
Advice on security reviews

  • 1.  Advice on security reviews

    Posted 13 days ago
    I want to conduct a security review at my organization, but it's not something I've done before and I'm looking for some guidance on where to start.  Ideally I'd like to bring in an expert to lead us through the process and make recommendations.  Some Googling has turned up a lot of different kinds of consultants (risk auditors, vCISOs, etc.) and a lot of terminology (security reviews, risk assessments, risk audits, etc.) that I'm having trouble navigating.

    Does anyone have advice on what kind of consultant to look for?  Where to look?  What kind of service I should be asking for?  Or have you gone through a similar process and would you be willing to talk to me about it?

    A little more about what I'm imagining:
    • Review our current practices around data and computer systems
    • Make a prioritized list of recommendations to move us towards best practices
    • Guidance on implementing those recommendations, and maybe working with us on the actual implementation
    • Help developing policies on data and computer use
    • Help with regulatory compliance around data security and privacy (e.g. in relation to GDPR, HIPAA, etc.)
    • We're a 25-employee nonprofit and I would like a consultant and a review process that are well suited to our size
    Thanks in advance for your thoughts.


    ------------------------------
    Joe Blodgett
    IT Manager
    Family House, Inc.
    San Francisco, CA
    ------------------------------


  • 2.  RE: Advice on security reviews

    Posted 12 days ago
    Joe,

    Below are some free resources I'm happy to share.

    Resource 1) Cybersecurity Assessment Survey - This is totally free, completely self-serve.

    Resource 2) Ten Steps to Cybersecurity Maturity - This is still in draft mode - but you might find it a helpful resource. I also welcome feedback.

    Resource 3) Cybersecurity for Nonprofits - 2.5 hour online course through Udemy - This just came out - I did this in partnership with Whole Whale. You can access it for free with this code: CYBERFRIENDS

    By the way, as for all the different terminology you are running across - I actually discuss that in the course. Here's a clip of that section: Risk Assessment.

    If you wish to discuss working together, Joe, I'm happy to discuss. You can book a call with me at this link.

    Best,

    -JP

    P.S. I know I replied to the entire discussion, and everyone should feel free to help themselves to these free resources. I welcome peer review and feedback, especially on the Ten Steps and on the Udemy course.


    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------



  • 3.  RE: Advice on security reviews

    Posted 12 days ago
    While it is great to think of these items as all part of one big effort, you have described elements that come from different areas of expertise.

    Just to simplify your task a bit, I would recommend separating out the IT security component (system security, encryption, access, authentication, disaster recovery, etc.) from your legal liability and compliance components (privacy policy, GDPR compliance, trademark/service mark, copyright, patents, etc.).

    Have your legal advisers handle the latter, which narrows the scope for your IT review.

    ------------------------------
    Ted Spencer
    Executive Director
    Voters Pledge
    ------------------------------



  • 4.  RE: Advice on security reviews

    Posted 12 days ago

    Information Ecology also has some resources on assessing readiness to undertake security improvement, and best practices in the areas of device security, passwords and authentication, email safety, wireless safety, and G Suite configuration. We work primarily with small orgs so these are all aimed at that audience.

    The whole doc set is at https://ecl.gy/sec-check. They are Creative Commons licensed, so everyone is encouraged to take and use, remix, etc.

    We do a lot of engagements that are scoped how you describe, Joe, and I'd be happy to talk further.

    -LJ

    --
    Lisa Jervis
    Principal
    Information Ecology: Strategic technology for progressive organizations
    https://iecology.org/

    My pronouns are she/her.

    Want to send me encrypted email? My public key is available at https://ecl.gy/lj-gpg.

     


    On 2018-06-06 4:52 pm, Joe Blodgett via NTEN: The Nonprofit Technology Network wrote:

    I want to conduct a security review at my organization, but it's not something I've done before and I'm looking for some guidance on where to...

    Discuss

    Advice on security reviews
    Reply to Group Reply to Sender
    Joe Blodgett
    Jun 6, 2018 7:52 PM
    Joe Blodgett
    I want to conduct a security review at my organization, but it's not something I've done before and I'm looking for some guidance on where to start.  Ideally I'd like to bring in an expert to lead us through the process and make recommendations.  Some Googling has turned up a lot of different kinds of consultants (risk auditors, vCISOs, etc.) and a lot of terminology (security reviews, risk assessments, risk audits, etc.) that I'm having trouble navigating.

    Does anyone have advice on what kind of consultant to look for?  Where to look?  What kind of service I should be asking for?  Or have you gone through a similar process and would you be willing to talk to me about it?

    A little more about what I'm imagining:
    • Review our current practices around data and computer systems
    • Make a prioritized list of recommendations to move us towards best practices
    • Guidance on implementing those recommendations, and maybe working with us on the actual implementation
    • Help developing policies on data and computer use
    • Help with regulatory compliance around data security and privacy (e.g. in relation to GDPR, HIPAA, etc.)
    • We're a 25-employee nonprofit and I would like a consultant and a review process that are well suited to our size
    Thanks in advance for your thoughts.


    ------------------------------
    Joe Blodgett
    IT Manager
    Family House, Inc.
    San Francisco, CA
    ------------------------------
      Reply to Group Online   View Thread   Recommend   Forward   Flag as Inappropriate  



     
    You are subscribed to the Discuss community as lisa@iecology.org. To change your notifications, go to Community Notifications. To unsubscribe this community, go to Unsubscribe.

    NOTE: Do not forward. Links in this message are connected to your account. Clicking links in this message will log you into your account automatically.





  • 5.  RE: Advice on security reviews

    Posted 7 days ago
    Thank you, Joshua, Ted, and Lisa.  These are all great thoughts that are helping me understand our needs a little better.  I'm going to spend some time looking through all these resources and discussing with my coworkers.

    Joe

    ------------------------------
    Joe Blodgett
    IT Manager
    Family House, Inc.
    San Francisco, CA
    ------------------------------