Caused by Security Breakdowns
- Loss of current and future gift
- Damage to an institution's
- Loss in donor and constituent confidence in the institution.
- Public scrutiny and the need for
- Lawsuits against the institution for exposing individual and corporate data.
- Loss of morale if systems are down on a regular basis because of security breaches.
Risk Management Assessment
The first step in reviewing security is to do a risk management assessment and inventory to determine where security improvements and changes are needed.
Some items a risk assessment inventory should include:
- List of assets and the cost of replacement for both systems and data assets of all types.
- Estimation of downtime and cost caused by security breaches such as virus attacks, corruption of
- What contingency plans exist for a system failure, and the cost of replacing an entire system or having a hot swappable backup environment.
- Estimation of costs for a complete disaster and recovery plan.
- Where the sources and points of risk exist, and the cost of improving and plugging these holes.
- A weighting and scoring system for the different types of security risks. You want to think about the 80/20 rule, and deal with the most important threats
- Include other information that you might not normally consider, such as donor profiles, spreadsheets with development budgets, development travel records and event budgets. Many of these items are a normal part of the development process, but could cause bad publicity for an organization because the reasons for spending money in these areas may not be well understood.
- Where are salaries and other confidential human resource information stored, and who has access to these records?
- Where are offsite backups kept, are they password protected, and is there an adequate separation of duties between the administrators of the system and the
- Extend the risk assessment to other assets such as mobile devices, laptops and home computers.
- Include human resource policies such as background and credit checks for employees, comprehensive reference checking and, in some cases, ensuring employees are bonded.
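The weighting and scoring item above is easier to see with numbers. The following is an added example, not code from the original article: a hypothetical asset inventory is scored by expected loss (replacement cost plus downtime cost, scaled by breach likelihood and by how many people can reach the record) and then cut at the 80/20 point. Every asset name, cost, likelihood and the access-count weighting is an assumption for illustration.

```python
# Added example (not from the original article): weighted risk scoring over a
# constructed asset inventory, applying the 80/20 rule described in the checklist.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_cost: float  # cost to replace the system or data asset
    downtime_cost: float     # estimated cost of an outage caused by a breach
    likelihood: float        # weight in [0, 1]: chance of a breach in a year (assumed)
    access_count: int        # people who can reach the record; wider access raises the score


def risk_score(a: Asset) -> float:
    """Expected loss: (replacement + downtime) * likelihood * access factor."""
    # Hypothetical weighting: each person with access beyond the first adds 10%.
    exposure = 1.0 + 0.1 * max(a.access_count - 1, 0)
    return (a.replacement_cost + a.downtime_cost) * a.likelihood * exposure


def pareto_cut(assets, share=0.8):
    """Return the highest-scoring assets that together carry `share` of total risk."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    total = sum(risk_score(a) for a in ranked)
    chosen, running = [], 0.0
    for a in ranked:
        if running >= share * total:
            break
        chosen.append(a)
        running += risk_score(a)
    return chosen


# Constructed inventory covering the kinds of items the checklist names.
INVENTORY = [
    Asset("donor database", 50_000, 20_000, 0.20, 8),
    Asset("offsite backup tapes", 5_000, 40_000, 0.10, 2),
    Asset("HR salary spreadsheet", 1_000, 2_000, 0.25, 4),
    Asset("event budget files", 500, 500, 0.40, 20),
    Asset("fundraiser laptop", 2_000, 3_000, 0.50, 1),
]

if __name__ == "__main__":
    for a in sorted(INVENTORY, key=risk_score, reverse=True):
        print(f"{a.name:25s} {risk_score(a):10.0f}")
    print("Address first:", [a.name for a in pareto_cut(INVENTORY)])
```

With these assumed figures the donor database and the offsite backup tapes together carry over 80% of the total score, so they are the two items to address first.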
Risk assessment should not only include computers and computer systems, but also items such as central files, hard copy reports, data backup and recovery strategies, who has access to information, record retention and destruction policies and procedures, off site storage facilities, shadow databases and more.
Support and IT staff need to continually improve their capabilities to get more payback from information technology; breaches lower that payback.
The complexity of your environment and the sophistication of your systems also create a tradeoff in security.
The more complex, sophisticated and distributed your environment is, the more difficult it is to lock it down.