What level of protection is necessary for your organization’s data? This complicated question will have a variety of answers for different organizations and types of data. In some instances, state and federal laws may dictate a certain level of encryption for sensitive data. In all instances, protecting the people who trust you with their personal information should be your first priority.
Are Web-Based Collaboration Tools Secure?
The most well-known web-based collaboration tools are Google Docs and Microsoft Office Live Workspace; others include Zoho, OpenGoo, and Writeboard. In the past few years, these tools have grown beyond a niche market into a feasible alternative to traditional office software. But how secure are they?
In short, it depends. Since Google Docs launched, there have been a handful of high-profile reports of security breaches. Some incidents resulted from user error (for instance, a user accidentally sharing a sensitive Google document with all of his contacts) while others have demonstrated legitimate security holes. One tech support representative for Office Live Workspace summed up the situation succinctly: “Security has been taken seriously in the development of OL Workspace but we live in an era where major banks, corporations, the White House, and even the FBI have had their security breached by hackers. Decisions on security … have to be taken by users at a personal level.”
Note that encryption of individual files is not possible in either Google Docs or Office Live Workspace; your files are protected by a single login password, similar to how most webmail services work. Like Gmail, Google Docs allows Transport Layer Security access; simply point your browser to https://docs.google.com/ and change your bookmark to include the https protocol. These services are fine for planning events or collaborating on fundraising letters, questionable for keeping track of donor data and other sensitive information, and unacceptable for health records or any other information protected by law.
Transport Layer Security (Wikipedia): http://en.wikipedia.org/wiki/Transport_Layer_Security
Google Docs (Secure Version): https://docs.google.com/
Discussion on security of Office Live Workspace
There are a few different ways to encrypt individual files with sensitive information. For documents created in Microsoft Office, the easiest way to encrypt is from within Office itself. When you save a document, open the Tools menu and select Security Options.
The Security dialog box opens. This is where you enter a password for opening the file and, optionally, a second password for modifying it.
Microsoft Office 2003 and later allows file encryption comparable to that used by banks, but not by default. The default encryption method is “97/2000 compatible,” which an experienced thief can crack with relative ease. For professional file encryption, use RC4 encryption with a 128-bit key length.
Most operating systems allow users to designate certain files, folders, or drives as accessible only for specified users. Generally, you can find user access information by right-clicking on the file or folder and selecting Properties. Below are links to more specific information for each operating system.
Windows Vista Ultimate and Enterprise include BitLocker, a utility that lets you encrypt an entire volume. Mac users can also encrypt their entire home directory using the FileVault application, included in Mac OS 10.3 and later.
Note that if you’re using file permissions to protect sensitive data, you should not stay logged in when you’re away from the computer. Shut down, log off, or lock the computer when you’re going to step away from it.
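As an added example (not part of the original article), the following script audits a folder of sensitive files on macOS or Linux and reports anything that users other than the owner can access, then restricts it to the owner. It assumes POSIX permission bits and does not inspect Windows access control lists; the function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits that grant access to anyone other than the file's owner.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def find_exposed(root):
    """Return sorted (path, mode) pairs at or under root that group/others can access."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
    exposed = []
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode does not control access to its target
        mode = stat.S_IMODE(st.st_mode)
        if mode & NON_OWNER_BITS:
            exposed.append((path, mode))
    return sorted(exposed)


def restrict_to_owner(path):
    """Clear every group/other bit while leaving the owner's bits unchanged."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~NON_OWNER_BITS)


def demo():
    """Build a constructed sample folder, audit it, fix it, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        donors = os.path.join(root, "donors.csv")       # constructed sample file
        notes = os.path.join(root, "event-notes.txt")   # constructed sample file
        for path in (donors, notes):
            with open(path, "w") as handle:
                handle.write("constructed sample data\n")
        os.chmod(donors, 0o644)  # readable by every account on the machine
        os.chmod(notes, 0o600)   # already owner-only
        before = [(os.path.basename(p), oct(m)) for p, m in find_exposed(root)]
        for path, _ in find_exposed(root):
            restrict_to_owner(path)
        after = find_exposed(root)
        fixed_mode = oct(stat.S_IMODE(os.lstat(donors).st_mode))
        return before, after, fixed_mode


if __name__ == "__main__":
    print(demo())
```

To audit a real folder, call `find_exposed` on its path and review the list before calling `restrict_to_owner`, since shared folders may grant group access on purpose.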
Protecting the private information of your donors, constituents, and volunteers is of the utmost importance. If you have not already, password-protect your CRM and donor database applications. (Check the user’s manual or help documentation if you’re not sure how to do this.) Log out of these applications every time you leave the computer.
Many countries have individual laws and standards regarding encryption of personal data, particularly health information; please consult materials appropriate to your country for specific security recommendations. The Health Insurance Portability and Accountability Act (HIPAA) protects health data in the United States. For information on making sure your database meets HIPAA standards, see the Idealware article In Search of HIPAA-Compliant Software.