Best practices: information security is threatened every day.
Whether your donor database is stored on your own computers or uses a hosted solution provider, here are some important practices to use or look for:
Backup, Backup, Backup. The greatest risk to your data is not really hackers; it's data loss due to computer failure, fire or other accidents. Not having a comprehensive backup plan can spell disaster for your organization.
Complete backups should be performed every day, and copies of the backup itself should be stored securely off-site. There are countless examples of data loss due to fires, floods, etc., where the organization dutifully backed up their data, but unfortunately stored the backup tapes next to their computer.
Hosted software providers handle daily off-site backup storage for you, but if you're not good about making backups yourself, consider an online backup service such as mozy.com or carbonite.com.
User ID & Password Security. Some of the most stringent data security requirements are used by the healthcare industry under the guidelines of the Health Information and Patient Privacy Act (HIPPA). HIPPA spells out many requirements for password security, including:
* Passwords should be at least seven characters in length, contain at least one non-alphabetical character, and not be words found in a dictionary.
* Passwords should never be displayed onscreen and always stored with a high level of encryption. You should never be able to download the password file- it must be individually reset for each user.
* Passwords should expire and be changed every 60 days and User IDs should automatically expire after a predetermined date. This safeguard ensures that users who are no longer authorized do not have access to the data.
* No more than three unsuccessful login attempts are allowed. Once three attempts have been made, the User ID is deactivated and the user cannot access the system unless the password is reset by the system administrator.
* Access to data should be able to be limited to only certain subsets of the data, such as Name and Address, and not include financial transactions. You should also be able to limit access for certain users to business hours Monday-Friday. Or you may even want to limit access to just certain designated IP (Internet Protocol) addresses.
Audit Trails. A database system should be able to provide a security audit trail of user logins. For example, it should track the user identification, time/date, and IP address of every single login. These security logs should be reviewed periodically, and any suspicious behavior identified.
Don't make the mistake of ignoring the audit trails until after you know of a security breach. In almost all cases you can stop a breach if you pay close enough attention to these logs regularly.
Physical Security. A weak link in many organizations is the physical protection of their property and databases. This not only includes protection of your servers and computers, but also protection from unauthorized access to the printed records of your database. All paper records should be destroyed (cross-cut shredding is best), including any correspondence (including the envelope!) from your donors.
Data identity thieves know that it is often much easier to sort through your trash looking for information than to successfully hack your systems or decrypt your password files.
User Security Awareness Training. Some of the greatest threats to your data are from hackers who can use social engineering to access your systems. Also known as "Phishing" schemes, these unscrupulous hackers can trick your users into revealing their security credentials. That's why it's important to make sure users are aware of such schemes, and to always be on the lookout for "official" looking email that redirects them to a rogue Web site to enter their credentials.
One of the easiest ways to identify a phishing attack is to be mindful of where the perpetrator redirects your Web browser. For example, while an email link may display an official looking Web site address (such as www.paypal.com/login.aspx), hovering the mouse over the link will reveal the actual HTML address in the bottom left hand corner of the browser. In fact, this type of phishing scheme is so prevalent, that many service providers will never include a link to a login page in email communications.
Securing your database systems should be a mandatory part of every organization's overall contingency planning, and in many cases it is necessary to ensure the organization's very survival. Both physical and software protections are required, and while outsourcing your database systems to professionals can provide added security, it's still necessary to teach greater security awareness among all your users to ensure that your data is as safely protected as possible. NPT
Jon Biedermann is vice president at SofterWare, Inc., developers of DonorPerfect. His email is firstname.lastname@example.org
|Printer friendly Cite/link Email Feedback|
|Publication:||The Non-profit Times|
|Date:||Feb 15, 2008|
|Next Article:||It's a new year: it's time to get in compliance with state rules.|