Identifying IT Risks
Community IT Innovators Webinar Series
October 20, 2016
Webinar Tips
• Interact: Ask questions via chat; connect on Twitter
• Focus: Avoid multitasking. You may just miss the best part of the presentation.
• Webinar Slides & Recording: PowerPoint and recording links will be shared after the webinar.
About Community IT
Advancing mission through the effective use of technology.
• Invested: Work exclusively with nonprofit organizations, serving over 900 since 1993.
• Strategic: Help our clients make IT decisions that support mission.
• Collaborative: Team of over 30 staff who empower you to make informed IT choices.
Nura Aboki, Network [email protected]
Eva Townsend, Network [email protected]
Identifying Risks
• There is no simple recipe that will pinpoint and nullify all potential threats
• Determine the likelihood of a vulnerability being exploited and quantify the potential losses
• The stability of a network requires both prevention and recovery planning
Vehicles of Risk
• Malicious Outsider: hacking, ransomware, software vulnerabilities, unauthorized backdoors, altered data attack, cloud attack
• Catastrophe: natural disaster, accident
• System Failure: power outage, internet outage, hardware failure
• Inside Source: breach of policy, intentional or unwitting exposure
Potential Impacts
• Partial or total loss of data
• Misuse of data
• Physical damage
• Siphoning of business resources
• Business productivity impacts
• Loss of compliance status
• Reputation
• Financial cost
Layers of Protection
• IT Governance: top-down governance; business processes and policies; regular reporting and oversight
• IT Management: training; business continuity and recovery plan; annual audit
• Network Connectivity: redundancy; failover; security
• Physical Devices: warranty & support contract; updates; virus & malware
• Information Systems: backups; updates; security
Assessment Areas
• Connectivity: equipment & services for internet, wireless, and networking
• Security: backups, business continuity, antivirus, patching, remote access, accounts & passwords
• Devices: front & back office equipment, mobile devices
• Information Systems: email, files, business applications
Connectivity
Internet
• Service is adequate and stable; business continuity requirements are met
Wireless
• Staff access is secure; guest access is secure and segregated from staff access
• Sufficient access points for coverage; the network is seamless and performs well
• Equipment is under warranty with an active support contract
Networking Infrastructure
• Switches are managed, within expected lifespan, and under warranty
• A firewall is in place and under warranty with an active support contract; firewall firmware is current; a recent backup configuration file is saved in a secure location
Security
Backup & business continuity
• Managed backups are in place for servers, cloud systems, email, and any other critical systems; the restoration process and its viability are tested regularly; local backups and regular off-site backups are running
• Business requirements are adequately met by the backup schedule and continuity configuration
Antivirus, patching, and more
• A managed antivirus solution is in place for all workstations and servers; web filtering is in place to improve protection against web-based malware and threats; an email filtering solution is in place; there is an established patching schedule for servers and workstations
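The backup checklist above asks that restoration "viability is tested regularly". A restore test only proves something if the restored files are compared against a known-good copy rather than eyeballed. The script below is an added example (not part of the Community IT slides) of how an IT team could do that comparison after restoring a backup set to a scratch location: it hashes every file under the source share and under the test-restore folder with SHA-256 and reports files that are missing, altered, or unexpected. The two paths are assumptions; substitute your own.

```powershell
# Added example: verify a test restore against the data it was backed up from.
# Paths below are assumptions for illustration; point them at your own share
# and at the folder where you restored the backup set for testing.
param(
    [string]$SourceRoot  = 'D:\Shares\Finance',       # assumed original data location
    [string]$RestoreRoot = 'E:\RestoreTest\Finance'   # assumed test-restore location
)

# Build a map of relative path -> SHA-256 for every file under a root folder.
function Get-TreeHashes {
    param([string]$Root)
    $table = @{}
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($prefixLength)
        $table[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$source  = Get-TreeHashes -Root $SourceRoot
$restore = Get-TreeHashes -Root $RestoreRoot

# Files present in the source but absent from the restore: the backup job is missing data.
$missing   = @($source.Keys  | Where-Object { -not $restore.ContainsKey($_) })
# Files present in both but with different content: corruption, or changed since the backup ran.
$corrupted = @($source.Keys  | Where-Object { $restore.ContainsKey($_) -and $restore[$_] -ne $source[$_] })
# Files only in the restore: usually deleted since the backup, worth a look but not a failure.
$extra     = @($restore.Keys | Where-Object { -not $source.ContainsKey($_) })

$result = if ($missing.Count -eq 0 -and $corrupted.Count -eq 0) { 'PASS' } else { 'FAIL' }

[pscustomobject]@{
    Checked   = $source.Count
    Missing   = $missing.Count
    Corrupted = $corrupted.Count
    Extra     = $extra.Count
    Result    = $result
}

# Write the per-file detail so the test is auditable, which the annual audit will want.
$missing   | ForEach-Object { [pscustomobject]@{ File = $_; Status = 'Missing' } }   |
    Export-Csv -NoTypeInformation -Path '.\restore-test-detail.csv'
$corrupted | ForEach-Object { [pscustomobject]@{ File = $_; Status = 'Corrupted' } } |
    Export-Csv -NoTypeInformation -Path '.\restore-test-detail.csv' -Append
```

Comparing against the live source is the simplest form of this check; if the share has changed since the backup ran, expect some "Corrupted" entries that are really just newer files. A cleaner variant is to save the hash table produced by Get-TreeHashes at backup time and compare the restore against that saved manifest instead, so the only differences reported are real restore failures.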
Security, continued
Remote access
• Remote access is secured and monitored
Accounts & passwords
• Accounts are disabled or deleted when no longer in use
• Domain/Enterprise Admins group contains only IT admin personnel; Just-In-Time access provides additional security
• Staff accounts use complex passwords that expire on a set schedule; multi-factor authentication is a good addition
• Organizational Units are adequately distributed and in use
• Share permissions are used across data shares
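Most of the "Accounts & passwords" items can be checked directly against Active Directory rather than by interview. The script below is an added example (not from the Community IT slides) that turns four of those items into an automated audit: enabled accounts with no logon in a set period, members of the Domain Admins and Enterprise Admins groups who are not on an approved list, passwords that never expire or are past the rotation period, and user accounts still sitting in the default Users container instead of a proper OU. It needs the RSAT ActiveDirectory module and read access to the domain. The day thresholds and the approved-admin list are assumptions to replace with your own policy values.

```powershell
# Added example: audit Active Directory against the "Accounts & passwords" checklist.
# Requires the ActiveDirectory module (RSAT). All thresholds and the admin list are
# assumptions for illustration; set them from your organization's written policy.
Import-Module ActiveDirectory

$InactiveDays   = 90                      # assumed cutoff for "no longer in use"
$MaxPasswordAge = 90                      # assumed rotation period from the password policy
$ApprovedAdmins = @('itadmin1', 'itadmin2')   # hypothetical IT admin account names

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# 1. Enabled accounts with no logon inside the cutoff: candidates for disable/delete.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'StaleAccount' $_.SamAccountName "Last logon $($_.LastLogonDate)" }

# 2. Privileged groups should contain only approved IT staff.
#    Enterprise Admins exists only in the forest root domain, hence the error suppression.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $ApprovedAdmins } |
        ForEach-Object { Add-Finding 'UnexpectedAdmin' $_.SamAccountName "Member of $group" }
}

# 3. Passwords that never expire, or that are older than the rotation period.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAge)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    ForEach-Object {
        if ($_.PasswordNeverExpires) {
            Add-Finding 'PasswordNeverExpires' $_.SamAccountName ''
        } elseif ($_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff) {
            Add-Finding 'PasswordOverdue' $_.SamAccountName "Set $($_.PasswordLastSet)"
        }
    }

# 4. Domain password policy: complexity on and a sensible minimum length (12 is an assumed floor).
$policy = Get-ADDefaultDomainPasswordPolicy
if (-not $policy.ComplexityEnabled -or $policy.MinPasswordLength -lt 12) {
    Add-Finding 'WeakPasswordPolicy' 'Default Domain Policy' `
        "Complexity=$($policy.ComplexityEnabled) MinLength=$($policy.MinPasswordLength)"
}

# 5. Users left in the default Users container cannot receive OU-scoped policy.
$usersContainer = "CN=Users,$((Get-ADDomain).DistinguishedName)"
Get-ADUser -Filter * -SearchBase $usersContainer -SearchScope OneLevel |
    ForEach-Object { Add-Finding 'NotInOU' $_.SamAccountName 'In default Users container' }

$findings | Sort-Object Check, Object | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path '.\ad-account-audit.csv'
```

Run it from a workstation with RSAT as a user who can read the directory; it makes no changes, it only reports. The CSV output is the artifact to keep for the annual audit, and re-running it quarterly shows whether the stale-account and admin-membership counts are trending the right way.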
Devices
Switches, firewall, routers, storage devices
• Performance is stable; age is within expected lifespan; firmware is current; active warranty/support agreement; configuration file is saved
Uninterruptible Power Supply (battery backup)
• Device capacity is sufficient; graceful shutdown and alerts are configured; temperature alerts are in place for server closets
Servers, workstations, copiers
• Active monitoring; within expected lifespan; warranty/support agreement
Mobile devices
• Centrally managed; bring-your-own-device policy in place
Information Systems
Files
• Anti-spam, backups & encryption
• Stored in a single place and platform
Business Applications
• Critical applications are routinely patched and updated, and carry a current support agreement from the vendor
• Platforms on which these run are in optimal condition
Summary - 5 Takeaways
• Backups for local and cloud systems
• Password policy and execution
• Antivirus is not enough anymore
• Test your backup and recovery plan
• Detailed audit every year or so
Upcoming Webinar
Is Dropbox your next File Server? Thursday, November 17, 4:00 – 5:00 PM EST, with Steve Longenecker
Provide feedback: Short survey after you exit the webinar. Be sure to include any questions that were not answered.
Missed anything? Link to slides & recording will be emailed to you.
Connect with us