Many nonprofits keep confidential information on their computers, including sensitive data and items that cannot be lost. Membership or donor information, accounting data, and other confidential information should be safeguarded against prying eyes.
A typical control here is to have a disaster preparedness plan, which includes a recovery strategy for the nonprofit’s functions. But that’s not enough. Organizations should consider the following issues with software, hardware, and the cloud.
Risks when dealing with software include unauthorized entry, loss of data, and confidentiality issues. Some internal control mechanisms to minimize these risks are:
- Use anti-virus and firewall programs to prevent malware from infiltrating the system.
- Do daily backups of all systems and keep the backup files off the premises.
- Require IDs and passwords on all systems.
- Acquire programs to identify and stop unauthorized entry using the Internet and other means.
- Require authorization from information systems for program purchases to be sure the program is indeed needed and is compatible with existing software.
- Once employees leave the organization, they should not have access to the nonprofit’s systems.
- Include security to prevent information systems personnel from accessing passwords or confidential information.
- Create policies and procedures about computer usage and safety.
The risks with hardware involve theft, maintenance, and obsolescence of the machines. Below are some controls to minimize these risks:
- Place all equipment, including servers and printers, in a safe location.
- Label all equipment with numbers and create a list of all equipment using the number and description.
- Maintain this list, performing physical audits to identify missing, lost, or damaged equipment.
- Centralize maintenance services and schedule them regularly.
- IT management should approve purchases, retirement or sales of hardware.
- Dispositions of old computers must be done carefully since they contain confidential information that may be recovered unless the nonprofit takes certain
- Dispositions of old computers and peripherals must comply with laws to avoid poisoning the environment and possible fines.
Using the Cloud
Many nonprofits have been using accounting and other programs “in the cloud.” This means that organizations’ management and staff access these computerized programs through the Internet, making the software very convenient since employees can access the system anywhere as long as they have proper online connections, login IDs, and passwords.
- Organizations using old, unreliable equipment may benefit from the cloud since the data is not saved locally. If the server or individual computers stop working, the information is not lost and is still available.
However, there are risks associated with the cloud system. For example, the program may be unavailable online for long periods. So, before selecting a cloud system, check its reliability through Internet searches and word-of-mouth.
Once the organization decides to go online, management must trust the Internet provider to provide adequate security for the data, which may include donor information. Not surprisingly, data security of cloud systems is a major concern for both for-profit and nonprofit users.
Another issue with the cloud is the data transfer. If a nonprofit employs the cloud and then moves to another system, the existing data will need to be downloaded and transferred to another program. The cloud provider should allow for such transfers and help the organization in this matter, but some charge fees, so inquiries about this matter are beneficial to avoid surprises later.