Steps to Managing IT Security for Association Executives

Managing IT security and mitigating risk is a critical task for association leaders today. Just consider the cost of a cyberattack: a single incident exceeds $3.86 million today on average.

It is so important in fact that managing IT security should be part of the overall governance framework for your association. This guide will dive into what we call "cybersecurity governance" or how to manage your digital security.

Steps to Managing IT Security

IT Security or cybersecurity is the process that protects computer systems and networks from theft or damage as well as from the disruption or misdirection of the services they provide. Here are recommended steps to manage IT security at your organization:

STEP 1: Risk Assessment

Risk assessments help identify, estimate and prioritize risk. The primary challenge during an IT security risk assessment is to find an acceptable balance between convenience and the confidentiality, integrity, and availability of assets. 

STEP 2: Policy Development

A well-written IT security policy outlines what the organization expects from employees and partners in terms of the behavior, actions, and processes they take in specific scenarios. 

IT policies should clearly address each of the following areas: Acceptable Use, Password Protection, Remote Access, Confidential Data, Mobile Devices, Data Retention, Email, Backup, Contingency Planning, Network Access, Workforce Security, Personal Data Protection, Incident Response, Breach Notification, External Connections, Guest Access, Wireless Access, Network Security, Encryption, Data Processing Agreements, and Physical Security.

STEP 3: Education

Social engineering is the most common threat to cybersecurity in any organization. Recent breaches involving high-profile accounts at Twitter started with a phone call.

Continuous education for staff, partners, and members has proven effective in countering social engineering attacks.

STEP 4: Compliance Audits

Internal audits should be conducted regularly and results reported to management. Since many associations have only a few IT personnel, external resources may be required to conduct a cybersecurity audit.

Several common IT policies lend themselves to periodic internal audits. They include the following examples:

• Participation and completion of employee security awareness training
• User Network Access and Permissions
• Records Retention
• Personal Data Protection
• Data Processing Agreement

Read More: Establishing a Data Protection Plan: The Complete Guide

The ‘Techie Stuff’

Vulnerability Assessments and Penetration Testing are the ‘geekiest’ part of managing IT security risk. These processes are generally outsourced to independent experts.

Vulnerability Assessment

A Vulnerability Assessment identifies infrastructure weaknesses that could be triggered or exploited to enable a security breach. During a vulnerability test, your IT team or an outside expert will examine and determine which system flaws are in danger of being exploited. They might run specific software to scan for vulnerabilities, test from inside the network, or use approved remote access procedures to determine what needs to be corrected to meet standards.

Penetration Testing

This type of assessment involves hiring a ‘white-hat’ hacker, or firm, to attempt to breach your security systems. This brings to light potential access points and weaknesses in your infrastructure that may provide the opportunity for a breach to occur. Most commonly, this assessment is conducted from outside the network.  Pen testing is required annually to meet PCI compliance standards for some organizations.

Read More: Cyber insurance for associations: The ins and outs

Final Thoughts

Managing technology risk is an ongoing and evolving process. New technologies present new risks. For example, artificial intelligence is being used to create synthetic media (‘deep fakes”) and the Internet of Things (IoT) has created new entry points for bad actors.

Bottom line… managing IT Security is not an event… it is a process that requires focus from all levels of the organization.

Ready to get a pulse on the current state of your cybersecurity and compliance practices? Get started by taking our security assessment.