Tag Archives: Security

ISO 27001 (Did I bore you already?)

We have recently spent a lot of time working through and obtaining this certification. It really was a long and somewhat laborious process. If you are unfamiliar with this ISO standard, I won’t give you the complete definition, but the following paragraph sums it up. (You can read about it in depth on the ISO site.)

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.

I suppose you might wonder what an information security management system actually is. I did too when we first went down the route to obtaining certification.

Prospective clients had asked us a lot about ISO 27001.

  • Do we have it?
  • Is it on our roadmap to obtain it?
  • Why don’t you have it?
  • If you don’t have it, how do you nonetheless implement clause x.y, paragraph b?

With Audit Trail, for example, we are handling a lot of data, potentially very sensitive data about the changes to donors’ records. In Chimpegration we work with supporters’ email addresses. In Importacular we move data from an online source into Raiser’s Edge. How can we show that we are doing everything necessary to keep the data safe?

Of course, prior to obtaining the certification, we were already doing a lot of things to ensure that data is transmitted securely, that we observe best practice in ensuring our code follows security standards and that all of our colleagues are kept up to date with data processing and cyber security regulations.

What we were not doing is documenting everything that we were doing in a formalised way. When you are a small company you may think,

I know what I know and I am doing everything that I know so I don’t need to write it all down.

As you grow and age (both as an individual and as a company) you forget why you have certain routines. You don’t question them. You just do them. The whole ISO 27001 process challenges us to review our processes. There is a requirement to audit all of them over the lifetime of the certification. This forces us to look at what we are doing. Is a routine still sensible for a company that has grown from 5 people to 10, or from 10 to 20? Should we be doing the same thing now that we are based not just in one geographic jurisdiction but in two or more?

While it was a lot of work to get the certification, it was definitely worth it. Our company is better for it. We know and we have clearly documented all of our routines. Our processes are in place and are validated regularly.

The ISO 27001 certification gives us confidence to manage our systems and data structures securely but equally importantly indicates to our clients that we do just that.

Overcoming the password update policy for custom Raiser’s Edge applications

A recent question on the Blackbaud forums got me thinking about this problem. The issue is this. If an organisation has a password policy in RE that requires users to change their password every X days, what happens to a custom application that runs every day to perform some maintenance, export or import task? Its RE user account is also required to change its password. This is problematic because most scheduled tasks are meant to be set up and then more or less forgotten about.

The obvious solution is to turn the expiry policy off. However, it can only be turned off for the whole organisation, which weakens the policy for every human user as well. Another solution is to use Windows authentication to log into RE, so that Windows, rather than RE, decides the password policy. This is also not always possible.

Here is a third, programmatic way of doing this. You need to make use of the “other” API, which I have mentioned previously in Checking Security: the Blackbaud.PIA.RE7.SecData7 assembly. This gives you access to the security objects that are not present in BBREAPI.

You set up a database table with three columns: a primary key id, a password and an expiration date. You then fill the password column with a list of passwords that could be used. Bear in mind that this table now holds the application’s credentials in clear text, so restrict access to it to the account the scheduled task runs under (or protect the column, for example with DPAPI) and keep it out of any database that other RE users can query.

On starting, the application selects from the table the password with the most recent expiration date (which may be in the future). It uses this to log into RE with the usual code. Once logged in, it determines whether or not the password needs to be changed. If the expiration date is in the past, it changes the password using the code below. The new password should be the next password in the table that has a blank expiration date and the lowest id.

' newPassword is the next unused password taken from the table.
Dim user As New CUser
user.Init(SessionContext)
user.Load(SessionContext.CurrentUserID)
user.Fields(Blackbaud.PIA.RE7.BBInterfaces.EUSERFields.USER_fld_PASSWORD) = newPassword
' Save and CloseDown follow the usual RE7 API object pattern; without Save the change is not written.
user.Save()
user.CloseDown()

You then set an expiration date on the new password in the table. Set it a good few days before the date on which RE will actually force a change, so that when the application next decides to rotate, the stored password is still valid and the login succeeds.

If there are no passwords left in the table, you can clear all the expiration dates and start again from the first value in the table, i.e. the password with the lowest id. I assume that RE permits reusing a password that was used at some point in the past, provided it is not among the most recent ones. If RE enforces a password history, the list must be longer than that history or the change will be rejected.

One variation is to generate a random password at each rotation rather than keeping a list. That way the table has only one row: the current password and its expiration date. This also sidesteps the password history question, since a fresh random password is never a repeat.
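The following is an added example that is not code from the original post; it implements the one-row, random-password variation end to end in VB.NET. It assumes a SQL Server table named AppPassword(Id INT PRIMARY KEY, PasswordBlob VARBINARY(MAX), ExpiresOn DATETIME), that the password is stored protected with DPAPI for the account the scheduled task runs under (an addition to the post, which stores it in clear text), and that the session context type is IBBSessionContext from BBInterfaces; none of these names appear in the original. Logging into RE with the loaded password is done by the caller with the usual REAPI code, which is not repeated here.

```vbnet
' Added example, not from the original post. Assumed table (not in the post):
'   AppPassword(Id INT PRIMARY KEY, PasswordBlob VARBINARY(MAX), ExpiresOn DATETIME)
' Requires references to System.Security (ProtectedData), Blackbaud.PIA.RE7.BBInterfaces
' and Blackbaud.PIA.RE7.SecData7.
Imports System
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text
Imports Blackbaud.PIA.RE7.BBInterfaces
Imports Blackbaud.PIA.RE7.SecData7

Module PasswordRotation

    ' Rotate well inside RE's own expiry window (e.g. 25 days for a 30-day policy)
    ' so the stored password is always still accepted at the next login.
    Private Const RotateEveryDays As Integer = 25

    ' Unambiguous characters only; no I/O/l/0/1 so a human can read it back if needed.
    Private Const Alphabet As String = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@"

    ' Generate a password from a CSPRNG, rejecting bytes that would introduce modulo bias.
    Public Function NewRandomPassword(length As Integer) As String
        Dim sb As New StringBuilder(length)
        Dim buf(0) As Byte
        Dim limit As Integer = 256 - (256 Mod Alphabet.Length)
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            While sb.Length < length
                rng.GetBytes(buf)
                If buf(0) < limit Then sb.Append(Alphabet(buf(0) Mod Alphabet.Length))
            End While
        End Using
        Return sb.ToString()
    End Function

    ' DPAPI, CurrentUser scope: only the Windows account running the task can unprotect
    ' the blob, so a copy of the table alone does not yield the RE password.
    Private Function Protect(clear As String) As Byte()
        Return ProtectedData.Protect(Encoding.UTF8.GetBytes(clear), Nothing, DataProtectionScope.CurrentUser)
    End Function

    Private Function Unprotect(blob As Byte()) As String
        Return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Nothing, DataProtectionScope.CurrentUser))
    End Function

    ' Load the current password and its rotation date (the row with the latest ExpiresOn).
    ' The caller logs into RE with the returned password using the usual REAPI code.
    Public Function LoadCurrent(conn As SqlConnection, ByRef expiresOn As DateTime) As String
        Using cmd As New SqlCommand("SELECT TOP 1 PasswordBlob, ExpiresOn FROM AppPassword ORDER BY ExpiresOn DESC", conn)
            Using rdr = cmd.ExecuteReader()
                If Not rdr.Read() Then Throw New InvalidOperationException("AppPassword is empty; seed it once by hand.")
                expiresOn = rdr.GetDateTime(1)
                Return Unprotect(DirectCast(rdr("PasswordBlob"), Byte()))
            End Using
        End Using
    End Function

    ' Change the logged-in RE user's password via the SecData7 CUser object (the call from the post).
    Public Sub ChangeREPassword(sessionContext As IBBSessionContext, newPassword As String)
        Dim user As New CUser()
        user.Init(sessionContext)
        user.Load(sessionContext.CurrentUserID)
        user.Fields(EUSERFields.USER_fld_PASSWORD) = newPassword
        user.Save()
        user.CloseDown()
    End Sub

    ' After a successful login: rotate only if the stored expiration date has passed.
    ' RE is updated first and the table second, so a failed RE change leaves the old,
    ' still-valid password in place.
    Public Sub RotateIfDue(conn As SqlConnection, sessionContext As IBBSessionContext, expiresOn As DateTime)
        If expiresOn > DateTime.UtcNow Then Return
        Dim fresh As String = NewRandomPassword(20)
        ChangeREPassword(sessionContext, fresh)
        Using cmd As New SqlCommand("UPDATE AppPassword SET PasswordBlob = @blob, ExpiresOn = @exp", conn)
            cmd.Parameters.AddWithValue("@blob", Protect(fresh))
            cmd.Parameters.AddWithValue("@exp", DateTime.UtcNow.AddDays(RotateEveryDays))
            cmd.ExecuteNonQuery()
        End Using
    End Sub

End Module
```

Two points worth noting. The window between the RE change succeeding and the UPDATE committing is the one place the task can lock itself out; if that matters, write the fresh blob to a second "pending" row before calling ChangeREPassword and promote it afterwards, so the next run can try both. And because DPAPI with CurrentUser scope is tied to the task's Windows account, changing the account the scheduled task runs as means re-seeding the row.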

Any improvements? let me know in the comments.

Checking access restrictions in The Raiser’s Edge

In a recent project I had to ensure that specific confidential information was being saved as an action. I had a custom screen where this data was going to be viewed and edited. Only certain users had access to that action using security by action types. I had to check to see if the current user was able to view the action and if they could whether or not they were able to edit the details. There are useful methods for this in the API and I assumed it would be a simple task to use them.