Non-Profit Boards – Focusing on Data Privacy

One of the first challenges non-profits face with data privacy is the lack of overall awareness to data privacy laws, which continue to emerge and can lead to unwanted penalties and fines. Organizations of all sizes can proactively navigate the data privacy laws by appointing a designated data privacy officer (DPO), chief security officer or an appointed champion, which may be the case for smaller organizations. This individual should confirm the proper treatment of personally identifiable information (PII) data, whether it is collected from staff, donor, volunteer or beneficiary. Additional responsibilities should include:

  1. Develop an internal privacy policy. This will require involvement from both the non-profit management team and general counsel, so the organization can determine if their PII data handling meets all legal requirements. For example, specific types of PII require encryption or password protection. Under these circumstances, the internal privacy policy will want to specifically call out how certain types of PII data will be secured, such as privacy by design.
  2. Create an external communication plan. The organization will want to articulate how staff, donors, volunteers and beneficiaries’ personal data will be processed, stored and used by the organization. The non-profit will want to state if this information will be shared with outside parties. This typically falls under a privacy statement located on an organization’s website.
  3. Map the legal landscapes as it relates to data privacy laws. We recommend using some of the more stringent data privacy laws as a baseline, as most upcoming laws will do the same. As it relates to other regulated data (healthcare or payment card data), the organization also will want to verify that the non-profit is complying with other regulations like Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). Once the legal requirements are uncovered, the next phase will be to bring the organization into compliance with data privacy laws.
Mapping the Data

To map the data, leveraging a third-party resource will help alleviate stress on internal IT staff trying to figure this out on their own and provide oversight from industry professionals. The first step would be drafting a data classification policy that has categories and classifications that address all the types of data located within the organization. Special attention should be given to different types of PII that many new data privacy laws address. Next, the organization should begin with a risk assessment, which maps all data based on the data classification policy. The risk assessment can help accomplish the following:

  • Inventory all data and where it is stored within the network (such as filing cabinets, laptops, mobile phones, servers and applications databases, along with vendors that have access to the non-profit’s core data).
  • Assist in identifying availability of this data as it exists on hardware, within applications and by vendors that provide services around utilizing the data.
  • Identify events or incidents that may occur and could adversely impact the non-profit organization and its data.
  • Make assumptions about threats and include potential damages caused by these types of events, as well as details regarding the amount of time needed to recover from an incident and restore operations.
  • Identify preventive measures and controls, both implemented and missing, within the environment that could help mitigate the likelihood of an incident or event. Where identified residual risk levels are considered high in nature based on specific events or incidents, further control measures can be recommended to reduce the residual risk levels to acceptable levels for the organization.
Navigating the Cybersecurity Threat Landscape

An initial consideration by the board of directors (BOD) is verifying the organization has an approved up-to-date information security program (ISP). The ISP should align with the non-profit’s mission and business objectives, which should include robust information security policies and procedures. If these policies and procedures have not been developed completely, external consultants can help, especially when internal resources are not available.

Non-profit BODs also need to understand the current security controls environment and security risk posture. For most organizations, BOD expenditures on cybersecurity are like a pendulum swing: continue investing in the mission or invest in cybersecurity to secure their data and prevent a data breach. Unfortunately, some BODs have chosen to not invest adequately in cybersecurity. Listed below are some of the major security controls to consider in order to protect data and comply with laws.

  1. Verify that patch management utilities cover key endpoint applications (Adobe® Flash or PDF, Java™ and Microsoft® Office). There are numerous appliances that can patch operating system (OS) patches. Missing application patches require the most vigilance when it comes to many cybersecurity vulnerabilities. Make sure your patch management software or appliance provides visibility into both missing OS and applications patches – if this key control is missing, your organization potentially is exposed to a security incident.
  2. Verify that privileged account procedures are in place at the non-profit organization and that everyone is operating under the principle of least privilege. Users should only have local administrative right to their laptops. The number of domain administrative accounts on the network should be kept to a minimal number, with separate password polices for these types of privileged accounts using a 15-character minimum password.
  3. Intrusion detection and prevention capabilities to provide visibility into malicious network traffic and prevent it from affecting the network infrastructure and core data.
  4. LAN scanning device capabilities to detect any rogue devices (such as wireless access points, auditor laptops and personal devices) being connected to the production network.
  5. Automated event logging solution, also known as security information and event management to provide more visibility into what is happening on the network. For example, if your organization cannot detect the creation of a domain administrator account in real-time, how would you know that your organization has been breached?
  6. Purchase a next-generation antivirus solution for all endpoints. If you have not upgraded your current antivirus solution over the past couple of years, it is probably outdated software.
  7. Implement a web traffic filter solution. End-users should be restricted to only the websites needed to perform their job functions. All other websites should be blocked, including high-risk categories (such as explicit adult content, gambling and hacking).
  8. Implement a spam filter. Many organizations still do not have a best-in-breed product to scan all incoming email messages and block most threats. It should be configured to block all *.VBS, *.BAT, and *.EXE files.
  9. Disable all incoming macro script-enabled office documents on all inbound emails.
  10. Next-generation firewalls should include performing Layer 7 inspection of the application layer of the OSI Model.
  11. Implement application whitelisting via AppLocker on the Windows domain controller. This is a built-in feature of the Microsoft server.
  12. Domain blacklisting procedures should be enabled for a known malicious IP address being blocked in real-time in both the firewall and spam filters. This would include geo-blocking threat actors from known geographical locations.
  13. Backups, backups, backups. The only silver bullet for surviving a ransomware attack is having appropriate backups. We recommend using cloud-connected backup appliances with different credentials for core data. Tape backups are still effective against ransomware attacks. All virtual machines (VMs) should be fully replicated, stored on a separated domain and kept powered off for a quick, seamless recovery in the event of a security incident.
  14. Verify that you have a well-documented incident response policy. This policy should contain information about the members of the incident response team, the role of each of the team member, the party responsible for testing the policy and how to execute the policy in the event of an incident. Having a policy that is comprehensive, in-place and practiced will assist the organization with the tools and resources to identify and recover from a security incident.
  15. Implement a security awareness training program. All staff should undergo awareness training throughout the year to assist in elevating end-user awareness levels at the non-profit organization. Having properly trained staff acting at the first-line-of-defense is critical in preventing cybersecurity attacks.
  16. Periodic testing of the organization’s end-user awareness program, which should include most types of social engineering assessments end-users may face over time. Such assessments should cover awareness and response to activities like voice phishing (vishing), email phishing, fake websites and physical access walkthroughs. This will help the organization understand where the current end-user awareness levels are at within the organization based on the comprehensive testing described above. Based on the results of this testing, follow up by sending end-users back who fail any of these test scenarios to the formal end-user awareness training program designed to continually raise awareness levels. Repeat as often as necessary until the desired result levels are achieved.
  17. A mobile device management (MDM) appliance should be considered to manage all laptops and other bring your own devices, if your non-profit organization allows these devices on the network. It is especially critical if these devices access emails and PII data.
  18. Use of multifactor authentication (MFA) should be considered for both authentication to the network and the email server.
  19. Perform an annual comprehensive penetration test, which should include credentialed vulnerability scanning, so that missing application patches (such as Adobe Flash or Java missing patches) are identified appropriately. We also recommend penetration testing include assessment of network management and monitoring security controls.

Being vigilant and implementing a strong security controls environment helps organizations survive cybersecurity incidents and protect their PII data. Start now, as some of these changes could take time to put in place. Implementing these controls will help ease security concerns, position your nonprofit organization to be prepared in the face of cybersecurity attacks and assist with data privacy law compliance, helping to avoiding or minimize potentially costly penalties and fines.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. To learn more about DHG IT Advisory, visit dhg.com/itadvisory.

Related Knowledge Share