Is your association’s IT security policy up to snuff?

Implement a strong security policy.

Anthem, the nation's second-largest health insurance company, is just another big name in a series of Fortune 500 companies and other entities (Office of Personnel Management, anyone?) that have been targets of security breaches. 80 million Anthem customers had their account information, including social security numbers, stolen. Ouch.

To minimize the chances of this nightmare scenario at your association, make sure your IT security policy addresses each of the following 5 areas.

5 Areas Your Security Policy Should Address

Backups

Backups must be a top priority in your security policy because some day you may have to rely on backups to continue operations.

The American Public Power Association (APPA) uses a fully virtualized storage area network (SAN) – installed by DelCor – for their server infrastructure, according to their IT manager, Adam Kuhn. A SAN is a high-speed network of storage devices connected to your servers. The SAN is capable of keeping backups for 28 days, but at the same time, the critical virtual servers, including all user data, are written across a communications link to DelCor’s Network Operations Center (NOC) for disaster recovery purposes.

Furthermore, Adam uses Backup Exec to back up to a separate local storage container so that data is retained beyond the SAN’s 28-day retention period. “Sometimes, staff don’t realize they’ve deleted something until after a month goes by,” Adam stated.

Firewall

I sometimes find firewalls with 5-10 year old technology. That’s a frightening prospect. You should budget for a firewall replacement every 3-4 years to leverage new security technology.

Your firewall must have:

  • Deep packet inspection (DPI), a technology that inspects packets of data being sent and received by network users.
  • Perimeter-based malware protection that controls access to all entry and exit points of the network.
  • Integrated intrusion prevention, a technology that leverages DPI to identify and block known exploits.
  • Ability to block suspicious outbound traffic so you can identify a system that may be compromised and used for malicious activity such as a spambot.
  • Ability to block downloadable executables.

Adam at APPA suggests using a third-party service to analyze your firewall logs and alert you to any threats. That task is too time-consuming and critical to do yourself.

Servers

How often do you patch and reboot your servers and apps? Unpatched systems are often the entryway for security threats, so it’s critical to apply patches on a daily basis. Web application servers are the most vulnerable. For example, if you have an old version of ColdFusion, it needs to be patched regularly.

Web application security

You can have the best systems and policies in place but if there’s a vulnerability in your web application code, you’re putting your data at risk. Schedule a conversation with your web app developer to understand how the developer has (or hasn’t) ensured proper security for their web apps.

For example, make sure you have input sanitization for web apps that integrate with databases. Input sanitization ensures that any input, such as a website login, is ‘cleansed’ of harmful data and prevented from executing unauthorized actions.
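To make that conversation with your developer concrete, here is an added example (not code from this post or from any association's system) of a member lookup written the weak way and the hardened way. The table, the usernames and the allow-list pattern are assumptions made up for illustration.

```python
import re
import sqlite3

# Allow-list for usernames (an assumed policy: letters, digits, . _ - up to 32 chars).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def make_db():
    """Build an in-memory database holding one constructed member record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY, email TEXT)")
    db.execute("INSERT INTO members VALUES (?, ?)", ("member1", "member1@example.org"))
    return db

def lookup_unsafe(db, username):
    """Weak form: the input is pasted into the SQL text, so quote characters
    in it can change the structure of the query."""
    sql = "SELECT username FROM members WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def is_valid_username(username):
    """Input validation: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None

def lookup_safe(db, username):
    """Hardened form: validate first, then bind the value as a parameter so
    the database always treats it as data, never as SQL."""
    if not is_valid_username(username):
        return []
    return db.execute(
        "SELECT username FROM members WHERE username = ?", (username,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("unsafe:", lookup_unsafe(db, hostile))
    print("safe:  ", lookup_safe(db, hostile))
    print("normal:", lookup_safe(db, "member1"))
```

The question to ask your developer is whether every database query in the app looks like the second form: validated input, bound as a parameter, never concatenated into the SQL string.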

For more information on possible threats, the OWASP Top Ten lists the most common web application vulnerabilities.

Staff computers

In an earlier post (second in this series), I suggested developing a security policy that balances the productivity needs of staff with the security needs of the association. Consider these practices when developing your policy:

  • Replace older operating systems, like Windows XP, that are no longer supported.
  • Don’t allow staff to have local administrator rights. As a result of this change, IT staff may be called upon to install printers or apply updates.
  • IT should centrally manage patches for vulnerable third-party applications such as Flash and Java.
  • Practice the principle of least privilege, when appropriate; that is, users can only access what they absolutely need. This principle swings the pendulum of security balance toward less functionality for the user and more support from IT, but it may sometimes be necessary to protect your data.

Next we’ll look at tools. In the meantime, if you need an audit of your security policy – or help creating one in the first place – we can help.

Editor’s note: This post is third in a series on the IT security threat landscape for associations. If you missed the first post, read it here.

Looking for more information about information security? We’ve got you covered. Check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives for more information on threats to your organization’s security and how you can prevent your data from being compromised. 


Flickr photo by EFF Photos