Protecting your agency's information: security and backup
By Gillian Kerr, Ph.D., C.Psych.
There are many things you can count on in this world. One of them is data loss. You can be absolutely sure that you will eventually lose information on a computer for any of several reasons, including hard drive failure, power surges, accidental deletions and even fire, burglary or floods (floods happen surprisingly often because of the number of nonprofits that operate in basements). Given that fact of life, how does your backup procedure stack up?
If you're like most organizations, your backup systems are spotty at best. A good backup system should be automatic, cover organizational files on laptops or home computers as well as the ones on your office network, allow for easy retrieval of data, have a few different versions of your data (so that you can retrieve a previous version in case you have backed up corrupted data by mistake), and store copies of your files off the premises. It should also be easy to use and secure from data thieves.
Another important area of risk for organizations involves security and privacy. This includes issues like: How do you protect your donors' names and financial information? How do you protect your clients and staff from privacy leaks? Can outsiders get into your computers and see confidential files? We're finding that most organizations have terrible 'information hygiene'. Here are some of the things we've seen recently:
- Two agencies share a network to save costs. Confidential files about donors for one agency are accessible to volunteers working in the other agency. These files should be protected from everyone except the people who need to use them.
- A professional office sends out confidential client files using Hotmail. That's like sending them on postcards.
- Many agencies are setting up high-speed internet connections without installing firewalls to protect their networks. They are probably being infiltrated by hackers several times a day without knowing it.
Unfortunately, most people will do everything they can to sabotage security and backup processes. They write their passwords on notes that they stick on their monitors or put in their top desk drawer; they use a simple English word or their own names as passwords; they let visitors use their computers without protecting sensitive files; they send confidential information over unencrypted email; and so on. When you put processes into place to prevent security breaches, your staff will complain and/or try to get around them. It's a fact of life.
Over the past few months, Good Enough Information Systems has been developing privacy and security policies for our own organization as part of TRUSTe certification. After going through the process, we thought that some of our approaches might be relevant to other small organizations who deal with sensitive information, such as human service agencies or anyone doing fundraising. In this article, I will describe some of the ways we are protecting ourselves and our clients. You may get some ideas about how to set up procedures for your own agencies.
Warning: Our procedures are always in a state of flux as technology changes and as we experiment with different ways of doing things. Also, every decision relating to security is a trade-off between cost, convenience and protection. You will never find the perfect balance, and you will always have to be aware of the risks and costs of whatever procedures you set up. This article describes some approaches that may be helpful to you in thinking through your own needs, but we won't be held responsible for any errors or losses that you might incur as a result of following the suggestions in this article. Remember: whatever you do involves risk. For more information about this fascinating and terrifying area, read Secrets and Lies: Digital Security in a Networked World.
Protecting Your Information
These are highly simplified descriptions of the steps that we went through at Good Enough Information Systems. I've left out lots of procedures, such as how we ensure that our consultants maintain client confidentiality, how we create code names for each project, who uses paper shredders, how we assign passwords to consultants, and so on.
Assessment:
First, we identified the sensitive information in our organization.
- Web site visitors: We don't track web site visitors with cookies or ask them for any financial information, so we don't have to worry too much about online privacy. However, since we do invite people to apply for our online newsletter or post comments, we wanted to comply with the new federal privacy legislation.
- Clients: We provide consulting and systems development for clients in the public, nonprofit and private sectors. Because most of our work with them involves strategy and organizational development, we often deal with confidential information.
- Consultants: We hire consultants from all over the U.S. and Canada. Sensitive information would include phone numbers and addresses, billing rates and resumes.
- Corporate information, such as financial and business documentation. Our concerns around this information focus more on backup and data integrity than on privacy.
Policy Development:
Second, we decided what policies should guide us in protecting sensitive information. For online privacy, we found that a good resource was 'Your Privacy Responsibilities' by the Privacy Commission of Canada. We followed those guidelines, which are also consistent with industry guidelines in the U.S. and Canada, in developing our privacy policies and statement. We decided to treat privacy issues around our clients and consultants using the procedures recommended by TRUSTe.
We found the certification process for TRUSTe to be a real eye-opener. It made us look at every aspect of security, including confidentiality agreements, storage of hard copy documents, password protected screensavers, paper shredders, database design, firewalls, virus protection for our consultants, and so on. If you are not planning to go through a formal process like that, you need, at minimum, to assess the impact of privacy breaches and data loss, and to decide about your legal and ethical responsibilities if, for example, your donors' credit cards were leaked online, or a file regarding a psychotherapy client was emailed to the wrong person.
Procedure Development:
Third, we developed specific procedures around key areas.
We use a variety of tools to back up and protect our data. For this article, I'll ignore the issues around managing our web sites, including our intranet, and focus on our corporate and project files, which would be most comparable to nonprofit agency files.
All active project files are saved into a secure online collaboration space using Critical Path Secure File Services. Since we're a virtual company, we use this service as our file network. We could use our intranet for file sharing, but Critical Path's security is better than anything we could afford to build ourselves. The service also automatically scans for viruses, so if one of our consultants (or clients!) has uploaded an infected file, it will be identified immediately. (We expect our consultants to install virus checking software, but we can't directly check to ensure that it's up to date.) We also use Secure File Services to courier sensitive files, rather than through email attachments, and to share project information with clients. We have set up some demonstration accounts for Secure File Services, so please contact us if you want to find out more about it.
When a project is completed, we compress the documents into a zip file and download it to an encrypted hard drive on a PC. We then delete the project files from the collaboration space, and ask the consultants who worked on the project to delete all of their material relating to the project, including hard copies.
The corporate and project information on our PCs is backed up using Connected TLM. This online backup service satisfies all the criteria that I listed at the beginning of the article; it's fast, automatic and easy. One of its nice features is the option to get overnight delivery of your backup data on a CD ROM in case your hard drive fails or you lose your computer. The data is encrypted and protected in various ways.
We require that passwords to our protected areas follow certain standards; they should be a combination of numbers and letters, a certain length, and so on. Hackers now use 'dictionary attacks', in which they try millions of words and word combinations in a matter of a few minutes. Hard-to-guess passwords are getting harder to create all the time.
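An added example, not from the original article or any product it names: a small password check that applies the standard described above (letters plus numbers, a minimum length) and also rejects passwords that a dictionary attack would reach, such as a word or the user's name with digits attached. The 12-character minimum, the tiny wordlist and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist; in practice load a full dictionary file.
WORDLIST = {"password", "welcome", "donor", "summer", "agency", "charity"}
MIN_LENGTH = 12  # assumed; the article only says "a certain length"
LEET = str.maketrans("013457@$!", "oleastasi")  # common look-alike swaps
EDGE_CHARS = "0123456789!@#$%^&*._-"


def is_word_combo(text, words):
    """True if text is one word, or several words run together."""
    if not text:
        return False
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words
            for start in range(end)
        )
    return reachable[-1]


def check_password(password, user_names=()):
    """Return the list of policy violations (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs letters and numbers")

    words = WORDLIST | {name.lower() for name in user_names}
    lowered = password.lower()
    # Candidate 1: drop every digit and symbol ("summer2024donor").
    letters_only = re.sub(r"[^a-z]", "", lowered)
    # Candidate 2: trim digits/symbols at the ends, then undo look-alike
    # swaps in the middle ("P@ssw0rd2024!" -> "password").
    unswapped = re.sub(r"[^a-z]", "", lowered.strip(EDGE_CHARS).translate(LEET))
    if any(is_word_combo(c, words) for c in (letters_only, unswapped)):
        problems.append("built from dictionary words or names")
    return problems
```

Note that "P@ssw0rd2024!" and "Summer2024Donor" both satisfy the letters-and-numbers and length rules yet are still rejected, which is the gap a dictionary attack exploits.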
Because we can't be sure about our consultants' firewalls and security from internet attacks, we require that they encrypt their project files using a product like Encryption Folders Freeware. This is a great piece of software, but be careful with it: if you encrypt your files and then forget your password, or decide to uninstall the program without unencrypting them, you've lost your files forever! The paid version lets you encrypt an unlimited number of folders.
The most important tasks for your agency are to understand your security risks and to take responsibility for addressing them. It's not a simple process, and it takes a while to develop procedures that work with your staff and volunteers. If you develop a beautiful procedure that nobody follows because it's too much hassle, you don't have a working procedure. A common response to a security panic is to implement impossible-to-follow processes that everyone ignores after the first couple of weeks. Do not fall into this trap.
I would be very interested to hear about people's experiences with backup and security, and how they have dealt with those issues in small agencies. Please contact me if you want to share your ideas with other groups or if you have any other feedback.
************
Gillian Kerr, Ph.D., C.Psych.
President, RealWorld Systems
gkerr at realworldsystems.net
Read my weblog at http://blog.realworldsystems.net
Disclosure: We have affiliate relationships with some of the services we describe in our columns, but we do not recommend or review services based on their affiliate programs. Among the services listed in this article, for example, we have a referral agreement only with Critical Path, and that was arranged after we had decided to buy their services for ourselves.