Security has less to do with technology and more to do with training
Once training and education are in place, improving
technology and staying aware will become second nature to the
employees in charge of managing security.
Preventing and Stopping
- Security should be part of the
orientation program for new staff, and also part of the ongoing
training and orientation of all staff. Security should be a
periodic agenda item at key meetings. Key staff
should be provided with the budget to attend the appropriate
conferences on security as part of their ongoing professional
- There should be regularly and
randomly scheduled audits of security policies, procedures and
- Security considerations should
be an integral part of the job descriptions of all network support,
systems analyst, report writing, research and processing staff,
since advancement support staff typically deal with a lot
of sensitive data. They are also the individuals who
typically have the most access to the data. Other staff should
also have these considerations in their job descriptions, in general terms.
- There should be distinct and
comprehensive policies and procedures regarding asset and data
security in place, including a comprehensive statement of
appropriate use. Advancement and development departments may
require a statement that is more comprehensive than some of the
general statements typically used for a campus.
- Security breaches should be
logged and statistics recorded over time to monitor the
effectiveness of resolution policies and procedures.
- Independent external reviews
should take place periodically to help ensure that adequate protection
remains in place. You can involve
internal audit or an independent external consultant. You can't
afford to be complacent once you have policies in place, since
security concerns change constantly.
- You should test your backup and
recovery procedures on a regular basis and ensure that they are
working and that you would be able to restore data if required.
- If possible, your organization
chart should have an individual or group responsible for the
management of security of assets that is independent of the
areas they are responsible for protecting.
Secure the Physical
- Locked file cabinets for
- Policies on shredding and
information destruction and periodic audits to make sure these
policies are followed.
- Data stored externally should be
with a reputable bonded company in a controlled environment.
- Are reports and downloads
available from the system, or is this controlled centrally, and
where are paper copies of reports stored?
- Are adequate policies in
place to protect confidential information that is forwarded to
other departments or governing bodies so that information
does not become public?
- Policy on donor names on public
web sites or other recognition vehicles.
- Are servers and other computer
and data assets physically secured?
- Is the use of secure ID cards
or other devices such as biometrics in place?
- Are buildings and offices locked
- Is there a policy or provision
to monitor the data and document retention policy?
Computer Systems and Data
- What programs need to be set up
and installed to monitor intrusion, and how does your
organization monitor them?
- How are shadow databases managed
- Is anti-virus software installed
and being automatically updated on all computers?
- Are your computers set to
receive automatic updates for security patches and are users
educated to do this?
- You should install anti-spyware
software, and other programs that detect intrusion, intrusive
cookies, and items that may be installed without your knowledge. Many of these programs are free and can be
found by just typing the words into a search engine.
- Are you monitoring the
installation of unauthorized software, unauthorized Internet use and other
abuses of organizational computing assets? The term PC used to mean
personal computer, and we now need to think of these assets as
- When installing programs, do a
minimal install with options defaulted off rather than on.
- All data stored on computer
systems and backup media should be encrypted.
- Users should be instructed to
store data on the network drives rather than on their local
drives, and not to burn it onto CD to store locally or take offsite.
- Users should not be allowed to
download large amounts of data without appropriate authorization
and controls in place.
- How is information forwarded, and how is
editing and changing of it controlled? For example, if you forward a
statement in Excel format, the person receiving it can modify
the data for their own purposes.
- All systems and networks should
be behind firewalls.
- Laptops and mobile devices being
used off-site should be secured so that external users cannot
access your network through these devices.
- Limit access to systems, and
limit access to the network. Use IP address ranges.
- Physically separate systems. For
example, the telemarketing system should be in a separate
physical area working under a separate subnet.
- Block communication ports that
are not used.
- Consider the implementation of a
managed desktop system to help manage users.
- Have a clear backup and recovery
strategy and test this regularly.
- All server logs should be
reviewed and cleared daily.
- Server and database auditing
should be turned on by default.
- If remote access to systems is
in place, the highest level of encryption should be used for
- Consider the implementation of
digital rights management technology, since development and
advancement activities are very document centric.
Digital rights management assigns rights and other attributes to
data. This includes the ability for the sender of data to disallow
forwarding and printing, and to set an expiry date for the
document so that it can no longer be read after a certain
point in time.
- Make sure that all passwords are
secure and sufficiently complex, and that users are forced to
change them on a regular basis.
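Several of the items above (limiting network access by IP address range, keeping the telemarketing system on its own subnet, blocking unused ports, and reviewing server logs) can be checked mechanically rather than by eye. The script below is an added example, not part of the original checklist: it encodes a hypothetical access policy (which subnets may reach which system, and on which ports) and runs it over a few constructed connection log lines to flag accepted connections that the policy says should have been blocked. The system names, subnets, ports and log format are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed policy (an assumption about one organization's layout):
# each system is reachable only from the listed address ranges,
# and only on the listed ports. Everything else should be blocked.
ALLOWED_SOURCES = {
    # telemarketing lives on its own subnet; only its own hosts may reach its database
    "telemarketing-db": [ipaddress.ip_network("10.20.0.0/24")],
    # the shared file server may be reached from the office and telemarketing subnets
    "file-server": [ipaddress.ip_network("10.10.0.0/24"),
                    ipaddress.ip_network("10.20.0.0/24")],
}
OPEN_PORTS = {
    "telemarketing-db": {1433},
    "file-server": {445},
}

# Constructed sample log lines (not from any real system):
# timestamp, source address, destination system, destination port, firewall action
SAMPLE_LOG = """\
2024-03-01T09:12:04 10.20.0.15 telemarketing-db 1433 accept
2024-03-01T09:13:51 10.10.0.8 telemarketing-db 1433 accept
2024-03-01T09:14:02 10.20.0.15 telemarketing-db 3389 accept
2024-03-01T09:15:30 192.0.2.44 file-server 445 accept
2024-03-01T09:16:11 10.10.0.8 file-server 445 accept
2024-03-01T09:17:45 10.20.0.9 file-server 21 accept
"""


def parse_line(line):
    """Split one space-separated log line into a dictionary of typed fields."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "port": int(port), "action": action}


def violations(event):
    """Return the policy rules an accepted connection breaks (empty list if none)."""
    problems = []
    allowed = ALLOWED_SOURCES.get(event["dst"])
    if allowed is None:
        problems.append("unknown destination")
        return problems
    if not any(event["src"] in net for net in allowed):
        problems.append("source outside allowed range")
    if event["port"] not in OPEN_PORTS[event["dst"]]:
        problems.append("port not in open list")
    return problems


def review(log_text):
    """Return (timestamp, source, destination, port, problems) for every accepted
    connection that the policy says should have been blocked."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["action"] != "accept":
            continue  # already blocked; nothing to flag
        problems = violations(event)
        if problems:
            findings.append((event["ts"], str(event["src"]), event["dst"],
                             event["port"], problems))
    return findings


def summarize(findings):
    """Count findings per (destination system, rule) pair, for the daily review."""
    counts = Counter()
    for _, _, dst, _, problems in findings:
        for problem in problems:
            counts[(dst, problem)] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for ts, src, dst, port, problems in results:
        print(f"{ts} {src} -> {dst}:{port}  {', '.join(problems)}")
    print(summarize(results))
```

Run against the sample log, four of the six accepted connections are flagged: an office-subnet host reaching the telemarketing database, a remote-desktop port opened to that database, a connection from outside every allowed range to the file server, and an FTP connection to a server that should only serve file shares. The summary counts are the kind of statistic the checklist asks you to record over time; if a rule keeps firing, either the firewall rule set does not match the written policy or the policy needs updating.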
Layer your security in depth, e.g. lock the server in a room and keep offsite
backups. Think of security in terms of perimeter defenses such as boundaries, fences,
walls, doors, rooms and cupboards.