As nonprofits continue to embrace and expand their use of the cloud, they often grapple with security concerns when it comes to constituent data.
From credit card and social security numbers, to healthcare and even simple name and address information, nonprofits frequently deal with truly sensitive data. Keeping your constituent data secure and private involves not only protection from outside (hackers, power outages, etc.) but also from inside (those in your organization can see which constituent information). The concern about constituent and fundraising data is reinforced, in many cases, by regulations and standards—like HIPAA, PCI DSS, ISO 27001, EFTA—stipulating how organizations handle specific personal and financial data.
This concern around security in the cloud is natural, but not necessarily accurate. In reality, cloud-computing companies are subject to far stricter security policies than the typical nonprofit. As well, regardless of the security measures, staff behavior is often the greatest area of vulnerability through factors like weak passwords, social engineering and more.
Ensuring constituent data is safe in the cloud does involve care, however, and it’s a two-way street, involving both your nonprofit and your cloud-services company. To help keep constituent data safe in the cloud, your organization should:
• Identify where data lives. Do you maintain data about donors, volunteers and other constituents in more than one database—or in a spreadsheet? Or is all your constituent data in one core database? You must know where the data is before you or any company can secure it.
• Define which data is sensitive, proprietary or regulated, and needs to be secure. Data is usually classified in terms of either its need for protection (sensitive data) or its need for availability (critical data).
• Employ effective data governance, a recognized system to handle your nonprofit’s data. For many nonprofits, a key data governance issue is figuring out which staff, departments and/or locations can access certain (or any) constituent information. It can also include detailing how and when you collect data, managing data and privacy policies, among others.
Your cloud-services company should:
• Help with data governance. Once you set the rules that govern your data, your cloud provider should be able to help you meet those requirements. You might, for instance, be able to set access rules that allow national headquarters development staff to see all donor information but chapter staff to see only information on their regional donors.
• Have well-established guidelines for disaster recovery. Cloud application and service providers should maintain a second, fully functional location for client data. Customers may also choose to have fully mirrored databases at a second location that are synched with the database they use daily. If, say, a natural disaster affects the main database location, they can point their browsers to the replicated databases and get back to work almost immediately.
• Back up constituent data on a regular basis. Cloud providers should back up client data on a regular basis to disk (and tape) and take an additional step of mirroring the data over a communications link to the second location.
• Meet appropriate regulations and standards. Encryption to testing, password maintenance to malware detection—the company that handles your constituent data needs to comply with and even go beyond the rules and recommendations from regulators and standards associations. For instance, cloud companies that handle credit card transactions should be complaint with and receive certification from the PCI (Payment Card Industry) Security Standards Council.
These are just a few of the considerations your organization will deal with when you move constituent data to the cloud. With the right cloud-services provider, however, addressing those considerations will be considerably easier.
