From Basic to Advanced: Trends, Tools, and Tales to Ensure Basic Nonprofit Security. Kevin Lo, Becky Wiegand
Agenda Introductions - What level of experience do you have with security? - Truth or fiction? - TechSoup Global What Is Security? - Systems, data, network, physical - Cloud security Solutions and Policies Your experiences, Q&A
We are working toward a time when every nonprofit and social benefit organization on the planet has the technology resources and knowledge they need to operate at their full potential
Through innovative partnerships, TechSoup Global delivers value to NGOs and technology providers. • Other corporate relationships: • Google donates PCs for refurbishing and Redemtech, a leading commercial refurbisher, partners to bring affordable equipment to our Refurbished Computer Initiative program • CMC, outsourcer in India, provides deeply discounted technology development support • NGO Partnerships • Advocates, Associates, Affiliates, Distribution Partners
TechSoup’s NGO Impact & Reach IMPACT REACH • 83,000 organizations have received product donations • 400,000 unique monthly visitors • 190 countries of origin of visitors • 25% of overall traffic to TechSoup from outside U.S. (FY08 only) • 115,000 monthly TechSoup online forum visitor sessions (FY08 only) • $1.8 billion retail value of technology product donations distributed • $1.1 billion in potential savings for NGOs • 4 million technology products distributed • 35 product donor partners • 155,000 documents downloaded
Where is TechSoup Global Today? Australia Belgium Botswana Canada Chile France Germany Hong Kong Hungary India Ireland Luxembourg Mexico New Zealand Poland Russia (Pilot) South Africa Spain Taiwan United Kingdom United States Currently operating in 21 Countries on 6 Continents
Why Does Security Matter? Photo via Flickr user: Will Lion, Creative Commons
What Is Security? • Security is more than just • fear of the tech unknown • “insurance” policy • loss aversion • There is a difference between real and perceived security • Three main interrelated tenets of security • Systems > Basic • Data > Intermediate • Network > Advanced Photo via Flickr user: itpromagazine, Creative Commons
Security Is Important for Nonprofits • Supporter privacy • Donor and funder data • Advocacy and activist info • Smaller infrastructure, easier target? • Lower capacity for backup, staff time, and financial investment into prevention and data recovery
Systems Security Do your systems behave the way they should, and are they protected from deliberate or inadvertent user error? • e.g. someone opening an attachment that can potentially damage your PCs
How Do You Keep Your Data? Photo via Flickr user: Ian-S, Creative Commons
Data Security • Who gets to see your data, at what time, and from where? • e.g. on-premise data, hosted data • Data protection compliance
Is This Your Network? Photo via Flickr user: steve_price82, Creative Commons
Network Security • Do you know which programs, users, and devices have access to your network? • e.g. wireless security • Web site security
Physical Security • How easy is it to “walk away” or physically affect your systems, data, and network? • Locking down devices • Proper disposal of data and hardware • Proper recycling • DoD data destruction standards
Overlapping realms • Security has a constantly changing landscape • Zero-day threats • Multi-vector • Know what your missing link may be • your users? • your devices?
Security In a Cloudy World Photo via Flickr user: MichaelMarlatt, Creative Commons
Security In a Cloud Computing World • Internet security (eBay, Amazon) • Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS) • Some of these services may provide a major step up in security for smaller orgs • Some services may provide greater risk for larger orgs
Mitigating Security Risks • Combination of policies and solutions • Inherent tension between security and usability
Securing Your Systems – Policies • Office culture and adoption • Peer to peer vs client-network systems
Securing Your Systems – Solutions • Anti-virus/anti-spyware software • Windows Update • Endpoint protection • Visit Security Corner: www.techsoup.org/security
Securing Your Data – Policies • Data access policies should be aligned with business processes, but also tech savvy • e.g. data access by volunteers vs staff • 2x2x2 backup rule • Data Loss Prevention (DLP) • Data Encryption • Wiping your disks before disposal, even if data may not be considered sensitive
Securing Your Data – Solutions • Encryption • TrueCrypt • Backup • Windows Backup • Backup Exec • Online Backups • Disk Wiping • Darik’s Boot and Nuke • Blancco Photo via Flickr user Philipioo, Creative Commons
Securing Your Network - Policies • How responsible can you expect your staff to be for your network? • Wireless/wired access • Remote access
Securing Your Network - Solutions • Wireless encryption and authentication • Remote access – what are you trying to achieve? • OpenVPN • DD-WRT • Cisco networking • Windows Server
Analyzing costs and benefits • Are security costs different from other IT expenditures? • Costs factor in only when it’s often too late – make it a part of routine IT management
Physical Security – Policies • Written employee policy regarding equipment usage and care expectations • External drives, “jump” or USB drive, and other portable data usage • Require use of laptop locks or regular inventory and check-in of portable equipment • Ensure regular backup so data won’t be lost if the equipment is lost or damaged
Physical Security - Solutions • Laptop locks • Manage equipment inventory • Automated regular backup • Secure and changing passwords Photo via Flickr user: Carlson Library, Creative Commons
Cloud Security - Policies • Manage user permissions carefully • Regular backup of critical data in an in-house or other online backup location • Careful and restricted “sharing” of docs and data with sensitive org or supporter info
Cloud Security - Solutions • Cisco debuted new cloud computing security apps on April 21, 2009. More to come? • Currently, ensuring that 2x2x2 is being done on cloud data is essential. • www.cloudsecurity.org
Conclusion/Takeaways • Three minimal things you should do: • Systems > Turn on automatic updates • Data > Back up your data regularly • Network > Authenticate your wireless network • Physical > Don’t make it easy for thieves • Cloud > Benefits are there but don’t put all eggs in one basket • Understand the responsibilities and consequences
Contact: Kevin at klo@techsoup.org or Becky at bwiegand@techsoup.org