If you’ve been concerned about cybersecurity as a grantmaking organization, you’re not alone. The Council on Foundations recently noted that their legal team regularly receives questions regarding the data security of foundation operations and donor and grantee information. It’s a reality that many nonprofits are facing. According to a 2018 State of Philanthropy in Tech survey, 21 percent of respondents had experienced a security breach in the previous two years.
Consolidating your data in a secure cloud environment is one way to reduce your risk. A reputable provider brings the patching, monitoring, and hardened infrastructure that most nonprofits cannot staff on their own, which in most cases is an immediate improvement for both cybersecurity and data protection compliance. The gain depends on the provider you pick, though, so the vetting matters.
But as you make a shortlist of grant management systems, the Nonprofit Risk Management Center provides a word of advice, “Resolve to become a discerning consumer so you can distinguish dependable tech vendors from those unworthy of your trust.”
The following six questions will help you do just that. Make sure you have this list in hand as you evaluate your options.
If you’re a grant manager who needs to understand a SaaS provider’s security qualifications, start by asking how they meet the regulations that apply to your data. Is their software in compliance? Do they have third-party proof, such as certifications or audits? Ask for the evidence itself, for example a current SOC 2 report or ISO/IEC 27001 certificate, and check that its scope covers the product you are buying rather than only the vendor’s corporate office. A logo on a website is not proof.
Depending on where you’re located, what functions you need, and the types of grants you offer, some regulations will matter more than others. Here are five to consider.
GDPR - The General Data Protection Regulation is a European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also governs the transfer of personal data out of the EU and EEA. Privacy Shield, the self-certification framework once used to move personal data from the EU and Switzerland to the United States, was invalidated by the Court of Justice of the EU in July 2020, so a vendor that still cites it has not kept up. Ask which transfer mechanism they rely on now (Standard Contractual Clauses, or certification under the EU-U.S. Data Privacy Framework adopted in 2023) and where your data is actually stored and processed.
HIPAA - The Health Insurance Portability and Accountability Act is the U.S. law, with its Privacy, Security, and Breach Notification Rules, that governs protected health information (PHI). When a covered entity (such as a health care organization) provides PHI to a vendor, that vendor is a business associate and must sign a business associate agreement (BAA) accepting HIPAA obligations. If your grant programs handle PHI, ask whether the vendor will sign one.
FedRAMP - The Federal Risk and Authorization Management Program is the standardized process by which U.S. federal agencies assess, authorize, and continuously monitor cloud products and services before using them. It is required only for federal agencies and their cloud vendors, but a FedRAMP authorization is strong evidence that a provider’s controls have been independently tested.
PIPEDA - The Personal Information Protection and Electronic Documents Act is Canada’s federal private-sector privacy law. It governs how organizations collect, use, and disclose personal information in the course of commercial activity, and it matters if you have Canadian grantees or donors.
PA-DSS - The Payment Application Data Security Standard was the Payment Card Industry Security Standards Council’s standard for software vendors that develop payment applications. It was retired in October 2022 and replaced by the PCI Secure Software Standard under the PCI Software Security Framework. It applies to a vendor’s software only if that software itself handles card data; many SaaS products instead hand payment off to a PCI DSS-compliant processor, in which case ask for the processor’s attestation and confirm that card numbers never pass through the grant management system.
To protect your grantmaking organization, give your SaaS provider the least access to your data that still lets the application do its job. This is the principle of least privilege: every person and system gets only the permissions its task requires, and nothing more. In practice that means only the vendor employees who must handle your data (for example, to work a support ticket you opened) can reach it, and only for as long as they need to. Here are some specific questions to make sure you and your provider are on the same page:
Which of your employees have access to my data?
When would your employees need to look at my data?
How much of my data is indexed for search?
When is our data shared with a third party, and why?
How do you manage risk when sharing with a third party?
The principle of least privilege should apply within your organization as well. That’s why it’s important to choose a grant management system that offers role-based permissions (so a reviewer sees only the applications assigned to them), multi-factor authentication for every account, and audit trails that record who viewed, edited, or removed data, and when.
In addition to the precautions above, ask your SaaS provider about their protocols for data encryption. Data should be encrypted at rest (when it is stored on disk, including in backups) and in transit (between your browser and the service, and between the provider’s own systems). Make sure both layers are in place, and ask who holds the encryption keys and which TLS versions the service still accepts: an old protocol version left enabled weakens the in-transit layer.
Another best practice is a data loss prevention (DLP) policy. In brief, this means classifying your data into levels of sensitivity (for example public, internal, and confidential) so that sharing the more sensitive levels requires extra approval and generates an alert when data leaves the system without it. With so many stakeholders in the grantmaking process, this is a must.
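To make the controls in the last two paragraphs concrete, here is an added example in Python that is not from the original article or from any grant management product. It shows a single authorization check that combines role-based permissions with a deny-by-default rule, a classification-based barrier that stops confidential records from being exported to external recipients, and an audit trail entry for every decision, allowed or denied. The three roles, the three classification labels, the foundation’s e-mail domain, and the record fields are assumptions made for the example.

```python
"""Added example, not part of the original article or any vendor's product:
a least-privilege policy check for a grant management system.

Assumptions made for the example: the three roles, the three classification
labels, the foundation's e-mail domain, and the GrantRecord fields."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> actions that role may perform. Any action not listed is denied.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "reviewer":      {"read"},
    "grant_manager": {"read", "edit", "export"},
    "admin":         {"read", "edit", "export", "delete", "manage_users"},
}

# Sensitivity levels in increasing order (a simple DLP classification).
CLASSIFICATION_ORDER = ["public", "internal", "confidential"]

# DLP rule: the most sensitive level that may be exported to an external recipient.
MAX_EXTERNAL_SHARE = "internal"

# Assumed domain of the grantmaking organization; any other address is external.
INTERNAL_DOMAIN = "@example-foundation.org"


@dataclass
class GrantRecord:
    grant_id: str
    classification: str                      # one of CLASSIFICATION_ORDER
    assigned_reviewers: set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


# Append-only audit trail: who tried what, on which record, and the outcome.
AUDIT_LOG: list[dict] = []


def authorize(user: str, role: str, action: str, record: GrantRecord,
              recipient: str | None = None) -> Decision:
    """Return a Decision for `user` (holding `role`) performing `action` on
    `record`; `recipient` is the destination address when the action is an export."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        # Unknown roles and unlisted actions both fall through to deny.
        decision = Decision(False, f"role {role!r} may not {action!r}")
    elif role == "reviewer" and user not in record.assigned_reviewers:
        # Least privilege within a role: reviewers see only their own assignments.
        decision = Decision(False, "reviewer is not assigned to this grant")
    elif action == "export" and recipient and not recipient.endswith(INTERNAL_DOMAIN):
        # Unlabelled data is treated as the most sensitive level (fail closed).
        level = (CLASSIFICATION_ORDER.index(record.classification)
                 if record.classification in CLASSIFICATION_ORDER
                 else len(CLASSIFICATION_ORDER))
        if level > CLASSIFICATION_ORDER.index(MAX_EXTERNAL_SHARE):
            decision = Decision(False, f"{record.classification} data may not leave the organization")
        else:
            decision = Decision(True, "external export within classification limit")
    else:
        decision = Decision(True, "permitted by role")

    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "grant_id": record.grant_id, "recipient": recipient,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample records for a quick demonstration.
    confidential = GrantRecord("G-2024-001", "confidential", {"alice"})
    internal = GrantRecord("G-2024-002", "internal")
    for args in [
        ("alice", "reviewer", "read", confidential),
        ("bob", "reviewer", "read", confidential),
        ("carol", "grant_manager", "export", confidential, "partner@partner.org"),
        ("carol", "grant_manager", "export", internal, "partner@partner.org"),
        ("carol", "grant_manager", "delete", internal),
    ]:
        d = authorize(*args)
        print(f"{args[0]:6} {args[2]:7} {args[3].grant_id}: "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Two design choices carry the security point: the role table is consulted with a default of "no permissions", so a typo in a role name or a new action that nobody thought about is denied rather than allowed, and the classification check runs for administrators too, because the DLP barrier is about where the data goes, not who is sending it. The audit entry is written on the deny path as well, since failed attempts are often the first sign of misuse.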
Losing data is always a worry when handing control to a third party. After all, you know how hard your grant applicants worked on their proposals, not to mention the time and effort of your review committee.
Your SaaS provider should protect against downtime and data loss caused by power failures, application failures, and natural disasters. Ask for their recovery targets in writing (how much recent data they could lose and how long they could be down) and take time to understand exactly how they manage their data infrastructure with questions like:
How often do you replicate our data?
Where is our data stored?
How secure are the data centers?
How often do you test a full restore from your backups?
Many SaaS providers rely on industry heavyweights like Amazon Web Services and Microsoft Azure, which offer highly redundant infrastructure. That redundancy protects against hardware and data-center failure, not against the vendor’s own bugs, a misconfiguration, or an attacker who deletes your records, so the vendor still needs its own tested backups to counter human error or a service outage. You can also ask them to provide an interface so you can take your own backups.
You want a SaaS provider with a proactive cybersecurity strategy. One approach is to conduct penetration tests, which are simulated attacks on a software system by security experts, to find vulnerabilities before a real attacker does. Ask whether they perform penetration tests, how often, whether an independent firm does the testing, and whether you can see a summary of the findings and confirmation that they were fixed. Note that testing done by their data infrastructure provider covers the infrastructure, not the vendor’s application; the vendor should be testing its own software.
Likewise, make sure they have a capable team ready to respond quickly in the event of an actual security incident. Ask whether they have documented procedures, how soon they will notify you of a breach involving your data (many privacy laws set notification deadlines, so get that commitment into the contract), and how they will keep you informed until it is resolved. You don’t want to be in the dark when so many grantees rely on your organization.
Even though you might not be thinking about parting ways when you’re selecting a grant management system, it’s critical to think long term. Technology changes quickly, and your organization needs to keep full control over its data.
Make sure the vendor guarantees, in the contract, that you can fully export all grant data and all attached files on request, in open, documented formats (for example CSV or JSON plus the original files) rather than a proprietary format only their software can read. If you can run the export yourself, without relying on the vendor, even better. Try it during your evaluation, and check the result rather than assuming it is complete.
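As an added example (not code from the original article or from any vendor), here is a Python script that checks a data export for completeness before you trust it. The bundle layout is an assumption made for the example: a manifest.json listing each grant and its attachments with SHA-256 digests, stored alongside the attachment files. The script reports attachments that are missing, whose contents no longer match the manifest, or that sit on disk without being listed, and it compares the number of exported records with the count you see in the live system. The sample bundle it builds is constructed data.

```python
"""Added example, not from the original article or any vendor: verify a grant
data export. The manifest.json layout is an assumption made for this example."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large attachments are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_export(export_dir: str, expected_records: int) -> dict:
    """Compare the export bundle against its own manifest and against the
    record count observed in the live system. Returns a report dict."""
    with open(os.path.join(export_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)

    report = {"missing": [], "mismatched": [], "unlisted": [],
              "records": len(manifest["grants"]), "expected_records": expected_records}
    listed: set[str] = set()
    for grant in manifest["grants"]:
        for att in grant.get("attachments", []):
            rel = att["path"]                      # manifest paths use "/" separators
            listed.add(rel)
            full = os.path.join(export_dir, *rel.split("/"))
            if not os.path.isfile(full):
                report["missing"].append(rel)
            elif sha256_file(full) != att["sha256"]:
                report["mismatched"].append(rel)

    # Files present on disk that the manifest never mentions are also a finding:
    # either the manifest is incomplete or the bundle contains someone else's data.
    on_disk: set[str] = set()
    for root, _dirs, files in os.walk(export_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), export_dir).replace(os.sep, "/")
            if rel != "manifest.json":
                on_disk.add(rel)
    report["unlisted"] = sorted(on_disk - listed)

    report["complete"] = (report["records"] == expected_records
                          and not report["missing"]
                          and not report["mismatched"]
                          and not report["unlisted"])
    return report


def build_sample_export() -> str:
    """Constructed sample bundle: one intact attachment, one altered after the
    manifest was written, one listed but absent, and one never listed."""
    root = tempfile.mkdtemp(prefix="grant-export-")

    def put(rel: str, data: bytes) -> str:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        return hashlib.sha256(data).hexdigest()

    good = put("files/G-1/proposal.pdf", b"%PDF-1.4 sample proposal")
    tampered = put("files/G-2/proposal.pdf", b"%PDF-1.4 original text")
    put("files/G-2/proposal.pdf", b"%PDF-1.4 altered text")   # overwritten after hashing
    put("files/G-4/notes.txt", b"never listed in the manifest")
    manifest = {"grants": [
        {"grant_id": "G-1", "attachments": [{"path": "files/G-1/proposal.pdf", "sha256": good}]},
        {"grant_id": "G-2", "attachments": [{"path": "files/G-2/proposal.pdf", "sha256": tampered}]},
        {"grant_id": "G-3", "attachments": [{"path": "files/G-3/budget.xlsx", "sha256": "00" * 32}]},
    ]}
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    return root


if __name__ == "__main__":
    # The live system (hypothetically) shows four grants; the export has three.
    print(json.dumps(verify_export(build_sample_export(), expected_records=4), indent=2))
```

Run it against a real export by pointing `verify_export` at the unpacked bundle and passing the record count from the vendor’s own interface; a clean run is one where every list in the report is empty and `complete` is true. If the vendor’s export has no manifest or digests at all, that is itself a finding worth raising before you sign, because without one you have no way to prove the export is whole.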
--
Hopefully, these six questions have given you some clarity as you evaluate the data security features of potential grant management systems. We also recommend checking out the Cloud Services Due Diligence Checklist for a more comprehensive tool to assess providers.
SaaS offers many cybersecurity benefits to nonprofits, but grantmakers must always remain vigilant to protect the information of their grantees and donors.