The Cloud Beckons, But is it Safe?
April 2012
#12NTCCSec


Laura Quinn
Michael Enos
Evaluate This Session!
Each entry is a chance to win an NTEN engraved iPad!
Or online at www.nten.org/ntc/eval
Introductions
Laura Quinn, Executive Director, Idealware
Michael Enos, Chief Technology Officer, Second Harvest Food Bank of Santa Clara and San Mateo Counties

What are you hoping to get out of this session?
What is The Cloud?
The Lure of the Cloud
• Low cost of entry
• Easy remote access
• No complex infrastructure
But what about security?
How Do YOU Feel About Cloud Security?
Why the Concern?
Cloud Security in the News
Under Siege
To be on the Internet is to be vulnerable to attack.
If you’re on the Internet, you’re in The Cloud
But We Do Lots of Things on the Internet
• We shop online
• We bank online
• We post crazy things on Facebook
Why is the cloud different? It’s not.
How Secure is Your On-Site Data?
Do any of these sound familiar?
• No one patches computers or is responsible for network security
• You haven’t really thought about passwords or permissions
• No disaster recovery plans
• Staff hasn’t had any security training
Myth
“We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”
Fact
Many data security breaches are crimes of opportunity.
Organizations don’t always consider the sensitivity of their data until it’s exposed.
Myth
“Our data is safer not in the cloud”
A Cloud Data Center
Is This Your Server Closet?
What Does Security Mean?
The Three Pillars of Information Security
Confidentiality
Information is available only to authorized parties.
Integrity
Information isn’t modified inappropriately, and you can track who made what change.
Availability
Assurance that data is accessible when needed by authorized parties.
Also: Physical Possession
Whoever has the data could, for instance, turn it over to the government.
How Does This Apply to the Cloud?
Cloud Security
The use of the term “Cloud” is cloudy!

Three general types of clouds:
   – Software-as-a-Service
   – Hosted Private Cloud
   – Co-located Private Cloud

All three have different security models, and a different split of responsibility between you and the vendor.
Software as a Service
The vendor owns and manages all aspects of the environment: facility, hardware, operating system and application. You manage only your users and your data.
Hosted Private Cloud
The vendor owns and manages the equipment only; all software is managed by the client. The equipment is on the vendor’s network, but patching, configuration and access control of the operating system and applications remain your job.
Co-located Private Cloud
The vendor provides the physical environment only (space, power, cooling and network in a data center); the client maintains the hardware and the software.
What Does Security Mean For You?
Rules for Absolute Safety
Turn off your Internet connection.
Allow no one access to your data and systems.
But let’s be realistic…
Know What You’re Protecting
What kinds of data are you storing, and how sensitive are they?
Think about its value on the open market.
Red Flags
You need extremely tight security to store:
• Donors’ credit card numbers.
• Scanned images of checks.
• Donors’ bank account information.
What’s Your Exposure?
Consider the impact of exposure of your confidential information, both in monetary terms and reputation.
What’s The Impact of an Outage?
How much staff time could you lose from a short-term or prolonged outage?
Testing Your On-Site Security
Have you recently performed a:
   • Check on whether your systems have been recently patched?
   • Systems penetration test?
   • Employee training on security procedures?
   • Backup/recovery test?
If not, you’d likely increase your security by moving to the cloud.
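A backup/recovery test should produce evidence that files come back intact, not just a log line saying the backup job finished. The following is an added example, not code from the original slides or from Idealware: it backs up a directory into a tar archive, records a SHA-256 manifest at backup time, simulates the accidental overwrite the speaker notes warn about, restores into a clean directory and checks every restored file against the manifest. The sample files and directory names are constructed for illustration.

```python
"""Added example (not from the original slides): a backup/recovery drill that
leaves a checkable record. Sample data below is constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write a compressed tar of source; return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return sha256_manifest(source)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into a separate directory; never test a restore on top of live data."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # Reject absolute paths and '..' members (Python 3.12+, backported to 3.8.17+).
            tar.extractall(target, filter="data")
        except TypeError:  # older Python without extraction filters
            tar.extractall(target)


def verify_against_manifest(manifest: dict, tree: Path) -> list:
    """Differences between what was backed up and what is in tree (empty = identical)."""
    actual = sha256_manifest(tree)
    problems = [f"missing: {n}" for n in manifest if n not in actual]
    problems += [f"changed: {n}" for n, d in manifest.items() if n in actual and actual[n] != d]
    problems += [f"unexpected: {n}" for n in actual if n not in manifest]
    return sorted(problems)


def run_restore_drill() -> dict:
    """Full drill on constructed sample data; returns what a drill report would record."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "notes").mkdir(parents=True)
        (live / "donors.csv").write_text("id,name\n1,Pat Example\n")  # constructed sample
        (live / "notes" / "grants.txt").write_text("Grant deadline: May 1\n")  # constructed sample
        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(live, archive)

        # The failure mode from the notes: a file is overwritten after the backup ran.
        (live / "donors.csv").write_text("id,name\n")
        damage = verify_against_manifest(manifest, live)

        # Restore into a clean directory and prove the overwritten file is recoverable.
        restored = tmp / "restored"
        restore_backup(archive, restored)
        after_restore = verify_against_manifest(manifest, restored)
        return {
            "files_backed_up": len(manifest),
            "damage": damage,
            "after_restore": after_restore,
        }


if __name__ == "__main__":
    print(run_restore_drill())
```

The manifest is the part most small organizations skip: without a hash of every file taken when the backup was made, a restore that silently brought back a truncated or older file would still look like a success. Run the drill against a copy of real data on a schedule, and keep the report.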
A Multi-Level Security Model
Multi-Level Security is the Ideal
Physical Security
• Guarded facilities
• Protection of your hardware and devices
• Power redundancy
• Co-location (redundant facilities)
Network Security
• Intrusion prevention
• Intrusion detection
• Firewalled systems
• Proactive network anti-virus protection
Transmission Security
Is data encrypted in transit?
Is the network secure?
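"Encrypted in transit" only counts if the other end is also authenticated, which is what the certificate and the padlock in the speaker notes are for. The following is an added example, not code from the original slides or from Idealware: it writes out the checks a browser makes before showing the padlock (validity period, and whether the certificate actually names the host, including the wildcard rule) against a certificate in the dictionary shape Python's `ssl` module reports, and shows the client settings that must stay on. The sample certificate, the host names and `example.org` are constructed; `fetch_peer_cert` needs a network connection and is not exercised offline.

```python
"""Added example (not from the original slides): the checks behind the browser
padlock, against a constructed certificate in ssl.getpeercert() form."""
import socket
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "donate.example.org"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "donate.example.org"), ("DNS", "*.example.org")),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
}


def parse_cert_time(text: str) -> int:
    """Certificate timestamp (as reported by getpeercert) -> Unix seconds."""
    return ssl.cert_time_to_seconds(text)


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Does the certificate name this host? Only subjectAltName DNS entries count;
    a wildcard must be the whole leftmost label and matches exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().split(".")
        if len(pattern) != len(host) or pattern[1:] != host[1:]:
            continue
        if pattern[0] == "*":
            # Refuse '*.com'-style wildcards: require at least two fixed labels.
            if len(pattern) >= 3 and host[0]:
                return True
            continue
        if pattern[0] == host[0]:
            return True
    return False


def certificate_problems(hostname: str, cert: dict, now=None) -> list:
    """Reasons a browser would refuse this certificate for hostname (empty = OK)."""
    now = time.time() if now is None else now
    problems = []
    if now < parse_cert_time(cert["notBefore"]):
        problems.append("not yet valid")
    if now > parse_cert_time(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(hostname, cert):
        problems.append("hostname mismatch")
    return problems


def verifying_context() -> ssl.SSLContext:
    """Client settings that must stay on: chain verification and hostname check.
    Code that sets check_hostname=False or CERT_NONE still encrypts, but no longer
    authenticates the server, so an interceptor can present any certificate."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live check (needs network). The handshake itself fails on a bad chain or
    hostname, so getpeercert() only returns for certificates that passed."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    during = parse_cert_time("Jun  1 00:00:00 2012 GMT")
    for name in ("donate.example.org", "www.example.org", "a.b.example.org", "example.com"):
        print(name, certificate_problems(name, SAMPLE_CERT, now=during) or "OK")
```

Ask the same questions of any vendor tool you run on-site that talks to the cloud: sync agents and scripts that disable certificate verification to "make it work" have quietly dropped the authentication half of transmission security.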
Access Controls
• Ensuring the right people have access to the right data (and no more)
• Physical access to the server
• Training on appropriate passwords and security measures
Data Protection
• Data encryption (at rest as well as in transit, and who holds the keys)
• Solid backup and restore policies
• Ability to purge deleted data
• A clear policy on government and subpoena requests for your data (a vendor cannot refuse a valid subpoena, but it can commit to notifying you and to challenging overbroad requests)
What to Look For in a Vendor
Description of Security Mechanisms
Documentation of all the facets of security, and staff who can talk about it intelligently.
This proves information security is on the “front burner”.
Uptime
Do they provide any guarantee of uptime? Any historic uptime figures?
Uptime figures are typically quoted in 9s: 99%, 99.9% or 99.99%.
Your connection to the internet may well be the weakest link.
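A worked example of what the 9s mean, added here and not part of the original slides: it converts an availability percentage into a downtime budget per period and then composes the vendor's figure with the availability of everything between you and the vendor. You can only reach the service when every hop is up, so the figures multiply, and the result is never better than the worst component. The vendor, ISP and router percentages are constructed for illustration.

```python
"""Added example: what the 9s in an uptime figure mean, and why your own
Internet connection can be the weakest link. The percentages used below
are constructed for illustration, not from the original slides."""
from datetime import timedelta

# Calendar periods used to turn a percentage into a downtime budget.
PERIODS = {"day": 1, "week": 7, "month": 30, "year": 365}


def downtime_budget(availability_pct: float, period: str = "year") -> timedelta:
    """Maximum downtime a given availability percentage permits per period.

    99.9% over a year allows 0.1% of 365 days, i.e. about 8.76 hours.
    """
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return timedelta(days=PERIODS[period]) * (1.0 - availability_pct / 100.0)


def end_to_end_availability(*availabilities_pct: float) -> float:
    """Availability of components in series (vendor, ISP, office router, ...).

    The service is reachable only when every hop is up, so the probabilities
    multiply, and the product is at or below the worst single component.
    """
    product = 1.0
    for pct in availabilities_pct:
        product *= pct / 100.0
    return product * 100.0


def weakest_link(components: dict) -> str:
    """Name of the component with the lowest availability figure."""
    return min(components, key=components.get)


def sla_report(components: dict, period: str = "year") -> dict:
    """Summarise a chain: end-to-end figure, resulting downtime budget, bottleneck."""
    overall = end_to_end_availability(*components.values())
    return {
        "end_to_end_pct": round(overall, 5),
        "downtime": downtime_budget(overall, period),
        "weakest_link": weakest_link(components),
    }


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99):
        print(f"{pct}% per year allows {downtime_budget(pct)} of downtime")
    # Constructed figures: a vendor quoting four 9s behind an ordinary office connection.
    chain = {"cloud vendor": 99.99, "office ISP": 99.5, "office router": 99.9}
    print(sla_report(chain))
```

Run with the constructed figures, the four-9s vendor ends up delivering a little under 99.4% to the office, and the report names the ISP, not the vendor, as the bottleneck. Before paying for a higher vendor tier, measure your own connection's uptime for a few months and put that number into the chain.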
Regulatory Compliance: HIPAA
Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
Regulatory Compliance: SAS 70 and SSAE 16
Independent audits of a service organization’s controls: security standards, hardware and processes.
Statement on Auditing Standards No. 70 (SAS 70)
Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaced SAS 70 in 2011
Note that an SSAE 16 (SOC 1) report covers controls relevant to financial reporting; for security, availability and confidentiality controls, ask the vendor for a SOC 2 report.
Regulatory Compliance: PCI DSS Compliance
If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (the Payment Card Industry Data Security Standard). So do you: any system of yours that stores, processes or transmits card numbers is in scope.
In Summary
Understand the Value of Your Data
What is it worth to you? To others?
What measures are appropriate to protect it?
Your Data Is No Safer Than You Make It
Any computer attached to the internet is vulnerable unless you protect it.
The cloud isn’t, in and of itself, more or less secure.
But Many Vendors Make Your Data Really Safe
Choose vendors who show they’re serious about data protection (not all vendors are created equal).
Consider a vendor’s regulatory compliance.
Questions?


Editor's Notes

  • #12 Those were examples that illustrate that the Internet itself is a dangerous place. Yet who would give up their Internet connection?
  • #13 If you shop and bank online, and share personal info via social media, you already use the cloud. You probably trust your bank and online merchants like Amazon because you believe they have the capability and the incentive to protect your information. You probably also realize that “free” social media vendors make money by selling information about you.
  • #14 Here are some vulnerabilities that apply to all systems connected to the Internet, including systems in the cloud. Reputable cloud vendors have significant resources and teams of computer and security specialists devoted to maintaining the security of the data they handle. They can be far better positioned to protect your data than you are.
  • #15 People target systems they know have valuable information, like account numbers, Social Security numbers and the like, things that nonprofits don’t typically have. Hackers after fame are more likely to attack big ACME Bancorp, International than a community food bank’s systems. This means your risk of attack is lower than that of some big company, but it doesn’t mean you’re safe.
  • #16 Cyber crime is often the computer equivalent of trying front doors until you find an unlocked house. IMPORTANT: payment information SHOULD NOT be stored on your systems. If you have donors’ credit card data for recurring payments, move to a reputable payment processing vendor, then delete this information. Thieves can’t steal data that you don’t have.
  • #18 Reputable cloud vendors have significant resources and teams of computer and security specialists devoted to maintaining the security of the data they handle. They can be far better positioned to protect your data than you are.
  • #19 If you have no full-time IT staff and your server lives in a broom closet, your data is not likely secure.
  • #21 Information security boils down to these three areas, plus privacy.
  • #23 Integrity means you know whether data has been changed, and by whom. Example: someone going in to change their own salary because everyone has access, there is no accountability, no universal login.
  • #24 Availability attacks are among the most common, for example a DNS attack. Systems have to be reliable.
  • #32 If you avoid automobiles, you’ll never be in a car accident. But you won’t get very far, either. Avoiding the Internet will cut your information security risk, but your productivity will be set back a few decades. There are ways to maximize information security, but you can’t entirely eliminate risk.
  • #33 This kind of “discovery” exercise is important. You may find that the data you think you have differs from what you actually have. Maybe you have sensitive data that you’re not aware of. Secret Service level security might not be warranted, but it’s nice to know what protection is appropriate. How old is your server? Is it near the end of its life? What would you do if it crashed tomorrow? Can someone just walk up to your server? Do they need to log in? Is the admin password “letmein”?
  • #34 Don’t keep financial information related to donors on your system. Thieves can’t steal data you don’t have, and there’s no reason for you to take on the risk of handling such sensitive information. Better to outsource to a payment vendor who is equipped to protect this information.
  • #35 Might the exposure of donor data hurt your ability to raise money in the future? What if that “anonymous” major donor were outed? What would be the financial impact if you couldn’t access key systems (wasted staff hours, missed fundraising opportunities, etc.)?
  • #37 If data and systems are in house, what are you doing to protect them? Could a cloud vendor do a better job than you can? Systems penetration testing covers cracking passwords, social engineering and known vulnerabilities. Information handling and protection procedures cover policies for changing passwords and what you do with the accounts of departed users.
  • #39 The greater the depth of security measures, the longer a potential attacker will be delayed. This is important.
  • #41 Intrusion detection and prevention systems alert you to possible breaches and try to thwart them by looking for abnormal patterns. Prevention systems can do more harm than good for small organizations because of the volume of false positives; a data center has an “intrusion guy” to handle them. Firewalls attempt to block entry to your systems by malicious people and traffic: they let traffic in and out according to rules. HTTP is generally open, but there are rules to help with attacks. Anti-virus software helps prevent malware from installing on your systems, and attempts to clean existing infections.
  • #42 Websites use security certificates to encrypt data while in transit *and* verify to you that the URL belongs to the organization you think it belongs to. Use SFTP rather than plain FTP, which sends passwords and files in the clear. PGP encrypts individual files and messages. A VPN is an encrypted tunnel between two trusted partners. https rather than http indicates that the site you’re using has a certificate and is encrypting the data you send. Newer browsers let you click an icon near the URL (a padlock in the case of Chrome) to show information on the encryption used and the site’s owner.
  • #44 Stolen data is of little use if it’s encrypted (and the thief doesn’t also get the key). Understand what is recoverable from backups, and how. Disaster recovery backups do not necessarily mean that you’ll be able to restore data you accidentally overwrite: a backup that only mirrors the current state mirrors the overwrite too, so you need backups that keep earlier versions. Business continuity and disaster recovery planning go together.
  • #47 Designed to protect private health related data, but HIPAA compliance can speak well of how other sensitive data is handled.
  • #49 These audits are performed by CPA firms and verify that a vendor has procedures in place that allow it to meet standards for handling sensitive data and for meeting regulatory requirements like HIPAA. SSAE 16 is the newer audit standard: it replaced SAS 70 for reporting periods ending on or after June 15, 2011, and is aligned with the international standard ISAE 3402.
  • #50 Provides guidance on how debit and credit card information should be handled. Especially relevant for payment processing vendors that handle online donations.