
Size | Yes | No | %
Large | 0 | 0 | 0%
Medium | 0 | 0 | 0%
Small | 0 | 4 | 100%
Totals (%) | 0% | 100% |
For survey question 6: If you answered "No" to either question 5, please explain the
reason and/or obstacles of why your agency does not anticipate doing so? From Table D, it
shows that 4 Small agencies selected “No” and 4 Small agencies selected categories providing a
reason for their answers in Table E. Cost was selected by 3 Small agencies and Upper
Management had 1 selection. The “Other” category was selected by 2 Small agencies with the
explanations of “I do it” and “we have a staff member currently enrolled in college to get his
degree for our IT, as the County only has 2 full time IT but they are for the entire county and we
have to wait on their availability. We have current State and Federal policies in place and try to
stay in compliance with NENA/APCO standards”.
Table E
Reason or obstacles for not employing/contracting IT/Network administration if currently none
Size | Cost | Upper management | High turnover | Lack of qualified resources | Other | %
Large | 0 | 0 | 0 | 0 | 0 | 0%
Medium | 0 | 0 | 0 | 0 | 0 | 0%
Small | 3 | 1 | 0 | 0 | 2 | 100%
Totals (%) | 75% | 25% | 0% | 0% | 50% |
Small agencies are the ones reporting obstacles when it comes to not employing or
contracting IT/Network administration, which would affect their compliancy with the established
security standards. With “Cost” accounting for the majority of the obstacles, this could possibly be
alleviated through future funding assistance, either by state or federal agencies, so that they are
not at a disadvantage where they do not have sufficient revenue for their budgets.
Figure 8. Obstacles for not employing IT administration for small agencies.
Survey question 7: What type of Information Technology (IT) descriptions and
policies does your agency currently have in place? The selection of all, with the exception of
“none apply”, would allow the agency to be compliant under the NENA Security for Next-
Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Table F breaks down the first six
categories and Table G provides information for the last six of question 7. All but one agency
had at least one category selected. The agency that did not select any category was one Small
agency, making it a total of 55 responses for this question. Looking at both Table F and G, both
the large agencies selected all but two categories, “Wireless Policy” and “Incident Response”.
For the medium agencies, all selected “Acceptable Usage”, with many agencies in that category
also selecting “Password Policy”, “Data Protection”, “Wireless Policy”, “Physical Security”,
“Remote Access”, and “Access Control”. No Small agency had all policies selected, but many
agencies selected “Acceptable Usage”, “Password Policy”, and “Physical Security”. Also, one of
the large agencies selected every choice, including “None apply”, even though they selected
all of the previous policies.
Table F
Type of IT descriptions and policies (first six categories)
Size | Acceptable Usage | Password Policy | Information Classification | Data Protection | Wireless Policy | Physical Security
Large | 2 | 2 | 2 | 2 | 1 | 2
Medium | 16 | 15 | 9 | 12 | 13 | 14
Small | 33 | 34 | 16 | 27 | 17 | 33
Totals (%) | 93% | 93% | 51% | 74% | 56% | 91%
Table G
Type of IT descriptions and policies (last six categories)
Size | Remote Access | Access Control | System Control | System Patching | Incident Response | None Apply | * %
Large | 2 | 2 | 2 | 2 | 1 | 1 | 4%
Medium | 13 | 10 | 9 | 8 | 9 | 0 | 29%
Small | 16 | 22 | 6 | 9 | 23 | 1 | 67%
Totals (%) | 54% | 63% | 31% | 33% | 62% | 3% |
* % both Table F and Table G
Figure 9 illustrates all of the IT descriptions and policies from both Table F.1 and
Table F.2 that were selected by Small agencies. The most selected was “Password Policy”.
Following it, in order, were “Acceptable Usage”, “Physical Security”, “Data Protection”,
“Incident Response”, “Access Control”, “Wireless Policy”, “Information Classification”,
“Remote Access”, “System Patching”, “System Control”, and last, with one agency selection,
“None Apply”. Compared to the following figures that illustrate medium and large agency
responses (figures 10 and 11), the greatest differences in IT policies are in system controls, system
patching, remote access, information classification, and wireless policies. For small agencies,
this lack of policies may be due to network administration staffing or even the capabilities of
their current database networks; they may not have those policies in place because they are not
applicable to their network yet. However, once they are Next Generation 9-1-1 capable, all
categories will need to be in place.
Figure 9. IT descriptions and policies for small agencies.
The medium agency selections are shown in Figure 11. The most selected category was
“Acceptable Usage” and the last was “System Patching”. None of the medium agencies selected
“None Apply”. The medium agencies seem to be more in compliance with many of the
policies. This may be due to more evolved database networks and staffing.
Figure 10. IT descriptions and policies for medium agencies.
The Large agency selections of IT descriptions and policies from both Table F.1 and
Table F.2 are shown in Figure 12. Both Large agencies selected “Acceptable Usage”, “Password
Policy”, “Information Classification”, “Data Protection”, “Physical Security”, “Remote Access”,
“Access Control”, and “System Control”. However, one agency selected “Wireless Policy” and
“Incident Response”. Also, as noted previously, one agency also selected “None Apply”.
Surprisingly, incident response and wireless policies were not selected from one of the two large
agencies. Many metropolitan public safety communications centers communicate local
databases, such as computer aided dispatch (CAD) or records management systems (RMS)
wirelessly from laptops in vehicles and other mobile devices. It would also be thought that a
large agency would have incident response policies in place in case a natural, terrorist, or
technical disaster occurred.
Figure 11. IT descriptions and policies for large agencies.
Survey question 8: If your agency is Next Generation 9-1-1 capable and any of the
following descriptions and policies listed in question 7 were not selected please select the
reason(s) and/or obstacle(s). The data in Table G received 32 survey responses with at least one of
the selections, regardless of all agencies reporting the highest 9-1-1 status/capability of Wireless
Phase II. None of the 56 responding agencies reported having Next Generation 9-1-1
status/capabilities for question two of the survey. None of the large agencies made selections for
question 8. However, 7 medium agencies and 25 small agencies made at least one selection,
making up over half (57%) of the 56 total responses to the survey. The two “Other” categories
consisted of “IT department prefers not to release information due to concerns over security”
and “we are NG9-1-1 capable, but state law prohibits implementation”.
Table H
If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies
in Table F and Table G
Size | Cost | Time | Upper Management | Staff Constraints | Other | %
Large | 0 | 0 | 0 | 0 | 0 | 0%
Medium | 4 | 5 | 0 | 2 | 1 | 22%
Small | 16 | 18 | 1 | 14 | 1 | 78%
Totals (%) | 68% | 75% | 3% | 53% | 6% |
Even though none of the responding agencies were Next Generation 9-1-1 capable, the
responses do shed light on current obstacles agencies face towards compliancy. Cost does reflect
over half of the obstacles, but “Time” is selected as 75% of the overall reason and is the highest
ranked obstacle in both medium and small agencies. This could indicate that agencies feel they
are spread thin in keeping up with standards and evolving technology even if they have the staff
and money.
Figure 12. Obstacles for not having the descriptions/policies for small agencies.
Figure 13. Obstacles for not having the descriptions/policies for medium agencies.
For survey question 9: Select the following software your agency currently runs on all
servers and end user computers? Anti-virus software and/or spyware detection software. All 56
agencies selected either one or both of the software selections. All agencies currently run Anti-
virus software on all servers and end user computers. Only a few in both the medium and small
agencies do not currently run Spyware detection software. Reasons were inquired in the
following survey question (see Table I).
Table I
Virus and/or spyware detection software on all servers and end user computers
Size | Anti-virus | Spyware detection | %
Large | 2 | 2 | 3%
Medium | 16 | 13 | 29%
Small | 38 | 34 | 68%
Totals (%) | 100% | 88% |
Figure 14. Virus and/or spyware detection software for small agencies.
Figure 15. Virus and/or spyware detection software for medium agencies.
Survey question 10 asked: If you did not select one or both of the choices in question 10,
please advise the reason(s) and/or obstacle(s) your agency has for not running anti-virus and/or
spyware detection software on all server and end user computers? Table J shows agency
responses.
Table J
Reason and/or obstacles for agency not running anti-virus and/or spyware detection software
Size | Cost | Time | Upper Management | Staff Constraints | Other | %
Large | 0 | 0 | 0 | 0 | 0 | 0%
Medium | 0 | 0 | 0 | 0 | 0 | 0%
Small | 0 | 1 | 0 | 1 | 0 | 1%
Totals (%) | 0% | 2% | 0% | 2% | 0% |
Only 1 small agency responded regarding a reason for not currently running a Spyware
detection program (see Table J). The two reasons selected were “Time” and “Staff constraints”.
Unlike previous obstacles for not complying with standards, this did not include “Cost”.
However, although this may not be an initial cost concern, time and staff constraints can bring
indirect costs for smaller agencies related to monitoring network traffic on a daily basis, such as
having to hire or contract services to fulfill this requirement.
Figure 16. Obstacles for no anti-virus and/or spyware detection software for small
agencies.
Question 11 asked: Does the agency have the following on file: current inventory,
schematic, and audit documents?
Both of the large agencies reported having all three items on file. The other size agencies
responded with 15 medium and 36 small, making a total of 53 responses shown in Table J. Most
medium agencies had a current network inventory and many had a current network schematic.
Many small agencies reported having current network inventory and/or current network
schematic. Both medium and small agencies had some current annual internal audits on file.
Even though both large agencies reported having all the required IT documentation, medium and
small agencies were not too far behind with network inventory and schematics.
Table K
Current inventory, schematic, and audit documents on file
Size | Network inventory | Network schematic | Annual internal audits | %
Large | 2 | 2 | 2 | 3%
Medium | 15 | 13 | 9 | 28%
Small | 21 | 17 | 9 | 67%
Totals (%) | 71% | 60% | 38% |
Figure 17. Current IT documentation for small agencies.
Figure 18. Current IT documentation for medium agencies.
Figure 19. Current IT documentation for large agencies.
For survey question 12: If you did not select any of the choices in question 11, please
advise the reason(s) and/or obstacle(s). There were 15 responses, both from Medium (7) and
Small (8) agencies. The two agency sizes responding selected “Cost”, “Time”, and/or “Staff
constraints”. Again, though cost may not be a direct obstacle, with medium and small agencies
reporting time and staff constraints, indirect cost could occur with hiring more staff to alleviate
those obstacles.
Table L
Reasons or obstacles for not having network inventory, schematic, and/or audit documents
Size | Cost | Time | Upper Management | Staff Constraints | Other | %
Large | 0 | 0 | 0 | 0 | 0 | 0%
Medium | 3 | 2 | 0 | 3 | 0 | 46%
Small | 2 | 4 | 0 | 5 | 0 | 53%
Totals (%) | 33% | 40% | 0% | 53% | 0% |
Figure 20. Obstacles for complete IT documentation for small agencies.
Figure 21. Obstacles for complete IT documentation for medium agencies.
Survey question 13: What type of security awareness training and education
standards does your agency currently require? Almost all agencies responded to question 13,
with a total of 54 responses. Most agencies reported having “Annual staff security training”
and/or “current training/certification for IT administration”. A few Medium and Small agencies
reported having “no staff training policy”.
Table M
Type of security awareness training and education standards currently in place
Size | Annual staff security training | Current training/certification for IT administration | No staff training policy | No training/certification for IT administration | %
Large | 1 | 2 | 0 | 0 | 6%
Medium | 11 | 12 | 2 | 0 | 43%
Small | 11 | 12 | 3 | 0 | 51%
Total (%) | 41% | 46% | 10% | 0% |
Figure 22. Security awareness and training for small agencies.
Figure 23. Security awareness and training for medium agencies.
Figure 24. Security awareness and training for large agencies.
The final survey question, 14: If you did not select any of the choices in question 13,
please advise the reason(s) and/or obstacle(s). Ten agencies responded to question 14 with the
majority of responses from the small (9) agencies. Most of the selections were from the “Time”
and “Staff constraints” categories. The two “Other” explanations provided, both from two small
agencies, were “IT Department prefers not to release information due to concerns over security”
and “we have State and Federal forms and training to keep us in compliance”. The indirect cost
of both time and staff constraints could still be an obstacle for small and medium agencies. In the
case of the one response that state and federal forms and training keep the agency compliant,
even if the training is free of charge, the agency still may have to apply overtime to cover
shifts or staff shortages for employees to attend training and certification, as well as travel costs
if travel is involved.
Table N
Reasons or obstacles for not having staff security training and/or current training/certification
for IT administration
Size | Cost | Time | Upper Management | Staff Constraints | Other | %
Large | 0 | 0 | 0 | 0 | 0 | 0%
Medium | 0 | 1 | 0 | 1 | 0 | 10%
Small | 3 | 6 | 0 | 4 | 2 | 90%
Totals (%) | 30% | 70% | 0% | 50% | 20% |
Figure 25. Obstacles for security training and education for small agencies.
Figure 26. Obstacles for security training and education for medium agencies.
Conclusion
The purpose of the research was to reveal compliance or non-compliance of public safety
answering points (PSAPs) that are Next Generation 9-1-1 (NG9-1-1). Based on the survey, all
PSAPs were compliant at the Wireless II stage. Additionally, based on the job titles, respondent
agencies were primarily represented by management personnel who would be in a position to
comment on plans, policies, and obstacles as requested by the survey. Another finding was that a
high percentage of PSAPs had full time network support available. However, 12% had relied on
part time support. From a security perspective this seems to be an important finding. The follow
up question revealed there was no intent to hire and that expense was a key factor in that decision
for small service areas. Although agencies generally had policies for acceptable usage and
password protection, agencies were much less likely to have a wireless policy or an information
classification policy. The data showed that 12% of the agencies did not have a spyware policy.
Spyware can transmit and collect personal identifiable information and with 9-1-1 becoming
Internet-based, the public’s privacy and safety could be compromised unless spyware detection
software is not only installed, but also monitored properly. Time constraints were also reported
by small, 40%, and medium, 50%, agencies as obstacles for security training and education.
Though sample responses did not report NG9-1-1 status yet, agencies working towards
compliance before rolling out NG9-1-1 technologies would strengthen the security of the transition
to providing those technologies to the public they serve. This data shows a sample snapshot of
that transition to compliance.
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS
The purpose of this thesis was to ascertain whether public safety answering points
(PSAPs) have information security management standards in place prior to Next Generation
9-1-1 and to reveal compliance or non-compliance with the National Emergency Number Association
(NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) for nationwide Next
Generation 9-1-1 implementation. Although all were compliant to Wireless II, the category just
below NG9-1-1, the clear answer to the primary research question is “no”. In the previous
chapters, the researcher presented the current literature on information security management for
Next Generation 9-1-1 and the results of a survey study from public safety answering points
(PSAPs) utilizing the National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards or NG-SEC with reports of obstacles and reasons for certain areas of
noncompliance. This chapter offers an answer to each research question, provides implications
and contributions, and makes recommendations for future research in the field.
Discussion of Research Findings
The research questions presented in Chapter 1 asked:
1. What are the Next Generation 9-1-1 information security management standards and
policies?
2. What percent of agencies have Next Generation 9-1-1 status?
3. What percent of agencies are compliant or noncompliant?
4. What are the obstacles and/or challenges for public safety answering points (PSAPs)
that are not compliant with public safety communication information security
standards?
In Chapter 2, the Next Generation 9-1-1 information security management compliance
standards were discussed with a summary of the National Emergency Number Association
(NENA) Security for Next-Generation 9-1-1 Standards. These standards provided the basic
content for the survey.
Question 1: What are the Next Generation 9-1-1 information security management
standards and policies?
The study found that the Next Generation 9-1-1 information security management standards
and policies were established through the National Emergency Number Association (NENA)
Security for Next-Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, with
compliance expected effective immediately for any agency with Next Generation 9-1-1 status.
The standards were presented and discussed in the Chapter 2 literature review.
Question 2: What percent of agencies have Next Generation 9-1-1 status?
The study found that the sample population did not yet have Next Generation 9-1-1 status. The
literature review illustrated that for the past couple of years, some NG9-1-1 technologies were
in process and that agencies were to begin implementation.
Question 3: What percent of agencies are compliant or noncompliant?
The study found the criteria of compliance in the NG-SEC standards, and the survey
mirrored those criteria. Though agencies did not yet have Next Generation 9-1-1 status, and were not
explicitly required to comply with the NG-SEC standards, the results presented in Chapter 4
illustrate that some were either already compliant or were compliant in specific standard
requirements. The results also showed areas in which they were not and provided reasons for not meeting
the standards.
Question 4: What are the obstacles and/or challenges for public safety answering points
(PSAPs) that are not compliant with public safety communication information security
standards?
The study found that in the areas in which agencies did not meet NG-SEC standards, cost, time,
and staff constraints made up the majority of reported obstacles.
Overall, the information collected illustrated that agencies are still working on the Next
Generation 9-1-1 implementation, with the majority not at compliant status with the current National
Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA,
2010), also known as NG-SEC. All agencies reported their current 9-1-1 status was Wireless
Phase II and not Next Generation 9-1-1. As noted in Chapter 2, consumer
technology and needs have outpaced 9-1-1 capabilities, and the sample illustrates that continued gap
(Barbour, 2008). However, the data shows some are already meeting standards or specific
security standards before they have Next Generation 9-1-1 status. This is an encouraging sign of
agencies beginning to think and act upon security policies before compliance is absolutely required,
when they open up their 9-1-1 systems to IP-based communications.
Table O shows the number of compliant and noncompliant agencies for each agency size.
The highest number of responses came from small agencies, but only two reported they were compliant. In the
two other categories, 4 out of 16 total responses from medium sized agencies and 1 out of 2 large
agencies reported being compliant. The table also provides the percentage for each size and for the
overall sample response. Percentage-wise, both medium and large agencies reported higher
compliance. This could be due to these agencies already having network administration security policies
well established from years of computer-aided dispatch and records management database
networks and having more financial and staffing resources than agencies covering less populated
areas. Out of 56 agencies, 13% reported compliance. While it is a low percentage, again, this is
before agencies report Next Generation 9-1-1 status. For the 7 (13%) that reported compliance,
Figure 27 shows the percentage that responded from each agency size. Here it can be seen that
medium agencies (57%) account for the majority of the compliance responses. This could illustrate that
medium agencies already have the funding, staff, and policies laid out from previous network
administration standards, either self-imposed or state mandated, and they may be able to progress
more quickly with Next Generation 9-1-1 security standards than the other populations because the
technology projects may not be as laborious or costly as for larger entities, yet they may have
local revenue sources and staffing capabilities that smaller entities may not.
Table O
Agencies reporting compliance with NG-SEC
Agency Size    Compliant    Noncompliant    % Compliant by Size
Large          1            1               50%
Medium         4            12              25%
Small          2            36              5%
Total %        13%          87%
Figure 27. Reported NG-SEC compliance by agency size.
In Chapter 2, the researcher illustrated the risk and attack exposures to which 9-1-1 entities
become more vulnerable when transforming from a closed analog system to open Internet-Protocol based
systems. According to the publication “Principles of Information Security: Principles and
Practices”, some major categories of attacks are Military and Intelligence Attacks, Business
Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun” Attacks. There is also
the continued threat of malware, as with any IP network. However, unlike a
computer-aided dispatch software program, which could quickly be exchanged for an internal
closed legacy system or even a paper system for backup purposes, a 9-1-1 communications
system would not be as easily replaceable or have much allowance for any downtime, even
temporarily, due to a malware issue. Again, because of financial and staff resources, the burden
could be greater for small agencies, which would be required to interconnect and comply with
security standards. Security is only as good as your weakest link.
The sample of 225 agencies was stratified into three segments by agency size. The range
of agencies within a group varied. Of the 225 agencies, the following numbers and percentages
were represented in the three segments: small (125 agencies, 55%), medium (71 agencies, 32%),
and large (29 agencies, 13%). Numerically, more of the agencies serve smaller populations of less
than 100,000 than serve larger populations. Funding for upgrading and maintaining the current 9-1-1
infrastructures could have a greater impact on smaller agencies, which may not have the financial resources.
The availability of staff, both in time and in number of employees, could also impact the smaller
agencies more. Also, as indicated in Chapter 4, the large agencies had a low response rate: 15%
of the large agency stratum and 3% of the sample responses. This contrasted sharply with the small
sample stratum. In Chapter 2, it was pointed out that since public safety agencies are connected to
extremely sensitive information such as criminal and medical records and filed or ongoing
investigation reports, there is a tremendous need for confidentiality to protect data, citizens, and
public safety officials. This can extend to providing security procedural information, regardless
of anonymity, for a research study. Even though 9-1-1 is a public service, sharing information with
anyone outside known and trusted entities is approached with caution, and, as the few
responses show, this was a factor in the survey study.
When considering just the large agencies, there was an interesting result on question 7.
Only one selected all compliant standards and policies in the survey. However, on question 7,
in addition to selecting all of the information technology (IT) descriptions and
policies, that agency also selected the last choice, “None apply, agency does not have IT
descriptions and policies”. Perhaps the agency simply selected the last choice by mistake,
but it could have been done purposely to make all selections suspect. It is not possible to know for
sure. As for the other agencies, 4 Medium agencies and 2 Small agencies showed compliance.
In question 4 of the survey, all 56 respondents chose the category that best described their
current information technology (IT) or Network Administration. The majority selected “Full-time
internal” (60%) and the second most selected was “Full-time external” (28%), making full-time
network administration coverage 88% for agencies. Of the 12% that have less than full-time or no
current network administration, the majority are small agencies. As the Michigan Next Generation
9-1-1 Feasibility Study conducted by L.R. Kimball notes, “network management of an IP-based
9-1-1 network is crucial in providing the level of service expected by the residents of PSAPs” and
these networks will require an uptime of 99.999% availability or better (Kimball,
2010). Figure 30 below shows the percentage of the agencies that reported part-time or no
current network administration.
Figure 28. Part-time or no current network administration by agency size.
According to the results, both large and medium size agencies have some type of internal or
external IT/Network Administration, either part-time or full-time. A few small agencies (5%)
still have no type of IT/Network Administration; however, of all three strata sizes, small
agencies replied the most (86%) to either part-time or no current network administration. It could
be concluded that small agencies are not able to have full-time network administration because of
the lack of both financial and staff resources.
The most reported obstacles for areas not in line with NG-SEC were costs, time, and staff
constraints. Time and staff constraints could also be viewed as an indirect cost issue. Since
more demanding technology requirements are unlikely to alleviate time and staff issues,
more staff would need to be hired or services employed, which again amounts to cost. As
discussed in Chapter 2, the New York state study involving Wireless Phase I and Wireless Phase
II cellular 9-1-1 communications showed funding as the biggest hurdle for technological
upgrades for their Enhanced Wireless technologies 9-1-1 project (Bailey & Scott, 2008). And
with the United States still recovering from the 2008 economic crisis, cost factors heavily for
public safety agencies, both in funding the initial transition of 9-1-1 technologies to Next
Generation 9-1-1 and in the continued expenditure for maintenance and upgrading.
In a 2009 article, Mary Rose Roberts discussed consolidation of Next Generation 9-1-1
enabled public safety answering points (PSAPs) and illustrated both economic and shared
resource benefits. She explained that technology improvements are growing exponentially and
even though costs were lowering in the consumer markets, it still behooved agencies to share
resources to save money, as well as to gain the benefit of sharing intelligence. But it remains to be seen
whether the cost of transitioning 9-1-1 systems and continued upgrades will be economically feasible for
agencies, since each 9-1-1 entity's needs vary, as well as their means for paying for all direct and
indirect costs. Also, with sharing resources, agencies that have political differences may not
find this alternative attractive, despite possible economic savings.
In question 6 of the survey, information was collected on the obstacles or reasons for
agencies not hiring network administration employees or services. The four agencies that
responded to question 6 selected three categories, which were “Cost” (75%), “Other” (50%),
and “Upper Management” (25%). It is not surprising to see that “Cost” was selected the most.
Small agencies may have a difficult time with financial resources for network administration
services with smaller government budgets, yet the survey responses show promise that small
agencies are finding ways to provide this service. The “Other” category was selected twice and
the explanations for each were, “I do it” and “we have a staff member currently enrolled in
college to get his degree for our IT, as the County only has 2 full time IT but they are for the
entire county and we have to wait on their availability. We have current State and Federal
policies in place and try to stay in compliance with NENA/APCO standards”. The agency that
responded “I do it” also reported their role as 9-1-1 Manager/Upper Management.
This illustrates that one person is fulfilling two roles, both 9-1-1 center manager and network
administration services. It could also be categorized as another cost or staff issue due to having one
person doing two separate job roles. This could be problematic since both roles can be full-time
responsibilities for an agency. The second “Other” response shows the agency has a 9-1-1 staff
member receiving technology education to remedy their issue of not having a dedicated 9-1-1
network administrator. This is a forward-thinking approach to the possible demands of network
administration once Next Generation 9-1-1 is fully implemented. Figure 29 shows the percentages
of small agency responses to the obstacles and/or reasons for not having full-time network
administration on their systems.
Figure 29. Obstacles for not having full-time network administration for small
agencies.
The information technology (IT) descriptions and policies questions generated a wide
variety of responses. There were a few that selected all and a few who advised they currently do
not have any IT policies. The two categories selected the least (with the exception of
“None apply”) were “System Control” (31%) and “System Patching” (33%). The National
Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA,
2010) defines System Control as controlling changes and status within the system, hardware,
software, and backups (NENA, 2010, p. 46). NENA explains System Patching as updating
operating systems, other software, or hardware devices to address critical security vulnerabilities
(NENA, 2010, pp. 46-47). All other categories had a response of 51% or higher. The top two
categories selected were “Acceptable Usage” and “Password Policy” (both 93%). Not one
category was selected by all 56 agencies. But the results did show that the 2 Large agencies
selected almost all categories, compared to the Medium and Small agencies. “Wireless
Policy” and “Incident Response” were the only categories that a large agency did not
select. Even though only two large agencies responded to the survey, it could
be shown with further research that large agencies fulfill the IT descriptions and policies for
NENA. However, again, another study surveying more or all public safety answering points (PSAPs)
would be needed for further analysis.
The next question asked agencies that were Next Generation 9-1-1 capable, and that had not
selected one or more of the descriptions and policies listed in question 7, to select the
reason(s) and/or obstacle(s). As the researcher already stated, all agencies advised in question 1 that their current
highest/most advanced status/capability was Wireless Phase II. None selected Next
Generation 9-1-1 status/capability. Yet in question 8, thirty-two agencies made one or more
selections to report obstacles. The majority of those responding were small agencies (78%) and
22% were from medium agencies. None of the large agencies responded. It is unclear to the
researcher why several of the agencies responded to this question when all had stated they were
not Next Generation 9-1-1 status and did not have to respond at all. It brings another uncertainty
about the accuracy of the respondents' answers within the survey, whether from not reading the
questions completely, the questions not being worded properly, or not providing consistent
information, either intentionally or unintentionally.
Questions 9 and 10 requested information about detection software and obstacles if both
were not currently used at the agency. All 56 agencies responded and selected that they were
currently running anti-virus software on all servers and end user computers. Spyware detection
software usage received an 88% response, with 81% of medium agencies and 90% of
small agencies selecting the category, leaving only 10-20% not utilizing anti-spyware software.
The obstacles and/or reasons stated were “Time” and “Staff Constraints”. Yet only one small
agency responded to that particular question. The other six did not reply.
A 2009 study by Ponemon Institute summarized information security assessments
of network traffic from 754 corporate respondents for the presence of malware. The presence of
active malware infections was shown to be 100%; Internet Relay Chat bots, 72%; network worms,
42%; generic malware, 81%; and information stealing malware, 56%. Figure 32 shows the bar
graph illustration of the study (Ponemon, 2009).
Figure 30. Presence of malware in network traffic (Ponemon, 2009).
Malware is a problem in corporate settings, as shown in the above figure; however, having
9-1-1 systems exposed to this type of malware problem can cause serious issues not only for
the systems themselves, but for public safety. The medium and small agencies that reported
not having anti-virus and/or spyware detection already installed on their non-9-1-1 system
networks are exposing their emergency networks to great risks. It can also be mentioned that
even with anti-malware software installed, the risk is there, especially since the corporations
involved in the Ponemon study were running anti-malware software on their systems.
Another set of inquiries dealt with current network inventory, schematics, and audit
documentation on file. A total of 53 agencies responded, with both Large agencies having all
three documents on file. Network inventory documentation had the highest response (71%), with
network schematic the second most reported (60%), and annual internal audit
documentation the least selected (38%). The obstacles and reasons provided by Medium and Small agencies for
not having one or more of the three categories of documentation were mostly “Staff
constraints” (53%), “Time” (40%), and “Cost” (33%). With these responses, it could be
concluded that agencies with a jurisdiction size under 500,000 have less staff to dedicate, or less funding,
to produce and maintain these types of documents annually.
The last two questions in the survey dealt with security training for both technical and
non-technical staff. Question 13 inquired what type of security awareness training and education
standards the agency currently requires, and question 14 requested reasons and/or obstacles if
one or more of the categories in question 13 were not selected. None of the agencies selected
“No training/certification for IT administration”. Only 10% (2 from Medium and 3 from Small
agencies) selected “No staff training policy”. Many of the agencies responding reported that they
conducted annual staff security training, that their network administration
employees or contractors were current with annual training and certifications, or both.
Limitations
There are limitations to this thesis study. Some limitations have been presented in
Chapter 1. One limitation is that the study arrives at the genesis of Next
Generation 9-1-1 standards and implementation, which limits the availability of shared studies on
National Emergency Number Association (NENA) Security for Next-Generation 9-1-1
Standards (NENA, 2010) or NG-SEC compliance. Another limitation is the number of Next
Generation 9-1-1 status entities nationwide. Specific to information technology (IT)
management, a limitation of the study is the wide scope of examining nationwide Next
Generation 9-1-1 IT management. An additional limitation is that the population sampled was only a
small sample of the entire population of public safety answering points (PSAPs) in the nation. The number of
responses was another limitation; the feedback received indicated that the lack of survey participation was
due to agencies not being familiar with the researcher or the school and not wanting to share
information with non-government or outside sources. The survey dealt with compliance with
NG-SEC standards and policies, and there is possible participant bias, with some respondents choosing more
or all compliant selections.
Implications and Contributions
The thesis study focused on the National Emergency Number Association (NENA) Security
for Next-Generation 9-1-1 Standards (NENA, 2010). The overall responses resulted in some of
the questions producing very straightforward selections and feedback. Others generated
conflicting data. The most reported obstacles and/or reasons for not
selecting a particular standard section were cost and time. With the current economy presenting financial
constraints, employee cutbacks or hiring freezes, along with continued added responsibilities for
9-1-1 and information technology management placed on public safety communication agencies,
the obstacles do not appear likely to be relieved anytime soon. This may perhaps be slowing the
nationwide implementation of Next Generation 9-1-1 technologies in general and may prolong
the full implementation for several more years than expected. In an announcement made by the
Federal Communications Commission in November 2011, they identified seven states that diverted
a portion of 9-1-1 fees for non 9-1-1 purposes in 2010. The report shows a decline from previous
years and that in the future the federal government will require states to collect even more detailed
9-1-1 collection fees in order to pay for Next Generation 9-1-1 technologies. Receiving accurate
information will also help not only with transparency, but also in making sure that 9-1-1 entities that do not
have the capability to keep up with technologies based on their fees collected may receive some
assistance in order to provide the same 9-1-1 services throughout the nation.
There is no specific public study at the time of this thesis examining compliance or
non-compliance with the National Emergency Number Association (NENA) Security for
Next-Generation 9-1-1 Standards (NG-SEC), and this research provides a study on this specific topic.
The findings also present the obstacles explaining why agencies are not compliant with NG-SEC
standards and policies. The results of the survey data analysis show some agencies are compliant
and/or have some standards and policies already in place, despite having Wireless Phase II status
and not Next Generation 9-1-1 status. The thesis study is a foundation for further research, either
studying compliance and non-compliance for public safety communication agencies or
examining more specific areas of compliance within each of the National Emergency Number
Association (NENA) Security for Next-Generation 9-1-1 standards.
Recommendation for Future Research
This thesis study focused on the National Emergency Number Association (NENA)
Security for Next-Generation 9-1-1 Standards compliance and non-compliance on a small scale
in which 225 public safety answering points (PSAPs) were contacted from a total of 6,130
primary and secondary PSAPs (NENA, 2011, October). A study that surveyed the entire public
agency population and allowed a better comparison of large, medium, and small agencies would
be beneficial. Also, as stated previously, examining more specific areas of compliance within the
NENA Security for Next-Generation 9-1-1 standards, such as national or regional
physical security, acceptable usage, or incident response policies, would be beneficial. Future studies
could compare compliance between agency size segments, rural versus metropolitan entities, or regional
sections within the United States (East, South, Midwest, Southwest, Pacific Northwest, West
state regions). Another recommendation would be to examine survey styles that work best with
government and/or public safety entities to allow a higher response rate. This study could also be
repeated in a few years' time to see if any differences or changes have occurred.
Conclusion
Traditional 9-1-1 communications has continued to fall behind the needs of the
consumers’ Internet and mobile lifestyle and the increasing disappearance of fixed-line
communication (Luna, 2008). Next Generation 9-1-1 will transform the current analog 9-1-1
communications systems into Internet-Protocol or IP-based systems to allow 9-1-1 call takers
to receive the same location and unit information as they do now with landline or fixed-line
telephone systems, as well as communicate with citizens and emergency response units via text
and mobile. Next Generation 9-1-1 will also provide the capability to exchange photos and videos
through Internet Protocol (IP)-based communication (Lipowicz, 2009).
This research examined the current information security management landscape of 9-1-1
public safety communication centers upon the beginning stages of Next Generation 9-1-1, which
is the implementation of switching analog communication systems to Internet-Protocol (IP)
communication systems. The study utilized the National Emergency Number Association
(NENA) Security for Next-Generation 9-1-1 Standards for public safety communication
information security management policy and procedure compliance examination. The researcher
provided a literature review in Chapter 2 describing the evolution of 9-1-1, Next Generation 9-1-
1 technologies, and National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards. In Chapter 3, the researcher provided a methodology for the survey
study of compliance and presented the results in Chapter 4. Conclusions of the result findings
were examined in Chapter 5, along with limitations and recommendations for further research.
This thesis serves to add to a body of work specifically targeted at Next Generation 9-1-1’s
information security management, both now and in the future.
REFERENCES
Arizona State University (2011, October 25). Debt crisis: Similarities, differences and lessons learned from the U.S. and Europe. Retrieved from http://knowledge.wpcarey.asu.edu/pdf.cfm?aid=1095.
Bailey, B., & Scott, J. (2008). The New York state wireless enhanced 911 project: lessons
learned. Informally published manuscript, Department of Emergency Medicine, Upstate Medical University, Syracuse, New York.
Barbour, J. (2008, March 1). What a 40 years it has been. Urgent Communications. Retrieved
from http://urgentcomm.com/mag/radio_years/ Breithaupt, J., & Merkow, M. (2006). Principles of information security: Principles and
practices. Upper Saddle River, NJ: Pearson Education, Inc. Bruce, G., Newton, J., & Vaughan, E. (2011). Next generation networks for public safety: Build
locally to achieve nationally. Digital Communities. Folsom, CA. Classroom Assessment. (2011). Reliability and validity. Retrieved from
http://fcit.usf.edu/assessment/basic/basicc.html Collins, H. (2008, April 18). Virtualization raises new cyber-security questions for government.
Government Technology. Retrieved from http://www.govtech.com/gt/381048 Colorado State University (2012). Advantages and disadvantages of the survey method.
Retrieved from http://writing.colostate.edu/guides/research/survey/com2d1.cfm DeLine, R., Ko, A., & Venolia, G. (2007). Information needs in collocated software development
teams. Microsoft Research. Retrieved from http://faculty.washington.edu/ajko/talks/ICSE2007InformationNeeds.pdf
Douglas, M. (2008, September 1). Not to worry. Urgent Communications. Retrieved from
http://urgentcomm.com/psap/mag/radio_not_worry/ Douglas, M. (2009, June 1). Route and roll. Urgent Communications. Retrieved from
http://urgentcomm.com/networks_and_systems/mag/psap-ip-technology-progress-200906/.
Experiment-Resources (2011). Retrieved from http://www.experiment-resources.com/empirical-
research.html Federal Communications Commission. (2008, September 17). FCC consumer advisory for VoIP
and 911 services. Retrieved from http://www.fcc.gov/cgb/consumerfacts/voip911.html
81
Federal Communications Commission (2011, November 8). FCC releases third annual report to congress on state collection and distribution of 911 and enhanced 911 fees and charges. Retrieved from http://transition.fcc.gov/Daily_Releases/Daily_Business/2011/db1108/DOC-310895A1.pdf
Federal Information Processing Standards Publication. (1994, November 9). Guideline for the
analysis local area network security (FIPS PUB 191). Washington, DC: U.S. Government Printing Office.
Gagner, Jr., R. P. (2005). Voice over internet protocol: Secure or not recommendations to the
business and private sector. (Informally published by Department of Management Information Systems, Bowie State University, Bowie, Maryland.) Retrieved from http://74.125.155.132/scholar?q=cache:hVNP3pz7Y4AJ:scholar.google.com/+9-1-1+VoIP&hl=en
Genachowski, J., (2011). Proceedings from 2011 APCO Conference August 20: Five step action
plan to improve the deployment of next generation 9-1-1(NG911). Philadelphia, PA. Retrieved from http://www.fcc.gov/document/fact-sheet-five-step-action-plan-improve-deployment-next-generation-9-1-1-ng911
Hamilton, J. (2009, April 22). Florida county uses next-generation 911 system to enhance public
safety. Emergency Management. Retrieved from http://www.emergencymgmt.com/safety/Florida-County-Uses-Next-Generation.html
H.R. 3403. 110th Congress: NET 911 Improvement Act of 2008. (2007). In GovTrack.us
(database of federal legislation). Retrieved November 17, 2011, from http://www.govtrack.us/congress/bill.xpd?bill=h110-3403
International Organization for Standardization. (2005, October 15). Information technology-
security techniques-information security management systems-requirements. (ISO/IEC 27001). Geneva, Switzerland. Retrieved from http://webstore.iec.ch/preview/info_isoiec27001%7Bed1.0%7Den.pdf
Intelligent Transportation Systems. (2009). Next generation 9-1-1 (NG 9-1-1) system initiative: Proof of concept testing report. Retrieved from http://www.its.dot.gov/ng911/pubs/NG911_POC_TestReport_FINAL091708.htm Israel, G. (2009). Sampling issues: Nonresponse. University of Florida. Retrieved from http://edis.ifas.ufl.edu/pdffiles/PD/PD00800.pdf Kim, J. Y., Song, W., & Schulzrinne, H. (2006). An enhanced VoIP emergency services prototype. Retrieved from
http://74.125.155.132/scholar?q=cache:-FXMTV-40UUJ:scholar.google.com/+9-1-1+VoIP&hl=en
82
Kimball, L. (2010). Next generation 9-1-1 feasibility study. Retrieved from
http://www.michigan.gov/documents/msp/Michigan_Next_Generation_9-1-1_Feasibility_Study_304211_7.pdf.
Kimball, L. (2011). The critical role of GIS in NG9-1-1. (White Paper CT.T79.2011-07.WP014)
Retrieved from http://www.lrkimball.com/forms/download.aspx?d=CT&at=WP&an=The%20Critical%20Role%20of%20GIS%20in%20NG9-1-1&e=457&r=/index.aspx&n=&m=M14,&cg=62,
Kotapati, K. (2008). Assessing security of mobile telecommunication networks. The Pennsylvania State University. ProQuest Dissertations and Theses, Retrieved from http://search.proquest.com/docview/807444193?accountid=38189 Leedy, P. (2010). Practical research: planning and design. Upper Saddle River, NJ: Pearson
Education, Inc. Lipowicz, A. (2009, August 11). Nextgen 911 shows versatility. Federal Computer Week.
Retrieved from http://www.fcw.com/Articles/2009/08/11/Vendor-demonstration-NextGen-911-calls.aspx
Lorino, P., (2008). Pragmatism-inspired methods for the study of complex situations: A dialogical and mediated inquiry approach. Retrieved from http://egosnet.org/jart/prj3/egosnet/data/uploads/OS_2008/W-102.doc.
Luna, L. (2008, August 1). Interlocking pieces. Urgent Communications. Retrieved from
http://urgentcomm.com/mag/radio_interlocking_pieces/index.html Mannion, A. (2009, September 1). The next generation of 911. The American City & County
124(9), 14. Mary, R. R. (2010). Cyber breaches threaten next-gen 911. Fire Chief. Retrieved from http://search.proquest.com/docview/216135858?accountid=38189 Moore, L. K. (2009, June 16). Emergency communications: The future of 911. Congressional
Research Service. Retrieved from http://pdf.911dispatch.com.s3.amazonaws.com/crs_911_june2009.pdf
National Emergency Number Association. (2011, November 12). NG 9-1-1 project: Overall
NG9-1-1 status. Retrieved from http://www.nena.org/?page=NG911_OverallStatus National Emergency Number Association. (2010, February 6). Nena security for next-generation
9-1-1 standards. Retrieved from http://www.nena.org/standard/NG9-1-1_Security
National Emergency Number Association. (2011, February 24). Nena ng9-1-1 transition plan considerations. Retrieved from http://www.nena.org/?page=NG911_TransPlanning
National Emergency Number Association. (2011, November 12). 9-1-1 statistics. Retrieved from http://www.nena.org/?page=911Statistics
National Institute of Standards and Technology. (2003). Building an information technology security awareness and training program (NIST SP-800-50). Washington, DC: U.S. Government Printing Office.
National Institute of Standards and Technology. (2005). Security considerations for voice over IP systems (NIST SP 800-58). Washington, DC: U.S. Government Printing Office.
Oscarson, P. (2007). Actual and perceived information systems security. (Doctoral dissertation, Retrieved from http://sh.diva-portal.org/smash/get/diva2:16984/FULLTEXT01.
Parker, S., & Wisely, S. (2009). Guide to information sharing and data interoperability for local communication centers. Proceedings of the Apco international 75th annual conference (pp. 1-45). Washington, DC.
Peerbolte, S. (2010). A quantitative study of critical thinking skills amongst local emergency managers. Retrieved from ProQuest Digital Dissertations http://search.proquest.com/docview/305222946?accountid=38189
Ponemon Institute. (2009). Anatomy of data-stealing malware: a study of enterprise security & it security practitioners. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_data-stealing-malware.pdf.
Roberts, M. R. (2009, March 1). Under one roof. Urgent Communications. Retrieved from http://urgentcomm.com/policy_and_law/mag/economy-drive-psap-consolidation-0301/index.html
Salkind, N. (2010). Statistics for people who (think they) hate statistics: Excel 2007 edition. Thousand Oaks, CA: SAGE Publications, Inc.
StatPac. (2011). Survey design, hosting, & analysis. Retrieved from http://www.statpac.com/tab-house.htm
Strebe, M. (2004). Network security foundations: Technology fundamentals for it success. Alameda, CA: Sybex.
TechSoup.org. (2011, January 19). Virtualization 101. Retrieved from http://www.techsoup.org/learningcenter/software/page4826.cfm
Tejay, G. (2008). Shaping strategic information systems security initiatives in organizations. (Doctoral dissertation). Virginia Commonwealth University. Richmond.
The National E9-1-1 Implementation Coordination Office. (2009). A national plan for migrating to ip-enabled 9-1-1 systems. Washington, DC: Government Printing Office. Retrieved from www.911.gov/pdf/National_NG911_Migration_Plan_FINAL.pdf
United States Census (2010). Retrieved from http://2010.census.gov/2010census/
Whittington, C. (2009, June 1). Money well spent. Urgent Communications. Retrieved from http://urgentcomm.com/networks_and_systems/commentary/ng-911-training-200906/
Yin, R. K. (1984). Case study research: Design and methods. Beverly Hills, CA: Sage Publications.
Zainal, Z. (2007). Case study as a research method. Retrieved from http://eprints.utm.my/8221/1/ZZainal2007-Case_study_as_a_Research.pdf.
APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION
SECURITY MANAGEMENT SURVEY
1. What is the population range of your agency's jurisdiction? (Select ONE):
[ ] 1-99,999
[ ] 100,000-499,999
[ ] 500,000 or greater
2. What is your agency's current 9-1-1 status/capability? (Select ONLY the highest/most
advanced that applies to your agency):
[ ] Basic 9-1-1
[ ] Enhanced 9-1-1
[ ] Wireless Phase I
[ ] Wireless Phase II
[ ] Next Generation 9-1-1
3. Which BEST describes your main job title/role at your agency? (Select ONE):
[ ] 9-1-1 Supervisor (middle management)
[ ] 9-1-1 Manager (upper management)
[ ] 9-1-1 IT/Network Administrator (technical management)
[ ] Other, explain
4. What BEST describes your current IT/Network Administration at your agency? (Select
ONE):
[ ] No internal or external IT/Network Administrator
[ ] Agency has a part-time (non-24/7/365) internal IT/Network Administrator
[ ] Agency has a full-time (24/7/365) internal IT/Network Administrator
[ ] Agency has a part-time (non-24/7/365) external IT/Network Administrator
[ ] Agency has a full-time (24/7/365) external IT/Network Administrator
5. If your agency has "No internal or external IT/Network Administrator", does your
agency anticipate employing or contracting an IT/Network Administrator?
[ ] Yes
[ ] No
6. If you answered "No" to either question 5, please explain the reason and/or
obstacles of why your agency does not anticipate doing so?
[ ] Cost
[ ] Upper management
[ ] High turnover
[ ] Lack of qualified resources
[ ] Other, explain
7. What type of Information Technology (IT) descriptions and policies does your agency
currently have in place? (Select ALL that apply):
[ ] Acceptable Usage Policy
[ ] Password Policy
[ ] Information Classification Policy
[ ] Data Protection Policy
[ ] Wireless Policy
[ ] Physical Security Policy
[ ] Remote Access Policy
[ ] Access Control/Least Privilege Policy
[ ] System Change Policy
[ ] System Patching Policy
[ ] Incident Response Policy
[ ] None apply, agency does not have IT descriptions and policies
8. If your agency is Next Generation 9-1-1 capable and any of the following
descriptions and policies listed in question 7 were not selected please select the
reason(s) and/or obstacle(s). (Select ALL that apply):
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain
9. Select the following software your agency currently runs on all servers and end user
computers?
[ ] Anti-virus software
[ ] Spyware detection software
10. If you did not select one or both of the choices in question 10, please advise the
reason(s) and/or obstacle(s) your agency has for not running anti-virus and/or spyware
detection software on all server and end user computers?
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain
11. Does the agency have the following on file (Select ALL that apply):
[ ] Current network inventory
[ ] Current network schematic
[ ] Current annual internal network audits
12. If you did not select any of the choices in question 11, please advise the reason(s)
and/or obstacle(s). (Select ALL that apply):
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain
13. What type of security awareness training and education standards does your agency
currently require? (Select ALL that apply):
[ ] Employees engage in annual security awareness training
[ ] Employees or contracted individuals responsible for system and security
administration receive current security training and certification on their assigned
system(s)
[ ] Agency does not have a security awareness training policy for employees
[ ] Agency does not have a security training and certification for employees or contracted
individuals responsible for assigned systems.
14. If you did not select any of the choices in question 13, please advise the reason(s)
and/or obstacle(s). (Select ALL that apply):
[ ] Cost
[ ] Time
[ ] Upper management
[ ] Staff constraints
[ ] Other, explain
APPENDIX B.
NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY
MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTERS
Principal Investigator Natalie Yardley
PARTICIPANT INFORMED CONSENT
October 2011
Please read the following material that explains this research study. Completing this survey form will indicate that you have been informed about the study and that you want to participate. We want you to understand what you are being asked to do and what risks and benefits, if any, are associated with the study. This should help you decide whether or not you want to participate in the study.
You are being asked to take part in a research project conducted by Natalie Yardley, a graduate student in the University of Advancing Technology program of Information Assurance. This project is being done under the direction of Dr. Robert Morse, Program of Thesis Studies. Natalie Yardley can be reached at 913-426-5328 or [email protected].
Project Description: This research study is about examining information security management in public safety centers. The survey will collect information from 9-1-1 center managers in the United States about the current information security management landscape for public safety answering points (PSAPs). The researcher will analyze the answers provided with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards. The information gathered will provide valuable data about the current information security management posture for 9-1-1 centers at the dawn of a nationwide Next-Generation 9-1-1 implementation.
You are being asked to be in this study because of your leadership and management position at your agency. Your name and contact information were collected through your local Association of Public-Safety Communication Officials (APCO) chapter public website. It is entirely your choice whether or not to participate in this study. Your answers will provide vital information to the research.
If you agree to take part in this study, you will be asked to click the SurveyMonkey.com link provided in the email and answer a set of 10 questions. The questions will consist of either multiple choice or Yes or No answers. You will be required to answer all of the 10 questions to complete the survey. Once you have answered all questions, click the Done button at the bottom to submit your survey answers.
Participating should take approximately 10 minutes of your time. You will be asked questions about your agency's 9-1-1 status/capabilities (e.g. Basic 9-1-1, Enhanced 9-1-1, Wireless Phase I) and whether you have a designated IT/Network Administrator. The survey will ask whether your agency has a written network security policy, provides computer security education training for employees, runs anti-virus and spyware software, conducts network backups, and has a disaster plan.
The answers you provide will be collected anonymously through SurveyMonkey.com and will not be associated with your agency or your name. The answers collected from the survey will be used for the purpose of the study described in the Project Description.
Questions? If you have any questions regarding your participation in this research, you should ask the investigator before completing the survey. If you should have questions or concerns during or after your participation, please contact Natalie Yardley at 913-426-5328 or [email protected].
Authorization: I have read this project description about the study or it was read to me. I know that being in this study is voluntary. I choose to be in this study. I know that I can withdraw at any time.
Thank you very much for your consideration and participation. It is greatly appreciated.