The NIST Computer Security Division has released a Draft NISTIR 7621, Small Business Information Security: The Fundamentals that describes the fundamental components of an effective information security program for small businesses, including many nonprofit associations.
Nonprofits deal with membership information that may include sensitive personal data as well as financial transaction data. The account books may include vendor data and transaction detail that is confidential. Information security principles apply to them just as they do to for-profit businesses.
The term Small Enterprise (or Small Organization) is sometimes used for this same category of business or organization. A small enterprise/organization may also be a nonprofit organization.
…
Some of the information used in your business requires special protection for confidentiality (to ensure that only those who need access to that information to do their jobs actually have access to it). Some of the information used in your business needs protection for integrity (to ensure that the information has not been tampered with or deleted by those who should not have had access to it). Some of the information used in your business needs protection for availability (to ensure that the information is available when it is needed by those who conduct the organization’s business). And, of course, some information used in your business needs protection for more than one of these categories of information security.
…
Failure to properly protect such information, based on the required protections, can easily result in significant fines and penalties from the regulatory agencies involved.
Just as there is a cost involved in protecting information (for hardware, software, or management controls such as policies and procedures, etc.), there is also a cost involved in not protecting information.
Small nonprofits, especially those depending upon volunteers for information-related functions, may tend towards the ‘out of sight, out of mind’ school. The cost of not protecting information properly must be considered by the governance of the association. “Absolutely necessary” actions to be taken include policies that
1) protect information from damage by malicious software
2) provide proper security in network connections, including wireless access networks
3) keep operating systems and applications up to date
4) maintain proper backups of important business data and information
5) control physical access to computers and network components
6) train everyone who does anything with the information or the equipment used to store or process it in basic security principles. Teach them your expectations concerning limited personal use of telephones, printers, and any other business-owned or -provided resources. After this training, they should be requested to sign a statement that they understand these business policies, that they will follow your policies, and that they understand the penalties for not following your policies.
7) require individual user accounts for each person using computers to access information or data and make sure the account security is backed up with effective password and access policies.
8) limit access to data and information and also the authority to install software.
9) do not allow a single individual to both initiate and approve a transaction (financial or otherwise).
10) know and understand the potential risk and the costs of loss exposure.
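Items 7, 8 and 9 above (individual accounts, limited install authority, and no single person both initiating and approving a transaction) are the ones that are easiest to get wrong in a volunteer-run office, because a shared "treasurer" login quietly defeats all three. The following Python example is added here to show how those three policies look when enforced by software rather than by goodwill; it is not code from the NIST draft or from this post. The permission names, the account names and the sample transaction are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Hypothetical permission names used by this example (not from the NIST draft).
INITIATE = "initiate_transaction"
APPROVE = "approve_transaction"
INSTALL = "install_software"


@dataclass(frozen=True)
class Account:
    """One named account per person (item 7): no shared 'office' logins."""
    username: str
    permissions: FrozenSet[str]


@dataclass
class Transaction:
    tx_id: int
    description: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None


class Ledger:
    """Records transactions and enforces who may initiate, approve, or install."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.transactions: Dict[int, Transaction] = {}
        self.audit_log: List[str] = []   # every decision, allowed or denied, is logged
        self._next_id = 1

    def _check(self, username: str, permission: str) -> Account:
        """Reject unknown accounts and accounts that lack the permission (item 8)."""
        account = self.accounts.get(username)
        if account is None:
            self.audit_log.append(f"DENY unknown account {username!r}")
            raise PermissionError(f"no individual account for {username!r}")
        if permission not in account.permissions:
            self.audit_log.append(f"DENY {username} lacks {permission}")
            raise PermissionError(f"{username} may not {permission}")
        return account

    def initiate(self, username: str, description: str, amount: float) -> Transaction:
        self._check(username, INITIATE)
        tx = Transaction(self._next_id, description, amount, initiated_by=username)
        self.transactions[tx.tx_id] = tx
        self._next_id += 1
        self.audit_log.append(f"ALLOW {username} initiated tx {tx.tx_id} ({amount:.2f})")
        return tx

    def approve(self, username: str, tx_id: int) -> Transaction:
        self._check(username, APPROVE)
        tx = self.transactions[tx_id]
        # Item 9: the person who initiated a transaction can never approve it,
        # even if their account otherwise holds the approve permission.
        if tx.initiated_by == username:
            self.audit_log.append(f"DENY {username} tried to approve own tx {tx_id}")
            raise PermissionError("separation of duties: initiator cannot approve")
        if tx.approved_by is not None:
            raise ValueError(f"tx {tx_id} already approved by {tx.approved_by}")
        tx.approved_by = username
        self.audit_log.append(f"ALLOW {username} approved tx {tx_id}")
        return tx

    def authorize_install(self, username: str, package: str) -> bool:
        """Item 8: only designated accounts may install software."""
        try:
            self._check(username, INSTALL)
        except PermissionError:
            return False
        self.audit_log.append(f"ALLOW {username} may install {package}")
        return True


def build_sample_ledger() -> Ledger:
    """Constructed sample accounts for a small association (not real data)."""
    return Ledger([
        Account("treasurer", frozenset({INITIATE, APPROVE})),
        Account("president", frozenset({APPROVE})),
        Account("volunteer", frozenset({INITIATE})),
        Account("it_admin", frozenset({INSTALL})),
    ])


if __name__ == "__main__":
    ledger = build_sample_ledger()
    tx = ledger.initiate("treasurer", "Venue deposit", 500.00)
    try:
        ledger.approve("treasurer", tx.tx_id)      # same person: rejected
    except PermissionError as e:
        print("rejected:", e)
    ledger.approve("president", tx.tx_id)           # second person: accepted
    print("installs:", ledger.authorize_install("volunteer", "backup-tool"),
          ledger.authorize_install("it_admin", "backup-tool"))
    print("\n".join(ledger.audit_log))
```

Two design points carry over directly to whatever accounting or membership system an association actually uses: the separation-of-duties check compares the approver against the recorded initiator of that specific transaction, not merely against a role, so a treasurer who holds both permissions still cannot approve their own entry; and every denial is written to the audit log, which is what makes the periodic review or audit mentioned later in the post possible.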
It is important to understand that there is a real cost associated with not providing adequate protection to sensitive business information and that this cost is usually invisible until something bad happens. Then it becomes all too real (and all too expensive) and visible.
Information security is not something that should be left to amateurs. Just as your books can be maintained by an amateur but need professional accountant oversight backed up by written policy, your information security needs appropriate attention at all levels. Policy needs to be written in consultation with a skilled professional. Training is needed so that everyone knows and understands the policies and what they are to do. A periodic review, or even an audit, is necessary to make sure that security is maintained.
Don’t get caught closing the barn door after the horse has already escaped!