Congregational Data and Computer Security Guidelines
Here’s a set of guidelines you can use to help keep your congregation’s data and computers safe.
Consider joining a community of congregational technology users for ongoing support. Take two minutes to subscribe to the Unitarian Universalist Association (UUA) ChurchMgmtSoftware email list where you can ask a question, search for an answer, or give someone else a hand. After subscribing, you’ll receive an email asking for confirmation. In the email, select the link labeled “Or visit this web page” for best results.
Throughout these guidelines, we refer to Protected Information. Here are the types of information that fall into this category.
- Personal Information includes social security, credit card, or bank account numbers of individuals, and health data. This is generally protected by law. Think about employees, donors, etc.
- Confidential information is anything a reasonable person would recognize as sensitive or potentially damaging, and should generally be protected.
- Information about minor children, including routine contact information, pictures, etc. might need to be protected, especially if the information itself implies the person is a minor child.
- If you keep paper or electronic records containing Protected Information, ensure that only trusted, authorized people can access them. In particular, don’t retain social security, credit card, or bank account numbers of individuals unless it’s absolutely essential to conduct the business of the congregation, and destroy them as soon as they’re no longer needed.
If Protected Information is on a computer:
- Require a strong password to use the computer. A strong password is at least 12 characters long and includes upper and lowercase letters and digits; that alone gives more than three thousand million trillion (about 3 × 10^21) possible combinations. It must not contain names, dictionary words, birthdays, or obvious sequences of characters. Length matters most: a long password that follows these rules is far harder to guess than a short one padded with special characters.
- Change passwords at least every 6 months, and immediately whenever you suspect one has been exposed (for example, after a phishing email or a lost laptop).
- Always change the password whenever anyone loses their authority to access the computer.
- Set the computer to lock automatically after 10 minutes of inactivity.
- If possible, encrypt the files or folders that contain Protected Information, or encrypt the entire disk. Windows includes BitLocker (Pro editions; Home editions offer Device Encryption on supported hardware), Macs include FileVault, and the free open source VeraCrypt works on both. Do not use TrueCrypt: its developers abandoned it in 2014 and it no longer receives security fixes. If you use encryption, keep a copy of the password or recovery key stored safely. Encrypted data cannot be recovered without it.
- If Protected Information is in paper files, lock the files in a cabinet and strictly control who has the keys.
- Never include Protected Information in the body of an email or in an attachment. Email is stored unencrypted in mailboxes, on mail servers, and in backups at both ends, it is easily forwarded, and it is often read on devices you don’t control.
- All valuable data (not just Protected Information) stored on your computers should be backed up periodically (e.g. weekly), and you should occasionally test that a backup can actually be restored. See “Resources” for suggestions. If Protected Information is included in the backups, the backups should be encrypted and removable media should be stored in a locked location.
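The password rules above can be checked and enforced mechanically. The following is an added example, not part of the original guidelines: it generates candidate passwords from the operating system’s cryptographic random source (the `secrets` module, never `random`), rejects anything that fails the length, character-class, sequence or word-list rules, and computes the size of the search space for a given length. The blocked-word list is a constructed stand-in for a real dictionary or breached-password list.

```python
import math
import secrets
import string

# Upper, lower and digits: the three classes the guideline requires (62 symbols).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits

# Constructed stand-in for a real dictionary / breached-password list.
BLOCKED_WORDS = {"password", "welcome", "church", "congregation", "letmein", "qwerty"}


def has_run(s: str, length: int = 4) -> bool:
    """True if s contains a straight ascending, descending or repeated run of
    `length` characters, e.g. '1234', 'dcba', 'aaaa' (the 'obvious sequences')."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def meets_policy(pw: str, min_length: int = 12) -> bool:
    """Apply the guideline: minimum length, three character classes, no blocked
    word, no obvious sequence. Names and birthdays are only caught if they are
    in BLOCKED_WORDS, so keep that list populated in real use."""
    if len(pw) < min_length:
        return False
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)):
        return False
    lowered = pw.lower()
    if any(word in lowered for word in BLOCKED_WORDS):
        return False
    return not has_run(lowered)


def generate_password(length: int = 12) -> str:
    """Draw characters from the OS CSPRNG and retry until the policy is met."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def search_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of possible passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Equivalent strength in bits: log2 of the search space."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (10, 12, 16):
        print(f"{n} chars: {search_space(n):.3e} combinations, {entropy_bits(n):.1f} bits")
    print("example password:", generate_password())
```

Running it shows why the length matters: going from 10 to 12 characters multiplies the search space by 62² (about 3,800), and each additional character adds roughly 6 bits.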
Hardware and Software Security
- Laptops should be kept in a locked cabinet, or secured with a locking cable.
- All computers should have anti-virus software installed, with automatic updates turned on so that it is current every day the computer is used. See “Resources” for suggestions.
- All software on your computers should be kept up-to-date, especially security updates. This includes your anti-virus software, PDF reader and media players as well as Windows or Apple software. Most computers come with an update service included and turned on. Don’t disable it, and do allow it to run.
- Every computer that can connect to the Internet should have a firewall. A firewall is included and turned on in every new computer. Don’t disable it, and do allow it to be updated.
- If you have networking equipment (e.g., cable modems, wireless routers), change both the default administrator password and the wireless network password on each piece of equipment when it’s installed, and keep its firmware updated.
- Passwords to computers, network equipment, software, files, and online accounts should be stored in an encrypted and password-protected database such as the excellent open source KeePass. Don’t write passwords on paper or post-its, and don’t send them in emails.
A Note About Virus and Malware Protection
After doing all of the above, the first line of defense is you. Watch out for emails, websites, and popups that try to get you to:
- divulge confidential information.
- download something onto your computer.
- allow a scan of your computer.
In particular, never click a link or open an attachment in an email that you aren’t expecting, even if it appears to be from a friend. Your friend’s computer may be infected and sending a virus your way without their knowledge. If in doubt, contact the sender by phone or in person rather than by replying to the email, since the sender’s address may be forged. Two minutes on the phone can save you hours or days of downtime and hassle.
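Three of the tell-tale signs of the scam emails described above can be checked automatically: a Reply-To address on a different domain from the sender, a link whose visible text names one site while the href points to another, and an attachment whose file type can run code. The following is an added example, not part of the original guidelines or of any UUA tool: it uses only the Python standard library, and the sample message it inspects is constructed inline with made-up addresses and hostnames. The domain comparison keeps only the last two labels of a hostname, which is a simplification (it mishandles suffixes such as co.uk).

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that run code when opened; constructed, deliberately short list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta",
                    ".lnk", ".iso", ".docm", ".xlsm"}


def _registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _address_domain(header_value: str) -> str:
    """Domain of the address in a From:/Reply-To: header, or '' if none."""
    addr = parseaddr(header_value)[1]
    return _registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def _text_domain(text: str) -> str:
    """Domain a reader would infer from a link's visible text, or '' if it is not a host."""
    t = text.strip().lower()
    if "://" in t:
        return _registered_domain(urlparse(t).hostname or "")
    if "." in t and " " not in t and not t.endswith("."):
        return _registered_domain(t.split("/")[0])
    return ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_message(raw: bytes) -> list:
    """Return human-readable warnings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []

    # 1. Replies silently redirected to another domain.
    from_domain = _address_domain(msg.get("From", ""))
    reply_domain = _address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"replies go to {reply_domain}, not the sender's domain {from_domain}")

    # 2. Link text that names one site while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _text_domain(text)
            actual = _registered_domain(urlparse(href).hostname or "")
            if shown and shown != actual:
                warnings.append(f"link text '{text.strip()}' actually points to {actual}")

    # 3. Attachments of a type that can execute.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            warnings.append(f"attachment '{name}' is a file type that can run code")
    return warnings


def build_sample() -> bytes:
    """Constructed phishing-style message; all addresses and hosts are made up."""
    msg = EmailMessage()
    msg["From"] = "Treasurer <treasurer@example.org>"
    msg["Reply-To"] = "treasurer@example-mail.net"
    msg["To"] = "office@example.org"
    msg["Subject"] = "Urgent: confirm bank details"
    msg.set_content("Please log in and confirm the attached invoice.")
    msg.add_alternative(
        '<p>Log in at <a href="http://login.example.net/secure">'
        'www.bank.example.org</a> today.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for w in check_message(build_sample()):
        print("WARNING:", w)
```

A clean result from this check is not proof that a message is safe; it only catches the crude signs. The rule in the text still applies: if you weren’t expecting it, confirm with the sender before clicking.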
Read the UUA’s Information Technology Services blog with info about spotting email scams.
“Always On” Virus Protection (Free)
On-Demand Virus Scanners (Free)
Use an on-demand virus scanner if you think you’re infected. Never allow a popup or uninvited website to do a security scan for you, even if it includes a scary message about being infected. Never.