About  |  Contact Us  |  Register for Benefits  |  Login  |  View/Edit Your Profile  |  Consulting  |  Principal & Founder  |  Sponsorships  |  Legal & Privacy

  Home      Blog      Job Board      Community      Contribute      Vendor Listings      Search Site
  Employment  |  More With Less  |  Potpourri  |  Records  |  Reporting  |  Research  |  Revenue  |  Samples  | Systems  |  Web Sightings
 
  Security. Systems
Security Home | Problems and Risk Assessment | Sources of Attacks | Stopping Attacks | Summary
SecuritySecurity has less to do with technology and more to do with training and education.

Once training and education is in place, improving technology and being aware will become second nature to those employees in charge of managing security.

Preventing and Stopping Attacks
  • Security should be part of the orientation program for new staff, and also part of the ongoing training and orientation of all staff. Security should be a periodic agenda item at key meetings. Key staff should be provided the budget to attend the appropriate conferences on security as part of their ongoing professional development.
  • There should be regularly and randomly scheduled audits of security policies, procedures and business practices.
  • Security considerations should be an integral part of all network support, systems analysts, report writing, research and processing staff's job descriptions since advancement support staff are typically dealing with a lot of sensitive data. They are also the individuals who typically have the most access to the data. Other staff should also have these considerations in their job descriptions in general terms.
  • There should be distinct and comprehensive policies and procedures regarding asset and data security in place including a comprehensive statement of appropriate use. Advancement and development departments may require a statement that is more comprehensive than some of the general statements typically used for a campus.
  • Security breaches should be logged and statistics recorded over time to monitor the effectiveness of resolution policies and procedures.
  • Independent external reviews should take place periodically to help ensure that adequate protection continues in place. You can involve internal audit, or an independent external consultant. You can't afford to be complacent once you have policies in place since security concerns change constantly.
  • You should test your backup and recovery procedures on a regular basis and ensure that they are working and that you would be able to restore data if required.
  • If possible, your organization chart should have an individual or group responsible for the management of security of assets that is independent of the areas they are responsible for protection.

Secure the Physical Environment

  • Locked file cabinets for sensitive data.
  • Policies on shredding and information destruction and periodic audits to make sure these policies are followed.
  • Data stored externally should be with a reputable bonded company in a controlled environment.
  • Are reports and downloads available from the system, or is this controlled centrally, and where are paper copy of reports stored?
  • Are adequate policies in place to protect confidential information that is forwarded to other departments or governing bodies so that information does not become public?
  • Policy on donor names on public web sites or other recognition vehicles.
  • Are servers and other computer and data assets physically secured?
  • Are the use of secure ID cards or other devices such as biometrics in place?
  • Are buildings and offices locked and secured?
  • Is there a policy or provision to monitor the data and document retention policy.

Computer Systems and Data

  • What programs need to be set up and installed to monitor intrusion, and how does your organization monitor them?
  • How are shadow databases managed and secured?
  • Is anti-virus software installed and being automatically updated on all computers?
  • Are your computers set to receive automatic updates for security patches and are users educated to do this?
  • You should install spyware software, and other programs that detect intrusion, obtrusive cookies, and items that may be installed without your knowledge. Many of these programs are free and can be found by just typing the words into a search engine.
  • Are you monitoring installation of unauthorized software, unauthorized Internet use and other abuses of organizational computing assets? The term PC used to mean personal computer and we now need to think of these assets as productivity computers.
  • When installing programs, do a minimum install with options defaulted off as opposed to on.
  • All data stored on computer systems and backup media should be encrypted.
  • Users should be instructed to store data on the network drives as opposed to their local drives, or burning onto CD to store locally or take offsite.
  • Users should not be allowed to download large amounts of data without appropriate authorization and controls in place.
  • How is information forwarded to control editing and changing. For example, if you forward a statement in Excel format, the person receiving it can modify the data for their own purposes.
  • All systems and networks should be behind firewalls.
  • Laptops and mobile devices being used off-site should be secured so that external users cannot access your network through these devices.
  • Limit access to systems, and limit access to the network. Use IP address ranges.
  • Physically separate systems. For example, the telemarketing system should be in a separate physical area working under a separate subnet.
  • Block communication ports that are not used.
  • Consider the implementation of a managed desktop system to help manage users.
  • Have a clear backup and recovery strategy and test this regularly.
  • All server logs should be reviewed and cleared daily.
  • Server and database auditing should be turned on by default.
  • If remote access to systems is in place, the highest level of encryption should be used for external access.
  • Consider the implementation of digital rights management technology, since development and advancement activities are very document centric. Digital rights management assigns rights and other attributes to data. This includes the ability to the sender of data to disallow forwarding, printing and can also create an expiry date for the document so it will cease to be able to be read after a certain point in time.
  • Make sure that all passwords are secure, are sufficiently complex and that users are forced to change on a regular basis.

Layer your security in depth. i.e. Lock server in a room, offsite backups. Think of security in terms of perimeter defenses such as boundaries, fences, walls, doors, rooms and cupboards.

Security:
   Supportingadvancement.com
Computer Security InstituteSecurity
 
Supportingadvancement.com FIRST - Forum of Incident Response and Security Teams
 
Supportingadvancement.com Industry Canada - Online Security and Privacy Guide
 
Supportingadvancement.com Microsoft - Baseline Security Analysis Tool, newsletters and other tools. Free seminars.
 
Supportingadvancement.com National Cyber Security Partnership - Public private partnership to make cyberspace more secure.
 
Supportingadvancement.com PC Magazine Utilities - A number of free tools such as spyware detectors.
 
Supportingadvancement.com Software Engineering Institute - Papers
 
Supportingadvancement.com Threats and Countermeasures - From Microsoft. A free 900+ page document on improving web security.

Sites with privacy legislation, policies and procedures:
   Supportingadvancement.com AFP Toronto ChapterSecurity
 
Supportingadvancement.com AFP Canadian Public Policy on Privacy
 
Supportingadvancement.com Australian Government Privacy Office
 
Supportingadvancement.com CASE - Foundation Independence and Donor Privacy
 
Supportingadvancement.com Canadian Department of Justice Policy on Access to Information and Privacy
  Supportingadvancement.com Direct Marketing Association. Privacy policy generator.
 
Supportingadvancement.com Information and Privacy Commissioner of Ontario (IPC) Web site
 
Supportingadvancement.com Ontario's Consultation on Privacy Protection
 
Supportingadvancement.com Privacy Commissioner of British Columbia
 
Supportingadvancement.com Privacy Commissioner of Canada
 
Supportingadvancement.com PrivacyInfo.ca
 
Supportingadvancement.com Privacy is Your Business from CIO
 
Supportingadvancement.com Privacy Rights Clearinghouse

On this site:
 
Data Backup and Recovery Strategies
 
Democracy and Responsibility. Additional security considerations given break-ins and compromises of higher ed data.
 
Employment Pages. Confidentiality agreements.
 
Privacy Architecture
 
Privacy Audit Questionnaire
 
Privacy Policy Statement
 
Privacy Principles
 
Privacy Recommendations
 
Releasing Alumni Information
 
Security Survey
 
Shadow Databases

 
  ↑  Top of Page  |  Samples Page  |  Sample Forms  |  Favorite Reports  |  Frequently Asked Questions  |  Glossary of Terms