Many not-for-profits are operating in an environment in which there is a tremendous amount of electronic documents, communications, and confidential data sits on computers and networks that are connected to the Internet. Privacy and security threats are also increasing, putting Internet communications and computer data at risk at an alarming rate. At the same time, laws and regulations with significant penalties have been passed or are being passed by states, the Federal government, and industry groups (e.g. PCI DSS) increasing the consequences of data breaches and privacy violations.
Whether you’re an executive director, program manager, or IT manager, this non-technical presentation will help you learn about the threats, requirements, and leading practices related to information security you need to help protect your donors and constituents.
Leading Practices in Information Security & Privacy
1. INTRAPRISETECHKNOWLOGIES LLC
Leading Practices in
Information Security & Privacy
NTEN Nonprofit Technology Conference
Atlanta, Georgia
April 9, 2010
Presented by
Donny C. Shimamoto, CPA.CITP
2. Today’s Agenda
About the Presenter
About the Audience
Information Risks and Losses are Increasing
Information Security Requirements
– ID Theft & Privacy Laws
– Payment Card Industry Data Security Standard
Your Role in Protecting Information
– A SAS 70 is not enough
– Risk Assessment Methodology
– Generally Accepted Privacy Principles (GAPP)
3. How Was this Session?
Call In: Call 404.939.4909, Enter Code 165
Text: Text 165 to 69866
Online: Visit nten.org/ntc-eval, Enter Code 165
Session feedback powered by:
Tell Us and You Could Win a Free 2011 NTC Registration!
4. Donny C. Shimamoto, CPA.CITP
Background & Experience
BBA from University of Hawaii at Manoa
– Accounting
– Management Information Systems
Alumni of PricewaterhouseCoopers LLP
– Strategic Technology Group
– Financial Audit and IT Audit
– Washington Consulting Practice
Founder of IntrapriseTechKnowlogies LLC
– Organizational Development advisor with a focus on
Business Intelligence and Performance Management
– Business Process Improvement with emphasis on internal
controls and technology risk management
– IT Outsourcing for small and middle market organizations
5. Donny C. Shimamoto, CPA.CITP
Involvement, Awards, and Recognition
American Institute of CPAs
– Assurance Services Executive Committee (2009+)
– Co-Chair, Business Intelligence Workgroup (2009+)
– IT Executive Committee (2006-2009)
Association of IT Professionals
– Honolulu : Director (2008), Treasurer (2009), President (2010)
– National: Chair, Governance Task Force (2009+), National
Strategic Planning Committee (2009)
Awards & Recognition
– Top “40 Under 40” Accounting Professionals in the US
2007 & 2009, CPA Technology Advisor Magazine
– Top High Tech Leaders in Hawaii
2004, Pacific Technology Foundation & Technology News Network
6. Audience Poll #1
What part of the organization are you from?
– Executive Director
– Finance
– IT / IS
– Programs / Other Management
– Staff
– Vendors / Consultants
7. Audience Poll #2
What size of the organization are you from?
– Very Large (multiple offices, geographically
dispersed)
– Large (multiple offices, 250+ staff)
– Large (single office, 250+ staff)
– Mid-sized (100 – 250 staff)
– Small (<100 staff)
8. Information Risks and Losses are Increasing
Banking laws leave business customers
vulnerable to Internet fraud
– March 21, 2010 – Los Angeles Times
– 32% of 500 small business owners surveyed had
been victimized; >50% more than once
– Federal law doesn’t protect business customers
Data Theft Creates Notification Nightmare
for BlueCross
– March 1, 2010 – CIO.com
– 57 hard drives stolen, 1M customer support calls
– Which of 3M customers to notify?
9. Information Risks and Losses are Increasing
Wanted: Defense Against Online Bank Fraud
– February 8, 2010 – Wall Street Journal
– Smaller businesses rich target for hackers
because the smaller banks they utilize aren’t as
sophisticated in their protections
Study: Hacking Passwords Easy As 123456
– January 21, 2010 – CIO.com
– 2009 Data Breach Study:
30% had passwords <=6 characters
60% use limited set of alpha-numeric characters
50% use names, slang words, dictionary words or
trivial passwords (consecutive digits, adjacent keys)
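The three weakness categories the study reports (short, limited character set, dictionary or trivial patterns) are straightforward to check for during a password audit. The following is an added example, not material from the presentation or the cited study: a small Python checker that classifies each password into those categories and reports the share of a sample that falls into each. The sample passwords and the stand-in word list are constructed for the example, and "limited character set" is interpreted here as "no uppercase letters and no symbols".

```python
import re
from collections import Counter

# Constructed sample (not the study's data), chosen to exercise each category.
SAMPLE_PASSWORDS = [
    "123456", "password", "qwerty", "abc123", "letmein",
    "michael", "111111", "Tr0ub4dor&3", "correcthorse", "P@ssw0rd!",
]

# Tiny stand-in for a real word/name list; a deployment would load a full dictionary.
DICTIONARY = {"password", "letmein", "welcome", "monkey", "dragon", "michael", "jennifer"}

# Keyboard rows used to spot "adjacent key" passwords such as qwerty or asdfgh.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_consecutive_digits(pw: str) -> bool:
    """All digits, each one step up or down from the previous (e.g. 123456, 654321)."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def is_adjacent_keys(pw: str, min_len: int = 4) -> bool:
    """A run of keys that sit next to each other on one keyboard row, either direction."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def is_repeated_char(pw: str) -> bool:
    """A single character repeated (e.g. 111111)."""
    return len(pw) > 1 and len(set(pw)) == 1


def weaknesses(pw: str) -> set:
    """Map one password to the weakness categories named in the study."""
    found = set()
    if len(pw) <= 6:
        found.add("short")
    # Limited character set: nothing beyond lowercase letters and digits.
    if not re.search(r"[A-Z]", pw) and not re.search(r"[^A-Za-z0-9]", pw):
        found.add("limited_charset")
    if (pw.lower() in DICTIONARY or is_consecutive_digits(pw)
            or is_adjacent_keys(pw) or is_repeated_char(pw)):
        found.add("trivial")
    return found


def summarize(passwords) -> dict:
    """Percentage of passwords in each category (one password may count in several)."""
    counts = Counter()
    for pw in passwords:
        counts.update(weaknesses(pw))
    n = len(passwords)
    return {k: round(100 * counts[k] / n) for k in ("short", "limited_charset", "trivial")}


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:16} {sorted(weaknesses(pw))}")
    print(summarize(SAMPLE_PASSWORDS))
```

Run against a real export of password hashes this would need to be paired with a cracking tool's output, since only recovered plaintexts can be classified; the value of the categories is in telling an IT manager which policy change (minimum length, complexity, a blocklist of common words and keyboard walks) addresses the largest share of weak credentials.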
10. Information Risks and Losses are Increasing
2009 AICPA Top Technology Initiatives
Survey (http://www.aicpa.org/toptech)
1. Information Security Management
2. Privacy Management
3. Secure Data File Storage, Transmission
and Exchange
4. Business Process Improvement,
Workflow, and Process Exception Alerts
5. Mobile and Remote Computing
12. Information Risks and Losses are Increasing
2008 CSI/FBI Computer Crime and Security Survey
– Greatest source of financial loss
Financial Fraud moved to the top in 2007
– Displaced Viruses, which had been top for the last 7 yrs
Financial Fraud stayed at the top in 2008
– Average loss per respondent: $463,100
– Other high loss areas
Bots within the Organization: $345,600
Loss of customer/employee data: $268,000
Loss of proprietary information: $241,000
13. Information Risks and Losses are Increasing
– Losses from mobile device risks: $8,429,150
– Losses from virus: $8,391,800
Source: 2007 CSI/FBI Computer Crime and Security Survey
14. Information Risks and Losses are Increasing
– Losses from outsider: $6,875,000
– Losses from insider: $6,802,000
Source: 2007 CSI/FBI Computer Crime and Security Survey
15. Information Risks and Losses are Increasing
Federal Trade Commission
– ID Theft is the #1 concern of consumers
contacting the FTC
US Dept of Justice Statistics
– ID Theft has overtaken drug trafficking
2006 Gartner Study
– 28 ½ people become new victims every minute
– new victim almost every 2 seconds
Source: Identity Theft Resource Center
16. Information Risks and Losses are Increasing
Common Sources of Data Leaks
– 45% Lost or stolen laptop computers
– 29% Records lost by 3rd party business
partners or outsourcing companies
– 26% Misplaced or stolen backup files
– 10% Malware programs (e.g.
viruses/spyware)
Source: Identity Theft Resource Center
17. Information Risks and Losses are Increasing
Hawaii was 25th in ID Theft instances per Capita in 2005
18. Massachusetts Data Privacy Law
Requirements
– Written Information Security Program (WISP)
Must be appropriate for the size, scope, and type of
business conducted by the entity
Must address administrative, technical, and physical
safeguards
Applies to both consumer and employee information
Applies to all forms of media (paper & electronic) and
the devices that contain them (laptop/phone/ext-HD)
– Designated employee must be assigned to
Evaluate reasonably foreseeable internal and external
risks to personal information being managed
19. Massachusetts Data Privacy Law
Requirements
– Employee training program
– Monitoring of employee compliance
To ensure that the WISP is operating in a manner that
can be reasonably assumed to prevent unauthorized
access to or use of personal information
– Incident management
Identification of potential incidents
Assessment of breach and potential data loss
Documentation of actions taken in response to
breaches
20. Massachusetts Data Privacy Law
Additional Technical Requirements for
Electronically Stored Information (ESI)
– Secure authentication protocols
– Control of user IDs and other identifiers
– Password security
– Restriction of access to personal information to
active users and active user accounts
Limit access to a need-to-know basis
– Must encrypt personal info transmitted over
public networks
– Must encrypt personal info at rest on portable
devices
21. Massachusetts Data Privacy Law
I’m not in Massachusetts, why should I care?
State Privacy Laws protect the information
of the residents of that state
– If you have information about a state’s resident,
you are often then subject to the state’s privacy
law and compliance with the law
The European Union and State of California
also have very stringent privacy laws
23. Hawaii’s ID Theft Laws
Internal costs
– $197 per compromised record
2007 estimate by Ponemon Institute (per Journal of
Accountancy, January 2009)
State penalties
– Up to $2,500 for EACH violation/record
Additional costs
– Liability to injured parties for actual
damages sustained
24. Payment Card Industry Data Security Standard
Payment Card Industry Data Security
Standard (PCI DSS)
– Best practice security standards for protecting
cardholder data
– Compliance REQUIRED for
“Merchants” = Companies who accept credit/debit
card information (cardholder data)
“Service providers” = Companies that provide services
to merchants and have access to cardholder data
http://www.PCISecurityStandards.org
25. Payment Card Industry Data Security Standard
Penalties for Non-compliance
– Potential fines of up to $500,000 (in the discretion of Visa,
MasterCard, Discover Network or other card companies).
– All fraud losses incurred from the use of the compromised
account numbers from the date of compromise forward.
– Cost of re-issuing cards associated with the compromise.
– Cost of any additional fraud prevention/detection activities
required by the card associations (i.e. a forensic audit) or
costs incurred by credit card issuers associated with the
compromise (i.e. additional monitoring of system for
fraudulent activity).
From: Wells Fargo Merchant Services
https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25
26. Payment Card Industry Data Security Standard
6 Principles + 12 Requirements
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
http://www.PCISecurityStandards.org
28. Payment Card Industry Data Security Standard
Compliance Requirements
– Level 1 = must have onsite audit performed by a
QSA or internal auditor
– Level 2-4 = must complete Self-Assessment
Questionnaire (SAQ)
SAQ Type 1 = card not present
SAQ Type 2 = Imprint-only
SAQ Type 3 = Stand-alone merchant terminals
SAQ Type 4 = POS connected to Internet
SAQ Type 5 = All others
29. Payment Card Industry Data Security Standard
Sample SAQ Type 3 questions: (Req 9)
– Are all paper and electronic media that contain
cardholder data physically secure?
– Is strict control maintained over the internal or
external distribution of any kind of media that
contains cardholder data?
Is the media identified so that it can be identified as
confidential?
Is the media sent by secured courier or other delivery
method that can be accurately tracked?
– Is strict control maintained over the storage
and accessibility of media that contains
cardholder data?
30. Payment Card Industry Data Security Standard
Sample SAQ Type 3 questions: (Req 12)
– Is a security policy established, published,
maintained and disseminated?
Is it reviewed at least once a year and updated when
the environment changes?
– Is a formal security awareness program in
place to make all employees aware of the
importance of cardholder data security?
These are all basically control points/objectives
and should be “easy” for a CPA to answer.
31. Your Role in Protecting Information
NPOs must protect personal information
– Donors
– Clients/customers
– Employees
NPOs must be sure that service providers
are protecting personal information too
– Capital campaigns / Fundraising
– Donor management
– Financial data processing
A breach on the part of the service provider
is a breach of the NPO
32. Your Role in Protecting Information
A Common Myth: I use a SAS 70 certified vendor, I
don’t need to worry.
Wrong!!
SAS 70 only covers the internal controls and
operations of a service provider as it relates to
accounting processes and financial reporting
It does not cover operations related to non-accounting/non-financial statement data
It does not include any coverage of confidentiality
or privacy controls
33. Your Role in Protecting Information
Instead of a SAS 70 you need to request a
– Trust Services report that specifically covers a
review of confidentiality and privacy
This is available from CPA firms that have IT
audit specialists
– Previously this was a very specialized area
– Education is being conducted to increase the
number of CPAs trained to provide this service
So what do I do until I can get this report?
34. Risk Assessment Methodology
Inventory places in your organization with
Personally Identifying Information (PII)
– Electronic Files/Databases AND Physical Files
Identify the safeguards in place
Identify applicable security requirements
Determine compliance gap
Assess risk of non-compliance
Develop risk remediation plan
– Work with IT to identify and evaluate options
35. Generally Accepted Privacy Principles
Provides criteria and related material for
protecting the privacy of personal
information
Incorporates concepts from significant
domestic and international privacy laws,
regulations, and guidelines
Used to guide and assist organizations in
implementing privacy programs
http://www.aicpa.org/privacy
36. Generally Accepted Privacy Principles
1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use & Retention
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement
http://www.aicpa.org/privacy
37. You Must Be Proactive for Privacy!
Identify and understand the Privacy
Requirements that you are subject to
Conduct a Privacy Risk Assessment
Determine the acceptable level of risk for
your organization
Develop an enterprise privacy policy
Enact an enterprise privacy program
Get your privacy program evaluated by a
qualified CPA and get a Trust Services
report – use this to your advantage!
38. INTRAPRISETECHKNOWLOGIES LLC
Thank you for your
attention and participation!
Feedback and questions are welcome
Donny C. Shimamoto, CPA.CITP
donny@myitk.com
(808) 735-8324
Any Questions or Comments?