Nonprofits - Protect Your Sensitive Data - 04/27/2012
TANGO partner The Walker Group guest blogs for us about the things nonprofits should be doing to protect their sensitive data. All nonprofits should have a plan in place to protect their data and to handle a disaster. Are these things that your nonprofit thinks about?
A breach of your business data can come from loss, theft, or unintended exposure of information. Depending on the type of data, how much of it is breached and who gets unauthorized access to it, the consequences for a nonprofit can be severe. It’s impossible to completely protect your organization from this type of incident, but there are practical steps you can take to greatly reduce the potential damage.
Document where your data is stored and how it is accessed. Data is kept in different places – servers, individual computers, mobile devices, file cabinets, in the cloud and elsewhere. You need to know what data is being kept where, who has access to it, and how it is being accessed. Start with your most sensitive data and work from there.
Identify the level of protection required based on data type. For data that is very sensitive, determine an economically appropriate set of controls and countermeasures to protect it. For less sensitive data, standard security procedures may be adequate. At minimum, all of your data should be behind a firewall, employees should connect to your network remotely through a secure virtual private network (VPN), and business-critical data should be encrypted. The best way to determine which types of data need the strongest security measures is to consider the impact its loss would have on your company.
Secure your data technically. After segmenting your data by level of importance, you can implement specific security measures. Regardless of where the data is located, it can be reasonably protected with a combination of hardware and software, including encryption. Begin by protecting the data that keeps your company in business, such as a customer database. Then ensure all servers, desktops and laptops are locked down, checking that security features within your operating systems are enabled and properly configured.
Develop a disaster recovery plan. Even if you take every possible step to secure your network, you should have some form of disaster recovery plan. It should include the processes for continuously backing up your data and should clearly state who is responsible for making the backups, restoring the systems on which the data runs and determining which data should be restored first.
Be ready in case a data breach occurs. Depending on your industry, you may be required by local or federal laws to publicly report even a suspected data breach. Therefore, you should know what your incident response approach will be. You want regulators and customers to perceive that there is a culture of compliance throughout your organization, so time is of the essence in determining whether a data breach has occurred and whether notification is required. If notification is advisable, then providing it must also be done quickly. Be ready. Select in advance a person or trusted third-party firm to conduct an investigation of your network and the compromised equipment.
Invest in effective security awareness training and policy development. The two most important pieces of an effective data protection strategy are often missing or outdated: employee awareness and documented policies. Studies continue to show insider negligence as a top reason for corporate data loss. In many of these instances, the losses were preventable had employees clearly understood what is expected and required to keep information secure. An independent assessment can uncover areas where employee knowledge is lacking and important processes aren’t adequately documented.