IT SECURITY FOR NONPROFITS

Similar documents
Department of Management Services REQUEST FOR INFORMATION

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

2017 Annual Meeting of Members and Board of Directors Meeting

DDoS MITIGATION BEST PRACTICES

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Integrated Access Management Solutions. Access Televentures

Cyber security tips and self-assessment for business

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

CYBER RESILIENCE & INCIDENT RESPONSE

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Securing Industrial Control Systems

Keys to a more secure data environment

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Network Performance, Security and Reliability Assessment

Cyber Security. Building and assuring defence in depth

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Heavy Vehicle Cyber Security Bulletin

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

A company built on security

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

to Enhance Your Cyber Security Needs

Provided as an educational service by: Introduction

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Security Policies and Procedures Principles and Practices

Cyber Security Program

align security instill confidence

OPERATIONS CENTER. Keep your client s data safe and business going & growing with SOC continuous protection

Information Security Controls Policy

10 Hidden IT Risks That Might Threaten Your Business

Gujarat Forensic Sciences University

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

SIEM: Five Requirements that Solve the Bigger Business Issues

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

One Hospital s Cybersecurity Journey

Security by Default: Enabling Transformation Through Cyber Resilience

Managed IT Services Eliminating technology pains for SMBs

Sage Data Security Services Directory

An ICS Whitepaper Choosing the Right Security Assessment

Build Your Zero Trust Security Strategy With Microsegmentation

Transforming Security from Defense in Depth to Comprehensive Security Assurance

2015 VORMETRIC INSIDER THREAT REPORT

Managed Endpoint Defense

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Continuous protection to reduce risk and maintain production availability

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Data Security and Privacy Principles IBM Cloud Services

Cloud for Government: A Transformative Digital Tool to Better Serve Communities

Choosing the Right Security Assessment

22 BEVIS MARKS, LONDON, EC3A 7JB

NETWORK THREATS DEMAN

CYBER SECURITY AND MITIGATING RISKS

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

10 FOCUS AREAS FOR BREACH PREVENTION

Protect Your Data the Way Banks Protect Your Money

locuz.com SOC Services

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

How NOT To Get Hacked

CYBERSECURITY MATURITY ASSESSMENT

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

Best Practices in Securing a Multicloud World

Run the business. Not the risks.

Practical Guide to Securing the SDLC

The Business Case for Network Segmentation

Comprehensive Database Security

KnowBe4 is the world s largest integrated platform for awareness training combined with simulated phishing attacks.

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Disaster Recovery Self-Audit

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

NEN The Education Network

What is ISO ISMS? Business Beam

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

SECURITY PRACTICES OVERVIEW

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

CyberArk Privileged Threat Analytics

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

90% of data breaches are caused by software vulnerabilities.

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISAO SO Product Outline

ANATOMY OF AN ATTACK!

FOR FINANCIAL SERVICES ORGANIZATIONS

Education Network Security

A practical guide to IT security

SOLUTION BRIEF Virtual CISO

Transcription:

IT SECURITY FOR NONPROFITS COMMUNITY IT INNOVATORS PLAYBOOK April 2016 Community IT Innovators 1101 14th Street NW, Suite 830 Washington, DC 20005 The challenge for a nonprofit organization is to develop an appropriate security plan that recognizes the difficulty in managing the security of their data assets, engages their staff with sensible practices as an important line of defense, and keeps costs effective. Whether hiring a Managed Service Provider (MSP) or using an in-house IT Department, organizations need to establish a good foundation of updated systems, regular backups, good user training including passwords, and effective written security policies that can evolve with the organization. These steps are the Community IT Innovators approach to creating a multi-layered foundation of security.

This page deliberately left blank for two-sided copies

Page 1 Table of Contents Introduction.... 2 Our Approach... 3 People... 3 Process... 4 Technology... 5 Summary... 7 About Community IT Innovators... 8 Nonprofits can't hide in the herd. In fact, many hackers have discovered that nonprofits make good targets. They are easier to penetrate than large companies with security teams and less likely to catch a hacker in the act. Today, most hackers are part of professional rings focused on the bottom line. If there is money to be made by hacking your nonprofit, they won t hesitate. Idealware Report What Nonprofits Need to Know About Security December 2015

Page 2 Introduction We live in a world with increasing IT Security risks. Recent years have seen a dramatic increase in the change and innovation of the technology tools available to mission driven organizations, but, at the same time, the tools available to cyber criminals have also grown in sophistication. Networks can no longer be protected by a firewall at the edge of a network. The end user s device has become the perimeter. Begin by dismissing the notion that nonprofits are not targeted or that your organization is safely under the radar because of your size or the unimportance of your data. Attacks have become so automated and hacker code is so available and cheap that every computer and device is a target. Security threats have evolved into sophisticated and profit driven enterprises with significant resources for cyber criminals. Understanding the new and persistent threats that exist is a good first step to adopting a meaningful approach to security at your organization. Courtesy of http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Page 3 Our Approach People Most employees will not think IT security is more important than easily and effectively getting the job done. What Nonprofits Need to Know About Security from Idealware covers the basics of user-focused security training, as does the Community IT webinar from September 2015 http://www.communityit.com/resources/webinar-end-user-training/. Passwords are already one of the least secure protections we have available to us. There s every chance you re bad at them to begin with, and the more people who have the key to your alphanumerical digital lock, the more potentially exposed you become WIRED, February 2016

Page 4 Passwords should be long and contain a variety of letters, symbols and numbers. All user-chosen passwords must meet the following complexity requirements: Must contain at least one alphabetic, one numeric and one symbol character. Must be at least 8 characters in length. Ideally passphrases should be used to increase length. Increased length provides more security than complexity and is easier for a human to memorize. For example, the seven extra characters in Blue5Chandelier2@ make it 64 trillion times stronger than lf@j7asfd! Privileged accounts (typically domain admins) should be optimized for security since no human needs to memorize these passwords. The account names should also avoid using common Admin names (such as support, exchange, admin, etc) to reduce the surface area of attack for brute force attacks. Administrator level passwords with privileged access: Should maximize the possible length of password for each platform. Should not be memorized. Should avoid passphrases (ie. quickbrownfoxjumpedover) to discourage memorization. Using complex passwords is a challenge, so the use of a password manager is required. Solutions such as Secret Server Online, Last Pass or Dashlane are indispensable. Process Nonprofits of any size need a set of written IT security policies but in our work with clients we ve learned that many have outdated policies that no one references and staff who don t know what the policies cover, or realize too late they don t have a policy at all. You should have Written and Updated Security Policies tailored to your organization. These policies should be viewed as living documents that are regularly updated to reflect changes in technologies, priorities and assets. Your staff should be familiar with your IT Security Policy, should understand the reasons for your policies, should know how to consult your Security Policy or IT Providers if they have questions, and should be regarded as your principal asset in keeping your IT safe and secure. You and your IT provider, or IT department, should be conducting regular Staff Training and Awareness and sharing

Page 5 information on new procedures and threats to engage users in creating a collective culture of security responsibility. Written policies are not only protection against misunderstandings; creating up-todate policies can be an instrument for proactively assessing risk, assigning access, and enlisting staff as your first line of defense against hackers and disasters. Community IT Innovators employs the CIA security framework with our clients - this stands for Confidentiality, Integrity, and Accessibility. The CIA framework helps you assess your data and assign risk levels. Community IT presented a webinar in 2015 on Crafting an IT Security Policy for Your Nonprofit http://www.communityit.com/resources/webinar-april-2015/ The webinar takes you through a manageable outline to create or update a policy for your organization addressing different levels of access to data, confidentiality and security, and what policies need to be in place for staff mobile devices. Technology An effective security strategy requires a multi-layered approach. At Community IT Innovators we combine people and process elements along with robust technology solutions to build an effective security framework. Patching Community IT deploys patches from a cloud platform, where we constantly monitor and manage software, ensuring definitions are kept up-to-date and active. Our best practice is to patch workstations weekly and servers monthly. We know that most attacks are perpetrated by exploiting vulnerabilities in the operating system and third party applications such as Java, Flash and Acrobat. A security study by IBM indicated that the vector of application vulnerabilities has shifted over time from being primarily directed at Windows and related Microsoft applications to being directed against a wide range of third party applications.

Page 6 Our Community IT Innovators team communicates in real time with our client contacts, keeping them informed and updated on our security decisions, because we believe our clients can t participate in security if they view security as something someone else does. Antivirus Contemporary research shows that Antivirus is stopping only about 40-50% of malicious software. We do expect to see improvements in Antivirus effectiveness over time and still view the software as a key component of an effective security strategy. Our cloud based management platform fills a dual role of both deploying antivirus and monitoring its effectiveness and status. Through this two-pronged approach we are able to identify those systems that lack protection or are not receiving the most up to date virus definitions. Backups If disaster strikes, or you are compromised by a disgruntled employee or hackers demanding ransom, you will need to restore from your most recent backup. A good backup strategy is a key component of an effective security plan. Community IT Innovators sets up a backup regime with both Recovery Point Objectives and Recovery Time Objectives. We backup email, databases, and cloud data as well as on-premise data. Your organization should never be conducting a restore for the first time after a disaster. Community IT Innovators regularly conducts test restores and shares the results and learning from these trial runs with clients. Find more resources from our recent webinar here: http://www.communityit.com/resources/webinar-february- 18-2016-backups-and-disaster-recovery-for-nonprofits/ Predictive Intelligence Predictive intelligence seeks to proactively defending your systems against new attacks and threats. Predictive Intelligence firms both crunch big data to identify ongoing sources of attacks, and also react nimbly and immediately as new threats emerge. If you don t employ Predictive Intelligence in your arsenal of defense you become limited in your ability to keep hackers out, and can only react when your systems are already compromised. Community IT deploys a predictive intelligence layer powered by OpenDNS. OpenDNS provides zero latency protection against web-based attacks. All DNS queries are resolved by the service and malicious traffic is blocked and reported. More resources from http://www.communityit.com/resources/2016-jan-it-securitythreats/, a free webinar presented in January 2016.

Page 7 Summary Ask your IT Provider, Managed Services Provider (MSP) or IT Department about People Ask them to perform User Security Training and Awareness often. o Trainings should include the physical security of your IT assets - locked doors, proper passcode security with mobile devices, and what to do when IT assets are compromised. o Training should include compliance with written Security Policies. Ask them to explain in laymen s language the security steps they take, and be wary of an IT security head who wants blind trust; your provider should view your organization and your staff as vital partners in your security approach. Ask your IT Provider how to contact them when you suspect a problem, how long they take to respond, and what response levels are covered by your contract. Process What is our Written IT Security Policy? How often will it be updated? How do they help comply with any external compliance or regulatory requirements? How and when do they perform a data inventory? Technology How they perform emergency Patches as issued for known security vulnerabilities Which Antivirus they use and why How they utilize Predictive Intelligence How they perform Backups, how often, and how often they practice restoring from backups How they manage Passwords for users and Admin accounts o Is your password and account access policy robust enough? o Do you require 2-step authentication for access to systems?

Page 8 About Community IT Innovators Community IT Innovators is a Washington, Hiring a full-time Network D.C. based IT consultancy providing technical Administrator from staff and strategic technology support to Community IT is like hiring a nonprofit organizations. Community IT have whole organization to address focused exclusively on nonprofit technology our IT needs. since 1993, and have a staff of about 40 providing the depth and expertise needed for the broad range of technology management In addition to daily support, we challenges unique to nonprofits. Community IT tap into the collective is the only company from among the top 200 Community IT experience, solutions, new ideas, and best managed IT services providers in North practices. America that is focused exclusively on nonprofit technology support, with certifications in all of Karen Lattea, the major (and some less common) technologies Chief Administrative in use at nonprofit organizations today. Officer Community IT serves customers primarily in the DC and Baltimore areas, with customers Sojourners ranging in size from a few staff to several hundred. For more information please visit http://www.communityit.com Source: Community IT Innovators Help Desk Survey September 2015

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback