March 2015 Meeting: Assessing IT Risk and Mitigation

Russell Greenwald, Vice President and Director, Technology Consulting Practice at Insource Services, Inc., gave a presentation that outlined areas of possible risk in your organization in relation to databases, files, email, computer network, and personnel. He also covered how to rate the risks, prioritize them, and determine next steps. Russell has been consulting with nonprofits, for-profits, and technology companies for the past 14 years.

How secure is your IT operation? First you need to determine who has access and how safe and secure that access is, including physical access. Your IT system includes desktops, laptops, email, servers, and the cloud. Many organizations believe that requiring a password to gain access to the system is sufficient. However, that is not really adequate. Your password should be encrypted, especially for emails. Emails are not really very private, and sensitive data should never be transported via email. Mobile phones and other devices are also very vulnerable to outside threats. Encryption is very important. Is the data on your server safe and secure, and, very importantly, is your backup system working? Have you tested it, and do you have a recovery plan? Is it on-site or off-site (off-site is better), and what are your recovery options?

Training staff to secure their data and communications is a fundamental step for any organization. Passwords are not very secure. Laptops, mobile devices, USB storage units, and emails must be encrypted. Any staff member who is fired or leaves the organization should be denied access to your IT system immediately. IT security is an organization-wide responsibility, not just the responsibility of your IT staff.