Tip

Compliance rules complicate nonprofits' move to cloud-based computing

Nonprofit agencies rarely have compliance managers. If a small nonprofit is lucky, it will employ an IT manager who handles compliance strategy -- but more often, it simply relegates those tasks to an office manager or assistant director.

Vanessa James

Sparse staffing and budgets are the primary lure for small nonprofit organizations turning to cloud-based computing services, but many nonprofit directors are still hesitant to make the move, concerned that cloud computing's quirks could be their organization's downfall.

Compliance realities are a big part of these concerns. No matter what departments are managing applications and data, organizations must be sure that all of their associates -- from staff to volunteers to vendors -- are adhering to relevant industry rules and regulations.

Nonprofit CIOs and IT managers are experiencing increased complexity in their compliance endeavors simply because their funding sources often require various compliance-related controls. Without the assurances that come from meeting regulatory compliance mandates, the organization could be denied federal funding or grants.

This layer of risk makes it crucial that nonprofits engaging in cloud-based computing services -- whether via a public cloud or through a cloud services provider -- first assess a few crucial areas to negate cloud computing's potential compliance snags.

Is your provider on board with compliance?

First and foremost, it's up to the CIO or IT director to confirm that the cloud vendor is qualified to maintain compliance with any of the regulations governing their particular funding sources and/or relevant federal restrictions.

Many cloud providers have already started following all forms of compliance dictated within myriad federal, state and private trust-driven grant regulations, as well as laws mandated within certain industries. However, you can't leave this particular element to chance: If a data breach occurs, it's the nonprofit organization that will ultimately pay the price.

Nonprofits are not completely adrift. The Health Insurance Portability and Accountability Act (HIPAA) requires by law that cloud service providers serving health care organizations are considered "covered entities" and are thus inextricably linked to their contracted clients.

Therefore, like any other employee or contractor, these organizations are mandated to provide a secure, confidential environment for data storage, transfer, monitoring and incident response. The service providers are also required to meet the specific policies and protocols required by HIPAA §164.312.

Nonprofit organizations looking to alleviate compliance concerns also face potential operations-related security and confidentiality issues when moving to the cloud. The nonprofit's executive director must diligently take the necessary steps to ensure the cloud provider is meeting the agency's specific compliance concerns -- especially when it comes to grants and other funding sources for the agency.

Plan for cloud-based computing security

With proper due diligence, consideration and planning, cloud-based computing can be a beneficial choice for the small nonprofit, especially for those with limited office space, operating capital and staff.

There's no reason nonprofits should fear the perceived disadvantages of these technologies. Cloud-based computing, whether it's a free cloud storage option or a contract with a fully serviced cloud provider, has the ability to give small nonprofit organizations the chance to play with enterprise-grade computing power on a very small budget.

As long as the nonprofit selects a cloud-based storage provider that is grant-compliant, establishes a definitive and rock-solid service-level agreement with the vendor and has conducted a thorough IT consultation, the cloud will signal a step in a new -- and quite attractive -- direction for nonprofit agencies willing to embrace the technologies.

Vanessa James is a business technology consultant and blogger. She enjoys reading about new technologies and issues regarding the IT world. Her work has been published on TechRepublic, IT Manager Daily and The Higher Ed CIO blog.

This was first published in February 2013
