Don't be left in the dark.

Little Green Light is a cloud-based donor management system for fundraisers.
Subscribe to get our latest product updates, best practices and tips to grow your nonprofit.

Data security and Little Green Light

Posted January 13, 2014 by Chris Bicknell

 “After people, data is your most important resource.”

John Kenyon

Introduction

We’re often asked, “How secure will my data be in LGL?” Being in the cloud, we certainly understand where the question is coming from. Typically, assessing risk in relation to data and IT involves working through three major components:

  • Evaluation and assessment – Identifying assets and evaluating their properties and characteristics
  • Risk assessment – Discovering threats and vulnerabilities that pose risk to assets
  • Risk mitigation – Addressing risk by transferring, eliminating, or accepting it

Evaluation and assessment

First, none of the data types that are highly sensitive and highly pursued by those with bad intentions are easily stored in LGL (nor should they be stored there):

  • Credit card or other information that could be used for monetary gain
  • Social Security numbers, which could be used for identity theft
  • Health information protected under HIPAA laws (medications, diagnoses, etc.)
  • Education information protected under FERPA (grades, disciplinary reports, etc.)

Data assets typically stored in LGL (each client may need to add items as necessary; this chart covers the core items) and the level of sensitivity:

Data assetLevel of sensitivityLGL comments
Name and contact informationLowPublicly available information (phonebooks, voter rolls, large-scale databases)
Date of birthLowAlso publicly available, though harder to acquire than names and contact information
Gift informationMediumProprietary to each organization but not secret. NOTE: Any organization that publishes an annual report makes this information public
Wealth indicatorsLowNot all clients use this aspect of LGL. If they do, the information is gathered from public records (e.g., scans of annual reports, insider information, etc.)

Risk assessment

Given that the majority of information stored in LGL by customers is neither highly sensitive nor subject to any federal compliance regulations, assessing the risk can be viewed in context of the nature of the data. Below are a sampling of factors LGL recommends considering in relation to the risk assessment of the data. Certainly clients are free to a) add items appropriate to their circumstances and/or b) make their own assessment.

Threat/vulnerabilityLGL assessmentLGL comments
Internet hackingLow riskGiven the relatively low profile of both LGL and its clients (none have national/international profiles like Walmart, Target, or eBay)
Physical theft/attack (equipment)Very low riskLGL is in “the cloud” and therefore not prone to this risk. (NOTE: This is the only type of security threat that LGL customers have suffered from and their LGL data was unaffected.)
Password sharingLow risk (IF client implements good practices)LGL offers unlimited accounts for this very reason, to avoid situations where usernames and passwords are shared.
Data loss due to hardware failure, natural disaster, etc.Low riskLGL uses top-notch server companies, the primary of which is Liquid Web.[i] Data redundancy and backup routines are maintained at a level unachievable by all but the largest nonprofits and businesses.
Unsecure local filesMedium riskClients regularly download Excel-friendly files from LGL. These are not password-protected and should be managed carefully on local drives, in email attachments, etc.

 


[i] http://www.liquidweb.com/datacenter/ (Datacenter access is strictly limited to technical staff. Electronic security systems control data center access and are accompanied by a full complement of motion-detecting security cameras, which monitor the entire facility. Our DataCenter facility external walls are reinforced poured concrete. We are a fully managed facility, which means we have level 3 technicians on site 24 hours per day, allowing incident response times to be kept to a minimum.)

 

Risk mitigation

Given all the above, the steps toward mitigating can be outlined as follows:

 Threat/vulnerabilityLGL mitigation stepsClient mitigation steps
Internet hackingUse HTTPS[ii] and other best-in-class web security protocolsN/A
Physical theft/attack (equipment)N/AEnsure computers are in physically secure spaces that ensure access by authorized personnel only.
Password sharingN/AProvide all those who need access to LGL with their own username/password. Do not distribute this information. Update passwords to be strong.
Data loss due to hardware failure, natural disaster, etc.Maintain/review server provider(s) to ensure they meet highest expectationsN/A
Unsecure local filesN/AUse downloaded files discreetly and delete them when no longer necessary. Store them on secure file servers rather than the local drive or USB drives. Email sparingly.

 


[ii] http://en.wikipedia.org/wiki/HTTP_Secure

Closing comments

While there is a lot of media attention paid to high-profile Internet security breakdowns, the vast majority of data stored in “the cloud” is neither interesting nor secret. The reality of today’s world is that “the cloud” gives nonprofits access to levels of IT infrastructure they could never achieve with their limited budgets. Secure facilities, redundant systems, background checks on staff, etc., are typically not available for “servers down the hall” in a nonprofit setting.

Ready to try LGL? Get your first 30 days free. No credit card required.