Community IT CEO Johan Hammerstrom has a conversation with cybersecurity expert and Community IT CTO Matt Eshleman about what policies you need, and where to find templates for them.

Do you have the security and IT general policies you need? Have they been updated recently to reflect any new work environment or expectations? Are staff using personal devices? Are they working from home? Are you requiring MFA on all log ins, or using Single Sign On? What do you do when staff off-board to recover company data assets and reset their passwords?

Crafting nonprofit IT security policies helps your teams think about your IT expectations, and helps clarify expectations with staff.


Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.



Presenters

Matt Eshleman


As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.

Johan Hammerstrom

Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.

As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.



Transcript 

Johan Hammerstrom:  Thank you for joining us for today’s webinar on Crafting Nonprofit Security Policy. My name is Johan Hammerstrom, and I am the president and CEO of Community IT.

And now it’s my pleasure to welcome today’s presenter and our Chief Technology Officer at Community IT, Matthew Eshleman. Hi, Matt.

Matthew Eshleman:  Hi, thanks for the intro, Johan. Since we’re talking about IT Security Policy, I want to provide a reference link to a really great resource from SANS and their security policy templates.

So this is a resource that is free and publicly available and can be a great place to look to start. 

So if you’re looking to get started with an IT Policy, or looking to make sure that you have all of your bases covered, this is a really great resource for getting ideas for those policy templates and building from there. The website is https://www.sans.org/information-security-policy/

Terminology

Just some basic terminology:

We’re talking about policies, and those policies are the principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals.

So that’s the framework that we’re talking about today.

Guidelines, they’re recommended practices; you get some discretion, some leeway, like, hey, these are some good ideas. These are the guardrails.

We have standards, which would be universally accepted or established meanings. So, we may say, “Hey, we’re going to use the AES-128 Encryption Standard as something that we are going to mandate as part of our communication.” So that would be a standard. 

Then we’ve got procedures that really talk about how all these things get put into place, how we really take the policies and put them into action. 

It’s always good to start with a little bit of background, just terminology, so that we’re all on the same page in terms of definitions as we move forward.

Security Policies

There were a number of questions that were asked ahead of time about what policies to have and where to start, and here’s a couple of items:

Acceptable Use Policy

As we have seen organizations operate in action and be exposed to different security threats, I think this follows what I see as the biggest priorities in terms of what organizations need to focus on.

Often, the acceptable use policy is something that most organizations already have that’s typically part of your employee handbook.  It oftentimes describes good computer behavior. Don’t look at websites you’re not supposed to, your computer is to be used for business purposes, there may be things like, you don’t have an expectation of privacy, or monitoring, the IT Department has the ability to monitor things, and so forth.

So I think the acceptable use policy is often a great place to start.  If you don’t have anything, that’s probably where you should start. 

If you are an organization looking to build out, the acceptable use policy provides a framework or a way to insert or add additional policies into something that already exists. So again, I mentioned, the acceptable use policy will often describe how to handle computer equipment, what’s provided, it will govern examples of what web browsing is acceptable. 

It can also be a place where things like your mobile device policy can be included as well. So how are mobile devices handled? A BYOD approach where staff can bring their own devices and connect them to work resources, is that permitted? Are employees provided with business resources and how is that line drawn?

One of the things that often comes up is, how do you handle reimbursements for that?

I know in the past couple years Community IT has changed how we handle that because of some IRS guidelines. 

So we now provide a technology stipend and it’s just provided to all employees. And that’s a taxable benefit that we get because the other alternative would be for employees to get reimbursed for the portion of the phone that they use for business purposes and that becomes an administrative headache. So as a policy, we’ve chosen to go that route.

I do think in the nonprofit space, in particular, the pendulum is swinging back a little bit from being really permissive about mobile devices, where “Hey, Staff! Isn’t it great that you can use your phone to get your email?” to a position where people are being a little bit more thoughtful about what it means to have company data on personal assets.

And I think because the technology has also improved, it’s a little bit easier to implement a mobile device management policy where there are tighter controls over what data is allowed on phones, and to have the ability for that phone to be wiped if it’s lost or if an employee is off-boarded, and so on and so forth. So I think Mobile Device Policy I would put on there as a higher priority policy to have, and it can be nested under that Acceptable Use Policy.

Data Policy

The second is a data policy. 

And this is a fairly broad topic. And it’s broad intentionally, because we’ve seen more and more information go to the cloud. The cloud doesn’t necessarily change things in terms of not needing to think about it or not needing to have a policy, but it opens up more opportunities for questions to be asked. The data is no longer in the server closet down the hall, so we don’t really have data residency issues. It could be on the web somewhere.

So it presents more opportunities for questions around how data should be managed, what controls we want to have around, what expectations we have of our vendors, what other information we need to layer on so we understand our data.  Not just file data, but also database systems, digital assets, like pictures.  Think about data broadly, as opposed to just where my file is stored, where my email is stored, because that data can be stored in lots and lots of different systems, not just systems that deal with storing discrete files.

Identity and Account Policy

I have identity and account policy as a separate line item as well. This becomes a lot more important because we’re talking about identity, not just the Active Directory account you use to log in to your computer, but the identity that is now used to log into Salesforce, to Hootsuite, to Twitter, to your HR system online.

So this identity now exists and travels with you, not just within the bounds of the network, but across the whole cloud and web application sphere, where you are accessing systems, many different systems. And so each of those systems creates an opportunity or a window for data loss to occur, for systems to be compromised.

Having a clear sense of what expectations are around managing an identity, what security policies we want to apply can help focus an organization on thinking about that much more broadly than a single account.

HIPAA

And then finally, I do have HIPAA on here, there were some questions around, “What compliance rules am I required to follow as an organization?” 

I would say, typically, nonprofit organizations may not have many “legally mandated compliance requirements” that they need to follow.  The big exception would be HIPAA and PCI compliance. 

And one way that we often think about that is doing things through a CIA framework, or a Confidentiality, Integrity, and Availability framework.

Categorize data and help provide a rigorous classification, where information should be stored and what other controls may need to be placed around it. 

We see we’ve got some things that are sensitive data like medical records and then we can categorize those saying medical records have a high level or high degree of confidentiality, a high degree of integrity, and a high degree of availability. And we can create IT systems that can support that requirement.

Whereas program management, maybe that’s a low degree of confidentiality, a moderate degree of integrity, and a moderate degree of availability. And as a result, different IT systems can be put in place to support that framework. 

And again, as much as we’re talking about developing IT Policy, that really should come first.

So as opposed to thinking of the technology and then working backwards, it’s preferred to think about the policy and the data first and then find technology solutions to meet those organizational requirements. 

IT Security Policy Process

So in terms of implementing an IT Security Policy, this is something that needs to follow a fairly well-defined process.

And it’s a process that really needs to start with senior management, “the board level support or mandate,” and this is an important distinction to make.  

IT policies developed by IT for IT, I think are often not very effective. Our position would be that these IT policies really benefit having executive or board level sponsorship to ensure that they are supporting the broader organizational goals.

And again, that’s what the IT policy is for – to really support the organization itself, as it works to achieve its mission.  It’s not in service just to the IT department. 

So, once the senior management or the board is engaged in that process, then the process can begin to develop a draft policy. 

And, as I mentioned, there are a lot of great templates and resources out there.  The SANS ones, I think, are very good and thorough and well written. I think, in terms of overall process, flowing from that draft policy, then that can go to colleague support or program support. 

For example, if there’s going to be some data management or data retention policies that may need to have support from other folks in the organization, to say, “Hey, we’re concerned about, we’ve got files on our file server that are 20 years old. And we think we can have a data retention policy that says, hey, after a program is over, we only need to keep it for seven years.”

And so, enlisting the colleagues to refine and create those policies is going to go a long way into the overall success and adoption of the policies in general. 

So once support has been enlisted for these policies, then we can move into, “Okay, how are we going to monitor these things?”

And I think this is another area where smaller organizations with not as many resources find it hard to really rigorously monitor a lot of these policies and systems over time. I think that’s why organizations are better off being a little bit more general, in terms of their definitions, and try to anticipate how much time it is going to take to effectively monitor and manage these policies once they have been implemented.

Some guidance could be, start small and work from there, as opposed to defining a very rigorous and extensive policy that’s going to require a lot of management and overhead to deal with in support. 

And then finally, once we have some boundaries around how we are going to monitor these policies, then you can move into an implementation phase. And we’ll talk a little bit more about some different approaches for implementation as we move along.

Organizational Adoption

So once we’ve gone through this process and we get to the organizational adoption, there still are a few more decisions to be made in terms of determining the implementation approach.  If you’re going to do a big bang, like, “Hey, we’re implementing a new IT policy, and that means, X, Y, and Z.” So is that something that’s going to happen all at once? Or is that something that’s going to be more of a phased deployment approach? 

The good guidance around this, particularly from SANS, is to say, “Hey, you’ve worked really hard on your IT policy and we want to go ahead and just implement it,” and implement it all at one time. We have one end-user-impacting event and we can work through that, as opposed to a slow and steady drip of behavioral changes that staff need to make. Again, I think this is going to be driven largely by an organization’s culture, in terms of what’s going to make the most sense.

And so, you know, as much as you can, I do think this big bang approach is probably preferable, particularly if it’s going to involve a lot of user change. So it’s good to have a build-up and focus on training around that to support your policy. Mostly we’re talking about things that will potentially impact end users, like password changes, password policies, maybe changes to your mobile device management approach.

These are things that you’re probably well served by doing it all at once, after a small deployment or a small pilot group to make sure that everything is working effectively and then you can go to a broader deployment. 

Our Approach to Policies

In general, our approach to policies is generally permissive. So if you look at some documentation, there’s a couple different levels. There’re areas where anything goes, you do whatever you want. 

There’s permissive, which generally is to allow things.  

There’s conservative where the default is to deny things. 

And then there’s really restrictive and so that would be when you can’t do anything except with approval. So that may be more appropriate for the military or NSA or whatever. 

In general, we find that a generally permissive organizational policy suits the nonprofit culture best, because we trust the staff that work in our organizations. And we aren’t going to invest as much in the overhead apparatus to really monitor and manage a more restrictive policy.

So, while our default is generally to allow behaviors, 

So maybe backing up to another cloud may have some other redundancy. But again, I think that’s an example of where your policy can really help to inform some of the behaviors, the technology solutions to support those services that you’re using. 

Where to Invest

As we come to the tail end of the presentation, talking about where to invest, this can be really daunting, especially if you’re an organization that’s just getting started. You don’t really have much to go on.

Where do you focus?

And I would say there’s probably three things to focus on. 

And so these, I would say, would be the first three things to focus on. 

Aligning the Technology with Policy

Aligning the technology with policy, these are all decisions where the policy comes first. And you can find technology and technology solutions to help support those policies that have already been defined. So again, acceptable use policy, talk about things in general.  

We find that these acceptable use policies say things like, “computers are for organizational use, they’re not for personal use. And there’s no expectation of privacy, we want to encourage good computer stewardship.” This acceptable use policy is really an umbrella policy that can help reference other policies and so that can be your framework that you can build off of.

Again, the data policy: we’re talking about data, big-D Data, data wherever it may reside. And so that may be your email blast system, it may be your CRM, but the data broadly, where does that exist? It’s not just files anymore.

And use that data classification, the CIA triad to help provide some additional perspective on that. Is all data super confidential? High degree of integrity, always has to be up? Yeah, maybe so. So let’s find technology solutions that can help meet those requirements. And again, define the retention requirements. This one I think is tough. Storage is cheap, the time to figure out what data we need to keep around, that requires a lot of person hours to sort through and figure out.

And so this can be a hard one to say, yeah, we are going to actually go through and purge data that we haven’t accessed or used in seven years, and we are going to be pretty assertive about cleaning out our mailboxes, because we’re concerned about what happens if that email gets compromised. So data retention can really help drive some of those decisions.

Then finally, identity account policy. We want passwords to be changed every 90 days, we want to have account lockouts to help prevent against brute force attacks. And when possible, we want to have two-factor [or MFA] for cloud based solutions.

Ideally, we’re also doing single sign on, so instead of remembering or using a password manager to remember the 15 to 20 different passwords that you use, you can use a single sign on solution to have a single password. And all these systems are authenticating against that single directory. And that’s a secure password with a second factor. And then we can manage an audit report in one location for all the applications as opposed to needing to do audit reporting against 20 different websites. 

And there are some other things that, I think, have been best practices for a long time. But again, it’s just worth mentioning: renaming your default admin accounts, having complex service account passwords. We’ve certainly seen accounts like copier or scanner with passwords that haven’t been changed in years.

And so, being mindful of how those accounts are created and maintained is an important step in this overall identity and account policy. 

Q&A

Johan Hammerstrom:  Yeah. Great. Thank you, Matt. That was excellent. One point of clarification, no pun intended, you had mentioned, it’s important to have a clear backup and data policy. And I was wondering if you could just elaborate on what you mean by clear.

Matthew Eshleman:  Sure, I think what I mean by clear, is an organization has an accurate understanding of where their data lives. So we have file data, here’s where the file data lives. We have email, email data, here’s where the email data lives and then have an understanding of if that data was lost or compromised or cryptoed. What do we need? Like, what do we need or what do we expect, maybe is a better word, to be able to get that data back? Do we expect to be able to get all that data back within a couple of hours? Do we expect to be able to recover a file that was deleted five years ago?

If an organization doesn’t have a well-documented data inventory system, what could happen is the system gets compromised, maybe the server crashes. Okay, we have a backup of this data. Here’s the folder, we’re going to restore the data in that folder. And then we come to learn that, Oh, well, this user was actually storing data in this other location that wasn’t part of the official “backup system.” 

Often organizations will say, “we’re backing up the network data.” And if it’s on your computer, it’s gone. But I would take that to say, let’s just make sure that all the data that’s on the network that is assumed to be backed up is, in fact, backed up.

And so again, it’s checking those expectations to say, “Here’s my expectation. Let’s have a conversation with IT. Hey, I expect to be able to recover the deleted file that this person deleted a year ago, can I actually do that?” And so, you can walk through those scenarios to test those assumptions that the technology solution is in fact, living up to your expectations.

Johan Hammerstrom:  So the data policy is a combination of a data asset inventory, combined with availability requirements, recoverability requirements and a specification of the systems that are providing the functionality.

Matthew Eshleman:  Yeah, yeah. I think that’s accurate. And I think, the backup and disaster recovery plan, or the business continuity plan will often make reference to some data inventory list. And there might be additional dimensions of data that are added when we talk about the backup and disaster recovery plan. But again, it’s important to have that inventory, so that there’s a common understanding about what is our organizational data? Where does it live? And then you can go from there, how are we backing up? How are we retaining it? What happens if you lose access to it?

Using Templates

Johan Hammerstrom:  Great. We have another question. Actually, there have been a number of questions about templates or samples that can be used. And I think you addressed that pretty well, early on, you know, SANS publishes a guideline.

But I think really, the most effective policy is going to be one that is consistent with the other policies that an organization already has. And you’re better off working within the existing policy framework for your organization, rather than trying to shoehorn in a template that’s in a completely different format. And I think that gets to the policy adoption process that you outlined earlier in the presentation.

Matthew Eshleman:  Yeah, I mean, I think that’s right. I think that the policy templates are great reference checks to make sure that you’re covering all your bases. Yeah, but I would say that, in general, I think the policy templates that are out there are very exhaustive and so you’ll probably spend more time throwing out things than you do adding to it.

Security Policies for Websites, Social Media, Other

Johan Hammerstrom:  There are a couple questions about custom-built web-based systems, website redesigns. To what extent do you see IT security policies extending out to things like websites, social media accounts, things that are maybe not traditionally considered part of the purview of the IT department?

Matthew Eshleman: I do think that coming back to this idea of data, your data policy and that would extend maybe to your data security, I think is relevant particularly when you’re working with additional vendors, where you’re providing information to. I remember one specific example, where an organization, I think they were using Salesforce as their CRM, like a lot of other organizations and they were looking for a vendor. They were looking for a vendor to do some mailings. So they wanted to give them access to their Salesforce database, generate a bunch of mailings, send it and they found through their contract review process that they had a couple different vendors or two vendors that they were looking at.  One would essentially take a copy of their data and then run all the processes from this copy of the data, and they would “have it on their network.”

And then the other vendor, essentially would be able to look at the data to run the reports, but they wouldn’t actually keep or retain any of that. And so in that case, the organization, because of their data policy said no, we need to keep tight control around our organizational information. And so we can’t use a vendor who is going to have a copy of our data on their system, even if it’s just to do work that we say that they can do. So I think that’s an example. 

So again, if you’re doing a website, you’re providing a lot of information to or through this website, vendor or developer.  It’s important to understand what are your data boundaries around the information that’s being provided? Is it going to leave your control? Is it going to be accessed by an entity that you may not expect to be able to access it that way?

Johan Hammerstrom: Yeah, that’s a good, great consideration. I like that concept of data boundaries as a way of thinking about where your data might go, how you want to control it. 

How to Choose Solutions and Vendors for Security Tools

There have been a couple of questions about specific tools, questions about the best type of firewall for home environments, a question about hardware firewalls versus software firewalls, a question about the best antivirus or antimalware package. 

I was wondering if you could just – we only have a few minutes left. But if you could speak broadly about how IT Policy can help inform decisions about types of security solutions or the selection of various security solutions?

Matthew Eshleman:  Sure, I think everybody wants to make sure they’re having the “best technology” to protect their organization. 

I do think it’s important to understand that there is no silver bullet, there is no perfect technology solution that is going to be right all the time. And I think that is one of the really challenging things in IT and IT Security is that, you’re playing defense, you’re going to have to be right 100% all the time. 

And it’s the one unpatched system that can be compromised and bring down the rest of the network. So, that’s why I think in general, IT Policy should be rather broad and non-technology specific. 

So, it may be appropriate to say if you’re working in the office, we expect to have a firewall that’s going to be filtering traffic and we’re going to be blocking the known threats. And leave it at that. And then it’s up to working with IT to do a vendor evaluation to say, “What’s going to be the best firewall for us right now?” And I think, now probably more than ever, what makes the best firewall may not be just how it performs technically in blocking threats, but how effective is it at reporting? What’s the user interface? How has that experience been?

For us personally, we’ve started to use Meraki a lot more as a security appliance. And I think it’s a good firewall in terms of its technical capabilities. But the real benefit is that it’s really easy to use and administer and we get a lot of insight out of it. And so as opposed to some other solutions, which may even have been superior technically, understanding how they were working and getting reporting out of them was a lot harder. So being more general: yes, computers need to have antivirus. Yes, we need to have a firewall. Working with trusted partners to find out what’s the best solution for your needs, right there. There could be different options depending on other requirements of the organization.

Johan Hammerstrom:  Great. Well, thank you, Matt. I want to thank everyone for joining us today. And thank you very much, Matt, for your time. This is a fantastic, very interesting webinar, a great topic. And we intend to publish a little bit more on our blog on this topic. So keep your eyes open for that, and thanks, Matt. Have a great afternoon.

