Technology Decision Makers

A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

Can we approve this new cloud service vendor?

  • 1.  Can we approve this new cloud service vendor?

    Posted Aug 15, 2018 10:02
    Hey NTEN decision makers,

    Just wondering if anyone has any good guidelines for approving cloud solutions for their staff.

    Our org is considering offering staff a new benefit to help with student loan repayment (screams of PII to me).  Anyway our legal counsel asked my opinion on the security of the cloud vendor.

    So far I know they are ISO 27001 and SOC 2 certified. Staff who elect to use this service will manage their own accounts and logins. Should I leave it there and say they are safe to approve, or should I dig deeper and ask for their risk assessments, IT policy, how they handle breach notifications, security awareness training for their staff, whether they have an OWASP assessment, etc.?

    That's one example.

    Then we have other examples like Asana.  Great tool for project management.  Our IT Committee has already approved offering it to staff.  Then as I dig deeper into their MSA and ask them if they have any policy on data breach notification they say they have none.

    I know these decisions depend on a lot of factors.  Should I stress over them or just say - as long as access is secure, behind our SSO and 2 factor we have done the best we can - since they are ultimately the data processor and not the controller.

    Perhaps - this is an NTEN conference session.

    But wanted to get your thoughts on these items.

    Carlos
    ------------------------------
    [Carlos] [Velez]
    [Director of Information Systems and Security]
    [Wellspring Philanthropic Fund, Inc.]
    [New York], [NY]
    ------------------------------


  • 2.  RE: Can we approve this new cloud service vendor?

    Posted Aug 16, 2018 11:20
    Hi Carlos,

    We're a completely cloud-based organization. We choose our products based on the value they bring to staff and the organization, ease of use, integration capability with other systems, and cost. I haven't intervened with any service adoption based on security to date, though that's mostly because the majority of data we put through these systems is not sensitive. We do have multi-factor authentication required for email and cloud storage systems where sensitive data is more likely to live. We also use a cloud storage provider that can be configured for HIPAA compliance, though I've not gone down that route.

    It seems like you're more focused on the vendor's data security rather than about the services offered. Is there any particular security threat you're worried about? Or something that caused Legal to be concerned? We are currently working with a vendor for a major platform migration where our lawyers spent weeks renegotiating parts of the contract mostly around responsibility regarding data breaches. Since signing the contract, I've observed two incidents demonstrating a complete lack of security practice knowledge by non-technical staff at the vendor. We addressed both swiftly, but were surprised to see such a lack of regard/knowledge given how much we focused on security.

    In the end, I think it comes down to what is reasonable. If the company's services meet the stated need, and the company has a good reputation and proper credentials - the certifications you mentioned - then I would move forward.

    As an aside Asana is fantastic. Our office PM and myself both wish our org used it. (Everyone's too invested in our current project management platform to switch anytime soon.)  While troubling to learn that Asana doesn't have a policy on data breach notifications, what data will you be storing in a PM tool? If ours was compromised, people would see process checklists and timelines but nothing sensitive.  That wouldn't stop me from choosing it, though I would train staff differently on how they should use it.

    ------------------------------
    Stephanie Henyard
    Information Technology
    Society for College and University Planning
    www.scup.org
    ------------------------------



  • 3.  RE: Can we approve this new cloud service vendor?

    Posted Aug 16, 2018 11:33
    Hey Carlos,

    In terms of the specific decisions facing you regarding the repayment benefit, you can offer your professional opinion to the attorney: the provider passes a preliminary assessment of their security practices, but you haven't done an in-depth analysis.

    The questions as I see them revolve around risk management: whose job is it to assess the risk, and whose job is it to decide to accept the risk? If you're not certain which role you're playing, it's really important to clarify that.

    These are the kinds of decisions we talk about when we talk about data governance. In an organization that governs data effectively, there would be a policy on this subject, a data steward to approach with this question, and a steering committee to assess the issues and guide the organization to wise decisions. We help organizations develop more effective and intentional data governance - let me know if you'd like to speak further about that.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 4.  RE: Can we approve this new cloud service vendor?

    Posted Aug 17, 2018 09:15
    Thank you Isaac and Stephanie.

    I am currently working with a vendor to help me fine tune a cyber risk mitigation strategy I developed for the organization.

    I think adding the data governance policy on cloud application adoption will be a component to this.  The template would need to take into consideration the level of risk we are willing to take depending on the sensitivity of the data being processed, the value the application gives our staff and where the vendor lands on risk ownership.

    Stephanie:  Good to know you are benefiting from Asana and I agree - for the most part I don't see any sensitive data going in the application.  But informing staff about the limits to the risk ownership on the part of the cloud vendor is important.

    Best,
    Carlos

    ------------------------------
    [Carlos] [Velez]
    [Director of Information Systems and Security]
    [Wellspring Philanthropic Fund, Inc.]
    [New York], [NY]
    ------------------------------