Community IT Webinar - IT Security for Nonprofits

IT Security: New and Emerging Best Practices. October 23, 2014. Community IT Innovators Webinar Series. Presenters: Steve Longenecker, Matthew Eshleman. #ITSecurity

Upload: community-it-innovators

Post on 24-Jun-2015


Category:

Technology



TRANSCRIPT

Page 1: Community IT Webinar - IT Security for Nonprofits

IT Security: New and Emerging Best Practices

October 23, 2014

Community IT Innovators Webinar Series

Presenters: Steve Longenecker, Matthew Eshleman

#ITSecurity

Page 2: Community IT Webinar - IT Security for Nonprofits

Webinar Tips

• Ask questions: Post questions via chat

• Interact: Respond to polls during webinar

• Focus: Avoid multitasking. You may just miss the best part of the presentation

• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar

Page 3: Community IT Webinar - IT Security for Nonprofits

About Community IT

Community IT Innovators partners with nonprofits to help them solve their strategic & day-to-day IT challenges.

• Strategic: Proactive approach so you can make IT decisions that support your mission and grow with you

• Collaborative: Team of over 30 staff who empower you to make informed IT choices

• Invested: We are committed to supporting your mission, and take care of your IT network as if it were our own

• Nonprofit focus: Worked with over 900 nonprofits since 1993

Page 4: Community IT Webinar - IT Security for Nonprofits

Presenters

Steve Longenecker, Project Manager

[email protected]

@CommunityIT

Matt Eshleman, Chief Technology Officer

[email protected]

@meshleman

Page 5: Community IT Webinar - IT Security for Nonprofits

Agenda

• The Big Picture

• Security Culture

• Security Best Practices

• Questions

Page 6: Community IT Webinar - IT Security for Nonprofits

The Big Picture

Source: From geograph.org.uk, Author: Tom Munro http://commons.wikimedia.org/wiki/File:View_across_the_Valley_of_the_Stones_-_geograph.org.uk_-_435889.jpg

Page 7: Community IT Webinar - IT Security for Nonprofits
Page 8: Community IT Webinar - IT Security for Nonprofits

It varies, and depends on the information...

PDF of signed Annual Performance Review

• Confidentiality: Limit to HR and Supervisor (this may be a regulatory issue)

• Integrity: Data should not change; there must be utmost confidence that the file has not been altered.

• Availability: Needed only upon request, within 2-3 days.

Your Accounting System

• Confidentiality: Limit to Finance Department and President

• Integrity: Data constantly updated. Need ability to roll back last thirty days’ activity. Must have record of who changed what.

• Availability: Up to 8 hours of downtime is acceptable.

What are your organization’s CIA requirements?

Page 9: Community IT Webinar - IT Security for Nonprofits

CIA Worksheet

Security Objective: Confidentiality

• LOW: Disclosure of information could be expected to have a limited adverse effect

• MODERATE: Disclosure of information could be expected to have a serious adverse effect

• HIGH: Disclosure of information could be expected to have a severe or catastrophic effect

Security Objective: Integrity

• LOW: Modification or destruction of data could be expected to have a limited adverse effect

• MODERATE: Modification or destruction of data could be expected to have a serious adverse effect

• HIGH: Modification or destruction of data could be expected to have a severe adverse effect

Security Objective: Availability

• LOW: The disruption of access to or use of information could be expected to have a limited adverse effect

• MODERATE: The disruption of access to or use of information could be expected to have a serious adverse effect

• HIGH: The disruption of access to or use of information could be expected to have a severe adverse effect

Page 10: Community IT Webinar - IT Security for Nonprofits

Assessing Risk

• NSA reads your email.

• You are the victim of a hacker attack targeted at your organization specifically.

• You are the victim of a general hacker attack, probably a script downloaded from the Internet.

• Data compromise due to known vulnerabilities in your IT infrastructure’s software/firmware.

• Data compromise due to the actions of a disgruntled employee or former employee.

• Loss of data due to run-of-the-mill hardware failure.

• Data compromise due to end user carelessness.

Page 11: Community IT Webinar - IT Security for Nonprofits

http://www.strozfriedberg.com/wp-content/uploads/2014/01/Stroz-Friedberg_On-the-Pulse_Information-Security-in-American-Business.pdf

The Stroz Friedberg report describes an online survey of 764 information workers in the United States working for companies with more than 20 people, conducted by KRC Research in the fall of 2013.

Page 12: Community IT Webinar - IT Security for Nonprofits

Find the balance between CIA requirements and accessibility/cost.

Artist: Winslow Homer, Title: The See-Saw, Current location: Arkell Museum, Source/Photographer: The Athenaeum http://commons.wikimedia.org/wiki/File:Winslow_Homer_-_The_See-Saw_(1873).jpg

Page 13: Community IT Webinar - IT Security for Nonprofits

Security Culture

Source: New York City Department of Transportation, Author: Nicholas Whitaker Photography https://www.flickr.com/photos/nycstreets/9970004423/

Page 14: Community IT Webinar - IT Security for Nonprofits

Policies for End Users

• Appropriate Use Policy and Controls

• Password Policy

• BYOD and BYOA Policies

Page 15: Community IT Webinar - IT Security for Nonprofits

Policies for the IT Department

• Patching Policy

• Data Retention Policies

• Identity and Access Management

Page 16: Community IT Webinar - IT Security for Nonprofits

Who “owns” security?

• Office Manager?

• HR person?

• CIO?

• CFO?

• CRO?

Page 17: Community IT Webinar - IT Security for Nonprofits

Security Best Practices

Source: by Iphone4, Author: Dicti0nary0 http://commons.wikimedia.org/wiki/File:Authentication_devices.jpg

Page 18: Community IT Webinar - IT Security for Nonprofits

Foundational Practices

Passwords

Backups

Patching

Antivirus

Page 19: Community IT Webinar - IT Security for Nonprofits

Our Experience

• Most common cause of data loss: Hardware failure

• Second most common cause of data loss: Viruses

• Recovery from “unmanaged backup”: measured in multiple days

Page 20: Community IT Webinar - IT Security for Nonprofits

Evolving Org Trends

• Cloud based services

• Elimination of workplace borders

• Bring Your Own Device

• Bring Your Own App

Page 21: Community IT Webinar - IT Security for Nonprofits

Emerging Best Practices

• Single Sign On

• 2FA

• Mobile Device Management

• Application Approval

• Encryption

• Adaptive Defense

Page 22: Community IT Webinar - IT Security for Nonprofits

Practical Next Steps

• Have a data inventory: Know what data you have, where it is and how it's protected

• Make sure you have good passwords (and don’t use the same ones)

• Start planning for 2FA

Page 23: Community IT Webinar - IT Security for Nonprofits

Questions?

Author: DuMont Television/Rosen Studios, New York-photographer, Uploaded by We hope at en.wikipedia http://commons.wikimedia.org/wiki/File:20_questions_1954.JPG

Page 24: Community IT Webinar - IT Security for Nonprofits

Upcoming Webinar

Thursday November 20

4:00 – 5:00 PM EST

The Future of Nonprofit CRM: Takeaways from BBCon and Dreamforce

David Deal and Kyle Haines

Page 25: Community IT Webinar - IT Security for Nonprofits

After the webinar

• Connect with us

• Provide feedback: Short survey after you exit the webinar. Be sure to include any questions that were not answered.

• Missed anything? Link to slides & recording will be emailed to you.