What Are You Doing for IT Security and Compliance (+Training)?


(Dave Mackey) #1

Hi Folks,

I know this topic has come up before but was hoping we could have a fresh discussion on how you are handling digital security at your church. I’m eager to hear about anything you might want to share; here are a few areas I’m particularly interested in:

  • What do you use for endpoint security? We are currently shopping around for a new vendor.
  • What training do you provide staff on proper digital precautions?
  • Do you require staff to utilize a password management system? I’m personally a fan of LastPass.
  • Any best practices for securing servers and data storage?
  • Thoughts on cloud storage and apps, data sharing? These are a bit of a nightmare. Folks tend to utilize these without informing IT.
  • Do you utilize an IDS or similar software to proactively internally monitor your network? Ubiquiti has released IDS functionality as part of their network setup (in beta) with this latest release.

Anything you are willing to share is greatly appreciated. :slight_smile:

Dave


(Michael R. Beatty) #2

Hi Dave, I can speak to a couple of those areas.

  1. Endpoint security: Endpoint protection is a matter of defense in depth and risk modelling; there is no silver bullet protection and mitigation solution. As end-client-technology providers release regular product/software updates, security tools will become outdated - just as a rule. Multiyear endpoint protection commitments will leave you playing a constant game of catch-up. The solution is a holistic internal security assessment that identifies and satisfies your desired endpoint protection feature set with the corresponding endpoint protection suite and a comprehensive implementation strategy. Really selecting and implementing
    Have you done a vendor assessment yet? I can show you my vendor assessment if you want.
  2. Training: There are a couple of LMS systems out there, and you will probably want one that includes most of the core IT processes surrounding IT security: DRP, BCP, risk management, external compliance, process controls and internal audits, security management and strategy.
    Let me know if you want to chat for a half hour and I can show you how we’ve done it.
    I hope this helps.
    Mike

(Andy Baker) #3

Hello Dave,
I can speak to a couple of points as well. Additionally, I am interested in what others are doing for security awareness training.

  1. We use Thirtyseven4 as our AV solution. We have not had a major infection since moving to them from Symantec Endpoint Protection 3 years ago.
  2. I’m interested in the Security Awareness & Training topic as well. We used a free code to get KnowBe4 to send emails to our staff to see who would fall for phishing attacks. It was eye-opening: 25% of our staff opened and clicked on links. The first email wasn’t even that tricky.
    We certainly are planning on budgeting for and partnering with KnowBe4. I believe they have a wealth of information and help with Security Awareness training for staff.
  3. Cloud Storage and Apps - I’m a big fan of cloud storage and apps, as it helps our teams access their files from anywhere and any device. It also helps them collaborate on docs all at the same time. I would love for our whole staff to embrace the technology we pay for and have approved, Office 365 (OneDrive, SharePoint, Teams, etc.), but we do struggle with teams opening accounts with other cloud platforms like Dropbox for Business, Google Drive, etc. Microsoft has closed the gap a bit as far as ease of use and features, but teams tend to stick with what they are comfortable with. We do hold lunch and learns as a way to showcase the value of using Office 365, but they are only attended by about 10 - 15% of staff. There are certainly some cons to the cloud as well: backups, someone leaves staff but had docs others need, etc. We are still working on many of these issues.
  4. We use Cisco ASAs with Firepower enabled. This is one level of IDS/IPS protection. Additionally, Thirtyseven4 provides this at the endpoint level.