Here is a framework that all churches and religious organizations can work with to better understand and prepare themselves for cyber attacks and protecting their data. The guidance encourages organizations such as churches to secure data from a privacy perspective and maintain security from a cyber perspective. This is called the NIST framework. NIST is a nationally recognized organization and is called the “National Institute of Standards and Technology” (NIST). The NIST framework is what they have laid out to help organizations prepare and implement the necessary tools to protect their environments from attack. The NIST framework provides insights on managing and reducing cybersecurity risk for churches of all sizes, positioning your organization to respond better.

Churches could be held liable for the loss of protected information such as “personally identifiable information” (PII) of members of your congregation, not for profit organization and other entities. What is PII? It is basically any combination of two of the following non-exhaustive list of data elements that the church would have as data in a computer or mobile device:
• Name
• Address
• Telephone number
• Date of Birth
• Social Security Number (whole or partial)
• Policy Number
• Driver’s License, State Identification, or Passport Number
• Financial Account Number (Credit Card Number, Bank Account Number, Routing Number, Debit Card Number, etc.)
• Medical Information
• tithe or contribution number
• log in Code
• Any other information that could reasonably permit a hacker to piece together the identity of an individual, directly or indirectly inferred, including any information which is linked or linkable to that individual.

The NIST Framework comprises of five levels, each divided into subcategories, as well as standards, guidelines and best practices that you can establish within your church or organization. These would become part of your policy.

Level 1: Identify
Identify assets and risk so you can prioritize your security efforts. You do this by conducting a risk assessment.
Level 2: Protect
Once you your risk assessment completed look at your assets and their values, rank your resources accordingly and decide what measures and software you will need to implement to protect them. You may need security devices and software, but also staff to operate the devices continually.
Level 3: Detect
In addition to preventive controls, security incidents still occur. That’s why it is essential to detect anomalous activity quickly to remove any attackers and prevent or lessen any damage. The key here is to be able to monitor your network (internet) traffic and your endpoints (servers, workstations mobile devices and laptops) 24 hours a day and this includes personal devices which your teams may be using.
Level 4: Respond
Now, this is a tough one. It assumes you have recognized that you have been hacked or breached, and I can tell you that is not something that is always apparent. The sooner you can get the attack, or data theft recognized the sooner you can minimize the damage. The longer attackers are in your network, meaning in your systems and computers, not only do you lose more and more data, it becomes more difficult and costly to get the attackers out. Think termites and roaches. Getting attackers out of your network takes a lot of expertise that most church organizations don’t have or for that matter not all small tech organizations either.
Level 5: Recover
Recovering from an attack takes planning long before your computers or network is hacked or breached. Think now about developing a “Business Continuity Plan” you will hear people commonly call these BCP plans. If you outsource your systems to a third party, you should ask them for a copy of their BCP plan, so you know what you are up against if they get hacked and breached.

Keep in mind the NIST framework is just that..a framework. It is a guide. It is not the tablets from Mount Horeb. Think of the context as your guide. What is really important is to conduct the assessment. See what risk your church has as exposure to lost data. Within your congregations, I am sure some members are familiar with the NIST framework, and you just may have computer savvy members who can assist with the implementation of the framework. The assessment is Key.

Visit our website at:  www.innovate-educate-collaborate.com