On Data security and security culture

<p>I have been thinking more and more about data security of late, which leads to the larger concept of [l:http://www.eriders.net/model/stories/in/?id=35|security culture], particularly in the non-profit and political realms.</p>

<p>The recent incidents that have led me to think about this relate to two clients of mine (these are just the two most recent incidents; it is true that at work we just finally instituted a computer use policy that staff must adhere to).</p>

<p>So here is the deal. A group that I have done some work for in the past asked me to enhance their membership database by matching it to the voterfile for the area where they work. They provided me with the voterfile for this area and they provided me with their membership list. The voterfile (being large) was sent to me physically. But the membership list (being smaller) was transmitted electronically.</p>

<p>Here are the problems I see:<br />
1) The file was not encrypted in any way. Encryption would have protected against a third party intercepting the data. Granted, no one thinks that some third party is going to be looking for their data and going through the trouble of intercepting it, but the more important and concerning problem follows…<br />
2) This group has no paper on me. What I mean is we do not have a contract, therefore we have no terms of agreement. I have not indicated how I secure their data when it is in my possession, nor what I do with their data when I am done performing the requested enhancement. I have phone numbers and email addresses and names etc. of their members, and now it is enhanced with voterfile data at their expense, and I could turn around and sell it to a third party. <b>(I WOULD NOT DO THIS)</b></p>

<p>The point here is that someone else might. And this group handed over their data without any agreement in place. (Sure, they have known me for years, but so what? Would they have done differently with any other vendor or consultant?)</p>

<p>Similar scenario with another client I have been providing database consulting support to. They just gave me their data, and we are terminating our relationship, but there was no proviso in our agreement as to the disposition of their data after our relationship terminates.</p>

<p>How many non-profits and political organizations are in this boat? And what is their responsibility to their members/constituents to safeguard the data? This is not just a consultant-client problem… How safe is the data when it is in the org's office? Do interns and volunteers have access to it? Can someone steal it?</p>

<p>The big question is what responsibility do technologists have to their clients to force security culture down their throats? Should I only accept data files encrypted? (And then is it my responsibility to teach the client how to encrypt?) Should I write up a data security policy/agreement and sign it with each client? Should I harp on clients to adopt security policies for their organizations, to conduct security audits, to secure their networks (wired and wireless), to encrypt hard drives and thumb drives and laptops and PDAs? And then where does it end? And how do I deal with the fact that I am not a security expert? How much security is enough?</p>

<p>Here are some resources [del:encryption] on del.icio.us<br />
and search encryption on [lk:techsoup.com]</p>

<p>And let me know what you do (your organization, or yourself if you are a provider): leave a comment on the blog or call it in for use on the podcast, 206-203-3531.</p>