Information Technology is critical infrastructure for modern associations. IT Security, or Cybersecurity, is the process that protects computer systems and networks from theft or damage, as well as from the disruption or misdirection of the services they provide.
Cybersecurity should be part of the overall governance framework for your association.
Here are recommended steps for cybersecurity governance at your organization:
STEP 1: Risk Assessment
Risk assessments help identify, estimate, and prioritize risk. The primary challenge during an IT security risk assessment is to find an acceptable balance between convenience and the confidentiality, integrity, and availability of assets.
STEP 2: Policy Development
A well-written policy outlines what the organization expects from employees and partners in terms of the behavior, actions, and processes they take in specific scenarios.
IT policies should clearly address each of the following areas: Acceptable Use, Password Protection, Remote Access, Confidential Data, Mobile Devices, Data Retention, Email, Backup, Contingency Planning, Network Access, Workforce Security, Personal Data Protection, Incident Response, Breach Notification, External Connections, Guest Access, Wireless Access, Network Security, Encryption, Data Processing Agreements and Physical Security.
STEP 3: Education
Social engineering is the most common threat to cybersecurity in any organization. Recent breaches involving high-profile accounts at Twitter started with a phone call. Continuous education for staff, partners and members has proven effective in countering social engineering attacks.
STEP 4: Compliance Audits
Internal audits should be conducted regularly and results reported to management. Since many associations have only a few IT personnel, external resources may be required to conduct a cybersecurity audit.
Several common IT policies lend themselves to periodic internal audits. They include the following examples:
- Participation in and completion of employee security awareness training
- User network access and permissions
- Records retention
- Personal data protection
- Data processing agreements
The ‘Techie Stuff’
Vulnerability Assessments and Penetration Testing are the ‘geekiest’ part of managing cybersecurity risk. These processes are generally outsourced to independent experts.
A Vulnerability Assessment identifies infrastructure weaknesses that could be triggered or exploited to enable a security breach. During a vulnerability assessment, your IT team or an outside expert will examine your systems and determine which flaws are in danger of being exploited. They might run specific software to scan for vulnerabilities, test from inside the network, or use approved remote access procedures to determine what needs to be corrected to meet standards.
A Penetration Test involves hiring a ‘white-hat’ hacker, or firm, to attempt to breach your security systems. This brings to light potential access points and weaknesses in your infrastructure that may provide an opportunity for a breach to occur. Most commonly, this assessment is conducted from outside the network. Pen testing is required annually to meet PCI compliance standards for some organizations.
Managing technology risk is an ongoing and evolving process. New technologies present new risks. For example, artificial intelligence is being used to create synthetic media (‘deep fakes’), and the Internet of Things (IoT) has created new entry points for bad actors.
Bottom line… managing IT Security is not an event… it is a process that requires focus from all levels of the organization.
If you need help with IT Security, or any other association technology challenge, feel free to reach out to us at firstname.lastname@example.org