4.5. Security Toolkit: Data Sharing
What Everyone Needs to Know
Sometimes when doing your work, you will need to share information and data with other people both inside and outside of your organization. This can range from individual files to large-scale data sharing. Whenever data is shared beyond an individual, team or unit, there are some additional risks, such as inadvertently sharing data with the wrong people, or recipients of the shared data further disseminating it to others inappropriately. While there is a range of technologies that help organizations manage inadvertent or inappropriate data sharing, typically referred to as data loss prevention (DLP) technologies, there are some simpler steps that organizations can take while they consider more robust DLP solutions.
Those steps include developing written data sharing protocols that work not only across the organization but also for specialized units or practice groups. Included in the protocols might be guidance on:
- types of data that may be shared internally and externally (this might lead to a data classification protocol)
- which entities or types of entities may receive shared data
- when it is appropriate to share data and whether specific permission is needed
- which technologies should be used to share data (e.g., encrypted files, encrypted email, regular email, open web links, login-protected web links)
Depending on how the organization proceeds in managing shared data, your staff will need to be trained on the protocols and the technology. Your IT team may also need to implement additional technologies such as secure email and file sharing tools. Generally, all users should use the technologies the IT team provides to share data as opposed to using personal accounts (e.g., personal Dropbox, Google Docs, or private email systems such as ProtonMail). Avoiding personal solutions in favor of more secure file sharing helps ensure security as well as governance and control of the firm's data. Managers and decision-makers are urged to take data sharing security issues seriously.
What IT Needs to Know
When it comes to data sharing, internally and externally, do you know the who, what, when, where, and why? Do you have the technology and protocols/policies in place to protect your data?
- Internally, do staff and volunteers only have access to data and files they are authorized to use?
- Do staff and volunteers have appropriate, limited access within the systems being used (e.g., case management, accounting, donor management, human resources)?
- When sending out sensitive data, do you know what is being sent, who it is being sent to, and whether it is being sent securely?
- Do you have the tools in place to know or log what data is being accessed by whom?
- Do you have the technology, policies/protocols, and training in place to help staff share data appropriately and securely?
- Does the technology used for sharing data allow you to quickly revoke the shared data, or expire the sharing of data based on time elapsed or some other variable?
To facilitate safe and secure file sharing, make sure you’ve implemented secure file sharing methods (e.g., file sharing solutions as part of your document management system). It is worth repeating the importance of documenting the data sharing protocols and training all users on data sharing. Finally, depending on the data being shared, make use of email and file encryption technologies to help keep unauthorized entities from gaining access to shared data.
Solutions to consider:
- Mimecast
- SharePoint
- Box
- NetDocuments
- Microsoft Data Loss Prevention