Every epic tale has heroes and villains. Some end with a definitive victory of good over evil, others leave room for a sequel through an ambiguous ending. The saga of data security is the latter. There is no tidy end to a strong data security program--it is an ongoing effort, and each day is a sequel.
At Foundant, this daily crusade is at the center of our work. We apply industry-leading practices across the organization to keep client information safe, and our team looks for ways to support our clients in their efforts to do the same. All of these are part of the comprehensive third-party review required for Service Organization Controls 2 (SOC 2 Type 2) Certification.
How does Foundant help protect client data?
- SOC 2 Type 2 certification: achieving and maintaining current certification entails a thorough third-party review of security. Internal controls around safeguarding customer data and determining the effectiveness of those controls are core components of the annual certification process.
- Secure and encrypted data: Foundant software is a fully cloud-based solution hosted by Amazon Web Services (AWS). AWS uses the highest standards for data security. Data in the AWS network is encrypted and hosted at secure data centers. Foundant adheres to all facets of the “shared responsibility model” outlined by AWS and all of the data processing partners we engage with.
- Limited access: Foundant practices “least necessary access” protocols for employee access to sensitive areas. This entails strict access and usage guidelines, including monitoring activity and having a second person provide a dual control where needed.
- Training: All employees, regardless of position, are trained and tested in data and internet security protocols.
- Physical security: Access to Foundant office locations is restricted.
- No storage of payment information: Donor payments are processed by a PCI compliant third-party. Confidential payment data is not processed or saved on Foundant systems.
How can you help protect your organization’s data?
- Understand your current practices. Most organizations have written Policies and Procedures around data security, but it can be easy for daily practices to drift. Conduct your own mini-SOC analysis annually to ensure your organization is still on track. It may be helpful to think in terms of the standard SOC framework of security, confidentiality, processing integrity, availability, and privacy to guide your review. Even if every area is not handled in-house at your organization, like processing and availability, it is important to understand how your vendors support those areas.
- Identify gaps. Start by confirming that you have outlined a security strategy, timelines, frequency of review, and accountabilities. This will help you identify the gaps in your organization. Missing or dated information may be related to ownership of the security function, general staff knowledge, or technology needs.
Next, take a current inventory of sensitive information, how it is collected and by whom, where it is kept, who has access, and how access is controlled. This is also a good time to double check that you’re staying up to date on software, firewall, anti-virus and anti-malware updates.
- Engage your staff. The role of employees in keeping data secure has always been critical. Today’s hybrid work environment makes this both more challenging and more important. Be sure to include home networks and physical security of laptops and other devices in your review. Provide employees working from home a VPN connection to create a secure encrypted tunnel back to your office. Other important employee-related questions include:
- Do all staff understand the importance of keeping their home networks secure and protecting computers from theft when working off-site? Encourage employees to change default passwords on wireless routers and set up guest networks to keep visitors’ devices separate from work equipment. They should understand the importance of not transferring data off company equipment to personal computers or storage devices.
- If you have added any people since your last review, are duties still segregated appropriately? If anyone has left, have their profiles and permissions been removed accordingly?
- Last but not least, does everyone in your organization know how to create strong passwords? Current best practice is that passwords should be longer than 12-15 characters and should be passphrases vs passwords.
- Train, then train more. Have an ongoing training plan to keep knowledge fresh and help employees stay abreast of common threats. For example, 94% of malware is delivered by email (CSO Online). Do your employees know how to spot a malicious content in an innocuous looking email? They should understand how to hover over links to see if they are hyperlinked to a true website, and know to not open attachments unless they are expected from a known sender. Bad links can be disguised in an emailed invoice or other legitimate business purpose.
Remember, true heroes seldom work alone. The ongoing quest to keep data safe and secure requires partnership between champions all along the way. Through the powerful teamwork of both Foundant and our clients, the bad actors won’t stand a chance.