The NonProfit Times - February 15, 2008 - (Page 16)

DATABASE
JON BIEDERMANN
Best Practices: Information security is threatened every day

With the recent outbreaks of security breaches in the news, it’s more important than ever to ensure that your data is safe. While no system is ever 100 percent secure, there are many steps and industry best practices you can follow to significantly reduce your risk of becoming the next victim of a security breach, data corruption, or loss of mission-critical data. Whether your donor database is stored on your own computers or uses a hosted solution provider, here are some important practices to use or look for:

Backup, Backup, Backup. The greatest risk to your data is not really hackers; it’s data loss due to computer failure, fire or other accidents. Not having a comprehensive backup plan can spell disaster for your organization. Complete backups should be performed every day, and copies of the backup itself should be stored securely off-site. There are countless examples of data loss due to fires, floods, etc., where the organization dutifully backed up its data but unfortunately stored the backup tapes next to the computer. Hosted software providers handle daily off-site backup storage for you, but if you’re not good about making backups yourself, consider an online backup service such as mozy.com or carbonite.com.

User ID & Password Security. Some of the most stringent data security requirements are used by the healthcare industry under the guidelines of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA spells out many requirements for password security, including:

• Passwords should be at least seven characters in length, contain at least one non-alphabetical character, and not be words found in a dictionary.
• Passwords should never be displayed onscreen and should always be stored with a high level of encryption. You should never be able to download the password file; a password must be individually reset for each user.
• Passwords should expire and be changed every 60 days, and User IDs should automatically expire after a predetermined date. This safeguard ensures that users who are no longer authorized do not have access to the data.
• No more than three unsuccessful login attempts are allowed. Once three attempts have been made, the User ID is deactivated and the user cannot access the system unless the password is reset by the system administrator.
• Access to data should be able to be limited to only certain subsets of the data, such as Name and Address, and not include financial transactions. You should also be able to limit access for certain users to business hours, Monday-Friday. Or you may even want to limit access to just certain designated IP (Internet Protocol) addresses.

Audit Trails. A database system should be able to provide a security audit trail of user logins. For example, it should track the user identification, time/date, and IP address of every single login. These security logs should be reviewed periodically, and any suspicious behavior identified. Don’t make the mistake of ignoring the audit trails until after you know of a security breach. In almost all cases you can stop a breach if you pay close enough attention to these logs regularly.

Physical Security. A weak link in many organizations is the physical protection of their property and databases. This not only includes protection of your servers and computers, but also protection from unauthorized access to the printed records of your database. All paper records should be destroyed (cross-cut shredding is best), including any correspondence (including the envelope!) from your donors. Identity thieves know that it is often much easier to sort through your trash looking for information than to successfully hack your systems or decrypt your password files.
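As an added example (not code from the column or from DonorPerfect), the following Python script applies the controls listed above to a login audit trail: it flags logins from outside a set of designated IP addresses, logins outside Monday-Friday business hours, a lockout after three failed attempts, and any activity on a User ID after it was locked. The log format, the IP allowlist, the business hours and the sample log lines are all assumptions constructed for the example.

```python
# Added example (not code from the column or from DonorPerfect): review a login
# audit trail for the controls listed above. The log format, IP allowlist and
# business hours are assumptions; the sample log lines are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: user, ISO timestamp, IP address, login result.
SAMPLE_LOG = """\
alice,2008-02-11T09:05:00,192.0.2.10,ok
bob,2008-02-12T02:15:00,198.51.100.7,ok
carol,2008-02-13T10:00:00,192.0.2.11,fail
carol,2008-02-13T10:01:00,192.0.2.11,fail
carol,2008-02-13T10:02:00,192.0.2.11,fail
carol,2008-02-13T10:03:00,192.0.2.11,ok
dave,2008-02-16T11:00:00,192.0.2.12,ok
"""
ALLOWED_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}  # designated addresses
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday
MAX_FAILURES = 3               # lockout threshold named in the column

def parse_log(text):
    """Parse 'user,timestamp,ip,result' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            user, ts, ip, result = line.split(",")
            events.append({"user": user, "time": datetime.fromisoformat(ts),
                           "ip": ip, "result": result})
    return events

def review_logins(events):
    """Return sorted (user, reason) findings for a periodic log review."""
    findings, failures, locked = set(), defaultdict(int), set()
    for e in events:
        user, t = e["user"], e["time"]
        if e["ip"] not in ALLOWED_IPS:
            findings.add((user, "login from non-designated IP " + e["ip"]))
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            findings.add((user, "login outside business hours"))
        if user in locked:  # only an administrator reset should follow a lockout
            findings.add((user, "activity after lockout"))
        elif e["result"] == "fail":
            failures[user] += 1
            if failures[user] >= MAX_FAILURES:  # third failure deactivates the ID
                locked.add(user)
                findings.add((user, "locked out after %d failed attempts" % MAX_FAILURES))
        else:
            failures[user] = 0  # a successful login resets the failure counter
    return sorted(findings)
```

Calling review_logins(parse_log(SAMPLE_LOG)) on the constructed trail reports bob’s off-hours login from an undesignated address, carol’s lockout and the activity that followed it, and dave’s weekend login.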
User Security Awareness Training. Some of the greatest threats to your data are from hackers who use social engineering to access your systems. Also known as “phishing” schemes, these unscrupulous hackers can trick your users into revealing their security credentials. That’s why it’s important to make sure users are aware of such schemes, and to always be on the lookout for “official”-looking email that redirects them to a rogue Web site to enter their credentials. One of the easiest ways to identify a phishing attack is to be mindful of where the perpetrator redirects your Web browser. For example, while an email link may display an official-looking Web site address (such as www.paypal.com/login.aspx), hovering the mouse over the link will reveal the actual link target (URL) in the bottom left-hand corner of the browser. In fact, this type of phishing scheme is so prevalent that many service providers will never include a link to a login page in email communications.

Securing your database systems should be a mandatory part of every organization’s overall contingency planning, and in many cases it is necessary to ensure the organization’s very survival. Both physical and software protections are required, and while outsourcing your database systems to professionals can provide added security, it’s still necessary to teach greater security awareness among all your users to ensure that your data is as safely protected as possible. NPT

Jon Biedermann is vice president at SofterWare, Inc., developers of DonorPerfect. His email is jbiedermann@donorperfect.com

REGULATION
KARL E. EMERSON
It’s A New Year: It’s time to get in compliance with state rules

If you’re one of those who thought Congressional scrutiny of the nonprofit sector was going to end just because Sen. Charles Grassley (R-Iowa) is no longer chairman of the Senate Finance Committee, think again.
Not only has the senator continued to expend considerable effort investigating actual and perceived abuses in the sector, his colleagues at the House Oversight and Government Reform Committee recently joined his efforts by holding a lengthy hearing on sector abuses. Committee members expressed outrage at the conduct of certain charities detailed at the hearing and indicated that they plan to hold additional hearings early this year. Of course, this heightened Congressional scrutiny has been fueled by the steady stream of stories about actual and alleged abuses in the sector that has regularly appeared in news media across the country on an almost daily basis for many years now.

Because of this heightened Congressional and media scrutiny, perhaps the single most important thing a charity can do to start the new year out right is to have a comprehensive compliance assessment performed to determine whether it has any actual or potential problems that, if not addressed in an appropriate and timely manner, could lead to damaging media stories and/or state or federal prosecutions. If your organization has one or more actual or potential problems, it would be far better to uncover the problems yourself and take appropriate action to correct them rather than having the problems discovered by a state or federal regulator, an inquisitive investigative reporter, or, worse still, by Grassley or one of his Congressional colleagues.

So, here are just five of the many items that should be reviewed during a comprehensive compliance assessment. In future columns, other, equally important, items will be covered.

First, is your organization in compliance with all applicable state charitable solicitation statutes?

Regulation, page 17