Academic journal article International Management Review

Developing an Information Security Awareness Program for a Non-Profit Organization

Article excerpt

[Abstract]

The Federal Bureau of Investigation (FBI) and the Privacy Rights Clearinghouse, a consumer information and advocacy group, state that non-profit organizations, colleges, and universities are most susceptible to security incidents that lead to identity theft. Although non-profit organizations face the same information security threats as any other organization, most do not have the resources available to most businesses. Implementing a security awareness program is an essential piece of the overall information security infrastructure. This paper identifies the potential information security risks faced by non-profit organizations and provides recommendations to implement an information security awareness program.

[Keywords] Security awareness; information security; non-profit organizations; security risk

Introduction

Connectivity and an Internet presence are vital for any organization to remain competitive in today's ever-changing business environment. This is also true for a non-profit organization that could use information technology to disseminate information, raise funds, and manage resources. Although non-profit organizations face the same information security threats as any other organization, most do not have the same resources available to for-profit companies (Petel, 2004).

For a non-profit organization, raising funds is a major factor for success. Most non-profits mainly focus their strategies on fundraising and operations rather than on information security technology and data protection. Furthermore, non-profit organizations are not required to follow Federal regulations, such as the Public Company Accounting Reform and Investor Protection Act of 2002 (SOX). Only recently have states like Massachusetts and Nevada passed laws that require encryption of personal information during electronic transmission (Donohue, 2008).

The Federal Bureau of Investigation (FBI) and the Privacy Rights Clearinghouse, a consumer information and advocacy group, state that non-profit organizations, colleges, and universities are most susceptible to security incidents that lead to identity theft (Nobles, 2008). Just like any organization, non-profits have a strong Web presence and conduct almost all of their activities electronically. Donor records (personal information, addresses and phone numbers) and organizational data are stored on networked data servers (Hrywna, 2007).

Some non-profits involved in health care store and process confidential patient information, such as names, addresses, medical history, and family information. Some of this medical information is communicated through unsecured e-mail. When credit card donations are accepted online, donor credit card details are also stored and processed electronically (Donohue, 2008).

According to Privacy Rights Clearinghouse, a total of 155,048,651 records containing confidential personal information were stolen from various websites from January 2005 to June 2007 (Hrywna, 2007). If a non-profit organization stores donor and credit card information in an encrypted Microsoft Word or Excel file, the information is safe only if the encryption key is held securely. An employee error or failure to protect the encryption key could expose such confidential information (Donohue, 2008).

In the past, colleges used Social Security numbers to identify their students. Most colleges now use a student identification number to mitigate the threat of identity theft. However, a change in data collection practices does not eliminate the risk of identity theft. Due to human error, the Social Security numbers of 90,000 faculty, staff, and other employees of Stony Brook University on Long Island were inadvertently published on a public web server (Hrywna, 2007).

A non-profit organization may also face information security threats due to a security breach at a vendor or service provider. In November 2007, Convio, a software provider for non-profit institutions, reported a security breach in its "Get Active" software systems. …
