8.1 Security of Information systems
TABLE OF CONTENTS
- 8.1.1 What are we talking about?
- 8.1.2 What is at stake?
- 8.1.3 How NGOs can tackle the topic?
- 8.1.4 Key Resources
Keep in mind
The security of information systems is above all an organisational subject, which must be backed by adequate technologies, tools, infrastructure and associated support.
It is nevertheless essential, when talking about program data, to look at the tools that frequently remain at the periphery of the usual IT infrastructure but are necessary for the daily work of program teams in the field (tools for collection, processing, analysis, sharing etc.).
Indeed, they are often central to the processing of databases of vulnerable populations, but their level of security is not always evaluated.
Information systems-related security is an important dimension of data management. In this subsection, we will take a fresh look at its definition to understand its scope, present the associated issues and risks at sector level, as well as best human practices and key resources.
Securing information systems covers everything that is implemented to protect the resources that allow the collection, storage, processing and distribution of information within the NGO. This mainly concerns the IT security implemented by the organisation (in terms of technologies, tools, infrastructures…), but also the set of human practices that NGO members follow to avoid any data breach.
The majority of NGOs have a range of tools and infrastructure whose security has improved considerably in recent years. Nevertheless, there are still many practices and tools used by program teams that may, in some NGOs, be a little outside the remit of IT teams and therefore fall through the cracks in terms of security checks.
The security of information systems is essential because it can help prevent attacks, which can have serious consequences, in particular on the security of affected populations, the quality of an organisation's interventions, its credibility, its financial stability, and consequently the trust placed in it by the population. An attack can suspend or put a stop to the organisation's activities, and may extend to the takeover of the system by the attackers.
Securing information systems not only serves to maintain control over decision-making, but also ensures respect for the affected populations by properly protecting their data to prevent it from being accessed by non-data subjects or, worse, malicious individuals.
Nevertheless, and especially when it comes to program data, there are always a certain number of applications in use that are not necessarily within the remit of IT departments (local choice of tool imposed by a partner or lessor, perimeter of program tools sometimes outside the range of tools followed by headquarters, no referent in program data management at headquarters level, etc.). To prevent the data collected and stored in these tools from being at risk of intrusion, it is important to respect a certain number of best practices, whether at the level of the members in charge of choosing and implementing the tool, or of the users themselves. This is particularly true when selecting tools that handle program data on the basis of their security-related features (authentication, granularity of roles and users, encryption, location of servers, etc.), since the choice of these tools is not always made proactively at organisation level (by people who usually have time to look at all the ins and outs of the tools), but is often left to the goodwill of the field teams, who must make these decisions in haste and without being able to properly examine the tools available to them.
Nota Bene: It is important to specify that excessive security sometimes only encourages users of the tools, especially in the field, to adopt avoidance strategies. It is therefore essential to ensure the practicality of what is put in place to promote ownership at all levels of the organisation.
The vast majority of the measures implemented to secure information systems are carried out by the IT departments of your organisations, whether they concern IT systems or policies on human practices.
However, given the importance of the subject, and also to address the human practices dimension, which is essential to prevent aspects of security from falling through, we have prepared two capsules on this subject: one from the organisation's standpoint (IT departments) and one from the NGO member's point of view. They summarise the good practices that can be put in place and are complementary.
- Securing IS - from an organisational standpoint
- Securing IS - from the individual point of view
Since it is not possible to be exhaustive on such complex topics, which go beyond program data management and depend greatly on the choices made by each NGO, we invite you to contact your IT services or the program data management referents of your NGO to delve deeper, see how the topic applies to you, and discover the policies and procedures in place.
- Feel free to look at the next section of this toolbox on cybersecurity, which explains the associated challenges in the sector and provides good practices and resources on the topic.
- You can also explore the CartONG checklist, which provides insights to facilitate your decision-making when choosing a data collection tool, with regard to data protection.
- A complementary resource to this checklist is the 2021 collection tools benchmark (from CartONG in collaboration with Welthungerhilfe), which provides points of comparison between several mobile collection tools in terms of organisational management, user experience, data quality, data protection and features facilitating case management.