Tuesday, October 07, 2008

Three common security pitfalls

Security is a growing concern in the non-profit community. The requirements may be legally mandated, as in the case of HIPAA and client health care information. The issue may be competitive -- you do not want to hand out your grant applications to the other orgs in your building before you've even sent them off to funders. And everyone has finally woken up to the need to secure supporters' credit card information and comply with PCI standards.

Organizations are putting increasing pressure on vendors of applications and networks to assure security through the use of encryption, HTTPS, and user-specific access to data fields and tables. But we see three simple security flaws over and over again in the smaller non-profits.

Inadequate physical security of the servers. Is your database server sitting in the unlocked phone closet? Is your web server in a room shared by three programmers? I know one group with real privacy concerns who keep the server on a counter in the break room. It doesn't really matter how much you lock your network down with the latest firewall technology and encryption techniques if the servers can be waltzed out of the building without causing a stir.

Inadequate password security. I see this everywhere I go - users know each other's passwords. It may even become part of standard operating procedure: "to do this, I log in as Eileen." Let your OS help you with this: require users to change their passwords frequently. Require complex passwords. Beat up on people who tell others what their password is. And if you have legally mandated privacy concerns, consider adding biometrics to your user authentication procedure - USB thumb scanners are widely available these days.

Improper Disposal of Computers. When the time comes to dispose of a PC, what do you do with it? All your security efforts were for naught if you just set the machine out in the trash. Wipe that drive! Reformatting the drive does not do it - it just clears the directory structure. Any snoop can still read your data after a reformat. There are numerous software packages on the market for just this purpose - a number of government agencies have standardized on cyberCide. You can destroy the drive with a few well-placed drill holes - but the software approach is easier - and then you can still donate the old.

Thanks to Sean Henriques for tweeting a link that made me start thinking about this!
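To make the point about reformatting concrete, here is an added example (not from the original post) that simulates a tiny disk volume in memory: a "quick format" clears only the directory region, so a scan of the raw sectors still turns up the record, while overwriting every sector is what actually removes it. The sector layout, the directory format and the sample client record are all constructed for illustration.

```python
"""Simulate why a reformat leaves data readable while an overwrite does not."""
import os
import re

SECTOR = 512
DIR_SECTORS = 4           # constructed 'directory' region at the start of the volume
DATA_SECTORS = 60
VOLUME_SIZE = SECTOR * (DIR_SECTORS + DATA_SECTORS)
FILE_START = DIR_SECTORS + 5   # data sector where the sample file lives

# Constructed sample record standing in for client data stored on the disk.
SAMPLE_RECORD = b"CLIENT: Jane Doe; DX: confidential; CARD: 4111-1111-1111-1111"


def make_volume() -> bytearray:
    """Build an in-memory 'disk': a directory entry points at the file's data sector."""
    vol = bytearray(VOLUME_SIZE)
    entry = b"clients.txt\x00" + FILE_START.to_bytes(2, "little")
    vol[0:len(entry)] = entry                      # entry lives in the directory region
    offset = FILE_START * SECTOR
    vol[offset:offset + len(SAMPLE_RECORD)] = SAMPLE_RECORD   # contents in the data region
    return vol


def quick_format(vol: bytearray) -> None:
    """Model of a reformat: only the directory region is cleared; data sectors are untouched."""
    vol[0:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)


def overwrite_wipe(vol: bytearray) -> None:
    """Model of a wiping tool: every sector is overwritten, random bytes first, then zeros."""
    vol[:] = os.urandom(len(vol))
    vol[:] = bytes(len(vol))


def directory_lists_file(vol: bytearray) -> bool:
    """What the OS shows after the format: does the directory still name the file?"""
    return b"clients.txt" in bytes(vol[0:DIR_SECTORS * SECTOR])


def carve_card_numbers(vol: bytearray) -> list:
    """Ignore the directory and scan raw sectors for card-number-shaped strings."""
    return [m.decode() for m in re.findall(rb"\d{4}-\d{4}-\d{4}-\d{4}", bytes(vol))]


def demo() -> tuple:
    """Return (directory_lists_file, carved) after a quick format and again after a wipe."""
    vol = make_volume()
    quick_format(vol)
    after_format = (directory_lists_file(vol), carve_card_numbers(vol))
    overwrite_wipe(vol)
    after_wipe = (directory_lists_file(vol), carve_card_numbers(vol))
    return after_format, after_wipe


if __name__ == "__main__":
    print(demo())   # ((False, ['4111-1111-1111-1111']), (False, []))
```

The first tuple shows the state after the reformat: the directory no longer lists the file, yet the card number is still sitting in the data sectors; only after the full overwrite does the scan come back empty.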
