With non-profits and governments having a more prominent place in the digital world, it is critically important for organizations to assess their information technology risks. Cyber crimes impact not only large public organizations but also smaller entities such as local municipalities and grassroots non-profit organizations. Organizations that have adapted their operations to a remote environment face additional risks. We have several recommendations and tips your organization should consider implementing in the next twelve months to improve its security protocols (if you have not done so yet).
- Evaluate your IT service provider. Does your organization contract out its IT services, or does it have in-house IT? If IT services are performed in-house, is there sufficient knowledge within your IT team, and is the workload manageable for them? If you rely on contracted services, is there a formal agreement with the third party?
- Evaluate the specific risks relevant to your organization. Do you accept online credit card payments? Are these transactions stored and processed on site, or by a third-party payment processor? Is your organization required to follow the Health Insurance Portability and Accountability Act (HIPAA) to protect sensitive patient health information? Educational and financial institutions have additional requirements.
- Evaluate your accounting software: are its operations automated or manual, who has access to it, are access rights documented, and are those rights reviewed? Evaluate your overall network security and the security of each individual application.
- Evaluate your access controls. (Access control is the component of data security that dictates who is allowed to use your organization’s information and resources.) Authorization controls aim to ensure that the person seeking access is authorized, most often by means of login credentials. Basic authentication controls ensure that those in possession of the authentication key (user name and password) can access your systems. Enhanced authentication controls ensure not only that the person accessing your data is authorized to do so but also that they are who they say they are; enhanced authentication can be achieved with dual factor authentication. Did you know that internal personnel are responsible for just as many security incidents as outsiders? Employees should have only the need-to-know access required to do their jobs and nothing more.
- Is your organization following the NIST (National Institute of Standards and Technology) guidance on passwords? To be reliable, a password policy should require the following: passwords of at least eight characters; a mix of lowercase letters, uppercase letters, numbers and special characters to increase password strength; automatic logoff or timeout after a period of inactivity; lockout of the account after three failed attempts (the lockout should last around 60-90 minutes to frustrate hacker attempts, and can be indefinite for more sensitive accounts, requiring credentials to be re-established); and timely removal or disabling of terminated employees’ credentials. There should also be segregation of duties: the person responsible for password policies, settings, and configurations should not be entering data or have access to applications.
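The thresholds in this item (eight-character minimum with all four character classes, lockout after three failures, a 60-90 minute lockout that becomes indefinite for sensitive accounts, inactivity logoff, and disabling terminated employees' accounts) can be expressed as a small enforcement module. The following is an added example written for this page, not code from the post or from NIST; the class and function names are ours, the 15-minute inactivity timeout is an assumption (the post gives no figure), and the 90-minute lockout is the top of the range the post cites. Credential verification is deliberately left to the caller so that this module only decides whether an attempt may proceed and what happens afterwards.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import string

# Thresholds taken from the post's checklist. The inactivity timeout is not
# quantified in the post; 15 minutes is an assumption for this example.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_DURATION = timedelta(minutes=90)    # post gives a 60-90 minute range
INACTIVITY_TIMEOUT = timedelta(minutes=15)  # assumption, see above
INDEFINITE = datetime.max                   # "locked until credentials are re-established"


def password_violations(password: str) -> List[str]:
    """Return the composition rules a candidate password breaks (empty list = compliant)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [message for passed, message in checks if not passed]


@dataclass
class Account:
    username: str
    sensitive: bool = False                  # sensitive accounts lock indefinitely
    disabled: bool = False                   # set on termination; never clears automatically
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None  # None = not locked
    last_activity: Optional[datetime] = None


class LockoutPolicy:
    """Tracks failed logins, lockouts, inactivity and disabled accounts.

    The password-hash check itself belongs to the caller; this class only
    decides whether an attempt may proceed and records its outcome.
    """

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, account: Account) -> None:
        self.accounts[account.username] = account

    def is_locked(self, username: str, now: datetime) -> bool:
        acct = self.accounts[username]
        if acct.disabled:
            return True
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:
            # Temporary lockout has expired: clear it and reset the counter.
            acct.locked_until = None
            acct.failed_attempts = 0
            return False
        return True

    def record_failure(self, username: str, now: datetime) -> str:
        """Call after a failed credential check. Returns 'locked' or 'failed'."""
        acct = self.accounts[username]
        if self.is_locked(username, now):
            return "locked"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = INDEFINITE if acct.sensitive else now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def record_success(self, username: str, now: datetime) -> str:
        """Call after a successful credential check. Returns 'ok' or 'locked'."""
        acct = self.accounts[username]
        if self.is_locked(username, now):
            return "locked"  # a correct password does not bypass an active lockout
        acct.failed_attempts = 0
        acct.last_activity = now
        return "ok"

    def session_expired(self, username: str, now: datetime) -> bool:
        """True when the session should be logged off for inactivity."""
        acct = self.accounts[username]
        return acct.last_activity is None or now - acct.last_activity > INACTIVITY_TIMEOUT

    def disable(self, username: str) -> None:
        """Terminated employee: the account is disabled rather than left to expire."""
        self.accounts[username].disabled = True
```

Two details matter for audit evidence: a correct password during an active lockout still returns "locked" (otherwise the lockout only slows a guesser who has not yet found the password), and a disabled account is reported as locked regardless of time, so an offboarding miss shows up as a failed login rather than a successful one.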
- Evaluate your organization’s determination of access (is it the data owner or IT?) What about level of access? Is it role based or ad hoc? Structured access is best practice and exceptions should be minimal. A review of those who have access should be performed on a yearly basis at a minimum.
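The access-control items above (need-to-know access, role-based rather than ad hoc grants, segregation of duties between the person who administers password settings and the people who enter data, and a review of access at least yearly) can be turned into a repeatable review script. The following is an added example written for this page, not the post's own material: the role names, permission strings, user records and the 365-day review interval are constructed sample data and assumptions, and the finding codes are ours. It computes each user's effective permissions from roles plus direct grants and reports every exception an annual review should raise.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

REVIEW_INTERVAL = timedelta(days=365)  # "yearly basis at a minimum"

# Constructed sample role model (not from the post). Permissions are plain
# strings; roles bundle them so access is granted by job function, not per person.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap-clerk":   {"accounting:enter-invoices", "accounting:view-ledger"},
    "controller": {"accounting:view-ledger", "accounting:approve-payments"},
    "it-admin":   {"accounting:manage-users", "accounting:password-settings"},
}

# Segregation of duties: whoever administers users and password settings
# should not also be entering or approving data in the application.
ADMIN_PERMISSIONS = {"accounting:manage-users", "accounting:password-settings"}
DATA_PERMISSIONS = {"accounting:enter-invoices", "accounting:approve-payments"}


@dataclass
class UserAccess:
    username: str
    roles: Set[str] = field(default_factory=set)
    ad_hoc_grants: Set[str] = field(default_factory=set)  # granted outside any role
    last_reviewed: date = date.min  # date the data owner last certified this access


def effective_permissions(user: UserAccess) -> Set[str]:
    """Union of everything the user's roles grant plus any direct (ad hoc) grants."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | user.ad_hoc_grants


def access_review_findings(users: List[UserAccess], today: date) -> List[Tuple[str, str, str]]:
    """Return (username, finding code, detail) for each exception the review should raise."""
    findings: List[Tuple[str, str, str]] = []
    for user in users:
        # Structured (role-based) access is the norm; every direct grant is an exception.
        for perm in sorted(user.ad_hoc_grants):
            findings.append((user.username, "AD_HOC_GRANT", f"{perm} granted outside any role"))
        # Access not re-certified within the review interval.
        if today - user.last_reviewed > REVIEW_INTERVAL:
            findings.append((user.username, "REVIEW_OVERDUE",
                             f"last reviewed {user.last_reviewed.isoformat()}"))
        # Segregation of duties across the combined role and ad hoc permissions.
        perms = effective_permissions(user)
        if perms & ADMIN_PERMISSIONS and perms & DATA_PERMISSIONS:
            findings.append((user.username, "SOD_CONFLICT",
                             "administers access and also enters or approves data"))
    return findings
```

The segregation-of-duties check runs over effective permissions rather than role names on purpose: a conflict created by an ad hoc grant on top of an otherwise clean role is exactly the case a role-only review misses.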
- What about your organization’s server and network operating system? Server shares should be examined and used sparingly, with rights to the server restricted for each group and user. Vendors should have read-only, temporary access to maintain or debug the server. Be certain to change or remove default account credentials.
- What about your organization’s ability to recover from an adverse event affecting its IT infrastructure? Such events may be environmental, physical, internal, or malicious in origin. The Recovery Time Objective (RTO) is the maximum acceptable delay between interruption of service and restoration of service. The Recovery Point Objective (RPO) is the maximum acceptable amount of time since the last data recovery point. Evaluate how long your organization can afford to be down.
- Does your organization have cyber security insurance? Insurance will cover losses from an adverse event, though it can be cost prohibitive for smaller non-profits and governments, and not all events are covered. You can lower your insurance costs by implementing a strong password control policy, including dual factor authentication, and by encrypting sensitive data and personally identifiable information. Lastly, limit the number of records you access, store and transfer: don’t store PII (Personally Identifiable Information), and consider using a third party to store credit card information.
- Does your organization back up its data with both full backups and incremental backups? Since backups are critical to the disaster recovery process, evaluate who performs them and where they are stored.
- Evaluate your organization’s security protocols. For software security, are patches and updates automatically applied? For network security, evaluate your firewalls, routers, intrusion detection, and data encryption. Evaluate your organization’s cyber security training practices.
- Do you have effective IT governance? Is there an IT Committee on your organization’s Board of Directors?
- What about the practices of your vendors? Have there been any security issues at the vendors you work with, and has your organization been made aware of any cyber incidents? If you outsource payroll processing, investments or health insurance, you should evaluate whether the vendor’s controls are working appropriately and whether your organization has the controls to ensure that the third party is performing correctly. You should obtain, review, and understand the third-party organization’s controls; any issues should be reviewed by Management, who should ensure that complementary controls are in place. Your auditors will request Service Organization Control (SOC) Reports. A SOC 1 Report provides information about the controls at a Service Organization that may directly impact its financial statements. A SOC 2 Report provides information about the suitability of the design and controls at the Service Organization relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 3 Report provides the auditor’s opinion on whether the Service Organization maintains effective controls over its systems and is typically intended for users who do not require a more thorough report.
We understand the list above is quite extensive, and for many public agencies with limited financial resources it may not be feasible to implement all of these practices. However, several of these items require no additional spending at all, only a commitment to investing the time needed to pay attention to critical security areas. We encourage you to implement the protocols that make sense for your organization’s size, goals, and operations. If you have any questions regarding IT risks at your organization, please contact a member of your audit team.