The Cloud Beckons, But is it Safe?
April 2012
#12NTCCSec

Laura Quinn
Michael Enos

Introductions
Laura Quinn, Executive Director, Idealware
Michael Enos, Chief Technology Officer, Second Harvest Food Bank of Santa Clara and San Mateo Counties

What are you hoping to get out of this session?
Cloud Security - Idealware
What is The Cloud?
The Lure of the Cloud
Low cost of entry
Easy remote access
No complex infrastructure

But what about security?
How Do YOU Feel About Cloud Security?
Why the Concern?
Cloud Security in the News
Under Siege
To be on the Internet is to be vulnerable to attack.

If you’re on the Internet, you’re in The Cloud
But We Do Lots of Things on the Internet
We shop online
We bank online
We post crazy things on Facebook

Why is the cloud different? It’s not.
How Secure is Your On-Site Data?
Do any of these sound familiar?
• No one patches computers or is responsible for network security
• You haven’t really thought about passwords or permissions
• No disaster recovery plans
• Staff hasn’t had any security training
Myth
“We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”
Fact
Many data security breaches are crimes of opportunity.

Organizations don’t always consider the sensitivity of their data until it’s exposed.
Myth
“Our data is safer not in the cloud”
A Cloud Data Center
Is This Your Server Closet?
What Does Security Mean?
The Three Pillars of Information Security
Confidentiality
Information is available only to authorized parties.
Integrity
Information isn’t modified inappropriately, and you can track who made what change.
Availability
Assurance that data is accessible when needed by authorized parties.
Also: Physical Possession
Whoever has the data could, for instance, turn it over to the government
How Does This Apply to the Cloud?
Cloud Security
The use of the term “Cloud” is cloudy!

Three general types of clouds:
   – Software-as-a-Service
   – Hosted Private Cloud
   – Co-located Private Cloud

All three have different security models
Software as a Service
The vendor owns and manages all aspects of the environment. For instance:
Hosted Private Cloud
The vendor owns and manages the equipment only, but all software is managed by the client. The equipment is on the vendor’s network. For instance:
Co-located Private Cloud
The vendor provides only the physical environment in a data center; the client maintains the hardware and the software. For instance:
What Does Security Mean For You?
Rules for Absolute Safety
Turn off your Internet connection.

Allow no one access to your data and systems.

But let’s be realistic…
Know What You’re Protecting
What kinds of data are you storing, and how sensitive are they?

Think about its value on the open market.
Red Flags
You need extremely tight security to store:
• Donors’ credit card numbers.
• Scanned images of checks.
• Donors’ bank account information.
What’s Your Exposure?
Consider the impact of exposure of your confidential information, both in monetary terms and reputation.
What’s The Impact of an Outage?
How much staff time could you lose from a short-term or prolonged outage?
Testing Your On-Site Security
Have you recently performed a:
• Check on whether your systems have been recently patched?
• Systems penetration test?
• Employee training on security procedures?
• Backup/recovery test?

If not, you’d likely increase your security by moving to the cloud.
A Multi-Level Security Model
Multi-Level Security is the Ideal
Physical Security
• Guarded facilities
• Protection of your hardware and devices
• Power redundancy
• Co-location (redundant facilities)
Network Security
• Intrusion prevention
• Intrusion detection
• Firewalled systems
• Network proactive anti-virus protection
Transmission Security
Is data encrypted in transit?

Is the network secure?
Access Controls
• Ensuring the right people have access to the right data
• Physical access to the server
• Training on appropriate passwords and security measures
Data Protection
• Data encryption
• Solid backup and restore policies
• Ability to purge deleted data
• Ability to prevent government entities from getting your data with a subpoena
What to Look For in a Vendor
Description of Security Mechanisms
Documentation of all the facets of security, and the staff can talk about it intelligently.

Proves information security is on the “front burner”
Uptime
Do they provide any guarantee of uptime? Any historic uptime figures?

Uptime figures are typically in 9s: 99%, 99.9% or 99.99%

Your connection to the internet may well be the weakest link.
Regulatory Compliance: HIPAA
Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
Regulatory Compliance: SAS70 and SSAE16
Audit for security standards, hardware, and processes.

Statement on Accounting Standards 70 (SAS70)

Statement of Standards for Attestation Engagements 16 (SSAE16)
Regulatory Compliance: PCI DSS Compliance
If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Payment Data Security Standard)
In Summary
Understand the Value of Your Data
What is it worth to you? To others?

What measures are appropriate to protect it?
Your Data Is No Safer Than You Make It
Any computer attached to the internet is vulnerable unless you protect it.

The cloud isn’t, in and of itself, more or less secure
But Many Vendors Make Your Data Really Safe
Choose vendors who show they’re serious about data protection (not all vendors are created equal).

Consider a vendor’s regulatory compliance.
Questions?

Editor's Notes

  • #12: Those were examples that illustrate that the Internet itself is a dangerous place. Yet who would give up their Internet connection?
  • #13: If you shop and bank online, and share personal info via social media, you already use the cloud. You probably trust your bank and online merchants like Amazon because you believe they have the capability and the incentive to protect your information. You probably also realize that “free” social media vendors make money by selling information about you.
  • #14: Here are some vulnerabilities that apply to all systems connected to the Internet, including systems in the cloud. Reputable cloud vendors have significant resources and teams of computer and security specialists devoted to maintaining the security of the data they handle. They can be far better positioned to protect your data than you are.
  • #15: People target systems for attack that they know have valuable information, like account numbers, social security numbers and the like. Things that nonprofits don’t typically have. Hackers after fame are more likely to attack big ACME Bancorp, International, than a community food bank’s systems. This means your risk of attack is lower than that of some big company, but it doesn’t mean you’re safe.
  • #16: Cyber crime is often the computer equivalent of trying front doors until you find an unlocked house. IMPORTANT: Payment information SHOULD NOT be stored on your systems. If you have donors’ credit card data for recurring payments, move to a reputable payment processing vendor. Then delete this information. Thieves can’t steal data that you don’t have.
  • #17: People target systems for attack that they know have valuable information, like account numbers, social security numbers and the like. Things that nonprofits don’t typically have. Hackers after fame are more likely to attack big ACME Bancorp, International, than a community food bank’s systems. This means your risk of attack is lower than that of some big company, but it doesn’t mean you’re safe.
  • #18: Reputable cloud vendors have significant resources and teams of computer and security specialists devoted to maintaining the security of the data they handle. They can be far better positioned to protect your data than you are.
  • #19: If you have no full time IT and your server lives in a broom closet, your data is not likely secure.
  • #21: Information security boils down to these three areas, plus privacy.
  • #23: You know whether there is integrity. Like going in to change your salary because everyone has access, no accountability. No universal login
  • #24: One of the most common. DNS attack. Systems are reliable.
  • #32: If you avoid automobiles, you’ll never be in a car accident. But you won’t get very far, either. Avoiding the Internet will cut your information security risk, but your productivity will be set back a few decades. There are ways to maximize information security, but you can’t entirely eliminate risk.
  • #33: This kind of “discovery” exercise is important. You may find that the data you think you have differs from what you actually have. Maybe you have sensitive data that you’re not aware of. Secret Service level security might not be warranted, but it’s nice to know what protection is appropriate. How old is your server? Is it near the end of its life? What would you do if it crashed tomorrow? Can someone just walk up to your server? Do they need to log in? Is the admin password “letmein”?
  • #34: Don’t keep financial information related to donors on your system. Thieves can’t steal data you don’t have, and there’s no reason for you to take on the risk of handling such sensitive information. Better to outsource to a payment vendor who can guarantee the security of this information.
  • #35: Might the exposure of donor data hurt your ability to raise money in the future? What if that “anonymous” major donor was outed? What would be the financial impact if you couldn’t access key systems (wasted staff hours, missed fundraising opportunities, etc.)?
  • #36: Might the exposure of donor data hurt your ability to raise money in the future? What if that “anonymous” major donor was outed? What would be the financial impact if you couldn’t access key systems (wasted staff hours, missed fundraising opportunities, etc.)?
  • #37: If data and systems are in house, what are you doing to protect them? Could a cloud vendor do a better job than you can? Systems penetration – reverse engineer passwords, social engineering, known vulnerabilities. Information handling/protection procedures? Policies for changing passwords, what you do with old users
  • #39: The greater the depth of security measures, the longer a potential attacker will be delayed. This is important
  • #41: Computer intrusion detection and prevention systems alert you to possible systems breaches and try to thwart them. Look for abnormal patterns. Prevention – alerting someone. More harm than good for small orgs – so many false positives. Data center has “intrusion guy”. Firewalls attempt to block entry to your systems by malicious people and information. Lets things in and out in a circuit. HTTP is generally open, but there are rules to help with attacks. Anti-virus software helps prevent malware from installing on your systems, and attempts to clean existing infections.
  • #42: Websites use security certificates to encrypt data while in transit *and* verify to you that the URL belongs to the organization you think it belongs to. FTP or secure FTP. PGP. VPN = encrypted tunnel between two trusted partners. https rather than http indicates that the site you’re using has a certificate and is encrypting the data you send. Newer browsers allow you to click on an icon near the URL (a picture of a lock in the case of Chrome) to show information on the encryption used and the site’s owner.
  • #44: Stolen data is of little use if it’s encrypted. Understand what is recoverable from backups, and how. Disaster recovery backups do not necessarily mean that you’ll be able to restore data you accidentally overwrite. Business continuity/disaster recovery
  • #47: Designed to protect private health related data, but HIPAA compliance can speak well of how other sensitive data is handled.
  • #48: Designed to protect private health related data, but HIPAA compliance can speak well of how other sensitive data is handled.
  • #49: These audits are performed by CPA firms and verify that a vendor has procedures in place that allow it to meet standards for handling sensitive data and for meeting regulatory requirements like HIPAA. SSAE16 is the newer audit standard and is slowly replacing SAS70. SSAE16 is more internationalized than SAS70.
  • #50: Provides guidance on how debit and credit card information should be handled. Especially relevant for payment processing vendors that handle online donations.
  • #52: Provides guidance on how debit and credit card information should be handled. Especially relevant for payment processing vendors that handle online donations.
  • #53: Provides guidance on how debit and credit card information should be handled. Especially relevant for payment processing vendors that handle online donations.