Elvanto Security Best Practices

With the rise of automation tools and AI making it easier than ever for bad actors to prey on churches, it is important to stay on top of best security practices to keep your Elvanto account safe. 

Below are general security best practices and tips we recommend every super admin stay on top of to prevent issues before they arise. As a reminder, we will 

Implement Permission Audits 

  • While Elvanto explains how to set permissions, it doesn't advise on the lifecycle of those permissions.

  • Schedule a quarterly "Access Review" to identify users who have moved roles or left the church. Admins should proactively downgrade "Super Admin" accounts—which override all lockdowns—to specific "Access Permissions" roles as soon as the broad oversight is no longer required for their daily tasks. 

  • The Principle of Least Privilege is a core cybersecurity concept restricting user, system, or process access to only the bare minimum permissions necessary to perform authorized tasks. By limiting access rights, organizations reduce the attack surface, minimize the damage from compromised accounts, and ensure compliance. We recommend honoring this. 

    • Ask yourself, "Does this person really need access in this way?" before granting it.


Enforce 2FA for High-Impact Roles

  • Utilizing Elvanto’s 2FA requirement for specific Access Permission levels is a great way to lock down the most privileged roles. 

  • Do not wait for volunteers to opt in; mandate 2FA for any role that has People viewing capabilities. It also makes sense to turn this on for those with access to Financials, Children’s Ministry data, secure custom fields, and more, depending on how you prefer to keep data safe.

  • For more, see Enhancing Account Security with Two-Factor Authentication (2FA) in Elvanto.



Send Password Resets to users on a routine basis

  • Passwords do not expire in Elvanto by default. Consider requiring users to change them on a routine basis so that any weak passwords are replaced.

  • By going to a person's profile and clicking on the Account & Volunteering area, you can scroll down to request a new password for this person. Consider sending these out on a yearly, or even biannual, basis.


When in doubt about unusual profile activity, you can also suspend an account. In the screenshot above, notice the Suspend Account checkbox. This can be a timely and helpful way to limit access if you notice anything unusual, such as spam texts or emails going out from one of your users.


API Key Hygiene and Rotation

  • Apply the "Least Privilege" rule to software, not just people. Treat an API key like a Super Admin password. If an old integration is no longer in use, remove it as soon as possible.

    • To check on your integrations, go to Admin Area > Settings > Integrations.

  • For active integrations, rotate (regenerate) the keys annually. If a staff member who had access to your API settings leaves, assume the key is compromised and cycle it to prevent unauthorized external "scraping" of your database.
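A sample access-review script, added here as an illustration and not part of Elvanto or this article: it runs the checks from the permission-audit, 2FA and API-key sections over a constructed user list and integration list (the field names are assumptions, since Elvanto's export format is not described here) and lists what to downgrade, enforce, rotate or remove.

```python
from datetime import date

# Constructed sample data standing in for a user export and the
# Admin Area > Settings > Integrations list (field names are assumptions).
TODAY = date(2024, 7, 1)

USERS = [
    {"name": "Pat", "level": "Super Admin", "views_people": True, "twofa": True,
     "last_login": date(2024, 6, 28), "active": True},
    {"name": "Sam", "level": "Super Admin", "views_people": True, "twofa": False,
     "last_login": date(2024, 1, 10), "active": True},   # idle for months, no 2FA
    {"name": "Lee", "level": "Super Admin", "views_people": True, "twofa": True,
     "last_login": date(2024, 6, 1), "active": False},   # has left the church
    {"name": "Jo", "level": "Volunteer", "views_people": True, "twofa": False,
     "last_login": date(2024, 6, 20), "active": True},
    {"name": "Kim", "level": "Volunteer", "views_people": False, "twofa": False,
     "last_login": date(2024, 6, 22), "active": True},
]

INTEGRATIONS = [
    {"label": "Giving sync", "key_created": date(2023, 3, 1), "last_used": date(2024, 6, 30)},
    {"label": "Old website", "key_created": date(2022, 5, 1), "last_used": date(2023, 1, 15)},
]


def days_since(when, today=TODAY):
    return (today - when).days


def review_users(users, today=TODAY, stale_days=90):
    """Flag Super Admins to downgrade and People-viewing roles that lack 2FA."""
    findings = []
    for u in users:
        # Super Admin overrides all lockdowns: downgrade once the person has
        # left or has not needed the broad access recently.
        if u["level"] == "Super Admin" and (not u["active"] or days_since(u["last_login"], today) > stale_days):
            findings.append((u["name"], "downgrade Super Admin to a scoped Access Permissions role"))
        if u["views_people"] and not u["twofa"]:
            findings.append((u["name"], "enforce 2FA: role can view People"))
    return findings


def review_integrations(integrations, today=TODAY, rotate_days=365, unused_days=180):
    """Flag unused integrations to remove and API keys older than a year to rotate."""
    findings = []
    for i in integrations:
        if days_since(i["last_used"], today) > unused_days:
            findings.append((i["label"], "remove: integration no longer in use"))
        elif days_since(i["key_created"], today) > rotate_days:
            findings.append((i["label"], "rotate: API key older than a year"))
    return findings
```

Run `review_users(USERS)` and `review_integrations(INTEGRATIONS)` once a quarter against a fresh export and work through the resulting list in the Admin Area.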


By following the steps listed above, you are doing what you can to stay security conscious and to keep your Elvanto data safe! Now give yourself a pat on the back for a job well done 😊