By Melissa Musser, CPA, CITP, CISA, Principal
With employees working from home, many nonprofits and associations (particularly smaller organizations) are more concerned than ever about information technology (IT) security. The issue is of even greater concern to organizations whose employees use their personal laptops and other electronic equipment to do their job remotely. With this in mind, many are revisiting their IT security policies during the COVID-19 pandemic. In reality, though nonprofit leaders should revisit policies and procedures regularly to prevent data breaches and cyberattacks. Whether you are implementing your first IT security policy or believe you need to update an existing policy with so many employees working from home, learn the basics of designing effective policies and procedures to protect your organization.
IT Security Basics
Your IT security policy and procedures should be customized to your organization because each workplace has different security threats and concerns. For example, if your association employs a vendor who accesses your network to assist with board elections, your IT security policy should have guidelines for third-party connections.
- Every organization, large and small, should have a written policy in place that governs how the organization will approach the security of their data assets.
- Your IT security policies and procedures should address issues such as software upgrades, password protection, backups, data retention, physical security, data privacy, network access, encryption, incident response, and employee responsibilities.
- IT policies must be tested regularly to determine whether they are effective or modifications are necessary.
- Employees must be educated and trained on your IT security policies and procedures. They are your best line of defense!
Designing IT Policies and Procedures
Step one – Perform a risk assessment to identify threats and vulnerabilities that will help you design the appropriate controls that become a key component of your IT policies. A formal IT risk assessment process with correlating information security policies and procedures should be developed and re-assessed annually.
An IT Risk Assessment is typically comprised of five parts:
- Assessing information maintained by the organization and the infrastructure’s scope,
- Understanding threats and vulnerabilities. Review the threats that face your organization,
- Estimating the impact to integrity, availability and/or confidentiality of data,
- Determining the risk in terms of likelihood, impact and current controls in place, and
- Implementing Controls. For high-risk items, outline the possible controls that could mitigate or eliminate the identified risks. The goal of recommended controls is to reduce the level of risk to the IT environment to an acceptable level. These controls can range from people and policy and procedure changes to new configurations, procurements, or the implementation of new technology.
Step two – Design and implement controls based on the risk assessment. Using the current “work from home” policies to provide examples, below are some examples of controls an organization should implement and include in their IT policies.
Depending on the type of sensitive financial and personal identifiable information (PII) held, an organization should consider properly protecting devices that hold this data, specifically laptops and mobile phones. Organizations should determine what type of sensitive information is at risk and follow up with proper encryption and/or other security measures. The goal is to make it difficult for those without permission to access the data. With the risks and appropriate measures identified, information security policies should be updated accordingly.
The following are important policy considerations regarding mobile devices.
- Require password, passcode, or personal identification number (PIN)
- Most handheld devices provide a lockout option that disables the device if someone makes several consecutive unsuccessful attempts to enter the password, PIN, or pattern. Using the lockout option can thwart a brute-force attempt to guess login credentials. Setting the lockout limit to 10 attempts is usually sufficient.
- Auto-wipe is similar to the lockout option, but more secure. After several consecutive unsuccessful password, PIN or pattern attempts, the device will automatically erase (wipe) all stored data and reset itself to factory defaults.
Whether your organization is concerned about security issues resulting from remote work or just ready to implement its first formal set of IT security policies and procedures, learn the basics of IT security and best practices for development and implementation. SANS offers free templates to help your organization develop its security policy. In addition, GRF offers a variety of resources in the form of articles, blog posts, and webinars specific to IT security for nonprofit organizations. A sample of these resourced is offered below.