Basic Security Posture Checklist
You can easily tackle the first section of the list in an hour or two. It’s a very small investment relative to the risk reduction involved.
Audit the list of people with access to your volunteer data.
If you use any sort of software where administrators must log in, check the list of administrators for any that should be removed. This is a common security issue in the sector and one that is very easy to correct. It will take you very little time to audit this and remove the admin access for former staff members. Add the step of removing access to your volunteer management software to the list of all other software that requires an update when a staff member leaves. If this specific list doesn’t exist where you work, raise this issue with the ED or CEO ASAP. As an extra safeguard, best practices in data security also call for a periodic audit of access to software.
Ensure redundancy in top level access
If you use volunteer management software and you are the only person with full access to it, add one or two more people with full access. If, for whatever reason, you are not around to log into the system, your organization will have to reach out to the software vendor asking them to add a new administrator. This is, and needs to be, a time-consuming experience to ensure authenticity.
Eliminate any use of any shared accounts
These create greater challenges in the audit of administrators, and you have no way of knowing who logged in if you ever need to do an investigation.
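The three checks above (stale or departed administrators, at least two people with full access, and no shared accounts) can be run as one review over an export of the admin list. The script below is an added example, not part of the original checklist or of any particular vendor's software; the admin export, the staff roster and the list of shared-account names are constructed sample data, and the export format is assumed.

```python
"""Audit a volunteer-management admin export against the current staff roster."""
from datetime import date

# Constructed sample data: a hypothetical admin-user export and the
# organization's current staff roster (usernames only).
ADMIN_EXPORT = [
    {"username": "maria.lopez", "role": "full_admin", "last_login": "2024-05-02"},
    {"username": "j.chen",      "role": "full_admin", "last_login": "2023-01-15"},
    {"username": "volunteers",  "role": "editor",     "last_login": "2024-05-01"},
    {"username": "frontdesk",   "role": "editor",     "last_login": "2024-04-28"},
    {"username": "sam.okafor",  "role": "editor",     "last_login": "2024-04-30"},
]
CURRENT_STAFF = {"maria.lopez", "sam.okafor", "priya.n"}

# Assumed local convention: generic names that indicate a login shared by
# several people rather than a named individual.
SHARED_ACCOUNT_NAMES = {"volunteers", "frontdesk", "admin", "office"}


def audit_admins(admin_export, current_staff, shared_names, today, stale_days=90):
    """Return a list of (username, finding) pairs for a reviewer to act on.

    Findings raised:
      - account name is a shared/generic login (no individual accountability)
      - account holder is not on the current staff roster (offboarding missed)
      - account has not logged in for more than `stale_days` (likely unneeded)
      - fewer than two full administrators exist (no redundancy)
    """
    findings = []
    full_admins = [a["username"] for a in admin_export if a["role"] == "full_admin"]

    for acct in admin_export:
        user = acct["username"]
        if user in shared_names:
            findings.append((user, "shared account: replace with named individual accounts"))
        elif user not in current_staff:
            findings.append((user, "not on current staff roster: remove access"))

        last = date.fromisoformat(acct["last_login"])
        if (today - last).days > stale_days:
            findings.append((user, f"no login in {stale_days} days: confirm access is still needed"))

    if len(full_admins) < 2:
        findings.append(("*", "fewer than two full administrators: add a backup administrator"))

    return findings


if __name__ == "__main__":
    for user, finding in audit_admins(ADMIN_EXPORT, CURRENT_STAFF, SHARED_ACCOUNT_NAMES, date(2024, 5, 10)):
        print(f"{user:14} {finding}")
```

Run it on each export you pull from your system (quarterly is a reasonable cadence for the periodic audit mentioned above) and treat every line it prints as a ticket: remove, rename, or document the account.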
Activate 2 Factor Authentication if available
Also known as MFA or Multi Factor Authentication, this creates a barrier to getting into your account by someone who learns your username and password. Logging in requires a second form of authentication, such as a code sent to your mobile phone or email. Most software programs these days support 2FA but you may need to take steps to implement it.
Ensure that you never use the same password twice
If one platform you use gets compromised, malicious actors can easily use those credentials and apply them to multiple other platforms that you might use.
Implement a password vault
With a password vault, all you need to do is memorize one very secure password and the vault safely stores very long passwords that are unique to every site you use.
Set automated screen locks and timeouts
This can be done on your computer and right within any secure volunteer management system. It’s easy to get up from your computer thinking you will only be gone for a moment and then be drawn into something that keeps you away long enough for someone who should not have access to volunteer data to get it.
Lock down your software platforms to your office
If you never work from home, and if your volunteer software allows for it, lock down admin access to the software to your office IP addresses. You’ll need your IT department or supplier to help you with this. You need to be certain you won’t need access from outside your office, but once set up, it’s another barrier protecting your volunteers’ data.
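The allowlist itself is configured inside the vendor's software or firewall, but you can check whether it is working by reviewing login records against your office address ranges. The script below is an added example, not code from the original checklist or from any vendor; the office ranges use documentation (TEST-NET) addresses and the login events are constructed sample data, and the event format is assumed.

```python
"""Flag admin logins that did not come from the office's allowed IP ranges."""
import ipaddress

# Assumed office ranges (constructed, using reserved documentation prefixes).
OFFICE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.16/28")]

# Constructed sample login events as they might appear in an exported log.
LOGIN_EVENTS = [
    {"user": "maria.lopez", "ip": "203.0.113.45",  "when": "2024-05-02T09:12"},
    {"user": "maria.lopez", "ip": "192.0.2.77",    "when": "2024-05-03T22:40"},
    {"user": "sam.okafor",  "ip": "198.51.100.20", "when": "2024-05-03T10:05"},
]


def is_office_ip(ip, ranges=OFFICE_RANGES):
    """True only if `ip` parses and falls inside one of the allowed ranges.

    A malformed address is treated as outside the office: deny by default.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def logins_outside_office(events, ranges=OFFICE_RANGES):
    """Return the events whose source address is not in the allowed ranges."""
    return [e for e in events if not is_office_ip(e["ip"], ranges)]


if __name__ == "__main__":
    for e in logins_outside_office(LOGIN_EVENTS):
        print(f"{e['when']} {e['user']} logged in from {e['ip']} (outside office ranges)")
```

If this ever prints a line after the restriction is in place, the allowlist is not being enforced as you expect and the vendor or IT supplier should be asked to verify it; before the restriction is in place, it tells you who would be locked out.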
This next set of tasks will take more time. Although you won’t get them all done as quickly as the list above, as you work your way through them, you’ll continue to improve your security posture and become a better guardian of your volunteers’ data.
Review your application form for data you don’t need yet
Start with emergency contact information and then look for anything else that can wait to be collected. Keep in mind that some software platforms give you the ability to have volunteers fill in one form to get started and another once they are partially through the process or have been accepted.
Review data on file for data you no longer need
Hopefully the software you use makes it easy to identify information you no longer need and delete it in bulk, but even if it doesn’t, it’s worth the time.
Ensure that whatever system you are using is a secure one
If you are still using spreadsheets, I recommend reading our publication on Nine Reasons to Ditch Spreadsheets. If you are using some other system, particularly one that is not updated frequently, check that it has kept pace with current protections. For example, does it support 2 factor authentication? Is it easy to delete data no longer needed? Is the company ISO 27001 certified? That certification is the hallmark of industry standards regarding data protection.
Create an incident response plan and policy
A formal incident response plan can help ensure that small infractions are recorded for use in security improvement plans and give everyone the right guidance on what to do, and NOT do, should something more serious happen.
Put some training in place
One option that keeps security top of mind on a regular basis is to subscribe to some ongoing training such as Ninjio. These four-minute videos come out once a month and cover a new topic each month in an entertaining and informative way.