Data security and Little Green Light
Posted January 13, 2014 by Chris Bicknell

 “After people, data is your most important resource.”

John Kenyon

Introduction

We’re often asked, “How secure will my data be in LGL?” Being in the cloud, we certainly understand where the question is coming from. Typically, assessing risk in relation to data and IT involves working through three major components:

  • Evaluation and assessment – Identifying assets and evaluating their properties and characteristics
  • Risk assessment – Discovering threats and vulnerabilities that pose risk to assets
  • Risk mitigation – Addressing risk by transferring, eliminating, or accepting it

Evaluation and assessment

First, none of the data types that are highly sensitive and highly pursued by those with bad intentions are easily stored in LGL (nor should they be stored there):

  • Credit card or other information that could be used for monetary gain
  • Social Security numbers, which could be used for identity theft
  • Health information protected under HIPAA laws (medications, diagnoses, etc.)
  • Education information protected under FERPA (grades, disciplinary reports, etc.)

Data assets typically stored in LGL (each client may need to add items as necessary; this chart covers the core items) and the level of sensitivity:

| Data asset | Level of sensitivity | LGL comments |
|---|---|---|
| Name and contact information | Low | Publicly available information (phonebooks, voter rolls, large-scale databases) |
| Date of birth | Low | Also publicly available, though harder to acquire than names and contact information |
| Gift information | Medium | Proprietary to each organization but not secret. NOTE: Any organization that publishes an annual report makes this information public |
| Wealth indicators | Low | Not all clients use this aspect of LGL. If they do, the information is gathered from public records (e.g., scans of annual reports, insider information, etc.) |

Risk assessment

Given that the majority of information stored in LGL by customers is neither highly sensitive nor subject to any federal compliance regulations, the risk can be assessed in the context of the nature of the data. Below is a sampling of factors LGL recommends considering in the risk assessment of the data. Clients are free to a) add items appropriate to their circumstances and/or b) make their own assessment.

| Threat/vulnerability | LGL assessment | LGL comments |
|---|---|---|
| Internet hacking | Low risk | Given the relatively low profile of both LGL and its clients (none have national/international profiles like Walmart, Target, or eBay) |
| Physical theft/attack (equipment) | Very low risk | LGL is in “the cloud” and therefore not prone to this risk. (NOTE: This is the only type of security threat that LGL customers have suffered from and their LGL data was unaffected.) |
| Password sharing | Low risk (IF client implements good practices) | LGL offers unlimited accounts for this very reason, to avoid situations where usernames and passwords are shared. |
| Data loss due to hardware failure, natural disaster, etc. | Low risk | LGL uses top-notch server companies, the primary of which is Liquid Web.[i] Data redundancy and backup routines are maintained at a level unachievable by all but the largest nonprofits and businesses. |
| Unsecure local files | Medium risk | Clients regularly download Excel-friendly files from LGL. These are not password-protected and should be managed carefully on local drives, in email attachments, etc. |

 


[i] http://www.liquidweb.com/datacenter/ (Datacenter access is strictly limited to technical staff. Electronic security systems control data center access and are accompanied by a full complement of motion-detecting security cameras, which monitor the entire facility. Our DataCenter facility external walls are reinforced poured concrete. We are a fully managed facility, which means we have level 3 technicians on site 24 hours per day, allowing incident response times to be kept to a minimum.)

 

Risk mitigation

Given all the above, the steps toward mitigating risk can be outlined as follows:

| Threat/vulnerability | LGL mitigation steps | Client mitigation steps |
|---|---|---|
| Internet hacking | Use HTTPS[ii] and other best-in-class web security protocols | N/A |
| Physical theft/attack (equipment) | N/A | Ensure computers are in physically secure spaces that ensure access by authorized personnel only. |
| Password sharing | N/A | Provide all those who need access to LGL with their own username/password. Do not distribute this information. Update passwords to be strong. |
| Data loss due to hardware failure, natural disaster, etc. | Maintain/review server provider(s) to ensure they meet highest expectations | N/A |
| Unsecure local files | N/A | Use downloaded files discreetly and delete them when no longer necessary. Store them on secure file servers rather than the local drive or USB drives. Email sparingly. |

 


[ii] http://en.wikipedia.org/wiki/HTTP_Secure

Closing comments

While there is a lot of media attention paid to high-profile Internet security breakdowns, the vast majority of data stored in “the cloud” is neither interesting nor secret. The reality of today’s world is that “the cloud” gives nonprofits access to levels of IT infrastructure they could never achieve with their limited budgets. Secure facilities, redundant systems, background checks on staff, etc., are typically not available for “servers down the hall” in a nonprofit setting.
