Nonprofit Accounting Basics

Guidelines to Maintain Information Security

Note: Articles published before January 1, 2017 may be out of date. We are in the process of updating this content.

As you handle confidential financial data and personal information in your daily business tasks, follow these straightforward guidelines to help maintain information security and become a more security-conscious computer user.

Often you work quickly on computer files to meet deadlines, browse the Internet for research, and process email so rapidly that you can easily fall prey to malicious Internet hackers or otherwise inadvertently disclose information. This article will help raise your awareness of several best practices for maintaining information security.

(1) Maintain Information Security in Your Office

Trashcans and dumpsters can be valuable sources of sensitive information that is discarded without shredding. Examples include company phone books, organization charts, policy manuals, calendars, company letterhead, etc. Old equipment, including storage devices, memory sticks, and laptops, must be disposed of properly. The hacker's goal is to collect information that can be used to deceive someone into giving out more information.

To avoid shoulder-surfing by someone who walks up to your computer or passes a reception desk looking for information, use this tip. The Windows 7 operating system has a “Show Desktop” feature that minimizes all open windows in one click and then restores them all in one click. Point the mouse at the small vertical bar in the extreme lower right corner of your monitor and click; all windows will minimize. Click again and all windows will be restored. The keyboard shortcut is to hold down the Windows key and press the “D” key.

(2) Maintain Information Security While Connected to the Internet

Because over 50,000 new malicious programs appear on the Internet every day, there are many opportunities to catch you off guard and allow viruses to enter your computer. Millions of computers are controlled by hackers without their owners’ knowledge. Hackers can see everything typed on those machines, such as usernames and passwords, and have even taken control of the computer’s microphone to listen to the area around it.

Chances are that in the past week you have received an email in your Inbox that “pretends” to be from your bank, e-commerce vendor, or another online website. Technology-based social engineering attempts to obtain confidential information from individuals within an organization. The goal is to gain access to the organization’s network in order to collect more information and/or to cause problems.

Two widely-used techniques of deception are:

  • Encouraging an unsuspecting computer user to open a malicious email attachment. Attachments can contain malicious Visual Basic code that runs on your computer without your knowledge.
  • Encouraging an unsuspecting computer user to click on a hyperlink within an email. If the hyperlink opens a page on a malicious website, a file carrying a virus can be sent to your computer and potentially installed.

(3) Maintain Information Security When Transmitting Information

Examples of laws that may affect your organization include the Federal Information Security Management Act (FISMA); the European Union Directive on Data Protection; the Health Insurance Portability and Accountability Act (HIPAA); and the Sarbanes-Oxley Act, which requires publicly traded companies to put controls in place to protect reporting and financial information. A breach of information could damage your organization’s reputation, hurt an employee or donor, and/or lead to fines.

Check with your legal advisor about the specific data breach laws that apply to your organization. The applicable regulations will identify the types of sensitive information that must be protected.

To help avoid a security breach, follow these guidelines:

  • Never send sensitive information in an unencrypted email.
  • Change passwords regularly and use strong passwords.
  • Never talk on cell phones in public areas about sensitive information, passwords, or credit card numbers.
  • Never connect to an unsecured wireless network.
  • Never disable antivirus software or firewall software.
  • Do not install unauthorized software applications.
  • Do not click on links to unknown websites.
  • Never leave a laptop unattended while travelling.
  • Do not use removable media such as thumb drives for sensitive information.
  • Do not open attachments to an email from unknown senders.
  • Use the redaction feature on PDF files in Adobe Acrobat 9 or X Pro versions to permanently remove sensitive information.

Maintaining Information Security is a Never-Ending Process

Each organization must build a security-conscious culture, provide end-user training to reinforce security awareness, develop proper guidelines for the disposal of storage media, regularly audit security systems and test staff, and develop procedures for reporting an incident. Everyone in the organization is responsible for maintaining information security.