It’s Not Just Your Compliance That Matters
Tips for Ensuring Third-Party Compliance for Data Security
As recent events in the donor software world have shown, you not only need to be vigilant about your own data security, but you also need to make sure that any third-party vendors with access to your data are compliant as well. Assurances aside, how can you do that? Here are a few tips:
- Who’s there? – First and foremost, make sure you know how any third-party vendors handle permissions and what their user access protocols are. The fewer the number of users with access, the better, but more importantly, you want to make sure that access is secure, with two-factor authentication, frequent password changes and other standard best practices.
- What’s the plan for the worst-case scenario? – Data security is easy when no one is trying to take your data, but what plans does your vendor have in place for when there is a crisis? Those plans should be in writing, and they should include notifying you immediately of any data breach. If they can’t say what they’d do in an emergency, they shouldn’t be listened to when there isn’t one.
- More than security – In this day and age it’s not just data security that needs to be a priority; data privacy is just as important. Has your vendor identified what fields of data need the extra security to maintain privacy? What are their protocols?
- Up-to-date updates? – How do your third-party vendors manage patches, system configurations and penetration testing? A frequent and robust schedule indicates that they are staying on top of things.
- Your third party’s “third party” – Do your vendors provide independent third-party verification, or is their review process handled entirely in-house?
- The known unknowns – New threats emerge every day. For instance, security breaches launched through older equipment that has been tied into IoT (Internet of Things) networks increased from 15% to 26% in just 2 years. While that may not directly threaten a nonprofit, do you know what other clients your third party does business with?
- Updated updates – What are your vendor’s policies and practices regarding security? How often are those policies and practices reviewed and updated? Who is in charge of that process, and who handles other compliance issues? Those team members should be a regular part of your interaction with the vendor, and updates should arrive without your having to request them.
- Following or making the rules? – While GDPR has affected even those who are not doing business in the European Union, one thing is certain: more rules will always be coming from somewhere. Several states have rules in effect or laws under development, and a federal statute is expected after the November elections. Is your vendor not only up to date, but ahead of the curve?
- Is your board on board? – Your board needs to be involved in this process for several reasons. They need to understand the process and its associated costs, as well as the cost of being on the wrong end of a data breach. They should consider forming a Risk Management Committee to make the review process part of the board’s duties. And perhaps most importantly, your board is made up of people from different industries, many of whom (especially those in tech, healthcare, insurance and financial services) are far ahead of the curve in dealing with data security and may have access to more efficient tools and resources.
And we are proud to announce that, for the fifth year in a row, Big River has been independently verified to be PCI-DSS compliant. Additionally, we have a regularly updated data security protocol as well as reporting and detection plans in place. If you’d like to discuss your current security and see how our software can help your planning and future digital plans, please contact us.