  • By Team Cyber Ops

Enhancing Non-Profit Data Protection: Insights from IT Assessments and Data Inventory Management

In today's digital age, ensuring robust data protection measures is crucial for organizations of all sizes, including nonprofit entities. As data breaches become increasingly common, nonprofits must prioritize safeguarding sensitive information to maintain trust and credibility with stakeholders. One effective approach to enhancing data protection is through tailored IT assessments, which provide valuable insights into potential vulnerabilities and opportunities for improvement. Before getting into the topic, let's define two words up front. The first is confidentiality or, better yet, data confidentiality. 

 

The University of Delaware website says: 

Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft. 

 

The second definition is data integrity. 

Data integrity is about protecting data against improper maintenance, modification, or alteration. It includes data authenticity.

 

Now, preserving the confidentiality and integrity of data is very important, not only for large corporations but also for small to medium-sized businesses (SMBs), especially SMB non-profit organizations. I say that because even with limited budgets, limited IT, and limited resources, non-profits still have the responsibility of guarding their sensitive donor information and other vital data. Those limitations make safeguarding this information a challenge. Many countries have implemented data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States. These laws apply to organizations regardless of their size, mandating them to protect the confidentiality and integrity of data they handle. To address these challenges, SMBs, including non-profits, can leverage resources provided by organizations specializing in affordable cybersecurity defense. For instance, exploring the services offered by the organizations mentioned in our blog post '7 Key Organizations for Affordable Cybersecurity Defense' can be invaluable for enhancing data protection measures within these organizations.

As mentioned earlier, a good way to strengthen data protection is through IT assessments customized to meet the specific needs and challenges of an organization. By looking specifically at data assessment (our topic of discussion) during these IT assessments, we can review several data-related tasks. For example, we can review the current state of data protection measures within the organization. This sounds straightforward, but that one topic involves conducting comprehensive reviews of data storage systems, access controls, encryption protocols, backup and recovery procedures, and overall data governance practices. Through tailored assessments, organizations can begin to identify potential risks such as data breaches, unauthorized access, data loss, and regulatory non-compliance. During an assessment, an organization can analyze key components that support its data life cycle, such as data management practices, data backups, data security measures, data governance policies, and compliance with data protection regulations. Let's dive into some key observations we have found during IT assessments and how these observations can help non-profit organizations develop effective data protection strategies.

Where is the Beef?

The phrase "Where's the beef?" has become synonymous with the quest for substance and significance. Just as meat and potatoes form the backbone of a hearty meal (for some), data serves as the foundation of any successful organization. Before implementing data protection measures, organizations must have a comprehensive understanding of their data assets.

This understanding begins with a thorough search to identify all types of data present in the environment. Depending on the organization and its compliance requirements, maintaining a data inventory is essential to assessing potential risks effectively. For instance, HIPAA mandates a rigorous risk analysis:           

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. 

It will be hard to determine the risk to this data without gathering all the information you can about the organization's data. However, merely listing the various data types and locations is insufficient. This exercise will give you a framework which can be used to focus on finding data where it exists within a given environment and acquiring any and all information we can about the data.

On Your Mark, Get Set...GO!

I will not lie to you. Depending on the size of your organization, gathering all this information about the data assets within your organization can be a daunting task. Yes, there are automated tools that can help you find data assets within your organization. These tools are usually available via data cataloging software. This article assumes these tools are not available to you.

At Cyber Op Source, if we are doing a data inventory, we use the Data Audit Framework (DAF) methodology. The DAF methodology was developed by Sarah Jones, Seamus Ross, and Raivo Ruusalepp. They were affiliated with the Digital Curation Centre and the Humanities Advanced Technology & Information Institute (HATII) at the University of Glasgow, as well as the Estonian Business Archives. The framework was later renamed the Data Asset Framework. You can find references to the original paper and website linked in this blog.

As much as we like this framework, we are going to place our own spin on it. To create a data inventory, we are going to use the Enhanced Data Asset Management (EDAM) process, a proprietary method developed in-house. Ninety percent of what we do in EDAM is based on the DAF methodology, so don’t worry. The issue with the DAF methodology is that it is designed specifically for creating inventories of research datasets tailored to Higher Education Institutions. Given the wide range of organizations we work with, we require something broader.

Just like the DAF methodology, EDAM has the same four stages, but with finer detail:

Stage 1 - Planning and Preparation:

Clearly define the objectives and scope of the data inventory project, including the types of data assets to be inventoried and the intended outcomes.

 

Stage 2 - Data Asset Identification and Classification:

Develop a systematic approach to identifying and cataloging all data assets within the organization, including databases, files, documents, and other repositories.

 

Stage 3 - Data Assessment and Analysis:

Data Quality Assessment: Evaluate the quality, completeness, accuracy, and reliability of data assets to assess their fitness for specific purposes.

Risk Assessment: Identify potential risks associated with data assets, including security risks, compliance risks, and data governance issues.

Workflow Analysis: Analyze data workflows and processes to understand how data is collected, stored, processed, and used within the organization.

 

Stage 4 - Recommendations and Action Plan:

Gap Analysis: Identify gaps and areas for improvement in data management practices based on the findings from the data inventory and assessment.

Recommendations: Develop actionable recommendations for enhancing data management, governance, and quality assurance processes.

Implementation Plan: Create a phased implementation plan with clear timelines, responsibilities, and milestones for implementing the recommended changes.

Monitoring and Review: Establish mechanisms for monitoring progress, tracking performance metrics, and conducting regular reviews to ensure the effectiveness of data inventory efforts over time.

 

Deep Dive

Stage 1, Planning and Preparation, is one of the most important steps in this entire process. At this stage, we are creating a blueprint of what is to take place throughout the entirety of the project. By laying the groundwork during the Planning and Preparation stage, organizations set the stage for a successful project. With clear objectives, engaged stakeholders, allocated resources, and informed research, you will be ready to navigate the twists and turns of the data inventory project ahead.

 

Here's how it unfolds:

 

Define Objectives:

Before getting started, it is important to define the overall objective and scope of your data inventory project. Why are you undertaking this task, and what specific goals do you hope to achieve? Establishing clear objectives helps align the data inventory project with the broader project goals and overall organizational goals. It also ensures that every aspect of the project (from data collection to analysis) serves a specific purpose. Are you aiming to streamline data governance, improve overall data security, or perhaps ensure compliance with data regulations? For instance, a nonprofit organization might set out to enhance donor management practices by centralizing donor information and optimizing fundraising strategies. These are some of the things we need to think of before we begin. In addition, the scope allows us to determine the personnel, tools, budget, and time required to execute the project successfully. 

 

Now that you have this information, you are ready for the next step.

Stakeholder Engagement:

Every successful project thrives on collaboration, and your data inventory initiative is no exception. Identify key stakeholders across departments - IT, legal, finance, operations, and more. Engage them early on to gather insights, align priorities, and secure their commitment. Consider the case of a healthcare organization starting a data inventory journey. They would want to include clinicians, administrators, and IT specialists to ensure that the project captures diverse perspectives and addresses critical data needs, such as safeguarding patient confidentiality and complying with healthcare regulations.

 

Resource Allocation:

With objectives in sight and stakeholders on board, it's time to assemble your toolkit. Allocate resources - be it skilled personnel, cutting-edge technology, or budgetary provisions - to fuel your data inventory efforts. If you need help finding inventory software, here is a great place to start: https://www.techtarget.com/searchdatamanagement/feature/16-top-data-catalog-software-tools-to-consider-using

 

Preliminary Research:

Before taking the plunge, conduct thorough reconnaissance of your organization's data environment. Look at existing data management practices, get any existing documentation, and familiarize yourself with regulatory requirements. Uncover potential roadblocks, identify data sources, and assess the readiness of your organization for the data inventory journey. Imagine a non-profit getting ready to organize all its different data assets, like donor details, program results, and volunteer info. At first, they find out that their data is all over the place, stored in different locations and managed by different teams. Doing a preliminary search allows you to consider solutions for such a situation.

The Inventory

 In Stage 2, the inventory process allows us to create a detailed list of all data assets owned and managed by the organization. This can include donor information, financial records, program data, employee records, and any other data sources relevant to the organization's operations. Additionally, it's crucial to determine the reasons why the organization collects and retains specific data. Understanding the purposes, such as donor management, fundraising, compliance reporting, or operational analytics, helps align data protection efforts with organizational goals. 

To begin, you can create a spreadsheet if you haven't already found a software solution. Here is a list of columns that you can include in a spreadsheet:

  • Data Asset Name: Provide a unique identifier or name for each data asset so you can easily distinguish it from others in the inventory. 
  • Description: Include a brief description of the data asset, specifying its content, purpose, and relevance to the organization. 
  • Location: Document the physical or digital location of the data asset, such as the storage server, cloud storage provider, file cabinet, desktop, laptop, or specific department where the data is stored.
  • Sensitivity Level: Classify the data asset based on its sensitivity level; for example, you can categorize it as public, internal, confidential, or restricted. This classification helps determine the level of protection and access controls required. Here is an example of a classification that could be used:
    • Public Data:
      • Definition: Public data refers to information that is intended for unrestricted access and can be freely shared with the public. 
      • Examples: Public data may include general company information, marketing materials, press releases, public-facing website content, and non-sensitive research findings. 
    • Internal Data: 
      • Definition: Internal data is information that is meant for internal use within an organization and is not intended for public disclosure. 
      • Examples: Internal data includes employee records, internal communications, non-sensitive financial reports, and operational procedures. While not publicly accessible, internal data is accessible to authorized employees within the organization. 
    • Confidential Data: 
      • Definition: Confidential data is sensitive information that requires protection due to its potential impact if exposed or accessed by unauthorized individuals. 
      • Examples: Confidential data includes personally identifiable information (PII) such as social security numbers, financial records, health records, proprietary business information, trade secrets, and intellectual property. Access to confidential data is restricted to authorized personnel with a legitimate need-to-know. 
    • Restricted Data: 
      • Definition: Restricted data is highly sensitive information that requires the highest level of protection due to legal, regulatory, or contractual obligations. 
      • Examples: Restricted data may include classified government information, sensitive customer data (e.g., credit card information, health records), legal documents, confidential contracts, and data subject to privacy regulations (e.g., GDPR, HIPAA). Access to restricted data is limited to a select group of individuals with explicit authorization and strong security measures in place. 
  • Purpose of Data Collection: Describe why the organization collects and retains the data asset, including its intended use, analysis, reporting, or compliance requirements. 
  • Access Permissions: Specify who has access to the data asset and what permissions they have, such as read-only, edit, or delete. 
  • Retention Period: Document how long the data asset should be retained based on legal requirements, business needs, data sensitivity, and regulatory compliance. 
  • Disposal Policy: Include procedures for securely disposing of the data asset when it is no longer needed or relevant. Specify how data should be deleted or destroyed to prevent unauthorized access or data breaches. 
  • Metadata and Classification: Record any additional metadata or classification information relevant to the data asset, such as tags, labels, or metadata attributes used for search, organization, and categorization purposes. 
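Once the spreadsheet exists, a short script can check it for gaps. The following is an added example, not part of the EDAM process or any tool the article names: it reads an inventory exported as CSV with the columns above and lists the gaps, most sensitive assets first. The `principal:right; principal:right` layout of the Access Permissions cell, the list of broad group names, and the sample rows are assumptions made for the illustration.

```python
import csv
import io

# Columns taken from the spreadsheet list above (metadata/tags are optional).
REQUIRED_COLUMNS = [
    "Data Asset Name", "Description", "Location", "Sensitivity Level",
    "Purpose of Data Collection", "Access Permissions",
    "Retention Period", "Disposal Policy",
]
# The four tiers described above, from least to most sensitive.
SENSITIVITY_ORDER = ["public", "internal", "confidential", "restricted"]
UNCLASSIFIED = len(SENSITIVITY_ORDER)  # blank or unknown level: review first
# Assumption: group names that mean "the whole organization or wider".
BROAD_PRINCIPALS = {"everyone", "all staff", "all users"}

# Constructed sample inventory, not real data.
SAMPLE_CSV = """\
Data Asset Name,Description,Location,Sensitivity Level,Purpose of Data Collection,Access Permissions,Retention Period,Disposal Policy
Donor CRM export,Donor names and gift history,Shared drive /fundraising,Confidential,Donor management,All staff:edit; Development:edit,7 years,
Volunteer roster,Volunteer contact details,Cloud storage,Internal,Program operations,Programs:edit,2 years,Delete from cloud storage
Annual report,Published annual report,Public website,Public,Fundraising,Everyone:read-only,Permanent,Not applicable
Payroll records,Employee pay and tax data,Finance laptop,Secret,Compliance reporting,Finance:edit,7 years,Shred and wipe
Donor CRM export,Older copy of donor export,Development laptop,Confidential,Donor management,Development:read-only,,Wipe laptop
"""


def load_inventory(csv_text):
    """Parse the CSV and fail early if an expected column is absent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"inventory is missing columns: {missing}")
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def sensitivity_rank(level):
    """Position in the four-tier scale; anything else ranks above 'restricted'."""
    level = level.lower()
    if level in SENSITIVITY_ORDER:
        return SENSITIVITY_ORDER.index(level)
    return UNCLASSIFIED


def broad_principals(access_field):
    """Return principals in the permissions cell that are organization-wide."""
    found = []
    for entry in access_field.split(";"):
        principal = entry.split(":", 1)[0].strip()
        if principal.lower() in BROAD_PRINCIPALS:
            found.append(principal)
    return found


def audit_inventory(csv_text):
    """Return (asset name, finding) pairs, most sensitive assets first."""
    findings = []
    seen_names = set()
    for line_no, row in enumerate(load_inventory(csv_text), start=2):
        name = row["Data Asset Name"] or f"(unnamed, line {line_no})"
        level = row["Sensitivity Level"]
        rank = sensitivity_rank(level)
        issues = [f"missing {c}" for c in REQUIRED_COLUMNS if not row[c]]
        if level and rank == UNCLASSIFIED:
            issues.append(f"unknown sensitivity level '{level}'")
        if name.lower() in seen_names:
            issues.append("duplicate asset name")  # names must be unique
        seen_names.add(name.lower())
        # Confidential, restricted and unclassified assets should not be
        # open to organization-wide groups.
        if rank >= SENSITIVITY_ORDER.index("confidential"):
            for principal in broad_principals(row["Access Permissions"]):
                issues.append(f"broad access for '{principal}'")
        findings += [(rank, line_no, name, issue) for issue in issues]
    findings.sort(key=lambda f: (-f[0], f[1]))
    return [(name, issue) for _, _, name, issue in findings]


if __name__ == "__main__":
    for asset, issue in audit_inventory(SAMPLE_CSV):
        print(f"{asset}: {issue}")
```

Rows with a blank or unrecognized sensitivity level are treated as the most sensitive until someone classifies them, so they surface at the top of the report.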

 

By incorporating an understanding of things such as data purpose, access control, sensitive data fields, and responsible data management into the data inventory process, organizations can build a robust foundation for effective data protection strategies. This approach enhances data governance practices, mitigates risks associated with data handling, and fosters a culture of responsible data stewardship within the organization.

Data Assessment

Stage 3 - Data Assessment and Analysis: Well done on wrapping up the essential task of organizing your organization's data inventory. With all your data assets accounted for, it's time to gear up for the assessment phase. Here, you'll roll up your sleeves and get into the nitty-gritty of evaluating your data's quality, security, and integrity, setting the stage for robust data protection strategies.

Data Quality Assessment:

It is very important that, as part of this process, you try to evaluate the quality, completeness, accuracy, and reliability of your data assets. Depending on the members of your team and the level of access to data assets, it might be hard to gather this information. At this point, you should define criteria for assessing data quality, considering factors like accuracy, completeness, consistency, timeliness, and relevance. If areas of poor data quality are identified, steps should be taken to document how to clean and correct the data, for example by removing duplicates, standardizing formats, and filling in missing information. In addition, validation of data accuracy and consistency can be achieved by comparing data against external sources or known benchmarks.

Risk Assessment:

At this stage, we must identify security risks, compliance pitfalls, and governance gaps that may exist. Conducting a data risk assessment is crucial for organizations to identify and mitigate potential threats to their data assets. We started by identifying all the data your organization collects, processes, and stores. Next, you should assess the potential risks to this data, considering factors such as unauthorized access, data breaches, and data loss. Then evaluate the likelihood of these risks occurring and the potential impact they could have on your organization, including financial losses, reputational damage, and legal liabilities. Once you've identified the risks, prioritize them based on their severity and develop strategies to mitigate or eliminate them. These strategies may involve implementing data encryption, access controls, and data backup procedures, as well as providing employee training on data security best practices. By proactively identifying and addressing data risks, you can strengthen your organization's data security posture and minimize the likelihood of data breaches and other security incidents.

Workflow Analysis:

In tandem with assessing data quality and identifying risks, conducting a thorough analysis of data workflows is pivotal for optimizing organizational processes. Workflow analysis involves mapping out the sequence of steps involved in data handling, from collection to storage and utilization. By visualizing these workflows, organizations gain insights into the efficiency and effectiveness of their data management practices. This process illuminates bottlenecks, redundancies, and inefficiencies that may impede smooth data operations.

 

To conduct a workflow analysis, begin by identifying key data workflows within the organization's operations. This includes processes such as data entry, validation, processing, storage, retrieval, and dissemination. Document each step in these workflows, along with the individuals or departments responsible for executing them. Assemble a cross-functional team comprising representatives from various departments to ensure comprehensive coverage and diverse perspectives.

Once the workflows are mapped out, analyze each step to identify areas for improvement. Look for opportunities to streamline processes, eliminate redundant tasks, and automate manual interventions where possible. Consider the integration of technology solutions, such as workflow management software or data integration platforms, to optimize data flows and enhance productivity.

Recommendations 

Stage 4 - Recommendations and Action Plan: In this final phase of our data inventory journey, our goal is clear: translate our findings into actionable steps to strengthen our data practices.

Gap Analysis: 

Our first step is to carefully assess where we currently stand. Imagine a company reviewing its data management practices, identifying weaknesses and areas for improvement. By comparing our practices with industry standards, we can pinpoint vulnerabilities, fix compliance issues, and better protect our data. In fact, learn how SMBs can improve data defenses with these 9 strategies.

Recommendations: 

With our assessment complete, it's time to make practical suggestions. For instance, a healthcare organization might decide to encrypt patient records and regularly audit their systems to ensure compliance. These steps help safeguard sensitive data and build trust with stakeholders. Additionally, it's important to foster a culture of accountability rather than blaming when addressing data management issues. This approach encourages teamwork and collaboration, leading to more effective solutions and a stronger data protection framework.

Implementation Plan: 

Once we know what needs to change, we create a plan to make it happen. This could involve breaking tasks into smaller steps, assigning responsibilities, and setting deadlines. By taking a structured approach, we ensure progress towards our data management goals.

Monitoring and Review: 

Lastly, we establish systems to keep an eye on our progress. Regular check-ins and audits help us stay on track and adapt to any new challenges that arise. This ongoing monitoring ensures that our data practices remain effective and compliant over time.

That is it! Again, our process closely mirrors DAF with a few enhancements, hence the term Enhanced Data Asset Management. Below you will find a few things we think you should pay attention to that we didn’t go into in much detail.

Things to pay attention to during this process

Your Team

To implement a successful data inventory and classification program, it is important to collaborate with key stakeholders within your organization. Your team should include IT personnel responsible for technical implementation, data stewards overseeing data management, compliance officers ensuring regulatory adherence, legal advisors guiding legal aspects, and senior management providing strategic support, as well as researchers and others. It is also important to gather input from data users and business units to tailor classification criteria to operational needs. This collaborative approach ensures that data classification policies and practices are comprehensive, aligned with regulatory requirements, and effectively protect sensitive information. Ultimately, this enhances data security and organizational resilience.

Data Policies and Procedures

Data policies and procedures are the backbone of effective data management and protection for non-profit organizations. These policies establish clear guidelines for data classification, access control, retention, encryption, privacy, and governance, ensuring that sensitive information is handled securely and in compliance with regulations. By implementing robust data policies and procedures, non-profits can minimize risks of data breaches, maintain donor and stakeholder trust, and demonstrate accountability in their data management practices. So our recommendation is to also review what policies and procedures are in place during this process.

Implementing Data Encryption 

Encryption is a fundamental aspect of data protection, especially for non-profits handling sensitive information. IT assessments often highlight the importance of implementing encryption techniques to secure data both in transit and at rest. This ensures that even if unauthorized individuals gain access to the data, it remains unintelligible and unusable without the decryption key. At this point, organizations can begin thinking about sensitive fields or files that can be encrypted within data assets.

Data Backup and Recovery

We recommend implementing robust data backup procedures to ensure data resilience and continuity in case of data loss or system failures. Regularly test backup and recovery processes to verify their effectiveness and reliability.

Enhancing Access Controls 

Controlling access to sensitive data is crucial for preventing unauthorized disclosure or modification. IT assessments can help non-profits evaluate their access control mechanisms, including user authentication protocols, role-based access controls, and monitoring systems. By limiting access to only authorized personnel and implementing robust authentication measures, organizations can significantly reduce the risk of data breaches. 

Educating Employees 

Human error remains one of the leading causes of data breaches. IT assessments emphasize the importance of employee education and awareness in maintaining data security. This includes training staff on security best practices, raising awareness about common cyber threats such as phishing attacks, and promoting a culture of vigilance and accountability across the organization. 

Regular Vulnerability Scanning and Patch Management 

Cyber threats are constantly evolving, making it essential for non-profits to stay vigilant and proactive in identifying and addressing vulnerabilities. IT assessments often recommend implementing regular vulnerability scanning programs to detect potential weaknesses in systems and applications. Additionally, organizations should prioritize patch management to promptly address known security vulnerabilities and reduce the risk of exploitation by malicious actors. 

Why the Enhanced Data Asset Management (EDAM) Framework and not Data Audit Framework (DAF)?

Enhanced Data Asset Management (EDAM) represents an evolution of the Data Audit Framework (DAF) methodology, incorporating refinements and enhancements to address the diverse needs and challenges faced by organizations in managing their data assets effectively. While both methodologies share the foundational principles of conducting data inventories and assessments, EDAM offers several key improvements that distinguish it from DAF.

  1. Comprehensive Scope: While DAF was primarily designed for creating inventories of research datasets tailored to Higher Education Institutions, EDAM extends its scope to cater to a wider range of organizations. By incorporating insights from various industries and sectors, EDAM provides a more versatile framework adaptable to the unique data management requirements of non-profit organizations, businesses, and governmental entities.
  2. Fine-tuned Process: EDAM offers a more detailed and structured process compared to DAF, with refined stages and methodologies for each phase of the data inventory journey. This includes more specific guidelines for planning and preparation, data asset identification and classification, data assessment and analysis, and recommendations and action planning. By providing clearer instructions and methodologies, EDAM streamlines the data management process and enhances the effectiveness of data protection strategies.
  3. Customization and Flexibility: One of the key enhancements of EDAM is its emphasis on customization and flexibility to accommodate the diverse needs and contexts of different organizations. Unlike DAF, which may have been more rigid in its application, EDAM allows organizations to tailor the methodology to suit their specific objectives, stakeholders, resources, and compliance requirements. This flexibility enables organizations to leverage EDAM effectively regardless of their size, industry, or regulatory environment.
  4. Practical Implementation: EDAM places a stronger emphasis on actionable insights and practical recommendations, guiding organizations not only in identifying data management gaps but also in implementing concrete steps to address them. By offering additional ideas for performing activities such as gap analysis, recommendation formulation, implementation planning, and monitoring and review, EDAM empowers organizations to translate assessment findings into tangible improvements in data governance, security, and compliance.

Overall, Enhanced Data Asset Management (EDAM) represents a more refined and versatile approach to data inventory and management, building upon the foundation laid by the Data Audit Framework (DAF) to provide organizations with the tools and methodologies needed to navigate the complexities of modern data ecosystems effectively.

Conclusion: Strengthening Nonprofit Data Protection with IT Assessments

In an increasingly digital world, data protection is non-negotiable for non-profit organizations. By leveraging insights gained from IT assessments, such as a data assessment, non-profits can develop and implement robust data protection strategies tailored to their unique needs and challenges. From understanding data sensitivity to enhancing access controls and employee education, these strategies play a crucial role in safeguarding donor information and maintaining the trust and confidence of stakeholders. By prioritizing data protection and adopting a proactive approach to security, non-profits can mitigate the risk of data breaches and fulfill their mission with integrity and accountability. 

 

 References

https://gatesopenresearch.org/documents/2-45

https://www.nccoe.nist.gov/sites/default/files/2023-04/data-class-nist-sp-1800-39a-preliminary-draft.pdf

https://blog.netwrix.com/2023/12/01/data-classification-for-compliance/

https://www.linkedin.com/pulse/guide-data-classification-frameworks-nis2-gdpr-samuel-a-adewole-pcihe

https://blog.netwrix.com/data-security/

https://www.g2.com/articles/data-lifecycle-management-dlm

https://blog.satoricyber.com/metadata-repositories-data-dictionary-vs-data-inventory-vs-data-catalog/#datainventory

https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

https://www.digitalguardian.com/blog/what-data-classification-data-classification-definition

https://www.lepide.com/blog/what-is-data-classification-and-how-to-do-it/

https://blog.satoricyber.com/data-inventory-for-snowflake-manual-vs-automated/

https://www1.udel.edu/security/data/confidentiality.html

https://www1.udel.edu/security/data/integrity.html

https://www.linkedin.com/pulse/topic-mapping-data-creating-inventory-gdpr-compliance-srinivasan

“You are a target. Information security is everyone's responsibility.”
