Nov/Dec 2006

Ask the Expert: What are the top concerns involving information security that my organization should be sure to address?

by David Crooke, Founder and Chief Technology Officer, Convio

Individuals in today's workplace, whether nonprofit or for-profit, often make two common errors when thinking about privacy and information security.

First, people tend to think of information security as a technology problem — making it all about firewalls and encryption. Designing a truly secure information handling system instead requires a holistic approach that uses technology components, but first must address business processes, policies and most importantly, people. Many serious and successful hacking attempts begin with what hackers refer to as "social engineering" — they compromise the human components of the information system rather than the electronic ones.

Second, people often think of information security in absolute terms (i.e., "We must have this or that"). Information security is a risk management problem, which is all about making sensible trade-offs. Security improvements require decisions involving money, time and efficiency, all of which must be evaluated against the risk it will reduce.

The key principles of good security design transcend time and have little to do with technology. Here are six important points that organizations should consider when evaluating their information security plans:

1. Education — People are the most important part of information security. Educate everyone in your organization on their role in maintaining security, how to think about security, how to evaluate risks and why information processes are designed a particular way.

2. Need to Know — The risk of information being compromised increases with every person who has access to data. This is not necessarily because certain individuals might be untrustworthy, but because everyone makes mistakes, and anyone's computer can get a virus. For example, only allow donor database access to people who actively work on it.

3. Avoiding Unnecessary Risk — There are currently more than 20 states that have passed laws requiring disclosure when social security numbers or credit card numbers are compromised. Organizations don't need social security numbers to accept donations, and since these are high-risk data items, don't ask for them. Instead, create your own membership numbers.

4. Defense In Depth — Processes, technology and people are all imperfect, and a system is only as secure as its weakest link. You should not rely on a single layer of protection for important information. For example, even if you are confident in your office firewall and physical security, your donor database server should be in a locked room, protected by an additional onboard firewall and password controlled access.

5. Continuous Improvement — Threats and technologies constantly change, and so do business needs. You should regularly review systems and processes, as well as shut down old systems that no longer are being used. Also, keep software patches up to date — most software breaches exploit weaknesses for which a patch had already been released by a vendor.

6. Enable, Don't Obstruct — If you make a habit of always saying "no" to requests for new information processes, people will resort to circumventing your security measures in order to do their jobs. Find ways to meet colleagues' needs while still keeping data secure.

By taking a holistic approach, organizations can establish more effective information security to protect important data from getting into the wrong hands.