Security Survey

An example of some of the types of questions to consider when you need to evaluate your IT security infrastructure.

The questions will not only help you evaluate the security strengths and weaknesses within your advancement organization, but also in relation to some of the resources and expertise that may exist within your organization as a whole.

A number of these questions can also apply to hard copy prospect and donor files.

Questions are adapted from the Computer Security Institute survey.

Which of the following best describes the information security structure of your organization?

Formal dedicated information security department or team
Dedicated staff within the organization whose primary job function is information security
Staff within the organization with a secondary job function of information security
Dedicated individuals outside the organization whose primary job function is information security
Dedicated individuals outside the organization whose secondary job function is information security
Outside experts through an outsourcing agreement

Outside of advancement and development, does your organization have:

A Chief Security Officer
Chief Information Security Officer
Both
Neither

Which qualities are most important when choosing a security product or technology?

Performance
High availability
Integration with existing networks and hosts
Integration with existing network management and help desk systems
Ease of use
Tiered access control
Detailed audit logs

Do you include the purchase and maintenance of security equipment and software as part of your ongoing development budget?

How do you train your IT staff on security?

Vendor training
Institutionally provided training
Ethical hacking and penetration testing
Training at conferences
No specific training or just learn on the job

How would you describe your information and IT security staffing?

Severely understaffed
Moderately understaffed
Staffed at about the right level
Moderately overstaffed
Severely overstaffed

When you hire staff, do you consider security credentials, and are security aspects included in job postings and job descriptions?

How would you describe your security implementation process?

We put products in place and/or train staff where we perceive there are weaknesses.
We have some security in place, but we generally react to threats as they arise.
We assess our IT systems in terms of risk of attack and loss in the event of compromise, and we focus resources according to that assessment.
We follow the direction of our consultant or another institutional department.

How would you rate the relative risk of the following:

Internal attacks
External attacks
Known vulnerabilities in commercial products
Unknown vulnerabilities in commercial products
Known vulnerabilities in custom applications
Unknown vulnerabilities in custom applications
Email-borne viruses and worms
Web applications
Web services (SOAP, XML-RPC, etc)
Social engineering

How do you assess risk in your organization?

Input from peers
Penetration testing
Internal audit
External audit
Informal risk analysis
Formal risk analysis
Input from vendors
Assessment of regulatory compliance/non-compliance
Other

Which of these technologies are deployed on your perimeter?

Stateful packet filtering firewall
Application proxy firewall
Router access control lists
IPSec VPN gateway
SSL VPN gateway
Intrusion detection system
Network intrusion prevention system
Network behavior anomaly detection
Anti-virus
Content filtering

Which of these technologies are deployed on your internal networks?

Stateful packet filtering firewall
Application proxy firewall
Router access control lists
IPSec VPN gateway
SSL VPN gateway
Intrusion detection system
Network intrusion prevention system
Network behavior anomaly detection
Anti-virus
Content filtering

What methods do you use to protect desktops?

Manually apply patches
Automatically apply patches using Microsoft’s Automatic Update or SMS
Automatically apply patches with 3rd party patch management software
Desktop configuration control
Anti-virus software
Desktop firewalls
Host intrusion prevention
Desktop anti-spam
Strong authentication such as tokens or biometrics

Which steps does your organization use to secure wireless communications?

We don’t allow wireless on our network
None
WEP
WPA
MAC address filtering
Broadcast power control
VPN between client and gateway
Firewall between wireless and wired networks
Passive wireless monitoring for rogue access points

To what extent does your organization use automated intrusion response?

We don’t use automated intrusion response
We use automated intrusion response for events that are unlikely to generate false positives
We use automated intrusion response regardless of false positives

Which of the following individuals are involved in approving your security policy?

President/Managing Director
Vice President of Development
Major Gifts Director
Other Development Staff
COO
CIO
CTO
CFO/Treasurer/Controller
CSO (Chief Security Officer)
CISO (Chief Information Security Officer)
VP IS/IT/Networking/Engineering
IS/IT/Networking Director/Manager
Manager/Department Head Information Security/IT
Line-of-Business Technology Management
Security Administrator
Consultant

For what functions do you use your security policy?

To set minimum requirements in the procurement process
To define job functions, roles, and responsibilities
For audit purposes
To document security practices and processes
Other:

What drives the creation of security policy at your organization?

Security breaches from external sources
Improved business practices
Auditing regulations
Legislative regulations
Protection of brand or image
Security breaches from internal sources
Industry standards
Insurance requirements
Other:

What drives spending on security initiatives?

Security breaches from external sources
Improved business practices
Auditing regulations
Legislative regulations
Protection of brand or institutional image
Security breaches from internal sources
Industry standards
Insurance requirements
Other:

Approximately what percent of your organization’s overall IT budget is allocated for information security?

Less than 1 percent
1 to 5 percent
6 to 10 percent
11 to 15 percent
16 to 20 percent
Greater than 20 percent
Not sure

Does your organization have an incident response policy?

Yes
No

Which regulations does your organization have to adhere to?

HIPAA
GLBA
Patriot Act
SB1386
Sarbanes-Oxley
Federal Privacy Act of 1974
European Union Directive for the Protection of Privacy
DoD 5015.2 Design Criteria Standard for Electronic Records Management Software Applications
Other:

Which best practices does your organization adhere to?

Security:
Computer Security Institute
FIRST – Forum of Incident Response and Security Teams
Industry Canada – Online Security and Privacy Guide
Microsoft – Baseline Security Analysis Tool, newsletters and other tools. Free seminars.
National Cyber Security Partnership – Public private partnership to make cyberspace more secure.
PC Magazine Utilities – A number of free tools such as spyware detectors.
Software Engineering Institute – Papers
Threats and Countermeasures from Microsoft. A free 900+ page document on improving web security.

Sites with privacy legislation, policies and procedures:
AFP Toronto Chapter
AFP Canadian Public Policy on Privacy
Australian Government Privacy Office
CASE – Foundation Independence and Donor Privacy
Canadian Department of Justice Policy on Access to Information and Privacy
Direct Marketing Association. Privacy policy generator.
Information and Privacy Commissioner of Ontario (IPC) Web site
Ontario’s Consultation on Privacy Protection
Privacy Commissioner of British Columbia
Privacy Commissioner of Canada
PrivacyInfo.ca
Privacy is Your Business from CIO
Privacy Rights Clearinghouse

On this site:
Data Backup and Recovery Strategies
Democracy and Responsibility. Additional security considerations given break-ins and compromises of higher ed data.
Employment Pages. Confidentiality agreements.
Privacy Architecture
Privacy Audit Questionnaire
Privacy Policy Statement
Privacy Principles
Privacy Recommendations
Releasing Alumni Information
Security Survey
Shadow Databases
