An IT Director’s Guide to Securing Data at Your Nonprofit

With annual giving campaigns taking place soon, now is an ideal time for a self-assessment of nonprofit information security and privacy, and to address gaps.

For most nonprofits, the risks involved with donations are transferred to partnerships with reputable payment processing vendors adhering strictly to payment card industry (PCI) compliance guidelines. If an organization is processing payments in-house, then PCI compliance is a must. A review of documentation and signed agreements made with a payment processor may surface questions and concerns to be taken up with the vendor. When an organization downloads or exports donation data from the payment processor’s site to its own servers, computers, or laptops, and the data contains personally identifiable information (PII), steps should be taken to protect the exported data from unauthorized access.

The SANS Institute, a nonprofit information security training organization, highlights a list of the top twenty critical controls that any organization must adopt for effective information security. Even before a formal security assessment is conducted, the SANS top twenty can be used as a less-formal in-house assessment. It may be surprising how a checklist of quick wins can be generated from a review of the SANS top twenty. Making use of the SANS top twenty as a guide, here are five areas for critical controls including some quick wins for each.

1. Asset and Software Inventories

Inventories are at the top of the priority list.  What devices are on the network and what applications are installed? Automated tools can discover new assets and applications for approval. Scan regularly for applications and get a list of approved applications together. Remove applications that are altered, suspicious, or not approved.

2. Secure Configurations

Most security risks can be addressed by keeping applications, firmware and operating systems updated to the latest patch, including mobile devices, laptops, and the images on firewalls, routers, and switches. Consider retiring or upgrading unsupported devices and systems. It is more important than ever to continuously patch, scan, and firewall content management systems running websites. Audit and review configurations and submit changes to a review board.

3. Wireless Access Control

Guest wireless is likely to serve internet to unpatched and potentially compromised machines, so the traffic to and from these devices are best steered away from an organization’s main network and onto a separate virtual local area network (VLAN). Wireless passwords do become known widely. Seek out and deal with devices connected to WiFi that are detected as potentially compromised, and disable rogue wireless access points. You’ll thank yourself later!

4. Malware Defenses

The advanced malware of today does not have a signature that can be detected, is built specifically for the vulnerability of the environment, and is targeted with phishing attacks that are highly convincing, unlike the misspelled and grammatically unfortunate phishing emails of yesteryear. To detect and block these advanced attacks, consider more advanced tools. You cannot put a price on your organization’s data, but if you are breached, you can be sure that cyber-criminals will. Signature-based detection, spam blocking, and IP correlation with traffic to and from malicious sites continues to be necessary. Potentially unwanted programs (PUPs) are not only potentially unwanted, they are potentially dangerous.

5. Administrative and User Accounts

Users do not typically require administrative access to their machines; when they do, IT can be available to install approved software and change configurations as necessary. Using group policy to remove local and domain administrative access for users creates a barrier for malicious software installation. Privileged accounts are the keys to the kingdom, so guard them carefully. Enforce password policies that require complexity and change at regular intervals. Use an audit tool to monitor the domain’s Active Directory, or LDAP, for unauthorized end user and administrative access and privilege escalation. Use two-factor authentication wherever possible.

Additional features of security program might include the following:

• Awareness campaigns that hit home to users about the dangers of the internet, how to identify social engineering tactics and phishing, and how to keep mobile devices and home computers safe and secure. You cannot patch the human operating system, but you can educate and inform your users.
• Sensitive data can be air-gapped, stored, vaulted and encrypted on a computer or storage device networked on a separate virtual LAN that has no internet access.  Rules would then restrict access to the vaulted data to a specific set of users, machines, protocols or applications within the agency’s internal network.  Some organizations have several layers of vaults within vaults.
• Next generation firewalls (NGFW) are application- and user-aware, giving more visibility into the network. A properly configured NGFW device is highly adept at detecting and blocking malicious and suspicious traffic.
• Configuration management makes for an effective cornerstone of a security program, integrating and expanding many existing features into one powerful suite that includes asset management, centralized endpoint protection, software deployment, software updates, operating system deployment, scripting, reporting, and much more.
• A Security Event and Incident Management (SEIM) system meets the requirement for the top twenty critical control of maintenance, monitoring, and analysis of audit logs. A full-fledged SEIM can be costly. A low cost SEIM can be assembled using Splunk and a host of Splunk apps specific to security such as Netflow Integrator and apps developed and maintained by firewall manufacturers.
• Convincing executive and finance directors of the need for improving the organization’s security profile would seem to require no more than a reading of the front page of the news lately. However, it is incumbent on technology leaders to explain needs to executives in plain language emphasizing a risk management model while defining baseline requirements and budgets.
• Penetration tests and program reviews help an organization pinpoint and prioritize vulnerabilities to be remediated and documentation improvements required to demonstrate that the organization is making efforts to meet regulatory guidelines for PCI, PII and HIPAA.

In the unfortunate event of a breach, it is good practice to have a breach plan in place. Keep a list of the team members current and updated. The team would likely be made up of an attorney familiar with privacy laws, a forensics team that can determine the true extent and impact of the breach, and someone in a position of authority who would engage public and media relations around the event as guided by the team. The plan would include contacting donors and constituents who may be adversely affected and point them in the direction of resources for remediation. The plan would also include remediation steps for stopping and preventing the breach from occurring again. A breach will distract from the mission, but a well-executed breach plan will minimize the damage.

There is much the nonprofit industry can do among our communities and in collaboration with each other and with the tech industry in order to more effectively secure our organizations’ hardware, software, networks, and cloud services and to protect the privacy of our organization and its constituents. Sharing information and communicating is critical to the success of these efforts in order to collectively address the changing threats, risks, and vulnerabilities to our assets. It is in that spirit that this article is offered.

About the author:

Spencer Bolles is the IT Director at Bay Area Community Resources, a community and school based nonprofit serving children and families with after school programs, counseling, tutoring and mentoring, drug and alcohol treatment services, and youth development programs throughout the San Francisco Bay Area. Spencer received a graduate degree in social welfare from UC Berkeley in 1997 with an emphasis on management, administration and planning. You can find him on Twitter @spencerbolles.