With the launch of our business, we are launching a blog that will cover topics of Information Technology as well as IT Security as they relate to Nonprofit Organizations.
In the future, we expect to cover software, services, best practices, definitions (i.e. “Cloud Computing”), and much more. As best we can, we will keep our readers abreast on current IT trends as they relate to nonprofits, and introduce new services and concepts.
In this first post, we discuss some definitions and prerequisites to Information Technology Security.
Just as we firmly believe that technology needs to be embraced as a means to an end (and is not the end-goal itself), we believe that the requirements for usability and availability should inform how information security is implemented in IT.
Information Technology Security is defined by the National Institute of Standards and Technology as:
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, information/data, and telecommunications).
Although this definition was written in 1995, and information technology has evolved rapidly since then (and thus, security requirements and considerations have also evolved), it is still a very applicable definition.
In “Computer Security Principles and Practices” (an information security textbook), authors William Stallings and Lawrie Brown point out that the NIST definition introduces three main concepts which are referred to as the CIA Triad: Computer Security must include Confidentiality, Integrity, and Availability.
This means that not only should we be concerned about privacy and keeping the data or service we’re protecting out of the hands of unauthorized people, but we should also be concerned about making the data or service available for use.
But in the implementation of IT Security, especially in the nonprofit sector where there are limited resources, we also need to take into account the usability of a product or service. After all, as is noted in Information Security: Starting Out, a White Paper published by the SANS Institute,
Employees want to know how things will help them do their job and will not be eager when they see something as an obstacle to their work.
It doesn’t do any good to have the best security around, but not be able to use a product or service.*
We do not compromise on necessary security precautions, and we firmly believe that nonprofits should not either. Security is often an overlooked area and is viewed as a hindrance. But at the same time, “security” should not be implemented “just because.” It is a means to an end, and it would serve nonprofit directors everywhere well to consider the implications of introducing a new security feature or practice into their existing organization.
In summary, we encourage you to think critically about whether the data or the service you use is actually “secure.” How critical is the software, service or data to your organization? Are you absolutely sure that it is confidential and has integrity (assurance that the data or service is only changed by authorized people in an authorized manner)? Does the software, service or data remain available when you need it?
If the answer to any of these questions is “no”, then you need to carefully evaluate (or have an outside IT consultant help you evaluate) the software, service or data. What can be done to improve the confidentiality, integrity or availability of the software, service or data?
These are just some of the questions or concepts we hope to help our readers begin to answer in our upcoming blog posts. To keep up with our posts, consider signing up to our blog newsletter!
* We acknowledge that this is true for most organizations. However, some organizations may have regulations they must meet or have other requirements for the best-of-the-best security. Whatever the situation, there are circumstances when security cannot be compromised.