Community IT Webinar - IT Security for Nonprofits
TRANSCRIPT
IT Security: New and Emerging Best Practices
October 23, 2014
Community IT Innovators Webinar Series
Presenters: Steve Longenecker, Matthew Eshleman
#ITSecurity
Webinar Tips
• Ask questions: Post questions via chat
• Interact: Respond to polls during the webinar
• Focus: Avoid multitasking. You may just miss the best part of the presentation
• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar
About Community IT
Community IT Innovators partners with nonprofits to help them solve their strategic & day-to-day IT challenges.
Strategic: Proactive approach so you can make IT decisions that support your mission and grow with you
Collaborative: Team of over 30 staff who empower you to make informed IT choices
Invested: We are committed to supporting your mission, and take care of your IT network as if it were our own
Nonprofit focus: Worked with over 900 nonprofits since 1993
Presenters
Steve Longenecker, Project Manager
@CommunityIT
Matt Eshleman, Chief Technology Officer
@meshleman
Agenda
• The Big Picture
• Security Culture
• Security Best Practices
• Questions
The Big Picture
Source: From geograph.org.uk, Author: Tom Munro http://commons.wikimedia.org/wiki/File:View_across_the_Valley_of_the_Stones_-_geograph.org.uk_-_435889.jpg
It varies, and depends on the information...
PDF of signed Annual Performance Review
• Confidentiality: Limit to HR and Supervisor (this may be a regulatory issue)
• Integrity: Data should not change; there must be utmost confidence that the file has not been altered.
• Availability: Needed only upon request, within 2-3 days.
Your Accounting System
• Confidentiality: Limit to Finance Department and President
• Integrity: Data constantly updated. Need ability to roll back last thirty days’ activity. Must have record of who changed what.
• Availability: Up to 8 hours of downtime is acceptable.
What are your organization’s CIA requirements?
CIA Worksheet
Security Objective | LOW | MODERATE | HIGH
Confidentiality | Disclosure of information could be expected to have a limited adverse effect | Disclosure of information could be expected to have a serious adverse effect | Disclosure of information could be expected to have a severe or catastrophic effect
Integrity | Modification or destruction of data could be expected to have a limited adverse effect | Modification or destruction of data could be expected to have a serious adverse effect | Modification or destruction of data could be expected to have a severe adverse effect
Availability | The disruption of access to or use of information could be expected to have a limited adverse effect | The disruption of access to or use of information could be expected to have a serious adverse effect | The disruption of access to or use of information could be expected to have a severe adverse effect
• NSA reads your email.
• You are the victim of a hacker attack targeted specifically at your organization.
• You are the victim of a general, untargeted hacker attack, probably a script downloaded from the Internet.
• Data compromise due to known vulnerabilities in your IT infrastructure’s software/firmware.
• Data compromise due to action of disgruntled employee or former employee.
• Loss of data due to run-of-the-mill hardware failure.
• Data compromise due to end user carelessness.
Assessing Risk
http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf
The Stroz Friedberg report describes an online survey of 764 information workers in the United States working for companies with more than 20 people, conducted by KRC Research in the fall of 2013.
Find the balance between CIA requirements and accessibility/cost.
Artist: Winslow Homer, Title: The See-Saw, Current location: Arkell Museum, Source/Photographer: The Athenaeum http://commons.wikimedia.org/wiki/File:Winslow_Homer_-_The_See-Saw_(1873).jpg
Security Culture
Source: New York City Department of Transportation, Author: Nicholas Whitaker Photography https://www.flickr.com/photos/nycstreets/9970004423/
Policies for End Users
• Appropriate Use Policy and Controls
• Password Policy
• BYOD and BYOA Policies
Policies for the IT Department
• Patching Policy
• Data Retention Policies
• Identity and Access Management
Who “owns” security?
• Office Manager?
• HR person?
• CIO?
• CFO?
• CRO?
Security Best Practices
Source: Iphone4, Author: Dicti0nary0 http://commons.wikimedia.org/wiki/File:Authentication_devices.jpg
Foundational Practices
Passwords
Backups
Patching
Antivirus
Our Experience
• Most common cause of data loss – hardware failure
• Second most common cause of data loss – viruses
• Recovery from “unmanaged backup” – measured in multiple days
Evolving Org Trends
• Cloud based services
• Elimination of workplace borders
• Bring Your Own Device
• Bring Your Own App
Emerging Best Practices
• Single Sign On
• 2FA
• Mobile Device Management
• Application Approval
• Encryption
• Adaptive Defense
Practical Next Steps
• Have a data inventory: Know what data you have, where it is and how it's protected
• Make sure you have good passwords (and don't reuse the same ones)
• Start planning for 2FA
Questions?
Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG
Upcoming Webinar
Thursday November 20
4:00 – 5:00 PM EST
The Future of Nonprofit CRM: Takeaways from BBCon and Dreamforce
David Deal and Kyle Haines
After the webinar
• Connect with us
• Provide feedback: Short survey after you exit the webinar. Be sure to include any questions that were not answered.
• Missed anything? Link to slides & recording will be emailed to you.