Non-profits must realize that as large corporations and online businesses better protect their information and systems, data thieves and hackers shift their attention to institutions with weaker information security practices, like non-profits. Non-profits possess an abundance of financial and personal information such as bank account numbers, credit card numbers, dates of birth and Social Security numbers, all of which are very valuable in the wrong hands. Additionally, non-profits have the fewest qualified professionals equipped to manage an effective Information Security program. A Washington Post article reported that data breaches increased by 69% from 2007 to 2008. It's an alarming statistic that shows no signs of slowing down.
Learn what Defines Personal Information
States like Arizona and Massachusetts have created laws to hold organizations more accountable for personal information. The definition of personal information in the MA and AZ statutes goes like this, and it is generally great guidance:
It begins with a natural person's first name or first initial and last name, in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
- Social Security number,
- Driver's license number or identification card number, and
- Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
Source: Non-profit Times - http://www.nptimes.com/08Nov/npt-081115-3.html
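The definition above is a rule, and a rule can be checked automatically against the records an organization actually holds. The following is an added example (not from the article or from either state's statute) that applies the MA/AZ test to a constructed set of donor records: a record is flagged only when a first name or first initial and a last name appear together with at least one triggering element, and the encryption exception is honored. The field names, the `Record` class and the sample values (including the placeholder SSN) are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Record:
    """One row from a hypothetical donor/member database (field names are assumed)."""
    first_name: str = ""
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    state_id: str = ""
    account_number: str = ""   # bank account, credit card or debit card number
    access_code: str = ""      # PIN, CVV, password or other code permitting account access
    encrypted: bool = False    # True when the name and data elements are stored encrypted


# Elements that, on their own, trigger the definition when paired with a name.
ID_ELEMENTS = ("ssn", "drivers_license", "state_id")


def has_qualifying_name(rec):
    """First name OR first initial (e.g. 'J.'), together with a last name."""
    first = rec.first_name.strip().rstrip(".")
    last = rec.last_name.strip()
    return first.isalpha() and last != ""


def triggering_elements(rec):
    """Return the data elements present in the record that trigger the definition."""
    found = [f for f in ID_ELEMENTS if getattr(rec, f).strip()]
    # A financial account number counts only when a code or password that would
    # permit access to the account is stored alongside it.
    if rec.account_number.strip() and rec.access_code.strip():
        found.append("account_number+access_code")
    return found


def is_personal_information(rec):
    """Return (flag, elements). Encrypted records fall under the statute's exception."""
    if rec.encrypted or not has_qualifying_name(rec):
        return False, []
    elems = triggering_elements(rec)
    return bool(elems), elems


def classify(records):
    """Bucket records by hypothetical classification level: 'restricted' needs the
    strongest controls (encryption, least privilege, destruction schedule)."""
    buckets = {"restricted": [], "internal": []}
    for i, rec in enumerate(records):
        flag, elems = is_personal_information(rec)
        buckets["restricted" if flag else "internal"].append((i, elems))
    return buckets


# Constructed sample data; "000-00-0000" is a placeholder, not a real SSN.
SAMPLE_RECORDS = [
    Record("Jane", "Donor", ssn="000-00-0000"),                           # name + SSN -> PI
    Record("J.", "Donor", account_number="12345678", access_code="4321"),  # initial + account + PIN -> PI
    Record("Jane", "Donor", account_number="12345678"),                    # account number alone -> not PI
    Record("Jane", "Donor", ssn="000-00-0000", encrypted=True),            # encrypted -> exception applies
    Record("", "Donor", drivers_license="D1234567"),                       # no first name/initial -> not PI
]

if __name__ == "__main__":
    for level, items in classify(SAMPLE_RECORDS).items():
        print(level, items)
```

Run as a script, it prints which sample records land in the "restricted" bucket and which elements put them there; the same two functions can be pointed at a real export to produce the inventory the next section asks for.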
How to Start a Data Privacy Program
So where does a non-profit start? Start at the top!
The first thing that any organization must do to protect the confidentiality of the data it collects is to establish executive governance over it, which flows from the top down in the organization. Create a written data privacy policy, sponsored by the executive board, that all staff MUST follow. The policy should give clear guidance on how all data is handled within the organization, from information that is shared with the general public to data that must be protected as required by laws and industry regulations. Group the organization's data by classification level, from most risky to least risky. The classification of the organization's data will help determine the appropriate controls to apply to ensure the confidentiality, integrity and availability of the information. More importantly, it will demonstrate "Due Diligence" and "Due Care" by the organization in protecting the privacy of its clients, donors, members and staff.
According to Non-Profit Technology News, organizations can begin doing the following to lower the risks associated with collected data:
- Begin with a top-to-bottom review of all sensitive or confidential information that's in-house;
- Assess what data must be kept, what can be stored in (and easily accessed from) a remote location, and perhaps most important, what can be discarded;
- Determine who needs access to the data and why, and provide only those people with password-protected access to the data;
- Make sure that the data you do have is backed up on a regular basis in a secure, remote location;
- If your organization can afford it, hire an independent security expert to review your data security policies and procedures. ("It never fails to surface things that never really were an issue to anyone," says Hart.)
- Don't store complete credit card information on site;
- Limit physical access to servers;
- Be aware of what confidential and sensitive information is on printed (paper) files, and make sure that all such files are kept secure at all times;
- Make certain that your Web site complies with fundamental, industry-standard encryption and security measures in the processing of personal information and donation collections.
In addition to the recommendations above, I recommend the following:
- Create a data destruction policy, which states how long sensitive information should be kept and the manner in which old computers, storage media and paper documents are wiped clean or destroyed, to ensure that the risk of the information being compromised is eliminated.
- Any data about clients, donors or members that is carried on a laptop or external media MUST be encrypted. Encryption software is not very costly, and an organization avoids having to notify individuals of a security breach if an encrypted laptop or encrypted external media is lost or stolen. Incidents like this can be very costly financially and, most importantly, damaging to the reputation of the organization;
- Don't keep or collect banking account or credit card information after it is no longer needed;
- Data that is burned or copied to external media must ALWAYS be encrypted to ensure safe transport;
- Don't give more access to an individual than is needed for them to do their job;
- Incorporate "Separation of Duties" to reduce risks of fraud. Don't allow one person to be the only one responsible for generating and approving financial transactions.
- Don't allow a single individual to have complete access to an organization's sensitive data;
- Use certified donation-collecting technology from external vendors to reduce the risk of unauthorized access to sensitive data or transactions.
- Conduct an annual data access review of individuals to determine who has access to what, and if their level of access is still needed.
- If the non-profit can't afford the services of an Information Security professional to review their security needs, then alternative arrangements like bartering may help obtain needed security services. For example, freebies like memberships and waived conference fees may be accepted in return for security services.
- Create an Incident Response Policy which gives guidance for the organization to follow in the event of a data security breach; this ensures that the organization reduces any further liabilities under privacy laws or industry regulations resulting from a data breach;
- The best defense against data theft is actually very basic in nature, and it is "Awareness". Organizations should require that individuals who handle sensitive data take Information Security Awareness training every year to stay sharp and alert regarding their responsibility to protect confidential information.
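Two of the recommendations above, "don't store complete credit card information on site" and "don't keep banking or card information after it is no longer needed", are only enforceable if you can find where full card numbers are actually sitting. The following is an added example, not code from the article or from any vendor, of a small scanner that walks a constructed donor export, uses the Luhn check to separate real card numbers from look-alike digit strings such as membership numbers, and reports and masks hits, keeping only the first six and last four digits. The export format, the column names and all sample values (including the well-known 4111... and 5500... test card numbers) are assumptions made for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; every real payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits; the rest is replaced with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (line_number, masked PAN) for each Luhn-valid hit.
    The full number is never returned, so the report itself is safe to file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits


def redact(text):
    """Return a copy of the text with every Luhn-valid PAN masked in place."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, text)


# Constructed sample export (hypothetical columns and people). Membership numbers
# are 13 digits long on purpose: they match the regex but fail the Luhn check.
SAMPLE_EXPORT = """\
donor_id,name,membership_no,card_on_file,notes
1001,Jane Donor,1234567890123,4111 1111 1111 1111,annual gala
1002,John Member,1234567890124,none,phone 704-555-0199
1003,Pat Giver,1234567890125,5500-0000-0000-0004,
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: full card number stored ({masked})")
    print(redact(SAMPLE_EXPORT))
```

The Luhn filter is what keeps the noise down: without it, every 13-to-19-digit membership, invoice or tracking number in a spreadsheet becomes a false positive, and staff stop reading the report. Redaction is shown for completeness; in practice the finding should lead to deleting the data or moving card handling to a certified processor, as the list above recommends.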
Basics of Information Security Protection - Practice with Consistency!
Bmighty.com reports that in 2008, over 285 million records were compromised, and 90% of the breaches reported would not have occurred if the most BASIC security fundamentals had been followed:
- Change default credentials – this means the out-of-the-box administrative accounts and passwords;
- Don't share credentials;
- Patch immediately and comprehensively upon patch availability;
- Review user accounts regularly;
- Terminate IT access thoroughly when employees are terminated;
- Log and monitor Web and application access.
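Several of these fundamentals, and the annual access review recommended earlier, come down to comparing three things that most non-profits already have: the HR roster, the list of accounts on each system, and the authentication log. The following is an added example (not from the article or from Bmighty.com) that does that comparison on constructed data: it flags accounts of terminated staff that are still enabled, generic accounts such as a vendor default "admin" that are not assigned to a named person, successful logins after a termination date, and accounts that log in from several different hosts, which is the usual symptom of shared credentials. The roster, account list, log format and host addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical people, dates and hosts).
HR_ROSTER = {
    "jdoe":   {"status": "active",     "terminated": None},
    "bsmith": {"status": "terminated", "terminated": date(2009, 3, 15)},
}

SYSTEM_ACCOUNTS = [
    {"user": "jdoe",   "enabled": True},
    {"user": "bsmith", "enabled": True},   # HR let the person go, IT never disabled the account
    {"user": "admin",  "enabled": True},   # vendor default account, no named owner
]

# Constructed authentication log in a simple key=value format.
AUTH_LOG = """\
2009-04-02T09:15:01 login user=bsmith src=10.0.0.12 result=success
2009-04-02T09:20:44 login user=admin src=10.0.0.30 result=success
2009-04-02T09:41:09 login user=admin src=10.0.0.41 result=success
2009-04-02T10:01:10 login user=jdoe src=10.0.0.12 result=success
2009-04-02T10:05:00 login user=jdoe src=10.0.0.12 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["day"] = date.fromisoformat(ev["ts"][:10])
            events.append(ev)
    return events


def review_accounts(roster, accounts, events):
    """Cross-check accounts and logins against the HR roster."""
    findings = {
        "terminated_still_enabled": [],
        "unassigned_accounts": [],
        "shared_account_candidates": [],
        "post_termination_logins": [],
    }
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            # No named owner: either an orphan or a generic/default account.
            findings["unassigned_accounts"].append(acct["user"])
        elif person["status"] == "terminated" and acct["enabled"]:
            findings["terminated_still_enabled"].append(acct["user"])

    sources = defaultdict(set)
    for ev in events:
        if ev["result"] != "success":
            continue
        sources[ev["user"]].add(ev["src"])
        person = roster.get(ev["user"])
        if person and person["terminated"] and ev["day"] > person["terminated"]:
            findings["post_termination_logins"].append((ev["user"], ev["ts"]))
    # One account used from more than one host is a candidate for shared credentials.
    findings["shared_account_candidates"] = sorted(
        u for u, hosts in sources.items() if len(hosts) > 1
    )
    return findings


def run_review():
    return review_accounts(HR_ROSTER, SYSTEM_ACCOUNTS, parse_auth_log(AUTH_LOG))


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

Each category maps to an action rather than a report entry: disable the terminated account, assign an owner and a new password to the generic one, and give each person who was sharing "admin" their own ID (PCI DSS Requirement 8 below says the same thing).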
Helping Non-Profits get compliant with PCI DSS (Payment Card Industry Data Security Standard)
Beginning in July 2010, all organizations that process credit card transactions must adhere to the Payment Card Industry Data Security Standard (PCI DSS) or face costly fines or revocation of credit card transaction privileges.
The PCI Standard consists of 12 key security controls/requirements which, if followed, reduce an organization's exposure to unauthorized access to sensitive data:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Source: PCI Standard Council - https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Don't be a non-profit leader who avoids talking about the issue of protecting sensitive personal information and who won't make it a priority. Put it alongside other critical business concerns; it's the natural human condition to hope for the best and to assume that a data breach has not occurred. At my Master's graduation ceremony from the University of Fairfax, our keynote speaker, an expert on data breaches, stated the following: "It's not if a data breach occurs, it's when it will occur…all databases will have a breach at some point".
Julius Clark, MBA, CISSP, CISA
Information Security Professional
Charlotte, NC
References:
2008 Data Breach Report - http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html?nav=rss_technology
Increasing Data Security In an Insecure World - http://www.nptechnews.com/management-features/increasing-data-security-in-an-increasingly-insecure-world.html
Data Breaches - www.bmighty.com/blog/main/archives/2009/04/data_breaches_w.html
States Push to Encrypt Personal Data - http://www.nptimes.com/08Nov/npt-081115-3.html